===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.47
retrieving revision 2.48
diff -u -p -r2.47 -r2.48
--- scripts/shell/firewall/fw-universal.sh 2006/09/24 16:17:10 2.47
+++ scripts/shell/firewall/fw-universal.sh 2006/09/30 21:55:28 2.48
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.30 2005/11/01 00:36:24 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.47 2006-09-24 16:17:10 rajo Exp $
 #
 # Changelog:
 # 2003-10-24 - created
@@ -566,11 +566,17 @@ allow_input()
 if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then
 echo -en "Accepting ALL INPUT TCP connections on ports:"
 for port in $ALL_ACCEPT_INPUT_TCP; do
+ src_ip=""
+ eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'`
 for iface in $INTERFACES; do
- echo -en " $port($iface)"
+ echo -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 IPS="IP_$iface";
 for ip in ${!IPS}; do
- $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j ACCEPT
+ if [ -z "$src_ip" ]; then
+ $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j ACCEPT
+ else
+ $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT
+ fi
 done
 done
 done
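Review bot: The `eval` of awk output on the line after `src_ip=""` executes whatever shell text an element of `$ALL_ACCEPT_INPUT_TCP` carries, so an entry containing a quote, `;` or a backtick runs as code instead of being rejected. The list presumably comes from the firewall's own trusted config, but the split needs neither awk nor eval: `case "$port" in *:*) src_ip=${port%%:*}; port=${port#*:}; port=${port%%:*} ;; esac` yields the same `src_ip`/`port` pair for `addr:port` entries (and the same second field when more than one colon is present). `$src_ip` should also be quoted where it is passed as `-s $src_ip` and in the `[ ! -z $src_ip ]` test on the echo line, as it already is in `if [ -z "$src_ip" ]`. allow_input() starts before and ends after this hunk.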
@@ -579,11 +585,17 @@ allow_input()
 if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then
 echo -en "Accepting ALL INPUT UDP connections on ports:"
 for port in $ALL_ACCEPT_INPUT_UDP; do
+ src_ip=""
+ eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'`
 for iface in $INTERFACES; do
- echo -en " $port($iface)"
+ echo -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 IPS="IP_$iface";
 for ip in ${!IPS}; do
- $IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j ACCEPT
+ if [ -z "$src_ip" ]; then
+ $IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j ACCEPT
+ else
+ $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT
+ fi
 done
 done
 done
@@ -634,9 +646,15 @@ allow_input()
 if [ ! -z "$ACCEPT_INPUT_TCP" ]; then
 echo -en "$iface: Accepting INPUT TCP connections on ports:"
 for port in $ACCEPT_INPUT_TCP; do
- echo -en " $port"
+ src_ip=""
+ eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'`
+ echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 for ip in ${!IPS}; do
- $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j ACCEPT
+ if [ -z $src_ip ]; then
+ $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j ACCEPT
+ else
+ $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT
+ fi
 done
 done
 echo " done."
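Review bot: The source/port parse added after `for port in $ALL_ACCEPT_INPUT_UDP; do` is pasted verbatim into all four port loops of allow_input() (this UDP block, its TCP twin above, and the two per-interface loops below), and the copies have already drifted — the later two drop the quotes in `[ -z $src_ip ]`. One file-level helper that every loop calls keeps the splitting rule and the quoting in one place, and can do the split with parameter expansion rather than piping each entry through awk and eval. The iptables rule lines themselves need no change. allow_input() continues outside this hunk on both sides.
```shell
# Split an "addr:port" list entry into the globals src_ip and port;
# a bare "port" entry leaves src_ip empty. Defined at file level, next
# to allow_input().
split_src_port() {
  src_ip=""
  port="$1"
  case "$port" in
    *:*) src_ip="${port%%:*}"; port="${port#*:}"; port="${port%%:*}" ;;
  esac
}

# … unchanged: if [ ! -z "$ALL_ACCEPT_INPUT_UDP" ]; then … for port in $ALL_ACCEPT_INPUT_UDP; do …
    split_src_port "$port"
    for iface in $INTERFACES; do
      echo -en " $port($iface)"`[ -n "$src_ip" ] && echo "[$src_ip]"`
# … unchanged: IPS="IP_$iface"; for ip in ${!IPS}; do … iptables rules … done …
```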
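Review bot: `if [ -z $src_ip ]; then` in the `@@ -634,9 +646,15 @@` hunk drops the quotes that the two ALL_ACCEPT hunks use; with an empty `src_ip` it collapses to `[ -z ]`, which `test` reads as "is the string `-z` non-empty" and happens to answer true, so the unrestricted branch works only by accident. Write `if [ -z "$src_ip" ]; then` as the earlier hunks do, and quote it in `[ ! -z $src_ip ]` on the echo line and in `-s $src_ip` as well. This hunk is the middle of allow_input(); the per-interface loop that sets the `IPS` read via `${!IPS}` presumably begins above it.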
@@ -645,11 +663,17 @@ allow_input()
 if [ ! -z "$ACCEPT_INPUT_UDP" ]; then
 echo -en "$iface: Accepting INPUT UDP connections on ports:"
 for port in $ACCEPT_INPUT_UDP; do
- echo -en " $port"
+ src_ip=""
+ eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'`
+ echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 #$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT
 #$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT
 for ip in ${!IPS}; do
- $IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j ACCEPT
+ if [ -z $src_ip ]; then
+ $IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j ACCEPT
+ else
+ $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT
+ fi
 done
 done
 echo " done."
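Review bot: The `:` separator chosen on the eval line collides with iptables' own `--dport lo:hi` range syntax, which the old code passed straight through, so an entry such as `1000:2000` would now become `src_ip=1000 port=2000` and `-s 1000` is handed to iptables as an address — the range is lost without any message. If ranges are used in any ACCEPT_INPUT_UDP list (not visible from here), the parse should require an address-shaped first field or use a separator iptables does not, e.g. `addr@port`. Independently, an entry like `10.0.0.1:` yields an empty `port`, the `--dport` rule then fails inside iptables after the entry has already been echoed as accepted, and nothing in the hunk stops the run; a guard right after the eval, `[ -n "$port" ] || { echo " malformed entry '$src_ip:' skipped" >&2; continue; }`, fails loudly instead. allow_input() continues past the end of this hunk.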