verzia 2.59, 2008/04/14 18:04:31 |
verzia 2.65, 2009/02/06 00:43:12 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.58 2008-04-13 19:27:00 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.64 2009-02-06 00:38:56 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 70 IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
|
Riadok 70 IFCONFIG="${IFCONFIG:=/sbin/ifconfig}" |
|
DEPMOD="${DEPMOD:=/sbin/depmod}" |
DEPMOD="${DEPMOD:=/sbin/depmod}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
MODPROBE="${MODPROBE:=/sbin/modprobe}" |
RMMOD="${RMMOD:=/sbin/rmmod}" |
RMMOD="${RMMOD:=/sbin/rmmod}" |
AWK="${AWK:=/usr/bin/awk}" |
AWK="${AWK:=/usr/bin/gawk}" |
PERL="${PERL:=/usr/bin/perl}" |
PERL="${PERL:=/usr/bin/perl}" |
|
|
# shaping |
# shaping |
Riadok 105 TRACEROUTE_DEST_PORTS="33434:33523" # Tr |
|
Riadok 105 TRACEROUTE_DEST_PORTS="33434:33523" # Tr |
|
# allow some ICMP packets - needed for ping etc. |
# allow some ICMP packets - needed for ping etc. |
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" |
ACCEPT_ICMP_PACKETS="${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}" |
|
|
|
# check if all required tools are installed |
|
check_tools() |
|
{ # {{{ |
|
[ -x $AWK ] || (echo "AWK not found: please install gawk" && exit 1); |
|
[ -x $PERL ] || (echo "PERL not found: please install perl" && exit 1); |
|
[ -x $IPTABLES ] || (echo "IPTABLES not found: please install iptables" && exit 1); |
|
[ -x $IPTABLES_SAVE ] || (echo "IPTABLES_SAVE not found: please install iptables" && exit 1); |
|
[ -x $IPTABLES_RESTORE ] || (echo "IPTABLES_RESTORE not found: please install iptables" && exit 1); |
|
} # }}} |
|
|
print_first() |
print_first() |
{ # {{{ |
{ # {{{ |
Riadok 119 get_first_ip_addr() |
|
Riadok 128 get_first_ip_addr() |
|
|
|
read_config_ips() |
read_config_ips() |
{ # {{{ |
{ # {{{ |
PARSE_CONFIG=$1 perl -ne 'if (m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/(\d+)$/g) { print; } elsif ($_ !~ m/^\s*#/ && $_ !~ m/^\s*$/ ) { print STDERR "ERROR: $ENV{PARSE_CONFIG}:$.: ignored string $_\n"; }' $1 |
PARSE_CONFIG=$1 $PERL -ne 'if (m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/(\d+)$/g) { print; } elsif ($_ !~ m/^\s*#/ && $_ !~ m/^\s*$/ ) { print STDERR "ERROR: $ENV{PARSE_CONFIG}:$.: ignored string $_\n"; }' $1 |
} # }}} |
} # }}} |
|
|
# load necessary modules from $MODULES variable |
# load necessary modules from $MODULES variable |
|
|
|
|
# restore IPtables rules |
# restore IPtables rules |
$IPTABLES_RESTORE -c < $CACHE_FILE; |
$IPTABLES_RESTORE -c < $CACHE_FILE; |
exit 0; |
#echo "exit code $IPTABLES_RESTORE: $?" |
|
[ $? -eq 0 ] && exit 0; # exit if load succesfull |
fi |
fi |
} # }}} |
} # }}} |
|
|
Riadok 178 unload_modules() |
|
Riadok 188 unload_modules() |
|
print_iface_status() |
print_iface_status() |
{ # {{{ |
{ # {{{ |
# Print interfaces: |
# Print interfaces: |
print_info "# iface | IP addr | Gateway | broadcast | netmask | HW addr" |
print_info "$(pad7 "# iface") | $(pad15 "IP address") | $(pad15 "Gateway") | $(pad15 "Broadcast") | $(pad15 "Netmask") | HW address"; |
for iface in $interfaces; do |
for iface in $interfaces; do |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for IP in ${!IPS}; do |
for IP in ${!IPS}; do |
Gateway="Gateway_$iface"; Bcast="Bcast_$iface"; Mask="Mask_$iface"; HWaddr="HWaddr_$iface"; |
Gateway="Gateway_$iface"; |
print_info "$iface | ${IP} | ${!Gateway} | ${!Bcast} | ${!Mask} | ${!HWaddr}" |
Bcast="Bcast_$iface"; |
|
Mask="Mask_$iface"; |
|
HWaddr="HWaddr_$iface"; |
|
print_info "$(pad7 $iface) | $(pad15 ${IP}) | $(pad15 ${!Gateway}) | $(pad15 ${!Bcast}) | $(pad15 ${!Mask}) | ${!HWaddr}"; |
done |
done |
done |
done |
} # }}} |
} # }}} |
|
|
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN |
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN |
$IPTABLES -A syn-flood -j DROP |
$IPTABLES -A syn-flood -j DROP |
|
|
for iface in $INTERFACES; do |
for riface in $REAL_INTERFACES; do |
$IPTABLES -A INPUT -i $iface -p TCP --syn -j syn-flood |
$IPTABLES -A INPUT -i $riface -p TCP --syn -j syn-flood |
|
|
# packet is marked az NEW, but doesn't have SYN flag - drop it |
# packet is marked az NEW, but doesn't have SYN flag - drop it |
$IPTABLES -A INPUT -i $iface -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -A INPUT -i $riface -p TCP ! --syn -m state --state NEW -j DROP |
done |
done |
|
|
|
|
Riadok 362 mangle_output() |
|
Riadok 375 mangle_output() |
|
print_info -en "Optimizing OUTPUT TOS:" |
print_info -en "Optimizing OUTPUT TOS:" |
# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet |
# TOS flagy slouzi k optimalizaci datovych cest. Pro ssh, ftp a telnet |
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost |
# pozadujeme minimalni zpozdeni. Pro ftp-data zase maximalni propostnost |
for iface in $INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $iface"; |
print_info -en " $riface"; |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $riface -p TCP --sport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $riface -p TCP --dport ssh -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $riface -p TCP --sport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $riface -p TCP --dport ftp -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --dport telnet -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $riface -p TCP --dport telnet -j TOS --set-tos Minimize-Delay |
$IPTABLES -t mangle -A OUTPUT -o $iface -p TCP --sport ftp-data -j TOS --set-tos Maximize-Throughput |
$IPTABLES -t mangle -A OUTPUT -o $riface -p TCP --sport ftp-data -j TOS --set-tos Maximize-Throughput |
done |
done |
print_info " done." |
print_info " done." |
|
|
Riadok 530 log_new_connections() |
|
Riadok 543 log_new_connections() |
|
drop_output() |
drop_output() |
{ # {{{ |
{ # {{{ |
|
|
for iface in $INTERFACES; do |
for riface in $REAL_INTERFACES; do |
drop_output_tcp="${iface}_DROP_OUTPUT_TCP" |
drop_output_tcp="${riface}_DROP_OUTPUT_TCP" |
DROP_OUTPUT_TCP="${!drop_output_tcp}" |
DROP_OUTPUT_TCP="${!drop_output_tcp}" |
drop_output_udp="${iface}_DROP_OUTPUT_UDP" |
drop_output_udp="${riface}_DROP_OUTPUT_UDP" |
DROP_OUTPUT_UDP="${!drop_output_udp}" |
DROP_OUTPUT_UDP="${!drop_output_udp}" |
|
|
if [ ! -z "$DROP_OUTPUT_TCP" ]; then |
if [ ! -z "$DROP_OUTPUT_TCP" ]; then |
print_info -en "$iface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_TCP; do |
for port in $DROP_OUTPUT_TCP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p TCP --sport $port -o $iface -j DROP |
$IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $iface -j DROP |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
if [ ! -z "$DROP_OUTPUT_UDP" ]; then |
if [ ! -z "$DROP_OUTPUT_UDP" ]; then |
print_info -en "$iface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_UDP; do |
for port in $DROP_OUTPUT_UDP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p UDP --sport $port -o $iface -j DROP |
$IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $iface -j DROP |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
if [ ! -z "$ALL_DROP_INPUT_TCP" ]; then |
if [ ! -z "$ALL_DROP_INPUT_TCP" ]; then |
print_info -en "Drop ALL INPUT TCP connections on ports:" |
print_info -en "Drop ALL INPUT TCP connections on ports:" |
for port in $ALL_DROP_INPUT_TCP; do |
for port in $ALL_DROP_INPUT_TCP; do |
for iface in $INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($iface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $iface -p TCP --dport $port -j DROP |
$IPTABLES -A INPUT -i $riface -p TCP --dport $port -j DROP |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
if [ ! -z "$ALL_DROP_INPUT_UDP" ]; then |
if [ ! -z "$ALL_DROP_INPUT_UDP" ]; then |
print_info -en "Drop ALL INPUT UDP connections on ports:" |
print_info -en "Drop ALL INPUT UDP connections on ports:" |
for port in $ALL_DROP_INPUT_UDP; do |
for port in $ALL_DROP_INPUT_UDP; do |
for iface in $INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($iface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $iface -p UDP --dport $port -j DROP |
$IPTABLES -A INPUT -i $riface -p UDP --dport $port -j DROP |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
Riadok 635 reject_input() |
|
Riadok 648 reject_input() |
|
if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then |
print_info -en "Reject ALL INPUT TCP connections on ports:" |
print_info -en "Reject ALL INPUT TCP connections on ports:" |
for port in $ALL_REJECT_INPUT_TCP; do |
for port in $ALL_REJECT_INPUT_TCP; do |
for iface in $INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($iface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $iface -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i $riface -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
Riadok 645 reject_input() |
|
Riadok 658 reject_input() |
|
if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then |
if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then |
print_info -en "Reject ALL INPUT UDP connections on ports:" |
print_info -en "Reject ALL INPUT UDP connections on ports:" |
for port in $ALL_REJECT_INPUT_UDP; do |
for port in $ALL_REJECT_INPUT_UDP; do |
for iface in $INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($iface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $iface -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i $riface -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
fi |
fi |
done |
done |
done |
done |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
fi |
fi |
done |
done |
done |
done |
|
|
fi |
fi |
|
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
|
|
redirect_tcp="${iface}_REDIRECT_TCP" |
redirect_tcp="${iface}_REDIRECT_TCP" |
|
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p TCP -i $iface -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
$IPTABLES -t nat -A PREROUTING -p TCP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p UDP -i $iface -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
$IPTABLES -t nat -A PREROUTING -p UDP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
fi |
fi |
done |
done |
done |
done |
|
|
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
fi |
fi |
done |
done |
done |
done |
Riadok 842 allow_output() |
|
Riadok 858 allow_output() |
|
# Povolíme odchozí pakety, které mají naše IP adresy |
# Povolíme odchozí pakety, které mají naše IP adresy |
print_info -en "Accepting OUTPUT packets from" |
print_info -en "Accepting OUTPUT packets from" |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
print_info -en " $ip($iface)" |
print_info -en " $ip($iface)" |
$IPTABLES -A OUTPUT -o $iface -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -s $ip -j ACCEPT |
done |
done |
done; |
done; |
print_info " done."; |
print_info " done."; |
|
|
for type in $ACCEPT_ICMP_PACKETS; do |
for type in $ACCEPT_ICMP_PACKETS; do |
print_info -en " $type" |
print_info -en " $type" |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
$IPTABLES -A INPUT -i $iface -d $ip -p ICMP --icmp-type $type -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p ICMP --icmp-type $type -j ACCEPT |
done |
done |
done |
done |
done |
done |
Riadok 970 do_ip_accounting() |
|
Riadok 988 do_ip_accounting() |
|
accept_related() |
accept_related() |
{ # {{{ |
{ # {{{ |
|
|
print_info -en "Accepting ESTABLISHED, RELATED packets for IP:" |
print_info -en "Accepting ESTABLISHED, RELATED packets ..." |
for iface in $INTERFACES; do |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
IPS="IP_$iface"; |
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
for ip in ${!IPS}; do |
|
print_info -en " $ip($iface)" |
|
done |
|
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
done |
|
print_info " done." |
print_info " done." |
|
|
} # }}} |
} # }}} |
Riadok 1118 parse_ifconfig() |
|
Riadok 1130 parse_ifconfig() |
|
$PERL -e ' |
$PERL -e ' |
my $iface_count = 0; |
my $iface_count = 0; |
my $iface; |
my $iface; |
my (%ip6, %scope6, %bcast, %mask, %hwaddr, %ipcount); |
my (%ip, %ifname, %ip6, %scope6, %bcast, %mask, %hwaddr, %ipcount); |
|
|
while (my $line = <STDIN>) { |
while (my $line = <STDIN>) { |
chomp $line; |
chomp $line; |
if ($line =~ m/^([a-z0-9:]+)\s+.*?([a-z0-9:]+)\s*$/i) { # Linux interface |
if ($line =~ m/^([a-z0-9:]+)\s+.*?([a-z0-9:]+)\s*$/i) { # Linux interface |
$iface = $1; |
$iface = $1; |
my $iface_hwaddr = $2; |
my $iface_hwaddr = $2; |
$iface = [ $iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" --> "eth0" |
my $x_iface = $iface; |
|
$iface =~ s/:/_/; # convert "eth0:0" --> "eth0_0" |
|
$x_iface = [ $x_iface =~ m/^([a-z0-9]+)/i ]->[0]; # convert "eth0:0" --> "eth0" |
|
$ifname{$iface} = $x_iface; |
$ipcount{$iface}++; |
$ipcount{$iface}++; |
$hwaddr{$iface} = $iface_hwaddr; |
$hwaddr{$iface} = $iface_hwaddr; |
$iface_count++; |
$iface_count++; |
Riadok 1153 map { printf "Bcast_%s=\"%s\"; export B |
|
Riadok 1168 map { printf "Bcast_%s=\"%s\"; export B |
|
map { printf "Mask_%s=\"%s\"; export Mask_%s;\n", $_, $mask{$_}, $_; } keys %mask; |
map { printf "Mask_%s=\"%s\"; export Mask_%s;\n", $_, $mask{$_}, $_; } keys %mask; |
map { printf "HWaddr_%s=\"%s\"; export HWaddr_%s;\n", $_, $hwaddr{$_}, $_; } keys %hwaddr; |
map { printf "HWaddr_%s=\"%s\"; export HWaddr_%s;\n", $_, $hwaddr{$_}, $_; } keys %hwaddr; |
map { printf "IPcount_%s=\"%s\"; export IPcount_%s;\n", $_, $ipcount{$_}, $_; } keys %ipcount; |
map { printf "IPcount_%s=\"%s\"; export IPcount_%s;\n", $_, $ipcount{$_}, $_; } keys %ipcount; |
|
map { printf "IFname_%s=\"%s\"; export IFname_%s;\n", $_, $ifname{$_}, $_; } keys %ifname; |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", keys %ip); |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", keys %ip); |
'` |
'` |
eval "$parsed_interfaces"; |
eval "$parsed_interfaces"; |
|
#echo "$parsed_interfaces"; |
|
|
parsed_routes=`$PERL -e ' |
parsed_routes=`$PERL -e ' |
$\ = "\n"; |
$\ = "\n"; |
Riadok 1213 printf "interfaces=\"%s\"; export inter |
|
Riadok 1230 printf "interfaces=\"%s\"; export inter |
|
|
|
} # }}} |
} # }}} |
|
|
|
# helper function for string padding |
|
str_pad_right() |
|
{ # {{{ |
|
num="$1"; |
|
string="$2"; |
|
count=$(echo -n "$string" | wc -c); |
|
count=$((count + 0)) |
|
while [ $count -lt $num ]; do |
|
string="$string "; |
|
count=$((count + 1)); |
|
done |
|
echo -n "$string" |
|
return; |
|
} # }}} |
|
|
|
pad7() { str_pad_right 7 "$1"; } |
|
pad15() { str_pad_right 15 "$1"; } |
|
|
|
|
|
check_tools |
parse_ifconfig |
parse_ifconfig |
print_iface_status |
print_iface_status |
|
|
Riadok 1223 print_iface_status |
|
Riadok 1259 print_iface_status |
|
# $INTERFACES_ACCEPT_ALL - interfaces withouth restrictions |
# $INTERFACES_ACCEPT_ALL - interfaces withouth restrictions |
# |
# |
# $INTERFACES - all interfaces withouth loopback |
# $INTERFACES - all interfaces withouth loopback |
# and devices without restrictions (e.g. tun0 tun1 tap0 ...) |
# and devices without restrictions (e.g. tun0 tun1 tap0 eth0_0 eth0_1 ...) |
|
# |
|
# $REAL_INTERFACES - aliases like eth0:0, eth1:0 are transformed to eth0, eth1, ... |
# |
# |
# list of all interfaces is in $interfaces variable |
# list of all interfaces is in $interfaces variable |
# |
# |
INTERFACES="" |
INTERFACES="" |
INTERFACES_ACCEPT_ALL="" |
INTERFACES_ACCEPT_ALL="" |
|
x_REAL_INTERFACES="" |
regexp='^\('`echo $IFACE_ACCEPT_ALL | sed 's/ /\\\|/g; s/+/.*/g;'`'\)$' |
regexp='^\('`echo $IFACE_ACCEPT_ALL | sed 's/ /\\\|/g; s/+/.*/g;'`'\)$' |
for iface in $interfaces; do |
for iface in $interfaces; do |
|
riface="IFname_$iface"; |
|
x_REAL_INTERFACES="$x_REAL_INTERFACES ${!riface}" |
#if [ "o$iface" = "olo" ]; then continue; fi |
#if [ "o$iface" = "olo" ]; then continue; fi |
echo $iface | grep -q -e "$regexp" |
echo $iface | grep -q -e "$regexp" |
if [ $? = 0 ] || [ "o$iface" = "olo" ]; then # lo interface is always here |
if [ $? = 0 ] || [ "o$iface" = "olo" ]; then # lo interface is always here |
Riadok 1239 for iface in $interfaces; do |
|
Riadok 1280 for iface in $interfaces; do |
|
INTERFACES="$INTERFACES $iface"; |
INTERFACES="$INTERFACES $iface"; |
fi |
fi |
done |
done |
|
REAL_INTERFACES="`echo $x_REAL_INTERFACES | awk -v RS=' ' '{ print; }' | sort -u`" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
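Review bot: The new check_tools() (hunk at line 70) never stops the script when a tool is missing: each check runs `exit 1` inside a `( ... )` subshell, so only the subshell exits and the firewall setup continues without awk/perl/iptables, which for a firewall script means an unpredictable partial rule set rather than a clean abort. The unquoted `$IPTABLES_SAVE`-style tests make it worse: if one of those variables is empty, `[ -x ]` becomes a one-argument test that succeeds, so the check passes silently. Use a `{ ...; exit 1; }` group, quote the variable, and send the message to stderr, as below for all five checks. As a smaller point, the new str_pad_right() helper writes `num`, `string` and `count` as globals; declaring them `local` would keep them from clobbering callers' variables.
```shell
check_tools()
{ # {{{
  [ -x "$AWK" ] || { echo "AWK not found: please install gawk" >&2; exit 1; }
  [ -x "$PERL" ] || { echo "PERL not found: please install perl" >&2; exit 1; }
  [ -x "$IPTABLES" ] || { echo "IPTABLES not found: please install iptables" >&2; exit 1; }
  [ -x "$IPTABLES_SAVE" ] || { echo "IPTABLES_SAVE not found: please install iptables" >&2; exit 1; }
  [ -x "$IPTABLES_RESTORE" ] || { echo "IPTABLES_RESTORE not found: please install iptables" >&2; exit 1; }
} # }}}
```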
|
|
|
|