version 2.53, 2008/01/17 21:44:30 |
version 2.57, 2008/02/02 22:57:54 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.52 2008-01-16 23:45:08 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.56 2008-01-27 13:36:02 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Line 33 if [ "x$1" = "xblock" ] || [ "x$QUIET" = |
|
Line 33 if [ "x$1" = "xblock" ] || [ "x$QUIET" = |
|
else |
else |
print_info() |
print_info() |
{ |
{ |
echo $* |
echo "$@" |
} |
} |
fi |
fi |
# }}} |
# }}} |
Line 78 LO_IFACE="${LO_IFACE:=lo}" |
|
Line 78 LO_IFACE="${LO_IFACE:=lo}" |
|
# Hide NAT clients behind firewall |
# Hide NAT clients behind firewall |
NAT_SET_TTL="${NAT_SET_TTL:=no}" |
NAT_SET_TTL="${NAT_SET_TTL:=no}" |
|
|
|
# reject config |
|
ALL_REJECT_INPUT_TCP="${ALL_REJECT_INPUT_TCP:=113}" # by default reject connections to AUTH server |
|
REJECT_WITH="${REJECT_WITH:=tcp-reset}" |
|
|
# |
# |
# CONSTANTS - Do not edit |
# CONSTANTS - Do not edit |
# |
# |
|
|
for port in $ALL_REJECT_INPUT_TCP; do |
for port in $ALL_REJECT_INPUT_TCP; do |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
print_info -en " $port($iface)" |
print_info -en " $port($iface)" |
$IPTABLES -A INPUT -i $iface -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $iface -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
for port in $ALL_REJECT_INPUT_UDP; do |
for port in $ALL_REJECT_INPUT_UDP; do |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
print_info -en " $port($iface)" |
print_info -en " $port($iface)" |
$IPTABLES -A INPUT -i $iface -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $iface -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
{ # {{{ |
{ # {{{ |
|
|
print_info -en "Accepting ICMP packets:" |
print_info -en "Accepting ICMP packets:" |
# Službu AUTH není dobré filtrovat pomocí DROP, protože to může |
|
# vést k prodlevám při navazování některých spojení. Proto jej |
|
# sice zamítneme, ale vygenerujeme korektní ICMP chybovou zprávu |
|
$IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server |
|
|
|
# accept only allowed ICMP packets |
# accept only allowed ICMP packets |
for type in $ACCEPT_ICMP_PACKETS; do |
for type in $ACCEPT_ICMP_PACKETS; do |
|
|
cat >> $TMPFILE |
cat >> $TMPFILE |
else |
else |
for IP in $*; do |
for IP in $*; do |
echo $i >> $TMPFILE; |
echo $IP >> $TMPFILE; |
done |
done |
fi |
fi |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
|
|
print_info "Deploying to local rules ..." |
print_info "Deploying to local rules ..." |
add_banned_ip $* |
add_banned_ip $* |
# start the some script twice to refresh rules (new blocked IP's) |
# start the some script twice to refresh rules (new blocked IP's) |
$0 start |
QUIET=yes $0 start |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
for i in $*; do |
for i in $*; do |
|
|
shift; |
shift; |
add_banned_ip $*; |
add_banned_ip $*; |
# start the some script twice to refresh rules (new blocked IP's) |
# start the some script twice to refresh rules (new blocked IP's) |
$0 start; |
QUIET=yes $0 start; |
;; |
;; |
deploy-block) |
deploy-block) |
shift; |
shift; |