Update LrpN for 2.2.4 - prerelease
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2044 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
41fcd3cb71
commit
022b6fb625
6
LrpN/etc/shorewall/continue
Normal file
@ -0,0 +1,6 @@
|
||||
############################################################################
|
||||
# Shorewall 2.2 -- /etc/shorewall/continue
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# cleared any existing Netfilter rules and has enabled existing connections.
|
||||
#
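Review bot: The header omits the trust boundary this file represents: it invites the administrator to add commands that shorewall executes (presumably sourced by the firewall script with its privileges), so the file's ownership and mode decide who can run code as the firewall. Suggest a line after the description: `# NOTE: this file is executed by the firewall with its privileges; keep it owned by root and not writable by other users.`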
|
@ -167,6 +167,8 @@
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
# upnp - Incoming requests from this interface may
|
||||
# be remapped via UPNP (upnpd).
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE.
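Review bot: The new `upnp` description does not tell the reader what else the option needs: elsewhere in this commit, process_actions2 emits a warning and forces the forwardUPnP action into the used-action list when an interface carries `upnp` and no forwardUPnP rule exists. Suggest extending the entry with `# Requires a forwardUPnP rule in /etc/shorewall/rules;` / `# a warning is issued at startup if none is present.`, since "may be remapped" alone leaves it open whether the option admits anything by itself. Separately, `taylors` in the detectnets entry should read `tailors`.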
|
||||
|
38
LrpN/etc/shorewall/netmap
Normal file
@ -0,0 +1,38 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.2 -- Network Mapping Table
|
||||
#
|
||||
# /etc/shorewall/netmap
|
||||
#
|
||||
# This file is used to map addresses in one network to corresponding
|
||||
# addresses in a second network.
|
||||
#
|
||||
# WARNING: To use this file, your kernel and iptables must have
|
||||
# NETMAP support included.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
# TYPE Must be DNAT or SNAT.
|
||||
#
|
||||
# If DNAT, traffic entering INTERFACE and addressed to
|
||||
# NET1 has it's destination address rewritten to the
|
||||
# corresponding address in NET2.
|
||||
#
|
||||
# If SNAT, traffic leaving INTERFACE with a source
|
||||
# address in NET1 has it's source address rewritten to
|
||||
# the corresponding address in NET2.
|
||||
#
|
||||
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
|
||||
#
|
||||
# INTERFACE The name of a network interface. The interface must
|
||||
# be defined in /etc/shorewall/interfaces.
|
||||
#
|
||||
# NET2 Network in CIDR format
|
||||
#
|
||||
# See http://shorewall.net/netmap.html for an example and usage
|
||||
# information.
|
||||
#
|
||||
##############################################################################
|
||||
#TYPE NET1 INTERFACE NET2
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
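Review bot: Two typos in the TYPE description: `has it's destination address rewritten` and `has it's source address rewritten` should both use `its`. The rest of the column description is consistent with the header line `#TYPE NET1 INTERFACE NET2`.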
|
@ -25,6 +25,8 @@
|
||||
# DROP - Ignore the connection request
|
||||
# REJECT - For TCP, send RST. For all other, send
|
||||
# "port unreachable" ICMP.
|
||||
# QUEUE - Send the request to a user-space
|
||||
# application using the QUEUE target.
|
||||
# CONTINUE - Pass the connection request past
|
||||
# any other rules that it might also
|
||||
# match (where the source or destination
|
||||
@ -82,4 +84,8 @@ net all DROP ULOG
|
||||
# remove the comment from the following line.
|
||||
#fw net ACCEPT
|
||||
|
||||
#
|
||||
# THE FOLLOWING POLICY MUST BE LAST
|
||||
#
|
||||
all all REJECT ULOG
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -5,7 +5,8 @@
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
# This file is used to define the hosts that are accessible when the
|
||||
# firewall is stopped
|
||||
# firewall is stopped or when it is in the process of being
|
||||
# [re]started.
|
||||
#
|
||||
# Columns must be separated by white space and are:
|
||||
#
|
||||
|
@ -188,14 +188,20 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# /shorewall/shorewall.conf V2.2 - Change the following variables to
|
||||
# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
@ -23,6 +23,11 @@ STARTUP_ENABLED=No
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
#
|
||||
# These levels are defined by syslog and are used to determine the destination
|
||||
# of the messages through entries in /etc/syslog.conf (5). The syslog
|
||||
# documentation refers to these as "priorities"; Netfilter calls them "levels"
|
||||
# and Shorewall also uses that term.
|
||||
#
|
||||
# Valid levels are:
|
||||
#
|
||||
# 7 debug
|
||||
@ -44,8 +49,10 @@ STARTUP_ENABLED=No
|
||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||
# configured to log all Shorewall message to their own log file
|
||||
# ulogd is available with most Linux distributions (although it probably isn't
|
||||
# installed by default). Ulogd is also available from
|
||||
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
|
||||
# Shorewall message to their own log file
|
||||
################################################################################
|
||||
#
|
||||
# LOG FILE LOCATION
|
||||
@ -544,7 +551,7 @@ MUTEX_TIMEOUT=60
|
||||
# A packet is said to be NEW if it is not part of or related to an already
|
||||
# established connection.
|
||||
#
|
||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# SYN off or with ACK or RST on) that are not associated with an already
|
||||
# established connection.
|
||||
#
|
||||
@ -692,7 +699,7 @@ DYNAMIC_ZONES=No
|
||||
# USE PKTTYPE MATCH
|
||||
#
|
||||
# Some users have reported problems with the PKTTYPE match extension not being
|
||||
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
|
||||
@ -732,6 +739,58 @@ PKTTYPE=Yes
|
||||
# DROPINVALID=Yes is assumed.
|
||||
|
||||
DROPINVALID=No
|
||||
|
||||
#
|
||||
# RFC 1918 BEHAVIOR
|
||||
#
|
||||
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
|
||||
# processing to cease for a packet if the packet's source IP address matches
|
||||
# the rule. Thus, if you have:
|
||||
#
|
||||
# SUBNETS TARGET
|
||||
# 192.168.1.0/24 RETURN
|
||||
#
|
||||
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
|
||||
# also have:
|
||||
#
|
||||
# SUBNETS TARGET
|
||||
# 10.0.0.0/8 logdrop
|
||||
#
|
||||
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
|
||||
# since while the packet's source matches the RETURN rule, the packet's
|
||||
# destination matches the 'logdrop' rule.
|
||||
#
|
||||
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
|
||||
# RFC1918_STRICT=No is assumed.
|
||||
#
|
||||
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
|
||||
# 'conntrack state' match.
|
||||
|
||||
RFC1918_STRICT=No
|
||||
|
||||
#
|
||||
# MACLIST caching
|
||||
#
|
||||
# If your iptables and kernel support the "Recent Match" (see the output of
|
||||
# "shorewall check" near the top), you can cache the results of a 'maclist'
|
||||
# file lookup and thus reduce the overhead associated with MAC Verification
|
||||
# (/etc/shorewall/maclist).
|
||||
#
|
||||
# When a new connection arrives from a 'maclist' interface, the packet passes
|
||||
# through then list of entries for that interface in /etc/shorewall/maclist. If
|
||||
# there is a match then the source IP address is added to the 'Recent' set for
|
||||
# that interface. Subsequent connection attempts from that IP address occuring
|
||||
# within $MACLIST_TTL seconds will be accepted without having to scan all of
|
||||
# the entries. After $MACLIST_TTL from the first accepted connection request,
|
||||
# the next connection request from that IP address will be checked against
|
||||
# the entire list.
|
||||
#
|
||||
# If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||
# be cached.
|
||||
|
||||
MACLIST_TTL=
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
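Review bot: The MACLIST_TTL description leaves out the security consequence of the cache: the Recent set is keyed by source IP address, so while an entry is live every packet from that address passes the maclist chain without its MAC being checked, and a host that spoofs an accepted address gets the same treatment for up to MACLIST_TTL seconds. The text "After $MACLIST_TTL from the first accepted connection request" also appears to be contradicted by the rules this commit generates, where a cache hit jumps to a chain that runs `-m recent --update` and so refreshes the entry on every hit; if that is intended, the window slides rather than expires. Suggest adding `# NOTE: the cache is keyed by source IP address only; while an entry is live, packets from that address` / `# are accepted without a MAC check, so spoofing an accepted address defeats verification for the cache lifetime.`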
|
||||
|
@ -41,7 +41,7 @@
|
||||
# C - Mark the connection in the chain determined
|
||||
# by the setting of MARK_IN_FORWARD_CHAIN
|
||||
#
|
||||
# CF: Mark the conneciton in the FORWARD chain
|
||||
# CF: Mark the connection in the FORWARD chain
|
||||
#
|
||||
# CP: Mark the connection in the PREROUTING chain.
|
||||
#
|
||||
@ -80,7 +80,8 @@
|
||||
# allowed. Use $FW if the packet originates on
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
# in the OUTPUT chain). $FW may be optionally followed
|
||||
# by ":" and a host/network address.
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
# "-" as a separator.
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
#
|
||||
@ -220,6 +220,13 @@ get_config() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Clear descriptor 1 if it is a terminal
|
||||
#
|
||||
clear_term() {
|
||||
[ -t 1 ] && clear
|
||||
}
|
||||
|
||||
#
|
||||
# Display IPTABLES rules -- we used to store them in a variable but ash
|
||||
# dies when trying to display large sets of rules
|
||||
@ -238,7 +245,7 @@ display_chains()
|
||||
|
||||
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "Standard Chains"
|
||||
@ -250,7 +257,7 @@ display_chains()
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -268,7 +275,7 @@ display_chains()
|
||||
for zone in $zones; do
|
||||
|
||||
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -287,7 +294,7 @@ display_chains()
|
||||
fi
|
||||
done
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -308,7 +315,7 @@ display_chains()
|
||||
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
firstchain=Yes
|
||||
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
while true; do
|
||||
display_chains
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
timed_read
|
||||
fi
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo "NAT Status"
|
||||
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
cat /proc/net/ip_conntrack
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
show_tc
|
||||
timed_read
|
||||
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
echo
|
||||
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
qt which awk && haveawk=Yes || haveawk=
|
||||
|
||||
while true; do
|
||||
clear
|
||||
clear_term
|
||||
echo "$banner $(date)"
|
||||
echo
|
||||
|
||||
@ -960,7 +967,7 @@ case "$1" in
|
||||
status)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
clear
|
||||
clear_term
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
@ -1007,18 +1014,30 @@ case "$1" in
|
||||
done
|
||||
done
|
||||
|
||||
echo
|
||||
echo "Routing Rules"
|
||||
echo
|
||||
ip rule ls
|
||||
ip rule ls | while read rule; do
|
||||
table=${rule##* }
|
||||
if [ -n "$(ip rule ls)" ]; then
|
||||
echo
|
||||
echo "Table $table:"
|
||||
echo "Routing Rules"
|
||||
echo
|
||||
ip route ls table $table
|
||||
done
|
||||
ip rule ls
|
||||
ip rule ls | while read rule; do
|
||||
table=${rule##* }
|
||||
echo
|
||||
echo "Table $table:"
|
||||
echo
|
||||
ip route ls table $table
|
||||
done
|
||||
else
|
||||
echo
|
||||
echo "Routing Table"
|
||||
echo
|
||||
ip route ls
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "ARP"
|
||||
echo
|
||||
arp -na
|
||||
|
||||
if qt which lsmod; then
|
||||
echo
|
||||
echo "Modules"
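Review bot: `table=${rule##* }` takes the last word of every `ip rule ls` line and lists that table once per rule, so when several rules point at the same table the routes are printed repeatedly, and a rule whose final word is not a table name (rule types such as `blackhole`/`unreachable` — to be confirmed against the iproute2 version in use) makes `ip route ls table` fail noisily. `ip rule ls` is also run twice, once for the emptiness test and once for the loop. Suggest deduplicating the table names, e.g. `ip rule ls | sed 's/.* //' | sort -u | while read -r table; do`. The `status)` case arm begins before this hunk.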
|
||||
@ -1029,7 +1048,7 @@ case "$1" in
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
clear
|
||||
clear_term
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
|
||||
#
|
||||
# ACCEPT needed ICMP types
|
||||
#
|
||||
|
@ -6,6 +6,6 @@
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 5631
|
||||
ACCEPT - - tcp 5632
|
||||
ACCEPT - - udp 5632
|
||||
ACCEPT - - tcp 5631
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -6,15 +6,16 @@
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# dropNotSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNotSyn #Silently Reject Non-syn TCP packets
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
# allowoutUPnP #Allow traffic from local command 'upnpd'
|
||||
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
|
||||
# forwardUPnP #Allow traffic that upnpd has redirected from
|
||||
# #'upnp' interfaces.
|
||||
#
|
||||
#ACTION
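Review bot: The renamed builtins are documented only under their new names, yet the ACTIONS list in this same commit still contains `dropNonSyn` and process_actions3 still implements it, so a reader of this file cannot tell whether existing rules using the old name keep working. Suggest keeping one line for it: `# dropNonSyn #Deprecated alias for dropNotSyn`. The sentence "The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN" should likewise say NotSyn.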
|
||||
|
||||
|
@ -30,7 +30,7 @@
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
# shorewall reset Resets iptabless packet and
|
||||
# shorewall reset Resets iptables packet and
|
||||
# byte counts
|
||||
# shorewall clear Remove all Shorewall chains
|
||||
# and rules/policies.
|
||||
@ -464,6 +464,11 @@ mac_chain() # $1 = interface
|
||||
echo $(chain_base $1)_mac
|
||||
}
|
||||
|
||||
macrecent_target() # $1 - interface
|
||||
{
|
||||
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||
}
|
||||
|
||||
#
|
||||
# Functions for creating dynamic zone rules
|
||||
#
|
||||
@ -932,7 +937,7 @@ validate_interfaces_file() {
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
|
||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||
;;
|
||||
detectnets)
|
||||
[ -n "$wildcard" ] && \
|
||||
@ -1095,7 +1100,7 @@ validate_policy()
|
||||
esac
|
||||
|
||||
case $policy in
|
||||
ACCEPT|REJECT|DROP|CONTINUE)
|
||||
ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
|
||||
;;
|
||||
NONE)
|
||||
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
|
||||
@ -1303,10 +1308,22 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
|
||||
case $level in
|
||||
ULOG)
|
||||
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
if ! $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ; then
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix \"$prefix\"\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
if ! $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"; then
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix \"$prefix\"\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
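Review bot: When `$stopping` is set, a failed LOG/ULOG rule is now swallowed without any message: the outer `if !` catches the failure, but only the `[ -z "$stopping" ]` branch reports it. Not recursing into stop_firewall while stopping is right, but the administrator should still learn that a logging rule was not installed; suggest an `else` on the inner `if`, e.g. `error_message "Warning: logging rule not added while stopping: $IPTABLES $command $chain $@ $limit"`. Each arm also spells the full command out twice (once to run it, once in the message), which will drift apart over time. log_rule_limit's body begins before this hunk.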
|
||||
|
||||
@ -1378,6 +1395,58 @@ disable_ipv6_1() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Process the routestopped file either adding or deleting rules
|
||||
#
|
||||
|
||||
process_routestopped() # $1 = command
|
||||
{
|
||||
local hosts= interface host host1 options networks
|
||||
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||
for h in $(separate_list $host); do
|
||||
hosts="$hosts $interface:$h"
|
||||
done
|
||||
|
||||
routeback=
|
||||
|
||||
if [ -n "$options" ]; then
|
||||
for option in $(separate_list $options); do
|
||||
case $option in
|
||||
routeback)
|
||||
if [ -n "$routeback" ]; then
|
||||
error_message "Warning: Duplicate routestopped option ignored: routeback"
|
||||
else
|
||||
routeback=Yes
|
||||
for h in $(separate_list $host); do
|
||||
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||
done
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Unknown routestopped option ignored: $option"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/routestopped
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
$IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Stop the Firewall
|
||||
#
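Review bot: The INPUT rule `$IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT` bypasses `run_iptables`, while the OUTPUT and FORWARD rules in the same loop and the routeback rule above all go through it, so a failure to install the routestopped INPUT accept is handled differently from its siblings (judging by the helper's name, it would go unreported). Suggest `run_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT`. Also `routeback`, `h` and `option` are assigned inside the function but are missing from the `local` list on its first line.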
|
||||
@ -1453,50 +1522,9 @@ stop_firewall() {
|
||||
|
||||
hosts=
|
||||
|
||||
strip_file routestopped
|
||||
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
||||
|
||||
while read interface host options; do
|
||||
expandv interface host options
|
||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||
for h in $(separate_list $host); do
|
||||
hosts="$hosts $interface:$h"
|
||||
done
|
||||
|
||||
routeback=
|
||||
|
||||
if [ -n "$options" ]; then
|
||||
for option in $(separate_list $options); do
|
||||
case $option in
|
||||
routeback)
|
||||
if [ -n "$routeback" ]; then
|
||||
error_message "Warning: Duplicate option ignored: routeback"
|
||||
else
|
||||
routeback=Yes
|
||||
for h in $(separate_list $host); do
|
||||
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||
done
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Unknown option ignored: $option"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/routestopped
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
done
|
||||
done
|
||||
process_routestopped -A
|
||||
|
||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
@ -1977,6 +2005,7 @@ setup_mac_lists() {
|
||||
local addresses
|
||||
local address
|
||||
local chain
|
||||
local chain1
|
||||
local macpart
|
||||
local blob
|
||||
local hosts
|
||||
@ -2001,10 +2030,19 @@ setup_mac_lists() {
|
||||
|
||||
progress_message "Setting up MAC Verification on $maclist_interfaces..."
|
||||
#
|
||||
# Be sure that they are all ethernet interfaces
|
||||
# Create chains.
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
createchain $(mac_chain $interface) no
|
||||
chain=$(mac_chain $interface)
|
||||
createchain $chain no
|
||||
|
||||
if [ -n "$MACLIST_TTL" ]; then
|
||||
chain1=$(macrecent_target $interface)
|
||||
createchain $chain1 no
|
||||
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
|
||||
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
|
||||
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
|
||||
fi
|
||||
done
|
||||
#
|
||||
# Process the maclist file producing the verification rules
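Review bot: The cache chain ends in `-j ACCEPT` where the target it replaces was `RETURN` (the maclist match rules later in this commit change `-j RETURN` to `-j $chain1`), so with MACLIST_TTL set a verified host is accepted inside the mac chain instead of being returned to the calling chain for the normal rules; if the mac chain is invoked ahead of the zone rules, as the old RETURN target suggests, cached hosts skip them entirely. The `--rcheck` hit also jumps into the chain that runs `--update`, so every hit refreshes the entry and the window slides, which does not match the MACLIST_TTL description ("after $MACLIST_TTL from the first accepted connection request"). Suggest `run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN`, `run_iptables -A $chain1 -m recent --update --name $chain -j RETURN` and `run_iptables -A $chain1 -m recent --set --name $chain -j RETURN`. Either way the Recent list is keyed by source IP only, so any caching here trusts the IP for the TTL without a MAC check.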
|
||||
@ -2024,6 +2062,7 @@ setup_mac_lists() {
|
||||
fi
|
||||
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
|
||||
if ! havechain $chain ; then
|
||||
fatal_error "No hosts on $interface have the maclist option specified"
|
||||
@ -2032,10 +2071,10 @@ setup_mac_lists() {
|
||||
macpart=$(mac_match $mac)
|
||||
|
||||
if [ -z "$addresses" ]; then
|
||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
||||
run_iptables -A $chain $macpart $physdev_part -j $chain1
|
||||
else
|
||||
for address in $(separate_list $addresses) ; do
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
|
||||
done
|
||||
fi
|
||||
done < $TMP_DIR/maclist
|
||||
@ -2045,6 +2084,7 @@ setup_mac_lists() {
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=$(mac_chain $interface)
|
||||
chain1=$(macrecent_target $interface)
|
||||
|
||||
blob=$(ip link show $interface 2> /dev/null)
|
||||
|
||||
@ -2053,11 +2093,11 @@ setup_mac_lists() {
|
||||
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||
if [ -n "$broadcast" ]; then
|
||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
|
||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
|
||||
done
|
||||
|
||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
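Review bot: Routing the broadcast/multicast exemptions through `$chain1` means that, with MACLIST_TTL set, any host in the interface's subnet that sends one packet to 255.255.255.255 or 224.0.0.0/4 is `--set` into the Recent list, and its subsequent unicast connections then skip MAC verification for MACLIST_TTL seconds; the previous `-j RETURN` exempted only the broadcast packet itself. Unless seeding the cache from unverified broadcast traffic is intended, keep these three rules at `-j RETURN` and reserve `$chain1` for packets that actually matched a maclist entry. setup_mac_lists continues past this hunk.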
|
||||
@ -2333,16 +2373,19 @@ process_tc_rule()
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
*.*.*)
|
||||
r="-s $source "
|
||||
r="$(source_ip_range $source) "
|
||||
;;
|
||||
~*)
|
||||
r="$(mac_match $source) "
|
||||
;;
|
||||
$FW:*)
|
||||
chain=tcout
|
||||
r="$(source_ip_range ${source%:*}) "
|
||||
;;
|
||||
$FW)
|
||||
chain=tcout
|
||||
;;
|
||||
*)
|
||||
|
||||
*)
|
||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
r="$(match_source_dev) $source "
|
||||
;;
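Review bot: The new `$FW:*` arm passes the wrong half of the value and is also unreachable for any dotted address: `${source%:*}` strips the suffix after the last colon, so for a value like `fw:192.168.1.10` (taking $FW as `fw`) it hands `fw` to source_ip_range — compare `networks=${host#*:}`, which process_routestopped uses for the same split — and because `*.*.*)` precedes it in the `case`, that value matches the dotted arm first and never sets `chain=tcout`. Move the `$FW:*` and `$FW` arms ahead of `*.*.*` and extract the address with `${source#*:}`. process_tc_rule starts and ends outside this hunk.

```sh
case $source in
    $FW:*)
        chain=tcout
        r="$(source_ip_range ${source#*:}) "
        ;;
    $FW)
        chain=tcout
        ;;
    *.*.*)
        r="$(source_ip_range $source) "
        ;;
    # … unchanged: ~* (MAC) arm and the interface arm …
```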
|
||||
@ -2376,6 +2419,7 @@ process_tc_rule()
|
||||
r="${r}$(dest_ip_range $dest) "
|
||||
;;
|
||||
*)
|
||||
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||
r="${r}$(match_dest_dev $dest) "
|
||||
;;
|
||||
esac
|
||||
@ -2763,13 +2807,14 @@ check_config() {
|
||||
|
||||
disclaimer() {
|
||||
echo
|
||||
echo "Notice: The 'check' command is unsupported and problem"
|
||||
echo " reports complaining about errors that it didn't catch"
|
||||
echo " will not be accepted"
|
||||
echo "Notice: The 'check' command is provided to catch"
|
||||
echo " obvious errors in a Shorewall configuration."
|
||||
echo " It is not designed to catch all possible errors"
|
||||
echo " so please don't submit problem reports about"
|
||||
echo " error conditions that 'check' doesn't find"
|
||||
echo
|
||||
}
|
||||
|
||||
disclaimer
|
||||
|
||||
report_capabilities
|
||||
|
||||
@ -3148,7 +3193,27 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
|
||||
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
#
|
||||
# add_an_action() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_an_action
|
||||
done
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -3242,7 +3307,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
||||
if [ $COMMAND != check ]; then
|
||||
createchain $CHAIN No
|
||||
LEVEL=${level%:*}
|
||||
TAG=${level#*:}
|
||||
if [ "$LEVEL" != "$level" ]; then
|
||||
TAG=${level#*:}
|
||||
else
|
||||
TAG=
|
||||
fi
|
||||
run_user_exit $1
|
||||
fi
|
||||
|
||||
@ -3404,7 +3473,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
||||
#
|
||||
process_actions1() {
|
||||
|
||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
|
||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
||||
|
||||
USEDACTIONS=
|
||||
|
||||
strip_file actions
|
||||
@ -3421,14 +3491,14 @@ process_actions1() {
|
||||
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
|
||||
xaction=${xaction%:*}
|
||||
case $temp in
|
||||
ACCEPT|REJECT|DROP)
|
||||
ACCEPT|REJECT|DROP|QUEUE)
|
||||
eval ${temp}_common=$xaction
|
||||
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
|
||||
USEDACTIONS="$USEDACTIONS $xaction"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
|
||||
startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
|
||||
;;
|
||||
esac
|
||||
esac
|
||||
@ -3475,6 +3545,15 @@ process_actions1() {
|
||||
|
||||
process_actions2() {
|
||||
|
||||
local interfaces="$(find_interfaces_by_option upnp)"
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
if ! list_search forwardUPnP $USEDACTIONS; then
|
||||
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
|
||||
USEDACTIONS="$USEDACTIONS forwardUPnP"
|
||||
fi
|
||||
fi
|
||||
|
||||
progress_message " Generating Transitive Closure of Used-action List..."
|
||||
|
||||
changed=Yes
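Review bot: The warning adds forwardUPnP to USEDACTIONS, but the forwardUPnP arm this commit adds to process_actions3 (`forwardUPnP) ;;`) generates no rules, so unless the forwarding rules are produced elsewhere an interface marked `upnp` starts with nothing in place for upnpd's redirects; worth confirming before release, since the message implies the action does something. The message also lacks a space after the colon: `error_message "Warning: Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"`. process_actions2 continues past this hunk.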
|
||||
@ -3533,8 +3612,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3548,7 +3627,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3565,8 +3644,8 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -3580,7 +3659,7 @@ process_actions3() {
|
||||
;;
|
||||
*)
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
||||
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3594,38 +3673,58 @@ process_actions3() {
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
dropNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||
fi
|
||||
;;
|
||||
rejNotSyn)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
|
||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||
fi
|
||||
;;
|
||||
dropInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||
fi
|
||||
;;
|
||||
allowInvalid)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
|
||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
|
||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
forwardUPnP)
|
||||
;;
|
||||
allowinUPnP)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
if [ -n "$xlevel" ]; then
|
||||
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
|
||||
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
|
||||
fi
|
||||
|
||||
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
|
||||
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
allowoutUPnP)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
[ -n "$xlevel" ] && \
|
||||
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
||||
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
#
|
||||
# Not a builtin
|
||||
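Review bot: The logging rule for `allowoutUPnP` uses an option the iptables owner match does not have: `log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd`, while the real rule two lines below and the capability probe in determine_capabilities both spell it `--cmd-owner`, so an `allowoutUPnP:info` action fails at the log rule although the unlogged form works; the fix is `... -A -m owner --cmd-owner upnpd`. Nothing in this case arm consults `OWNER_MATCH` even though it is now detected, so on a kernel without owner match the failure would surface as a raw iptables error rather than a message; a `[ -n "$OWNER_MATCH" ] || fatal_error "allowoutUPnP requires Owner Match support"` next to the `COMMAND != check` test would make that explicit. The `allowinUPnP` arm opens udp 1900 and tcp 49152 unconditionally (no source restriction beyond the zone the action is used in), which is presumably intended for a LAN-facing zone only and deserves a one-line comment saying so. The enclosing case statement of process_actions3 continues outside this hunk.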
@ -4318,7 +4417,26 @@ process_rule() # $1 = target
|
||||
|
||||
case $logtarget in
|
||||
DNAT*)
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
#
|
||||
server=${servers:=-}
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_a_rule
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -4356,7 +4474,27 @@ process_rule() # $1 = target
|
||||
;;
|
||||
*)
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
if [ -n "$XMULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||
then
|
||||
#
|
||||
# Extended MULTIPORT is enabled, and less than
|
||||
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in $(separate_list ${clients:=-}); do
|
||||
for server in $(separate_list ${servers:=-}); do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_a_rule
|
||||
done
|
||||
done
|
||||
elif [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
@ -4423,6 +4561,7 @@ process_rules()
|
||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||
if [ "$ypolicy" != NONE ] ; then
|
||||
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
fi
|
||||
fi
|
||||
@ -4448,11 +4587,11 @@ process_rules()
|
||||
continue
|
||||
fi
|
||||
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
expandv xtarget
|
||||
|
||||
case "${xtarget%%:*}" in
|
||||
@ -4469,6 +4608,7 @@ process_rules()
|
||||
xtarget=$(find_logactionchain $xtarget)
|
||||
do_it
|
||||
else
|
||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||
fatal_error "Invalid Action in rule \"$rule\""
|
||||
fi
|
||||
;;
|
||||
@ -4696,6 +4836,9 @@ policy_rules() # $1 = chain to add rules to
|
||||
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
|
||||
target=reject
|
||||
;;
|
||||
QUEUE)
|
||||
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
|
||||
;;
|
||||
CONTINUE)
|
||||
target=
|
||||
;;
|
||||
@ -4761,7 +4904,7 @@ default_policy() # $1 = client $2 = server
|
||||
# depends on the policy
|
||||
#
|
||||
case $policy in
|
||||
ACCEPT)
|
||||
ACCEPT|QUEUE)
|
||||
if [ -n "$synparams" ]; then
|
||||
#
|
||||
# To avoid double-counting SYN packets, enforce the policy
|
||||
@ -4858,7 +5001,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
||||
|
||||
[ -n "$chain" ] && { echo $chain; return; }
|
||||
|
||||
fatal_error "No appropriate chain for zone $1 to zone $2"
|
||||
fatal_error "No policy defined for zone $1 to zone $2"
|
||||
}
|
||||
|
||||
#
|
||||
@ -5039,7 +5182,15 @@ setup_masq()
|
||||
if [ $listcount -gt 1 ]; then
|
||||
case $ports in
|
||||
*:*)
|
||||
fatal_error "Port Range not allowed in list ($ports)"
|
||||
if [ -n "$XMULTIPORT" ]; then
|
||||
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
|
||||
ports="-m multiport --dports $ports"
|
||||
else
|
||||
fatal_error "More than 15 entries in port list ($ports)"
|
||||
fi
|
||||
else
|
||||
fatal_error "Port Range not allowed in list ($ports)"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$MULTIPORT" ]; then
|
||||
@ -5475,6 +5626,7 @@ save_load_kernel_modules()
|
||||
done < $modules
|
||||
|
||||
save_command __EOF__
|
||||
save_command ""
|
||||
|
||||
}
|
||||
|
||||
@ -5494,17 +5646,22 @@ determine_capabilities() {
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
XMULTIPORT=
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
|
||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
@ -5514,25 +5671,28 @@ determine_capabilities() {
|
||||
qt $IPTABLES -X fooX1234
|
||||
}
|
||||
|
||||
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
||||
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||
{
|
||||
local setting=
|
||||
|
||||
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
|
||||
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||
|
||||
echo " " $@: $setting
|
||||
echo " " $1: $setting
|
||||
}
|
||||
|
||||
report_capabilities() {
|
||||
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||
report_capability $NAT_ENABLED "NAT"
|
||||
report_capability $MANGLE_ENABLED "Packet Mangling"
|
||||
report_capability $MULTIPORT "Multi-port Match"
|
||||
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
||||
report_capability $PKTTYPE "Packet Type Match"
|
||||
report_capability $POLICY_MATCH "Policy Match"
|
||||
report_capability $PHYSDEV_MATCH "Physdev Match"
|
||||
report_capability $IPRANGE_MATCH "IP range Match"
|
||||
report_capability "NAT" $NAT_ENABLED
|
||||
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match" $MULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||
report_capability "Packet Type Match" $PKTTYPE
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
}
|
||||
|
||||
#
|
||||
@ -5551,6 +5711,10 @@ initialize_netfilter () {
|
||||
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||
fi
|
||||
|
||||
|
||||
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||
|
||||
echo "Determining Zones..."
|
||||
|
||||
determine_zones
|
||||
@ -5580,7 +5744,7 @@ initialize_netfilter () {
|
||||
run_user_exit init
|
||||
|
||||
#
|
||||
# The some files might be large so strip them while the firewall is still running
|
||||
# Some files might be large so strip them while the firewall is still running
|
||||
# (restart command). This reduces the length of time that the firewall isn't
|
||||
# accepting new connections.
|
||||
#
|
||||
@ -5623,6 +5787,16 @@ initialize_netfilter () {
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
run_user_exit continue
|
||||
|
||||
f=$(find_file routestopped)
|
||||
|
||||
echo "Processing $f ..."
|
||||
|
||||
strip_file routestopped $f
|
||||
|
||||
process_routestopped -A
|
||||
|
||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
||||
|
||||
#
|
||||
@ -5631,10 +5805,6 @@ initialize_netfilter () {
|
||||
run_iptables -A INPUT -i lo -j ACCEPT
|
||||
run_iptables -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
accounting_file=$(find_file accounting)
|
||||
|
||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||
|
||||
#
|
||||
# Allow DNS lookups during startup for FQDNs
|
||||
#
|
||||
@ -5658,6 +5828,10 @@ initialize_netfilter () {
|
||||
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
|
||||
fi
|
||||
|
||||
accounting_file=$(find_file accounting)
|
||||
|
||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||
|
||||
if [ -z "$NEWNOTSYN" ]; then
|
||||
createchain newnotsyn no
|
||||
|
||||
@ -5841,7 +6015,15 @@ add_common_rules() {
|
||||
|
||||
run_iptables -A rfc1918 -j DROP
|
||||
|
||||
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
||||
chain=norfc1918
|
||||
|
||||
if [ -n "$RFC1918_STRICT" ]; then
|
||||
#
|
||||
# We'll generate two chains - one for source and one for destination
|
||||
#
|
||||
chain=rfc1918d
|
||||
createchain $chain no
|
||||
elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
# Mangling is enabled but conntrack match isn't available --
|
||||
# create a chain in the mangle table to filter RFC1918 destination
|
||||
@ -5860,8 +6042,13 @@ add_common_rules() {
|
||||
case $target in
|
||||
logdrop)
|
||||
target=rfc1918
|
||||
s_target=rfc1918
|
||||
;;
|
||||
DROP|RETURN)
|
||||
DROP)
|
||||
s_target=DROP
|
||||
;;
|
||||
RETURN)
|
||||
[ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid target ($target) for $networks"
|
||||
@ -5869,13 +6056,13 @@ add_common_rules() {
|
||||
esac
|
||||
|
||||
for network in $(separate_list $networks); do
|
||||
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
|
||||
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
|
||||
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
# We have connection tracking match -- match on the original destination
|
||||
#
|
||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
|
||||
run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
|
||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||
#
|
||||
# No connection tracking match but we have mangling -- add a rule to
|
||||
@ -5886,6 +6073,8 @@ add_common_rules() {
|
||||
done
|
||||
done < $TMP_DIR/rfc1918
|
||||
|
||||
[ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
|
||||
|
||||
for host in $hosts; do
|
||||
ipsec=${host%^*}
|
||||
host=${host#*^}
|
||||
@ -6134,6 +6323,20 @@ add_common_rules() {
|
||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||
done
|
||||
fi
|
||||
#
|
||||
# UPnP
|
||||
#
|
||||
interfaces=$(find_interfaces_by_option upnp)
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
echo "Setting up UPnP..."
|
||||
|
||||
createnatchain UPnP
|
||||
|
||||
for interface in $interfaces; do
|
||||
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
|
||||
done
|
||||
fi
|
||||
|
||||
setup_forwarding
|
||||
}
|
||||
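Review bot: Nothing in this hunk bounds what the `UPnP` nat chain may contain: it is created empty by `createnatchain UPnP` and every packet entering an `upnp` interface is jumped into it from `-t nat PREROUTING`, so whatever later populates the chain (presumably upnpd, going by the interfaces-file text; the code here does not show it) gets unconditional control of DNAT for those interfaces ahead of any Shorewall rule. That trust boundary should be recorded in the comment block, e.g. `# The UPnP chain is filled at run time by the UPnP daemon, not by Shorewall; any DNAT it inserts is applied before the zone DNAT chains.` `NAT_ENABLED` is a detected capability but is not consulted before creating a nat-table chain; `[ -n "$NAT_ENABLED" ] || startup_error "The 'upnp' interface option requires NAT support"` ahead of `createnatchain` would fail clearly instead of at iptables. add_common_rules begins outside this hunk.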
@ -6219,7 +6422,7 @@ activate_rules()
|
||||
shift
|
||||
|
||||
if havenatchain $destchain ; then
|
||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||
run_iptables2 -t nat -A $sourcechain $@ -j $destchain
|
||||
else
|
||||
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
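Review bot: The context line `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev` invokes a command named `-rm`, which does not exist, so with bridging enabled the physdev temp file is never removed and the shell emits a "command not found" error on that path; the sibling `iprange` line directly below spells it `rm -f`. This predates the commit but is in the code being touched, and the one-character fix is `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev`. The `run_iptables` to `run_iptables2` change itself looks consistent with the other call sites in this commit; activate_rules continues outside the hunk.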
@ -6237,7 +6440,7 @@ activate_rules()
|
||||
shift
|
||||
|
||||
if havenatchain $destchain; then
|
||||
eval run_iptables -t nat -I $sourcechain \
|
||||
eval run_iptables2 -t nat -I $sourcechain \
|
||||
\$${sourcechain}_rule $@ -j $destchain
|
||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
||||
else
|
||||
@ -6245,7 +6448,7 @@ activate_rules()
|
||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
|
||||
fi
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add jumps to early SNAT chains
|
||||
@ -6297,7 +6500,7 @@ activate_rules()
|
||||
interface=${host%%:*}
|
||||
networks=${host#*:}
|
||||
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
done
|
||||
fi
|
||||
fi
|
||||
@ -6326,7 +6529,7 @@ activate_rules()
|
||||
interface=${host%%:*}
|
||||
networks=${host#*:}
|
||||
|
||||
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
||||
run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
||||
|
||||
#
|
||||
# Add jumps from the builtin chains for DNAT and SNAT rules
|
||||
@ -6334,10 +6537,10 @@ activate_rules()
|
||||
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
|
||||
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
|
||||
|
||||
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
||||
run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
||||
|
||||
if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
|
||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||
fi
|
||||
|
||||
case $networks in
|
||||
@ -6402,7 +6605,7 @@ activate_rules()
|
||||
# routeback was specified for this host group
|
||||
#
|
||||
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
|
||||
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
fi
|
||||
done
|
||||
else
|
||||
@ -6417,7 +6620,7 @@ activate_rules()
|
||||
networks1=${host1#*:}
|
||||
|
||||
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||
fi
|
||||
done
|
||||
done
|
||||
@ -6464,7 +6667,9 @@ activate_rules()
|
||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||
done
|
||||
|
||||
|
||||
process_routestopped -D
|
||||
|
||||
if [ -n "$LOGALLNEW" ]; then
|
||||
for table in mangle nat filter; do
|
||||
case $table in
|
||||
@ -6609,6 +6814,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||
|
||||
run_user_exit started
|
||||
}
|
||||
|
||||
#
|
||||
@ -7065,6 +7271,9 @@ do_initialize() {
|
||||
|
||||
export LC_ALL=C
|
||||
|
||||
# Make sure umask is sane
|
||||
umask 177
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
|
||||
#
|
||||
# Establish termination function
|
||||
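Review bot: `umask 177` gives every file the script creates mode 0600, which is sensible for the generated restore scripts and temp files (they encode the whole ruleset), but it also strips the execute bit from any directory or script created afterwards; root's CAP_DAC_OVERRIDE masks the directory case, yet a generated script would still need an explicit `chmod` before it can be executed, and this hunk does not show whether that happens. The comment should state the reason rather than just "sane", e.g. `# Everything we create (restore scripts, temp files) is readable by root only; anything that must be executable needs an explicit chmod`. If directories or executables are created later in the run, `umask 077` is the conventional value with the same confidentiality and no surprise. do_initialize continues outside the hunk.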
@ -7123,6 +7332,8 @@ do_initialize() {
|
||||
LOGTAGONLY=
|
||||
LOGALLNEW=
|
||||
DROPINVALID=
|
||||
RFC1918_STRICT=
|
||||
MACLIST_TTL=
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
@ -7318,6 +7529,13 @@ do_initialize() {
|
||||
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
|
||||
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||
|
||||
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||
fi
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -1 +1 @@
|
||||
2.2.0
|
||||
2.2.4
|
||||
|
@ -22,4 +22,7 @@
|
||||
/etc/shorewall/stop Stop Commands executed before stop
|
||||
/etc/shorewall/stopped Stopped Commands executed after stop
|
||||
/etc/shorewall/accounting Account Traffic Accounting Rules
|
||||
/etc/shorewall/netmap Netmap Network address mapping
|
||||
/etc/shorewall/actions Actions Define user actions
|
||||
/etc/shorewall/continue Continue Commands executed early in [re]start
|
||||
|
||||
|
@ -1 +1 @@
|
||||
2.0.2c
|
||||
2.2.4
|
||||
|