version 2.50, 2007/08/29 14:43:55 |
version 2.51, 2007/12/12 23:30:10 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.49 2006-10-04 09:23:25 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.50 2007-08-29 14:43:55 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Line 561 allow_accept_all() |
|
Line 561 allow_accept_all() |
|
fi |
fi |
} # }}} |
} # }}} |
|
|
allow_input() |
drop_input() |
{ # {{{ |
{ # {{{ |
|
|
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
for client_ip in $NAT_CLIENT_DROP; do |
for client_ip in $NAT_CLIENT_DROP; do |
echo -en " !$client_ip"; |
echo -en " !$client_ip"; |
|
|
done |
done |
echo " done." |
echo " done." |
fi |
fi |
|
} # }}} |
|
|
|
reject_input() |
|
{ # {{{ |
|
if [ ! -z "$ALL_REJECT_INPUT_TCP" ]; then |
|
echo -en "Reject ALL INPUT TCP connections on ports:" |
|
for port in $ALL_REJECT_INPUT_TCP; do |
|
for iface in $INTERFACES; do |
|
echo -en " $port($iface)" |
|
$IPTABLES -A INPUT -i $iface -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable |
|
done |
|
done |
|
echo " done." |
|
fi |
|
if [ ! -z "$ALL_REJECT_INPUT_UDP" ]; then |
|
echo -en "Reject ALL INPUT UDP connections on ports:" |
|
for port in $ALL_REJECT_INPUT_UDP; do |
|
for iface in $INTERFACES; do |
|
echo -en " $port($iface)" |
|
$IPTABLES -A INPUT -i $iface -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable |
|
done |
|
done |
|
echo " done." |
|
fi |
|
} # }}} |
|
|
|
allow_input() |
|
{ # {{{ |
|
|
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
echo -en "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
|
|
redirect_udp="${iface}_REDIRECT_UDP" |
redirect_udp="${iface}_REDIRECT_UDP" |
REDIRECT_UDP="${!redirect_udp}" |
REDIRECT_UDP="${!redirect_udp}" |
|
|
|
reject_input_tcp="${iface}_REJECT_INPUT_TCP" |
|
REJECT_INPUT_TCP="${!reject_input_tcp}" |
|
reject_input_udp="${iface}_REJECT_INPUT_UDP" |
|
REJECT_INPUT_UDP="${!reject_input_udp}" |
|
|
accept_input_tcp="${iface}_ACCEPT_INPUT_TCP" |
accept_input_tcp="${iface}_ACCEPT_INPUT_TCP" |
ACCEPT_INPUT_TCP="${!accept_input_tcp}" |
ACCEPT_INPUT_TCP="${!accept_input_tcp}" |
accept_input_udp="${iface}_ACCEPT_INPUT_UDP" |
accept_input_udp="${iface}_ACCEPT_INPUT_UDP" |
|
|
echo " done." |
echo " done." |
fi |
fi |
|
|
|
# REJECT {{{ |
|
if [ ! -z "$REJECT_INPUT_TCP" ]; then |
|
echo -en "$iface: Rejecting INPUT TCP connections on ports:" |
|
for port in $REJECT_INPUT_TCP; do |
|
src_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
for ip in ${!IPS}; do |
|
if [ -z $src_ip ]; then |
|
$IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable |
|
else |
|
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable |
|
fi |
|
done |
|
done |
|
echo " done." |
|
fi |
|
|
|
if [ ! -z "$REJECT_INPUT_UDP" ]; then |
|
echo -en "$iface: Rejecting INPUT UDP connections on ports:" |
|
for port in $REJECT_INPUT_UDP; do |
|
src_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
for ip in ${!IPS}; do |
|
if [ -z $src_ip ]; then |
|
$IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable |
|
else |
|
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable |
|
fi |
|
done |
|
done |
|
echo " done." |
|
fi |
|
# }}} |
|
|
|
# ACCEPT {{{ |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ACCEPT_INPUT_TCP" ]; then |
echo -en "$iface: Accepting INPUT TCP connections on ports:" |
echo -en "$iface: Accepting INPUT TCP connections on ports:" |
for port in $ACCEPT_INPUT_TCP; do |
for port in $ACCEPT_INPUT_TCP; do |
|
|
done |
done |
echo " done." |
echo " done." |
fi |
fi |
|
# }}} |
done |
done |
|
|
# Enable outgoing TRACEROUTE requests (required e.g. by Skype, http://www.skype.com) |
# Enable outgoing TRACEROUTE requests (required e.g. by Skype, http://www.skype.com) |
|
|
accept_related |
accept_related |
log_new_connections |
log_new_connections |
drop_output |
drop_output |
|
drop_input |
|
reject_input |
allow_input |
allow_input |
allow_output |
allow_output |
allow_icmp |
allow_icmp |
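Review bot: The new per-interface REJECT block splits `src_ip:port` entries with `eval \`echo $port | awk ...\``, which hands the raw value of `${iface}_REJECT_INPUT_TCP` / `_UDP` to the shell as code, so any config entry containing shell metacharacters is executed as root; the split needs no eval at all: `case "$port" in *:*) src_ip="${port%%:*}"; port="${port#*:}" ;; esac`. Separately, the new main sequence calls `reject_input` before `allow_input`, so with iptables first-match semantics a port listed in `ALL_REJECT_INPUT_TCP`/`_UDP` is rejected on every interface before any ACCEPT rule from `allow_input` can match, and the per-interface REJECT block is likewise appended ahead of the per-interface ACCEPT block; if "reject always wins over accept" is the intended precedence, that deserves a comment next to the call order, since it is not obvious from the variable names. For the TCP rules, `--reject-with tcp-reset` is the usual choice over `icmp-port-unreachable`, though this is presumably a deliberate style so I flag it only as a question. The enclosing `allow_input` loop over `$INTERFACES` starts, and the function that the trailing `accept_related … allow_icmp` calls belong to begins and ends, outside this hunk.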