
Andreas V. Meier:


			
			
			
			
		
Andreas V. 'netrunner' Meier 19 years ago
parent
commit
38319bfb3c
1 changed files with 171 additions and 17 deletions
  1. +171
    -17
      package/base/iptables/rocknet_iptables.sh

+ 171
- 17
package/base/iptables/rocknet_iptables.sh

@ -2,7 +2,7 @@
iptables_init_if() {
if isfirst "iptables_$if"; then
addcode up 1 1 "iptables -N firewall_$if"
addcode up 1 2 "iptables -A INPUT -i $if -j firewall_$if"
addcode up 2 2 "iptables -A INPUT -i $if -j firewall_$if"
addcode up 1 3 "iptables -A firewall_$if `
`-m state --state ESTABLISHED,RELATED -j ACCEPT"
@ -17,31 +17,69 @@ iptables_parse_conditions() {
while [ -n "$1" ]
do
case "$1" in
all)
all)
shift
;;
tcp|udp)
icmp)
iptables_cond="$iptables_cond -p icmp --icmp-type $2"
shift; shift
;;
from)
case "$2" in
from)
iptables_cond="$iptables_cond -p $1 --sport $3"
all)
shift; shift;
;;
tcp|udp)
if [[ "$iptables_cond" == *-p* ]] ; then
if [[ "$iptables_cond" != *"-p $2"* ]] ; then
error "Specify either tcp or udp rules"
else
iptables_cond="$iptables_cond --sport $3"
fi
else
iptables_cond="$iptables_cond -p $2 --sport $3"
fi
shift; shift; shift;
;;
ip)
iptables_cond="$iptables_cond -s $3"
shift; shift; shift;
;;
*)
iptables_cond="$iptables_cond -p $1 --dport $2"
shift; shift
error "Unknown source type $2";
shift; shift;
;;
esac
;;
icmp)
iptables_cond="$iptables_cond -p icmp --icmp-type $2"
shift; shift
;;
ip)
iptables_cond="$iptables_cond -s $2"
shift; shift
to)
case "$2" in
all)
shift; shift;
;;
tcp|udp)
if [[ "$iptables_cond" == *-p* ]] ; then
if [[ "$iptables_cond" != *"-p $2"* ]] ; then
error "Specify either tcp or udp rules"
else
iptables_cond="$iptables_cond --dport $3"
fi
else
iptables_cond="$iptables_cond -p $2 --dport $3"
fi
shift; shift; shift;
;;
ip)
iptables_cond="$iptables_cond -d $3"
shift; shift; shift;
;;
*)
error "Unknown destination type $2";
shift; shift;
;;
esac
;;
*)
error "Unkown accept/reject/drop condition: $1"
error "Unkown firewall condition: $1"
shift
esac
done
@ -65,6 +103,12 @@ public_drop() {
iptables_init_if
}
public_log() {
iptables_parse_conditions "$@"
addcode up 1 5 "iptables -A firewall_$if $iptables_cond -j LOG"
iptables_init_if
}
public_clamp_mtu() {
addcode up 1 6 "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu"
@ -73,9 +117,119 @@ public_clamp_mtu() {
}
public_masquerade() {
addcode up 1 6 "iptables -t nat -A POSTROUTING -o $if \
iptables_parse_conditions "$@"
addcode up 1 6 "iptables -t nat -A POSTROUTING $iptables_cond -o $if \
-j MASQUERADE"
addcode down 9 6 "iptables -t nat -D POSTROUTING -o $if \
addcode down 9 6 "iptables -t nat -D POSTROUTING $iptables_cond -o $if \
-j MASQUERADE"
}
public_fw() {
# fw <policy> <chainspec> <iptables_cond>
# fw accept in from ip
# fw reject out to ip jumpto BLUBBER
# fw accept forward jump MYCHAIN to ip
case "$1" in
accept)
target=ACCEPT
shift
;;
reject)
target=REJECT
shift
;;
drop)
target=DROP
shift
;;
return)
target=RETURN
shift
;;
log)
target=LOG
shift
;;
*)
target=$1
shift
;;
esac
if [ "$if" != "none" ]; then
case "$1" in
out|outgoing)
chain=OUTPUT
dir=o
shift
;;
in|incoming)
chain=INPUT
dir=i
shift
;;
*)
if [ "$1" == "forward" ]; then
chain=FORWARD
else
chain=$1
fi
shift
case "$1" in
in|incoming)
dir=i
shift;
;;
out|outgoing)
dir=o
shift;
;;
*)
error "Not a forward interface specification: $1"
;;
esac
;;
esac
else
case "$1" in
out|outgoing)
chain=OUTPUT
shift
;;
in|incoming)
chain=INPUT
shift
;;
forward|FORWARD)
chain=FORWARD
shift
;;
*)
chain=$1
shift
;;
esac
if [ "$1" == "policy" ]; then
addcode up 1 6 "iptables -P $chain $target"
shift
return
fi
fi
iptables_parse_conditions "$@"
$iptables -L $chain -n >/dev/null 2>/dev/null || {
if isfirst "iptables_$chain" && \
[ "$chain" != "INPUT" ] && [ "$chain" != "OUTPUT" ] && \
[ "$chain" != "FORWARD" ] ; then
addcode up 1 1 "iptables -N $chain"
addcode down 1 1 "iptables -X $chain"
fi
}
if [ "$if" == "none" -o "$dir" == "" ]; then
ifspec=""
else
iptables_init_if
ifspec="-$dir $if"
fi
addcode up 1 6 "iptables -A $chain $iptables_cond $ifspec -j $target"
addcode down 9 6 "iptables -D $chain $iptables_cond $ifspec -j $target"
}
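Review bot: In public_fw, the `*)` arm of the inner `case "$1"` for an explicit chain reports "Not a forward interface specification" but then falls through to rule generation, and `dir` is never reset at the top of the function, so the emitted rule is either built with a `dir` left over from a previous `fw` call or, when `dir` is empty, with `ifspec=""` and therefore no interface restriction at all — a rule the admin wrote for one interface ends up applying to every interface. This matters only if `error` returns rather than exits, which the `shift` following `error "Unkown firewall condition: $1"` in iptables_parse_conditions suggests it does. The fix is two lines: add `dir=` next to the target handling at the start of public_fw, and change the failing arm to `error "Not a forward interface specification: $1"; return`. Separately, `$iptables -L $chain -n` probes the live kernel at config-parse time rather than inside the generated up code, so whether `iptables -N`/`-X` get emitted depends on what happens to exist when the config is read; it would be worth a comment such as `# chain existence is checked at generation time, not when the up/down code runs` or, better, dropping the probe and relying on `isfirst` alone. The `forward` spelling is also inconsistent between the two branches (`forward` vs `forward|FORWARD`).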
