version 2.104, 2015/10/12 22:41:24 |
version 2.106, 2016/01/17 15:03:29 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.103 2014-04-29 23:22:55 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.105 2015/10/19 14:00:33 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Line 39 DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREW |
|
Line 39 DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREW |
|
DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}" |
DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}" |
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
|
|
|
DIST_FIREWALL_CONFIG_DIR="${DIST_FIREWALL_CONFIG_DIR:=/etc/firewall/firewall.d}" |
|
|
# quiet output? {{{ |
# quiet output? {{{ |
if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then |
if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then |
print_info() |
print_info() |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
for iface in $INTERFACES; do |
# We are using REAL_INTERFACES instead of INTERFACES here, because we want |
|
# to do redirects for "lo" interface as well. However for "lo" it is done |
|
# quite differently. See http://ix.sk/0WY2j for more information on this. |
|
# -- Nepto [2015-10-19] |
|
for iface in $REAL_INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
|
|
|
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p TCP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
if [ "X$iface" = "Xlo" ]; then |
|
$IPTABLES -t nat -A OUTPUT -p TCP -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
(NF == 3) { remote_ip = $1; from_port = $2; to_port = $3; } \ |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
END { printf "remote_ip=%s; from_port=%s; to_port=%s;", remote_ip, from_port, to_port; }'` |
print_info -en " $remote_ip:$from_port->$to_port" |
print_info -en " $remote_ip:$from_port->$to_port" |
$IPTABLES -t nat -A PREROUTING -p UDP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
if [ "X$iface" = "Xlo" ]; then |
|
$IPTABLES -t nat -A OUTPUT -p UDP -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
else |
|
$IPTABLES -t nat -A PREROUTING -p UDP -i ${!riface} -s $remote_ip -d $ip --dport $from_port -j REDIRECT --to-port $to_port |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
done |
done |
} # }}} |
} # }}} |
|
|
|
map_subnet() |
|
{ # {{{ |
|
cfgvar=$1 |
|
cfgfile=$2 |
|
port=$3 |
|
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DEFAULT_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
if [ -f "$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile" ]; then |
|
cfgfound="$DIST_FIREWALL_CONFIG_DIR/subnets/$cfgfile"; |
|
else |
|
"Config file '$cfgfile' not found" |
|
exit 1 |
|
fi |
|
fi |
|
|
|
echo "Mapping $cfgfound map file to $cfgvar, port $port" |
|
while read subnet ; do |
|
case "$subnet" in |
|
""|\#*) |
|
continue |
|
;; |
|
esac |
|
echo "$cfgvar=\"\$$cfgvar $subnet:$port\"" >> "$DEFAULT_FIREWALL_CONFIG_DIR/$cfgfile" |
|
done < $cfgfound |
|
|
|
} # }}} |
|
|
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# Parse output from ifconfig: - tested on Linux and FreeBSD |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh |
parse_ifconfig() |
parse_ifconfig() |
|
|
remote) |
remote) |
remote; |
remote; |
;; |
;; |
|
map-subnet) |
|
shift; |
|
map_subnet $*; |
|
;; |
*) |
*) |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block|deploy-update|update}" >&2 |
exit 1 |
exit 1 |