[mirrors/Programs.git] / php / hfirewall / firewall.php

#! /usr/bin/php
<?php
///Settings////////////////////////////
$rulefile = "hfwrules.conf";
$fwscript = "fwscript.sh";

$chmod = true;
$run = true;

$iptbin = "/sbin/iptables";
$iptsave = "/sbin/iptables-save";
$iptrestore = "/sbin/iptables-restore";

///Version/////////////////////////////
$version = "0.1 Alpha";

///Banner//////////////////////////////
echo("Harvie's Firewall\n");
echo("\t<-Harvie 2oo7\n");
echo("\tVersion $version\n\n");

///CODE////////////////////////////////
//Load rules file
echo("Loading rulesfile ".$rulefile."... ");
if(is_file($rulefile)) {
	include("$rulefile");
	echo("Loaded!\n\n");
} else {
	echo("File not found!\n\n");
}

//Make iptables script file
$ipt = fopen($fwscript, "w");
fwrite($ipt, "#!/bin/sh\n#This firewall script was generated by Harvie's php firewall ($version)\n\n");

//Rules info
echo("Rules info: \n");
if(isset($author)) {
	fwrite($ipt, "#Author: $author\n");
	echo("Author: $author\n");
}
if(isset($description)){
	fwrite($ipt, "#Description: $description\n");
	echo("Description: $description\n");
}
fwrite($ipt, "######################################################################################################\n");
fwrite($ipt, "\n");
fwrite($ipt, "\n");
echo("\n");

///Rules Others////////////////////////////////////////////////////////////////////
fwrite($ipt, "#Rules Others:\n");
echo("Rules Others:\n");

if($icmp_echo_ignore_broadcasts) {
	echo("Ignore ICMP echo-request messages sent to broadcast or multicast addresses\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
}

if($accept_source_route) {
	echo("Accept source routed packets\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
}

if($tcp_syncookies) {
	echo("Enable TCP SYN cookie protection from SYN floods\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/tcp_syncookies\n");
}

if($accept_redirects) {
	echo("Accept ICMP redirect messages\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
}

if($send_redirects) {
	echo("Send ICMP redirect messages\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
}

if($rp_filter) {
	echo("Enable source address spoofing protection\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
}

if($log_martians) {
	echo("Log packets from Martians (with impossible source addresses)\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\n");
}

fwrite($ipt, "\n");
echo("\n");

///Rules IPTables//////////////////////////////////////////////////////////////////
fwrite($ipt, "#Rules IPTables:\n");
echo("Rules IPTables:\n");

//Rules flush
if($flush_rules) {
	echo("Flush old rules\n");
	fwrite($ipt, "$iptbin --flush\n\n");
}

//Rules loopback
if($loopback_allow_all == true) {
	echo("Allow all traffic on loopback\n");
	fwrite($ipt, "$iptbin -A INPUT -i lo -j ACCEPT\n");
	fwrite($ipt, "$iptbin -A OUTPUT -o lo -j ACCEPT\n\n");
}

//Rules policies
echo("Default policies: ");
foreach($default_policies as $default_policy) {
	fwrite($ipt, "$iptbin --policy $default_policy\n");
	echo("$default_policy, ");
}
fwrite($ipt, "\n");
echo("\n");

//Rules outbound traffic
if($allow_outbound_traffic) {
	fwrite($ipt, "$iptbin -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n");
	fwrite($ipt, "$iptbin -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n\n");
}

//Rules open ports
echo("Open ports: ");
foreach($open_ports as $open_port) {
	fwrite($ipt, "$iptbin -A INPUT -p tcp --dport $open_port -m state --state NEW -j ACCEPT\n");
	echo("$open_port, ");
}
fwrite($ipt, "\n");
echo("\n");

//Drop other
if(drop_other == true) {
	echo("Other traffic will be droped\n");
	fwrite($ipt, "$iptbin -A INPUT -j DROP\n");
}


//Close iptables script
fwrite($ipt, "\n\n");
echo("\nClosing $fwscript\n");
fclose($ipt);

//Chmod u+x iptables script
if($chmod) {
	echo("chmod u+x $fwscript\n");
	system("chmod u+x $fwscript");
}
//Run iptables script
if($run) {
	echo("Running firewall script...\n\n");
	system("./".$fwscript);
}
Commit	Line	Data
79a323cb H	1	#! /usr/bin/php
	2	<?php
	3	///Settings////////////////////////////
	4	$rulefile = "hfwrules.conf";
	5	$fwscript = "fwscript.sh";
	6
	7	$chmod = true;
	8	$run = true;
	9
	10	$iptbin = "/sbin/iptables";
	11	$iptsave = "/sbin/iptables-save";
	12	$iptrestore = "/sbin/iptables-restore";
	13
	14	///Version/////////////////////////////
	15	$version = "0.1 Alpha";
	16
	17	///Banner//////////////////////////////
	18	echo("Harvie's Firewall\n");
	19	echo("\t<-Harvie 2oo7\n");
	20	echo("\tVersion $version\n\n");
	21
	22	///CODE////////////////////////////////
	23	//Load rules file
	24	echo("Loading rulesfile ".$rulefile."... ");
	25	if(is_file($rulefile)) {
	26	include("$rulefile");
	27	echo("Loaded!\n\n");
	28	} else {
	29	echo("File not found!\n\n");
	30	}
	31
	32	//Make iptables script file
	33	$ipt = fopen($fwscript, "w");
	34	fwrite($ipt, "#!/bin/sh\n#This firewall script was generated by Harvie's php firewall ($version)\n\n");
	35
	36	//Rules info
	37	echo("Rules info: \n");
	38	if(isset($author)) {
	39	fwrite($ipt, "#Author: $author\n");
	40	echo("Author: $author\n");
	41	}
	42	if(isset($description)){
	43	fwrite($ipt, "#Description: $description\n");
	44	echo("Description: $description\n");
	45	}
	46	fwrite($ipt, "######################################################################################################\n");
	47	fwrite($ipt, "\n");
	48	fwrite($ipt, "\n");
	49	echo("\n");
	50
	51	///Rules Others////////////////////////////////////////////////////////////////////
	52	fwrite($ipt, "#Rules Others:\n");
	53	echo("Rules Others:\n");
	54
	55	if($icmp_echo_ignore_broadcasts) {
	56	echo("Ignore ICMP echo-request messages sent to broadcast or multicast addresses\n");
	57	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
	58	} else {
	59	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
	60	}
	61
	62	if($accept_source_route) {
	63	echo("Accept source routed packets\n");
	64	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
65	} else {
66	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
67	}
68
69	if($tcp_syncookies) {
70	echo("Enable TCP SYN cookie protection from SYN floods\n");
71	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n");
72	} else {
73	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/tcp_syncookies\n");
74	}
75
76	if($accept_redirects) {
77	echo("Accept ICMP redirect messages\n");
78	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
79	} else {
80	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
81	}
82
83	if($send_redirects) {
84	echo("Send ICMP redirect messages\n");
85	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
86	} else {
87	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
88	}
89
90	if($rp_filter) {
91	echo("Enable source address spoofing protection\n");
92	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
93	} else {
94	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
95	}
96
97	if($log_martians) {
98	echo("Log packets from Martians (with impossible source addresses)\n");
99	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\n");
100	} else {
101	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\n");
102	}
103
104	fwrite($ipt, "\n");
105	echo("\n");
106
107	///Rules IPTables//////////////////////////////////////////////////////////////////
108	fwrite($ipt, "#Rules IPTables:\n");
109	echo("Rules IPTables:\n");
110
111	//Rules flush
112	if($flush_rules) {
113	echo("Flush old rules\n");
114	fwrite($ipt, "$iptbin --flush\n\n");
115	}
116
117	//Rules loopback
118	if($loopback_allow_all == true) {
119	echo("Allow all traffic on loopback\n");
120	fwrite($ipt, "$iptbin -A INPUT -i lo -j ACCEPT\n");
121	fwrite($ipt, "$iptbin -A OUTPUT -o lo -j ACCEPT\n\n");
122	}
123
124	//Rules policies
125	echo("Default policies: ");
126	foreach($default_policies as $default_policy) {
127	fwrite($ipt, "$iptbin --policy $default_policy\n");
128	echo("$default_policy, ");
129	}
130	fwrite($ipt, "\n");
131	echo("\n");
132
133	//Rules outbound traffic
134	if($allow_outbound_traffic) {
135	fwrite($ipt, "$iptbin -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n");
136	fwrite($ipt, "$iptbin -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n\n");
137	}
138
139	//Rules open ports
140	echo("Open ports: ");
141	foreach($open_ports as $open_port) {
142	fwrite($ipt, "$iptbin -A INPUT -p tcp --dport $open_port -m state --state NEW -j ACCEPT\n");
143	echo("$open_port, ");
144	}
145	fwrite($ipt, "\n");
146	echo("\n");
147
148	//Drop other
149	if(drop_other == true) {
150	echo("Other traffic will be droped\n");
151	fwrite($ipt, "$iptbin -A INPUT -j DROP\n");
152	}
153
154
155
156	//Close iptables script
157	fwrite($ipt, "\n\n");
158	echo("\nClosing $fwscript\n");
159	fclose($ipt);
160
161	//Chmod u+x iptables script
162	if($chmod) {
163	echo("chmod u+x $fwscript\n");
164	system("chmod u+x $fwscript");
165	}
166	//Run iptables script
167	if($run) {
168	echo("Running firewall script...\n\n");
169	system("./".$fwscript);
170	}