version 2.81, 2011/10/03 17:42:56 |
version 2.83, 2011/11/18 23:49:00 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.80 2011-10-03 17:33:52 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.82 2011-11-18 23:26:18 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
|
|
for port in $ALL_ACCEPT_INPUT_TCP; do |
for port in $ALL_ACCEPT_INPUT_TCP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
done |
done |
|
|
for port in $ALL_ACCEPT_INPUT_UDP; do |
for port in $ALL_ACCEPT_INPUT_UDP; do |
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for iface in $INTERFACES; do |
for iface in $INTERFACES; do |
riface="IFname_$iface"; |
riface="IFname_$iface"; |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
IPS="IP_$iface"; |
IPS="IP_$iface"; |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
fi |
fi |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -p TCP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -s $src_ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -s $src_ip -p TCP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port(ALL)"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
if [ -z "$src_ip" ]; then |
if [ -z "$src_ip" ]; then |
$IPTABLES -A INPUT -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -p UDP $port_rule -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -s $src_ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -s $src_ip -p UDP $port_rule -j ACCEPT |
fi |
fi |
done |
done |
print_info " done." |
print_info " done." |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
src_ip="" |
src_ip="" |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
eval `echo $port | awk -v FS=: '/:/ { printf "src_ip=\"%s\"; port=\"%s\";", $1, $2; }'` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j REJECT --reject-with $REJECT_WITH |
fi |
fi |
done |
done |
done |
done |
|
|
port="ALL"; |
port="ALL"; |
fi |
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p TCP $port_rule -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p TCP $port_rule -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |
|
|
if [ -n "$src_ip" -a "$port" = "0" ]; then |
if [ -n "$src_ip" -a "$port" = "0" ]; then |
port="ALL"; |
port="ALL"; |
fi |
fi |
|
echo $port | grep -q , |
|
multiport="$?"; |
|
if [ "$multiport" -eq 0 ]; then |
|
port_rule="--match multiport --dports $port" |
|
else |
|
port_rule="--dport $port" |
|
fi |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"` |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
#$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT |
if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified |
if [ "x$port" = "x67" ]; then # DHCP requests doesn't have destination IP specified |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT |
else |
else |
for ip in ${!IPS}; do |
for ip in ${!IPS}; do |
if [ -z $src_ip ]; then |
if [ -z $src_ip ]; then |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP $port_rule -j ACCEPT |
else |
else |
if [ "$port" = "ALL" ]; then |
if [ "$port" = "ALL" ]; then |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT |
else |
else |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT |
$IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP $port_rule -j ACCEPT |
fi |
fi |
fi |
fi |
done |
done |