===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.4
retrieving revision 2.5
diff -u -p -r2.4 -r2.5
--- scripts/shell/firewall/fw-universal.sh 2004/12/31 01:54:52 2.4
+++ scripts/shell/firewall/fw-universal.sh 2005/01/02 01:49:01 2.5
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.3 2004/12/30 23:16:20 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.4 2004/12/31 01:54:52 rajo Exp $
 #
 # Changelog:
 # 2004-11-14 - created
@@ -278,19 +278,71 @@ masquerade() netmask="Mask_$NAT_SUBNET_IFACE" localnet="${!ip}/${!netmask}" + lan_ip="IP_$NAT_LAN_IFACE" + # alow packets from private subnet $IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP - $IPTABLES -A INPUT -i $NAT_SUBNET_IFACE -j ACCEPT - $IPTABLES -A FORWARD -i $NAT_SUBNET_IFACE -j ACCEPT + + for redirect in $NAT_TCP_PORT_REDIRECT; do + eval `echo $redirect | awk -v FS=: '{ printf "remote_port=%s; local_port=%s;", $1, $2; }'` + echo -en " $remote_port:$local_port" + $IPTABLES -t nat -A PREROUTING -p TCP \ + -i ! $NAT_LAN_IFACE -d ! ${!lan_ip} \ + --dport $remote_port -j REDIRECT --to-port $local_port + done $IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE + # don't forward Miscrosoft protocols - NOT RFC compliant packets + if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then + if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then + $IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP + + for port in 69 135 445 1434 6667; do + $IPTABLES -A FORWARD -p TCP --dport $port -j DROP + $IPTABLES -A FORWARD -p UDP --dport $port -j DROP + done + fi + fi + + if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then + echo -en "Accepting FORWARD TCP ports:" + for port in $NAT_FORWARD_TCP_PORTS; do + echo -en " $port" + $IPTABLES -A FORWARD -p TCP --dport $port -m state --state NEW -j ACCEPT + done + echo " done." + fi + + if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then + echo -en "Accepting FORWARD UDP ports:" + for port in $NAT_FORWARD_UDP_PORTS; do + echo -en " $port" + $IPTABLES -A FORWARD -p UDP --dport $port -m state --state NEW -j ACCEPT + done + echo " done." + fi # Keep state of connections from private subnets $IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT - $IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT + #$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + echo " done." 
+ + fi +} # }}} + +log_new_connections() +{ # {{{ + if [ ! -z "$NAT_LOG_NEW_CONNECTIONS" ]; then + if [ "x$NAT_LOG_NEW_CONNECTIONS" = "xyes" ]; then + echo -en "Logging new connections:" + $IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "IN connection: " + $IPTABLES -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT connection: " + $IPTABLES -A FORWARD -m state --state NEW -j LOG --log-prefix "FWD connection: " + echo " done." + fi fi } # }}} @@ -542,6 +594,7 @@ case "$1" in syn_flood mangle_prerouting mangle_output + log_new_connections drop_output allow_input allow_output
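Review bot: The per-port FORWARD ACCEPT rules added under NAT_FORWARD_TCP_PORTS and NAT_FORWARD_UDP_PORTS carry no `-i`/`-o` restriction, whereas the rule they replace (`FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT`, now commented out) only opened connections leaving through $NAT_LAN_IFACE; as written, a NEW connection on an allowed port is accepted in whichever direction routing lets it cross the box, including from the $NAT_LAN_IFACE side toward the private subnet. Suggest `$IPTABLES -A FORWARD -i $NAT_SUBNET_IFACE -o $NAT_LAN_IFACE -p TCP --dport $port -m state --state NEW -j ACCEPT` (and the same for the UDP loop) so the earlier outbound-only semantics survive. The redirect loop also runs `eval` over awk output for each NAT_TCP_PORT_REDIRECT entry; `remote_port=${redirect%%:*}; local_port=${redirect#*:}` gives the same split without passing configuration text through eval. Note too that the Microsoft-port drops only apply when NAT_FORWARD_MICROSOFT is explicitly "no", so an unset variable leaves those ports open. The masquerade() body begins before this hunk, so any earlier interface-scoped rules are not visible here.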
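Review bot: `log_new_connections` is called before drop_output, allow_input and allow_output, so its three LOG rules (added earlier in this commit) sit ahead of every ACCEPT/DROP and fire for each NEW packet that reaches INPUT, OUTPUT or FORWARD, including traffic the later rules reject, and none of them is rate-limited. A port scan against the box then turns into a syslog flood; add `-m limit --limit 5/min --limit-burst 10` to each LOG rule, or move this call after the allow_* functions if only admitted connections are meant to be logged. The `case "$1" in` arm this call belongs to starts and ends outside the hunk, so what the earlier calls (syn_flood, mangle_*) already put in these chains is not visible here.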