diff --git a/Shorewall/firewall b/Shorewall/firewall
index 0b6f78332..2291216a5 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1966,6 +1966,7 @@ add_nat_rule() {
 #
 add_a_rule()
 {
+ local natrule=
 rule_error() {
 fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\""
@@ -1975,7 +1976,7 @@ add_a_rule()
 cli=
- [ -n "$client" ] && case "$client" in
+ case "$client" in
 -) ;;
 *:*)
@@ -1988,7 +1989,7 @@ add_a_rule()
 cli=`mac_match $client`
 ;;
 *)
- cli="-i $client"
+ [ -n "$client" ] && cli="-i $client"
 ;;
 esac
@@ -1997,7 +1998,7 @@ add_a_rule()
 dest_interface=
 serv=
- [ -n "$server" ] && case "$server" in
+ case "$server" in
 -) ;;
 *.*.*)
@@ -2007,7 +2008,7 @@ add_a_rule()
 fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 ;;
 *)
- dest_interface="-o $server"
+ [ -n "$server" ] && dest_interface="-o $server"
 ;;
 esac
@@ -2073,10 +2074,12 @@ add_a_rule()
 [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
 " specify a server IP; rule: \"$rule\""
 servport=${servport:=$port}
+ natrule=Yes
 ;;
 DNAT)
 [ -n "$serv" ] || fatal_error "DNAT rules require a" \
 " server address; rule: \"$rule\""
+ natrule=Yes
 ;;
 LOG)
 [ -z "$loglevel" ] && fatal_error "LOG requires log level"
@@ -2095,19 +2098,11 @@ add_a_rule()
 # A specific server or server port given
- case "$logtarget" in
- REDIRECT|DNAT)
+ if [ -n "$natrule" ]; then
 add_nat_rule
- ;;
- *)
- if [ -n "$addr" -a "$addr" != "$serv" ]; then
- rule_error
- elif [ -n "$servport" -a "$servport" != "$port" ]; then
- rule_error
- fi
-
- ;;
- esac
+ elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
+ rule_error
+ fi
 if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
 serv="${serv:+-d $serv}"
@@ -2289,8 +2284,6 @@ process_rule() # $1 = target
 return
 ;;
 esac
- else
- [ $command = check ] || ensurechain $chain
 fi
 # Generate Netfilter rule(s)
diff --git a/Shorewall/rules b/Shorewall/rules
index fae892632..5cc3c328e 100755
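Review bot: In the `-1988` hunk, `[ -n "$client" ] && cli="-i $client"` is now the only command of the `*)` arm, so whenever `client` is empty the whole `case` finishes with a non-zero status, which a later `$?` check or an errexit setting (neither visible here) would read as a failure; the `-2007` hunk introduces the same pattern for `$server`. Writing the guard as a statement keeps the status neutral: `if [ -n "$client" ]; then cli="-i $client"; fi`. For an empty `client` the arm leaves `cli` unset just as the removed pre-`case` guard did, so the visible behaviour change is limited to that exit status. add_a_rule's body continues outside the hunk.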
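Review bot: The two `natrule=Yes` lines in the `-2073` hunk carry state that the test further down (`if [ -n "$natrule" ]` in the `-2095` hunk) depends on, but nothing at the assignment says so; a comment such as `# flag: this target needs a NAT rule, consumed by the add_nat_rule test below` on the first one would stop a future target arm from silently missing it. The flag is cleared by `local natrule=` at the top of add_a_rule (`-1966` hunk), so it cannot leak from one rule to the next. The `case` these arms belong to starts above the hunk, so its selector is not visible; if it is not `$logtarget`, the set of rules that now reach add_nat_rule differs from the removed `case "$logtarget" in REDIRECT|DNAT)` and should be confirmed.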
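Review bot: The merged condition in the `-2095` hunk, `[ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]`, relies on the `-a` operator of `test`, which POSIX marks obsolescent and which becomes ambiguous when an operand can itself look like an operator (a value beginning with `!`, for instance); separate tests express the same logic without that risk: `elif { [ -n "$addr" ] && [ "$addr" != "$serv" ]; } || { [ -n "$servport" ] && [ "$servport" != "$port" ]; }; then`. The `if`/`elif`/`fi` is otherwise a faithful flattening of the removed `case`, since both branches of the old `*)` arm called `rule_error`. The enclosing block and the following `if [ -z "$dnat_only" ...` run on outside the hunk.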
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -170,13 +170,16 @@
 # specified in the DEST column.
 #
 # A comma-separated list of addresses may also be used.
-# This is usually most useful with the REDIRECT target.
+# This is usually most useful with the REDIRECT target
+# where you want to redirect traffic destined for
+# particular set of hosts.
+
 # Finally, if the list of addresses begins with "!" then
 # the rule will be followed only if the original
 # destination address in the connection request does not
 # match any of the addresses listed.
 #
-# The address may optionally be followed by
+# The address (list) may optionally be followed by
 # a colon (":") and a second IP address. This causes
 # Shorewall to use the second IP address as the source
 # address in forwarded packets. See the Shorewall
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index 44f0f2e8b..28531439a 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -756,7 +756,7 @@ case "$1" in
 echo " HITS PORT SERVICE(S)"
 echo " ---- ----- ----------"
- grep '${LOGFORMAT}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
+ grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
 while read count port ; do
 # List all services defined for the given port
 srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
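Review bot: The new `grep "$LOGFORMAT.*DPT" $LOGFILE` in the `-756` hunk expands `$LOGFORMAT` into a basic regular expression, so any `.`, `*`, `[` or `\` in the configured value acts as a regex operator rather than matching literally, and `$LOGFILE` is still unquoted, so a path containing whitespace splits into several arguments. Matching the prefix literally and quoting the file avoids both: `grep -F -- "$LOGFORMAT" "$LOGFILE" | grep DPT | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \`. The old single-quoted pattern never expanded `${LOGFORMAT}` at all, so the change is a genuine fix of the log-prefix match; the `case "$1"` arm this pipeline belongs to continues outside the hunk.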