version 2.75, 2010/10/22 12:20:42 |
version 2.81, 2011/10/03 17:42:56 |
|
|
#!/bin/bash |
#!/bin/bash |
|
|
|
### BEGIN INIT INFO |
|
# Provides: firewall |
|
# Required-Start: networking |
|
# Required-Stop: |
|
# Default-Start: S |
|
# Default-Stop: |
|
# Short-Description: firewalling rules |
|
### END INIT INFO |
|
|
# |
# |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# This will be universal firewalling script for Linux kernel (iptables) in near future |
# Can be started by init or by hand. |
# Can be started by init or by hand. |
# |
# |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Developed by Lubomir Host 'rajo' <rajo AT platon.sk> |
# Copyright (c) 2003-2009 Platon Group, http://platon.sk/ |
# Copyright (c) 2003-2011 Platon Group, http://platon.sk/ |
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.74 2010-08-08 23:34:25 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.80 2011-10-03 17:33:52 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
# 2011-07-20 - implemented XEN_MODE |
# |
# |
|
|
|
### BEGIN INIT INFO |
|
# Provides: firewall |
|
# Required-Start: $network $remote_fs |
|
# Required-Stop: $network $remote_fs |
|
# Default-Start: 2 3 4 5 |
|
# Default-Stop: 0 1 6 |
|
# Short-Description: Starts firewall |
|
# Description: Handle universal firewall script by Platon Group |
|
# http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ |
|
# Author: Lubomir Host <rajo@platon.sk> |
|
# Copyright: (c) 2003-2011 Platon Group |
|
### END INIT INFO |
|
|
umask 077 # security |
umask 077 # security |
|
|
DESC="firewall" |
DESC="firewall" |
|
|
|
|
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
mkdir -p "$DEFAULT_CACHE_DIR"; |
mkdir -p "$DEFAULT_CACHE_DIR"; |
|
if [ "$?" -ne "0" ]; then |
|
print_info "ERROR: unable to create cache dir in load_cache()"; |
|
return; |
|
fi |
fi |
fi |
|
|
config=`cat $DEFAULT_FIREWALL_CONFIG $0 $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf `; # config file and firewalling script |
config=""; |
md5key=`echo "config = '$config' parsed_interfaces ='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{ print $1; }'`; |
if [ -r "$DEFAULT_FIREWALL_CONFIG" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG\" `"; |
|
fi |
|
if [ -r "$0" ]; then |
|
config="$config ` cat \"$0\" `"; |
|
fi |
|
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list\" `"; |
|
fi |
|
if [ -r "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf" ]; then |
|
config="$config ` cat \"$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf\" `"; |
|
fi |
|
md5key=`echo "config='$config' parsed_interfaces='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{print $1;}'`; |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
#echo "CACHE_FILE=$CACHE_FILE" |
#echo "CACHE_FILE=$CACHE_FILE" |
Line 206 set_default_policy() |
|
Line 245 set_default_policy() |
|
{ # {{{ |
{ # {{{ |
# Set default policy |
# Set default policy |
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info "XEN_MODE enabled: default policy for FORWARD forced to ACCEPT"; |
|
$IPTABLES -P $chain ACCEPT; |
|
continue; |
|
fi |
$IPTABLES -P $chain $DEFAULT_POLICY |
$IPTABLES -P $chain $DEFAULT_POLICY |
done |
done |
} # }}} |
} # }}} |
|
|
remove_chains() |
remove_chains() |
{ # {{{ |
{ # {{{ |
|
|
for table in filter nat mangle; do |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -t $table -F # clear all chains |
print_info "XEN_MODE enabled: not clearing FORWARD chain"; |
$IPTABLES -t $table -X # remove all chains |
$IPTABLES --flush INPUT |
$IPTABLES -t $table -Z # zero counts |
$IPTABLES --flush OUTPUT |
done |
$IPTABLES --flush spoof |
|
# TODO!!! |
|
else |
|
for table in filter nat mangle; do |
|
$IPTABLES -t $table -F # clear all chains |
|
$IPTABLES -t $table -X # remove all chains |
|
$IPTABLES -t $table -Z # zero counts |
|
done |
|
fi |
|
|
} # }}} |
} # }}} |
|
|
Line 254 nmap_scan_filter() |
|
Line 306 nmap_scan_filter() |
|
print_info -en "Turning on nmap scan filter " |
print_info -en "Turning on nmap scan filter " |
|
|
for chain in INPUT FORWARD; do |
for chain in INPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info -ne " XEN_MODE "; |
|
continue; |
|
fi |
|
|
# Nie je nastaveny ziaden bit |
# Nie je nastaveny ziaden bit |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP |
print_info -en "." |
print_info -en "." |
|
|
Line 264 nmap_scan_filter() |
|
Line 322 nmap_scan_filter() |
|
for flags in SYN,FIN SYN,RST FIN,RST ; do |
for flags in SYN,FIN SYN,RST FIN,RST ; do |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
Line 272 nmap_scan_filter() |
|
Line 331 nmap_scan_filter() |
|
for flags in FIN PSH URG ; do |
for flags in FIN PSH URG ; do |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
$IPTABLES_LOG -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: " |
print_info -en "." |
print_info -en "." |
|
|
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP |
print_info -en "." |
print_info -en "." |
done |
done |
Line 286 invalid_packet_filter() |
|
Line 346 invalid_packet_filter() |
|
{ # {{{ |
{ # {{{ |
|
|
print_info -en "Turning on INVALID packet filter " |
print_info -en "Turning on INVALID packet filter " |
|
|
for chain in INPUT OUTPUT FORWARD; do |
for chain in INPUT OUTPUT FORWARD; do |
|
if [ "X$XEN_MODE" = "Xon" -a "$chain" = "FORWARD" ]; then |
|
print_info -ne " XEN_MODE "; |
|
continue; |
|
fi |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
$IPTABLES_LOG -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: " |
print_info -en "." |
print_info -en "." |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
$IPTABLES -A $chain -m state --state INVALID -j DROP |
Line 343 anti_spoof_filter() |
|
Line 408 anti_spoof_filter() |
|
|
|
for iface in $ANTISPOOF_IFACE; do |
for iface in $ANTISPOOF_IFACE; do |
print_info -en " $iface" |
print_info -en " $iface" |
$IPTABLES -A FORWARD -i $iface -j spoof |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -i $iface -j spoof |
|
fi |
$IPTABLES -A INPUT -i $iface -j spoof |
$IPTABLES -A INPUT -i $iface -j spoof |
done |
done |
print_info " done." |
print_info " done." |
|
|
|
|
} # }}} |
} # }}} |
|
|
# Masquerade local subnet |
|
masquerade() |
masquerade() |
{ # {{{ |
{ # {{{ |
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info "XEN_MODE enabled: masquerade is not supported in this mode"; |
|
return; |
|
fi |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
print_info -en "NAT: Enabling packet forwarding..." |
print_info -en "NAT: Enabling packet forwarding..." |
echo 1 > /proc/sys/net/ipv4/ip_forward |
echo 1 > /proc/sys/net/ipv4/ip_forward |
|
|
localnet="$ip/${!netmask}" |
localnet="$ip/${!netmask}" |
|
|
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
lan_ip="`get_first_ip_addr IP_$NAT_LAN_IFACE`" |
|
|
# alow packets from private subnet |
# alow packets from private subnet |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
$IPTABLES -A FORWARD -s ! $localnet -i $NAT_SUBNET_IFACE -j DROP |
for client_ip in $NAT_CLIENT_DROP; do |
for client_ip in $NAT_CLIENT_DROP; do |
|
|
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP |
|
|
for port in 69 135 445 1434 6667; do |
for port in 67 68 69 135 445 1434 6667; do |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
$IPTABLES -A FORWARD -p TCP --dport $port -j DROP |
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
$IPTABLES -A FORWARD -p UDP --dport $port -j DROP |
done |
done |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
|
|
|
# NAT_FORWARD_TCP_HOSTS {{{ |
|
if [ ! -z "$NAT_FORWARD_TCP_HOSTS" ]; then |
|
print_info -en "\tAccepting FORWARD TCP hosts:" |
|
for host in $NAT_FORWARD_TCP_HOSTS; do |
|
print_info -en " $host" |
|
$IPTABLES -A FORWARD -p TCP -d $host -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_HOSTS {{{ |
|
if [ ! -z "$NAT_FORWARD_UDP_HOSTS" ]; then |
|
print_info -en "\tAccepting FORWARD UDP hosts:" |
|
for host in $NAT_FORWARD_UDP_HOSTS; do |
|
print_info -en " $host" |
|
$IPTABLES -A FORWARD -p UDP -d $host -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_TCP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_TCP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD TCP clients:" |
|
for client in $NAT_FORWARD_TCP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p TCP -s $client -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
|
# NAT_FORWARD_UDP_CLIENTS {{{ |
|
if [ ! -z "$NAT_FORWARD_UDP_CLIENTS" ]; then |
|
print_info -en "\tAccepting FORWARD UDP clients:" |
|
for client in $NAT_FORWARD_UDP_CLIENTS; do |
|
print_info -en " $client" |
|
$IPTABLES -A FORWARD -p UDP -s $client -m state --state NEW -j ACCEPT |
|
done |
|
print_info " done." |
|
fi |
|
# }}} |
|
|
print_info -en "\tAccepting ICMP packets:" |
print_info -en "\tAccepting ICMP packets:" |
for type in $ACCEPT_ICMP_PACKETS; do |
for type in $ACCEPT_ICMP_PACKETS; do |
print_info -en " $type" |
print_info -en " $type" |
|
|
print_info -en "$riface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_TCP; do |
for port in $DROP_OUTPUT_TCP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -p TCP --sport $port -o $riface -j DROP |
|
fi |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p TCP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
|
|
print_info -en "$riface: Dropping outgoing packets from ports:" |
print_info -en "$riface: Dropping outgoing packets from ports:" |
for port in $DROP_OUTPUT_UDP; do |
for port in $DROP_OUTPUT_UDP; do |
print_info -en " $port" |
print_info -en " $port" |
$IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -p UDP --sport $port -o $riface -j DROP |
|
fi |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP |
$IPTABLES -A OUTPUT -p UDP --sport $port -o $riface -j DROP |
done |
done |
print_info " done." |
print_info " done." |
Line 604 bann_ip_adresses() |
|
Line 731 bann_ip_adresses() |
|
for banned_ip in $BANNED_IP; do |
for banned_ip in $BANNED_IP; do |
print_info -en " $banned_ip" |
print_info -en " $banned_ip" |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Line 617 allow_accept_all() |
|
Line 749 allow_accept_all() |
|
for iface in $IFACE_ACCEPT_ALL; do |
for iface in $IFACE_ACCEPT_ALL; do |
print_info -en " $iface" |
print_info -en " $iface" |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A INPUT -i $iface -j ACCEPT |
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
$IPTABLES -A OUTPUT -o $iface -j ACCEPT |
$IPTABLES -A OUTPUT -o $iface -j ACCEPT |
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -i $iface -j ACCEPT |
|
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ -z "$src_ip" ]; then |
fi |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
done |
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
|
fi |
|
done |
|
fi |
done |
done |
done |
done |
print_info " done." |
print_info " done." |
|
|
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
for ip in ${!IPS}; do |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
if [ "$port" = "ALL" ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
if [ "$port" = "ALL" ]; then |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
|
else |
|
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
|
fi |
fi |
fi |
fi |
done |
done |
fi |
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`"; |
ip="`get_first_ip_addr IP_$ANTISPOOF_IFACE`"; |
print_info -en "Accepting traceroute:" |
print_info -en "Accepting traceroute:" |
|
|
$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ |
if [ "X$XEN_MODE" = "Xon" ]; then |
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ |
print_info -ne " XEN_MODE "; |
-s $ip -d $ANYWHERE -j ACCEPT |
else |
|
$IPTABLES -A OUTPUT -o $ANTISPOOF_IFACE -p UDP \ |
for iface in $TRACEROUTE_IFACE; do |
--sport $TRACEROUTE_SRC_PORTS --dport $TRACEROUTE_DEST_PORTS \ |
$IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ |
-s $ip -d $ANYWHERE -j ACCEPT |
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT |
|
done |
for iface in $TRACEROUTE_IFACE; do |
|
|
|
$IPTABLES -A FORWARD -p UDP -i $iface --sport $TRACEROUTE_SRC_PORTS \ |
|
--dport $TRACEROUTE_DEST_PORTS -j ACCEPT |
|
done |
|
fi |
print_info " done." |
print_info " done." |
fi |
fi |
|
|
Line 1073 do_ip_accounting() |
|
Line 1222 do_ip_accounting() |
|
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
|
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
if [ "X$XEN_MODE" = "Xon" ]; then |
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
|
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
|
fi |
|
|
for client_ip in $IP_ACCT_CLIENTS; do |
for client_ip in $IP_ACCT_CLIENTS; do |
$IPTABLES -A $IPACCT_NAME -s $client_ip |
$IPTABLES -A $IPACCT_NAME -s $client_ip |