version 2.93, 2013/09/21 02:55:50 |
version 2.101, 2013/09/28 18:51:30 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.92 2012-10-30 16:08:52 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.100 2013-09-28 10:07:18 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
|
|
masquerade() |
masquerade() |
{ # {{{ |
{ # {{{ |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ -z "$NAT_LAN_IFACE" ]; then |
print_info -en "NAT: Enabling packet forwarding..." |
return; |
echo 1 > /proc/sys/net/ipv4/ip_forward |
fi |
print_info " done." |
|
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
|
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
print_info -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE" |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
|
print_info " done." |
if [ "X$XEN_MODE" = "Xon" ]; then |
print_info "XEN_MODE enabled: masquerade is limited to basic functionality only"; |
if [ -n "$NAT_SUBNET_SRC" ]; then |
return; |
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
fi |
fi |
|
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
|
print_info " done." |
|
print_info "XEN_MODE enabled: masquerade is limited to basic functionality only"; |
|
return; |
|
fi |
|
|
ip="`get_first_ip_addr IP_$NAT_SUBNET_IFACE`" |
ip="`get_first_ip_addr IP_$NAT_SUBNET_IFACE`" |
netmask="Mask_$NAT_SUBNET_IFACE" |
netmask="Mask_$NAT_SUBNET_IFACE" |
localnet="$ip/${!netmask}" |
localnet="$ip/${!netmask}" |
|
|
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
|
|
# alow packets from private subnet |
# alow packets from private subnet |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
for client_ip in $NAT_CLIENT_DROP; do |
for client_ip in $NAT_CLIENT_DROP; do |
print_info -en " !$client_ip"; |
print_info -en " !$client_ip"; |
$IPTABLES -A FORWARD -s $client_ip -i $NAT_SUBNET_IFACE -j DROP |
$IPTABLES -A FORWARD -s $client_ip -i $NAT_SUBNET_IFACE -j DROP |
done |
done |
|
|
for redirect in $NAT_TCP_PORT_REDIRECT; do |
for redirect in $NAT_TCP_PORT_REDIRECT; do |
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
eval `echo $redirect | \ |
eval `echo $redirect | \ |
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
print_info -en " $remote_port>>$remote_ip:$local_port(tcp)" |
print_info -en " $remote_port>>$remote_ip:$local_port(tcp)" |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
-i $NAT_SUBNET_IFACE \ |
-i $NAT_SUBNET_IFACE \ |
|
--dport $remote_port -j REDIRECT --to-port $local_port |
|
done |
|
for redirect in $NAT_UDP_PORT_REDIRECT; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 2) { dnat = "no" ; remote_ip = "X"; remote_port = $1; local_port = $2; } \ |
|
(NF == 3) { dnat = "yes" ; remote_ip = $2; remote_port = $1; local_port = $3; } \ |
|
END { printf "dnat=%s; remote_ip=%s; remote_port=%s; local_port=%s;", dnat, remote_ip, remote_port, local_port; }'` |
|
print_info -en " $remote_port>>$remote_ip:$local_port(udp)" |
|
if [ "x$dnat" = "xyes" ]; then |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_SUBNET_IFACE -d ! $ip \ |
|
--dport $local_port -j DNAT --to $remote_ip:$remote_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_SUBNET_IFACE -d ! $ip --dport $local_port -j ACCEPT |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p UDP \ |
|
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
--dport $remote_port -j REDIRECT --to-port $local_port |
--dport $remote_port -j REDIRECT --to-port $local_port |
done |
fi |
for redirect in $NAT_UDP_PORT_REDIRECT; do |
done |
#eval `echo $redirect | $AWK -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 2) { dnat = "no" ; remote_ip = "X"; remote_port = $1; local_port = $2; } \ |
|
(NF == 3) { dnat = "yes" ; remote_ip = $2; remote_port = $1; local_port = $3; } \ |
|
END { printf "dnat=%s; remote_ip=%s; remote_port=%s; local_port=%s;", dnat, remote_ip, remote_port, local_port; }'` |
|
print_info -en " $remote_port>>$remote_ip:$local_port(udp)" |
|
if [ "x$dnat" = "xyes" ]; then |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_SUBNET_IFACE -d ! $ip \ |
|
--dport $local_port -j DNAT --to $remote_ip:$remote_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_SUBNET_IFACE -d ! $ip --dport $local_port -j ACCEPT |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p UDP \ |
|
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
|
--dport $remote_port -j REDIRECT --to-port $local_port |
|
fi |
|
done |
|
|
|
#$IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE |
|
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE |
|
|
|
print_info " done." |
|
|
|
# don't forward Miscrosoft protocols - NOT RFC compliant packets |
if [ -n "$NAT_SUBNET_SRC" ]; then |
if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then |
NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"; |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
fi |
$IPTABLES -A FORWARD -p TCP ! --syn -m conntrack --ctstate NEW -j DROP |
$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC |
|
|
for port in 67 68 69 135 445 1434 6667; do |
print_info " done." |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
|
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
|
done |
|
fi |
|
fi |
|
|
|
if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then |
# don't forward Miscrosoft protocols - NOT RFC compliant packets |
print_info -en "\tAccepting FORWARD TCP ports:" |
if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then |
for port in $NAT_FORWARD_TCP_PORTS; do |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
print_info -en " $port" |
$IPTABLES -A FORWARD -p TCP ! --syn -m conntrack --ctstate NEW -j DROP |
$IPTABLES -A FORWARD -p TCP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
|
|
if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then |
for port in 67 68 69 135 445 1434 6667; do |
print_info -en "\tAccepting FORWARD UDP ports:" |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
for port in $NAT_FORWARD_UDP_PORTS; do |
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
print_info -en " $port" |
|
$IPTABLES -A FORWARD -p UDP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
|
done |
done |
print_info " done." |
|
fi |
fi |
|
fi |
|
|
# NAT_FORWARD_TCP_HOSTS {{{ |
if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then |
if [ ! -z "$NAT_FORWARD_TCP_HOSTS" ]; then |
print_info -en "\tAccepting FORWARD TCP ports:" |
print_info -en "\tAccepting FORWARD TCP hosts:" |
for port in $NAT_FORWARD_TCP_PORTS; do |
for host in $NAT_FORWARD_TCP_HOSTS; do |
print_info -en " $port" |
print_info -en " $host" |
$IPTABLES -A FORWARD -p TCP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -d $host -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_HOSTS {{{ |
if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then |
if [ ! -z "$NAT_FORWARD_UDP_HOSTS" ]; then |
print_info -en "\tAccepting FORWARD UDP ports:" |
print_info -en "\tAccepting FORWARD UDP hosts:" |
for port in $NAT_FORWARD_UDP_PORTS; do |
for host in $NAT_FORWARD_UDP_HOSTS; do |
print_info -en " $port" |
print_info -en " $host" |
$IPTABLES -A FORWARD -p UDP --dport $port -m conntrack --ctstate NEW -j ACCEPT |
$IPTABLES -A FORWARD -p UDP -d $host -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_TCP_CLIENTS {{{ |
# NAT_FORWARD_TCP_HOSTS {{{ |
if [ ! -z "$NAT_FORWARD_TCP_CLIENTS" ]; then |
if [ ! -z "$NAT_FORWARD_TCP_HOSTS" ]; then |
print_info -en "\tAccepting FORWARD TCP clients:" |
print_info -en "\tAccepting FORWARD TCP hosts:" |
for client in $NAT_FORWARD_TCP_CLIENTS; do |
for host in $NAT_FORWARD_TCP_HOSTS; do |
print_info -en " $client" |
print_info -en " $host" |
$IPTABLES -A FORWARD -p TCP -s $client -m conntrack --ctstate NEW -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -d $host -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
# }}} |
# }}} |
|
|
# NAT_FORWARD_UDP_CLIENTS {{{ |
# NAT_FORWARD_UDP_HOSTS {{{ |
if [ ! -z "$NAT_FORWARD_UDP_CLIENTS" ]; then |
if [ ! -z "$NAT_FORWARD_UDP_HOSTS" ]; then |
print_info -en "\tAccepting FORWARD UDP clients:" |
print_info -en "\tAccepting FORWARD UDP hosts:" |
for client in $NAT_FORWARD_UDP_CLIENTS; do |
for host in $NAT_FORWARD_UDP_HOSTS; do |
print_info -en " $client" |
print_info -en " $host" |
$IPTABLES -A FORWARD -p UDP -s $client -m conntrack --ctstate NEW -j ACCEPT |
$IPTABLES -A FORWARD -p UDP -d $host -m conntrack --ctstate NEW -j ACCEPT |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
# }}} |
# }}} |
|
|
print_info -en "\tAccepting ICMP packets:" |
# NAT_FORWARD_TCP_CLIENTS {{{ |
for type in $ACCEPT_ICMP_PACKETS; do |
if [ ! -z "$NAT_FORWARD_TCP_CLIENTS" ]; then |
print_info -en " $type" |
print_info -en "\tAccepting FORWARD TCP clients:" |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
for client in $NAT_FORWARD_TCP_CLIENTS; do |
done |
print_info -en " $client" |
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
$IPTABLES -A FORWARD -p TCP -s $client -m conntrack --ctstate NEW -j ACCEPT |
|
done |
print_info " done." |
print_info " done." |
|
fi |
|
# }}} |
|
|
# Port forwarding to local machines |
# NAT_FORWARD_UDP_CLIENTS {{{ |
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
if [ ! -z "$NAT_FORWARD_UDP_CLIENTS" ]; then |
print_info -en "\tForwarding TCP ports to local machines:" |
print_info -en "\tAccepting FORWARD UDP clients:" |
for redirect in $NAT_TCP_PORT_FORWARD; do |
for client in $NAT_FORWARD_UDP_CLIENTS; do |
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
print_info -en " $client" |
eval `echo $redirect | \ |
$IPTABLES -A FORWARD -p UDP -s $client -m conntrack --ctstate NEW -j ACCEPT |
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
done |
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
print_info " done." |
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
fi |
print_info -en " $src_ip:$src_port -> $local_machine:$dest_port" |
# }}} |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $src_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
|
print_info -en "\tForwarding UDP ports to local machines:" |
|
for redirect in $NAT_UDP_PORT_FORWARD; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# Keep state of connections from private subnets |
print_info -en "\tAccepting ICMP packets:" |
$IPTABLES -A OUTPUT -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
for type in $ACCEPT_ICMP_PACKETS; do |
#$IPTABLES -A FORWARD -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
print_info -en " $type" |
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT |
|
done |
# hide NAT clients behind firewall: - set TTL |
#$IPTABLES_LOG -A FORWARD -p ICMP -j LOG --log-prefix "FWD ICMP: " |
# XXX: warning: this breaks traceroute !!! |
print_info " done." |
if [ ! "a$NAT_SET_TTL" = "ano" ]; then |
|
print_info "NAT: clients hidden behind firewall - setting TTL to $NAT_SET_TTL" |
|
$IPTABLES -t mangle -A POSTROUTING -o $NAT_LAN_IFACE -j TTL --ttl-set $NAT_SET_TTL |
|
fi |
|
|
|
|
# Port forwarding to local machines |
|
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
|
print_info -en "\tForwarding TCP ports to local machines:" |
|
for redirect in $NAT_TCP_PORT_FORWARD; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_ip:$src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $src_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
|
print_info -en "\tForwarding UDP ports to local machines:" |
|
for redirect in $NAT_UDP_PORT_FORWARD; do |
|
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
|
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
$IPTABLES -A FORWARD -p UDP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# Keep state of connections from private subnets |
|
$IPTABLES -A OUTPUT -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
#$IPTABLES -A FORWARD -m conntrack --ctstate NEW -o $NAT_LAN_IFACE -j ACCEPT |
|
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT |
|
|
|
# hide NAT clients behind firewall: - set TTL |
|
# XXX: warning: this breaks traceroute !!! |
|
if [ ! "a$NAT_SET_TTL" = "ano" ]; then |
|
print_info "NAT: clients hidden behind firewall - setting TTL to $NAT_SET_TTL" |
|
$IPTABLES -t mangle -A POSTROUTING -o $NAT_LAN_IFACE -j TTL --ttl-set $NAT_SET_TTL |
fi |
fi |
} # }}} |
} # }}} |
|
|
|
|
|
|
} # }}} |
} # }}} |
|
|
# ACCEPT all packets from our IP address |
# ACCEPT selected IPs/ports if defined for interface |
|
# if not defined ACCEPT all packets from our IP addresses |
allow_output() |
allow_output() |
{ # {{{ |
{ # {{{ |
|
output_tcp_str=""; |
|
output_udp_str=""; |
|
output_icmp_str=""; |
|
|
# Povolíme odchozí pakety, které mají naše IP adresy |
|
print_info -en "Accepting OUTPUT packets from" |
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
|
gateway="Gateway_$iface"; |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
|
print_info -en " $ip($iface)" |
|
$IPTABLES -A OUTPUT -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
done; |
|
print_info " done."; |
|
|
|
|
accept_output_tcp="${iface}_ACCEPT_OUTPUT_TCP" |
|
ACCEPT_OUTPUT_TCP="${!accept_output_tcp}" |
|
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
|
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
|
|
|
|
|
# TCP |
|
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
else |
|
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
|
for port in $ACCEPT_OUTPUT_TCP; do |
|
dest_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
|
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
|
if [ -z "$dest_ip" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
|
else |
|
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
|
else |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
|
fi |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# UDP |
|
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
else |
|
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
|
for port in $ACCEPT_OUTPUT_UDP; do |
|
dest_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
|
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
|
if [ -z "$dest_ip" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
|
else |
|
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
|
else |
|
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
|
fi |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
|
# ICMP |
|
if [ -n "${!gateway}" ]; then |
|
for ip in ${!IPS}; do |
|
output_icmp_str="$output_icmp_str $ip:${!riface}:${!gateway}"; |
|
$IPTABLES -A OUTPUT -p ICMP -o ${!riface} -s $ip -j ACCEPT |
|
done |
|
fi |
|
done |
|
|
|
if [ -n "$output_tcp_str" ]; then |
|
print_info "Accepting OUTPUT TCP packets through $output_tcp_str done." |
|
fi |
|
if [ -n "$output_udp_str" ]; then |
|
print_info "Accepting OUTPUT UDP packets through $output_udp_str done." |
|
fi |
|
if [ -n "$output_icmp_str" ]; then |
|
print_info "Accepting OUTPUT ICMP packets through $output_icmp_str done." |
|
fi |
} # }}} |
} # }}} |
|
|
allow_icmp() |
allow_icmp() |
|
|
allow_icmp |
allow_icmp |
accept_loopback |
accept_loopback |
masquerade |
masquerade |
|
forward_on |
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
forward_on |
|
do_ip_accounting |
do_ip_accounting |
shaping_off |
shaping_off |
shaping_on |
shaping_on |
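Review bot: In masquerade(), the new side (2.101) rewrites the caller's configuration variable in place — `NAT_SUBNET_SRC="-s $NAT_SUBNET_SRC"` — once in the XEN_MODE branch and again before the main `$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $NAT_SUBNET_SRC` rule, so the function is no longer idempotent: any second call in the same shell (a restart path that re-sources the script, or a future caller) produces `-s -s <net>`, which iptables presumably rejects, and since no exit status is checked here the MASQUERADE rule would simply be missing. Build the argument into a separate variable instead and leave the config untouched, e.g. `nat_src_args=""`, `[ -n "$NAT_SUBNET_SRC" ] && nat_src_args="-s $NAT_SUBNET_SRC"`, then `$IPTABLES -t nat -A POSTROUTING -o $NAT_LAN_IFACE -j MASQUERADE $nat_src_args`, in both places. It would also be worth a comment above the XEN_MODE branch stating that it returns early and therefore installs none of the anti-spoofing DROP, port-redirect or conntrack rules that follow, since that difference in what the firewall enforces is not visible from the "basic functionality only" message alone. The same unchecked-exit-status pattern applies to every iptables call in this function, so the silent-failure caveat is not specific to the new lines.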