From 38319bfb3c7fca905d9d513c683e33113f3aec66 Mon Sep 17 00:00:00 2001
From: "Andreas V. 'netrunner' Meier" <avmeier@web.de>
Date: Fri, 31 Mar 2006 20:47:42 +0000
Subject: [PATCH] Andreas V. Meier: 	 add more advanced firewall module to
 rocknet_iptables.sh 	 mainly in additional module, but also changes
 semantics of old stuff 	 see ml

[2005121122415531618] (https://www.rocklinux.net/submaster)



git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@7397 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
---
 package/base/iptables/rocknet_iptables.sh | 188 ++++++++++++++++++++--
 1 file changed, 171 insertions(+), 17 deletions(-)

diff --git a/package/base/iptables/rocknet_iptables.sh b/package/base/iptables/rocknet_iptables.sh
index 9e73e1355..cdc47ac5f 100644
--- a/package/base/iptables/rocknet_iptables.sh
+++ b/package/base/iptables/rocknet_iptables.sh
@@ -2,7 +2,7 @@
 iptables_init_if() {
 	if isfirst "iptables_$if"; then
 		addcode up   1 1 "iptables -N firewall_$if"
-		addcode up   1 2 "iptables -A INPUT -i $if -j firewall_$if"
+		addcode up   2 2 "iptables -A INPUT -i $if -j firewall_$if"
 		addcode up   1 3 "iptables -A firewall_$if `
 			`-m state --state ESTABLISHED,RELATED -j ACCEPT"
 
@@ -17,31 +17,69 @@ iptables_parse_conditions() {
 	while [ -n "$1" ]
 	do
 		case "$1" in
-		    all)
+			all)
 			shift
 			;;
-		    tcp|udp)
+		    icmp)
+			iptables_cond="$iptables_cond -p icmp --icmp-type $2"
+			shift; shift
+			;;
+			from)
 			case "$2" in
-				from)
-				iptables_cond="$iptables_cond -p $1 --sport $3"
+				all)
+				shift; shift;
+				;;
+				tcp|udp)
+				if [[ "$iptables_cond" == *-p* ]] ; then
+					if [[ "$iptables_cond" != *"-p $2"* ]] ; then
+						error "Specify either tcp or udp rules"
+					else
+						iptables_cond="$iptables_cond --sport $3"
+					fi
+				else
+					iptables_cond="$iptables_cond -p $2 --sport $3"
+				fi
+				shift; shift; shift;
+				;;
+				ip)
+				iptables_cond="$iptables_cond -s $3"
 				shift; shift; shift;
 				;;
 				*)
-				iptables_cond="$iptables_cond -p $1 --dport $2"
-				shift; shift
+				error "Unknown source type $2";
+				shift; shift;
 				;;
 			esac
 			;;
-		    icmp)
-			iptables_cond="$iptables_cond -p icmp --icmp-type $2"
-			shift; shift
-			;;
-		    ip)
-			iptables_cond="$iptables_cond -s $2"
-			shift; shift
+			to)
+			case "$2" in
+				all)
+				shift; shift;
+				;;
+				tcp|udp)
+				if [[ "$iptables_cond" == *-p* ]] ; then
+					if [[ "$iptables_cond" != *"-p $2"* ]] ; then
+						error "Specify either tcp or udp rules"
+					else
+						iptables_cond="$iptables_cond --dport $3"
+					fi
+				else
+					iptables_cond="$iptables_cond -p $2 --dport $3"
+				fi
+				shift; shift; shift;
+				;;
+				ip)
+				iptables_cond="$iptables_cond -d $3"
+				shift; shift; shift;
+				;;
+				*)
+				error "Unknown destination type $2";
+				shift; shift;
+				;;
+			esac
 			;;
 		    *)
-			error "Unkown accept/reject/drop condition: $1"
+			error "Unkown firewall condition: $1"
 			shift
 		esac
 	done
@@ -65,6 +103,12 @@ public_drop() {
 	iptables_init_if
 }
 
+public_log() {
+	iptables_parse_conditions "$@"
+	addcode up 1 5 "iptables -A firewall_$if $iptables_cond -j LOG"
+	iptables_init_if
+}
+
 public_clamp_mtu() {
 	addcode up 1 6 "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
 	                -j TCPMSS --clamp-mss-to-pmtu"
@@ -73,9 +117,119 @@ public_clamp_mtu() {
 }
 
 public_masquerade() {
-	addcode up 1 6 "iptables -t nat -A POSTROUTING -o $if \
+	iptables_parse_conditions "$@"
+	addcode up 1 6 "iptables -t nat -A POSTROUTING $iptables_cond -o $if \
 	                -j MASQUERADE"
-	addcode down 9 6 "iptables -t nat -D POSTROUTING -o $if \
+	addcode down 9 6 "iptables -t nat -D POSTROUTING $iptables_cond -o $if \
 	                  -j MASQUERADE"
 }
 
+public_fw() {
+	# fw <policy> <chainspec> <iptables_cond>
+# 	fw accept in from ip 
+# 	fw reject out to ip jumpto BLUBBER
+# 	fw accept forward jump MYCHAIN to ip 
+	case "$1" in
+		accept) 
+		target=ACCEPT
+		shift
+		;;
+		reject)
+		target=REJECT
+		shift
+		;;
+		drop)
+		target=DROP
+		shift
+		;;
+		return)
+		target=RETURN
+		shift
+		;;
+		log)
+		target=LOG
+		shift
+		;;
+		*)
+		target=$1
+		shift
+		;;
+	esac
+
+	if [ "$if" != "none" ]; then
+		case "$1" in
+			out|outgoing)
+			chain=OUTPUT
+			dir=o
+			shift
+			;;
+			in|incoming)
+			chain=INPUT
+			dir=i
+			shift
+			;;
+			*)
+			if [ "$1" == "forward" ]; then
+				chain=FORWARD
+			else
+				chain=$1
+			fi
+			shift
+			case "$1" in
+				in|incoming)
+				dir=i
+				shift;
+				;;
+				out|outgoing)
+				dir=o
+				shift;
+				;;
+				*)
+				error "Not a forward interface specification: $1"
+				;;
+			esac
+			;;
+		esac
+	else
+		case "$1" in
+			out|outgoing)
+			chain=OUTPUT
+			shift
+			;;
+			in|incoming)
+			chain=INPUT
+			shift
+			;;
+			forward|FORWARD)
+			chain=FORWARD
+			shift
+			;;
+			*)
+			chain=$1
+			shift
+			;;
+		esac
+		if [ "$1" == "policy" ]; then
+			addcode up 1 6 "iptables -P $chain $target"
+			shift
+			return
+		fi
+	fi
+	iptables_parse_conditions "$@"
+	$iptables -L $chain -n >/dev/null 2>/dev/null || {
+		if isfirst "iptables_$chain" && \
+			[ "$chain" != "INPUT" ] && [ "$chain" != "OUTPUT" ] && \
+			[ "$chain" != "FORWARD" ] ; then
+			addcode up   1 1 "iptables -N $chain"
+			addcode down 1 1 "iptables -X $chain"
+		fi
+	}
+	if [ "$if" == "none" -o "$dir" == "" ]; then
+		ifspec=""
+	else
+		iptables_init_if
+		ifspec="-$dir $if"
+	fi
+	addcode up 1 6 "iptables -A $chain $iptables_cond $ifspec -j $target"
+	addcode down 9 6 "iptables -D $chain $iptables_cond $ifspec -j $target"
+}