|
|
@ -2,7 +2,7 @@ |
|
|
|
iptables_init_if() { |
|
|
|
if isfirst "iptables_$if"; then |
|
|
|
addcode up 1 1 "iptables -N firewall_$if" |
|
|
|
addcode up 1 2 "iptables -A INPUT -i $if -j firewall_$if" |
|
|
|
addcode up 2 2 "iptables -A INPUT -i $if -j firewall_$if" |
|
|
|
addcode up 1 3 "iptables -A firewall_$if ` |
|
|
|
`-m state --state ESTABLISHED,RELATED -j ACCEPT" |
|
|
|
|
|
|
@ -17,31 +17,69 @@ iptables_parse_conditions() { |
|
|
|
while [ -n "$1" ] |
|
|
|
do |
|
|
|
case "$1" in |
|
|
|
all) |
|
|
|
all) |
|
|
|
shift |
|
|
|
;; |
|
|
|
tcp|udp) |
|
|
|
icmp) |
|
|
|
iptables_cond="$iptables_cond -p icmp --icmp-type $2" |
|
|
|
shift; shift |
|
|
|
;; |
|
|
|
from) |
|
|
|
case "$2" in |
|
|
|
from) |
|
|
|
iptables_cond="$iptables_cond -p $1 --sport $3" |
|
|
|
all) |
|
|
|
shift; shift; |
|
|
|
;; |
|
|
|
tcp|udp) |
|
|
|
if [[ "$iptables_cond" == *-p* ]] ; then |
|
|
|
if [[ "$iptables_cond" != *"-p $2"* ]] ; then |
|
|
|
error "Specify either tcp or udp rules" |
|
|
|
else |
|
|
|
iptables_cond="$iptables_cond --sport $3" |
|
|
|
fi |
|
|
|
else |
|
|
|
iptables_cond="$iptables_cond -p $2 --sport $3" |
|
|
|
fi |
|
|
|
shift; shift; shift; |
|
|
|
;; |
|
|
|
ip) |
|
|
|
iptables_cond="$iptables_cond -s $3" |
|
|
|
shift; shift; shift; |
|
|
|
;; |
|
|
|
*) |
|
|
|
iptables_cond="$iptables_cond -p $1 --dport $2" |
|
|
|
shift; shift |
|
|
|
error "Unknown source type $2"; |
|
|
|
shift; shift; |
|
|
|
;; |
|
|
|
esac |
|
|
|
;; |
|
|
|
icmp) |
|
|
|
iptables_cond="$iptables_cond -p icmp --icmp-type $2" |
|
|
|
shift; shift |
|
|
|
;; |
|
|
|
ip) |
|
|
|
iptables_cond="$iptables_cond -s $2" |
|
|
|
shift; shift |
|
|
|
to) |
|
|
|
case "$2" in |
|
|
|
all) |
|
|
|
shift; shift; |
|
|
|
;; |
|
|
|
tcp|udp) |
|
|
|
if [[ "$iptables_cond" == *-p* ]] ; then |
|
|
|
if [[ "$iptables_cond" != *"-p $2"* ]] ; then |
|
|
|
error "Specify either tcp or udp rules" |
|
|
|
else |
|
|
|
iptables_cond="$iptables_cond --dport $3" |
|
|
|
fi |
|
|
|
else |
|
|
|
iptables_cond="$iptables_cond -p $2 --dport $3" |
|
|
|
fi |
|
|
|
shift; shift; shift; |
|
|
|
;; |
|
|
|
ip) |
|
|
|
iptables_cond="$iptables_cond -d $3" |
|
|
|
shift; shift; shift; |
|
|
|
;; |
|
|
|
*) |
|
|
|
error "Unknown destination type $2"; |
|
|
|
shift; shift; |
|
|
|
;; |
|
|
|
esac |
|
|
|
;; |
|
|
|
*) |
|
|
|
error "Unkown accept/reject/drop condition: $1" |
|
|
|
error "Unkown firewall condition: $1" |
|
|
|
shift |
|
|
|
esac |
|
|
|
done |
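Review bot: The tcp/udp protocol-mismatch branches at L130 and L274 report the conflict but then fall through to `shift; shift; shift;` and the loop continues, so unless `error` terminates the script (the `*)` branches that `shift` after calling it suggest it does not) the caller still installs a rule that lacks the port restriction it asked for — the resulting rule is wider than the spec, not narrower. I would make the parser fail closed: `error "Specify either tcp or udp rules"; return 1` in both branches, and have callers use `iptables_parse_conditions "$@" || return 1` before any `addcode`. The same applies to the unknown source/destination/condition branches at L194, L330 and L358, which currently consume their arguments and keep going. The port and address values in `--sport $3`, `--dport $3`, `-s $3` and `-d $3` are interpolated unchecked into the command string; a numeric/CIDR sanity check there would turn a typo into a parse-time error instead of an iptables failure at ifup. The new message at L358 also keeps the `Unkown` typo, and the function's head, where `iptables_cond` is presumably initialised, lies before the hunk.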
|
|
@ -65,6 +103,12 @@ public_drop() { |
|
|
|
iptables_init_if |
|
|
|
} |
|
|
|
|
|
|
|
public_log() { |
|
|
|
iptables_parse_conditions "$@" |
|
|
|
addcode up 1 5 "iptables -A firewall_$if $iptables_cond -j LOG" |
|
|
|
iptables_init_if |
|
|
|
} |
|
|
|
|
|
|
|
public_clamp_mtu() { |
|
|
|
addcode up 1 6 "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ |
|
|
|
-j TCPMSS --clamp-mss-to-pmtu" |
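Review bot: The new `public_log` rule at L397 jumps to LOG with no `--log-prefix` and no rate limit, so when it is used without conditions every packet entering `firewall_$if` is logged, indistinguishable from any other LOG rule on the host and able to flood the kernel log. I would add an interface-naming prefix and a limit match, e.g. `addcode up 1 5 "iptables -A firewall_$if $iptables_cond -m limit --limit 5/minute -j LOG --log-prefix fw_$if:"` (a prefix without spaces avoids nested quoting inside the addcode string). Unlike `public_masquerade` and `public_fw`, there is no `addcode down` counterpart; that may be fine if the per-interface chain is flushed on down elsewhere, which this page does not show.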
|
|
@ -73,9 +117,119 @@ public_clamp_mtu() { |
|
|
|
} |
|
|
|
|
|
|
|
public_masquerade() { |
|
|
|
addcode up 1 6 "iptables -t nat -A POSTROUTING -o $if \ |
|
|
|
iptables_parse_conditions "$@" |
|
|
|
addcode up 1 6 "iptables -t nat -A POSTROUTING $iptables_cond -o $if \ |
|
|
|
-j MASQUERADE" |
|
|
|
addcode down 9 6 "iptables -t nat -D POSTROUTING -o $if \ |
|
|
|
addcode down 9 6 "iptables -t nat -D POSTROUTING $iptables_cond -o $if \ |
|
|
|
-j MASQUERADE" |
|
|
|
} |
|
|
|
|
|
|
|
public_fw() { |
|
|
|
# fw <policy> <chainspec> <iptables_cond> |
|
|
|
# fw accept in from ip |
|
|
|
# fw reject out to ip jumpto BLUBBER |
|
|
|
# fw accept forward jump MYCHAIN to ip |
|
|
|
case "$1" in |
|
|
|
accept) |
|
|
|
target=ACCEPT |
|
|
|
shift |
|
|
|
;; |
|
|
|
reject) |
|
|
|
target=REJECT |
|
|
|
shift |
|
|
|
;; |
|
|
|
drop) |
|
|
|
target=DROP |
|
|
|
shift |
|
|
|
;; |
|
|
|
return) |
|
|
|
target=RETURN |
|
|
|
shift |
|
|
|
;; |
|
|
|
log) |
|
|
|
target=LOG |
|
|
|
shift |
|
|
|
;; |
|
|
|
*) |
|
|
|
target=$1 |
|
|
|
shift |
|
|
|
;; |
|
|
|
esac |
|
|
|
|
|
|
|
if [ "$if" != "none" ]; then |
|
|
|
case "$1" in |
|
|
|
out|outgoing) |
|
|
|
chain=OUTPUT |
|
|
|
dir=o |
|
|
|
shift |
|
|
|
;; |
|
|
|
in|incoming) |
|
|
|
chain=INPUT |
|
|
|
dir=i |
|
|
|
shift |
|
|
|
;; |
|
|
|
*) |
|
|
|
if [ "$1" == "forward" ]; then |
|
|
|
chain=FORWARD |
|
|
|
else |
|
|
|
chain=$1 |
|
|
|
fi |
|
|
|
shift |
|
|
|
case "$1" in |
|
|
|
in|incoming) |
|
|
|
dir=i |
|
|
|
shift; |
|
|
|
;; |
|
|
|
out|outgoing) |
|
|
|
dir=o |
|
|
|
shift; |
|
|
|
;; |
|
|
|
*) |
|
|
|
error "Not a forward interface specification: $1" |
|
|
|
;; |
|
|
|
esac |
|
|
|
;; |
|
|
|
esac |
|
|
|
else |
|
|
|
case "$1" in |
|
|
|
out|outgoing) |
|
|
|
chain=OUTPUT |
|
|
|
shift |
|
|
|
;; |
|
|
|
in|incoming) |
|
|
|
chain=INPUT |
|
|
|
shift |
|
|
|
;; |
|
|
|
forward|FORWARD) |
|
|
|
chain=FORWARD |
|
|
|
shift |
|
|
|
;; |
|
|
|
*) |
|
|
|
chain=$1 |
|
|
|
shift |
|
|
|
;; |
|
|
|
esac |
|
|
|
if [ "$1" == "policy" ]; then |
|
|
|
addcode up 1 6 "iptables -P $chain $target" |
|
|
|
shift |
|
|
|
return |
|
|
|
fi |
|
|
|
fi |
|
|
|
iptables_parse_conditions "$@" |
|
|
|
$iptables -L $chain -n >/dev/null 2>/dev/null || { |
|
|
|
if isfirst "iptables_$chain" && \ |
|
|
|
[ "$chain" != "INPUT" ] && [ "$chain" != "OUTPUT" ] && \ |
|
|
|
[ "$chain" != "FORWARD" ] ; then |
|
|
|
addcode up 1 1 "iptables -N $chain" |
|
|
|
addcode down 1 1 "iptables -X $chain" |
|
|
|
fi |
|
|
|
} |
|
|
|
if [ "$if" == "none" -o "$dir" == "" ]; then |
|
|
|
ifspec="" |
|
|
|
else |
|
|
|
iptables_init_if |
|
|
|
ifspec="-$dir $if" |
|
|
|
fi |
|
|
|
addcode up 1 6 "iptables -A $chain $iptables_cond $ifspec -j $target" |
|
|
|
addcode down 9 6 "iptables -D $chain $iptables_cond $ifspec -j $target" |
|
|
|
} |
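Review bot: In `public_fw` the `*)` branch at L720 reports "Not a forward interface specification" but does not return, so execution reaches the `addcode` lines at L900/L904 and a rule is installed anyway — built from `chain`, `target` and `dir`, none of which is declared `local` or reset, so `dir` can still hold the value from an earlier `public_fw` call and `ifspec` silently names the wrong direction. I would add `local target chain dir ifspec` and `dir=""` at the top of the function, `return 1` after that error, and guard the parse with `iptables_parse_conditions "$@" || return 1` (assuming the parser is made to return non-zero on error). The policy branch at L820 emits only an `up` command, so a `-P` change is never reverted on down, and `-P` applies only to built-in chains with ACCEPT/DROP, so `fw reject in policy` produces a command iptables rejects at ifup; a check or at least a comment there would help. If `addcode down` entries run in the same ascending order as the `up` ones, the `-X $chain` at L864 (down 1 1) executes before the `-D` at L904 (down 9 6) and fails on the non-empty chain — the ordering semantics of `addcode` are not visible here. `[ "$if" == "none" -o "$dir" == "" ]` at L876 would be clearer as `[[ "$if" == "none" || -z "$dir" ]]`, matching the `[[` already used above.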