version 2.69, 2009/07/01 12:23:11 |
version 2.73, 2010/06/21 21:52:16 |
|
|
#!/bin/sh |
#!/bin/bash |
|
|
# |
# |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2006 Platon SDG, http://platon.sk/ |
# Copyright (c) 2003-2009 Platon Group, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.68 2009-03-04 22:51:42 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.72 2010-06-09 11:29:14 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
$AWK -v FS=: ' (NF == 2) { remote_ip = "$lan_ip"; remote_port = $1; local_port = $2; } \ |
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
(NF == 3) { remote_ip = $2; remote_port = $1; local_port = $3; } \ |
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
END { printf "remote_ip=%s; remote_port=%s; local_port=%s;", remote_ip, remote_port, local_port; }'` |
print_info -en " $remote_port>>$remote_ip:$local_port(udp)" |
print_info -en " $remote_port>>$remote_ip:$local_port(tcp)" |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
$IPTABLES -t nat -A PREROUTING -p TCP \ |
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
-i ! $NAT_LAN_IFACE -d ! $lan_ip \ |
--dport $remote_port -j REDIRECT --to-port $local_port |
--dport $remote_port -j REDIRECT --to-port $local_port |
|
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
if [ ! -z "$REAL_DROP_INPUT_TCP" ]; then |
|
print_info -en "Drop REAL all INPUT TCP connections for ALL interfaces on ports:" |
|
for port in $REAL_DROP_INPUT_TCP; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p TCP --dport $port -j DROP |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$REAL_DROP_INPUT_UDP" ]; then |
|
print_info -en "Drop REAL all INPUT UDP connections for ALL interfaces on ports:" |
|
for port in $REAL_DROP_INPUT_UDP; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p UDP --dport $port -j DROP |
|
done |
|
print_info " done." |
|
fi |
} # }}} |
} # }}} |
|
|
reject_input() |
reject_input() |
|
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
if [ ! -z "$REAL_REJECT_INPUT_TCP" ]; then |
|
print_info -en "Reject REAL all INPUT TCP connections for ALL interfaces on ports:" |
|
for port in $REAL_REJECT_INPUT_TCP; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$REAL_REJECT_INPUT_UDP" ]; then |
|
print_info -en "Reject REAL all INPUT UDP connections for ALL interfaces on ports:" |
|
for port in $REAL_REJECT_INPUT_UDP; do |
|
for riface in $REAL_INTERFACES; do |
|
print_info -en " $port(ALL)" |
|
$IPTABLES -A INPUT -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
|
done |
|
done |
|
print_info " done." |
|
fi |
} # }}} |
} # }}} |
|
|
allow_input() |
allow_input() |
{ # {{{ |
{ # {{{ |
|
|
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
if [ ! -z "$ALL_ACCEPT_INPUT_TCP" ]; then |
print_info -en "Accepting ALL INPUT TCP connections on ports:" |
print_info -en "Accepting ALL INPUT TCP connections on ports:" |
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
|
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
|
if [ ! -z "$REAL_ACCEPT_INPUT_TCP" ]; then |
|
print_info -en "Accepting REAL all INPUT TCP connections for ALL interfaces on ports:" |
|
for port in $REAL_ACCEPT_INPUT_TCP; do |
|
src_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
if [ -z "$src_ip" ]; then |
|
$IPTABLES -A INPUT -p TCP --dport $port -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -s $src_ip -p TCP --dport $port -j ACCEPT |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
if [ ! -z "$REAL_ACCEPT_INPUT_UDP" ]; then |
|
print_info -en "Accepting REAL all INPUT UDP connections for ALL interfaces on ports:" |
|
for port in $REAL_ACCEPT_INPUT_UDP; do |
|
src_ip="" |
|
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
if [ -z "$src_ip" ]; then |
|
$IPTABLES -A INPUT -p UDP --dport $port -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -s $src_ip -p UDP --dport $port -j ACCEPT |
|
fi |
|
done |
|
print_info " done." |
|
fi |
|
|
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |