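#! /usr/bin/php
<?php
///Settings////////////////////////////
// Both paths are relative to the current working directory: the rules file is
// include()d as PHP and the generated script is executed from here (normally
// as root), so run this only from a directory whose contents you trust.
$rulefile = "hfwrules.conf";
$fwscript = "fwscript.sh";

$chmod = true; // make the generated script executable (u+x)
$run = true;   // execute the generated script once it has been written

$iptbin = "/sbin/iptables";
$iptsave = "/sbin/iptables-save";
$iptrestore = "/sbin/iptables-restore";

///Version/////////////////////////////
$version = "0.1 Alpha";

///Banner//////////////////////////////
echo("Harvie's Firewall\n");
echo("\t<-Harvie 2oo7\n");
echo("\tVersion $version\n\n");

///CODE////////////////////////////////
//Load rules file
// The rules file is plain PHP that sets the variables read below ($author,
// $description, the sysctl toggles, $flush_rules, $loopback_allow_all,
// $default_policies, $allow_outbound_traffic, $open_ports, $drop_other).
// Nothing in it is validated: it runs with this script's privileges.
echo("Loading rulesfile ".$rulefile."... ");
if(is_file($rulefile)) {
    include($rulefile);
    echo("Loaded!\n\n");
} else {
    // Continuing without rules would emit "echo 0 > ..." for every sysctl and
    // weaken the kernel defaults, so a missing rules file is fatal.
    echo("File not found!\n\n");
    exit(1);
}

// The script is assembled in memory and written in one go at the end, so a
// rejected rule never leaves a half-written firewall script on disk.
$script = "#!/bin/sh\n#This firewall script was generated by Harvie's php firewall ($version)\n\n";

//Rules info
echo("Rules info: \n");
if(isset($author)) {
    $script .= "#Author: $author\n";
    echo("Author: $author\n");
}
if(isset($description)){
    $script .= "#Description: $description\n";
    echo("Description: $description\n");
}
$script .= "######################################################################################################\n";
$script .= "\n";
$script .= "\n";
echo("\n");

///Rules Others////////////////////////////////////////////////////////////////////
$script .= "#Rules Others:\n";
echo("Rules Others:\n");

// Kernel (sysctl) toggles: [enabled?, path under /proc/sys/, description].
// Every toggle is written explicitly as 1 or 0, so one the rules file leaves
// unset is switched OFF (as before, but without an undefined-variable notice).
$sysctls = [
    [$icmp_echo_ignore_broadcasts ?? false, "net/ipv4/icmp_echo_ignore_broadcasts",
        "Ignore ICMP echo-request messages sent to broadcast or multicast addresses"],
    [$accept_source_route ?? false, "net/ipv4/conf/all/accept_source_route",
        "Accept source routed packets"],
    [$tcp_syncookies ?? false, "net/ipv4/tcp_syncookies",
        "Enable TCP SYN cookie protection from SYN floods"],
    [$accept_redirects ?? false, "net/ipv4/conf/all/accept_redirects",
        "Accept ICMP redirect messages"],
    [$send_redirects ?? false, "net/ipv4/conf/all/send_redirects",
        "Send ICMP redirect messages"],
    [$rp_filter ?? false, "net/ipv4/conf/all/rp_filter",
        "Enable source address spoofing protection"],
    [$log_martians ?? false, "net/ipv4/conf/all/log_martians",
        "Log packets from Martians (with impossible source addresses)"],
];
foreach($sysctls as [$enabled, $path, $info]) {
    if($enabled) {
        echo("$info\n");
        $script .= "echo 1 > /proc/sys/$path\n";
    } else {
        $script .= "echo 0 > /proc/sys/$path\n";
    }
}

$script .= "\n";
echo("\n");

///Rules IPTables//////////////////////////////////////////////////////////////////
$script .= "#Rules IPTables:\n";
echo("Rules IPTables:\n");

//Rules flush
if($flush_rules ?? false) {
    echo("Flush old rules\n");
    $script .= "$iptbin --flush\n\n";
}

//Rules loopback
if($loopback_allow_all ?? false) {
    echo("Allow all traffic on loopback\n");
    $script .= "$iptbin -A INPUT -i lo -j ACCEPT\n";
    $script .= "$iptbin -A OUTPUT -o lo -j ACCEPT\n\n";
}

//Rules policies
// Each entry is passed verbatim to "iptables --policy" (e.g. "INPUT DROP").
echo("Default policies: ");
foreach(($default_policies ?? []) as $default_policy) {
    $script .= "$iptbin --policy $default_policy\n";
    echo("$default_policy, ");
}
$script .= "\n";
echo("\n");

//Rules outbound traffic
if($allow_outbound_traffic ?? false) {
    $script .= "$iptbin -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n";
    $script .= "$iptbin -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n\n";
}

//Rules open ports
// Port entries land verbatim in a root-executed shell script, so only a plain
// port number or an iptables "low:high" range is accepted; anything else
// aborts before the script is written.
echo("Open ports: ");
foreach(($open_ports ?? []) as $open_port) {
    if(!preg_match('/^[0-9]+(:[0-9]+)?$/', (string) $open_port)) {
        echo("\nInvalid port specification in $rulefile: $open_port\n");
        exit(1);
    }
    $script .= "$iptbin -A INPUT -p tcp --dport $open_port -m state --state NEW -j ACCEPT\n";
    echo("$open_port, ");
}
$script .= "\n";
echo("\n");

//Drop other
// Was `if(drop_other == true)`: a bare, undefined constant -- a fatal Error on
// PHP 8 and a truthy string on older versions -- so the $drop_other setting
// from the rules file was never actually consulted.
if($drop_other ?? false) {
    echo("Other traffic will be droped\n");
    $script .= "$iptbin -A INPUT -j DROP\n";
}

//Close iptables script
$script .= "\n\n";
echo("\nClosing $fwscript\n");
if(file_put_contents($fwscript, $script) === false) {
    echo("Could not write $fwscript\n");
    exit(1);
}

//Chmod u+x iptables script
if($chmod) {
    echo("chmod u+x $fwscript\n");
    // Native chmod() instead of spawning a shell; existing mode bits are kept.
    chmod($fwscript, (fileperms($fwscript) & 07777) | 0100);
}
//Run iptables script
if($run) {
    echo("Running firewall script...\n\n");
    system("./".$fwscript);
}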