mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-12 18:54:25 +01:00
Implement DETECT_IPADDRS parameter
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@128 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
350426f983
commit
90b701de4d
@ -422,7 +422,7 @@ determine_interfaces() {
|
||||
# Determine the defined hosts in each zone and generate report #
|
||||
################################################################################
|
||||
determine_hosts() {
|
||||
do_a_zone() # $1 = zone name
|
||||
do_a_zone()
|
||||
{
|
||||
eval interfaces=\$${zone}_interfaces
|
||||
|
||||
@ -435,16 +435,40 @@ determine_hosts() {
|
||||
done
|
||||
}
|
||||
|
||||
recalculate_hosts()
|
||||
{
|
||||
interfaces=
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
if ! list_search $interface $interfaces; then
|
||||
if [ -z "$interfaces" ]; then
|
||||
interfaces=$interface
|
||||
else
|
||||
interfaces="$interfaces $interface"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
eval ${zone}_interfaces="\$interfaces"
|
||||
}
|
||||
|
||||
for zone in $zones; do
|
||||
hosts=`find_hosts $zone`
|
||||
hosts=`echo $hosts` # Remove extra trash
|
||||
|
||||
if [ -z "$hosts" ]; then
|
||||
if [ -n "$hosts" ]; then
|
||||
####################################################################
|
||||
# Zone is defined in terms of hosts -- derive the interface list
|
||||
# from the host list
|
||||
#
|
||||
recalculate_hosts
|
||||
else
|
||||
####################################################################
|
||||
# If no hosts are defined for a zone then the zone consists of any
|
||||
# host that can send us messages via the interfaces to the zone
|
||||
#
|
||||
do_a_zone $zone
|
||||
do_a_zone
|
||||
fi
|
||||
|
||||
eval ${zone}_hosts="\$hosts"
|
||||
@ -698,7 +722,7 @@ validate_rule() {
|
||||
case $target in
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
address=${address:=detect}
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
@ -878,6 +902,27 @@ find_broadcasts() {
|
||||
done < $TMP_DIR/interfaces
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Find interface address--returns the first IP address assigned to the passed #
|
||||
# device #
|
||||
################################################################################
|
||||
find_interface_address() # $1 = interface
|
||||
{
|
||||
#
|
||||
# get the line of output containing the first IP address
|
||||
#
|
||||
addr=`ip addr show $1 2> /dev/null | grep inet | head -n1`
|
||||
#
|
||||
# If there wasn't one, bail out now
|
||||
#
|
||||
[ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
|
||||
#
|
||||
# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
|
||||
# along with everything else on the line
|
||||
#
|
||||
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Find interfaces that have the passed option specified #
|
||||
################################################################################
|
||||
@ -1170,8 +1215,8 @@ setup_syn_flood_chain ()
|
||||
|
||||
run_iptables -N @$chain
|
||||
run_iptables -A @$chain \
|
||||
-m limit --limit $limit --limit-burst $limit_burst \
|
||||
-j RETURN
|
||||
-m limit --limit $limit --limit-burst $limit_burst \
|
||||
-j RETURN
|
||||
run_iptables -A @$chain -j DROP
|
||||
}
|
||||
|
||||
@ -1439,7 +1484,22 @@ add_nat_rule() {
|
||||
|
||||
# Set original destination address
|
||||
|
||||
[ "$addr" = "all" ] && addr= || addr=${addr:+-d $addr}
|
||||
case $addr in
|
||||
all)
|
||||
addr=
|
||||
;;
|
||||
detect)
|
||||
addr=
|
||||
if [ -n "$DETECT_IPADDRS" && "$source"! = "$FW" ]; then
|
||||
eval interfaces=\$${source}_interfaces
|
||||
for interface in $interfaces; do
|
||||
addr="`find_interface_address $interface` $addr"
|
||||
done
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
addr=${addr:-0.0.0.0/0}
|
||||
|
||||
# Select target
|
||||
|
||||
@ -1453,7 +1513,7 @@ add_nat_rule() {
|
||||
# Generate nat table rules
|
||||
|
||||
if [ "$source" = "$FW" ]; then
|
||||
run_iptables -t nat -A OUTPUT $proto $sports $addr \
|
||||
run_iptables -t nat -A OUTPUT $proto $sports -d addr
|
||||
$multiport $dports -j $target1
|
||||
else
|
||||
chain=`dnat_chain $source`
|
||||
@ -1466,14 +1526,18 @@ add_nat_rule() {
|
||||
for z in $excludezones; do
|
||||
eval hosts=\$${z}_hosts
|
||||
for host in $hosts; do
|
||||
addnatrule $chain $proto -s ${host#*:} \
|
||||
$multiport $sports $addr $dports -j RETURN
|
||||
for adr in $addr; do
|
||||
addnatrule $chain $proto -s ${host#*:} \
|
||||
$multiport $sports -d $adr $dports -j RETURN
|
||||
done
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
addnatrule $chain $proto $cli $sports \
|
||||
$multiport $addr $dports -j $target1
|
||||
|
||||
for adr in $addr; do
|
||||
addnatrule $chain $proto $cli $sports \
|
||||
-d $adr $multiport $dports -j $target1
|
||||
done
|
||||
fi
|
||||
|
||||
# Replace destination port by the new destination port
|
||||
@ -1697,7 +1761,7 @@ process_rule() {
|
||||
case $target in
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
address=${address:=detect}
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
@ -3249,6 +3313,7 @@ do_initialize() {
|
||||
ROUTE_FILTER=
|
||||
NAT_BEFORE_RULES=
|
||||
MULTIPORT=
|
||||
DETECT_IPADDRS=
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
@ -3322,6 +3387,7 @@ do_initialize() {
|
||||
ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
|
||||
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
|
||||
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
|
||||
DETECT_IPADDRS=`added_param_value_no DETECT_IPADDRS $DETECT_IPADDRS`
|
||||
}
|
||||
|
||||
################################################################################
|
||||
|
||||
@ -228,4 +228,33 @@ NAT_BEFORE_RULES=Yes
|
||||
|
||||
MULTIPORT=No
|
||||
|
||||
# IP ADDRESS DETECTION
|
||||
#
|
||||
# Normally when Shorewall encounters the following rule:
|
||||
#
|
||||
# DNAT net loc:192.168.1.3 tcp 80
|
||||
#
|
||||
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
||||
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
||||
# convenient for two reasons:
|
||||
#
|
||||
# a) If the the network interface has a dynamic IP address, the
|
||||
# firewall configuration will work even when the address
|
||||
# changes.
|
||||
#
|
||||
# b) It saves having to configure the IP address in the rule
|
||||
# while still allowing the firewall to be started before the
|
||||
# internet interface is brought up.
|
||||
#
|
||||
# This default behavior can also have a negative effect. If the
|
||||
# internet interface has more than one IP address then the above
|
||||
# rule will forward connection requests on all of these addresses;
|
||||
# that may not be what is desired.
|
||||
#
|
||||
# By setting DETECT_IPADDRS=Yes, rules such as the above will apply
|
||||
# only if the original destination address is the primary IP address of
|
||||
# one of the interfaces associated with the source zone.
|
||||
|
||||
DETECT_IPADDRS=No
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
||||
Loading…
Reference in New Issue
Block a user