version 2.65, 2009/02/06 00:43:12 |
version 2.67, 2009/02/11 22:55:41 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.64 2009-02-06 00:38:56 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.66 2009-02-06 23:13:38 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Line 335 anti_spoof_filter() |
|
Line 335 anti_spoof_filter() |
|
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918 |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES_LOG -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src" |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN |
$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
|
$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
# 2009-02-11 - Not reserver anymore: http://www.iana.org/assignments/ipv4-address-space/ |
|
# - it is a Comcast network now |
|
#$IPTABLES_LOG -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src" |
|
#$IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA |
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
print_info -en " $iface" |
print_info -en " $iface" |
|
|
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
if [ ! -z "$NAT_TCP_PORT_FORWARD" ]; then |
print_info -en "\tForwarding TCP ports to local machines:" |
print_info -en "\tForwarding TCP ports to local machines:" |
for redirect in $NAT_TCP_PORT_FORWARD; do |
for redirect in $NAT_TCP_PORT_FORWARD; do |
eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
print_info -en " $src_port -> $local_machine:$dest_port" |
eval `echo $redirect | \ |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $lan_ip \ |
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
|
print_info -en " $src_ip:$src_port -> $local_machine:$dest_port" |
|
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d $src_ip \ |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
done |
done |
|
|
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
if [ ! -z "$NAT_UDP_PORT_FORWARD" ]; then |
print_info -en "\tForwarding UDP ports to local machines:" |
print_info -en "\tForwarding UDP ports to local machines:" |
for redirect in $NAT_UDP_PORT_FORWARD; do |
for redirect in $NAT_UDP_PORT_FORWARD; do |
eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
#eval `echo $redirect | $AWK -v FS=: '{ printf "src_port=%s; local_machine=%s; dest_port=%s;", $1, $2, $3; }'` |
|
eval `echo $redirect | \ |
|
$AWK -v FS=: ' (NF == 3) { src_ip = "$lan_ip" ; src_port = $1; local_machine = $2; dest_port = $3; } \ |
|
(NF == 4) { src_ip = $1 ; src_port = $2; local_machine = $3; dest_port = $4; } \ |
|
END { printf "src_ip=%s; src_port=%s; local_machine=%s; dest_port=%s;", src_ip, src_port, local_machine, dest_port; }'` |
print_info -en " $src_port -> $local_machine:$dest_port" |
print_info -en " $src_port -> $local_machine:$dest_port" |
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
$IPTABLES -t nat -A PREROUTING -p UDP -i $NAT_LAN_IFACE -d $lan_ip \ |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
--dport $src_port -j DNAT --to $local_machine:$dest_port |