From 07c152ab3524a581c9b46aa24317ca1ec73e5b84 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 26 Aug 2005 19:55:05 +0000
Subject: [PATCH] Section the rules file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2563 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 +
 Shorewall/firewall | 148 ++++++++++++++++++++++++++++++++-----
 Shorewall/releasenotes.txt | 32 ++++++++
 Shorewall/rules | 37 ++++++++++
 4 files changed, 199 insertions(+), 20 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 1f8c41eea..8a4f1638e 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -13,6 +13,8 @@ Changes in 2.5.3
 6) Clear the raw table on stop and [re]start
+7) Section the rules file.
+
 Changes in 2.5.2
 1) Allow port lists in /etc/sorewall/accounting.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 63a0e1f8c..c68bc2af4 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -230,6 +230,33 @@ run_ipset() {
 fi
 }
+#
+# Add the implicit ACCEPT rules at the end of a rules file section
+#
+finish_chain_section() # $1 = canonical chain $2 = state list
+{
+ [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
+ if list_search RELATED $(separate_list $2) ; then
+ [ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
+ fi
+}
+
+finish_section() # $1 = Section(s)
+{
+ local zone zone1 chain
+
+ if [ "$COMMAND" != check ]; then
+ for zone in $ZONES $FW; do
+ for zone1 in $ZONES $FW; do
+ chain=${zone}2${zone1}
+ if havechain $chain; then
+ finish_chain_section $chain $1
+ fi
+ done
+ done
+ fi
+}
+
 # # Create a filter chain # 
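Review bot: finish_chain_section in the @@ -230 hunk ends with `[ -z "$NEWNOTSYN" ] && run_iptables ... -j newnotsyn`, so when NEWNOTSYN is set and the state list contains RELATED the function exits with status 1 although nothing failed, and a caller that combines it with `&&`/`||` (as the later SECTION handling in process_rules does via finish_section) can misread that. Close the function with an explicit `return 0` after the `fi`, or write the newnotsyn step as an `if`. The header comment should also record that the ACCEPT is suppressed under FASTACCEPT, e.g. `# Add the implicit ACCEPT rule (skipped when FASTACCEPT is set) and, when RELATED is in the state list, the newnotsyn rule at the end of a rules file section`.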
@@ -245,6 +272,15 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule run_iptables -N $1 if [ $2 = yes ]; then + case $SECTION in + NEW) + finish_chain_section $1 ESTABLISHED,RELATED + ;; + RELATED) + finish_chain_section $1 ESTABLISHED + ;; + esac + [ -z "$NEWNOTSYN" ] && \ run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn fi @@ -259,12 +295,20 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules if $IPTABLES -N $1; then if [ $2 = yes ]; then - [ -z "$NEWNOTSYN" ] && \ - run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn + case $SECTION in + NEW) + finish_chain_section $1 ESTABLISHED,RELATED + ;; + RELATED) + finish_chain_section $1 ESTABLISHED + ;; + esac + fi eval exists_${c}=Yes fi + } # @@ -2729,6 +2773,15 @@ setup_syn_flood_chain () run_iptables -A $chain -j DROP } +setup_syn_flood_chains() +{ + for chain in $ALL_POLICY_CHAINS; do + eval loglevel=\$${chain}_loglevel + eval synparams=\$${chain}_synparams + + [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel + done +} # # Enable SYN flood protection on a chain # @@ -5015,11 +5068,11 @@ process_rule() # $1 = target if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do - run_iptables -A $logchain $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain + run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain done addr= else - run_iptables -A $logchain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain + run_iptables -A $state $logchain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain fi cli= @@ -5028,6 +5081,7 @@ process_rule() # $1 = target multiport= dports= user= + state= } # Set source variables. The 'cli' variable will hold the client match predicate(s). 
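Review bot: In the @@ -245 hunk createchain now emits the newnotsyn rule twice when SECTION is NEW: `finish_chain_section $1 ESTABLISHED,RELATED` already appends it because RELATED is in the list, and the retained `[ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn` appends it again. The @@ -259 hunk removed that line from createchain2, so createchain should drop it too, otherwise the two chain constructors build different chains. If leaving the case without an ESTABLISHED arm is intended (finish_section adds the rules at the end of that section), a one-line comment on the `case $SECTION in` saying so would prevent someone "fixing" it.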
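Review bot: The else branch of the @@ -5015 hunk puts the state match before the chain name, `run_iptables -A $state $logchain ...`, so whenever $state is non-empty (ESTABLISHED and RELATED sections) the command becomes `-A -m state --state ESTABLISHED <logchain> ...` and iptables rejects it; the conntrack branch just above has the correct order. Change it to `run_iptables -A $logchain $state $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain`. process_rule starts and ends outside this hunk.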
@@ -5148,7 +5202,19 @@ process_rule() # $1 = target fatal_error "LOG requires log level" ;; esac - + + case $SECTION in + NEW) + state= + ;; + ESTABLISHED) + state="-m state --state ESTABLISHED" + ;; + RELATED) + state="-m state --state ESTABLISHED" + ;; + esac + if [ -n "${serv}${servport}" ]; then if [ $COMMAND != check ]; then @@ -5173,16 +5239,16 @@ process_rule() # $1 = target for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ - $user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) + $user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state fi - run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ + run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target done else if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ - $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) + $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state fi if [ -n "$nonat" ]; then @@ -5191,7 +5257,7 @@ process_rule() # $1 = target fi if [ "$logtarget" != NONAT ]; then - run_iptables2 -A $chain $proto $multiport $cli $sports \ + run_iptables2 -A $chain $state $proto $multiport $cli $sports \ $(dest_ip_range $srv) $dports $ratelimit $user -j $target fi fi @@ -5200,7 +5266,7 @@ process_rule() # $1 = target else if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ - $(fix_bang $proto $sports $multiport $cli $dports) + $(fix_bang $proto $sports $multiport $cli $dports) $state fi [ -n "$nonat" ] && \ 
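Review bot: The RELATED arm of the new `case $SECTION in` sets `state="-m state --state ESTABLISHED"`, identical to the ESTABLISHED arm, although the release notes in this commit say rules in that section apply to RELATED packets; since `SECTION RELATED` first runs finish_section ESTABLISHED, which appends an ACCEPT for ESTABLISHED to every chain, the RELATED section's rules can never match anything. It should read `state="-m state --state RELATED"`. The rules file header added by this commit also states that the ESTABLISHED and RELATED sections must be empty when FASTACCEPT=Yes, but nothing enforces it; adding `[ -n "$FASTACCEPT" ] && fatal_error "Rules are not allowed in the $SECTION SECTION when FASTACCEPT=Yes"` to the ESTABLISHED and RELATED arms would turn a silently ineffective rule into an error. process_rule continues outside this hunk.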
@@ -5226,7 +5292,7 @@ process_rule() # $1 = target for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ - $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) + $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) $state fi if [ "$logtarget" != LOG ]; then @@ -5236,7 +5302,7 @@ process_rule() # $1 = target fi if [ "$logtarget" != NONAT ]; then - run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ + run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target fi fi @@ -5244,7 +5310,7 @@ process_rule() # $1 = target else if [ -n "$loglevel" ]; then log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ - $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) + $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $state fi if [ "$logtarget" != LOG ]; then @@ -5254,7 +5320,7 @@ process_rule() # $1 = target fi if [ "$logtarget" != NONAT ]; then - run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ + run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ $sports $dports $ratelimit $user -j $target fi fi @@ -5372,6 +5438,7 @@ process_rule() # $1 = target case $target in ACCEPT+|NONAT) + [ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION" nonat=Yes target=ACCEPT ;; @@ -5387,10 +5454,12 @@ process_rule() # $1 = target target=RETURN ;; DNAT*|SAME*) + [ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION" target=ACCEPT address=${address:=detect} ;; REDIRECT*) + [ $SECTION = NEW ] || fatal_error "REDIRECT rules are not allowed in the $SECTION SECTION" target=ACCEPT address=${address:=all} if [ "x-" = "x$servers" ]; then 
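Review bot: The new `[ $SECTION = NEW ] || fatal_error "... not allowed in the $SECTION SECTION"` guards in the @@ -5372, @@ -5387 and @@ -5399 hunks reject the NAT-style targets outside the NEW section, but CONTINUE (the `target=RETURN` arm just above DNAT*) is neither listed as allowed in the release notes nor rejected here, so a CONTINUE in the ESTABLISHED or RELATED section is accepted and presumably leaves the chain before the section's implicit ACCEPT. Either add the same guard to that arm or document CONTINUE as allowed. Writing the test as `[ "$SECTION" = NEW ]` would also keep `[` from failing with a syntax error should SECTION ever be empty. process_rule starts and ends outside these hunks.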
@@ -5399,6 +5468,9 @@ process_rule() # $1 = target servers="$FW::$servers" fi ;; + *-) + [ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION" + ;; esac # Parse and validate source @@ -5778,6 +5850,8 @@ process_rules() # $1 = "Yes" if the target is a macro. { expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone= + [ -z "$SECTIONS" ] && SECTIONS="ESTABLISHED RELATED NEW" + case $xclients in all+) xclients=all @@ -5828,6 +5902,30 @@ process_rules() # $1 = "Yes" if the target is a macro. ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) do_it No ;; + SECTION) + list_search $xclients $SECTIONS && fatal_error "Duplicate or out of order SECTION $xclients" + + case $xclients in + ESTABLISHED) + SECTIONS=ESTABLISHED + ;; + RELATED) + finish_section ESTABLISHED + SECTIONS="ESTABLISHED RELATED" + ;; + NEW) + [ $SECTION = RELATED ] && finish_section RELATED || finish_section ESTABLISHED,RELATED + SECTIONS="ESTABLISHED RELATED NEW" + ;; + *) + fatal_error "Invalid SECTION $xclients" + ;; + esac + + [ -n "$xservers" ] && fatal_error "Invalid SECTION $xclients $xservers" + + SECTION=$xclients + ;; *) if list_search ${xtarget%%:*} $ACTIONS; then if ! list_search $xtarget $USEDACTIONS; then @@ -5871,6 +5969,17 @@ process_rules() # $1 = "Yes" if the target is a macro. esac done < $TMP_DIR/rules + + case $SECTION in + ESTABLISHED) + finish_section ESTABLISHED,RELATED + SECTION=NEW + ;; + RELATED) + finish_section RELATED + SECTION=NEW + ;; + esac } # 
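Review bot: `[ $SECTION = RELATED ] && finish_section RELATED || finish_section ESTABLISHED,RELATED` in the NEW arm of the @@ -5828 hunk is an if/else written with `&&`/`||`: if finish_section RELATED exits non-zero (it returns the status of the last `if havechain` it ran, and finish_chain_section's own status is 1 when NEWNOTSYN is set), the `||` branch also runs and a second ACCEPT for ESTABLISHED,RELATED is appended to every chain. Write it as `if [ $SECTION = RELATED ]; then finish_section RELATED; else finish_section ESTABLISHED,RELATED; fi`. The same arm also runs when `SECTION NEW` is the first header in the file (SECTION is initialised to NEW in @@ -8722), in which case chains created earlier already received their ACCEPT and newnotsyn rules from createchain, so they are duplicated; skipping the finish when SECTION is already NEW avoids that.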
@@ -7698,21 +7807,18 @@ apply_policy_rules() { for chain in $ALL_POLICY_CHAINS; do eval policy=\$${chain}_policy eval loglevel=\$${chain}_loglevel - eval synparams=\$${chain}_synparams eval optional=\$${chain}_is_optional [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel - if havechain $chain; then - [ -n "$synparams" ] && \ - run_iptables -I $chain 2 -p tcp --syn -j @$chain ### FIX ME ### + if havechain $chain ; then + [ -n "$synparms" ] && run_iptables -I $chain -p tcp --syn -j @$chain elif [ -z "$optional" -a "$policy" != CONTINUE ]; then # # The chain doesn't exist. Create the chain and add policy # rules # createchain $chain yes - # # If either client or server is 'all' then this MUST be # a policy chain and we must apply the appropriate policy rules @@ -8130,6 +8236,8 @@ define_firewall() # $1 = Command (Start or Restart) maclist_hosts=$(find_hosts_by_option maclist) [ -n "$maclist_hosts" ] && setup_mac_lists + setup_syn_flood_chains + echo "Processing $(find_file rules)..."; process_rules echo "Processing Actions..."; process_actions2 process_actions3 @@ -8722,7 +8830,7 @@ do_initialize() { STOPPING= HAVE_MUTEX= ALIASES_TO_ADD= - SECTION= + SECTION=NEW SECTIONS= FUNCTIONS=$SHARED_DIR/functions diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f169abdc4..288d1ef53 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
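Review bot: The rewritten `if havechain $chain ; then` body in the @@ -7698 hunk tests `$synparms` (missing an "a"), a variable nothing assigns, so the `-p tcp --syn -j @$chain` jump is no longer inserted into existing policy chains and SYN-flood protection is silently disabled for them; it should read `[ -n "$synparams" ] && run_iptables -I $chain -p tcp --syn -j @$chain`. The `eval synparams=\$${chain}_synparams` line was removed from this loop while `[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel` was kept, so that call now sees whatever the last iteration of setup_syn_flood_chains (@@ -2729, called from define_firewall in @@ -8130) left in the global and presumably runs for the wrong chains or not at all; either restore the eval or delete the line, since setup_syn_flood_chains now does this work. The insert position also changed from `-I $chain 2` to `-I $chain`, which places the jump ahead of whatever rule 1 is; if that is intended, a comment saying why would help the next reader.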
@@ -40,6 +40,38 @@ New Features in Shorewall 2.5.3
 #SOURCE DEST POLICY LOG LEVEL loc loc ACCEPT info
+5) Prior to Shorewall 2.5.3, the rules file only controlled packets in
+ the Netfilter states NEW and INVALID. Beginning with this release,
+ the rules file can also deal with packets in the ESTABLISHED and
+ RELATED states.
+
+ The /etc/shorewall/rules file may now be divided into
+ "sections". Each section is introduced by a line that begins with
+ the keyword SECTION which is followed by the section name. Sections
+ are as listed below and must appear in the order shown.
+
+ ESTABLISHED
+
+ Rules in this section apply to packets in the ESTABLISHED
+ state.
+
+ RELATED
+
+ Rules in this section apply to packets in the RELATED state.
+
+ NEW
+
+ Rules in this section apply to packets in the NEW and INVALID
+ states.
+
+ Rules in the ESTABLISHED and RELATED sections are limited to the
+ following ACTIONs:
+
+ ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.
+
+ Macros may be used in these sections provided that they expand to
+ only these ACTIONs.
+
 Problems Corrected in 2.5.2:
 1) You may now include port lists in in the /etc/shorewall/accounting
diff --git a/Shorewall/rules b/Shorewall/rules
index 64c4da6b9..60031fe12 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -19,6 +19,40 @@
 # you cannot use an ACCEPT rule to allow traffic from the internet to
 # that system. You *must* use a DNAT rule instead.
 #------------------------------------------------------------------------------
+#
+# The rules file is divided into sections. Each section is introduced by
+# a "Section Header" which is a line beginning with SECTION followed by the
+# section name.
+#
+# Sections are as follows and must appear in the order listed:
+#
+# ESTABLISHED Packets in the ESTABLISHED state are processed
+# by rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# RELATED Packets in the RELATED state are processed by
+# rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# NEW Packets in the NEW and INVALID states are
+# processed by rules in this section.
+#
+# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
+# ESTABLISHED and RELATED sections must be empty.
+#
+# You may omit any section that you don't need. If no Section Headers appear
+# in the file then all rules are assumed to be in the NEW section.
+#
 # Columns are:
 #
 # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@@ -370,4 +404,7 @@
 #############################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
 # PORT PORT(S) DEST LIMIT GROUP
+SECTION ESTABLISHED
+SECTION RELATED
+SECTION NEW
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
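Review bot: The new header in the @@ -19 hunk says the only ACTIONs allowed in the ESTABLISHED and RELATED sections are ACCEPT, DROP, REJECT, LOG and QUEUE, but the release notes in this same commit also allow user-defined actions (and macros that expand to them), and the firewall change rejects only the NAT-style targets, so the three texts disagree; `# ACCEPT, DROP, REJECT, LOG, QUEUE and user-defined actions` would match what the code accepts. The FASTACCEPT warning describes a constraint the script does not check (finish_chain_section merely skips the implicit ACCEPT when FASTACCEPT is set), so either state that rules placed in those sections under FASTACCEPT=Yes are ignored, or make it a requirement the script actually enforces.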