Update LrpN for 2.2.4 - prerelease
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2044 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
41fcd3cb71
commit
022b6fb625
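--- a/LrpN/etc/shorewall/continue
+++ b/LrpN/etc/shorewall/continue
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.2 -- /etc/shorewall/continue
+#
+# Add commands below that you want to be executed after shorewall has
+# cleared any existing Netfilter rules and has enabled existing connections.
+#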
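Review bot: The header says when the commands in this file run but not with what authority: as I understand Shorewall's extension-script mechanism, this file is sourced by the firewall script at start time, so anything placed here executes as root, and a copy that is group- or world-writable becomes a straightforward privilege-escalation path. A line after "has enabled existing connections.", `# Commands here run as root: keep this file root-owned and not group/world writable.`, would make that explicit to whoever edits it.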
@ -167,6 +167,8 @@
|
|||||||
# detectnets - Automatically taylors the zone named
|
# detectnets - Automatically taylors the zone named
|
||||||
# in the ZONE column to include only those
|
# in the ZONE column to include only those
|
||||||
# hosts routed through the interface.
|
# hosts routed through the interface.
|
||||||
|
# upnp - Incoming requests from this interface may
|
||||||
|
# be remapped via UPNP (upnpd).
|
||||||
#
|
#
|
||||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||||
# INTERNET INTERFACE.
|
# INTERNET INTERFACE.
|
||||||
|
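Review bot: The new `upnp` option text ("Incoming requests from this interface may be remapped via UPNP (upnpd)") carries no warning comparable to the one given for `detectnets` just below it, although it lets any host on that interface ask upnpd to open inbound mappings through the firewall. I would add, after "be remapped via UPNP (upnpd).", `#` / `# WARNING: Do not set upnp on an interface carrying untrusted hosts;` / `# any host there can request port redirections through upnpd.` Whether upnpd itself restricts who may request a mapping is not visible here, so the wording should be checked against its configuration. The option list this sits in starts and ends outside the hunk.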
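--- a/LrpN/etc/shorewall/netmap
+++ b/LrpN/etc/shorewall/netmap
@@ -0,0 +1,38 @@
+##############################################################################
+#
+# Shorewall 2.2 -- Network Mapping Table
+#
+# /etc/shorewall/netmap
+#
+# This file is used to map addresses in one network to corresponding
+# addresses in a second network.
+#
+# WARNING: To use this file, your kernel and iptables must have
+# NETMAP support included.
+#
+# Columns must be separated by white space and are:
+#
+# TYPE Must be DNAT or SNAT.
+#
+# If DNAT, traffic entering INTERFACE and addressed to
+# NET1 has it's destination address rewritten to the
+# corresponding address in NET2.
+#
+# If SNAT, traffic leaving INTERFACE with a source
+# address in NET1 has it's source address rewritten to
+# the corresponding address in NET2.
+#
+# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
+#
+# INTERFACE The name of a network interface. The interface must
+# be defined in /etc/shorewall/interfaces.
+#
+# NET2 Network in CIDR format
+#
+# See http://shorewall.net/netmap.html for an example and usage
+# information.
+#
+##############################################################################
+#TYPE NET1 INTERFACE NET2
+#
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE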
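Review bot: The TYPE description twice writes "has it's destination address" and "has it's source address" where the possessive "its" is meant. More usefully, the file never states the relationship NETMAP needs between NET1 and NET2; as far as I know the NETMAP target keeps the host part of the address and rewrites only the network part, so the two networks must have the same prefix length, and a line under the NET2 column such as `# NET1 and NET2 must have the same prefix length (e.g., both /24).` would save users a mapping that does not do what they expect. That claim should be checked against the netfilter NETMAP documentation before it goes in.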
@ -25,6 +25,8 @@
|
|||||||
# DROP - Ignore the connection request
|
# DROP - Ignore the connection request
|
||||||
# REJECT - For TCP, send RST. For all other, send
|
# REJECT - For TCP, send RST. For all other, send
|
||||||
# "port unreachable" ICMP.
|
# "port unreachable" ICMP.
|
||||||
|
# QUEUE - Send the request to a user-space
|
||||||
|
# application using the QUEUE target.
|
||||||
# CONTINUE - Pass the connection request past
|
# CONTINUE - Pass the connection request past
|
||||||
# any other rules that it might also
|
# any other rules that it might also
|
||||||
# match (where the source or destination
|
# match (where the source or destination
|
||||||
@ -82,4 +84,8 @@ net all DROP ULOG
|
|||||||
# remove the comment from the following line.
|
# remove the comment from the following line.
|
||||||
#fw net ACCEPT
|
#fw net ACCEPT
|
||||||
|
|
||||||
|
#
|
||||||
|
# THE FOLLOWING POLICY MUST BE LAST
|
||||||
|
#
|
||||||
|
all all REJECT ULOG
|
||||||
#LAST LINE -- DO NOT REMOVE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
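Review bot: The new `all all REJECT ULOG` default (like the `net all DROP ULOG` it sits under) sends every policy hit to the ULOG target, while the shorewall.conf change in this same commit says ulogd "probably isn't installed by default"; without a running ulogd those messages go nowhere, so rejected traffic on a fresh LrpN install is simply invisible. Consider shipping `all all REJECT info` instead, or at least a comment above the policy, `# ULOG needs a running ulogd; use 'info' to log through syslog instead.` The QUEUE description added earlier in this file ("Send the request to a user-space application using the QUEUE target") should also say what happens when no application has bound the queue; to my knowledge the kernel drops such packets, so a QUEUE policy with nothing listening behaves as DROP, which is worth confirming and stating.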
@ -5,7 +5,8 @@
|
|||||||
# /etc/shorewall/routestopped
|
# /etc/shorewall/routestopped
|
||||||
#
|
#
|
||||||
# This file is used to define the hosts that are accessible when the
|
# This file is used to define the hosts that are accessible when the
|
||||||
# firewall is stopped
|
# firewall is stopped or when it is in the process of being
|
||||||
|
# [re]started.
|
||||||
#
|
#
|
||||||
# Columns must be separated by white space and are:
|
# Columns must be separated by white space and are:
|
||||||
#
|
#
|
||||||
|
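Review bot: Widening the description to "stopped or when it is in the process of being [re]started" makes it more important that the file says what access the listed hosts actually get: the process_routestopped code in this commit ACCEPTs everything from them in INPUT and between any two listed hosts in FORWARD, and treats an empty or `-` HOST(S) column as 0.0.0.0/0 for the whole interface. I would add after "[re]started.": `# Hosts listed here are accepted without further filtering while the` / `# firewall is stopped or restarting; an empty or '-' HOST(S) column means` / `# every host on that interface, so never list the Internet interface alone.` The column description that follows lies outside the hunk.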
@ -188,14 +188,20 @@
|
|||||||
# contain the port number on the firewall that the
|
# contain the port number on the firewall that the
|
||||||
# request should be redirected to.
|
# request should be redirected to.
|
||||||
#
|
#
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
# "all".
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
#
|
#
|
||||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
# names (from /etc/services), port numbers or port
|
# names (from /etc/services), port numbers or port
|
||||||
# ranges; if the protocol is "icmp", this column is
|
# ranges; if the protocol is "icmp", this column is
|
||||||
# interpreted as the destination icmp-type(s).
|
# interpreted as the destination icmp-type(s).
|
||||||
#
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example "bit"
|
||||||
|
# for bit-torrent). If no port is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
# A port range is expressed as <low port>:<high port>.
|
# A port range is expressed as <low port>:<high port>.
|
||||||
#
|
#
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
|
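Review bot: The new PROTO text lists `ipp2p` alongside tcp/udp/icmp without saying that it is a payload-signature match rather than a protocol; as far as I know ipp2p classifies by pattern and can both miss and misidentify traffic, so it is fit for DROP/REJECT or rate-limit rules but should not be used to ACCEPT traffic that a stricter rule would otherwise block. A sentence after "support in your kernel and iptables.", `# ipp2p matching is heuristic; use it to restrict traffic, never to permit it.`, would set expectations. The column description continues outside the hunk.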
@ -1,5 +1,5 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
# /shorewall/shorewall.conf V2.2 - Change the following variables to
|
# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
|
||||||
# match your setup
|
# match your setup
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
@ -23,6 +23,11 @@ STARTUP_ENABLED=No
|
|||||||
# to syslog (8) the importance of a message and a number of parameters
|
# to syslog (8) the importance of a message and a number of parameters
|
||||||
# in this file have log levels as their value.
|
# in this file have log levels as their value.
|
||||||
#
|
#
|
||||||
|
# These levels are defined by syslog and are used to determine the destination
|
||||||
|
# of the messages through entries in /etc/syslog.conf (5). The syslog
|
||||||
|
# documentation refers to these as "priorities"; Netfilter calls them "levels"
|
||||||
|
# and Shorewall also uses that term.
|
||||||
|
#
|
||||||
# Valid levels are:
|
# Valid levels are:
|
||||||
#
|
#
|
||||||
# 7 debug
|
# 7 debug
|
||||||
@ -44,8 +49,10 @@ STARTUP_ENABLED=No
|
|||||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
# ulogd is available with most Linux distributions (although it probably isn't
|
||||||
# configured to log all Shorewall message to their own log file
|
# installed by default). Ulogd is also available from
|
||||||
|
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
|
||||||
|
# Shorewall message to their own log file
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# LOG FILE LOCATION
|
# LOG FILE LOCATION
|
||||||
@ -544,7 +551,7 @@ MUTEX_TIMEOUT=60
|
|||||||
# A packet is said to be NEW if it is not part of or related to an already
|
# A packet is said to be NEW if it is not part of or related to an already
|
||||||
# established connection.
|
# established connection.
|
||||||
#
|
#
|
||||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
|
||||||
# SYN off or with ACK or RST on) that are not associated with an already
|
# SYN off or with ACK or RST on) that are not associated with an already
|
||||||
# established connection.
|
# established connection.
|
||||||
#
|
#
|
||||||
@ -692,7 +699,7 @@ DYNAMIC_ZONES=No
|
|||||||
# USE PKTTYPE MATCH
|
# USE PKTTYPE MATCH
|
||||||
#
|
#
|
||||||
# Some users have reported problems with the PKTTYPE match extension not being
|
# Some users have reported problems with the PKTTYPE match extension not being
|
||||||
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
|
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||||
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
||||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||||
|
|
||||||
@ -732,6 +739,58 @@ PKTTYPE=Yes
|
|||||||
# DROPINVALID=Yes is assumed.
|
# DROPINVALID=Yes is assumed.
|
||||||
|
|
||||||
DROPINVALID=No
|
DROPINVALID=No
|
||||||
|
|
||||||
|
#
|
||||||
|
# RFC 1918 BEHAVIOR
|
||||||
|
#
|
||||||
|
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
|
||||||
|
# processing to cease for a packet if the packet's source IP address matches
|
||||||
|
# the rule. Thus, if you have:
|
||||||
|
#
|
||||||
|
# SUBNETS TARGET
|
||||||
|
# 192.168.1.0/24 RETURN
|
||||||
|
#
|
||||||
|
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
|
||||||
|
# also have:
|
||||||
|
#
|
||||||
|
# SUBNETS TARGET
|
||||||
|
# 10.0.0.0/8 logdrop
|
||||||
|
#
|
||||||
|
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
|
||||||
|
# since while the packet's source matches the RETURN rule, the packet's
|
||||||
|
# destination matches the 'logdrop' rule.
|
||||||
|
#
|
||||||
|
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
|
||||||
|
# RFC1918_STRICT=No is assumed.
|
||||||
|
#
|
||||||
|
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
|
||||||
|
# 'conntrack state' match.
|
||||||
|
|
||||||
|
RFC1918_STRICT=No
|
||||||
|
|
||||||
|
#
|
||||||
|
# MACLIST caching
|
||||||
|
#
|
||||||
|
# If your iptables and kernel support the "Recent Match" (see the output of
|
||||||
|
# "shorewall check" near the top), you can cache the results of a 'maclist'
|
||||||
|
# file lookup and thus reduce the overhead associated with MAC Verification
|
||||||
|
# (/etc/shorewall/maclist).
|
||||||
|
#
|
||||||
|
# When a new connection arrives from a 'maclist' interface, the packet passes
|
||||||
|
# through then list of entries for that interface in /etc/shorewall/maclist. If
|
||||||
|
# there is a match then the source IP address is added to the 'Recent' set for
|
||||||
|
# that interface. Subsequent connection attempts from that IP address occuring
|
||||||
|
# within $MACLIST_TTL seconds will be accepted without having to scan all of
|
||||||
|
# the entries. After $MACLIST_TTL from the first accepted connection request,
|
||||||
|
# the next connection request from that IP address will be checked against
|
||||||
|
# the entire list.
|
||||||
|
#
|
||||||
|
# If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||||
|
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||||
|
# be cached.
|
||||||
|
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# P A C K E T D I S P O S I T I O N
|
# P A C K E T D I S P O S I T I O N
|
||||||
################################################################################
|
################################################################################
|
||||||
|
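Review bot: The MACLIST_TTL text explains the caching mechanism but not what it gives up: the 'Recent' set is presumably keyed on source IP address only (the recent match's default, and no --rdest appears in the firewall code), so once a host has passed MAC verification, packets that spoof its IP address from another MAC are accepted for up to MACLIST_TTL seconds without ever being compared against /etc/shorewall/maclist. That belongs next to the performance benefit, e.g. `# WARNING: while an address is cached, packets from that IP address are` / `# accepted regardless of MAC, so a spoofed IP bypasses verification for up` / `# to MACLIST_TTL seconds. Leave empty where MAC checking is a security control.` The sentence "After $MACLIST_TTL from the first accepted connection request" should also be checked against the firewall code in this commit, which refreshes the cached entry with `--update` on every hit; if the recent match updates its timestamp that way, the window slides and a continuously active host is never re-verified.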
@ -41,7 +41,7 @@
|
|||||||
# C - Mark the connection in the chain determined
|
# C - Mark the connection in the chain determined
|
||||||
# by the setting of MARK_IN_FORWARD_CHAIN
|
# by the setting of MARK_IN_FORWARD_CHAIN
|
||||||
#
|
#
|
||||||
# CF: Mark the conneciton in the FORWARD chain
|
# CF: Mark the connection in the FORWARD chain
|
||||||
#
|
#
|
||||||
# CP: Mark the connection in the PREROUTING chain.
|
# CP: Mark the connection in the PREROUTING chain.
|
||||||
#
|
#
|
||||||
@ -80,7 +80,8 @@
|
|||||||
# allowed. Use $FW if the packet originates on
|
# allowed. Use $FW if the packet originates on
|
||||||
# the firewall in which case the MARK column may NOT
|
# the firewall in which case the MARK column may NOT
|
||||||
# specify either ":P" or ":F" (marking always occurs
|
# specify either ":P" or ":F" (marking always occurs
|
||||||
# in the OUTPUT chain).
|
# in the OUTPUT chain). $FW may be optionally followed
|
||||||
|
# by ":" and a host/network address.
|
||||||
#
|
#
|
||||||
# MAC addresses must be prefixed with "~" and use
|
# MAC addresses must be prefixed with "~" and use
|
||||||
# "-" as a separator.
|
# "-" as a separator.
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
# This file should be placed in /sbin/shorewall.
|
# This file should be placed in /sbin/shorewall.
|
||||||
#
|
#
|
||||||
@ -220,6 +220,13 @@ get_config() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Clear descriptor 1 if it is a terminal
|
||||||
|
#
|
||||||
|
clear_term() {
|
||||||
|
[ -t 1 ] && clear
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Display IPTABLES rules -- we used to store them in a variable but ash
|
# Display IPTABLES rules -- we used to store them in a variable but ash
|
||||||
# dies when trying to display large sets of rules
|
# dies when trying to display large sets of rules
|
||||||
@ -238,7 +245,7 @@ display_chains()
|
|||||||
|
|
||||||
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
echo "Standard Chains"
|
echo "Standard Chains"
|
||||||
@ -250,7 +257,7 @@ display_chains()
|
|||||||
|
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
firstchain=Yes
|
firstchain=Yes
|
||||||
@ -268,7 +275,7 @@ display_chains()
|
|||||||
for zone in $zones; do
|
for zone in $zones; do
|
||||||
|
|
||||||
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
|
if [ -n "$(grep "^Chain \.*${zone}" $TMPFILE)" ] ; then
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
firstchain=Yes
|
firstchain=Yes
|
||||||
@ -287,7 +294,7 @@ display_chains()
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
firstchain=Yes
|
firstchain=Yes
|
||||||
@ -308,7 +315,7 @@ display_chains()
|
|||||||
|
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
firstchain=Yes
|
firstchain=Yes
|
||||||
@ -443,7 +450,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
while true; do
|
while true; do
|
||||||
display_chains
|
display_chains
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
@ -474,7 +481,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
timed_read
|
timed_read
|
||||||
fi
|
fi
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
echo "NAT Status"
|
echo "NAT Status"
|
||||||
@ -482,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
echo
|
echo
|
||||||
@ -491,7 +498,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
echo
|
echo
|
||||||
@ -500,7 +507,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
cat /proc/net/ip_conntrack
|
cat /proc/net/ip_conntrack
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
echo
|
echo
|
||||||
@ -509,7 +516,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
show_tc
|
show_tc
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
echo
|
echo
|
||||||
@ -541,7 +548,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
|||||||
qt which awk && haveawk=Yes || haveawk=
|
qt which awk && haveawk=Yes || haveawk=
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
clear
|
clear_term
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
@ -960,7 +967,7 @@ case "$1" in
|
|||||||
status)
|
status)
|
||||||
[ -n "$debugging" ] && set -x
|
[ -n "$debugging" ] && set -x
|
||||||
[ $# -eq 1 ] || usage 1
|
[ $# -eq 1 ] || usage 1
|
||||||
clear
|
clear_term
|
||||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
@ -1007,18 +1014,30 @@ case "$1" in
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
echo
|
if [ -n "$(ip rule ls)" ]; then
|
||||||
echo "Routing Rules"
|
|
||||||
echo
|
|
||||||
ip rule ls
|
|
||||||
ip rule ls | while read rule; do
|
|
||||||
table=${rule##* }
|
|
||||||
echo
|
echo
|
||||||
echo "Table $table:"
|
echo "Routing Rules"
|
||||||
echo
|
echo
|
||||||
ip route ls table $table
|
ip rule ls
|
||||||
done
|
ip rule ls | while read rule; do
|
||||||
|
table=${rule##* }
|
||||||
|
echo
|
||||||
|
echo "Table $table:"
|
||||||
|
echo
|
||||||
|
ip route ls table $table
|
||||||
|
done
|
||||||
|
else
|
||||||
|
echo
|
||||||
|
echo "Routing Table"
|
||||||
|
echo
|
||||||
|
ip route ls
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo
|
||||||
|
echo "ARP"
|
||||||
|
echo
|
||||||
|
arp -na
|
||||||
|
|
||||||
if qt which lsmod; then
|
if qt which lsmod; then
|
||||||
echo
|
echo
|
||||||
echo "Modules"
|
echo "Modules"
|
||||||
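Review bot: `table=${rule##* }` in the new routing-rules loop takes the last word of each `ip rule ls` line as a table name, which is wrong for rules whose action is not `lookup <table>` (for a `blackhole`, `prohibit` or `unreachable` rule the last word is the action itself, and `ip route ls table` then errors) and which prints a table once per rule pointing at it, so `main` and `local` come out several times. Collecting the tables first avoids both: `for table in $(ip rule ls | sed -n 's/.* lookup //p' | sort -u); do` in place of the `ip rule ls | while read rule; do` / `table=${rule##* }` pair, assuming the `lookup` keyword is present in every table-selecting rule as it is in the iproute2 output I know. The `status)` case starts before this hunk and continues after it.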
@ -1029,7 +1048,7 @@ case "$1" in
|
|||||||
hits)
|
hits)
|
||||||
[ -n "$debugging" ] && set -x
|
[ -n "$debugging" ] && set -x
|
||||||
[ $# -eq 1 ] || usage 1
|
[ $# -eq 1 ] || usage 1
|
||||||
clear
|
clear_term
|
||||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
|
# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
|
||||||
#
|
#
|
||||||
# ACCEPT needed ICMP types
|
# ACCEPT needed ICMP types
|
||||||
#
|
#
|
||||||
|
@ -6,6 +6,6 @@
|
|||||||
######################################################################################
|
######################################################################################
|
||||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||||
# PORT PORT(S) LIMIT GROUP
|
# PORT PORT(S) LIMIT GROUP
|
||||||
ACCEPT - - udp 5631
|
ACCEPT - - udp 5632
|
||||||
ACCEPT - - tcp 5632
|
ACCEPT - - tcp 5631
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -6,15 +6,16 @@
|
|||||||
#
|
#
|
||||||
# allowBcast #Silently Allow Broadcast/multicast
|
# allowBcast #Silently Allow Broadcast/multicast
|
||||||
# dropBcast #Silently Drop Broadcast/multicast
|
# dropBcast #Silently Drop Broadcast/multicast
|
||||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
# dropNotSyn #Silently Drop Non-syn TCP packets
|
||||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
# rejNotSyn #Silently Reject Non-syn TCP packets
|
||||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
# allowInvalid #Accept packets that are in the INVALID
|
# allowInvalid #Accept packets that are in the INVALID
|
||||||
# #conntrack state.
|
# #conntrack state.
|
||||||
#
|
# allowoutUPnP #Allow traffic from local command 'upnpd'
|
||||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
|
||||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
# forwardUPnP #Allow traffic that upnpd has redirected from
|
||||||
|
# #'upnp' interfaces.
|
||||||
#
|
#
|
||||||
#ACTION
|
#ACTION
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@
|
|||||||
# shorewall restart Restarts the firewall
|
# shorewall restart Restarts the firewall
|
||||||
# shorewall stop Stops the firewall
|
# shorewall stop Stops the firewall
|
||||||
# shorewall status Displays firewall status
|
# shorewall status Displays firewall status
|
||||||
# shorewall reset Resets iptabless packet and
|
# shorewall reset Resets iptables packet and
|
||||||
# byte counts
|
# byte counts
|
||||||
# shorewall clear Remove all Shorewall chains
|
# shorewall clear Remove all Shorewall chains
|
||||||
# and rules/policies.
|
# and rules/policies.
|
||||||
@ -464,6 +464,11 @@ mac_chain() # $1 = interface
|
|||||||
echo $(chain_base $1)_mac
|
echo $(chain_base $1)_mac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
macrecent_target() # $1 - interface
|
||||||
|
{
|
||||||
|
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Functions for creating dynamic zone rules
|
# Functions for creating dynamic zone rules
|
||||||
#
|
#
|
||||||
@ -932,7 +937,7 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
|
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||||
;;
|
;;
|
||||||
detectnets)
|
detectnets)
|
||||||
[ -n "$wildcard" ] && \
|
[ -n "$wildcard" ] && \
|
||||||
@ -1095,7 +1100,7 @@ validate_policy()
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
case $policy in
|
case $policy in
|
||||||
ACCEPT|REJECT|DROP|CONTINUE)
|
ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
|
||||||
;;
|
;;
|
||||||
NONE)
|
NONE)
|
||||||
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
|
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
|
||||||
@ -1303,10 +1308,22 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
|||||||
|
|
||||||
case $level in
|
case $level in
|
||||||
ULOG)
|
ULOG)
|
||||||
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
if ! $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ; then
|
||||||
|
if [ -z "$stopping" ]; then
|
||||||
|
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix \"$prefix\"\" Failed"
|
||||||
|
stop_firewall
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
if ! $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"; then
|
||||||
|
if [ -z "$stopping" ]; then
|
||||||
|
error_message "ERROR: Command \"$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix \"$prefix\"\" Failed"
|
||||||
|
stop_firewall
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -1378,6 +1395,58 @@ disable_ipv6_1() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Process the routestopped file either adding or deleting rules
|
||||||
|
#
|
||||||
|
|
||||||
|
process_routestopped() # $1 = command
|
||||||
|
{
|
||||||
|
local hosts= interface host host1 options networks
|
||||||
|
|
||||||
|
while read interface host options; do
|
||||||
|
expandv interface host options
|
||||||
|
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
||||||
|
for h in $(separate_list $host); do
|
||||||
|
hosts="$hosts $interface:$h"
|
||||||
|
done
|
||||||
|
|
||||||
|
routeback=
|
||||||
|
|
||||||
|
if [ -n "$options" ]; then
|
||||||
|
for option in $(separate_list $options); do
|
||||||
|
case $option in
|
||||||
|
routeback)
|
||||||
|
if [ -n "$routeback" ]; then
|
||||||
|
error_message "Warning: Duplicate routestopped option ignored: routeback"
|
||||||
|
else
|
||||||
|
routeback=Yes
|
||||||
|
for h in $(separate_list $host); do
|
||||||
|
run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
error_message "Warning: Unknown routestopped option ignored: $option"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
done < $TMP_DIR/routestopped
|
||||||
|
|
||||||
|
for host in $hosts; do
|
||||||
|
interface=${host%:*}
|
||||||
|
networks=${host#*:}
|
||||||
|
$IPTABLES $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||||
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
|
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||||
|
|
||||||
|
for host1 in $hosts; do
|
||||||
|
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||||
|
done
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Stop the Firewall
|
# Stop the Firewall
|
||||||
#
|
#
|
||||||
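Review bot: In process_routestopped the INPUT rule is issued with a bare `$IPTABLES $1 INPUT -i $interface ...` while the routeback, OUTPUT and FORWARD rules in the same function go through `run_iptables` (presumably the wrapper that reports and handles a failing iptables call), so a failure on the INPUT rule, from a malformed HOST(S) entry say, is neither reported nor acted on the way the others are, and during a restart the listed hosts silently lose the access this file promises them. I would make it `run_iptables $1 INPUT -i $interface $(source_ip_range $networks) -j ACCEPT` for consistency. Note also that `routeback`, `option` and `h` are assigned without `local`, so they leak into the caller. The function is complete within the hunk; its callers are not.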
@ -1453,50 +1522,9 @@ stop_firewall() {
|
|||||||
|
|
||||||
hosts=
|
hosts=
|
||||||
|
|
||||||
strip_file routestopped
|
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
||||||
|
|
||||||
while read interface host options; do
|
process_routestopped -A
|
||||||
expandv interface host options
|
|
||||||
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
|
|
||||||
for h in $(separate_list $host); do
|
|
||||||
hosts="$hosts $interface:$h"
|
|
||||||
done
|
|
||||||
|
|
||||||
routeback=
|
|
||||||
|
|
||||||
if [ -n "$options" ]; then
|
|
||||||
for option in $(separate_list $options); do
|
|
||||||
case $option in
|
|
||||||
routeback)
|
|
||||||
if [ -n "$routeback" ]; then
|
|
||||||
error_message "Warning: Duplicate option ignored: routeback"
|
|
||||||
else
|
|
||||||
routeback=Yes
|
|
||||||
for h in $(separate_list $host); do
|
|
||||||
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
error_message "Warning: Unknown option ignored: $option"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
done < $TMP_DIR/routestopped
|
|
||||||
|
|
||||||
for host in $hosts; do
|
|
||||||
interface=${host%:*}
|
|
||||||
networks=${host#*:}
|
|
||||||
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
|
||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
|
||||||
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
|
||||||
|
|
||||||
for host1 in $hosts; do
|
|
||||||
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
|
||||||
done
|
|
||||||
done
|
|
||||||
|
|
||||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
@ -1977,6 +2005,7 @@ setup_mac_lists() {
|
|||||||
local addresses
|
local addresses
|
||||||
local address
|
local address
|
||||||
local chain
|
local chain
|
||||||
|
local chain1
|
||||||
local macpart
|
local macpart
|
||||||
local blob
|
local blob
|
||||||
local hosts
|
local hosts
|
||||||
@ -2001,10 +2030,19 @@ setup_mac_lists() {
|
|||||||
|
|
||||||
progress_message "Setting up MAC Verification on $maclist_interfaces..."
|
progress_message "Setting up MAC Verification on $maclist_interfaces..."
|
||||||
#
|
#
|
||||||
# Be sure that they are all ethernet interfaces
|
# Create chains.
|
||||||
#
|
#
|
||||||
for interface in $maclist_interfaces; do
|
for interface in $maclist_interfaces; do
|
||||||
createchain $(mac_chain $interface) no
|
chain=$(mac_chain $interface)
|
||||||
|
createchain $chain no
|
||||||
|
|
||||||
|
if [ -n "$MACLIST_TTL" ]; then
|
||||||
|
chain1=$(macrecent_target $interface)
|
||||||
|
createchain $chain1 no
|
||||||
|
run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
|
||||||
|
run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
|
||||||
|
run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
#
|
#
|
||||||
# Process the maclist file producing the verification rules
|
# Process the maclist file producing the verification rules
|
||||||
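Review bot: The cache chain built here refreshes the entry on every cached hit, `run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT`, which, if I read the recent match right (`--update` matches like `--rcheck` but also updates the last-seen timestamp), makes the MACLIST_TTL window slide rather than expire $MACLIST_TTL seconds after the first accepted connection as the shorewall.conf text in this commit describes; a host that keeps connecting is therefore never re-checked against the MAC list, and since the set is keyed on IP address, neither is anything spoofing its address. Either the conf text should describe the sliding window, or chain1 should accept without refreshing (`--rcheck` in place of `--update`) with a separate rule that drops and re-sets the stale entry once the MAC check has passed, so that re-verification actually happens at the documented interval. That rework is a handful of rules, so I would want it confirmed against the recent match semantics before changing it. setup_mac_lists starts before this hunk and continues after it.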
@ -2024,6 +2062,7 @@ setup_mac_lists() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
chain=$(mac_chain $interface)
|
chain=$(mac_chain $interface)
|
||||||
|
chain1=$(macrecent_target $interface)
|
||||||
|
|
||||||
if ! havechain $chain ; then
|
if ! havechain $chain ; then
|
||||||
fatal_error "No hosts on $interface have the maclist option specified"
|
fatal_error "No hosts on $interface have the maclist option specified"
|
||||||
@ -2032,10 +2071,10 @@ setup_mac_lists() {
|
|||||||
macpart=$(mac_match $mac)
|
macpart=$(mac_match $mac)
|
||||||
|
|
||||||
if [ -z "$addresses" ]; then
|
if [ -z "$addresses" ]; then
|
||||||
run_iptables -A $chain $macpart $physdev_part -j RETURN
|
run_iptables -A $chain $macpart $physdev_part -j $chain1
|
||||||
else
|
else
|
||||||
for address in $(separate_list $addresses) ; do
|
for address in $(separate_list $addresses) ; do
|
||||||
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
|
run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
done < $TMP_DIR/maclist
|
done < $TMP_DIR/maclist
|
||||||
@ -2045,6 +2084,7 @@ setup_mac_lists() {
|
|||||||
#
|
#
|
||||||
for interface in $maclist_interfaces; do
|
for interface in $maclist_interfaces; do
|
||||||
chain=$(mac_chain $interface)
|
chain=$(mac_chain $interface)
|
||||||
|
chain1=$(macrecent_target $interface)
|
||||||
|
|
||||||
blob=$(ip link show $interface 2> /dev/null)
|
blob=$(ip link show $interface 2> /dev/null)
|
||||||
|
|
||||||
@ -2053,11 +2093,11 @@ setup_mac_lists() {
|
|||||||
|
|
||||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||||
if [ -n "$broadcast" ]; then
|
if [ -n "$broadcast" ]; then
|
||||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
|
run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
|
||||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
if [ -n "$MACLIST_LOG_LEVEL" ]; then
|
||||||
@ -2333,16 +2373,19 @@ process_tc_rule()
|
|||||||
if [ "x$source" != "x-" ]; then
|
if [ "x$source" != "x-" ]; then
|
||||||
case $source in
|
case $source in
|
||||||
*.*.*)
|
*.*.*)
|
||||||
r="-s $source "
|
r="$(source_ip_range $source) "
|
||||||
;;
|
;;
|
||||||
~*)
|
~*)
|
||||||
r="$(mac_match $source) "
|
r="$(mac_match $source) "
|
||||||
;;
|
;;
|
||||||
|
$FW:*)
|
||||||
|
chain=tcout
|
||||||
|
r="$(source_ip_range ${source%:*}) "
|
||||||
|
;;
|
||||||
$FW)
|
$FW)
|
||||||
chain=tcout
|
chain=tcout
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
|
||||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||||
r="$(match_source_dev) $source "
|
r="$(match_source_dev) $source "
|
||||||
;;
|
;;
|
||||||
@ -2376,6 +2419,7 @@ process_tc_rule()
|
|||||||
r="${r}$(dest_ip_range $dest) "
|
r="${r}$(dest_ip_range $dest) "
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||||
r="${r}$(match_dest_dev $dest) "
|
r="${r}$(match_dest_dev $dest) "
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -2763,13 +2807,14 @@ check_config() {
|
|||||||
|
|
||||||
disclaimer() {
|
disclaimer() {
|
||||||
echo
|
echo
|
||||||
echo "Notice: The 'check' command is unsupported and problem"
|
echo "Notice: The 'check' command is provided to catch"
|
||||||
echo " reports complaining about errors that it didn't catch"
|
echo " obvious errors in a Shorewall configuration."
|
||||||
echo " will not be accepted"
|
echo " It is not designed to catch all possible errors"
|
||||||
|
echo " so please don't submit problem reports about"
|
||||||
|
echo " error conditions that 'check' doesn't find"
|
||||||
echo
|
echo
|
||||||
}
|
}
|
||||||
|
|
||||||
disclaimer
|
|
||||||
|
|
||||||
report_capabilities
|
report_capabilities
|
||||||
|
|
||||||
@ -3148,7 +3193,27 @@ process_action() # $1 = chain (Chain to add the rules to)
|
|||||||
|
|
||||||
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
||||||
|
|
||||||
if [ -n "$MULTIPORT" ] && \
|
if [ -n "$XMULTIPORT" ] && \
|
||||||
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
|
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||||
|
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||||
|
then
|
||||||
|
#
|
||||||
|
# Extended MULTIPORT is enabled, and less than
|
||||||
|
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||||
|
#
|
||||||
|
multioption="-m multiport"
|
||||||
|
for client in $(separate_list ${clients:=-}); do
|
||||||
|
for server in $(separate_list ${servers:=-}); do
|
||||||
|
#
|
||||||
|
# add_an_action() modifies these so we must set their values each time
|
||||||
|
#
|
||||||
|
port=${ports:=-}
|
||||||
|
cport=${cports:=-}
|
||||||
|
add_an_action
|
||||||
|
done
|
||||||
|
done
|
||||||
|
elif [ -n "$MULTIPORT" ] && \
|
||||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
[ "$ports" = "${ports%:*}" -a \
|
[ "$ports" = "${ports%:*}" -a \
|
||||||
"$cports" = "${cports%:*}" -a \
|
"$cports" = "${cports%:*}" -a \
|
||||||
@ -3242,7 +3307,11 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
|||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
createchain $CHAIN No
|
createchain $CHAIN No
|
||||||
LEVEL=${level%:*}
|
LEVEL=${level%:*}
|
||||||
TAG=${level#*:}
|
if [ "$LEVEL" != "$level" ]; then
|
||||||
|
TAG=${level#*:}
|
||||||
|
else
|
||||||
|
TAG=
|
||||||
|
fi
|
||||||
run_user_exit $1
|
run_user_exit $1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3404,7 +3473,8 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
|||||||
#
|
#
|
||||||
process_actions1() {
|
process_actions1() {
|
||||||
|
|
||||||
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid"
|
ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
||||||
|
|
||||||
USEDACTIONS=
|
USEDACTIONS=
|
||||||
|
|
||||||
strip_file actions
|
strip_file actions
|
||||||
@ -3421,14 +3491,14 @@ process_actions1() {
|
|||||||
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
|
[ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
|
||||||
xaction=${xaction%:*}
|
xaction=${xaction%:*}
|
||||||
case $temp in
|
case $temp in
|
||||||
ACCEPT|REJECT|DROP)
|
ACCEPT|REJECT|DROP|QUEUE)
|
||||||
eval ${temp}_common=$xaction
|
eval ${temp}_common=$xaction
|
||||||
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
|
if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
|
||||||
USEDACTIONS="$USEDACTIONS $xaction"
|
USEDACTIONS="$USEDACTIONS $xaction"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
|
startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
esac
|
esac
|
||||||
@ -3475,6 +3545,15 @@ process_actions1() {
|
|||||||
|
|
||||||
process_actions2() {
|
process_actions2() {
|
||||||
|
|
||||||
|
local interfaces="$(find_interfaces_by_option upnp)"
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
if ! list_search forwardUPnP $USEDACTIONS; then
|
||||||
|
error_message "Warning:Missing forwardUPnP rule (required by 'upnp' interface option on $interfaces)"
|
||||||
|
USEDACTIONS="$USEDACTIONS forwardUPnP"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
progress_message " Generating Transitive Closure of Used-action List..."
|
progress_message " Generating Transitive Closure of Used-action List..."
|
||||||
|
|
||||||
changed=Yes
|
changed=Yes
|
||||||
@ -3533,8 +3612,8 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ -n "$xlevel" ]; then
|
if [ -n "$xlevel" ]; then
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -3548,7 +3627,7 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address
|
log_rule_limit ${xlevel%\!} $xchain dropBcast DROP "" "$xtag" -A -d $address
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -3565,8 +3644,8 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ -n "$xlevel" ]; then
|
if [ -n "$xlevel" ]; then
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast
|
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type broadcast
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast
|
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -m pkttype --pkt-type multicast
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -3580,7 +3659,7 @@ process_actions3() {
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address
|
log_rule_limit ${xlevel%\!} $xchain allowBcast ACCEPT "" "$xtag" -A -d $address
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -3594,38 +3673,58 @@ process_actions3() {
|
|||||||
|
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain dropNonSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropNotSyn)
|
dropNotSyn)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain dropNotSyn DROP "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
run_iptables -A $xchain -p tcp ! --syn -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
rejNotSyn)
|
rejNotSyn)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn
|
log_rule_limit ${xlevel%\!} $xchain rejNotSyn REJECT "" "$xtag" -A -p tcp ! --syn
|
||||||
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropInvalid)
|
dropInvalid)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID
|
log_rule_limit ${xlevel%\!} $xchain dropInvalid DROP "" "$xtag" -A -m state --state INVALID
|
||||||
run_iptables -A $xchain -m state --state INVALID -j DROP
|
run_iptables -A $xchain -m state --state INVALID -j DROP
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
allowInvalid)
|
allowInvalid)
|
||||||
if [ "$COMMAND" != check ]; then
|
if [ "$COMMAND" != check ]; then
|
||||||
[ -n "$xlevel" ] && \
|
[ -n "$xlevel" ] && \
|
||||||
log_rule_limit ${xlevel%\!} $xchain allowInvalid $2 "" "$xtag" -A -m state --state INVALID
|
log_rule_limit ${xlevel%\!} $xchain allowInvalid ACCEPT "" "$xtag" -A -m state --state INVALID
|
||||||
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
run_iptables -A $xchain -m state --state INVALID -j ACCEPT
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
forwardUPnP)
|
||||||
|
;;
|
||||||
|
allowinUPnP)
|
||||||
|
if [ "$COMMAND" != check ]; then
|
||||||
|
if [ -n "$xlevel" ]; then
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p udp --dport 1900
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowinUPnP ACCEPT "" "$xtag" -A -p tcp --dport 49152
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables -A $xchain -p udp --dport 1900 -j ACCEPT
|
||||||
|
run_iptables -A $xchain -p tcp --dport 49152 -j ACCEPT
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
allowoutUPnP)
|
||||||
|
if [ "$COMMAND" != check ]; then
|
||||||
|
[ -n "$xlevel" ] && \
|
||||||
|
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
||||||
|
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
||||||
|
fi
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
#
|
#
|
||||||
# Not a builtin
|
# Not a builtin
|
||||||
@ -4318,7 +4417,26 @@ process_rule() # $1 = target
|
|||||||
|
|
||||||
case $logtarget in
|
case $logtarget in
|
||||||
DNAT*)
|
DNAT*)
|
||||||
if [ -n "$MULTIPORT" ] && \
|
if [ -n "$XMULTIPORT" ] && \
|
||||||
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
|
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||||
|
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||||
|
then
|
||||||
|
#
|
||||||
|
# Extended MULTIPORT is enabled, and less than
|
||||||
|
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||||
|
#
|
||||||
|
multioption="-m multiport"
|
||||||
|
for client in $(separate_list ${clients:=-}); do
|
||||||
|
#
|
||||||
|
# add_a_rule() modifies these so we must set their values each time
|
||||||
|
#
|
||||||
|
server=${servers:=-}
|
||||||
|
port=${ports:=-}
|
||||||
|
cport=${cports:=-}
|
||||||
|
add_a_rule
|
||||||
|
done
|
||||||
|
elif [ -n "$MULTIPORT" ] && \
|
||||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
[ "$ports" = "${ports%:*}" -a \
|
[ "$ports" = "${ports%:*}" -a \
|
||||||
"$cports" = "${cports%:*}" -a \
|
"$cports" = "${cports%:*}" -a \
|
||||||
@ -4356,7 +4474,27 @@ process_rule() # $1 = target
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
|
||||||
if [ -n "$MULTIPORT" ] && \
|
if [ -n "$XMULTIPORT" ] && \
|
||||||
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
|
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||||
|
$(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
|
||||||
|
then
|
||||||
|
#
|
||||||
|
# Extended MULTIPORT is enabled, and less than
|
||||||
|
# 16 ports are listed (port ranges count as two ports) - use multiport match.
|
||||||
|
#
|
||||||
|
multioption="-m multiport"
|
||||||
|
for client in $(separate_list ${clients:=-}); do
|
||||||
|
for server in $(separate_list ${servers:=-}); do
|
||||||
|
#
|
||||||
|
# add_a_rule() modifies these so we must set their values each time
|
||||||
|
#
|
||||||
|
port=${ports:=-}
|
||||||
|
cport=${cports:=-}
|
||||||
|
add_a_rule
|
||||||
|
done
|
||||||
|
done
|
||||||
|
elif [ -n "$MULTIPORT" ] && \
|
||||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
[ "$ports" = "${ports%:*}" -a \
|
[ "$ports" = "${ports%:*}" -a \
|
||||||
"$cports" = "${cports%:*}" -a \
|
"$cports" = "${cports%:*}" -a \
|
||||||
@ -4423,6 +4561,7 @@ process_rules()
|
|||||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||||
if [ "$ypolicy" != NONE ] ; then
|
if [ "$ypolicy" != NONE ] ; then
|
||||||
|
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -4448,11 +4587,11 @@ process_rules()
|
|||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||||
}
|
}
|
||||||
|
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
|
||||||
expandv xtarget
|
expandv xtarget
|
||||||
|
|
||||||
case "${xtarget%%:*}" in
|
case "${xtarget%%:*}" in
|
||||||
@ -4469,6 +4608,7 @@ process_rules()
|
|||||||
xtarget=$(find_logactionchain $xtarget)
|
xtarget=$(find_logactionchain $xtarget)
|
||||||
do_it
|
do_it
|
||||||
else
|
else
|
||||||
|
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
||||||
fatal_error "Invalid Action in rule \"$rule\""
|
fatal_error "Invalid Action in rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -4696,6 +4836,9 @@ policy_rules() # $1 = chain to add rules to
|
|||||||
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
|
[ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
|
||||||
target=reject
|
target=reject
|
||||||
;;
|
;;
|
||||||
|
QUEUE)
|
||||||
|
[ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
|
||||||
|
;;
|
||||||
CONTINUE)
|
CONTINUE)
|
||||||
target=
|
target=
|
||||||
;;
|
;;
|
||||||
@ -4761,7 +4904,7 @@ default_policy() # $1 = client $2 = server
|
|||||||
# depends on the policy
|
# depends on the policy
|
||||||
#
|
#
|
||||||
case $policy in
|
case $policy in
|
||||||
ACCEPT)
|
ACCEPT|QUEUE)
|
||||||
if [ -n "$synparams" ]; then
|
if [ -n "$synparams" ]; then
|
||||||
#
|
#
|
||||||
# To avoid double-counting SYN packets, enforce the policy
|
# To avoid double-counting SYN packets, enforce the policy
|
||||||
@ -4858,7 +5001,7 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
|||||||
|
|
||||||
[ -n "$chain" ] && { echo $chain; return; }
|
[ -n "$chain" ] && { echo $chain; return; }
|
||||||
|
|
||||||
fatal_error "No appropriate chain for zone $1 to zone $2"
|
fatal_error "No policy defined for zone $1 to zone $2"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5039,7 +5182,15 @@ setup_masq()
|
|||||||
if [ $listcount -gt 1 ]; then
|
if [ $listcount -gt 1 ]; then
|
||||||
case $ports in
|
case $ports in
|
||||||
*:*)
|
*:*)
|
||||||
fatal_error "Port Range not allowed in list ($ports)"
|
if [ -n "$XMULTIPORT" ]; then
|
||||||
|
if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
|
||||||
|
ports="-m multiport --dports $ports"
|
||||||
|
else
|
||||||
|
fatal_error "More than 15 entries in port list ($ports)"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
fatal_error "Port Range not allowed in list ($ports)"
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ -n "$MULTIPORT" ]; then
|
if [ -n "$MULTIPORT" ]; then
|
||||||
@ -5475,6 +5626,7 @@ save_load_kernel_modules()
|
|||||||
done < $modules
|
done < $modules
|
||||||
|
|
||||||
save_command __EOF__
|
save_command __EOF__
|
||||||
|
save_command ""
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5494,17 +5646,22 @@ determine_capabilities() {
|
|||||||
|
|
||||||
CONNTRACK_MATCH=
|
CONNTRACK_MATCH=
|
||||||
MULTIPORT=
|
MULTIPORT=
|
||||||
|
XMULTIPORT=
|
||||||
POLICY_MATCH=
|
POLICY_MATCH=
|
||||||
PHYSDEV_MATCH=
|
PHYSDEV_MATCH=
|
||||||
IPRANGE_MATCH=
|
IPRANGE_MATCH=
|
||||||
|
RECENT_MATCH=
|
||||||
|
OWNER_MATCH=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||||
|
|
||||||
if [ -n "$PKTTYPE" ]; then
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||||
@ -5514,25 +5671,28 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -X fooX1234
|
qt $IPTABLES -X fooX1234
|
||||||
}
|
}
|
||||||
|
|
||||||
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
|
report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
|
||||||
{
|
{
|
||||||
local setting=
|
local setting=
|
||||||
|
|
||||||
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
|
[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
|
||||||
|
|
||||||
echo " " $@: $setting
|
echo " " $1: $setting
|
||||||
}
|
}
|
||||||
|
|
||||||
report_capabilities() {
|
report_capabilities() {
|
||||||
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
echo "Shorewall has detected the following iptables/netfilter capabilities:"
|
||||||
report_capability $NAT_ENABLED "NAT"
|
report_capability "NAT" $NAT_ENABLED
|
||||||
report_capability $MANGLE_ENABLED "Packet Mangling"
|
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||||
report_capability $MULTIPORT "Multi-port Match"
|
report_capability "Multi-port Match" $MULTIPORT
|
||||||
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||||
report_capability $PKTTYPE "Packet Type Match"
|
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||||
report_capability $POLICY_MATCH "Policy Match"
|
report_capability "Packet Type Match" $PKTTYPE
|
||||||
report_capability $PHYSDEV_MATCH "Physdev Match"
|
report_capability "Policy Match" $POLICY_MATCH
|
||||||
report_capability $IPRANGE_MATCH "IP range Match"
|
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||||
|
report_capability "IP range Match" $IPRANGE_MATCH
|
||||||
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5551,6 +5711,10 @@ initialize_netfilter () {
|
|||||||
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
[ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
|
||||||
|
startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
@ -5580,7 +5744,7 @@ initialize_netfilter () {
|
|||||||
run_user_exit init
|
run_user_exit init
|
||||||
|
|
||||||
#
|
#
|
||||||
# The some files might be large so strip them while the firewall is still running
|
# Some files might be large so strip them while the firewall is still running
|
||||||
# (restart command). This reduces the length of time that the firewall isn't
|
# (restart command). This reduces the length of time that the firewall isn't
|
||||||
# accepting new connections.
|
# accepting new connections.
|
||||||
#
|
#
|
||||||
@ -5623,6 +5787,16 @@ initialize_netfilter () {
|
|||||||
setcontinue INPUT
|
setcontinue INPUT
|
||||||
setcontinue OUTPUT
|
setcontinue OUTPUT
|
||||||
|
|
||||||
|
run_user_exit continue
|
||||||
|
|
||||||
|
f=$(find_file routestopped)
|
||||||
|
|
||||||
|
echo "Processing $f ..."
|
||||||
|
|
||||||
|
strip_file routestopped $f
|
||||||
|
|
||||||
|
process_routestopped -A
|
||||||
|
|
||||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5631,10 +5805,6 @@ initialize_netfilter () {
|
|||||||
run_iptables -A INPUT -i lo -j ACCEPT
|
run_iptables -A INPUT -i lo -j ACCEPT
|
||||||
run_iptables -A OUTPUT -o lo -j ACCEPT
|
run_iptables -A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
accounting_file=$(find_file accounting)
|
|
||||||
|
|
||||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Allow DNS lookups during startup for FQDNs
|
# Allow DNS lookups during startup for FQDNs
|
||||||
#
|
#
|
||||||
@ -5658,6 +5828,10 @@ initialize_netfilter () {
|
|||||||
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
|
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
accounting_file=$(find_file accounting)
|
||||||
|
|
||||||
|
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||||
|
|
||||||
if [ -z "$NEWNOTSYN" ]; then
|
if [ -z "$NEWNOTSYN" ]; then
|
||||||
createchain newnotsyn no
|
createchain newnotsyn no
|
||||||
|
|
||||||
@ -5841,7 +6015,15 @@ add_common_rules() {
|
|||||||
|
|
||||||
run_iptables -A rfc1918 -j DROP
|
run_iptables -A rfc1918 -j DROP
|
||||||
|
|
||||||
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
chain=norfc1918
|
||||||
|
|
||||||
|
if [ -n "$RFC1918_STRICT" ]; then
|
||||||
|
#
|
||||||
|
# We'll generate two chains - one for source and one for destination
|
||||||
|
#
|
||||||
|
chain=rfc1918d
|
||||||
|
createchain $chain no
|
||||||
|
elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
||||||
#
|
#
|
||||||
# Mangling is enabled but conntrack match isn't available --
|
# Mangling is enabled but conntrack match isn't available --
|
||||||
# create a chain in the mangle table to filter RFC1918 destination
|
# create a chain in the mangle table to filter RFC1918 destination
|
||||||
@ -5860,8 +6042,13 @@ add_common_rules() {
|
|||||||
case $target in
|
case $target in
|
||||||
logdrop)
|
logdrop)
|
||||||
target=rfc1918
|
target=rfc1918
|
||||||
|
s_target=rfc1918
|
||||||
;;
|
;;
|
||||||
DROP|RETURN)
|
DROP)
|
||||||
|
s_target=DROP
|
||||||
|
;;
|
||||||
|
RETURN)
|
||||||
|
[ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
fatal_error "Invalid target ($target) for $networks"
|
fatal_error "Invalid target ($target) for $networks"
|
||||||
@ -5869,13 +6056,13 @@ add_common_rules() {
|
|||||||
esac
|
esac
|
||||||
|
|
||||||
for network in $(separate_list $networks); do
|
for network in $(separate_list $networks); do
|
||||||
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
|
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
|
||||||
|
|
||||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||||
#
|
#
|
||||||
# We have connection tracking match -- match on the original destination
|
# We have connection tracking match -- match on the original destination
|
||||||
#
|
#
|
||||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
|
run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
|
||||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||||
#
|
#
|
||||||
# No connection tracking match but we have mangling -- add a rule to
|
# No connection tracking match but we have mangling -- add a rule to
|
||||||
@ -5886,6 +6073,8 @@ add_common_rules() {
|
|||||||
done
|
done
|
||||||
done < $TMP_DIR/rfc1918
|
done < $TMP_DIR/rfc1918
|
||||||
|
|
||||||
|
[ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
|
||||||
|
|
||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
ipsec=${host%^*}
|
ipsec=${host%^*}
|
||||||
host=${host#*^}
|
host=${host#*^}
|
||||||
@ -6134,6 +6323,20 @@ add_common_rules() {
|
|||||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
#
|
||||||
|
# UPnP
|
||||||
|
#
|
||||||
|
interfaces=$(find_interfaces_by_option upnp)
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
echo "Setting up UPnP..."
|
||||||
|
|
||||||
|
createnatchain UPnP
|
||||||
|
|
||||||
|
for interface in $interfaces; do
|
||||||
|
run_iptables -t nat -A PREROUTING -i $interface -j UPnP
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
setup_forwarding
|
setup_forwarding
|
||||||
}
|
}
|
||||||
@ -6219,7 +6422,7 @@ activate_rules()
|
|||||||
shift
|
shift
|
||||||
|
|
||||||
if havenatchain $destchain ; then
|
if havenatchain $destchain ; then
|
||||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
run_iptables2 -t nat -A $sourcechain $@ -j $destchain
|
||||||
else
|
else
|
||||||
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
|
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
|
||||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
@ -6237,7 +6440,7 @@ activate_rules()
|
|||||||
shift
|
shift
|
||||||
|
|
||||||
if havenatchain $destchain; then
|
if havenatchain $destchain; then
|
||||||
eval run_iptables -t nat -I $sourcechain \
|
eval run_iptables2 -t nat -I $sourcechain \
|
||||||
\$${sourcechain}_rule $@ -j $destchain
|
\$${sourcechain}_rule $@ -j $destchain
|
||||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
||||||
else
|
else
|
||||||
@ -6245,7 +6448,7 @@ activate_rules()
|
|||||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add jumps to early SNAT chains
|
# Add jumps to early SNAT chains
|
||||||
@ -6297,7 +6500,7 @@ activate_rules()
|
|||||||
interface=${host%%:*}
|
interface=${host%%:*}
|
||||||
networks=${host#*:}
|
networks=${host#*:}
|
||||||
|
|
||||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -6326,7 +6529,7 @@ activate_rules()
|
|||||||
interface=${host%%:*}
|
interface=${host%%:*}
|
||||||
networks=${host#*:}
|
networks=${host#*:}
|
||||||
|
|
||||||
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add jumps from the builtin chains for DNAT and SNAT rules
|
# Add jumps from the builtin chains for DNAT and SNAT rules
|
||||||
@ -6334,10 +6537,10 @@ activate_rules()
|
|||||||
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
|
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
|
||||||
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
|
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
|
||||||
|
|
||||||
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
|
||||||
|
|
||||||
if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
|
if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
|
||||||
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case $networks in
|
case $networks in
|
||||||
@ -6402,7 +6605,7 @@ activate_rules()
|
|||||||
# routeback was specified for this host group
|
# routeback was specified for this host group
|
||||||
#
|
#
|
||||||
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
|
if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
|
||||||
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
@ -6417,7 +6620,7 @@ activate_rules()
|
|||||||
networks1=${host1#*:}
|
networks1=${host1#*:}
|
||||||
|
|
||||||
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
if [ "$host" != "$host1" ] || list_search $host $routeback; then
|
||||||
run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
@ -6464,7 +6667,9 @@ activate_rules()
|
|||||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
|
process_routestopped -D
|
||||||
|
|
||||||
if [ -n "$LOGALLNEW" ]; then
|
if [ -n "$LOGALLNEW" ]; then
|
||||||
for table in mangle nat filter; do
|
for table in mangle nat filter; do
|
||||||
case $table in
|
case $table in
|
||||||
@ -6609,6 +6814,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
|
||||||
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
mv -f $RESTOREBASE /var/lib/shorewall/restore-tail
|
||||||
|
|
||||||
|
run_user_exit started
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7065,6 +7271,9 @@ do_initialize() {
|
|||||||
|
|
||||||
export LC_ALL=C
|
export LC_ALL=C
|
||||||
|
|
||||||
|
# Make sure umask is sane
|
||||||
|
umask 177
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
|
||||||
#
|
#
|
||||||
# Establish termination function
|
# Establish termination function
|
||||||
@ -7123,6 +7332,8 @@ do_initialize() {
|
|||||||
LOGTAGONLY=
|
LOGTAGONLY=
|
||||||
LOGALLNEW=
|
LOGALLNEW=
|
||||||
DROPINVALID=
|
DROPINVALID=
|
||||||
|
RFC1918_STRICT=
|
||||||
|
MACLIST_TTL=
|
||||||
|
|
||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
@ -7318,6 +7529,13 @@ do_initialize() {
|
|||||||
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
|
||||||
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
|
||||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||||
|
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||||
|
|
||||||
|
[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
|
||||||
|
|
||||||
|
if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
|
||||||
|
startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
|
||||||
|
fi
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
#
|
#
|
||||||
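Review bot: MACLIST_TTL is only compared with the literal string "0" before the RECENT_MATCH check, so a non-numeric or negative value is accepted at startup and presumably reaches an iptables argument later in the script, where it would fail at rule-load time instead of with a clear startup_error; the neighbouring settings in this hunk all pass through added_param_value_no/yes, and a shell-only digit check would give MACLIST_TTL the same early diagnosis: `case $MACLIST_TTL in *[!0-9]*) startup_error "Invalid MACLIST_TTL value: $MACLIST_TTL";; esac` placed before the `[ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=` line. The new `umask 177` in the `@ -7065` hunk would also benefit from a comment saying what it protects (apparently the restore-base files moved into /var/lib/shorewall in the `@ -6609` hunk) and noting that any directory created afterwards without an explicit mode gets 0600, i.e. no search bit, which only works because the script runs as root. The body of do_initialize() continues on both sides of this hunk.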
|
@ -1 +1 @@
|
|||||||
2.2.0
|
2.2.4
|
||||||
|
@ -22,4 +22,7 @@
|
|||||||
/etc/shorewall/stop Stop Commands executed before stop
|
/etc/shorewall/stop Stop Commands executed before stop
|
||||||
/etc/shorewall/stopped Stopped Commands executed after stop
|
/etc/shorewall/stopped Stopped Commands executed after stop
|
||||||
/etc/shorewall/accounting Account Traffic Accounting Rules
|
/etc/shorewall/accounting Account Traffic Accounting Rules
|
||||||
|
/etc/shorewall/netmap Netmap Network address mapping
|
||||||
/etc/shorewall/actions Actions Define user actions
|
/etc/shorewall/actions Actions Define user actions
|
||||||
|
/etc/shorewall/continue Continue Commands executed early in [re]start
|
||||||
|
|
||||||
|
@ -1 +1 @@
|
|||||||
2.0.2c
|
2.2.4
|
||||||
|