verzia 2.94, 2013/09/21 02:57:58 |
verzia 2.102, 2014/04/15 05:02:32 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.93 2013-09-21 02:55:50 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.101 2013-09-28 18:51:30 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
return; |
return; |
fi |
fi |
|
|
print_info -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
print_info " done." |
|
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
if [ -n "$NAT_SUBNET_SRC" ]; then |
|
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
|
fi |
|
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
print_info " done." |
print_info " done." |
print_info "XEN_MODE enabled: masquerade is limited to basic functionality only"; |
print_info "XEN_MODE enabled: masquerade is limited to basic functionality only"; |
return; |
return; |
|
|
fi |
fi |
done |
done |
|
|
#$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE |
if [ -n "$NAT_SUBNET_SRC" ]; then |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
|
fi |
|
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
|
|
print_info " done." |
print_info " done." |
|
|
Riadok 1117 allow_input() |
|
Riadok 1119 allow_input() |
|
port="ALL"; |
port="ALL"; |
fi |
fi |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
if [ $(( ++counter )) -ge 5 -o "$port" -eq "10050" ]; then counter=0; print_info ""; fi; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
Riadok 1202 allow_input() |
|
Riadok 1204 allow_input() |
|
|
|
} # }}} |
} # }}} |
|
|
# ACCEPT all packets from our IP address |
# ACCEPT selected IPs/ports if defined for interface |
|
# if not defined ACCEPT all packets from our IP addresses |
allow_output() |
allow_output() |
{ # {{{ |
{ # {{{ |
|
output_tcp_str=""; |
|
output_udp_str=""; |
|
output_icmp_str=""; |
|
|
# Povolíme odchozí pakety, které mají naše IP adresy |
|
print_info -en "Accepting OUTPUT packets from" |
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
gateway="Gateway_$iface"; |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
|
print_info -en " $ip($iface)" |
|
$IPTABLES -A OUTPUT -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
done; |
|
print_info " done."; |
|
|
|
|
accept_output_tcp="${iface}_ACCEPT_OUTPUT_TCP" |
|
ACCEPT_OUTPUT_TCP="${!accept_output_tcp}" |
|
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
|
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
|
|
|
|
|
# TCP |
|
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
else |
|
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
|
for port in $ACCEPT_OUTPUT_TCP; do |
|
dest_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
|
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
|
if [ -z "$dest_ip" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
|
else |
|
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
|
else |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
|
fi |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# UDP |
|
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
else |
|
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
|
for port in $ACCEPT_OUTPUT_UDP; do |
|
dest_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
|
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
|
if [ -z "$dest_ip" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
|
else |
|
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
|
else |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
|
fi |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# ICMP |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_icmp_str="$output_icmp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p ICMP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
done |
|
|
|
if [ -n "$output_tcp_str" ]; then |
|
print_info "Accepting OUTPUT TCP packets through $output_tcp_str done." |
|
fi |
|
if [ -n "$output_udp_str" ]; then |
|
print_info "Accepting OUTPUT UDP packets through $output_udp_str done." |
|
fi |
|
if [ -n "$output_icmp_str" ]; then |
|
print_info "Accepting OUTPUT ICMP packets through $output_icmp_str done." |
|
fi |
} # }}} |
} # }}} |
|
|
allow_icmp() |
allow_icmp() |
|
|
allow_icmp |
allow_icmp |
accept_loopback |
accept_loopback |
masquerade |
masquerade |
|
forward_on |
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
forward_on |
|
do_ip_accounting |
do_ip_accounting |
shaping_off |
shaping_off |
shaping_on |
shaping_on |
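Review bot: In the masquerade hunk the new source restriction is optional, so when `NAT_SUBNET_SRC` is unset the appended rule is still `-t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE`, which masquerades every source leaving that interface rather than only the subnet named in the preceding "Masquerading local subnet" message; the message should say so, or the rule should fall back to the subnet it claims to NAT. The hunk also rewrites the configuration variable in place (`NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"`), turning a config value into an argv fragment that would double up on a second call and appearing as the same two-line pattern in both the XEN_MODE branch and the default path; a local would avoid both, e.g. `src_match=""; [ -n "$NAT_SUBNET_SRC" ] && src_match="-s $NAT_SUBNET_SRC"` followed by `$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE $src_match -j MASQUERADE`. Separately, in allow_input the new `"$port" -eq "10050"` test will error whenever `port` is `ALL` or a comma-separated list (both reachable from the surrounding lines), so a string compare `"$port" = "10050"` is needed. The masquerade function begins before this hunk, so the variable's initialisation is not visible here.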