verzia 2.71, 2009/11/06 23:14:36 |
verzia 2.96, 2013/09/23 08:40:34 |
|
|
#!/bin/sh |
#!/bin/bash |
|
|
|
### BEGIN INIT INFO |
|
# Provides: firewall |
|
# Required-Start: $network |
|
# Required-Stop: $remote_fs |
|
# Default-Start: S |
|
# Default-Stop: 0 6 |
|
# Short-Description: Starts firewall |
|
# Description: Handle universal firewall script by Platon Group |
|
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
|
# Author: Lubomir Host <rajo@platon.sk> |
|
# Copyright: (c) 2003-2011 Platon Group |
|
### END INIT INFO |
|
|
# |
# |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2009 Platon Group, http://platon.sk/ |
# Copyright (c) 2003-2011 Platon Group, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.70 2009-07-01 12:28:07 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.95 2013-09-21 03:01:24 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
# 2011-07-20 - implemented XEN_MODE |
# |
# |
|
|
|
|
umask 077 # security |
umask 077 # security |
|
|
DESC="firewall" |
DESC="firewall" |
Riadok 61 IPTABLES="${IPTABLES:=$DEBUG/sbin/iptabl |
|
Riadok 76 IPTABLES="${IPTABLES:=$DEBUG/sbin/iptabl |
|
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
|
|
|
IPTABLES_TABLES="${IPTABLES_TABLES:=filter nat mangle}" |
|
|
|
|
if [ "x$LOGGING" = "xoff" ]; then |
if [ "x$LOGGING" = "xoff" ]; then |
IPTABLES_LOG=": log turned off" |
IPTABLES_LOG=": log turned off" |
else |
else |
Riadok 76 PERL="${PERL:=/usr/bin/perl}" |
|
Riadok 94 PERL="${PERL:=/usr/bin/perl}" |
|
# shaping |
# shaping |
TC="${TC:=/sbin/tc}" |
TC="${TC:=/sbin/tc}" |
|
|
|
# update script |
|
UPDATE_SCRIPT="${UPDATE_SCRIPT:=update_from_cvs}" |
|
|
# loopback interface |
# loopback interface |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IFACE="${LO_IFACE:=lo}" |
# Hide NAT clients behind firewall |
# Hide NAT clients behind firewall |
|
|
|
|
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
mkdir -p "$DEFAULT_CACHE_DIR"; |
mkdir -p "$DEFAULT_CACHE_DIR"; |
|
if [ "$?" -ne "0" ]; then |
|
print_info "ERROR: unable to create cache dir in load_cache()"; |
|
return; |
|
fi |
fi |
fi |
|
|
config=`cat $DEFAULT_FIREWALL_CONFIG $0 $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf `; # config file and firewalling script |
config=""; |
md5key=`echo "config = '$config' parsed_interfaces ='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{ print $1; }'`; |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG\" `"; |
|
fi |
|
if [ -r "$0" ]; then |
|
config="$config ` cat \"$0\" `"; |
|
fi |
|
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
|
fi |
|
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
|
fi |
|
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
#echo "CACHE_FILE=$CACHE_FILE" |
#echo "CACHE_FILE=$CACHE_FILE" |
Riadok 206 set_default_policy() |
|
Riadok 243 set_default_policy() |
|
{ # {{{ |
{ # {{{ |
# Set default policy |
# Set default policy |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info "XEN_MODE enabled: default policy for FORWARD forced to ACCEPT"; |
|
$IPTABLES -P $chain ACCEPT; |
|
continue; |
|
fi |
$IPTABLES -P $chain $DEFAULT_POLICY |
$IPTABLES -P $chain $DEFAULT_POLICY |
done |
done |
} # }}} |
} # }}} |
|
|
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
|
|
for table in filter nat mangle; do |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -t $table -F # clear all chains |
print_info "XEN_MODE enabled: not clearing FORWARD chain"; |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES --flush INPUT |
$IPTABLES -t $table -Z # zero counts |
$IPTABLES --flush OUTPUT |
done |
$IPTABLES --flush spoof |
|
# TODO!!! |
|
else |
|
for table in $IPTABLES_TABLES; do |
|
$IPTABLES -t $table -F # clear all chains |
|
$IPTABLES -t $table -X # remove all chains |
|
$IPTABLES -t $table -Z # zero counts |
|
done |
|
fi |
|
|
} # }}} |
} # }}} |
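Review bot: In remove_chains() the new XEN_MODE branch only flushes INPUT, OUTPUT and the `spoof` chain of the filter table and leaves the `# TODO!!!` marker behind, so the nat and mangle tables are never flushed, user-defined chains are never deleted and no counters are zeroed; because every later function appends with `-A`, each restart in XEN_MODE adds a second copy of the MASQUERADE, PREROUTING redirect and TTL rules that masquerade() and the mangle code install (the `syn-flood` chain appears to have the same problem, inferred from the `-j syn-flood` rule in the next hunk). `$IPTABLES --flush spoof` also errors on the very first start, before the chain has been created. I would flush every built-in chain of every table except filter/FORWARD and only touch user chains that already exist, keeping the "do not clear FORWARD" intent of the commit.

```shell
if [ "X$XEN_MODE" = "Xon" ]; then
	print_info "XEN_MODE enabled: not clearing FORWARD chain";
	# Flush every built-in chain except filter/FORWARD so that a restart
	# does not append a second copy of the rules added later with -A.
	for table in $IPTABLES_TABLES; do
		for chain in `$IPTABLES -t $table -S | $AWK '$1 == "-P" { print $2; }'`; do
			[ "$table" = "filter" -a "$chain" = "FORWARD" ] && continue
			$IPTABLES -t $table -F $chain
		done
	done
	# user chains only exist after the first run; flush them if present
	for chain in spoof syn-flood; do
		$IPTABLES -L $chain -n > /dev/null 2>&1 && $IPTABLES -F $chain
	done
else
	# … unchanged: full -F / -X / -Z loop over $IPTABLES_TABLES …
```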
|
|
Riadok 254 nmap_scan_filter() |
|
Riadok 304 nmap_scan_filter() |
|
print_info -en "Turning on nmap scan filter " |
print_info -en "Turning on nmap scan filter " |
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info -ne " XEN_MODE "; |
|
continue; |
|
fi |
|
|
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
print_info -en "." |
print_info -en "." |
|
|
Riadok 264 nmap_scan_filter() |
|
Riadok 320 nmap_scan_filter() |
|
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
Riadok 272 nmap_scan_filter() |
|
Riadok 329 nmap_scan_filter() |
|
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
Riadok 286 invalid_packet_filter() |
|
Riadok 344 invalid_packet_filter() |
|
{ # {{{ |
{ # {{{ |
|
|
print_info -en "Turning on INVALID packet filter " |
print_info -en "Turning on INVALID packet filter " |
|
|
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info -ne " XEN_MODE "; |
|
continue; |
|
fi |
|
$IPTABLES_LOG -A $chain -m conntrack --ctstate INVALID $LOG_LIMIT "INVALID $chain: " |
print_info -en "." |
print_info -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m conntrack --ctstate INVALID -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
|
|
|
|
$IPTABLES -A INPUT -i $riface -p TCP --syn -j syn-flood |
$IPTABLES -A INPUT -i $riface -p TCP --syn -j syn-flood |
|
|
# packet is marked az NEW, but doesn't have SYN flag - drop it |
# packet is marked az NEW, but doesn't have SYN flag - drop it |
$IPTABLES -A INPUT -i $riface -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -A INPUT -i $riface -p TCP ! --syn -m conntrack --ctstate NEW -j DROP |
done |
done |
|
|
|
|
Riadok 343 anti_spoof_filter() |
|
Riadok 406 anti_spoof_filter() |
|
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
print_info -en " $iface" |
print_info -en " $iface" |
$IPTABLES -A FORWARD -i $iface -j spoof |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -i $iface -j spoof |
|
fi |
$IPTABLES -A INPUT -i $iface -j spoof |
$IPTABLES -A INPUT -i $iface -j spoof |
done |
done |
print_info " done." |
print_info " done." |
Riadok 391 mangle_output() |
|
Riadok 459 mangle_output() |
|
|
|
} # }}} |
} # }}} |
|
|
# Masquerade local subnet |
|
masquerade() |
masquerade() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ -z "$NAT_LAN_IFACE" ]; then |
print_info -en "NAT: Enabling packet forwarding..." |
return; |
echo 1 > /proc/sys/net/ipv4/ip_forward |
fi |
print_info " done." |
|
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
|
ip="`get_first_ip_addr IP_$NAT_SUBNET_IFACE`" |
|
netmask="Mask_$NAT_SUBNET_IFACE" |
|
localnet="$ip/${!netmask}" |
|
|
|
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
# alow packets from private subnet |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
if [ -n "$NAT_SUBNET_SRC" ]; then |
for client_ip in $NAT_CLIENT_DROP; do |
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
print_info -en " !$client_ip"; |
fi |
$IPTABLES -A FORWARD -s $client_ip -i $NAT_SUBNET_IFACE -j DROP |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
done |
print_info " done." |
|
print_info "XEN_MODE enabled: masquerade is limited to basic functionality only"; |
|
return; |
|
fi |
|
|
for redirect in $NAT_TCP_PORT_REDIRECT; do |
ip="`get_first_ip_addr IP_$NAT_SUBNET_IFACE`" |
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
netmask="Mask_$NAT_SUBNET_IFACE" |
eval `echo $redirect | \ |
localnet="$ip/${!netmask}" |
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
|
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
|
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
|
print_info -en " $remote_port>>$remote_ip:$local_port(udp)" |
|
$IPTABLES -t nat -A PREROUTING -p TCP \ |
|
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
|
--dport $remote_port -j REDIRECT --to-port $local_port |
|
done |
|
for redirect in $NAT_UDP_PORT_REDIRECT; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 2) { dnat = "no" ; remote_ip = "X"; remote_port = $1; local_port = $2; } \ |
|
(NF == 3) { dnat = "yes" ; remote_ip = $2; remote_port = $1; local_port = $3; } \ |
|
END { printf "dnat=%s; remote_ip=%s; remote_port=%s; local_port=%s;", dnat, remote_ip, remote_port, local_port; }'` |
|
print_info -en " $remote_port>>$remote_ip:$local_port(udp)" |
|
if [ "x$dnat" = "xyes" ]; then |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_SUBNET_IFACE -d ! $ip \ |
|
--dport $local_port -j DNAT --to $remote_ip:$remote_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_SUBNET_IFACE -d ! $ip --dport $local_port -j ACCEPT |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p UDP \ |
|
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
|
--dport $remote_port -j REDIRECT --to-port $local_port |
|
fi |
|
done |
|
|
|
#$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE |
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
|
|
# alow packets from private subnet |
|
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
|
for client_ip in $NAT_CLIENT_DROP; do |
|
print_info -en " !$client_ip"; |
|
$IPTABLES -A FORWARD -s $client_ip -i $NAT_SUBNET_IFACE -j DROP |
|
done |
|
|
print_info " done." |
for redirect in $NAT_TCP_PORT_REDIRECT; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
|
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
|
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
|
print_info -en " $remote_port>>$remote_ip:$local_port(tcp)" |
|
$IPTABLES -t nat -A PREROUTING -p TCP \ |
|
-i $NAT_SUBNET_IFACE \ |
|
--dport $remote_port -j REDIRECT --to-port $local_port |
|
done |
|
for redirect in $NAT_UDP_PORT_REDIRECT; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 2) { dnat = "no" ; remote_ip = "X"; remote_port = $1; local_port = $2; } \ |
|
(NF == 3) { dnat = "yes" ; remote_ip = $2; remote_port = $1; local_port = $3; } \ |
|
END { printf "dnat=%s; remote_ip=%s; remote_port=%s; local_port=%s;", dnat, remote_ip, remote_port, local_port; }'` |
|
print_info -en " $remote_port>>$remote_ip:$local_port(udp)" |
|
if [ "x$dnat" = "xyes" ]; then |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_SUBNET_IFACE -d ! $ip \ |
|
--dport $local_port -j DNAT --to $remote_ip:$remote_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_SUBNET_IFACE -d ! $ip --dport $local_port -j ACCEPT |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p UDP \ |
|
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
|
--dport $remote_port -j REDIRECT --to-port $local_port |
|
fi |
|
done |
|
|
# don't forward Miscrosoft protocols - NOT RFC compliant packets |
if [ -n "$NAT_SUBNET_SRC" ]; then |
if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then |
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
fi |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
|
|
for port in 69 135 445 1434 6667; do |
print_info " done." |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
|
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
|
done |
|
fi |
|
fi |
|
|
|
if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then |
# don't forward Miscrosoft protocols - NOT RFC compliant packets |
print_info -en "\tAccepting FORWARD TCP ports:" |
if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then |
for port in $NAT_FORWARD_TCP_PORTS; do |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
print_info -en " $port" |
$IPTABLES -A FORWARD -p TCP ! --syn -m conntrack --ctstate NEW -j DROP |
$IPTABLES -A FORWARD -p TCP --dport $port -m state --state NEW -j ACCEPT |
|
|
for port in 67 68 69 135 445 1434 6667; do |
|
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
|
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
done |
done |
print_info " done." |
|
fi |
fi |
|
fi |
|
|
if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then |
if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then |
print_info -en "\tAccepting FORWARD UDP ports:" |
print_info -en "\tAccepting FORWARD TCP ports:" |
for port in $NAT_FORWARD_UDP_PORTS; do |
for port in $NAT_FORWARD_TCP_PORTS; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p UDP --dport $port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -p TCP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en "\tAccepting ICMP packets:" |
if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then |
for type in $ACCEPT_ICMP_PACKETS; do |
print_info -en "\tAccepting FORWARD UDP ports:" |
print_info -en " $type" |
for port in $NAT_FORWARD_UDP_PORTS; do |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
print_info -en " $port" |
done |
$IPTABLES -A FORWARD -p UDP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
done |
print_info " done." |
print_info " done." |
|
fi |
|
|
# Port forwarding to local machines |
# NAT_FORWARD_TCP_HOSTS {{{ |
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
if [ ! -z "$NAT_FORWARD_TCP_HOSTS" ]; then |
print_info -en "\tForwarding TCP ports to local machines:" |
print_info -en "\tAccepting FORWARD TCP hosts:" |
for redirect in $NAT_TCP_PORT_FORWARD; do |
for host in $NAT_FORWARD_TCP_HOSTS; do |
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
print_info -en " $host" |
eval `echo $redirect | \ |
$IPTABLES -A FORWARD -p TCP -d $host -m conntrack --ctstate NEW -j ACCEPT |
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
done |
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
print_info " done." |
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
fi |
print_info -en " $src_ip:$src_port -> $local_machine:$dest_port" |
# }}} |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $src_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
|
print_info -en "\tForwarding UDP ports to local machines:" |
|
for redirect in $NAT_UDP_PORT_FORWARD; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# Keep state of connections from private subnets |
# NAT_FORWARD_UDP_HOSTS {{{ |
$IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
if [ ! -z "$NAT_FORWARD_UDP_HOSTS" ]; then |
#$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT |
print_info -en "\tAccepting FORWARD UDP hosts:" |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
for host in $NAT_FORWARD_UDP_HOSTS; do |
|
print_info -en " $host" |
# hide NAT clients behind firewall: - set TTL |
$IPTABLES -A FORWARD -p UDP -d $host -m conntrack --ctstate NEW -j ACCEPT |
# XXX: warning: this breaks traceroute !!! |
done |
if [ ! "a$NAT_SET_TTL" = "ano" ]; then |
print_info " done." |
print_info "NAT: clients hidden behind firewall - setting TTL to $NAT_SET_TTL" |
fi |
$IPTABLES -t mangle -A POSTROUTING -o $NAT_LAN_IFACE -j TTL --ttl-set $NAT_SET_TTL |
# }}} |
fi |
|
|
|
|
# NAT_FORWARD_TCP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_TCP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD TCP clients:" |
|
for client in $NAT_FORWARD_TCP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p TCP -s $client -m conntrack --ctstate NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_UDP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD UDP clients:" |
|
for client in $NAT_FORWARD_UDP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p UDP -s $client -m conntrack --ctstate NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
print_info -en "\tAccepting ICMP packets:" |
|
for type in $ACCEPT_ICMP_PACKETS; do |
|
print_info -en " $type" |
|
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
|
done |
|
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
|
print_info " done." |
|
|
|
# Port forwarding to local machines |
|
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
|
print_info -en "\tForwarding TCP ports to local machines:" |
|
for redirect in $NAT_TCP_PORT_FORWARD; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_ip:$src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $src_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
|
print_info -en "\tForwarding UDP ports to local machines:" |
|
for redirect in $NAT_UDP_PORT_FORWARD; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# Keep state of connections from private subnets |
|
$IPTABLES -A OUTPUT -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
#$IPTABLES -A FORWARD -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
|
|
|
# hide NAT clients behind firewall: - set TTL |
|
# XXX: warning: this breaks traceroute !!! |
|
if [ ! "a$NAT_SET_TTL" = "ano" ]; then |
|
print_info "NAT: clients hidden behind firewall - setting TTL to $NAT_SET_TTL" |
|
$IPTABLES -t mangle -A POSTROUTING -o $NAT_LAN_IFACE -j TTL --ttl-set $NAT_SET_TTL |
fi |
fi |
} # }}} |
} # }}} |
|
|
Riadok 542 log_new_connections() |
|
Riadok 662 log_new_connections() |
|
fi |
fi |
print_info -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" |
print_info -en "Logging new connections $NAT_LOG_NEW_CONNECTIONS:" |
for proto in $NAT_LOG_NEW_CONNECTIONS; do |
for proto in $NAT_LOG_NEW_CONNECTIONS; do |
$IPTABLES_LOG -A INPUT -m state --state NEW -p $proto -j LOG --log-prefix "IN connection: " |
$IPTABLES_LOG -A INPUT -m conntrack --ctstate NEW -p $proto -j LOG --log-prefix "IN connection: " |
$IPTABLES_LOG -A OUTPUT -m state --state NEW -p $proto -j LOG --log-prefix "OUT connection: " |
$IPTABLES_LOG -A OUTPUT -m conntrack --ctstate NEW -p $proto -j LOG --log-prefix "OUT connection: " |
$IPTABLES_LOG -A FORWARD -m state --state NEW -p $proto -j LOG --log-prefix "FWD connection: " |
$IPTABLES_LOG -A FORWARD -m conntrack --ctstate NEW -p $proto -j LOG --log-prefix "FWD connection: " |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
print_info -en "$riface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_TCP; do |
for port in $DROP_OUTPUT_TCP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP |
|
fi |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
|
|
print_info -en "$riface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_UDP; do |
for port in $DROP_OUTPUT_UDP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP |
|
fi |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
Riadok 604 bann_ip_adresses() |
|
Riadok 734 bann_ip_adresses() |
|
for banned_ip in $BANNED_IP; do |
for banned_ip in $BANNED_IP; do |
print_info -en " $banned_ip" |
print_info -en " $banned_ip" |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 617 allow_accept_all() |
|
Riadok 752 allow_accept_all() |
|
for iface in $IFACE_ACCEPT_ALL; do |
for iface in $IFACE_ACCEPT_ALL; do |
print_info -en " $iface" |
print_info -en " $iface" |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
$IPTABLES -A OUTPUT -o $iface -j ACCEPT |
$IPTABLES -A OUTPUT -o $iface -j ACCEPT |
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
if [ ! -z "$ALL_DROP_INPUT_TCP" ]; then |
if [ ! -z "$ALL_DROP_INPUT_TCP" ]; then |
print_info -en "Drop ALL INPUT TCP connections on ports:" |
print_info -en "Drop ALL INPUT TCP connections on ports:" |
for port in $ALL_DROP_INPUT_TCP; do |
for port in $ALL_DROP_INPUT_TCP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($riface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $riface -p TCP --dport $port -j DROP |
$IPTABLES -A INPUT -i $riface -p TCP $port_rule -j DROP |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
if [ ! -z "$ALL_DROP_INPUT_UDP" ]; then |
if [ ! -z "$ALL_DROP_INPUT_UDP" ]; then |
print_info -en "Drop ALL INPUT UDP connections on ports:" |
print_info -en "Drop ALL INPUT UDP connections on ports:" |
for port in $ALL_DROP_INPUT_UDP; do |
for port in $ALL_DROP_INPUT_UDP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($riface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $riface -p UDP --dport $port -j DROP |
$IPTABLES -A INPUT -i $riface -p UDP $port_rule -j DROP |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
if [ ! -z "$REAL_DROP_INPUT_TCP" ]; then |
if [ ! -z "$REAL_DROP_INPUT_TCP" ]; then |
print_info -en "Drop REAL all INPUT TCP connections for ALL interfaces on ports:" |
print_info -en "Drop REAL all INPUT TCP connections for ALL interfaces on ports:" |
for port in $REAL_DROP_INPUT_TCP; do |
for port in $REAL_DROP_INPUT_TCP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
print_info -en " $port(ALL)" |
print_info -en " $port(ALL)" |
$IPTABLES -A INPUT -p TCP --dport $port -j DROP |
$IPTABLES -A INPUT -p TCP $port_rule -j DROP |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
if [ ! -z "$REAL_DROP_INPUT_UDP" ]; then |
if [ ! -z "$REAL_DROP_INPUT_UDP" ]; then |
print_info -en "Drop REAL all INPUT UDP connections for ALL interfaces on ports:" |
print_info -en "Drop REAL all INPUT UDP connections for ALL interfaces on ports:" |
for port in $REAL_DROP_INPUT_UDP; do |
for port in $REAL_DROP_INPUT_UDP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
print_info -en " $port(ALL)" |
print_info -en " $port(ALL)" |
$IPTABLES -A INPUT -p UDP --dport $port -j DROP |
$IPTABLES -A INPUT -p UDP $port_rule -j DROP |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 675 reject_input() |
|
Riadok 842 reject_input() |
|
if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then |
print_info -en "Reject ALL INPUT TCP connections on ports:" |
print_info -en "Reject ALL INPUT TCP connections on ports:" |
for port in $ALL_REJECT_INPUT_TCP; do |
for port in $ALL_REJECT_INPUT_TCP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($riface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $riface -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i $riface -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
Riadok 685 reject_input() |
|
Riadok 859 reject_input() |
|
if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then |
if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then |
print_info -en "Reject ALL INPUT UDP connections on ports:" |
print_info -en "Reject ALL INPUT UDP connections on ports:" |
for port in $ALL_REJECT_INPUT_UDP; do |
for port in $ALL_REJECT_INPUT_UDP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port($riface)" |
print_info -en " $port($riface)" |
$IPTABLES -A INPUT -i $riface -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i $riface -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
Riadok 695 reject_input() |
|
Riadok 876 reject_input() |
|
if [ ! -z "$REAL_REJECT_INPUT_TCP" ]; then |
if [ ! -z "$REAL_REJECT_INPUT_TCP" ]; then |
print_info -en "Reject REAL all INPUT TCP connections for ALL interfaces on ports:" |
print_info -en "Reject REAL all INPUT TCP connections for ALL interfaces on ports:" |
for port in $REAL_REJECT_INPUT_TCP; do |
for port in $REAL_REJECT_INPUT_TCP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
print_info -en " $port(ALL)" |
print_info -en " $port(ALL)" |
$IPTABLES -A INPUT -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
if [ ! -z "$REAL_REJECT_INPUT_UDP" ]; then |
if [ ! -z "$REAL_REJECT_INPUT_UDP" ]; then |
print_info -en "Reject REAL all INPUT UDP connections for ALL interfaces on ports:" |
print_info -en "Reject REAL all INPUT UDP connections for ALL interfaces on ports:" |
for port in $REAL_REJECT_INPUT_UDP; do |
for port in $REAL_REJECT_INPUT_UDP; do |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for riface in $REAL_INTERFACES; do |
for riface in $REAL_INTERFACES; do |
print_info -en " $port(ALL)" |
print_info -en " $port(ALL)" |
$IPTABLES -A INPUT -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
done |
done |
|
|
for port in $ALL_ACCEPT_INPUT_UDP; do |
for port in $ALL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ -z "$src_ip" ]; then |
fi |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
done |
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j ACCEPT |
|
fi |
|
done |
|
fi |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
for port in $REAL_ACCEPT_INPUT_TCP; do |
for port in $REAL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -p TCP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -s $src_ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -s $src_ip -p TCP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
|
|
for port in $REAL_ACCEPT_INPUT_UDP; do |
for port in $REAL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -p UDP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -s $src_ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -s $src_ip -p UDP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
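Review bot: In the DHCP branch added at L1382–1384 (`[ "x$port" = "x67" ]`) the accept rule carries no `-s $src_ip`, so an ALL_ACCEPT_INPUT_UDP entry written as `<src>:67` is accepted from any source — the restriction extracted by the `eval` at L1358 is silently dropped; the same branch is added to ACCEPT_INPUT_UDP at L1660–1662. `$IPTABLES -A INPUT -i ${!riface} ${src_ip:+-s $src_ip} -p UDP --dport $port -j ACCEPT` keeps the source match whenever one was given. Separately, the REAL_REJECT_INPUT_UDP loop at L1293–1302 iterates `$REAL_INTERFACES` without ever using `$riface`, so the identical interface-less REJECT rule is appended once per interface, whereas the TCP variant at L1247–1268 has no such loop. The enclosing function starts before this hunk.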
|
Riadok 1064 allow_input() |
|
for port in $REJECT_INPUT_TCP; do |
for port in $REJECT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
Riadok 1088 allow_input() |
|
for port in $REJECT_INPUT_UDP; do |
for port in $REJECT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
Riadok 1111 allow_input() |
|
# ACCEPT {{{ |
# ACCEPT {{{ |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
print_info -en "$iface: Accepting INPUT TCP connections on ports:" |
print_info -en "$iface: Accepting INPUT TCP connections on ports:" |
|
counter=0; |
for port in $ACCEPT_INPUT_TCP; do |
for port in $ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$src_ip" -a "$port" = "0" ]; then |
if [ -n "$src_ip" -a "$port" = "0" ]; then |
port="ALL"; |
port="ALL"; |
fi |
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
|
if [ $(( ++counter )) -ge 5 ]; then counter=0; print_info ""; fi; |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
|
Riadok 1150 allow_input() |
|
if [ -n "$src_ip" -a "$port" = "0" ]; then |
if [ -n "$src_ip" -a "$port" = "0" ]; then |
port="ALL"; |
port="ALL"; |
fi |
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
|
print_info -en " $port"`[ ! -z "$src_ip" ] && echo "[$src_ip]"` |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
for ip in ${!IPS}; do |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
if [ "$port" = "ALL" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j ACCEPT |
|
fi |
fi |
fi |
fi |
done |
done |
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
Riadok 1186 allow_input() |
|
ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`"; |
ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`"; |
print_info -en "Accepting traceroute:" |
print_info -en "Accepting traceroute:" |
|
|
$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ |
if [ "X$XEN_MODE" = "Xon" ]; then |
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ |
print_info -ne " XEN_MODE "; |
-s $ip -d $ANYWHERE -j ACCEPT |
else |
|
$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ |
for iface in $TRACEROUTE_IFACE; do |
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ |
$IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ |
-s $ip -d $ANYWHERE -j ACCEPT |
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT |
|
done |
for iface in $TRACEROUTE_IFACE; do |
|
|
|
$IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ |
|
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT |
|
done |
|
fi |
print_info " done." |
print_info " done." |
fi |
fi |
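Review bot: The new `XEN_MODE` branch at L1705–1709 installs no traceroute OUTPUT or FORWARD rule at all and only prints a marker, but nothing in the hunk records why traceroute is treated differently on a Xen host; the same unexplained branch is added to do_ip_accounting at L1817–1827. A one-line comment on the `if` stating the reason, e.g. `# XEN_MODE: no traceroute OUTPUT/FORWARD rules are installed on this host because <reason>`, would let a later reader tell a deliberate omission from a missing rule. The enclosing function starts before this hunk.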
|
|
Riadok 1025 configure_special_rules() |
|
Riadok 1291 configure_special_rules() |
|
|
|
} # }}} |
} # }}} |
|
|
|
custom_rules() |
|
{ # {{{ |
|
print_info -en "Executing custom rules: " |
|
for max_rule_num in 9 99 999; do |
|
initialized="no"; |
|
for i in `seq -w 0 "$max_rule_num"`; do |
|
varname="CUSTOM_RULE_$i"; |
|
if [ -z "${!varname}" ]; then |
|
break; |
|
fi |
|
print_info -n "#$i"; |
|
$IPTABLES ${!varname}; |
|
rc="$?"; |
|
if [ "$rc" -eq 0 ]; then |
|
print_info -n "[OK] "; |
|
else |
|
print_info -n "[rc:$?] "; |
|
fi; |
|
initialized="yes"; |
|
done |
|
if [ "X$initialized" = "Xyes" ]; then |
|
break; |
|
fi |
|
done |
|
print_info " done."; |
|
} # }}} |
|
|
do_ip_accounting() |
do_ip_accounting() |
{ # {{{ |
{ # {{{ |
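Review bot: `print_info -n "[rc:$?] "` at L1779 reports the exit status of the preceding `[ "$rc" -eq 0 ]` test (always 1 on that path), not the iptables result saved in `$rc` at L1771; it should be `print_info -n "[rc:$rc] "`. The inner loop also stops at the first unset `CUSTOM_RULE_<i>` (L1761–1765), so a gap in numbering silently skips every later rule — worth a comment above the loop such as `# CUSTOM_RULE_<i> must be numbered contiguously (0..9, 00..99 or 000..999); the first gap ends processing`. `$IPTABLES ${!varname}` at L1769 deliberately relies on word-splitting (and glob expansion) of the config value; a `# shellcheck disable=SC2086 — rule arguments are split on purpose` would mark that as intended rather than an oversight.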
|
|
Riadok 1046 do_ip_accounting() |
|
Riadok 1339 do_ip_accounting() |
|
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
|
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
|
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
|
fi |
|
|
for client_ip in $IP_ACCT_CLIENTS; do |
for client_ip in $IP_ACCT_CLIENTS; do |
$IPTABLES -A $IPACCT_NAME -s $client_ip |
$IPTABLES -A $IPACCT_NAME -s $client_ip |
Riadok 1076 accept_related() |
|
Riadok 1373 accept_related() |
|
{ # {{{ |
{ # {{{ |
|
|
print_info -en "Accepting ESTABLISHED, RELATED packets ..." |
print_info -en "Accepting ESTABLISHED, RELATED packets ..." |
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
print_info " done." |
print_info " done." |
|
|
} # }}} |
} # }}} |
|
|
{ # {{{ |
{ # {{{ |
|
|
mark_idx=1 |
mark_idx=1 |
if [ ! -z $SHAPING_IFACE ]; then |
if [ ! -z "$SHAPING_IFACE" ]; then |
for iface in $SHAPING_IFACE; do |
for iface in $SHAPING_IFACE; do |
echo "Shaping for interface $iface" |
echo "Shaping for interface $iface" |
shaping_classes="${iface}_SHAPING_CLASSES" |
shaping_classes="${iface}_SHAPING_CLASSES" |
|
|
burst="${iface}_SHAPING_BURST_${class}" |
burst="${iface}_SHAPING_BURST_${class}" |
netmask="${iface}_SHAPING_NETMASK_${class}" |
netmask="${iface}_SHAPING_NETMASK_${class}" |
echo -e "\tshaping \"$class\" traffic: rate=${!rate} burst=${!burst} netmask=${!netmask}" |
echo -e "\tshaping \"$class\" traffic: rate=${!rate} burst=${!burst} netmask=${!netmask}" |
if [ -z ${!netmask} ]; then |
if [ -z "${!netmask}" ]; then |
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 0x$mark_idx |
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 0x$mark_idx |
else |
else |
$IPTABLES -t mangle -A OUTPUT -d ${!netmask} -j MARK --set-mark 0x$mark_idx |
$IPTABLES -t mangle -A OUTPUT -d ${!netmask} -j MARK --set-mark 0x$mark_idx |
fi |
fi |
|
|
if [ -z ${!rate} ]; then |
if [ -z "${!rate}" ]; then |
# SFQ for local traffic |
# SFQ for local traffic |
$TC qdisc add dev $iface parent 1:$mark_idx handle $((10 + $mark_idx)): sfq perturb 10 |
$TC qdisc add dev $iface parent 1:$mark_idx handle $((10 + $mark_idx)): sfq perturb 10 |
else |
else |
|
|
|
|
shaping_off() |
shaping_off() |
{ # {{{ |
{ # {{{ |
if [ ! -z $SHAPING_IFACE ]; then |
if [ ! -z "$SHAPING_IFACE" ]; then |
echo -en "Shaping turned off for interface" |
echo -en "Shaping turned off for interface" |
for iface in $SHAPING_IFACE; do |
for iface in $SHAPING_IFACE; do |
echo -en " $iface" |
echo -en " $iface" |
Riadok 1153 shaping_off() |
|
Riadok 1450 shaping_off() |
|
|
|
shaping_status() |
shaping_status() |
{ # {{{ |
{ # {{{ |
if [ ! -z $SHAPING_IFACE ]; then |
if [ ! -z "$SHAPING_IFACE" ]; then |
echo "# Shaping status: " |
echo "# Shaping status: " |
$TC qdisc list |
$TC qdisc list |
else |
else |
Riadok 1165 shaping_status() |
|
Riadok 1462 shaping_status() |
|
|
|
add_banned_ip() |
add_banned_ip() |
{ # {{{ |
{ # {{{ |
echo "# `date '+%Y-%m-%d %X' ` - ${SSH_CLIENT:=local}" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
echo "# `date '+%Y-%m-%d %X' `" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
if [ -z "$*" ]; then |
if [ -z "$*" ]; then |
print_info "Reading banned IP's from STDIN:" |
#print_info "Reading banned IP's from STDIN:" |
cat >> $TMPFILE |
cat >> $TMPFILE |
else |
else |
for IP in $*; do |
for IP in $*; do |
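Review bot: The audit line written to BANNED_IP.conf at L1943 no longer records `${SSH_CLIENT:=local}`, so the file loses its only indication of where a ban request came from; with the `remote` entry point this commit adds later (bans arriving over ssh), that provenance becomes more useful, not less. If the aim was to avoid the `:=` assignment to SSH_CLIENT, `${SSH_CLIENT:-local}` keeps the information without the side effect. The `trap` list at L1947 names signal 9, which cannot be caught; `trap 'rm -f "$TMPFILE"' EXIT` covers every exit path the shell can handle, including a normal exit.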
Riadok 1178 add_banned_ip() |
|
Riadok 1475 add_banned_ip() |
|
fi |
fi |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
rm -f $TMPFILE |
rm -f $TMPFILE |
|
# start with new firewalling rules |
|
$0 start |
} # }}} |
} # }}} |
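Review bot: `$0 start` added at L1971 restarts the firewall from inside add_banned_ip, but deploy_block (L1986–1991) still calls `add_banned_ip $*` and then `QUIET=yes $0 start` itself, so a deployed ban now reloads the local rule set twice, and the first reload is not quiet. Either drop the second restart in deploy_block or leave restarting to the callers and document that in a comment above the new line, e.g. `# reload rules so the new BANNED_IP entries take effect immediately`.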
|
|
deploy_block() |
deploy_block() |
Riadok 1188 deploy_block() |
|
Riadok 1487 deploy_block() |
|
fi |
fi |
print_info "Deploying to local rules ..." |
print_info "Deploying to local rules ..." |
add_banned_ip $* |
add_banned_ip $* |
# start the some script twice to refresh rules (new blocked IP's) |
# start the same script twice to refresh rules (new blocked IP's) |
QUIET=yes $0 start |
QUIET=yes $0 start |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
for i in $*; do |
for i in $*; do |
echo $i >> $TMPFILE; |
echo "block $i" >> $TMPFILE; |
done |
done |
while read conn keyfile |
while read conn keyfile |
do |
do |
case "$conn" in |
case "$conn" in |
""|\#*) |
""|\#*) |
continue |
continue |
;; |
;; |
esac |
esac |
print_info "Deploying to $conn ..."; |
print_info "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" |
cat $TMPFILE | ssh -i $keyfile $conn $0 block |
print_info "Deploying to $conn ..."; |
|
cat $TMPFILE | ssh -i $keyfile $conn $0 remote |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
rm -f $TMPFILE |
rm -f $TMPFILE |
} # }}} |
} # }}} |
|
|
|
update_from_cvs() |
|
{ # {{{ |
|
cd /etc/firewall && cvs up -d |
|
} # }}} |
|
|
|
update() |
|
{ # {{{ |
|
$UPDATE_SCRIPT |
|
} # }}} |
|
|
|
deploy_update() |
|
{ # {{{ |
|
print_info "Updating local firewall ..." |
|
$0 update |
|
|
|
# start the same script twice to refresh rules (updated scripts and configs) |
|
QUIET=yes $0 start |
|
while read conn keyfile |
|
do |
|
case "$conn" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
|
|
print_info "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" |
|
print_info "Updating $conn ..."; |
|
echo "update" | ssh -i $keyfile $conn $0 remote |
|
done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list |
|
} # }}} |
|
|
|
remote() |
|
{ # {{{ |
|
while read comnd par |
|
do |
|
case "$comnd" in |
|
block) |
|
echo "Blocking '$par'..." |
|
add_banned_ip $par |
|
;; |
|
update) |
|
echo "Updating firewall scripts..." |
|
update |
|
;; |
|
""|\#*) |
|
echo "Line '$comnd $par' ignored" |
|
continue |
|
;; |
|
esac |
|
done |
|
} # }}} |
|
|
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
parse_ifconfig() |
parse_ifconfig() |
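Review bot: `remote()` (L2093–2131) runs `add_banned_ip $par` for every `block` line it reads from its ssh peer, and no check that `$par` is an IP address or network is visible in this hunk — `$par` is passed unquoted and unvalidated (validation may live in read_config_ips; confirm). The `case` has no `*)` arm, so an unrecognised command is silently ignored, and `read` is used without `-r`; suggest `while read -r comnd par` and a default arm `*) echo "remote: unknown command '$comnd'" >&2 ;;`. Because the key listed in deploy-servers.list is what drives this entry point, restricting that key to `$0 remote` with a `command=` option in the remote authorized_keys limits what a compromised deploy host can do with it. `update_from_cvs` (L2031–2037) is not called anywhere in this hunk and may be dead code.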
|
|
allow_icmp |
allow_icmp |
accept_loopback |
accept_loopback |
masquerade |
masquerade |
|
forward_on |
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
forward_on |
|
do_ip_accounting |
do_ip_accounting |
shaping_off |
shaping_off |
shaping_on |
shaping_on |
configure_special_rules |
configure_special_rules |
|
custom_rules |
$IPTABLES_SAVE -c > $CACHE_FILE |
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|
|
|
# start the some script twice to refresh rules (new blocked IP's) |
# start the some script twice to refresh rules (new blocked IP's) |
QUIET=yes $0 start; |
QUIET=yes $0 start; |
;; |
;; |
|
update) |
|
update; |
|
;; |
deploy-block) |
deploy-block) |
shift; |
shift; |
deploy_block $*; |
deploy_block $*; |
;; |
;; |
|
deploy-update) |
|
deploy_update; |
|
;; |
|
remote) |
|
remote; |
|
;; |
*) |
*) |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |