[mirrors/Programs.git] / php / hfirewall / firewall.php

#! /usr/bin/php
<?php
///Settings////////////////////////////
$rulefile = "hfwrules.conf";
$fwscript = "fwscript.sh";

$chmod = true;
$run = true;

$iptbin = "/sbin/iptables";
$iptsave = "/sbin/iptables-save";
$iptrestore = "/sbin/iptables-restore";

///Version/////////////////////////////
$version = "0.1 Alpha";

///Banner//////////////////////////////
echo("Harvie's Firewall\n");
echo("\t<-Harvie 2oo7\n");
echo("\tVersion $version\n\n");

///CODE////////////////////////////////
//Load rules file
echo("Loading rulesfile ".$rulefile."... ");
if(is_file($rulefile)) {
	include("$rulefile");
	echo("Loaded!\n\n");
} else {
	echo("File not found!\n\n");
}

//Make iptables script file
$ipt = fopen($fwscript, "w");
fwrite($ipt, "#!/bin/sh\n#This firewall script was generated by Harvie's php firewall ($version)\n\n");

//Rules info
echo("Rules info: \n");
if(isset($author)) {
	fwrite($ipt, "#Author: $author\n");
	echo("Author: $author\n");
}
if(isset($description)){
	fwrite($ipt, "#Description: $description\n");
	echo("Description: $description\n");
}
fwrite($ipt, "######################################################################################################\n");
fwrite($ipt, "\n");
fwrite($ipt, "\n");
echo("\n");

///Rules Others////////////////////////////////////////////////////////////////////
fwrite($ipt, "#Rules Others:\n");
echo("Rules Others:\n");

if($icmp_echo_ignore_broadcasts) {
	echo("Ignore ICMP echo-request messages sent to broadcast or multicast addresses\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
}

if($accept_source_route) {
	echo("Accept source routed packets\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
}

if($tcp_syncookies) {
	echo("Enable TCP SYN cookie protection from SYN floods\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/tcp_syncookies\n");
}

if($accept_redirects) {
	echo("Accept ICMP redirect messages\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
}

if($send_redirects) {
	echo("Send ICMP redirect messages\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
}

if($rp_filter) {
	echo("Enable source address spoofing protection\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
}

if($log_martians) {
	echo("Log packets from Martians (with impossible source addresses)\n");
	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\n");
} else {
	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\n");
}

fwrite($ipt, "\n");
echo("\n");

///Rules IPTables//////////////////////////////////////////////////////////////////
fwrite($ipt, "#Rules IPTables:\n");
echo("Rules IPTables:\n");

//Rules flush
if($flush_rules) {
	echo("Flush old rules\n");
	fwrite($ipt, "$iptbin --flush\n\n");
}

//Rules loopback
if($loopback_allow_all == true) {
	echo("Allow all traffic on loopback\n");
	fwrite($ipt, "$iptbin -A INPUT -i lo -j ACCEPT\n");
	fwrite($ipt, "$iptbin -A OUTPUT -o lo -j ACCEPT\n\n");
}

//Rules policies
echo("Default policies: ");
foreach($default_policies as $default_policy) {
	fwrite($ipt, "$iptbin --policy $default_policy\n");
	echo("$default_policy, ");
}
fwrite($ipt, "\n");
echo("\n");

//Rules outbound traffic
if($allow_outbound_traffic) {
	fwrite($ipt, "$iptbin -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n");
	fwrite($ipt, "$iptbin -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n\n");
}

//Rules open ports
echo("Open ports: ");
foreach($open_ports as $open_port) {
	fwrite($ipt, "$iptbin -A INPUT -p tcp --dport $open_port -m state --state NEW -j ACCEPT\n");
	echo("$open_port, ");
}
fwrite($ipt, "\n");
echo("\n");

//Drop other
if(drop_other == true) {
	echo("Other traffic will be droped\n");
	fwrite($ipt, "$iptbin -A INPUT -j DROP\n");
}


//Close iptables script
fwrite($ipt, "\n\n");
echo("\nClosing $fwscript\n");
fclose($ipt);

//Chmod u+x iptables script
if($chmod) {
	echo("chmod u+x $fwscript\n");
	system("chmod u+x $fwscript");
}
//Run iptables script
if($run) {
	echo("Running firewall script...\n\n");
	system("./".$fwscript);
}
Commit	Line	Data
	1	#! /usr/bin/php
	2	<?php
	3	///Settings////////////////////////////
	4	$rulefile = "hfwrules.conf";
	5	$fwscript = "fwscript.sh";
	6
	7	$chmod = true;
	8	$run = true;
	9
	10	$iptbin = "/sbin/iptables";
	11	$iptsave = "/sbin/iptables-save";
	12	$iptrestore = "/sbin/iptables-restore";
	13
	14	///Version/////////////////////////////
	15	$version = "0.1 Alpha";
	16
	17	///Banner//////////////////////////////
	18	echo("Harvie's Firewall\n");
	19	echo("\t<-Harvie 2oo7\n");
	20	echo("\tVersion $version\n\n");
	21
	22	///CODE////////////////////////////////
	23	//Load rules file
	24	echo("Loading rulesfile ".$rulefile."... ");
	25	if(is_file($rulefile)) {
	26	include("$rulefile");
	27	echo("Loaded!\n\n");
	28	} else {
	29	echo("File not found!\n\n");
	30	}
	31
	32	//Make iptables script file
	33	$ipt = fopen($fwscript, "w");
	34	fwrite($ipt, "#!/bin/sh\n#This firewall script was generated by Harvie's php firewall ($version)\n\n");
	35
	36	//Rules info
	37	echo("Rules info: \n");
	38	if(isset($author)) {
	39	fwrite($ipt, "#Author: $author\n");
	40	echo("Author: $author\n");
	41	}
	42	if(isset($description)){
	43	fwrite($ipt, "#Description: $description\n");
	44	echo("Description: $description\n");
	45	}
	46	fwrite($ipt, "######################################################################################################\n");
	47	fwrite($ipt, "\n");
	48	fwrite($ipt, "\n");
	49	echo("\n");
	50
	51	///Rules Others////////////////////////////////////////////////////////////////////
	52	fwrite($ipt, "#Rules Others:\n");
	53	echo("Rules Others:\n");
	54
	55	if($icmp_echo_ignore_broadcasts) {
	56	echo("Ignore ICMP echo-request messages sent to broadcast or multicast addresses\n");
	57	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
	58	} else {
	59	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\n");
	60	}
	61
	62	if($accept_source_route) {
	63	echo("Accept source routed packets\n");
	64	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
	65	} else {
	66	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route\n");
	67	}
	68
	69	if($tcp_syncookies) {
	70	echo("Enable TCP SYN cookie protection from SYN floods\n");
	71	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/tcp_syncookies\n");
	72	} else {
	73	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/tcp_syncookies\n");
	74	}
	75
	76	if($accept_redirects) {
	77	echo("Accept ICMP redirect messages\n");
	78	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
	79	} else {
	80	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects\n");
	81	}
	82
	83	if($send_redirects) {
	84	echo("Send ICMP redirect messages\n");
	85	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
	86	} else {
	87	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects\n");
	88	}
	89
	90	if($rp_filter) {
	91	echo("Enable source address spoofing protection\n");
	92	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
	93	} else {
	94	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter\n");
	95	}
	96
	97	if($log_martians) {
	98	echo("Log packets from Martians (with impossible source addresses)\n");
	99	fwrite($ipt, "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians\n");
	100	} else {
	101	fwrite($ipt, "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians\n");
	102	}
	103
	104	fwrite($ipt, "\n");
	105	echo("\n");
	106
	107	///Rules IPTables//////////////////////////////////////////////////////////////////
	108	fwrite($ipt, "#Rules IPTables:\n");
	109	echo("Rules IPTables:\n");
	110
	111	//Rules flush
	112	if($flush_rules) {
	113	echo("Flush old rules\n");
	114	fwrite($ipt, "$iptbin --flush\n\n");
	115	}
	116
	117	//Rules loopback
	118	if($loopback_allow_all == true) {
	119	echo("Allow all traffic on loopback\n");
	120	fwrite($ipt, "$iptbin -A INPUT -i lo -j ACCEPT\n");
	121	fwrite($ipt, "$iptbin -A OUTPUT -o lo -j ACCEPT\n\n");
	122	}
	123
	124	//Rules policies
	125	echo("Default policies: ");
	126	foreach($default_policies as $default_policy) {
	127	fwrite($ipt, "$iptbin --policy $default_policy\n");
	128	echo("$default_policy, ");
	129	}
	130	fwrite($ipt, "\n");
	131	echo("\n");
	132
	133	//Rules outbound traffic
	134	if($allow_outbound_traffic) {
	135	fwrite($ipt, "$iptbin -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n");
	136	fwrite($ipt, "$iptbin -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n\n");
	137	}
	138
	139	//Rules open ports
	140	echo("Open ports: ");
	141	foreach($open_ports as $open_port) {
	142	fwrite($ipt, "$iptbin -A INPUT -p tcp --dport $open_port -m state --state NEW -j ACCEPT\n");
	143	echo("$open_port, ");
	144	}
	145	fwrite($ipt, "\n");
	146	echo("\n");
	147
	148	//Drop other
	149	if(drop_other == true) {
	150	echo("Other traffic will be droped\n");
	151	fwrite($ipt, "$iptbin -A INPUT -j DROP\n");
	152	}
	153
	154
	155
	156	//Close iptables script
	157	fwrite($ipt, "\n\n");
	158	echo("\nClosing $fwscript\n");
	159	fclose($ipt);
	160
	161	//Chmod u+x iptables script
	162	if($chmod) {
	163	echo("chmod u+x $fwscript\n");
	164	system("chmod u+x $fwscript");
	165	}
	166	//Run iptables script
	167	if($run) {
	168	echo("Running firewall script...\n\n");
	169	system("./".$fwscript);
	170	}