version 2.65, 2009/02/06 00:43:12 |
version 2.82, 2011/11/18 23:26:18 |
|
|
#!/bin/sh |
#!/bin/bash |
|
|
|
### BEGIN INIT INFO |
|
# Provides: firewall |
|
# Required-Start: networking |
|
# Required-Stop: |
|
# Default-Start: S |
|
# Default-Stop: |
|
# Short-Description: firewalling rules |
|
### END INIT INFO |
|
|
# |
# |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2006 Platon SDG, http://platon.sk/ |
# Copyright (c) 2003-2011 Platon Group, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.64 2009-02-06 00:38:56 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.81 2011-10-03 17:42:56 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
# 2011-07-20 - implemented XEN_MODE |
# |
# |
|
|
|
### BEGIN INIT INFO |
|
# Provides: firewall |
|
# Required-Start: $network $remote_fs |
|
# Required-Stop: $network $remote_fs |
|
# Default-Start: 2 3 4 5 |
|
# Default-Stop: 0 1 6 |
|
# Short-Description: Starts firewall |
|
# Description: Handle universal firewall script by Platon Group |
|
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
|
# Author: Lubomir Host <rajo@platon.sk> |
|
# Copyright: (c) 2003-2011 Platon Group |
|
### END INIT INFO |
|
|
umask 077 # security |
umask 077 # security |
|
|
DESC="firewall" |
DESC="firewall" |
|
|
|
|
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
mkdir -p "$DEFAULT_CACHE_DIR"; |
mkdir -p "$DEFAULT_CACHE_DIR"; |
|
if [ "$?" -ne "0" ]; then |
|
print_info "ERROR: unable to create cache dir in load_cache()"; |
|
return; |
|
fi |
fi |
fi |
|
|
config=`cat $DEFAULT_FIREWALL_CONFIG $0 $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf `; # config file and firewalling script |
config=""; |
md5key=`echo "config = '$config' parsed_interfaces ='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{ print $1; }'`; |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG\" `"; |
|
fi |
|
if [ -r "$0" ]; then |
|
config="$config ` cat \"$0\" `"; |
|
fi |
|
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
|
fi |
|
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
|
fi |
|
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
#echo "CACHE_FILE=$CACHE_FILE" |
#echo "CACHE_FILE=$CACHE_FILE" |
Line 206 set_default_policy() |
|
Line 245 set_default_policy() |
|
{ # {{{ |
{ # {{{ |
# Set default policy |
# Set default policy |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info "XEN_MODE enabled: default policy for FORWARD forced to ACCEPT"; |
|
$IPTABLES -P $chain ACCEPT; |
|
continue; |
|
fi |
$IPTABLES -P $chain $DEFAULT_POLICY |
$IPTABLES -P $chain $DEFAULT_POLICY |
done |
done |
} # }}} |
} # }}} |
|
|
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
|
|
for table in filter nat mangle; do |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -t $table -F # clear all chains |
print_info "XEN_MODE enabled: not clearing FORWARD chain"; |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES --flush INPUT |
$IPTABLES -t $table -Z # zero counts |
$IPTABLES --flush OUTPUT |
done |
$IPTABLES --flush spoof |
|
# TODO!!! |
|
else |
|
for table in filter nat mangle; do |
|
$IPTABLES -t $table -F # clear all chains |
|
$IPTABLES -t $table -X # remove all chains |
|
$IPTABLES -t $table -Z # zero counts |
|
done |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
Line 254 nmap_scan_filter() |
|
Line 306 nmap_scan_filter() |
|
print_info -en "Turning on nmap scan filter " |
print_info -en "Turning on nmap scan filter " |
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info -ne " XEN_MODE "; |
|
continue; |
|
fi |
|
|
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
print_info -en "." |
print_info -en "." |
|
|
Line 264 nmap_scan_filter() |
|
Line 322 nmap_scan_filter() |
|
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
Line 272 nmap_scan_filter() |
|
Line 331 nmap_scan_filter() |
|
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
Line 286 invalid_packet_filter() |
|
Line 346 invalid_packet_filter() |
|
{ # {{{ |
{ # {{{ |
|
|
print_info -en "Turning on INVALID packet filter " |
print_info -en "Turning on INVALID packet filter " |
|
|
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info -ne " XEN_MODE "; |
|
continue; |
|
fi |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
print_info -en "." |
print_info -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
Line 335 anti_spoof_filter() |
|
Line 400 anti_spoof_filter() |
|
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
|
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
# 2009-02-11 - Not reserver anymore: http://www.iana.org/assignments/ipv4-address-space/ |
|
# - it is a Comcast network now |
|
#$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
|
#$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
print_info -en " $iface" |
print_info -en " $iface" |
$IPTABLES -A FORWARD -i $iface -j spoof |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -i $iface -j spoof |
|
fi |
$IPTABLES -A INPUT -i $iface -j spoof |
$IPTABLES -A INPUT -i $iface -j spoof |
done |
done |
print_info " done." |
print_info " done." |
|
|
|
|
} # }}} |
} # }}} |
|
|
# Masquerade local subnet |
|
masquerade() |
masquerade() |
{ # {{{ |
{ # {{{ |
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info "XEN_MODE enabled: masquerade is not supported in this mode"; |
|
return; |
|
fi |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
print_info -en "NAT: Enabling packet forwarding..." |
print_info -en "NAT: Enabling packet forwarding..." |
echo 1 > /proc/sys/net/ipv4/ip_forward |
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
|
localnet="$ip/${!netmask}" |
localnet="$ip/${!netmask}" |
|
|
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
|
|
# alow packets from private subnet |
# alow packets from private subnet |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
for client_ip in $NAT_CLIENT_DROP; do |
for client_ip in $NAT_CLIENT_DROP; do |
|
|
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
print_info -en " $remote_port>>$remote_ip:$local_port(udp)" |
print_info -en " $remote_port>>$remote_ip:$local_port(tcp)" |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
--dport $remote_port -j REDIRECT --to-port $local_port |
--dport $remote_port -j REDIRECT --to-port $local_port |
|
|
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
|
|
for port in 69 135 445 1434 6667; do |
for port in 67 68 69 135 445 1434 6667; do |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
done |
done |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
|
# NAT_FORWARD_TCP_HOSTS {{{ |
|
if [ ! -z "$NAT_FORWARD_TCP_HOSTS" ]; then |
|
print_info -en "\tAccepting FORWARD TCP hosts:" |
|
for host in $NAT_FORWARD_TCP_HOSTS; do |
|
print_info -en " $host" |
|
$IPTABLES -A FORWARD -p TCP -d $host -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_HOSTS {{{ |
|
if [ ! -z "$NAT_FORWARD_UDP_HOSTS" ]; then |
|
print_info -en "\tAccepting FORWARD UDP hosts:" |
|
for host in $NAT_FORWARD_UDP_HOSTS; do |
|
print_info -en " $host" |
|
$IPTABLES -A FORWARD -p UDP -d $host -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_TCP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_TCP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD TCP clients:" |
|
for client in $NAT_FORWARD_TCP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p TCP -s $client -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_UDP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD UDP clients:" |
|
for client in $NAT_FORWARD_UDP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p UDP -s $client -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
print_info -en "\tAccepting ICMP packets:" |
print_info -en "\tAccepting ICMP packets:" |
for type in $ACCEPT_ICMP_PACKETS; do |
for type in $ACCEPT_ICMP_PACKETS; do |
print_info -en " $type" |
print_info -en " $type" |
|
|
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
print_info -en "\tForwarding TCP ports to local machines:" |
print_info -en "\tForwarding TCP ports to local machines:" |
for redirect in $NAT_TCP_PORT_FORWARD; do |
for redirect in $NAT_TCP_PORT_FORWARD; do |
eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
print_info -en " $src_port -> $local_machine:$dest_port" |
eval `echo $redirect | \ |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $lan_ip \ |
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_ip:$src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $src_ip \ |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
done |
done |
|
|
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
print_info -en "\tForwarding UDP ports to local machines:" |
print_info -en "\tForwarding UDP ports to local machines:" |
for redirect in $NAT_UDP_PORT_FORWARD; do |
for redirect in $NAT_UDP_PORT_FORWARD; do |
eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
print_info -en " $src_port -> $local_machine:$dest_port" |
print_info -en " $src_port -> $local_machine:$dest_port" |
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
|
|
print_info -en "$riface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_TCP; do |
for port in $DROP_OUTPUT_TCP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP |
|
fi |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
|
|
print_info -en "$riface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_UDP; do |
for port in $DROP_OUTPUT_UDP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP |
|
fi |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
Line 593 bann_ip_adresses() |
|
Line 731 bann_ip_adresses() |
|
for banned_ip in $BANNED_IP; do |
for banned_ip in $BANNED_IP; do |
print_info -en " $banned_ip" |
print_info -en " $banned_ip" |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Line 606 allow_accept_all() |
|
Line 749 allow_accept_all() |
|
for iface in $IFACE_ACCEPT_ALL; do |
for iface in $IFACE_ACCEPT_ALL; do |
print_info -en " $iface" |
print_info -en " $iface" |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
$IPTABLES -A OUTPUT -o $iface -j ACCEPT |
$IPTABLES -A OUTPUT -o $iface -j ACCEPT |
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
if [ ! -z "$REAL_DROP_INPUT_TCP" ]; then |
|
print_info -en "Drop REAL all INPUT TCP connections for ALL interfaces on ports:" |
|
for port in $REAL_DROP_INPUT_TCP; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p TCP --dport $port -j DROP |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$REAL_DROP_INPUT_UDP" ]; then |
|
print_info -en "Drop REAL all INPUT UDP connections for ALL interfaces on ports:" |
|
for port in $REAL_DROP_INPUT_UDP; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p UDP --dport $port -j DROP |
|
done |
|
print_info " done." |
|
fi |
} # }}} |
} # }}} |
|
|
reject_input() |
reject_input() |
|
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
if [ ! -z "$REAL_REJECT_INPUT_TCP" ]; then |
|
print_info -en "Reject REAL all INPUT TCP connections for ALL interfaces on ports:" |
|
for port in $REAL_REJECT_INPUT_TCP; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$REAL_REJECT_INPUT_UDP" ]; then |
|
print_info -en "Reject REAL all INPUT UDP connections for ALL interfaces on ports:" |
|
for port in $REAL_REJECT_INPUT_UDP; do |
|
for riface in $REAL_INTERFACES; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
|
done |
|
done |
|
print_info " done." |
|
fi |
} # }}} |
} # }}} |
|
|
allow_input() |
allow_input() |
{ # {{{ |
{ # {{{ |
|
|
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
print_info -en "Accepting ALL INPUT TCP connections on ports:" |
print_info -en "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
done |
done |
|
|
for port in $ALL_ACCEPT_INPUT_UDP; do |
for port in $ALL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ -z "$src_ip" ]; then |
fi |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
done |
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j ACCEPT |
|
fi |
|
done |
|
fi |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
|
if [ ! -z "$REAL_ACCEPT_INPUT_TCP" ]; then |
|
print_info -en "Accepting REAL all INPUT TCP connections for ALL interfaces on ports:" |
|
for port in $REAL_ACCEPT_INPUT_TCP; do |
|
src_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
|
if [ -z "$src_ip" ]; then |
|
$IPTABLES -A INPUT -p TCP $port_rule -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -s $src_ip -p TCP $port_rule -j ACCEPT |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$REAL_ACCEPT_INPUT_UDP" ]; then |
|
print_info -en "Accepting REAL all INPUT UDP connections for ALL interfaces on ports:" |
|
for port in $REAL_ACCEPT_INPUT_UDP; do |
|
src_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
|
if [ -z "$src_ip" ]; then |
|
$IPTABLES -A INPUT -p UDP $port_rule -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -s $src_ip -p UDP $port_rule -j ACCEPT |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
for port in $ACCEPT_INPUT_TCP; do |
for port in $ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$src_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j ACCEPT |
|
fi |
fi |
fi |
done |
done |
done |
done |
|
|
for port in $ACCEPT_INPUT_UDP; do |
for port in $ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
if [ -n "$src_ip" -a "$port" = "0" ]; then |
|
port="ALL"; |
|
fi |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
for ip in ${!IPS}; do |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ -z $src_ip ]; then |
fi |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
done |
else |
|
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j ACCEPT |
|
fi |
|
fi |
|
done |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`"; |
ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`"; |
print_info -en "Accepting traceroute:" |
print_info -en "Accepting traceroute:" |
|
|
$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ |
if [ "X$XEN_MODE" = "Xon" ]; then |
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ |
print_info -ne " XEN_MODE "; |
-s $ip -d $ANYWHERE -j ACCEPT |
else |
|
$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ |
for iface in $TRACEROUTE_IFACE; do |
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ |
$IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ |
-s $ip -d $ANYWHERE -j ACCEPT |
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT |
|
done |
for iface in $TRACEROUTE_IFACE; do |
|
|
|
$IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ |
|
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT |
|
done |
|
fi |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
Line 938 configure_special_rules() |
|
Line 1230 configure_special_rules() |
|
|
|
} # }}} |
} # }}} |
|
|
|
custom_rules() |
|
{ # {{{ |
|
print_info -en "Executing custom rules: " |
|
for max_rule_num in 9 99 999; do |
|
initialized="no"; |
|
for i in `seq -w 0 "$max_rule_num"`; do |
|
varname="CUSTOM_RULE_$i"; |
|
if [ -z "${!varname}" ]; then |
|
break; |
|
fi |
|
print_info -n "#$i"; |
|
$IPTABLES ${!varname}; |
|
rc="$?"; |
|
if [ "$rc" -eq 0 ]; then |
|
print_info -n "[OK] "; |
|
else |
|
print_info -n "[rc:$?] "; |
|
fi; |
|
initialized="yes"; |
|
done |
|
if [ "X$initialized" = "Xyes" ]; then |
|
break; |
|
fi |
|
done |
|
print_info " done."; |
|
} # }}} |
|
|
do_ip_accounting() |
do_ip_accounting() |
{ # {{{ |
{ # {{{ |
|
|
Line 959 do_ip_accounting() |
|
Line 1278 do_ip_accounting() |
|
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
|
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
|
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
|
fi |
|
|
for client_ip in $IP_ACCT_CLIENTS; do |
for client_ip in $IP_ACCT_CLIENTS; do |
$IPTABLES -A $IPACCT_NAME -s $client_ip |
$IPTABLES -A $IPACCT_NAME -s $client_ip |
Line 1169 map { printf "Mask_%s=\"%s\"; export Ma |
|
Line 1492 map { printf "Mask_%s=\"%s\"; export Ma |
|
map { printf "HWaddr_%s=\"%s\"; export HWaddr_%s;\n", $_, $hwaddr{$_}, $_; } keys %hwaddr; |
map { printf "HWaddr_%s=\"%s\"; export HWaddr_%s;\n", $_, $hwaddr{$_}, $_; } keys %hwaddr; |
map { printf "IPcount_%s=\"%s\"; export IPcount_%s;\n", $_, $ipcount{$_}, $_; } keys %ipcount; |
map { printf "IPcount_%s=\"%s\"; export IPcount_%s;\n", $_, $ipcount{$_}, $_; } keys %ipcount; |
map { printf "IFname_%s=\"%s\"; export IFname_%s;\n", $_, $ifname{$_}, $_; } keys %ifname; |
map { printf "IFname_%s=\"%s\"; export IFname_%s;\n", $_, $ifname{$_}, $_; } keys %ifname; |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", keys %ip); |
printf "interfaces=\"%s\"; export interfaces;\n", join(" ", sort keys %ip); |
'` |
'` |
eval "$parsed_interfaces"; |
eval "$parsed_interfaces"; |
#echo "$parsed_interfaces"; |
#echo "$parsed_interfaces"; |
|
|
shaping_off |
shaping_off |
shaping_on |
shaping_on |
configure_special_rules |
configure_special_rules |
|
custom_rules |
$IPTABLES_SAVE -c > $CACHE_FILE |
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
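Review bot: In custom_rules the failure branch prints `[rc:$?]`, but by that point `$?` is the status of the `[ "$rc" -eq 0 ]` test, so a rejected rule is always reported as rc:1 instead of the iptables exit code captured on the line above; change it to `print_info -n "[rc:$rc] ";`. The same loop breaks at the first unset CUSTOM_RULE_<n>, so a gap in the numbering silently leaves every later rule unloaded, which for a firewall deserves at least a comment on the `break` (e.g. `# numbering must be contiguous: the first missing CUSTOM_RULE_<n> ends the list`). Separately, the new UDP branch of reject_input wraps `for riface in $REAL_INTERFACES; do` around a rule that never references `$riface`, so each port's REJECT rule is appended once per real interface and the progress line is printed that many times; dropping that inner loop makes it match the TCP branch directly above. In remove_chains the XEN_MODE path flushes only INPUT, OUTPUT and spoof in the filter table (the `# TODO!!!` marks it), so nat and mangle rules from a previous run survive a restart in that mode; that limitation should be stated in the XEN_MODE print_info message until the TODO is resolved. reject_input's body starts outside the visible hunk.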
|
|