Section the rules file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2563 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b800346eea
commit
07c152ab35
@ -13,6 +13,8 @@ Changes in 2.5.3
|
||||
|
||||
6) Clear the raw table on stop and [re]start
|
||||
|
||||
7) Section the rules file.
|
||||
|
||||
Changes in 2.5.2
|
||||
|
||||
1) Allow port lists in /etc/sorewall/accounting.
|
||||
|
@ -230,6 +230,33 @@ run_ipset() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Add the implicit ACCEPT rules at the end of a rules file section
|
||||
#
|
||||
finish_chain_section() # $1 = canonical chain $2 = state list
|
||||
{
|
||||
[ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT
|
||||
if list_search RELATED $(separate_list $2) ; then
|
||||
[ -z "$NEWNOTSYN" ] && run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
fi
|
||||
}
|
||||
|
||||
finish_section() # $1 = Section(s)
|
||||
{
|
||||
local zone zone1 chain
|
||||
|
||||
if [ "$COMMAND" != check ]; then
|
||||
for zone in $ZONES $FW; do
|
||||
for zone1 in $ZONES $FW; do
|
||||
chain=${zone}2${zone1}
|
||||
if havechain $chain; then
|
||||
finish_chain_section $chain $1
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Create a filter chain
|
||||
#
|
||||
@ -245,6 +272,15 @@ createchain() # $1 = chain name, $2 = If "yes", create newnotsyn rule
|
||||
run_iptables -N $1
|
||||
|
||||
if [ $2 = yes ]; then
|
||||
case $SECTION in
|
||||
NEW)
|
||||
finish_chain_section $1 ESTABLISHED,RELATED
|
||||
;;
|
||||
RELATED)
|
||||
finish_chain_section $1 ESTABLISHED
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -z "$NEWNOTSYN" ] && \
|
||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
fi
|
||||
@ -259,12 +295,20 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
if $IPTABLES -N $1; then
|
||||
|
||||
if [ $2 = yes ]; then
|
||||
[ -z "$NEWNOTSYN" ] && \
|
||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
case $SECTION in
|
||||
NEW)
|
||||
finish_chain_section $1 ESTABLISHED,RELATED
|
||||
;;
|
||||
RELATED)
|
||||
finish_chain_section $1 ESTABLISHED
|
||||
;;
|
||||
esac
|
||||
|
||||
fi
|
||||
|
||||
eval exists_${c}=Yes
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -2729,6 +2773,15 @@ setup_syn_flood_chain ()
|
||||
run_iptables -A $chain -j DROP
|
||||
}
|
||||
|
||||
setup_syn_flood_chains()
|
||||
{
|
||||
for chain in $ALL_POLICY_CHAINS; do
|
||||
eval loglevel=\$${chain}_loglevel
|
||||
eval synparams=\$${chain}_synparams
|
||||
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||
done
|
||||
}
|
||||
#
|
||||
# Enable SYN flood protection on a chain
|
||||
#
|
||||
@ -5015,11 +5068,11 @@ process_rule() # $1 = target
|
||||
|
||||
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||
for adr in $(separate_list $addr); do
|
||||
run_iptables -A $logchain $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
|
||||
run_iptables -A $logchain $state $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $chain
|
||||
done
|
||||
addr=
|
||||
else
|
||||
run_iptables -A $logchain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
|
||||
run_iptables -A $state $logchain $(fix_bang $cli $proto $sports $multiport $dports) $user -j $chain
|
||||
fi
|
||||
|
||||
cli=
|
||||
@ -5028,6 +5081,7 @@ process_rule() # $1 = target
|
||||
multiport=
|
||||
dports=
|
||||
user=
|
||||
state=
|
||||
}
|
||||
|
||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||
@ -5149,6 +5203,18 @@ process_rule() # $1 = target
|
||||
;;
|
||||
esac
|
||||
|
||||
case $SECTION in
|
||||
NEW)
|
||||
state=
|
||||
;;
|
||||
ESTABLISHED)
|
||||
state="-m state --state ESTABLISHED"
|
||||
;;
|
||||
RELATED)
|
||||
state="-m state --state ESTABLISHED"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "${serv}${servport}" ]; then
|
||||
if [ $COMMAND != check ]; then
|
||||
|
||||
@ -5173,16 +5239,16 @@ process_rule() # $1 = target
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
|
||||
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
|
||||
fi
|
||||
|
||||
run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \
|
||||
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
|
||||
fi
|
||||
|
||||
if [ -n "$nonat" ]; then
|
||||
@ -5191,7 +5257,7 @@ process_rule() # $1 = target
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports $ratelimit $user -j $target
|
||||
fi
|
||||
fi
|
||||
@ -5200,7 +5266,7 @@ process_rule() # $1 = target
|
||||
else
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||
$(fix_bang $proto $sports $multiport $cli $dports) $state
|
||||
fi
|
||||
|
||||
[ -n "$nonat" ] && \
|
||||
@ -5226,7 +5292,7 @@ process_rule() # $1 = target
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) $state
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
@ -5236,7 +5302,7 @@ process_rule() # $1 = target
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target
|
||||
fi
|
||||
fi
|
||||
@ -5244,7 +5310,7 @@ process_rule() # $1 = target
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $state
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
@ -5254,7 +5320,7 @@ process_rule() # $1 = target
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $user -j $target
|
||||
fi
|
||||
fi
|
||||
@ -5372,6 +5438,7 @@ process_rule() # $1 = target
|
||||
|
||||
case $target in
|
||||
ACCEPT+|NONAT)
|
||||
[ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION"
|
||||
nonat=Yes
|
||||
target=ACCEPT
|
||||
;;
|
||||
@ -5387,10 +5454,12 @@ process_rule() # $1 = target
|
||||
target=RETURN
|
||||
;;
|
||||
DNAT*|SAME*)
|
||||
[ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION"
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
REDIRECT*)
|
||||
[ $SECTION = NEW ] || fatal_error "REDIRECT rules are not allowed in the $SECTION SECTION"
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
if [ "x-" = "x$servers" ]; then
|
||||
@ -5399,6 +5468,9 @@ process_rule() # $1 = target
|
||||
servers="$FW::$servers"
|
||||
fi
|
||||
;;
|
||||
*-)
|
||||
[ $SECTION = NEW ] || fatal_error "$target rules are not allowed in the $SECTION SECTION"
|
||||
;;
|
||||
esac
|
||||
|
||||
# Parse and validate source
|
||||
@ -5778,6 +5850,8 @@ process_rules() # $1 = "Yes" if the target is a macro.
|
||||
{
|
||||
expandv xprotocol xports xcports xaddress xratelimit xuserspec intrazone=
|
||||
|
||||
[ -z "$SECTIONS" ] && SECTIONS="ESTABLISHED RELATED NEW"
|
||||
|
||||
case $xclients in
|
||||
all+)
|
||||
xclients=all
|
||||
@ -5828,6 +5902,30 @@ process_rules() # $1 = "Yes" if the target is a macro.
|
||||
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
|
||||
do_it No
|
||||
;;
|
||||
SECTION)
|
||||
list_search $xclients $SECTIONS && fatal_error "Duplicate or out of order SECTION $xclients"
|
||||
|
||||
case $xclients in
|
||||
ESTABLISHED)
|
||||
SECTIONS=ESTABLISHED
|
||||
;;
|
||||
RELATED)
|
||||
finish_section ESTABLISHED
|
||||
SECTIONS="ESTABLISHED RELATED"
|
||||
;;
|
||||
NEW)
|
||||
[ $SECTION = RELATED ] && finish_section RELATED || finish_section ESTABLISHED,RELATED
|
||||
SECTIONS="ESTABLISHED RELATED NEW"
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid SECTION $xclients"
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "$xservers" ] && fatal_error "Invalid SECTION $xclients $xservers"
|
||||
|
||||
SECTION=$xclients
|
||||
;;
|
||||
*)
|
||||
if list_search ${xtarget%%:*} $ACTIONS; then
|
||||
if ! list_search $xtarget $USEDACTIONS; then
|
||||
@ -5871,6 +5969,17 @@ process_rules() # $1 = "Yes" if the target is a macro.
|
||||
|
||||
esac
|
||||
done < $TMP_DIR/rules
|
||||
|
||||
case $SECTION in
|
||||
ESTABLISHED)
|
||||
finish_section ESTABLISHED,RELATED
|
||||
SECTION=NEW
|
||||
;;
|
||||
RELATED)
|
||||
finish_section RELATED
|
||||
SECTION=NEW
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
@ -7698,21 +7807,18 @@ apply_policy_rules() {
|
||||
for chain in $ALL_POLICY_CHAINS; do
|
||||
eval policy=\$${chain}_policy
|
||||
eval loglevel=\$${chain}_loglevel
|
||||
eval synparams=\$${chain}_synparams
|
||||
eval optional=\$${chain}_is_optional
|
||||
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||
|
||||
if havechain $chain ; then
|
||||
[ -n "$synparams" ] && \
|
||||
run_iptables -I $chain 2 -p tcp --syn -j @$chain ### FIX ME ###
|
||||
[ -n "$synparms" ] && run_iptables -I $chain -p tcp --syn -j @$chain
|
||||
elif [ -z "$optional" -a "$policy" != CONTINUE ]; then
|
||||
#
|
||||
# The chain doesn't exist. Create the chain and add policy
|
||||
# rules
|
||||
#
|
||||
createchain $chain yes
|
||||
|
||||
#
|
||||
# If either client or server is 'all' then this MUST be
|
||||
# a policy chain and we must apply the appropriate policy rules
|
||||
@ -8130,6 +8236,8 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
maclist_hosts=$(find_hosts_by_option maclist)
|
||||
[ -n "$maclist_hosts" ] && setup_mac_lists
|
||||
|
||||
setup_syn_flood_chains
|
||||
|
||||
echo "Processing $(find_file rules)..."; process_rules
|
||||
echo "Processing Actions..."; process_actions2
|
||||
process_actions3
|
||||
@ -8722,7 +8830,7 @@ do_initialize() {
|
||||
STOPPING=
|
||||
HAVE_MUTEX=
|
||||
ALIASES_TO_ADD=
|
||||
SECTION=
|
||||
SECTION=NEW
|
||||
SECTIONS=
|
||||
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
|
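Review bot: The line that replaces the `### FIX ME ###` insert in apply_policy_rules tests `$synparms`, but the variable filled by `eval synparams=\$${chain}_synparams` just above is `$synparams`, so the guard is always empty and a policy chain that already exists never receives the `-p tcp --syn -j @$chain` jump — SYN-flood protection is silently lost for every zone pair that has rules; it should read `[ -n "$synparams" ] && run_iptables -I $chain -p tcp --syn -j @$chain`. In process_rule, the non-conntrack log-chain line places the state match before the chain name, `run_iptables -A $state $logchain …`, which is not valid iptables syntax whenever `$state` is non-empty (ESTABLISHED/RELATED sections); the conntrack branch immediately above it has the intended order, `-A $logchain $state …`. As far as I can tell, `[ -z "$SECTIONS" ] && SECTIONS="ESTABLISHED RELATED NEW"` at the top of process_rules pre-populates the seen-sections list that the SECTION handler later checks with `list_search $xclients $SECTIONS && fatal_error "Duplicate or out of order SECTION …"`, so the first `SECTION ESTABLISHED` header would be rejected — worth confirming against list_search, which is outside these hunks. apply_policy_rules, process_rule and process_rules all start and end outside the hunks shown.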
@ -40,6 +40,38 @@ New Features in Shorewall 2.5.3
|
||||
#SOURCE DEST POLICY LOG LEVEL
|
||||
loc loc ACCEPT info
|
||||
|
||||
5) Prior to Shorewall 2.5.3, the rules file only controlled packets in
|
||||
the Netfilter states NEW and INVALID. Beginning with this release,
|
||||
the rules file can also deal with packets in the ESTABLISHED and
|
||||
RELATED states.
|
||||
|
||||
The /etc/shorewall/rules file may now be divided into
|
||||
"sections". Each section is introduced by a line that begins with
|
||||
the keyword SECTION which is followed by the section name. Sections
|
||||
are as listed below and must appear in the order shown.
|
||||
|
||||
ESTABLISHED
|
||||
|
||||
Rules in this section apply to packets in the ESTABLISHED
|
||||
state.
|
||||
|
||||
RELATED
|
||||
|
||||
Rules in this section apply to packets in the RELATED state.
|
||||
|
||||
NEW
|
||||
|
||||
Rules in this section apply to packets in the NEW and INVALID
|
||||
states.
|
||||
|
||||
Rules in the ESTABLISHED and RELATED sections are limited to the
|
||||
following ACTIONs:
|
||||
|
||||
ACCEPT, DROP, REJECT, QUEUE, LOG and User-defined actions.
|
||||
|
||||
Macros may be used in these sections provided that they expand to
|
||||
only these ACTIONs.
|
||||
|
||||
Problems Corrected in 2.5.2:
|
||||
|
||||
1) You may now include port lists in in the /etc/shorewall/accounting
|
||||
|
@ -19,6 +19,40 @@
|
||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||
# that system. You *must* use a DNAT rule instead.
|
||||
#------------------------------------------------------------------------------
|
||||
#
|
||||
# The rules file is divided into sections. Each section is introduced by
|
||||
# a "Section Header" which is a line beginning with SECTION followed by the
|
||||
# section name.
|
||||
#
|
||||
# Sections are as follows and must appear in the order listed:
|
||||
#
|
||||
# ESTABLISHED Packets in the ESTABLISHED state are processed
|
||||
# by rules in this section.
|
||||
#
|
||||
# The only ACTIONs allowed in this section are
|
||||
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||
#
|
||||
# There is an implicit ACCEPT rule inserted
|
||||
# at the end of this section.
|
||||
#
|
||||
# RELATED Packets in the RELATED state are processed by
|
||||
# rules in this section.
|
||||
#
|
||||
# The only ACTIONs allowed in this section are
|
||||
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||
#
|
||||
# There is an implicit ACCEPT rule inserted
|
||||
# at the end of this section.
|
||||
#
|
||||
# NEW Packets in the NEW and INVALID states are
|
||||
# processed by rules in this section.
|
||||
#
|
||||
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||
# ESTABLISHED and RELATED sections must be empty.
|
||||
#
|
||||
# You may omit any section that you don't need. If no Section Headers appear
|
||||
# in the file then all rules are assumed to be in the NEW section.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
@ -370,4 +404,7 @@
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
SECTION ESTABLISHED
|
||||
SECTION RELATED
|
||||
SECTION NEW
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
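Review bot: The template's warning that the ESTABLISHED and RELATED sections must be empty when FASTACCEPT=Yes is not enforced anywhere in this commit's script hunks: finish_chain_section only skips the implicit ACCEPT under FASTACCEPT, and the new `[ $SECTION = NEW ] || fatal_error …` guards in process_rule cover only DNAT/SAME/REDIRECT/NONAT/`-` targets, so rules placed in those sections are accepted and (presumably, if the fast ACCEPT precedes them) never match. Either process_rule should reject them, e.g. `[ -n "$FASTACCEPT" -a "$SECTION" != NEW ] && fatal_error "Rules are not permitted in the $SECTION section when FASTACCEPT=Yes"`, or the template comment should state that such rules are silently ineffective rather than only that the sections "must be empty".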