verzia 2.28, 2005/10/09 21:11:08 |
verzia 2.34, 2006/01/10 01:01:59 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.27 2005/08/04 19:39:11 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.30 2005/11/01 00:36:24 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 57 AWK="${AWK:=/usr/bin/awk}" |
|
Riadok 57 AWK="${AWK:=/usr/bin/awk}" |
|
|
|
# loopback interface |
# loopback interface |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IP="IP_$LO_IFACE" |
|
|
|
# |
# |
# CONSTANTS - Do not edit |
# CONSTANTS - Do not edit |
|
|
if [ -f "$CACHE_FILE" ]; then |
if [ -f "$CACHE_FILE" ]; then |
echo "Loading rules from cache file $CACHE_FILE" |
echo "Loading rules from cache file $CACHE_FILE" |
$IPTABLES_RESTORE -c < $CACHE_FILE; |
$IPTABLES_RESTORE -c < $CACHE_FILE; |
|
forward_on # this has nothing to do with IPtables rules, we need to run them explicitly |
exit 0; |
exit 0; |
fi |
fi |
} # }}} |
} # }}} |
Riadok 153 antispoof_on() |
|
Riadok 153 antispoof_on() |
|
done |
done |
} # }}} |
} # }}} |
|
|
|
# Turn on IP packets forwarding |
forward_on() |
forward_on() |
{ # {{{ |
{ # {{{ |
echo -en "NAT: Enabling packet forwarding..." |
# NAT requires turn on IP forwarding |
echo 1 > /proc/sys/net/ipv4/ip_forward |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
echo " done." |
echo -en "NAT: Enabling packet forwarding..." |
|
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
echo " done." |
|
fi |
} # }}} |
} # }}} |
|
|
forward_off() |
forward_off() |
|
|
echo -en " $src_port -> $local_machine:$dest_port" |
echo -en " $src_port -> $local_machine:$dest_port" |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d ${!lan_ip} \ |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d ${!lan_ip} \ |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
$IPTABLES -A FORWARD -p TCP -i eth0 -d $local_machine --dport $dest_port -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
done |
done |
echo " done." |
echo " done." |
fi |
fi |
Riadok 418 log_new_connections() |
|
Riadok 422 log_new_connections() |
|
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
echo -en "Logging new connections:" |
if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then |
$IPTABLES_LOG -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " |
NAT_LOG_NEW_CONNECTIONS="TCP UDP" |
$IPTABLES_LOG -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " |
fi |
$IPTABLES_LOG -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " |
echo -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" |
|
for proto in $NAT_LOG_NEW_CONNECTIONS; do |
|
$IPTABLES_LOG -A INPUT -m state --state NEW -p $proto -j LOG --log-prefix "IN connection: " |
|
$IPTABLES_LOG -A OUTPUT -m state --state NEW -p $proto -j LOG --log-prefix "OUT connection: " |
|
$IPTABLES_LOG -A FORWARD -m state --state NEW -p $proto -j LOG --log-prefix "FWD connection: " |
|
done |
echo " done." |
echo " done." |
fi |
fi |
fi |
fi |
Riadok 646 log_forward_drop() |
|
Riadok 655 log_forward_drop() |
|
|
|
} # }}} |
} # }}} |
|
|
|
do_ip_accounting() |
|
{ # {{{ |
|
|
|
if [ ! "x$DO_LOCAL_IP_ACCOUNTING" = "xno" ]; then |
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
|
IPACCT_NAME="ZORBCOUNT" |
|
IPACCT_IN_NAME="ZORBCOUNTIN" |
|
IPACCT_OUT_NAME="ZORBCOUNTOUT" |
|
$IPTABLES -N $IPACCT_NAME # whole network |
|
$IPTABLES -N $IPACCT_IN_NAME # download: from server to client |
|
$IPTABLES -A $IPACCT_IN_NAME |
|
$IPTABLES -N $IPACCT_OUT_NAME # upload: from client to server |
|
$IPTABLES -A $IPACCT_OUT_NAME |
|
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
|
netmask="Mask_$NAT_SUBNET_IFACE" |
|
localnet="${!ip}/${!netmask}" |
|
|
|
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
|
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
|
|
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
|
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
|
|
|
for client_ip in $IP_ACCT_CLIENTS; do |
|
$IPTABLES -A $IPACCT_NAME -s $client_ip |
|
$IPTABLES -A $IPACCT_NAME -d $client_ip |
|
done |
|
|
|
$IPTABLES -A $IPACCT_NAME -s $localnet |
|
$IPTABLES -A $IPACCT_NAME -d $localnet |
|
|
|
fi |
|
fi |
|
|
|
} # }}} |
|
|
accept_related() |
accept_related() |
{ # {{{ |
{ # {{{ |
|
|
echo -en "Accepting ESTABLISHED, RELATED packets for IP:" |
echo -en "Accepting ESTABLISHED, RELATED packets for IP:" |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
ip="IP_$iface"; |
ip="IP_$iface"; |
|
|
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
|
forward_on |
|
do_ip_accounting |
$IPTABLES_SAVE -c > $CACHE_FILE |
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|
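Review bot: In the `log_new_connections` hunk, a value of `yes` is rewritten to `NAT_LOG_NEW_CONNECTIONS="TCP UDP"` and the three LOG rules now carry `-p $proto`, so NEW-state ICMP and other non-TCP/UDP flows that the previous unconditional INPUT/OUTPUT/FORWARD rules logged no longer appear in the log — a silent narrowing of the detection signal for anyone upgrading with the old `yes` setting. If that is intended, say so next to the substitution, e.g. `# "yes" covers TCP and UDP only; add ICMP to the list to keep logging new ICMP flows`; otherwise `NAT_LOG_NEW_CONNECTIONS="TCP UDP ICMP"` restores most of the old coverage. In the new `do_ip_accounting`, the `$IPTABLES -N` calls and the `-I INPUT`/`-I OUTPUT`/`-I FORWARD` jumps have no guard against the chains already existing, so unless the caller flushes and deletes user chains first (not visible here) a second run presumably fails at chain creation and duplicates the accounting jumps; also note the chain is derived from `NAT_SUBNET_IFACE` while every other rule uses `NAT_LAN_IFACE`, which is worth a one-line comment if the two are meant to differ. `forward_on` now sets ip_forward only when `NAT_LAN_IFACE` is non-empty but has no else branch, so a host whose forwarding was left on by an earlier run keeps forwarding after NAT is unconfigured; `forward_off`'s body is outside this section and may be what covers that.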