42b9518200
ist jetzt auch möglich git-svn-id: svn://svn.compuextreme.de/Viitor/V962/Viitor_iptables@5795 504e572c-2e33-0410-9681-be2bf7408885
#!/bin/bash
#Framework, welches ein komplettes Linux System aus den Sourcen erstellt
#
#Lage dieser Datei im Archiv: $Source$
#
#(c) 2004-2006, Harald Kueller, CompuExtreme
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version
#2 of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#See the GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not write to the Free Software Foundation,
#Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
#Beschreibung:
#Initialisierungsscript fuer die Firewall-Einrichtung mit IPTables.
#Verwendet das Konfigurationsfile /etc/sysconfig/firewall zur Konfiguration
#der Firewall
#
#Enthaltene Funktionen:
#
#FindIP(): Gibt die IP Adresse der konfigurierten Interfaces zurück.
# Wird als Argument ein Netzwerk Device uebergeben, so wird nur
# dessen IP zurückgegeben.
#
#FindNet(): Benoetigt als Argument eine IP Adresse. Gibt die Netzwerk-
# Adresse und die zugehoerige Netmask in "Short" Notation zurueck.
#
#LoadDevArray(): Laed die Konfiguration (IP, NetIP, Mask) in ein Array (DEVICE).
# Hierbei erfolgt die Indizierung mit dreistelligen Nummern:
# 1. Nummer = Interface Adressierung
# 2. Nummer = Informationstyp
# (1=Devicename, 2. IP Adresse, 3. Net/Mask)
# 3. Nummer = Zugehoerige Information (bei #1# immer 1)
# Damit koennen auch bei einer Konfiguration mit mehreren
# IP Adressen pro Interface diese dem Array entnommen werden.
#
#DefaultRule(): Setzt die Default Rule fuer die INPUT, FORWARD und OUTPUT Table
# auf DROP
#
#AllowLoopBack(): Schaltet die komplette LoopBack Kommunikation frei.
# Diese wird von vielen Diensten innerhalb UNIX benoetigt,
# und sollte daher nicht von der Firewall blockiert werden!
#
#AllowInternRouting(): Benoetigt eine Regel sowie ein oder mehrere Devices.
# Das Routing zwischen den angegebenen Devices wird in
# jeder Richtung mit der angegebenen Regel versehen
# (idR. ACCEPT)
#

#
#Letzte Änderung von: $Author$
#Datum der letzten Änderung: $Date$
#Version der Datei: $Revision$
#
#$Log$
#Revision 1.8 2007/03/23 11:25:32 kueller
#Neue Funktionen und Bugfixes eingepflegt. (Diese laufen auf skylla und sphinx stabil)
#
#Revision 1.7 2006/08/24 21:19:41 kueller
#Viele Funktionen ueberarbeitet. Erkennung der incoming Devices optimiert.
#Wird nicht mehr ueber das DEVICES Array mit verschachtelten Schleifen gemacht,
#sondern ueber Ausgaben von netstat -rn mit zugehoerigen Netzadressen ->
#das ist deutlich schneller.
#Ausserdem Ausbau und Verbesserung diverser Firewall-Einstellungen. Weiter-
#entwicklung des Port Forwardings auf interne Server -> das scheint jetzt
#auch mit MASQUERADE zu funktionieren.
#Weiterhin die Entschluesselung von "Portnummer;tcp" aufgehoben. Dafuer
#werden jetzt jeweils 2 Variablen (1x udp, 1x tcp) definiert, und deren
#Inhalte mit -m multiport auf einen Schlag uebergeben. Das spart einiges
#an Schleifen und beschleunigt das Script eminent.
#
#Revision 1.6 2006/06/30 09:33:02 kueller
#Sonderbehandlung fuer lokalen Zugriff auf syslog eingebaut
#
#Revision 1.5 2004/11/23 19:46:07 kueller
#Debugging und neue Funktionalität der Firewall. Mit der Zeit weiter gewachsen
#im CompuExtreme Netzwerk.
#
#Revision 1.1 2002/11/04 12:03:01 kueller
#Fehlende Funktionssammlung .firewallfunc hinzugefügt. Erweiterung der Firewall
#um MARK Funktionalitaet, sowie Freischaltung von getunnelten Netzen (letzteres
#ist in der DEBUG Phase und funktioniert noch nicht komplett!)
#
#

# Shared helpers. getmask, getnetaddr, getbroadcast, GetShortMask and
# GetLongMask are called below but not defined in this file; presumably
# they come from here - confirm.
source /etc/init.d/functions

# Definition of some helpful functions
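#######################################
# Print the IPv4 address(es) of one interface, one per line.
# Globals:   IPCFG (read) - the "ip" command used for "addr list"
# Arguments: $1 - interface name (e.g. eth0)
# Outputs:   the address of every "inet" line of `$IPCFG addr list`,
#            with the "/prefix" part stripped
#######################################
FindIP() {
  local dev=$1

  # One awk pass replaces the three chained awk calls of the old version:
  # keep "inet" lines only, take the address field, drop "/prefix".
  # The variable is local so it no longer writes to the global DEVICE
  # name that LoadDevArray uses for its array.
  $IPCFG addr list "$dev" \
    | awk '$1 == "inet" { split($2, a, "/"); print a[1] }'
}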
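#######################################
# Print the network an IP address belongs to in "net/prefix" notation.
# Arguments: $1 - IPv4 address
# Calls:     getmask, getnetaddr, GetShortMask (not defined in this file;
#            presumably provided by /etc/init.d/functions - confirm)
# Outputs:   NETADDR/PREFIX, e.g. 192.168.1.0/24
#######################################
FindNet() {
  local ip=$1
  local mask netaddr shortmask

  mask=$(getmask "$ip")
  netaddr=$(getnetaddr "$ip" "$mask")
  shortmask=$(GetShortMask "$mask")

  # Locals replace the old global IP/NETMASK/NETADDR/SHMASK assignments,
  # which leaked into the caller's namespace.
  printf '%s/%s\n' "$netaddr" "$shortmask"
}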
#######################################
# Fill the global DEVICE array from every interface listed by ifconfig.
# Index layout (see file header): <n>11 = interface name, <n>12 = number
# of addresses, <n>2<i> = i-th address, <n>3<i> = i-th net/prefix.
# Globals:   IFCONFIG (read), DEVICE, devzahler, ipzahler (written)
# Calls:     FindIP, FindNet
#######################################
LoadDevArray() {
  local ifname addr
  devzahler=1
  ipzahler=1

  # Interface names are the first word of lines that are neither
  # indented (address details) nor empty (record separators).
  for ifname in $($IFCONFIG -a | awk '!/^ / && !/^$/ { print $1 }'); do
    DEVICE[${devzahler}11]=$ifname
    for addr in $(FindIP "$ifname"); do
      DEVICE[${devzahler}2${ipzahler}]=$addr
      DEVICE[${devzahler}3${ipzahler}]=$(FindNet "$addr")
      ipzahler=$((ipzahler + 1))
    done
    # ipzahler is one past the last address: store the count.
    ipzahler=$((ipzahler - 1))
    DEVICE[${devzahler}12]=$ipzahler
    devzahler=$((devzahler + 1))
    ipzahler=1
  done
}
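#######################################
# Print the interface through which an IP address is reached according to
# the kernel routing table (netstat -rn); falls back to the interface of
# the default route when no specific route matches.
# Arguments: $1 - IPv4 address
# Calls:     getmask, getnetaddr (not defined here; presumably from
#            /etc/init.d/functions - confirm)
# Outputs:   interface name(s) on stdout
#######################################
FindInDevice() {
  local ipaddr=$1
  local netmask netaddr dev

  netmask=$(getmask "$ipaddr")
  netaddr=$(getnetaddr "$ipaddr" "$netmask")

  # -F matches the address literally (dots are not regex wildcards); the
  # match is still a substring match on the whole line, as before, and the
  # default route line is excluded.
  dev=$(netstat -rn | grep -F -- "$netaddr" | sed -e '/^0\.0\.0\.0/d' | awk '{print $8}')
  if [ -z "$dev" ]; then
    dev=$(netstat -rn | grep '^0\.0\.0\.0' | awk '{print $8}')
  fi
  # Unquoted on purpose: several matching routes collapse onto one line,
  # exactly as the original did. Locals replace the global DEVICE/NETMSK/
  # NETADDR assignments that shared their names with other functions.
  echo $dev
}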
#######################################
# Emit a DROP default policy for the three filter chains.
# Globals:   DEBUG, IPTABLES (read), TMPSCRIPT (appended to)
#######################################
DefaultRule() {
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    echo $DEBUG $IPTABLES -P "$chain" DROP >>"$TMPSCRIPT"
  done
}
#######################################
# Accept all traffic on the loopback interface (INPUT and OUTPUT).
# Globals:   DEBUG, IPTABLES (read), TMPSCRIPT (appended to)
#######################################
AllowLoopBack() {
  local spec
  # chain:interface-flag pairs, one rule each
  for spec in INPUT:-i OUTPUT:-o; do
    echo $DEBUG $IPTABLES -A "${spec%%:*}" "${spec#*:}" lo -j ACCEPT >>"$TMPSCRIPT"
  done
}
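#######################################
# Add FORWARD rules between every pair of networks reachable over the given
# interfaces (both directions, including each network with itself).
# Arguments: $1 - target (e.g. ACCEPT); $2.. - interface names; "lo" maps
#            to 127.0.0.0/8, any other name to its non-default routes
# Calls:     getmask, GetShortMask (not defined here; presumably from
#            /etc/init.d/functions - confirm)
# Globals:   DEBUG, IPTABLES (read), RULE (written, as before),
#            TMPSCRIPT (appended to)
#######################################
AllowInternRouting() {
  RULE=$1
  shift
  local dev net mask shortmask src dst
  local -a nets=()

  for dev in "$@"; do
    if [ "$dev" = lo ]; then
      nets+=("127.0.0.0/8")
      continue
    fi
    # Exact match on the Iface column: the old `grep $k` was a substring
    # match, so "eth1" also collected the routes of eth10, eth11, ...
    # The default route (destination 0.0.0.0) is skipped as before.
    for net in $(netstat -rn | awk -v dev="$dev" '$8 == dev && $1 != "0.0.0.0" { print $1 }'); do
      mask=$(getmask "$net")
      shortmask=$(GetShortMask "$mask")
      nets+=("$net/$shortmask")
    done
  done

  # Full mesh over the collected networks, same order as the index loops
  # of the original.
  for src in "${nets[@]}"; do
    for dst in "${nets[@]}"; do
      echo $DEBUG $IPTABLES -A FORWARD -s "$src" -d "$dst" -j "$RULE" >>"$TMPSCRIPT"
    done
  done
}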
#######################################
# Forward everything between a source network and an outgoing interface,
# in both directions, with the given target.
# Arguments: $1 - source network; $2 - outgoing interface; $3 - target
# Globals:   DEBUG, IPTABLES (read), SOURCENET, OUTDEV, RULE (written),
#            TMPSCRIPT (appended to)
#######################################
AllowAllDefault() {
  SOURCENET=$1
  OUTDEV=$2
  RULE=$3
  local -a outbound=(-s "$SOURCENET" -o "$OUTDEV")
  local -a inbound=(-d "$SOURCENET" -i "$OUTDEV")

  echo $DEBUG $IPTABLES -A FORWARD "${outbound[@]}" -j "$RULE" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A FORWARD "${inbound[@]}" -j "$RULE" >>"$TMPSCRIPT"
}
#######################################
# Masquerade a network behind the given outgoing interface (nat table).
# Arguments: $1 - outgoing interface; $2 - network to masquerade
# Globals:   DEBUG, IPTABLES (read), OUTDEV, MASQNET (written),
#            TMPSCRIPT (appended to)
#######################################
ActivateMasq() {
  OUTDEV=$1
  MASQNET=$2
  local -a rule=(-t nat -A POSTROUTING -s "$MASQNET" -o "$OUTDEV" -j MASQUERADE)

  echo $DEBUG $IPTABLES "${rule[@]}" >>"$TMPSCRIPT"
}
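#######################################
# Forward one port from a client (network) to a server.
# Arguments: $1 - server address; $2 - client address/network; $3 - port;
#            $4 - protocol; $5 - target (optional, default ACCEPT)
# Globals:   DEBUG, IPTABLES (read), SERVER, CLIENT, PORT, PROT, RULE
#            (written), TMPSCRIPT (appended to)
#######################################
AllowLocalServer() {
  SERVER=$1
  CLIENT=$2
  PORT=$3
  PROT=$4
  # The target used to be hard-coded to ACCEPT; it is now an optional
  # fifth argument with the same default, so four-argument callers are
  # unchanged.
  RULE=${5:-ACCEPT}

  echo $DEBUG $IPTABLES -A FORWARD -s "$CLIENT" -d "$SERVER" -p "$PROT" --dport "$PORT" -j "$RULE" >>"$TMPSCRIPT"
}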
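#######################################
# Allow clients on every other locally routed network to reach the given
# ports on a DMZ server, plus the reply direction.
# Arguments: $1 - server IP; $2 - UDP port list (space separated, each
#            item in multiport syntax); $3 - TCP port list; $4 - target
#            (optional; falls back to the global RULE, which is all the
#            original ever used)
# Calls:     getmask, getnetaddr, GetShortMask (not defined here;
#            presumably from /etc/init.d/functions - confirm)
# Globals:   DEBUG, IPTABLES (read), SRVIP, UDPPORTS, TCPPORTS, RULE
#            (written), TMPSCRIPT (appended to)
# Returns:   1 without writing anything when no target is available
#######################################
AllowDMZServiceAccess() {
  SRVIP=$1
  UDPPORTS=$2
  TCPPORTS=$3
  # The original never assigned RULE here and emitted "-j" with no target
  # whenever no earlier call had left one behind; fail loudly instead.
  RULE=${4:-$RULE}
  if [ -z "$RULE" ]; then
    echo >&2 "AllowDMZServiceAccess: no target rule given (argument 4 or RULE)"
    return 1
  fi
  local srvnetmask srvnet outdev indev net mask shortmask proto ports port

  srvnetmask=$(getmask "$SRVIP")
  srvnet=$(getnetaddr "$SRVIP" "$srvnetmask")
  # Interface the server network is routed over (first non-default route).
  outdev=$(netstat -rn | awk -v n="$srvnet" '$1 == n && $1 != "0.0.0.0" { print $8; exit }')

  # Every other interface with a non-default route; header lines (which do
  # not start with a digit) are skipped. Matches are exact on the
  # Destination/Iface columns - the old grep/sed chain matched substrings,
  # so "eth1" also matched eth10.
  for indev in $(netstat -rn | awk -v n="$srvnet" '$1 ~ /^[0-9]/ && $1 != n && $1 != "0.0.0.0" { print $8 }'); do
    for net in $(netstat -rn | awk -v d="$indev" '$8 == d && $1 != "0.0.0.0" { print $1 }'); do
      mask=$(getmask "$net")
      shortmask=$(GetShortMask "$mask")
      for proto in udp tcp; do
        if [ "$proto" = udp ]; then ports=$UDPPORTS; else ports=$TCPPORTS; fi
        for port in $ports; do
          echo $DEBUG $IPTABLES -A FORWARD -i "$indev" -o "$outdev" -d "$SRVIP" -s "$net/$shortmask" -p "$proto" -m multiport --destination-ports "$port" -j "$RULE" >>"$TMPSCRIPT"
          echo $DEBUG $IPTABLES -A FORWARD -i "$outdev" -o "$indev" -s "$SRVIP" -d "$net/$shortmask" -p "$proto" -m multiport --source-ports "$port" -j "$RULE" >>"$TMPSCRIPT"
        done
      done
    done
  done
}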
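#######################################
# Allow all TCP/UDP traffic between this host and a workstation/network:
# INPUT from it to every local address of the interface that routes to it,
# plus the matching OUTPUT rule.
# Arguments: $1 - workstation IP or network, optionally with "/prefix"
# Calls:     getmask, getnetaddr, getbroadcast (not defined here;
#            presumably from /etc/init.d/functions - confirm)
# Globals:   DEBUG, IPTABLES (read), TMPSCRIPT (appended to)
#######################################
LocalAllowWSAll() {
  local destnet=$1
  local wsip=${1%%/*}
  local wsmask wsnet netdev rip netbcast addr proto

  wsmask=$(getmask "$wsip")
  wsnet=$(getnetaddr "$wsip" "$wsmask")
  # Interface with a non-default route covering the workstation's network.
  # -F keeps the dots literal; the match is still a substring match, as it
  # was with the original grep.
  netdev=$(netstat -rn | grep -F -- "$wsnet" | sed -e '/^0\.0\.0\.0/d' | awk '{print $8}')
  if [ -z "$netdev" ]; then
    # No specific route: use the default route's interface and derive the
    # network from its gateway address instead.
    netdev=$(netstat -rn | grep '^0\.0\.0\.0' | awk '{print $8}')
    rip=$(netstat -rn | grep '^0\.0\.0\.0' | awk '{print $2}')
    wsmask=$(getmask "$rip")
    wsnet=$(getnetaddr "$rip" "$wsmask")
  fi
  netbcast=$(getbroadcast "$wsnet" "$wsmask")

  # Local addresses of that interface, picked out by their broadcast
  # address. $netdev stays unquoted like the original so that several
  # route matches collapse into separate words. The unconditional bare
  # "echo" that used to print a blank line to stdout has been removed.
  for addr in $(ip addr list dev $netdev | grep -F -- "$netbcast" | awk '{print $2}' | sed -e 's/\/.*$//'); do
    for proto in tcp udp; do
      echo $DEBUG $IPTABLES -A INPUT -p "$proto" -s "$destnet" -d "$addr" -i $netdev -j ACCEPT >>"$TMPSCRIPT"
      echo $DEBUG $IPTABLES -A OUTPUT -p "$proto" -s "$addr" -d "$destnet" -o $netdev -j ACCEPT >>"$TMPSCRIPT"
    done
  done
}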
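#######################################
# Allow this host to use one service (port/protocol) on an intranet host,
# from the local address of the interface that routes to it.
# Arguments: $1 - service host IP; $2 - port; $3 - protocol
# Calls:     getmask, getnetaddr (not defined here; presumably from
#            /etc/init.d/functions - confirm)
# Globals:   DEBUG, IPTABLES (read), WSIP, WSPORT, WSPROT (written),
#            TMPSCRIPT (appended to)
#######################################
AllowIntranetService() {
  WSIP=$1
  WSPORT=$2
  WSPROT=$3
  local wsmask wsnet netdev locip

  wsmask=$(getmask "$WSIP")
  wsnet=$(getnetaddr "$WSIP" "$wsmask")
  netdev=$(netstat -rn | grep -F -- "$wsnet" | sed -e '/^0\.0\.0\.0/d' | awk '{print $8}')
  # "inet addr:A.B.C.D" -> A.B.C.D. Matching the first field exactly
  # excludes "inet6" lines instead of relying on their field layout to
  # yield nothing, as the old `grep inet` did.
  locip=$(ifconfig $netdev | awk '$1 == "inet" {print $2}' | cut -d: -f2)
  # Diagnostic: goes to stderr so it no longer pollutes stdout (the old
  # message also misspelled the function name).
  echo >&2 "AllowIntranetService $netdev , $locip"

  echo $DEBUG $IPTABLES -A OUTPUT -p "$WSPROT" -d "$WSIP" -s "$locip" -o $netdev --dport "$WSPORT" -j ACCEPT >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A INPUT -p "$WSPROT" -s "$WSIP" -d "$locip" -i $netdev --sport "$WSPORT" -j ACCEPT >>"$TMPSCRIPT"
}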
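#######################################
# Accept incoming connections to the given ports on every address of the
# named interfaces (from the interface's own network), plus the replies.
# Arguments: $1 - UDP port list (space separated, multiport syntax per
#            item); $2 - TCP port list; $3.. - interface names
# Globals:   DEVICE (read; filled by LoadDevArray: <n>11 = name,
#            <n>12 = address count, <n>2<i> = i-th address,
#            <n>3<i> = i-th net/prefix), DEBUG, IPTABLES (read),
#            UDP, TCP (written), TMPSCRIPT (appended to)
#######################################
LocalAllowPortIN() {
  UDP=$1
  TCP=$2
  shift 2
  local dev numdev numip idx proto ports port
  local -a nets=() inips=() indevs=()

  for dev in "$@"; do
    numdev=1
    while [ -n "${DEVICE[${numdev}11]}" ] && [ "${DEVICE[${numdev}11]}" != "$dev" ]; do
      numdev=$((numdev + 1))
    done
    if [ -z "${DEVICE[${numdev}11]}" ]; then
      # Unknown interface: the original looped forever here, because the
      # address count it compared against was empty and never reached.
      echo >&2 "LocalAllowPortIN: interface $dev not found in DEVICE array, skipped"
      continue
    fi
    for ((numip = 1; numip <= ${DEVICE[${numdev}12]}; numip++)); do
      nets+=("${DEVICE[${numdev}3${numip}]}")
      inips+=("${DEVICE[${numdev}2${numip}]}")
      indevs+=("${DEVICE[${numdev}11]}")
    done
  done

  for ((idx = 0; idx < ${#nets[@]}; idx++)); do
    for proto in udp tcp; do
      if [ "$proto" = udp ]; then ports=$UDP; else ports=$TCP; fi
      for port in $ports; do
        echo $DEBUG $IPTABLES -A INPUT -p "$proto" -s "${nets[idx]}" -d "${inips[idx]}" -i "${indevs[idx]}" --sport 1024: -m multiport --destination-ports "$port" -j ACCEPT >>"$TMPSCRIPT"
        echo $DEBUG $IPTABLES -A OUTPUT -p "$proto" -s "${inips[idx]}" -d "${nets[idx]}" -o "${indevs[idx]}" --dport 1024: -m multiport --source-ports "$port" -j ACCEPT >>"$TMPSCRIPT"
      done
    done
  done
}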
#######################################
# Let a workstation open connections to the given ports through OUTDEV,
# and let the replies back (stateful).
# Arguments: $1 - outgoing interface; $2 - workstation IP; $3 - UDP port
#            list; $4 - TCP port list; $5 - target
# Calls:     FindInDevice
# Globals:   DEBUG, IPTABLES (read), OUTDEV, WSIP, UDPPORTS, TCPPORTS,
#            RULE, INDEV (written), TMPSCRIPT (appended to)
#######################################
AllowWSPortOUT() {
  OUTDEV=$1
  WSIP=$2
  UDPPORTS=$3
  TCPPORTS=$4
  RULE=$5
  local proto ports port

  INDEV=$(FindInDevice "$WSIP")
  for proto in udp tcp; do
    if [ "$proto" = udp ]; then ports=$UDPPORTS; else ports=$TCPPORTS; fi
    for port in $ports; do
      # outbound from the workstation: NEW or ESTABLISHED
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -s "$WSIP" --sport 1024: -o "$OUTDEV" -i "$INDEV" -m multiport --destination-ports "$port" -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
      # replies to the workstation: ESTABLISHED only
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -d "$WSIP" --dport 1024: -o "$INDEV" -i "$OUTDEV" -m multiport --source-ports "$port" -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
    done
  done
}
#######################################
# Let a routed network open connections to the given ports through OUTDEV,
# and let the replies back (stateful).
# Arguments: $1 - network (addr/prefix); $2 - outgoing interface;
#            $3 - UDP port list; $4 - TCP port list; $5 - target
# Calls:     FindInDevice (with the address part of $1)
# Globals:   DEBUG, IPTABLES (read), RNET, OUTDEV, UDPPORTS, TCPPORTS,
#            RULE, RNETIP, INDEV (written), TMPSCRIPT (appended to)
#######################################
AllowRouteNetOut() {
  RNET=$1
  OUTDEV=$2
  UDPPORTS=$3
  TCPPORTS=$4
  RULE=$5
  local proto ports port

  # strip "/prefix" to get a plain address for the route lookup
  RNETIP=${RNET%%/*}
  INDEV=$(FindInDevice "$RNETIP")
  for proto in udp tcp; do
    if [ "$proto" = udp ]; then ports=$UDPPORTS; else ports=$TCPPORTS; fi
    for port in $ports; do
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -i "$INDEV" -o "$OUTDEV" -s "$RNET" --sport 1024: -m multiport --destination-ports "$port" -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -i "$OUTDEV" -o "$INDEV" -d "$RNET" --dport 1024: -m multiport --source-ports "$port" -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
    done
  done
}
#######################################
# Forward RELATED/ESTABLISHED traffic of one protocol between a routed
# network (unprivileged ports) and OUTDEV, both directions.
# Arguments: $1 - network (addr/prefix); $2 - outgoing interface;
#            $3 - protocol; $4 - target
# Calls:     FindInDevice (with the address part of $1)
# Globals:   DEBUG, IPTABLES (read), BGNET, OUTDEV, PROT, RULE, BGNETIP,
#            INDEV (written), TMPSCRIPT (appended to)
#######################################
AllowRouteNetSwitch() {
  BGNET=$1
  OUTDEV=$2
  PROT=$3
  RULE=$4
  local -a state=(-m state --state RELATED,ESTABLISHED)

  BGNETIP=${BGNET%%/*}
  INDEV=$(FindInDevice "$BGNETIP")
  echo $DEBUG $IPTABLES -A FORWARD -p "$PROT" -d "$BGNET" --dport 1024: -o "$INDEV" -i "$OUTDEV" "${state[@]}" -j "$RULE" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A FORWARD -p "$PROT" -s "$BGNET" --sport 1024: -o "$OUTDEV" -i "$INDEV" "${state[@]}" -j "$RULE" >>"$TMPSCRIPT"
}
#######################################
# Forward NTP (port 123 to port 123, tcp and udp) between a routed network
# and OUTDEV in both directions, without state matching.
# Arguments: $1 - network (addr/prefix); $2 - outgoing interface; $3 - target
# Calls:     FindInDevice (with the address part of $1)
# Globals:   DEBUG, IPTABLES (read), BGNET, OUTDEV, RULE, BGNETIP, INDEV
#            (written), TMPSCRIPT (appended to)
#######################################
AllowRouteNetNTP() {
  BGNET=$1
  OUTDEV=$2
  RULE=$3
  local proto

  BGNETIP=${BGNET%%/*}
  INDEV=$(FindInDevice "$BGNETIP")
  for proto in tcp udp; do
    echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -s "$BGNET" --dport 123 --sport 123 -i "$INDEV" -o "$OUTDEV" -j "$RULE" >>"$TMPSCRIPT"
    echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -d "$BGNET" --sport 123 --dport 123 -i "$OUTDEV" -o "$INDEV" -j "$RULE" >>"$TMPSCRIPT"
  done
}
#######################################
# Replace (-R) the two FORWARD rules that let a workstation reach one
# port (the NEW,ESTABLISHED outbound rule and the ESTABLISHED reply rule,
# as emitted by AllowWSPortOUT) with the same match and a new target.
# The rule numbers are looked up in the LIVE ruleset via a bare
# `iptables -v -n -L FORWARD` (not $IPTABLES), while the -R lines are
# written to TMPSCRIPT; the numbers are therefore only valid if the
# running FORWARD chain is the one TMPSCRIPT is later applied to.
# Arguments: $1 - workstation address as it appears in the listing;
#            $2 - port; $3 - protocol; $4 - new target
# Globals:   DEBUG, IPTABLES (read), WSREMOVE, FW_PORT, FW_PROT, RULE,
#            LINE, OUTDEV, LNUM (written), TMPSCRIPT (appended to)
#######################################
ChangeWSOutRule () {
WSREMOVE=$1
FW_PORT=$2
FW_PROT=$3
RULE=$4


# The two sed calls drop the "Chain" and "pkts" header lines, so the
# numbers from grep -n are meant to be rule positions (assumes every
# remaining line is a rule). $WSREMOVE and $FW_PROT are used as regexes.
# First try a single-port rule ("dpt:"), then a multiport one ("dpts:").
if ! LINE=`iptables -v -n -L FORWARD|sed -e "/Chain/d"|sed -e "/pkts/d"|grep -n $WSREMOVE|grep dpt:$FW_PORT|grep spts:1024:65535|grep $FW_PROT|grep "state NEW,ESTABLISHED"`; then
LINE=`iptables -v -n -L FORWARD|sed -e "/Chain/d"|sed -e "/pkts/d"|grep -n $WSREMOVE|grep dpts:$FW_PORT|grep spts:1024:65535|grep $FW_PROT|grep "state NEW,ESTABLISHED"`
fi

# field 8 of the -v listing is the "out" interface; the grep -n prefix is
# the rule number
OUTDEV=`echo "$LINE"|awk '{print $8}'`
LNUM=`echo "$LINE"|cut -d ":" -f 1`

echo $DEBUG $IPTABLES -R FORWARD $LNUM -p $FW_PROT -s $WSREMOVE \
--sport 1024: --dport $FW_PORT -o $OUTDEV \
-m state --state NEW,ESTABLISHED -j $RULE >>$TMPSCRIPT

# Same lookup for the reply rule (source port = service port).
if ! LINE=`iptables -v -n -L FORWARD|sed -e "/Chain/d"|sed -e "/pkts/d"|grep -n $WSREMOVE|grep spt:$FW_PORT|grep dpts:1024:65535|grep $FW_PROT|grep "state ESTABLISHED"`; then
LINE=`iptables -v -n -L FORWARD|sed -e "/Chain/d"|sed -e "/pkts/d"|grep -n $WSREMOVE|grep spts:$FW_PORT|grep dpts:1024:65535|grep $FW_PROT|grep "state ESTABLISHED"`
fi


OUTDEV=`echo "$LINE"|awk '{print $8}'`
LNUM=`echo "$LINE"|cut -d ":" -f 1`

# NOTE(review): the reply rule written by AllowWSPortOUT matches
# "-d $WSIP"; this replacement matches "-s $WSREMOVE" instead - confirm
# this is intended.
echo $DEBUG $IPTABLES -R FORWARD $LNUM -p $FW_PROT -s $WSREMOVE \
--sport $FW_PORT --dport 1024: -o $OUTDEV \
-m state --state ESTABLISHED -j $RULE >>$TMPSCRIPT

}
#######################################
# Forward RELATED/ESTABLISHED traffic of one protocol between a
# workstation (unprivileged ports) and OUTDEV, both directions.
# Arguments: $1 - workstation IP (optionally addr/prefix); $2 - protocol;
#            $3 - outgoing interface; $4 - target
# Calls:     FindInDevice (with the address part of $1)
# Globals:   DEBUG, IPTABLES (read), WSIP, PROT, OUTDEV, RULE, WSIPADDR,
#            INDEV (written), TMPSCRIPT (appended to)
#######################################
AllowWSSwitchPort() {
  WSIP=$1
  PROT=$2
  OUTDEV=$3
  RULE=$4
  local -a state=(-m state --state RELATED,ESTABLISHED)

  WSIPADDR=${WSIP%%/*}
  INDEV=$(FindInDevice "$WSIPADDR")

  echo $DEBUG $IPTABLES -A FORWARD -p "$PROT" -d "$WSIP" --dport 1024: -o "$INDEV" -i "$OUTDEV" "${state[@]}" -j "$RULE" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A FORWARD -p "$PROT" -s "$WSIP" --sport 1024: -o "$OUTDEV" -i "$INDEV" "${state[@]}" -j "$RULE" >>"$TMPSCRIPT"
}
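#######################################
# Let a workstation synchronise NTP (port 123 to 123, tcp and udp) through
# OUTDEV, with stateful replies.
# Arguments: $1 - outgoing interface; $2 - workstation IP (optionally
#            addr/prefix); $3 - target
# Calls:     FindInDevice (with the address part of $2)
# Globals:   DEBUG, IPTABLES (read), OUTDEV, WSIP, RULE, WSIPADDR, INDEV
#            (written), TMPSCRIPT (appended to)
#######################################
AllowWSntpSync() {
  OUTDEV=$1
  WSIP=$2
  RULE=$3
  local proto

  WSIPADDR=${WSIP%%/*}
  INDEV=$(FindInDevice "$WSIPADDR")

  # The udp outbound rule of the original had "-s $WSIP\" with no space
  # before the continuation backslash, so the address only stayed a word
  # of its own thanks to the next line's leading whitespace.
  for proto in tcp udp; do
    echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -s "$WSIP" --sport 123 --dport 123 -o "$OUTDEV" -i "$INDEV" -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
    echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -d "$WSIP" --sport 123 --dport 123 -o "$INDEV" -i "$OUTDEV" -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
  done
}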
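#######################################
# Let a workstation use NetBIOS (ports 137-139, tcp and udp, same source
# and destination port) through OUTDEV, with stateful replies.
# Arguments: $1 - outgoing interface; $2 - workstation IP (optionally
#            addr/prefix); $3 - target
# Calls:     FindInDevice (with the address part of $2)
# Globals:   DEBUG, IPTABLES (read), OUTDEV, WSIP, RULE, WSIPADDR, INDEV
#            (written), TMPSCRIPT (appended to)
#######################################
AllowNetBios() {
  OUTDEV=$1
  WSIP=$2
  RULE=$3
  local port proto
  echo >&2 "Executing AllowNetBios with \"$1\" \"$2\" \"$3\""
  WSIPADDR=${WSIP%%/*}
  INDEV=$(FindInDevice "$WSIPADDR")

  # The udp outbound rule of the original had "-s $WSIP\" with no space
  # before the continuation backslash, so the address only stayed a word
  # of its own thanks to the next line's leading whitespace.
  for port in 137 138 139; do
    for proto in tcp udp; do
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -s "$WSIP" --sport "$port" --dport "$port" -o "$OUTDEV" -i "$INDEV" -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -d "$WSIP" --sport "$port" --dport "$port" -o "$INDEV" -i "$OUTDEV" -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
    done
  done
}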
AllowDHCPRelay() {
|
|
SERVERIP=$1
|
|
|
|
OUTDEV=`FindInDevice $SERVERIP`
|
|
|
|
echo $DEBUG $IPTABLES -A OUTPUT \
|
|
-p udp \
|
|
-o $OUTDEV \
|
|
--dport 67 \
|
|
-m multiport \
|
|
--source-ports 67,68 \
|
|
-m state \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT >>$TMPSCRIPT
|
|
|
|
echo $DEBUG $IPTABLES -A INPUT \
|
|
-p udp \
|
|
-i $OUTDEV \
|
|
--sport 67 \
|
|
-m multiport \
|
|
--destination-ports 67,68 \
|
|
-m state \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT >>$TMPSCRIPT
|
|
}
|
|
|
|
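#######################################
# Accept traffic from a network to the given ports (matched as SOURCE
# ports on INPUT, destination ports on OUTPUT) on every local address of
# the interface that routes to that network.
# Arguments: $1 - UDP port list (space separated, multiport syntax per
#            item); $2 - TCP port list; $3 - network as addr/prefix
# Calls:     GetLongMask, getmask, getnetaddr, getbroadcast (not defined
#            here; presumably from /etc/init.d/functions - confirm)
# Globals:   DEBUG, IPTABLES (read), UDPPORTS, TCPPORTS, ALLOWNET
#            (written), TMPSCRIPT (appended to)
#######################################
AllowNetPortIN() {
  UDPPORTS=$1
  TCPPORTS=$2
  ALLOWNET=$3
  local netip shmask netmsk indev rip netbcast addr proto ports port

  netip=${ALLOWNET%%/*}
  shmask=${ALLOWNET##*/}
  netmsk=$(GetLongMask "$shmask")
  # Interface with a non-default route for the network. -F keeps the dots
  # literal; the match is still a substring match like the original grep.
  indev=$(netstat -rn | grep -F -- "$netip" | sed -e '/^0\.0\.0\.0/d' | awk '{print $8}')
  if [ -z "$indev" ]; then
    # No specific route: use the default route's interface and derive the
    # network from its gateway instead.
    indev=$(netstat -rn | grep '^0\.0\.0\.0' | awk '{print $8}')
    rip=$(netstat -rn | grep '^0\.0\.0\.0' | awk '{print $2}')
    netmsk=$(getmask "$rip")
    netip=$(getnetaddr "$rip" "$netmsk")
  fi
  netbcast=$(getbroadcast "$netip" "$netmsk")

  # Local addresses of that interface, picked out by their broadcast
  # address; $indev stays unquoted like the original.
  for addr in $(ip addr list dev $indev | grep -F -- "$netbcast" | awk '{print $2}' | sed -e 's/\/.*$//'); do
    for proto in udp tcp; do
      if [ "$proto" = udp ]; then ports=$UDPPORTS; else ports=$TCPPORTS; fi
      for port in $ports; do
        echo $DEBUG $IPTABLES -A INPUT -p "$proto" -s "$ALLOWNET" -d "$addr" -i $indev --sport 0: -m multiport --source-ports "$port" -j ACCEPT >>"$TMPSCRIPT"
        echo $DEBUG $IPTABLES -A OUTPUT -p "$proto" -s "$addr" -d "$ALLOWNET" -o $indev --dport 0: -m multiport --destination-ports "$port" -j ACCEPT >>"$TMPSCRIPT"
      done
    done
  done
}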
#######################################
# Accept RELATED/ESTABLISHED traffic of one protocol on an interface, in
# both INPUT and OUTPUT.
# Arguments: $1 - protocol; $2 - interface; $3 - target
# Globals:   DEBUG, IPTABLES (read), PROT, DEVICE, RULE (written),
#            TMPSCRIPT (appended to)
#######################################
AllowLocalSwitchPort() {
  PROT=$1
  DEVICE=$2
  RULE=$3
  local -a state=(-m state --state RELATED,ESTABLISHED)

  echo $DEBUG $IPTABLES -A INPUT -p "$PROT" -i "$DEVICE" "${state[@]}" -j "$RULE" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A OUTPUT -p "$PROT" -o "$DEVICE" "${state[@]}" -j "$RULE" >>"$TMPSCRIPT"
}
#######################################
# Accept incoming connections from OUTDEV to the given local ports
# (stateful), plus the replies.
# Arguments: $1 - UDP port list; $2 - TCP port list; $3 - interface;
#            $4 - target
# Globals:   DEBUG, IPTABLES (read), UDPPORTS, TCPPORTS, OUTDEV, RULE
#            (written), TMPSCRIPT (appended to)
#######################################
ExternAllowPortIn() {
  UDPPORTS=$1
  TCPPORTS=$2
  OUTDEV=$3
  RULE=$4
  local proto ports port

  for proto in udp tcp; do
    if [ "$proto" = udp ]; then ports=$UDPPORTS; else ports=$TCPPORTS; fi
    for port in $ports; do
      echo $DEBUG $IPTABLES -A INPUT -p "$proto" -i "$OUTDEV" --sport 1024: -m multiport --destination-ports "$port" -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
      echo $DEBUG $IPTABLES -A OUTPUT -p "$proto" -o "$OUTDEV" --dport 1024: -m multiport --source-ports "$port" -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
    done
  done
}
#######################################
# Let this host open connections through OUTDEV to the given remote ports
# (stateful), plus the replies.
# Arguments: $1 - UDP port list; $2 - TCP port list; $3 - interface;
#            $4 - target
# Globals:   DEBUG, IPTABLES (read), UDPPORTS, TCPPORTS, OUTDEV, RULE
#            (written), TMPSCRIPT (appended to)
#######################################
ExternAllowPortOut() {
  UDPPORTS=$1
  TCPPORTS=$2
  OUTDEV=$3
  RULE=$4
  local proto ports port

  for proto in udp tcp; do
    if [ "$proto" = udp ]; then ports=$UDPPORTS; else ports=$TCPPORTS; fi
    for port in $ports; do
      echo $DEBUG $IPTABLES -A INPUT -p "$proto" -i "$OUTDEV" --dport 1024: -m multiport --source-ports "$port" -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
      echo $DEBUG $IPTABLES -A OUTPUT -p "$proto" -o "$OUTDEV" --sport 1024: -m multiport --destination-ports "$port" -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
    done
  done
}
#######################################
# Let this host synchronise NTP (port 123 to 123, tcp and udp) over an
# interface, with stateful replies.
# Arguments: $1 - interface; $2 - target
# Globals:   DEBUG, IPTABLES (read), OUTDEV, RULE (written),
#            TMPSCRIPT (appended to)
#######################################
LocalAllowntpSync() {
  OUTDEV=$1
  RULE=$2
  local proto

  for proto in tcp udp; do
    echo $DEBUG $IPTABLES -A INPUT -p "$proto" -i "$OUTDEV" --sport 123 --dport 123 -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
    echo $DEBUG $IPTABLES -A OUTPUT -p "$proto" -o "$OUTDEV" --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
  done
}
#######################################
# Accept syslog (udp 514 to 514) from a remote sender, plus replies.
# Arguments: $1 - sender IP (optionally addr/prefix); $2 - target
# Calls:     FindInDevice (with the address part of $1)
# Globals:   DEBUG, IPTABLES (read), INIP, RULE, INIPADDR, INDEV (written),
#            TMPSCRIPT (appended to)
#######################################
ExternAllowSyslog() {
  INIP=$1
  RULE=$2
  local -a ports=(--sport 514 --dport 514)

  INIPADDR=${INIP%%/*}
  INDEV=$(FindInDevice "$INIPADDR")

  echo $DEBUG $IPTABLES -A INPUT -p udp -i "$INDEV" -s "$INIP" "${ports[@]}" -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A OUTPUT -p udp -o "$INDEV" -d "$INIP" "${ports[@]}" -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
}
#######################################
# Let this host send syslog (udp 514 to 514) to a remote server, plus
# replies.
# Arguments: $1 - syslog server IP; $2 - target
# Calls:     FindInDevice
# Globals:   DEBUG, IPTABLES (read), OUTIP, RULE, OUTDEV (written),
#            TMPSCRIPT (appended to)
#######################################
LocalAllowSyslog() {
  OUTIP=$1
  RULE=$2

  OUTDEV=$(FindInDevice "$OUTIP")

  echo $DEBUG $IPTABLES -A OUTPUT -p udp -o "$OUTDEV" -d "$OUTIP" --sport 514 --dport 514 -m state --state NEW,ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A INPUT -p udp -i "$OUTDEV" -s "$OUTIP" --dport 514 --sport 514 -m state --state ESTABLISHED -j "$RULE" >>"$TMPSCRIPT"
}
#######################################
# Mark packets from a network in the mangle PREROUTING chain.
# Arguments: $1 - source network; $2 - mark value
# Globals:   DEBUG, IPTABLES (read), NET, VALUE (written),
#            TMPSCRIPT (appended to)
#######################################
InternMarkNet() {
  NET=$1
  VALUE=$2
  local -a rule=(-t mangle -A PREROUTING -s "$NET" -j MARK --set-mark "$VALUE")

  echo $DEBUG $IPTABLES "${rule[@]}" >>"$TMPSCRIPT"
}
#######################################
# DNAT incoming connections on INDEV for the given ports to an internal
# server and accept the forwarded traffic in both directions.
# Arguments: $1 - internal server IP; $2 - UDP port list; $3 - TCP port
#            list; $4 - incoming (external) interface
# Calls:     FindInDevice
# Globals:   DEBUG, IPTABLES (read), DSTSRVIP, DSTUDPPORT, DSTTCPPORT,
#            INDEV, OUTDEV (written), TMPSCRIPT (appended to)
#######################################
ExtForwardPorts() {
  DSTSRVIP=$1
  DSTUDPPORT=$2
  DSTTCPPORT=$3
  INDEV=$4
  local proto ports port

  OUTDEV=$(FindInDevice "$DSTSRVIP")
  # TCP before UDP, as in the original
  for proto in tcp udp; do
    if [ "$proto" = tcp ]; then ports=$DSTTCPPORT; else ports=$DSTUDPPORT; fi
    for port in $ports; do
      echo $DEBUG $IPTABLES -t nat -A PREROUTING -p "$proto" -i "$INDEV" -m multiport --dports "$port" -j DNAT --to "$DSTSRVIP" >>"$TMPSCRIPT"
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -i "$INDEV" -o "$OUTDEV" -d "$DSTSRVIP" -m multiport --dports "$port" -j ACCEPT >>"$TMPSCRIPT"
      echo $DEBUG $IPTABLES -A FORWARD -p "$proto" -o "$INDEV" -i "$OUTDEV" -s "$DSTSRVIP" -m multiport --sports "$port" -j ACCEPT >>"$TMPSCRIPT"
    done
  done
}
#######################################
# DNAT one incoming port on INDEV to a (possibly different) port on an
# internal server and accept the forwarded traffic in both directions.
# Arguments: $1 - internal server IP; $2 - protocol; $3 - external port;
#            $4 - internal port; $5 - incoming (external) interface
# Calls:     FindInDevice
# Globals:   DEBUG, IPTABLES (read), DSTSRVIP, PROT, SRCPORT, DSTPORT,
#            INDEV, OUTDEV (written), TMPSCRIPT (appended to)
#######################################
ExtForwardPort() {
  DSTSRVIP=$1
  PROT=$2
  SRCPORT=$3
  DSTPORT=$4
  INDEV=$5
  local -a nat forward_in forward_out

  OUTDEV=$(FindInDevice "$DSTSRVIP")
  nat=(-t nat -A PREROUTING -p "$PROT" --dport "$SRCPORT" -i "$INDEV" -j DNAT --to "$DSTSRVIP:$DSTPORT")
  forward_in=(-A FORWARD -p "$PROT" -i "$INDEV" -o "$OUTDEV" -d "$DSTSRVIP" --dport "$DSTPORT" -j ACCEPT)
  forward_out=(-A FORWARD -p "$PROT" -o "$INDEV" -i "$OUTDEV" -s "$DSTSRVIP" --sport "$DSTPORT" -j ACCEPT)

  echo $DEBUG $IPTABLES "${nat[@]}" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES "${forward_in[@]}" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES "${forward_out[@]}" >>"$TMPSCRIPT"
}
#######################################
# Create the reject-log chain: log, then REJECT.
# Globals:   DEBUG, IPTABLES (read), TMPSCRIPT (appended to)
#######################################
CreateLogTable() {
  local chain=reject-log

  echo $DEBUG $IPTABLES -N "$chain" >>"$TMPSCRIPT"
  # the escaped quotes end up in the generated script as Firewall:"rejected"
  echo $DEBUG $IPTABLES -A "$chain" -j LOG --log-prefix "Firewall:\"rejected\"" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A "$chain" -j REJECT >>"$TMPSCRIPT"
}
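#######################################
# Create the account-log chain: log, then ACCEPT.
# Globals:   DEBUG, IPTABLES (read), TMPSCRIPT (appended to)
#######################################
CreateAccountingTable() {
  local chain=account-log

  echo $DEBUG $IPTABLES -N "$chain" >>"$TMPSCRIPT"
  # The prefix contains a space, so the generated script line must carry
  # quotes of its own (as CreateLogTable does). The original echoed it
  # bare, which split "FIREWALL:" and "allowed" into two arguments when
  # TMPSCRIPT was executed.
  echo $DEBUG $IPTABLES -A "$chain" -j LOG --log-prefix "\"FIREWALL: allowed\"" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A "$chain" -j ACCEPT >>"$TMPSCRIPT"
}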
#######################################
# Create the icmp-rules chain: pass a fixed set of ICMP types to
# $ACCEPTRULE, rate-limited log of everything else, then DROP.
# Globals:   DEBUG, IPTABLES, ACCEPTRULE (read), TMPSCRIPT (appended to)
#######################################
CreateICMPTable() {
  local chain=icmp-rules
  local icmp_type
  local -a allowed_types=(
    destination-unreachable
    source-quench
    time-exceeded
    parameter-problem
    echo-request
    echo-reply
  )

  echo $DEBUG $IPTABLES -N "$chain" >>"$TMPSCRIPT"
  for icmp_type in "${allowed_types[@]}"; do
    echo $DEBUG $IPTABLES -A "$chain" -p icmp --icmp-type "$icmp_type" -j $ACCEPTRULE >>"$TMPSCRIPT"
  done
  echo $DEBUG $IPTABLES -A "$chain" -m limit --limit 6/m -j LOG --limit-burst 10 --log-prefix "FIREWALL:icmp-drop" >>"$TMPSCRIPT"
  echo $DEBUG $IPTABLES -A "$chain" -j DROP >>"$TMPSCRIPT"
}
#######################################
# Send all ICMP traffic of the three filter chains to the icmp-rules chain.
# Globals:   DEBUG, IPTABLES (read), TMPSCRIPT (appended to)
#######################################
ActivateICMPRules() {
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    echo $DEBUG $IPTABLES -A "$chain" -p icmp -j icmp-rules >>"$TMPSCRIPT"
  done
}
#######################################
# Append a final catch-all rule with the given target to the three filter
# chains (e.g. reject-log or DROP).
# Arguments: $1 - target
# Globals:   DEBUG, IPTABLES (read), CLOSE_ACTION (written),
#            TMPSCRIPT (appended to)
#######################################
CloseLast() {
  CLOSE_ACTION=$1
  local chain

  for chain in INPUT FORWARD OUTPUT; do
    echo $DEBUG $IPTABLES -A "$chain" -j "$CLOSE_ACTION" >>"$TMPSCRIPT"
  done
}