From 0036a0d2730ac88c58486808b11a39322a2d7610 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 5 May 2004 16:22:21 +0000 Subject: [PATCH] Add NONAT and ACCEPT+ actions git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 1 + Shorewall2/fallback.sh | 2 +- Shorewall2/firewall | 67 +++++++++++++++++++++++++++++++------ Shorewall2/install.sh | 2 +- Shorewall2/releasenotes.txt | 10 ++++++ Shorewall2/rules | 7 ++++ Shorewall2/shorewall.spec | 4 ++- Shorewall2/uninstall.sh | 2 +- 8 files changed, 80 insertions(+), 15 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 8e88110b0..65d009fc3 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -48,3 +48,4 @@ Changes since 2.0.1 23) Apply Alex Wilms's patch for install.sh +24) Add ACCEPT+ and NONAT targets. diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 77924a95b..b1c450870 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.0.2-Beta1 +VERSION=2.0.2-Beta2 usage() # $1 = exit status { diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 590297950..bb6675251 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall 
@@ -3222,9 +3222,23 @@ add_a_rule() log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ $(fix_bang $proto $sports $multiport $cli -d $srv $dports) fi - - run_iptables2 -A $chain $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target + + case $logtarget in + NONAT) + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN + ;; + ACCEPT+) + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN + run_iptables2 -A $chain $proto $multiport $cli $sports \ + -d $srv $dports $ratelimit $userandgroup -j $target + ;; + *) + run_iptables2 -A $chain $proto $multiport $cli $sports \ + -d $srv $dports $ratelimit $userandgroup -j $target + ;; + esac fi done done @@ -3234,8 +3248,22 @@ add_a_rule() $(fix_bang $proto $sports $multiport $cli $dports) fi - run_iptables2 -A $chain $proto $multiport $cli $sports \ - $dports $ratelimit $userandgroup -j $target + case $logtarget in + NONAT) + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + ;; + ACCEPT+) + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + run_iptables2 -A $chain $proto $multiport $cli $sports \ + $dports $ratelimit $userandgroup -j $target + ;; + *) + run_iptables2 -A $chain $proto $multiport $cli $sports \ + $dports $ratelimit $userandgroup -j $target + ;; + esac fi fi fi 
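Review bot: The `ACCEPT+)` arm of the new `case` is the `NONAT)` arm followed verbatim by the `*)` arm, and the same three-way case is repeated in the @@ -3234 hunk and (with an extra empty `LOG)` arm) in the @@ -3253 hunk, so the long `addnatrule`/`run_iptables2` argument lists now exist in four near-identical copies that have to be kept in sync by hand. The same behaviour reads more directly as one nat-table RETURN for `NONAT|ACCEPT+` followed by the filter rule guarded by `[ $logtarget != NONAT ]` (in the @@ -3253 hunk the guard also has to keep the existing LOG exclusion, `[ $logtarget != NONAT -a $logtarget != LOG ]`). A short comment on the case would also help, since a reader sees `case $logtarget` and `-j $target` side by side and has to look elsewhere to learn why two different variables are consulted. add_a_rule begins before this hunk and its body continues in the following hunks.
```shell
                    # … unchanged: loglevel / log_rule_limit block above …
                    # NONAT and ACCEPT+ both exempt the connection from later DNAT/REDIRECT
                    # rules in the source zone's nat chain; only NONAT omits the filter rule.
                    case $logtarget in
                        NONAT|ACCEPT+)
                            addnatrule $(dnat_chain $source) $proto $multiport \
                                $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
                            ;;
                    esac

                    if [ $logtarget != NONAT ]; then
                        run_iptables2 -A $chain $proto $multiport $cli $sports \
                            -d $srv $dports $ratelimit $userandgroup -j $target
                    fi
```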
@@ -3253,10 +3281,24 @@ add_a_rule() $(fix_bang $proto $multiport $dest_interface $cli $sports $dports) fi - if [ $logtarget != LOG ]; then - run_iptables2 -A $chain $proto $multiport $dest_interface \ - $cli $sports $dports $ratelimit $userandgroup -j $target - fi + case $logtarget in + LOG) + ;; + NONAT) + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + ;; + ACCEPT+) + addnatrule $(dnat_chain $source) $proto $multiport \ + $cli $sports $dports $ratelimit $userandgroup -j RETURN + run_iptables2 -A $chain $proto $multiport $dest_interface \ + $cli $sports $dports $ratelimit $userandgroup -j $target + ;; + *) + run_iptables2 -A $chain $proto $multiport $dest_interface \ + $cli $sports $dports $ratelimit $userandgroup -j $target + ;; + esac fi fi } @@ -3368,7 +3410,10 @@ process_rule() # $1 = target fi case $target in - ACCEPT|LOG) + ACCEPT+) + target=ACCEPT + ;; + ACCEPT|LOG|NONAT) ;; DROP) [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP" @@ -3613,7 +3658,7 @@ process_rules() while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do temp="${xtarget%%:*}" case "${temp%<*}" in - ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) + ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) do_it ;; *) diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index 42ab2ed39..bc8593520 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.0.2-Beta1 +VERSION=2.0.2-Beta2 usage() # $1 = exit status { diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index cea4190bb..43f3baa78 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
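Review bot: The nat-table RETURN added in the `NONAT)` and `ACCEPT+)` arms omits `$dest_interface`, which the filter rule a few lines below still matches, so the DNAT/REDIRECT exemption is keyed only on `$cli`, protocol and ports and is wider than the ACCEPT it accompanies; the destination side is lost the same way in the @@ -3234 hunk, where the destination zone is implied only by `$chain` while the nat rule goes to `dnat_chain $source`. The omission is presumably unavoidable (the dnat chain is apparently traversed before routing, so no output interface is known there), but it is a trap for anyone pairing `ACCEPT+` with a REDIRECT for the same port and a different destination, and neither the releasenotes entry nor the `rules` comment, which both say only "matching connections", mention it. Suggest a comment above the `NONAT)` arm, `# the nat rule cannot match $dest_interface: the exemption is broader than the filter rule below`, plus a sentence to that effect in the releasenotes entry. Copying `$ratelimit` onto the RETURN also means a connection that exceeds the limit stops being exempted and can be DNATed at the same moment the rate-limited ACCEPT no longer matches it — confirm that interaction is intended.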
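Review bot: `ACCEPT+)` is folded into `target=ACCEPT` in the process_rule hunk (@@ -3368), so by the time add_a_rule chooses between its `case $logtarget` arms (@@ -3222, -3234 and -3253 hunks) the only thing that still distinguishes an ACCEPT+ rule is `$logtarget`; that works only if `$logtarget` was taken from `$target` before this case runs, which cannot be confirmed here because the start of process_rule lies outside the hunk. It is worth pinning with a comment on the new arm, `# $logtarget keeps ACCEPT+ so add_a_rule still emits the nat-table exemption`, so that a later change recomputing logtarget from target does not silently degrade ACCEPT+ to plain ACCEPT. Listing `NONAT` alongside `ACCEPT|LOG` means a NONAT rule reaches add_a_rule with `target=NONAT`, which the new arms never hand to `-j`, so that part is consistent.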
@@ -210,4 +210,14 @@ New Features: To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177 To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176 +11) Two new actions are available in the /etc/shorewall/rules file. + + ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts + matching connections from subsequent DNAT[-] and + REDIRECT[-] rules. + + NONAT -- Exempts matching connections from subsequent DNAT[-] + and REDIRECT[-] rules. + + diff --git a/Shorewall2/rules b/Shorewall2/rules index 2d83bb744..f11a4ff53 100755 --- a/Shorewall2/rules +++ b/Shorewall2/rules @@ -25,6 +25,13 @@ # LOG, QUEUE or an . # # ACCEPT -- allow the connection request +# ACCEPT+ -- like ACCEPT but also excludes the +# connection from any subsequent +# DNAT[-] or REDIRECT[-] rules +# NONAT -- Excludes the connection from any +# subsequent DNAT[-] or REDIRECT[-] + rules but doesn't generate a rule +# to accept the traffic. # DROP -- ignore the request # REJECT -- disallow the request and return an # icmp-unreachable or an RST packet. diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index 3c77061fe..7f242bde5 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 2.0.2 -%define release 0Beta1 +%define release 0Beta2 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -140,6 +140,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Tue May 04 2004 Tom Eastep tom@shorewall.net +- Shorewall 2.0.2-Beta2 * Tue Apr 13 2004 Tom Eastep tom@shorewall.net - Add /usr/share/shorewall/configpath * Mon Apr 05 2004 Tom Eastep tom@shorewall.net diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh index 3d803dcdf..effda66c3 100755 --- a/Shorewall2/uninstall.sh +++ b/Shorewall2/uninstall.sh 
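Review bot: The sixth added comment line in the Shorewall2/rules hunk, `+ rules but doesn't generate a rule`, has no leading `#` (the addition count of +7 confirms it is a line of its own), so in the installed /etc/shorewall/rules it is not a comment but a rule whose first field is `rules`; the @@ -3613 hunk of Shorewall2/firewall sends such a target to the `*)` arm of its target check rather than `do_it`, so a configuration that keeps the shipped file presumably hits whatever that arm does (its body is outside that hunk) on every start. It should read `# rules but doesn't generate a rule`, indented like the other continuation lines. The `ACCEPT+` block above it is fine.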
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.0.2-Beta1 +VERSION=2.0.2-Beta2 usage() # $1 = exit status {