===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.1
retrieving revision 2.2
diff -u -p -r2.1 -r2.2
--- scripts/shell/firewall/fw-universal.sh 2004/12/11 19:50:24 2.1
+++ scripts/shell/firewall/fw-universal.sh 2004/12/12 18:00:11 2.2
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.0 2004/11/14 15:23:09 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.1 2004/12/11 19:50:24 rajo Exp $
 #
 # Changelog:
 # 2004-11-14 - created
@@ -196,28 +196,35 @@ syn_flood()
 anti_spoof_filter()
 { # {{{
-# http://www.iana.com/assignments/ipv4-address-space
+ # http://www.iana.com/assignments/ipv4-address-space
- INET_IFACE=$1
+ if [ ! -z "$ANTISPOOF_IFACE" ]; then
- $IPTABLES -N spoof
+ echo -en "Turning on antispoof filter for interfaces: "
+ $IPTABLES -N spoof
- echo "Turning on antispoof filter for interface $INET_IFACE "
- # Ochrana proti Spoogingu zo spatnej slucky
- $IPTABLES -A spoof -i $INET_IFACE -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:127.0.0.0/8 src"
- $IPTABLES -A spoof -i $INET_IFACE -s 127.0.0.0/8 -j DROP
- $IPTABLES -A spoof -i $INET_IFACE -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:127.0.0.0/8 dest"
- $IPTABLES -A spoof -i $INET_IFACE -d 127.0.0.0/8 -j DROP
- # Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete
- $IPTABLES -A spoof -i $INET_IFACE -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:192.168.0.0/16 src"
- $IPTABLES -A spoof -i $INET_IFACE -s 192.168.0.0/16 -j DROP # RFC1918
- $IPTABLES -A spoof -i $INET_IFACE -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:172.16.0.0/12 src"
- $IPTABLES -A spoof -i $INET_IFACE -s 172.16.0.0/12 -j DROP # RFC1918
- $IPTABLES -A spoof -i $INET_IFACE -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:10.0.0.0/8 src"
- $IPTABLES -A spoof -i $INET_IFACE -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN
- $IPTABLES -A spoof -i $INET_IFACE -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "Reserved IP:96.0.0.0/4 src"
- $IPTABLES -A spoof -i $INET_IFACE -s 96.0.0.0/4 -j DROP # IANA
- echo " done."
+ # Ochrana proti Spoogingu zo spatnej slucky
+ $IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 src"
+ $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
+ $IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 dest"
+ $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
+ # Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete
+ $IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "RESERVED:192.168.0.0/16 src"
+ $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918
+ $IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "RESERVED:172.16.0.0/12 src"
+ $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918
+ $IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:10.0.0.0/8 src"
+ $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN
+ $IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "RESERVED:96.0.0.0/4 src"
+ $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA
+
+ for iface in $ANTISPOOF_IFACE; do
+ echo -en " $iface"
+ $IPTABLES -A FORWARD -i $iface -j spoof
+ $IPTABLES -A INPUT -i $iface -j spoof
+ done
+ echo " done."
+ fi
 } # }}}
 mangle_prerouting()
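Review bot: The spoof chain still drops every 10.0.0.0/8 source while the inline comment on that rule says it is meant only for the Internet-facing interface because 10.0.0.0 is the LAN address; now that the chain carries no `-i` and is jumped to from INPUT and FORWARD for every entry of the `for iface in $ANTISPOOF_IFACE` loop, naming the LAN or NAT subnet interface there would drop the LAN's own traffic, and since the start sequence in the last hunk runs anti_spoof_filter before masquerade, masquerade's later ACCEPT rules cannot rescue it. Either document the constraint where ANTISPOOF_IFACE is configured, e.g. `# ANTISPOOF_IFACE: external interfaces only - the spoof chain drops all RFC1918 sources`, or keep the RFC1918 rules bound to the external interface. The 96.0.0.0/4 entry is a hard-coded bogon range that IANA has since allocated from, so a static list like this needs a maintenance note such as `# bogon list as of 2004 - review against current IANA allocations`. `"$iface"` in the loop would also match the quoting already used in the `[ ! -z "$ANTISPOOF_IFACE" ]` test.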
@@ -261,8 +268,78 @@ mangle_output()
 } # }}}
+# Masquerade local subnet
+masquerade()
+{ # {{{
+ if [ ! -z "$NAT_LAN_IFACE" ]; then
+ echo -en "Masquerading local subnet:"
+
+ ip="IP_$NAT_SUBNET_IFACE";
+ netmask="Mask_$NAT_SUBNET_IFACE"
+ localnet="${!ip}/${!netmask}"
+
+ # alow packets from private subnet
+ $IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP
+ $IPTABLES -A INPUT -i $NAT_SUBNET_IFACE -j ACCEPT
+ $IPTABLES -A FORWARD -i $NAT_SUBNET_IFACE -j ACCEPT
+
+ $IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE
+
+
+ # Keep state of connections from private subnets
+ iptables -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT
+ iptables -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT
+ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ echo " done."
+ fi
+} # }}}
+
+drop_output()
+{ # {{{
+
+ for iface in $INTERFACES; do
+ ip="IP_$iface";
+ drop_output_tcp="${iface}_DROP_OUTPUT_TCP"
+ DROP_OUTPUT_TCP="${!drop_output_tcp}"
+ drop_output_udp="${iface}_DROP_OUTPUT_UDP"
+ DROP_OUTPUT_UDP="${!drop_output_udp}"
+
+ if [ ! -z "$DROP_OUTPUT_TCP" ]; then
+ echo -en "$iface: Dropping outgoing packets from ports:"
+ for port in $DROP_OUTPUT_TCP; do
+ echo -en " $port"
+ $IPTABLES -A FORWARD -p TCP --sport $port -o $iface -j DROP
+ $IPTABLES -A OUTPUT -p TCP --sport $port -o $iface -j DROP
+ done
+ echo " done."
+ fi
+
+ if [ ! -z "$DROP_OUTPUT_UDP" ]; then
+ echo -en "$iface: Dropping outgoing packets from ports:"
+ for port in $DROP_OUTPUT_UDP; do
+ echo -en " $port"
+ $IPTABLES -A FORWARD -p UDP --sport $port -o $iface -j DROP
+ $IPTABLES -A OUTPUT -p UDP --sport $port -o $iface -j DROP
+ done
+ echo " done."
+ fi
+ done
+
+} # }}}
+
 allow_input()
 { # {{{
+
+ if [ ! -z "$IFACE_ACCEPT_ALL" ]; then
+ echo -en "Accepting ALL packets on interfaces:"
+ for iface in $IFACE_ACCEPT_ALL; do
+ echo -en " $iface"
+ $IPTABLES -A INPUT -i $iface -j ACCEPT
+ $IPTABLES -A FORWARD -i $iface -j ACCEPT
+ done
+ echo " done."
+ fi
+
 if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then
 echo -en "Accepting ALL INPUT TCP connections on ports:"
 for port in $ALL_ACCEPT_INPUT_TCP; do
@@ -283,7 +360,7 @@ allow_input()
 ACCEPT_INPUT_UDP="${!accept_input_udp}"
 if [ ! -z "$ACCEPT_INPUT_TCP" ]; then
- echo -en "$iface: Accepting INPUT TCP connections on ports: "
+ echo -en "$iface: Accepting INPUT TCP connections on ports:"
 for port in $ACCEPT_INPUT_TCP; do
 echo -en " $port"
 $IPTABLES -A INPUT -i $iface -d ${!ip} -p TCP --dport $port -j ACCEPT
@@ -292,7 +369,7 @@ allow_input()
 fi
 if [ ! -z "$ACCEPT_INPUT_UDP" ]; then
- echo -en "$iface: Accepting INPUT UDP connections on ports: "
+ echo -en "$iface: Accepting INPUT UDP connections on ports:"
 for port in $ACCEPT_INPUT_UDP; do
 echo -en " $port"
 #$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT
@@ -355,11 +432,19 @@ log_output_drop()
 prefix="output drop: "
 echo "Output drop is logged with prefix '$prefix'"
- # Ostatní pakety logujeme (neměly by být žádné takové)
 $IPTABLES -A OUTPUT $LOG_LIMIT -j LOG --log-prefix "$prefix"
 } # }}}
+log_forward_drop()
+{ # {{{
+
+ prefix="forward drop: "
+ echo "Forward drop is logged with prefix '$prefix'"
+ $IPTABLES -A FORWARD $LOG_LIMIT -j LOG --log-prefix "$prefix"
+
+} # }}}
+
 accept_related()
 { # {{{
@@ -367,7 +452,7 @@ accept_related()
 for iface in $INTERFACES; do
 ip="IP_$iface";
 echo -en " ${!ip}($iface)"
- $IPTABLES -A INPUT -i $iface -d ${!ip} -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 done
 echo " done."
@@ -453,17 +538,20 @@ case "$1" in
 set_loopback
 nmap_scan_filter
 invalid_packet_filter
- #anti_spoof_filter eth0
+ anti_spoof_filter
 syn_flood
 mangle_prerouting
 mangle_output
+ drop_output
 allow_input
 allow_output
 allow_icmp
 accept_related
 accept_loopback
+ masquerade
 log_input_drop
 log_output_drop
+ log_forward_drop
 ;;
 stop)
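Review bot: masquerade is invoked after allow_input, so its `FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP` anti-spoof rule is appended behind any `FORWARD -i $iface -j ACCEPT` that allow_input adds for an interface listed in IFACE_ACCEPT_ALL; if NAT_SUBNET_IFACE is also in IFACE_ACCEPT_ALL, that DROP is never reached. Calling masquerade right after drop_output, before allow_input, keeps the restrictive rule ahead of the broad accepts, and a comment on the start arm such as `# order matters: drops and spoof checks are appended before the accepts` would record the dependency. The functions added here are defined in the earlier hunks of this diff.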