Update LrpN for 2.2.4 - prerelease

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2044 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-04-11 20:22:48 +00:00
parent 41fcd3cb71
commit 022b6fb625
16 changed files with 519 additions and 159 deletions


@ -0,0 +1,6 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
#


@ -167,6 +167,8 @@
# detectnets - Automatically taylors the zone named # detectnets - Automatically taylors the zone named
# in the ZONE column to include only those # in the ZONE column to include only those
# hosts routed through the interface. # hosts routed through the interface.
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
# #
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR # WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE. # INTERNET INTERFACE.

LrpN/etc/shorewall/netmap Normal file

@ -0,0 +1,38 @@
##############################################################################
#
# Shorewall 2.2 -- Network Mapping Table
#
# /etc/shorewall/netmap
#
# This file is used to map addresses in one network to corresponding
# addresses in a second network.
#
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns must be separated by white space and are:
#
# TYPE Must be DNAT or SNAT.
#
# If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the
# corresponding address in NET2.
#
# If SNAT, traffic leaving INTERFACE with a source
# address in NET1 has it's source address rewritten to
# the corresponding address in NET2.
#
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
#
# INTERFACE The name of a network interface. The interface must
# be defined in /etc/shorewall/interfaces.
#
# NET2 Network in CIDR format
#
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
##############################################################################
#TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -25,6 +25,8 @@
# DROP - Ignore the connection request # DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send # REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP. # "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past # CONTINUE - Pass the connection request past
# any other rules that it might also # any other rules that it might also
# match (where the source or destination # match (where the source or destination
@ -82,4 +84,8 @@ net all DROP ULOG
# remove the comment from the following line. # remove the comment from the following line.
#fw net ACCEPT #fw net ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT ULOG
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
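Review bot: The new QUEUE description (`# QUEUE - Send the request to a user-space application using the QUEUE target.`) does not say what the policy does when no user-space program is attached to the queue; with the QUEUE target, packets queued while nothing is reading them are dropped by the kernel, so a stopped or crashed queue handler silently turns a QUEUE policy into DROP. A line such as `# QUEUE requires ip_queue support in the kernel; packets are dropped while no user-space program is reading the queue.` would parallel the kernel-support warning the netmap file added in this same commit carries. The new `# THE FOLLOWING POLICY MUST BE LAST` comment above the catch-all `all all REJECT ULOG` would also be more useful if it said why, presumably that any policy placed after it can never be reached.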


@ -5,7 +5,8 @@
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
# This file is used to define the hosts that are accessible when the # This file is used to define the hosts that are accessible when the
# firewall is stopped # firewall is stopped or when it is in the process of being
# [re]started.
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
# #


@ -188,14 +188,20 @@
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# "all". # a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be


@ -1,5 +1,5 @@
############################################################################## ##############################################################################
# /shorewall/shorewall.conf V2.2 - Change the following variables to # /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
# match your setup # match your setup
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -23,6 +23,11 @@ STARTUP_ENABLED=No
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value. # in this file have log levels as their value.
# #
# These levels are defined by syslog and are used to determine the destination
# of the messages through entries in /etc/syslog.conf (5). The syslog
# documentation refers to these as "priorities"; Netfilter calls them "levels"
# and Shorewall also uses that term.
#
# Valid levels are: # Valid levels are:
# #
# 7 debug # 7 debug
@ -44,8 +49,10 @@ STARTUP_ENABLED=No
# specify a log level of ULOG (must be all caps). Rather than log its # specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages # messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'. # via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be # ulogd is available with most Linux distributions (although it probably isn't
# configured to log all Shorewall message to their own log file # installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################ ################################################################################
# #
# LOG FILE LOCATION # LOG FILE LOCATION
@ -544,7 +551,7 @@ MUTEX_TIMEOUT=60
# A packet is said to be NEW if it is not part of or related to an already # A packet is said to be NEW if it is not part of or related to an already
# established connection. # established connection.
# #
# The NETNOTSYN option determines the handling of non-SYN packets (those with # The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already # SYN off or with ACK or RST on) that are not associated with an already
# established connection. # established connection.
# #
@ -692,7 +699,7 @@ DYNAMIC_ZONES=No
# USE PKTTYPE MATCH # USE PKTTYPE MATCH
# #
# Some users have reported problems with the PKTTYPE match extension not being # Some users have reported problems with the PKTTYPE match extension not being
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall # able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given # will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed. # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
@ -732,6 +739,58 @@ PKTTYPE=Yes
# DROPINVALID=Yes is assumed. # DROPINVALID=Yes is assumed.
DROPINVALID=No DROPINVALID=No
#
# RFC 1918 BEHAVIOR
#
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
# processing to cease for a packet if the packet's source IP address matches
# the rule. Thus, if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
# since while the packet's source matches the RETURN rule, the packet's
# destination matches the 'logdrop' rule.
#
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
# RFC1918_STRICT=No is assumed.
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match.
RFC1918_STRICT=No
#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
MACLIST_TTL=
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
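Review bot: The MACLIST_TTL text (from `# When a new connection arrives from a 'maclist' interface` to `# the entire list.`) documents the cache as an overhead reduction but not its security consequence: once a source IP is in the 'Recent' set, later connections from that IP are accepted on the IP alone, so for the cached period a different MAC presenting that IP is not checked against /etc/shorewall/maclist. The text also says re-verification happens MACLIST_TTL seconds "from the first accepted connection request", but the setup_mac_lists change in this commit sends cached hits through a chain that runs `-m recent --update` before accepting; if that refreshes the entry's timestamp, as the recent match normally does, the window is measured from the last accepted connection and a continuously active host is never re-verified. I would add `# NOTE: while an address is cached, connections from it are accepted without a MAC check; keep the TTL short on untrusted segments.` and reword the "from the first accepted connection request" sentence to match whichever behaviour is intended. The parenthesis opened in `# (e.g, MACLIST_TTL="" or is specified as zero` is never closed.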


@ -41,7 +41,7 @@
# C - Mark the connection in the chain determined # C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN # by the setting of MARK_IN_FORWARD_CHAIN
# #
# CF: Mark the conneciton in the FORWARD chain # CF: Mark the connection in the FORWARD chain
# #
# CP: Mark the connection in the PREROUTING chain. # CP: Mark the connection in the PREROUTING chain.
# #
@ -80,7 +80,8 @@
# allowed. Use $FW if the packet originates on # allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT # the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs # specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). # in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
# #
# MAC addresses must be prefixed with "~" and use # MAC addresses must be prefixed with "~" and use
# "-" as a separator. # "-" as a separator.


@ -4,7 +4,7 @@
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
# #
# This file should be placed in /sbin/shorewall. # This file should be placed in /sbin/shorewall.
# #
@ -220,6 +220,13 @@ get_config() {
} }
#
# Clear descriptor 1 if it is a terminal
#
clear_term() {
[ -t 1 ] && clear
}
# #
# Display IPTABLES rules -- we used to store them in a variable but ash # Display IPTABLES rules -- we used to store them in a variable but ash
# dies when trying to display large sets of rules # dies when trying to display large sets of rules
@ -238,7 +245,7 @@ display_chains()
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE $IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo "Standard Chains" echo "Standard Chains"
@ -250,7 +257,7 @@ display_chains()
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -268,7 +275,7 @@ display_chains()
for zone in $zones; do for zone in $zones; do
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -287,7 +294,7 @@ display_chains()
fi fi
done done
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -308,7 +315,7 @@ display_chains()
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
firstchain=Yes firstchain=Yes
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do while true; do
display_chains display_chains
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timed_read timed_read
fi fi
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo "NAT Status" echo "NAT Status"
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
$IPTABLES -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_tc show_tc
timed_read timed_read
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
echo echo
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
qt which awk && haveawk=Yes || haveawk= qt which awk && haveawk=Yes || haveawk=
while true; do while true; do
clear clear_term
echo "$banner $(date)" echo "$banner $(date)"
echo echo
@ -960,7 +967,7 @@ case "$1" in
status) status)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
clear clear_term
echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
@ -1007,18 +1014,30 @@ case "$1" in
done done
done done
echo if [ -n "$(ip rule ls)" ]; then
echo "Routing Rules"
echo
ip rule ls
ip rule ls | while read rule; do
table=${rule##* }
echo echo
echo "Table $table:" echo "Routing Rules"
echo echo
ip route ls table $table ip rule ls
done ip rule ls | while read rule; do
table=${rule##* }
echo
echo "Table $table:"
echo
ip route ls table $table
done
else
echo
echo "Routing Table"
echo
ip route ls
fi
echo
echo "ARP"
echo
arp -na
if qt which lsmod; then if qt which lsmod; then
echo echo
echo "Modules" echo "Modules"
@ -1029,7 +1048,7 @@ case "$1" in
hits) hits)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
clear clear_term
echo "Shorewall-$version Hits at $HOSTNAME - $(date)" echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo echo
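Review bot: In the status hunk the new `arp -na` call is unguarded, whereas the `lsmod` call right below it is wrapped in `qt which lsmod`; on a host without the net-tools `arp` binary the status output would end in a command-not-found error, and `ip neigh show` from the iproute2 package the same hunk already depends on (`ip rule ls`, `ip route ls`) prints the same table without the extra dependency. The loop `ip rule ls | while read rule; do table=${rule##* }` takes the last word of every rule line as a table name, which is right for `lookup <table>` rules but may misread rules whose line ends in another keyword, so a `case "$rule" in *lookup*)` filter or at least a `# assumes each rule line ends with the table name` comment would help; `read -r rule` also avoids backslash processing. Separately, `clear_term` is `[ -t 1 ] && clear`, so it returns 1 whenever descriptor 1 is not a terminal; harmless for the callers in this commit, but `if [ -t 1 ]; then clear; fi` makes that intent explicit and keeps the function's status clean.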


@ -1,5 +1,5 @@
# #
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs # Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
# #
# ACCEPT needed ICMP types # ACCEPT needed ICMP types
# #


@ -6,6 +6,6 @@
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP # PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 5631 ACCEPT - - udp 5632
ACCEPT - - tcp 5632 ACCEPT - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,15 +6,16 @@
# #
# allowBcast #Silently Allow Broadcast/multicast # allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast # dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets # dropNotSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets # rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID # dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state. # #conntrack state.
# allowInvalid #Accept packets that are in the INVALID # allowInvalid #Accept packets that are in the INVALID
# #conntrack state. # #conntrack state.
# # allowoutUPnP #Allow traffic from local command 'upnpd'
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in # allowinUPnP #Allow UPnP inbound (to firewall) traffic
# shorewall.conf. If that option isn't specified then 'info' is used. # forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
# #
#ACTION #ACTION


@ -30,7 +30,7 @@
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
# shorewall reset Resets iptabless packet and # shorewall reset Resets iptables packet and
# byte counts # byte counts
# shorewall clear Remove all Shorewall chains # shorewall clear Remove all Shorewall chains
# and rules/policies. # and rules/policies.
@ -464,6 +464,11 @@ mac_chain() # $1 = interface
echo $(chain_base $1)_mac echo $(chain_base $1)_mac
} }
macrecent_target() # $1 - interface
{
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
}
# #
# Functions for creating dynamic zone rules # Functions for creating dynamic zone rules
# #
@ -932,7 +937,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-) dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
;; ;;
detectnets) detectnets)
[ -n "$wildcard" ] && \ [ -n "$wildcard" ] && \
@ -1095,7 +1100,7 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE) ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
;; ;;
NONE) NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \ [ "$client" = "$FW" -o "$server" = "$FW" ] && \
@ -1303,10 +1308,22 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in case $level in
ULOG) ULOG)
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" if ! $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ; then
if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix \"$prefix\"\" Failed"
stop_firewall
exit 2
fi
fi
;; ;;
*) *)
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" if ! $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"; then
if [ -z "$stopping" ]; then
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix \"$prefix\"\" Failed"
stop_firewall
exit 2
fi
fi
;; ;;
esac esac
@ -1378,6 +1395,58 @@ disable_ipv6_1() {
fi fi
} }
#
# Process the routestopped file either adding or deleting rules
#
process_routestopped() # $1 = command
{
local hosts= interface host host1 options networks
while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
error_message "Warning: Duplicate routestopped option ignored: routeback"
else
routeback=Yes
for h in $(separate_list $host); do
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
*)
error_message "Warning: Unknown routestopped option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
done
}
# #
# Stop the Firewall # Stop the Firewall
# #
@ -1453,50 +1522,9 @@ stop_firewall() {
hosts= hosts=
strip_file routestopped [ -f $TMP_DIR/routestopped ] || strip_file routestopped
while read interface host options; do process_routestopped -A
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n "$options" ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
error_message "Warning: Duplicate option ignored: routeback"
else
routeback=Yes
for h in $(separate_list $host); do
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
*)
error_message "Warning: Unknown option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
done
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
@ -1977,6 +2005,7 @@ setup_mac_lists() {
local addresses local addresses
local address local address
local chain local chain
local chain1
local macpart local macpart
local blob local blob
local hosts local hosts
@ -2001,10 +2030,19 @@ setup_mac_lists() {
progress_message "Setting up MAC Verification on $maclist_interfaces..." progress_message "Setting up MAC Verification on $maclist_interfaces..."
# #
# Be sure that they are all ethernet interfaces # Create chains.
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
createchain $(mac_chain $interface) no chain=$(mac_chain $interface)
createchain $chain no
if [ -n "$MACLIST_TTL" ]; then
chain1=$(macrecent_target $interface)
createchain $chain1 no
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
fi
done done
# #
# Process the maclist file producing the verification rules # Process the maclist file producing the verification rules
@ -2024,6 +2062,7 @@ setup_mac_lists() {
fi fi
chain=$(mac_chain $interface) chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
if ! havechain $chain ; then if ! havechain $chain ; then
fatal_error "No hosts on $interface have the maclist option specified" fatal_error "No hosts on $interface have the maclist option specified"
@ -2032,10 +2071,10 @@ setup_mac_lists() {
macpart=$(mac_match $mac) macpart=$(mac_match $mac)
if [ -z "$addresses" ]; then if [ -z "$addresses" ]; then
run_iptables -A $chain $macpart $physdev_part -j RETURN run_iptables -A $chain $macpart $physdev_part -j $chain1
else else
for address in $(separate_list $addresses) ; do for address in $(separate_list $addresses) ; do
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
done done
fi fi
done < $TMP_DIR/maclist done < $TMP_DIR/maclist
@ -2045,6 +2084,7 @@ setup_mac_lists() {
# #
for interface in $maclist_interfaces; do for interface in $maclist_interfaces; do
chain=$(mac_chain $interface) chain=$(mac_chain $interface)
chain1=$(macrecent_target $interface)
blob=$(ip link show $interface 2> /dev/null) blob=$(ip link show $interface 2> /dev/null)
@ -2053,11 +2093,11 @@ setup_mac_lists() {
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
if [ -n "$broadcast" ]; then if [ -n "$broadcast" ]; then
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
fi fi
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
done done
if [ -n "$MACLIST_LOG_LEVEL" ]; then if [ -n "$MACLIST_LOG_LEVEL" ]; then
@ -2333,16 +2373,19 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
*.*.*) *.*.*)
r="-s $source " r="$(source_ip_range $source) "
;; ;;
~*) ~*)
r="$(mac_match $source) " r="$(mac_match $source) "
;; ;;
$FW:*)
chain=tcout
r="$(source_ip_range ${source%:*}) "
;;
$FW) $FW)
chain=tcout chain=tcout
;; ;;
*) *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source " r="$(match_source_dev) $source "
;; ;;
@ -2376,6 +2419,7 @@ process_tc_rule()
r="${r}$(dest_ip_range $dest) " r="${r}$(dest_ip_range $dest) "
;; ;;
*) *)
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) " r="${r}$(match_dest_dev $dest) "
;; ;;
esac esac
@ -2763,13 +2807,14 @@ check_config() {
disclaimer() { disclaimer() {
echo echo
echo "Notice: The 'check' command is unsupported and problem" echo "Notice: The 'check' command is provided to catch"
echo " reports complaining about errors that it didn't catch" echo " obvious errors in a Shorewall configuration."
echo " will not be accepted" echo " It is not designed to catch all possible errors"
echo " so please don't submit problem reports about"
echo " error conditions that 'check' doesn't find"
echo echo
} }
disclaimer
report_capabilities report_capabilities
@ -3148,7 +3193,27 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all} [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_an_action
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -3242,7 +3307,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
createchain $CHAIN No createchain $CHAIN No
LEVEL=${level%:*} LEVEL=${level%:*}
TAG=${level#*:} if [ "$LEVEL" != "$level" ]; then
TAG=${level#*:}
else
TAG=
fi
run_user_exit $1 run_user_exit $1
fi fi
@ -3404,7 +3473,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
# #
process_actions1() { process_actions1() {
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid" ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
USEDACTIONS= USEDACTIONS=
strip_file actions strip_file actions
@ -3421,14 +3491,14 @@ process_actions1() {
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp" [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
xaction=${xaction%:*} xaction=${xaction%:*}
case $temp in case $temp in
ACCEPT|REJECT|DROP) ACCEPT|REJECT|DROP|QUEUE)
eval ${temp}_common=$xaction eval ${temp}_common=$xaction
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $xaction" USEDACTIONS="$USEDACTIONS $xaction"
fi fi
;; ;;
*) *)
startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT" startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
;; ;;
esac esac
esac esac
@ -3475,6 +3545,15 @@ process_actions1() {
process_actions2() { process_actions2() {
local interfaces="$(find_interfaces_by_option upnp)"
if [ -n "$interfaces" ]; then
if ! list_search forwardUPnP $USEDACTIONS; then
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
USEDACTIONS="$USEDACTIONS forwardUPnP"
fi
fi
progress_message " Generating Transitive Closure of Used-action List..." progress_message " Generating Transitive Closure of Used-action List..."
changed=Yes changed=Yes
@ -3533,8 +3612,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3548,7 +3627,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3565,8 +3644,8 @@ process_actions3() {
;; ;;
*) *)
if [ -n "$xlevel" ]; then if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
fi fi
;; ;;
esac esac
@ -3580,7 +3659,7 @@ process_actions3() {
;; ;;
*) *)
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
;; ;;
esac esac
@ -3594,38 +3673,58 @@ process_actions3() {
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
dropNotSyn) dropNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j DROP run_iptables -A $xchain -p tcp ! --syn -j DROP
fi fi
;; ;;
rejNotSyn) rejNotSyn)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
fi fi
;; ;;
dropInvalid) dropInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j DROP run_iptables -A $xchain -m state --state INVALID -j DROP
fi fi
;; ;;
allowInvalid) allowInvalid)
if [ "$COMMAND" != check ]; then if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \ [ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
run_iptables -A $xchain -m state --state INVALID -j ACCEPT run_iptables -A $xchain -m state --state INVALID -j ACCEPT
fi fi
;; ;;
forwardUPnP)
;;
allowinUPnP)
if [ "$COMMAND" != check ]; then
if [ -n "$xlevel" ]; then
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
fi
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
fi
;;
allowoutUPnP)
if [ "$COMMAND" != check ]; then
[ -n "$xlevel" ] && \
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
fi
;;
*) *)
# #
# Not a builtin # Not a builtin
@ -4318,7 +4417,26 @@ process_rule() # $1 = target
case $logtarget in case $logtarget in
DNAT*) DNAT*)
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
server=${servers:=-}
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -4356,7 +4474,27 @@ process_rule() # $1 = target
;; ;;
*) *)
if [ -n "$MULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
then
#
# Extended MULTIPORT is enabled, and less than
# 16 ports are listed (port ranges count as two ports) - use multiport match.
#
multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
done
elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ "$ports" = "${ports%:*}" -a \ [ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -4423,6 +4561,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" ] ; then if [ "${ysourcezone}" != "${ydestzone}" ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ] ; then if [ "$ypolicy" != NONE ] ; then
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
fi fi
fi fi
@ -4448,11 +4587,11 @@ process_rules()
continue continue
fi fi
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
expandv xtarget expandv xtarget
case "${xtarget%%:*}" in case "${xtarget%%:*}" in
@ -4469,6 +4608,7 @@ process_rules()
xtarget=$(find_logactionchain $xtarget) xtarget=$(find_logactionchain $xtarget)
do_it do_it
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
fi fi
;; ;;
@ -4696,6 +4836,9 @@ policy_rules() # $1 = chain to add rules to
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
target=reject target=reject
;; ;;
QUEUE)
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
;;
CONTINUE) CONTINUE)
target= target=
;; ;;
@ -4761,7 +4904,7 @@ default_policy() # $1 = client $2 = server
# depends on the policy # depends on the policy
# #
case $policy in case $policy in
ACCEPT) ACCEPT|QUEUE)
if [ -n "$synparams" ]; then if [ -n "$synparams" ]; then
# #
# To avoid double-counting SYN packets, enforce the policy # To avoid double-counting SYN packets, enforce the policy
@ -4858,7 +5001,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
[ -n "$chain" ] && { echo $chain; return; } [ -n "$chain" ] && { echo $chain; return; }
fatal_error "No appropriate chain for zone $1 to zone $2" fatal_error "No policy defined for zone $1 to zone $2"
} }
# #
@ -5039,7 +5182,15 @@ setup_masq()
if [ $listcount -gt 1 ]; then if [ $listcount -gt 1 ]; then
case $ports in case $ports in
*:*) *:*)
fatal_error "Port Range not allowed in list ($ports)" if [ -n "$XMULTIPORT" ]; then
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
ports="-m multiport --dports $ports"
else
fatal_error "More than 15 entries in port list ($ports)"
fi
else
fatal_error "Port Range not allowed in list ($ports)"
fi
;; ;;
*) *)
if [ -n "$MULTIPORT" ]; then if [ -n "$MULTIPORT" ]; then
@ -5475,6 +5626,7 @@ save_load_kernel_modules()
done < $modules done < $modules
save_command __EOF__ save_command __EOF__
save_command ""
} }
@ -5494,17 +5646,22 @@ determine_capabilities() {
CONNTRACK_MATCH= CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
XMULTIPORT=
POLICY_MATCH= POLICY_MATCH=
PHYSDEV_MATCH= PHYSDEV_MATCH=
IPRANGE_MATCH= IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
if [ -n "$PKTTYPE" ]; then if [ -n "$PKTTYPE" ]; then
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@ -5514,25 +5671,28 @@ determine_capabilities() {
qt $IPTABLES -X fooX1234 qt $IPTABLES -X fooX1234
} }
report_capability() # $1 = Capability Name, $2 Capability Setting (if any) report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
{ {
local setting= local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available" [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
echo " " $@: $setting echo " " $1: $setting
} }
report_capabilities() { report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:" echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT" report_capability "NAT" $NAT_ENABLED
report_capability $MANGLE_ENABLED "Packet Mangling" report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability $MULTIPORT "Multi-port Match" report_capability "Multi-port Match" $MULTIPORT
report_capability $CONNTRACK_MATCH "Connection Tracking Match" [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability $PKTTYPE "Packet Type Match" report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability $POLICY_MATCH "Policy Match" report_capability "Packet Type Match" $PKTTYPE
report_capability $PHYSDEV_MATCH "Physdev Match" report_capability "Policy Match" $POLICY_MATCH
report_capability $IPRANGE_MATCH "IP range Match" report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
} }
# #
@ -5551,6 +5711,10 @@ initialize_netfilter () {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi fi
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
@ -5580,7 +5744,7 @@ initialize_netfilter () {
run_user_exit init run_user_exit init
# #
# The some files might be large so strip them while the firewall is still running # Some files might be large so strip them while the firewall is still running
# (restart command). This reduces the length of time that the firewall isn't # (restart command). This reduces the length of time that the firewall isn't
# accepting new connections. # accepting new connections.
# #
@ -5623,6 +5787,16 @@ initialize_netfilter () {
setcontinue INPUT setcontinue INPUT
setcontinue OUTPUT setcontinue OUTPUT
run_user_exit continue
f=$(find_file routestopped)
echo "Processing $f ..."
strip_file routestopped $f
process_routestopped -A
[ -n "$DISABLE_IPV6" ] && disable_ipv6 [ -n "$DISABLE_IPV6" ] && disable_ipv6
# #
@ -5631,10 +5805,6 @@ initialize_netfilter () {
run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT
accounting_file=$(find_file accounting)
[ -f $accounting_file ] && setup_accounting $accounting_file
# #
# Allow DNS lookups during startup for FQDNs # Allow DNS lookups during startup for FQDNs
# #
@ -5658,6 +5828,10 @@ initialize_netfilter () {
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
fi fi
accounting_file=$(find_file accounting)
[ -f $accounting_file ] && setup_accounting $accounting_file
if [ -z "$NEWNOTSYN" ]; then if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
@ -5841,7 +6015,15 @@ add_common_rules() {
run_iptables -A rfc1918 -j DROP run_iptables -A rfc1918 -j DROP
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then chain=norfc1918
if [ -n "$RFC1918_STRICT" ]; then
#
# We'll generate two chains - one for source and one for destination
#
chain=rfc1918d
createchain $chain no
elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
# #
# Mangling is enabled but conntrack match isn't available -- # Mangling is enabled but conntrack match isn't available --
# create a chain in the mangle table to filter RFC1918 destination # create a chain in the mangle table to filter RFC1918 destination
@ -5860,8 +6042,13 @@ add_common_rules() {
case $target in case $target in
logdrop) logdrop)
target=rfc1918 target=rfc1918
s_target=rfc1918
;; ;;
DROP|RETURN) DROP)
s_target=DROP
;;
RETURN)
[ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
;; ;;
*) *)
fatal_error "Invalid target ($target) for $networks" fatal_error "Invalid target ($target) for $networks"
@ -5869,13 +6056,13 @@ add_common_rules() {
esac esac
for network in $(separate_list $networks); do for network in $(separate_list $networks); do
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
if [ -n "$CONNTRACK_MATCH" ]; then if [ -n "$CONNTRACK_MATCH" ]; then
# #
# We have connection tracking match -- match on the original destination # We have connection tracking match -- match on the original destination
# #
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
elif [ -n "$MANGLE_ENABLED" ]; then elif [ -n "$MANGLE_ENABLED" ]; then
# #
# No connection tracking match but we have mangling -- add a rule to # No connection tracking match but we have mangling -- add a rule to
@ -5886,6 +6073,8 @@ add_common_rules() {
done done
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
[ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
for host in $hosts; do for host in $hosts; do
ipsec=${host%^*} ipsec=${host%^*}
host=${host#*^} host=${host#*^}
@ -6134,6 +6323,20 @@ add_common_rules() {
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done done
fi fi
#
# UPnP
#
interfaces=$(find_interfaces_by_option upnp)
if [ -n "$interfaces" ]; then
echo "Setting up UPnP..."
createnatchain UPnP
for interface in $interfaces; do
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
done
fi
setup_forwarding setup_forwarding
} }
@ -6219,7 +6422,7 @@ activate_rules()
shift shift
if havenatchain $destchain ; then if havenatchain $destchain ; then
run_iptables -t nat -A $sourcechain $@ -j $destchain run_iptables2 -t nat -A $sourcechain $@ -j $destchain
else else
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
@ -6237,7 +6440,7 @@ activate_rules()
shift shift
if havenatchain $destchain; then if havenatchain $destchain; then
eval run_iptables -t nat -I $sourcechain \ eval run_iptables2 -t nat -I $sourcechain \
\$${sourcechain}_rule $@ -j $destchain \$${sourcechain}_rule $@ -j $destchain
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
else else
@ -6245,7 +6448,7 @@ activate_rules()
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi fi
} }
# #
# Add jumps to early SNAT chains # Add jumps to early SNAT chains
@ -6297,7 +6500,7 @@ activate_rules()
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
done done
fi fi
fi fi
@ -6326,7 +6529,7 @@ activate_rules()
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
# #
# Add jumps from the builtin chains for DNAT and SNAT rules # Add jumps from the builtin chains for DNAT and SNAT rules
@ -6334,10 +6537,10 @@ activate_rules()
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
fi fi
case $networks in case $networks in
@ -6402,7 +6605,7 @@ activate_rules()
# routeback was specified for this host group # routeback was specified for this host group
# #
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi fi
done done
else else
@ -6417,7 +6620,7 @@ activate_rules()
networks1=${host1#*:} networks1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
fi fi
done done
done done
@ -6464,7 +6667,9 @@ activate_rules()
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
process_routestopped -D
if [ -n "$LOGALLNEW" ]; then if [ -n "$LOGALLNEW" ]; then
for table in mangle nat filter; do for table in mangle nat filter; do
case $table in case $table in
@ -6609,6 +6814,7 @@ define_firewall() # $1 = Command (Start or Restart)
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
run_user_exit started
} }
# #
@ -7065,6 +7271,9 @@ do_initialize() {
export LC_ALL=C export LC_ALL=C
# Make sure umask is sane
umask 177
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
# #
# Establish termination function # Establish termination function
@ -7123,6 +7332,8 @@ do_initialize() {
LOGTAGONLY= LOGTAGONLY=
LOGALLNEW= LOGALLNEW=
DROPINVALID= DROPINVALID=
RFC1918_STRICT=
MACLIST_TTL=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -7318,6 +7529,13 @@ do_initialize() {
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
fi
# #
# Strip the files that we use often # Strip the files that we use often
# #


@ -1 +1 @@
2.2.0 2.2.4


@ -22,4 +22,7 @@
/etc/shorewall/stop Stop Commands executed before stop /etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop /etc/shorewall/stopped Stopped Commands executed after stop
/etc/shorewall/accounting Account Traffic Accounting Rules /etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/netmap Netmap Network address mapping
/etc/shorewall/actions Actions Define user actions /etc/shorewall/actions Actions Define user actions
/etc/shorewall/continue Continue Commands executed early in [re]start


@ -1 +1 @@
2.0.2c 2.2.4