verzia 2.76, 2011/01/16 12:18:14 |
verzia 2.77, 2011/01/24 20:26:04 |
|
|
#!/bin/bash |
#!/bin/bash |
|
|
|
### BEGIN INIT INFO |
|
# Provides: firewall |
|
# Required-Start: networking |
|
# Required-Stop: |
|
# Default-Start: S |
|
# Default-Stop: |
|
# Short-Description: firewalling rules |
|
### END INIT INFO |
|
|
# |
# |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# Can be started by init or by hand. |
# Can be started by init or by hand. |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.75 2010-10-22 12:20:42 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.76 2011-01-16 12:18:14 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
|
|
for port in 69 135 445 1434 6667; do |
for port in 67 68 69 135 445 1434 6667; do |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
done |
done |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
|
# NAT_FORWARD_TCP_HOSTS {{{ |
|
if [ ! -z "$NAT_FORWARD_TCP_HOSTS" ]; then |
|
print_info -en "\tAccepting FORWARD TCP hosts:" |
|
for host in $NAT_FORWARD_TCP_HOSTS; do |
|
print_info -en " $host" |
|
$IPTABLES -A FORWARD -p TCP -d $host -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_HOSTS {{{ |
|
if [ ! -z "$NAT_FORWARD_UDP_HOSTS" ]; then |
|
print_info -en "\tAccepting FORWARD UDP hosts:" |
|
for host in $NAT_FORWARD_UDP_HOSTS; do |
|
print_info -en " $host" |
|
$IPTABLES -A FORWARD -p UDP -d $host -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_TCP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_TCP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD TCP clients:" |
|
for client in $NAT_FORWARD_TCP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p TCP -s $client -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_UDP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD UDP clients:" |
|
for client in $NAT_FORWARD_UDP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p UDP -s $client -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
print_info -en "\tAccepting ICMP packets:" |
print_info -en "\tAccepting ICMP packets:" |
for type in $ACCEPT_ICMP_PACKETS; do |
for type in $ACCEPT_ICMP_PACKETS; do |
print_info -en " $type" |
print_info -en " $type" |
|
|
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ -z "$src_ip" ]; then |
fi |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
done |
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
|
fi |
|
done |
|
fi |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
for ip in ${!IPS}; do |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
if [ "$port" = "ALL" ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
|
fi |
fi |
fi |
fi |
done |
done |
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
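Review bot: The new `if [ "$port" -eq 67 ]` branch in both INPUT UDP hunks (the rule at L178 and again at L214) drops the `-s $src_ip` match along with the `-d $ip` match, so a port-67 entry the operator configured with a source restriction silently becomes accept-from-any-source on that interface, while the `print_info` line just above still echoes `[$src_ip]` as if the restriction applied. The integer test is also reached before the `"$port" = "ALL"` check that the second hunk keeps, so an `ALL` entry makes `test` print "integer expression expected" to stderr on every run before falling through; a string comparison avoids that. Only the `-d $ip` match needs to go for DHCP (the initial DHCPDISCOVER is addressed to 255.255.255.255, and it is sent from 0.0.0.0, so a source restriction will only match unicast renewals — worth stating in the comment), and the source match should be kept as in the `else` branch. The enclosing `for` loops over ports and interfaces begin before these hunks.
```shell
if [ "$port" = "67" ]; then # DHCP: client sends to 255.255.255.255, so no per-IP -d match; -s only matches unicast renewals
    if [ -z "$src_ip" ]; then
        $IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT
    else
        $IPTABLES -A INPUT -i ${!riface} -s $src_ip -p UDP --dport $port -j ACCEPT
    fi
else
    # … unchanged: per-IP loop with the ALL / --dport rules …
fi
```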