version 2.108, 2016/02/26 03:11:01 |
version 2.109, 2016/02/26 07:01:10 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.107 2016/02/26 02:53:42 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.108 2016/02/26 03:11:01 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
accept_output_udp="${iface}_ACCEPT_OUTPUT_UDP" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
ACCEPT_OUTPUT_UDP="${!accept_output_udp}" |
|
|
|
# UDP *must* go before TCP |
|
# |
|
# Reason: we need to have working DNS resolving, which works over |
|
# port 53/UDP. Resolving is required for those rules, which use |
|
# hostname instead of IP address, for example cvs.platon.sk:2401. |
|
|
# TCP |
# UDP |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
for port in $ACCEPT_OUTPUT_TCP; do |
for port in $ACCEPT_OUTPUT_UDP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
# UDP |
# TCP |
if [ -z "$ACCEPT_OUTPUT_UDP" ]; then |
if [ -z "$ACCEPT_OUTPUT_TCP" ]; then |
if [ -n "${!gateway}" ]; then |
if [ -n "${!gateway}" ]; then |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
output_udp_str="$output_udp_str $ip:${!riface}:${!gateway}"; |
output_tcp_str="$output_tcp_str $ip:${!riface}:${!gateway}"; |
$IPTABLES -A OUTPUT -p UDP -o ${!riface} -s $ip -j ACCEPT |
$IPTABLES -A OUTPUT -p TCP -o ${!riface} -s $ip -j ACCEPT |
done |
done |
fi |
fi |
else |
else |
print_info -en "$iface: Accepting OUTPUT UDP connections to ports:" |
print_info -en "$iface: Accepting OUTPUT TCP connections to ports:" |
for port in $ACCEPT_OUTPUT_UDP; do |
for port in $ACCEPT_OUTPUT_TCP; do |
dest_ip="" |
dest_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "dest_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
if [ -n "$dest_ip" -a "$port" = "0" ]; then |
|
|
fi |
fi |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
print_info -en " $port"`[ ! -z "$dest_ip" ] && echo "[$dest_ip]"` |
if [ -z "$dest_ip" ]; then |
if [ -z "$dest_ip" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -p TCP --dport $port -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP -j ACCEPT |
else |
else |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A OUTPUT -o ${!riface} -d $dest_ip -p TCP --dport $port -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
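Review bot: The per-port parsing on the new side (`eval \`echo $port | awk ... printf "dest_ip=\"%s\"; port=\"%s\";" ...\``, in both the UDP and TCP loops) passes configuration text through `eval`, so a `${iface}_ACCEPT_OUTPUT_*` entry containing `"`, `;` or `$` would be executed as shell rather than rejected; the variables are presumably root-owned config, but the round trip through `echo`/`awk`/`eval` buys nothing over parameter expansion. The same split without `eval` is `case "$port" in *:*) dest_ip=${port%%:*}; port=${port#*:} ;; esac`, which agrees with the awk version for the two-field `host:port` form used here (the `print_info`, `ALL` and `--dport` branches are unchanged). Two further things worth confirming: the `if [ -n "$dest_ip" -a "$port" = "0" ]; then` ... `fi` pair is shown here with an empty body, which bash rejects as a syntax error if no statement was dropped by the rendering; and the new comment's reason for the reorder (DNS over 53/UDP must be open before hostname rules like `cvs.platon.sk:2401` are loaded) only holds if 53 is actually listed in the UDP variable or the gateway branch opens UDP, otherwise the TCP hostname rules still fail to resolve. The TCP block's closing `print_info`/`fi` lie beyond the end of this view.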