===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.97
retrieving revision 2.98
diff -u -p -r2.97 -r2.98
--- scripts/shell/firewall/fw-universal.sh 2013/09/28 08:30:57 2.97
+++ scripts/shell/firewall/fw-universal.sh 2013/09/28 09:22:42 2.98
@@ -22,7 +22,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.96 2013-09-23 08:40:34 nepto Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.97 2013-09-28 08:30:57 nepto Exp $
 #
 # Changelog:
 # 2003-10-24 - created
@@ -1204,22 +1204,95 @@ allow_input() } # }}} -# ACCEPT all packets from our IP address -allow_all_output() -{ # {{{ +# ACCEPT selected IPs/ports if defined for interface +# if not defined ACCEPT all packets from our IP addresses +allow_output() +{ # {{{ + output_tcp_str=""; + output_udp_str=""; + output_icmp_str=""; - # Povolíme odchozí pakety, které mají naše IP adresy - print_info -en "Accepting OUTPUT packets from" for iface in $INTERFACES; do riface="IFname_$iface"; IPS="IP_$iface"; + + accept_output_tcp="${iface}_ACCEPT_OUTPUT_TCP" + ACCEPT_OUTPUT_TCP="${!accept_output_tcp}" + accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" + ACCEPT_OUTPUT_UDP="${!accept_output_udp}" + + # TCP + if [ -z "$ACCEPT_OUTPUT_TCP" ]; then + for ip in ${!IPS}; do + output_tcp_str=" $ip($iface)"; + $IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT + done + else + print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" + for port in $ACCEPT_OUTPUT_TCP; do + dest_ip="" + eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` + if [ -n "$dest_ip" -a "$port" = "0" ]; then + port="ALL"; + fi + print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` + if [ -z "$dest_ip" ]; then + $IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT + else + if [ "$port" = "ALL" ]; then + $IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT + else + $IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT + fi + fi + done + print_info " done." 
+ fi + + # UDP + if [ -z "$ACCEPT_OUTPUT_UDP" ]; then + for ip in ${!IPS}; do + output_udp_str=" $ip($iface)"; + $IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT + done + else + print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" + for port in $ACCEPT_OUTPUT_UDP; do + dest_ip="" + eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` + if [ -n "$dest_ip" -a "$port" = "0" ]; then + port="ALL"; + fi + print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` + if [ -z "$dest_ip" ]; then + $IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT + else + if [ "$port" = "ALL" ]; then + $IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT + else + $IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT + fi + fi + done + print_info " done." + fi + + # ICMP for ip in ${!IPS}; do - print_info -en " $ip($iface)" - $IPTABLES -A OUTPUT -o ${!riface} -s $ip -j ACCEPT + output_icmp_str=" $ip($iface)"; + $IPTABLES -A OUTPUT -p ICMP -o ${!riface} -s $ip -j ACCEPT done - done; - print_info " done."; + done + if [ -n "$output_tcp_str" ]; then + print_info "Accepting OUTPUT TCP packets from $output_tcp_str done." + fi + if [ -n "$output_udp_str" ]; then + print_info "Accepting OUTPUT UDP packets from $output_udp_str done." + fi + if [ -n "$output_icmp_str" ]; then + print_info "Accepting OUTPUT ICMP packets from $output_icmp_str done." + fi } # }}} allow_icmp() @@ -1749,8 +1822,8 @@ case "$1" in drop_input reject_input allow_input + allow_output allow_icmp - allow_all_output accept_loopback masquerade forward_on
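Review bot: Every replacement OUTPUT rule in `allow_output` is protocol-specific (`-p TCP`, `-p UDP`, `-p ICMP`), whereas the removed `$IPTABLES -A OUTPUT -o ${!riface} -s $ip -j ACCEPT` matched any IP protocol from our addresses, so outgoing traffic of other protocols (ESP/AH, GRE, IGMP, ...) is no longer accepted by this function; whether it is then dropped depends on the OUTPUT chain policy set outside this hunk, so this narrowing should either be stated in the function's header comment or restored with an unrestricted rule after the ICMP loop. In both port loops `eval \`echo $port | awk ...\`` runs text assembled from the per-interface config value as shell code; the `dest_ip:port` split needs no eval: `case "$port" in *:*) dest_ip=${port%%:*}; port=${port#*:} ;; esac`. The summary variables are assigned, not appended (`output_tcp_str=" $ip($iface)";`, likewise udp/icmp), so the final "Accepting OUTPUT ... packets from" lines report only the last IP of the last interface rather than every accepted address as the old per-IP `print_info` did; use `output_tcp_str="$output_tcp_str $ip($iface)"`. The TCP and UDP branches are byte-identical apart from the protocol name and would be better as one helper taking the protocol as its argument, which also halves the places the two fixes above must be applied.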