verzia 2.95, 2013/09/21 03:01:24 |
verzia 2.106, 2016/01/17 15:03:29 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.94 2013-09-21 02:57:58 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.105 2015/10/19 14:00:33 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 39 DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREW |
|
Riadok 39 DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREW |
|
DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}" |
DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}" |
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
|
|
|
DIST_FIREWALL_CONFIG_DIR="${DIST_FIREWALL_CONFIG_DIR:=/etc/firewall/firewall.d}" |
|
|
# quiet output? {{{ |
# quiet output? {{{ |
if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then |
if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then |
print_info() |
print_info() |
|
|
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
if [ -n "$NAT_SUBNET_SRC" ]; then |
|
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
|
fi |
|
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
print_info " done." |
print_info " done." |
print_info "XEN_MODE enabled: masquerade is limited to basic functionality only"; |
print_info "XEN_MODE enabled: masquerade is limited to basic functionality only"; |
return; |
return; |
|
|
fi |
fi |
done |
done |
|
|
#$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE |
if [ -n "$NAT_SUBNET_SRC" ]; then |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
|
fi |
|
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
|
|
print_info " done." |
print_info " done." |
|
|
Riadok 1006 allow_input() |
|
Riadok 1013 allow_input() |
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
for iface in $INTERFACES; do |
# We are using REAL_INTERFACES instead of INTERFACES here, because we want |
|
# to do redirects for "lo" interface as well. However for "lo" it is done |
|
# quite differently. See http://ix.sk/0WY2j for more information on this. |
|
# -- Nepto [2015-10-19] |
|
for iface in $REAL_INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
|
|
Riadok 1034 allow_input() |
|
Riadok 1045 allow_input() |
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p TCP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
if [ "X$iface" = "Xlo" ]; then |
|
$IPTABLES -t nat -A OUTPUT -p TCP -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 1048 allow_input() |
|
Riadok 1063 allow_input() |
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p UDP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
if [ "X$iface" = "Xlo" ]; then |
|
$IPTABLES -t nat -A OUTPUT -p UDP -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 1114 allow_input() |
|
Riadok 1133 allow_input() |
|
port="ALL"; |
port="ALL"; |
fi |
fi |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
if [ $(( ++counter )) -ge 5 -o "x$port" = "x10050" ]; then counter=0; print_info ""; fi; |
echo $port | grep -q , |
echo $port | grep -q , |
multiport="$?"; |
multiport="$?"; |
if [ "$multiport" -eq 0 ]; then |
if [ "$multiport" -eq 0 ]; then |
Riadok 1199 allow_input() |
|
Riadok 1218 allow_input() |
|
|
|
} # }}} |
} # }}} |
|
|
# ACCEPT all packets from our IP address |
# ACCEPT selected IPs/ports if defined for interface |
|
# if not defined ACCEPT all packets from our IP addresses |
allow_output() |
allow_output() |
{ # {{{ |
{ # {{{ |
|
output_tcp_str=""; |
|
output_udp_str=""; |
|
output_icmp_str=""; |
|
|
# Povolíme odchozí pakety, které mají naše IP adresy |
|
print_info -en "Accepting OUTPUT packets from" |
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
gateway="Gateway_$iface"; |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
|
print_info -en " $ip($iface)" |
|
$IPTABLES -A OUTPUT -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
done; |
|
print_info " done."; |
|
|
|
|
accept_output_tcp="${iface}_ACCEPT_OUTPUT_TCP" |
|
ACCEPT_OUTPUT_TCP="${!accept_output_tcp}" |
|
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
|
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
|
|
|
|
|
# TCP |
|
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
else |
|
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
|
for port in $ACCEPT_OUTPUT_TCP; do |
|
dest_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
|
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
|
if [ -z "$dest_ip" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
|
else |
|
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
|
else |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
|
fi |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# UDP |
|
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
else |
|
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
|
for port in $ACCEPT_OUTPUT_UDP; do |
|
dest_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
|
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
|
if [ -z "$dest_ip" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
|
else |
|
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
|
else |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
|
fi |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# ICMP |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_icmp_str="$output_icmp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p ICMP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
done |
|
|
|
if [ -n "$output_tcp_str" ]; then |
|
print_info "Accepting OUTPUT TCP packets through $output_tcp_str done." |
|
fi |
|
if [ -n "$output_udp_str" ]; then |
|
print_info "Accepting OUTPUT UDP packets through $output_udp_str done." |
|
fi |
|
if [ -n "$output_icmp_str" ]; then |
|
print_info "Accepting OUTPUT ICMP packets through $output_icmp_str done." |
|
fi |
} # }}} |
} # }}} |
|
|
allow_icmp() |
allow_icmp() |
|
|
done |
done |
} # }}} |
} # }}} |
|
|
|
map_subnet() |
|
{ # {{{ |
|
cfgvar=$1 |
|
cfgfile=$2 |
|
port=$3 |
|
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
"Config file '$cfgfile' not found" |
|
exit 1 |
|
fi |
|
fi |
|
|
|
echo "Mapping $cfgfound map file to $cfgvar, port $port" |
|
while read subnet ; do |
|
case "$subnet" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
echo "$cfgvar=\"\$$cfgvar $subnet:$port\"" >> "$DEFAULT_FIREWALL_CONFIG_DIR/$cfgfile" |
|
done < $cfgfound |
|
|
|
} # }}} |
|
|
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
parse_ifconfig() |
parse_ifconfig() |
Riadok 1572 while (my $line = <STDIN>) { |
|
Riadok 1701 while (my $line = <STDIN>) { |
|
$iface = $1; |
$iface = $1; |
my $iface_hwaddr = $2; |
my $iface_hwaddr = $2; |
my $x_iface = $iface; |
my $x_iface = $iface; |
$iface =~ s/:/_/; # convert "eth0:0" --> "eth0_0" |
$iface =~ s/:$//g; |
|
$iface =~ s/:/_/g; # convert "eth0:0" --> "eth0_0" |
$x_iface = [ $x_iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" --> "eth0" |
$x_iface = [ $x_iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" --> "eth0" |
$ifname{$iface} = $x_iface; |
$ifname{$iface} = $x_iface; |
$ipcount{$iface}++; |
$ipcount{$iface}++; |
Riadok 1592 while (my $line = <STDIN>) { |
|
Riadok 1722 while (my $line = <STDIN>) { |
|
push @{$ip6{$iface}}, $fields[3]; |
push @{$ip6{$iface}}, $fields[3]; |
$scope6{$iface} = [ $fields[4] =~ m/Scope:(.*)$/i ]->[0]; |
$scope6{$iface} = [ $fields[4] =~ m/Scope:(.*)$/i ]->[0]; |
} |
} |
|
elsif ($line =~ m/^[ \t]+inet\s/) { # Linux IP address |
|
die unless defined $iface; |
|
my @fields = split(/[\s:]+/, $line); |
|
push @{$ip{$iface}}, $fields[2]; |
|
$bcast{$iface} = (defined($fields[5]) and $fields[5] eq "broadcast") ? $fields[6] : ""; |
|
$mask{$iface} = $fields[4]; |
|
} |
|
|
} |
} |
|
|
Riadok 1605 map { printf "IPcount_%s=\"%s\"; export |
|
Riadok 1742 map { printf "IPcount_%s=\"%s\"; export |
|
map { printf "IFname_%s=\"%s\"; export IFname_%s;\n", $_, $ifname{$_}, $_; } keys %ifname; |
map { printf "IFname_%s=\"%s\"; export IFname_%s;\n", $_, $ifname{$_}, $_; } keys %ifname; |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", sort keys %ip); |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", sort keys %ip); |
'` |
'` |
eval "$parsed_interfaces"; |
|
#echo "$parsed_interfaces"; |
#echo "$parsed_interfaces"; |
|
eval "$parsed_interfaces"; |
|
|
parsed_routes=`$PERL -e ' |
parsed_routes=`$PERL -e ' |
$\ = "\n"; |
$\ = "\n"; |
Riadok 1655 printf "interfaces=\"%s\"; export inter |
|
Riadok 1792 printf "interfaces=\"%s\"; export inter |
|
|
|
} # }}} |
} # }}} |
'` |
'` |
|
#echo $parsed_routes |
eval "$parsed_routes"; |
eval "$parsed_routes"; |
|
|
# Now we have defined variables like this: |
# Now we have defined variables like this: |
|
|
remote) |
remote) |
remote; |
remote; |
;; |
;; |
|
map-subnet) |
|
shift; |
|
map_subnet $*; |
|
;; |
*) |
*) |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
exit 1 |
exit 1 |
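Review bot: In map_subnet (hunk Riadok 1199/1218, the function is fully visible) the not-found branch is a bare string `"Config file '$cfgfile' not found"` that the shell tries to execute as a command, so the user gets a "command not found" error instead of the message before the `exit 1`; it should read `echo "Config file '$cfgfile' not found" >&2`. The three positional arguments come straight from the command line (`map_subnet $*` in the new case branch, which should itself be `map_subnet "$@"`), and `$cfgvar`, `$port` and each `$subnet` are written as shell assignments into `$DEFAULT_FIREWALL_CONFIG_DIR/$cfgfile`, a file that presumably gets sourced by the firewall script later, while `$cfgfile` is also used unchecked as a path component under the two subnets/ directories. A guard that accepts only an identifier, a bare file name and a numeric port keeps arbitrary text out of that file; whether the subnet lines of the map file also need an address-shape check depends on who controls those map files, which the hunk does not show. The loop should also use `read -r subnet` so backslashes in the map file are not rewritten.
```shell
cfgvar=$1
cfgfile=$2
port=$3
# These values end up as shell assignments inside a config file, so reject
# anything that is not an identifier, a bare file name, or a port number.
case "$cfgvar"  in ""|[0-9]*|*[!A-Za-z0-9_]*) echo "Invalid variable name '$cfgvar'" >&2; exit 1 ;; esac
case "$cfgfile" in ""|*/*)                   echo "Invalid config file name '$cfgfile'" >&2; exit 1 ;; esac
case "$port"    in ""|*[!0-9]*)              echo "Invalid port '$port'" >&2; exit 1 ;; esac
# … unchanged: lookup of the map file in the two subnets/ directories …
echo "Config file '$cfgfile' not found" >&2
exit 1
# … unchanged: "Mapping ..." message …
while read -r subnet ; do
# … unchanged: comment/blank skipping and the append to the config file …
```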