git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-07-21 22:02:34 +00:00
parent a8c7dd101d
commit 9188253bd4
5 changed files with 257 additions and 216 deletions


@ -376,23 +376,6 @@ flushmangle() # $1 = name of chain
run_iptables -t mangle -F $1
}
#
# Chain name base for an interface
#
chain_base() #$1 = interface
{
local c=${1%%+*}
case $c in
*.*)
echo ${c%.*}_${c#*.}
;;
*)
echo ${c:=common}
;;
esac
}
#
# Find interfaces to a given zone
#
@ -473,7 +456,7 @@ snat_chain() # $1 = zone
#
ecn_chain() # $1 = interface
{
echo ${1}_ecn
echo `chain_base $1`_ecn
}
#
@ -3472,13 +3455,25 @@ initialize_netfilter () {
createchain reject no
createchain dynamic no
for interface in $all_interfaces; do
chain=`dynamic_chain $interface`
createchain $chain no
iptables -A $chain -j dynamic
done
echo $all_interfaces > $STATEDIR/interfaces
if [ -f /var/lib/shorewall/save ]; then
echo "Restoring dynamic rules..."
while read target ignore1 ignore2 address rest; do
case $target in
DROP|reject)
run_iptables2 -A dynamic -s $address -j $target
chains=`dynamic_chains_by_address $address`
for chain in ${chains:-dynamic}; do
run_iptables2 -I $chain -s $address -j $target
done
;;
*)
;;
@ -3490,9 +3485,9 @@ initialize_netfilter () {
for interface in $all_interfaces; do
createchain `forward_chain $interface` no
run_iptables -A `forward_chain $interface` -j dynamic
run_iptables -A `forward_chain $interface` -j `dynamic_chain $interface`
createchain `input_chain $interface` no
run_iptables -A `input_chain $interface` -j dynamic
run_iptables -A `input_chain $interface` -j `dynamic_chain $interface`
done
}
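Review bot: The restore loop issues `run_iptables2 -A dynamic -s $address -j $target` and then `-I $chain` for every saved entry, so the distinction the save file carries between per-interface rules (`drop`) and `dynamic`-only rules (`dropall`) is lost on restore, and an address listed under more than one chain ends up with duplicate rules. Since save_dynamic_blacklist writes the listings chain by chain, the chain name can be taken from the `Chain <name> (...)` header lines as they are read instead of being re-derived from the routing table: add an arm `Chain) cur_chain=$ignore1 ;;` and replace the DROP|reject body with `run_iptables2 -A ${cur_chain:-dynamic} -s $address -j $target`. That also removes the dependence on the routing table being in the same state at restore as it was at `drop` time. initialize_netfilter starts and ends outside this hunk.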


@ -380,3 +380,129 @@ ip_vlsm() {
fi
}
#
# Chain name base for an interface
#
chain_base() #$1 = interface
{
local c=${1%%+*}
case $c in
*.*)
echo ${c%.*}_${c#*.}
;;
*)
echo ${c:=common}
;;
esac
}
#
# Dynamic Blacklisting Chain to an interface
#
dynamic_chain() # $1 = interface
{
echo `chain_base $1`_dyn
}
#
# Remove trailing digits from a name
#
strip_trailing_digits() {
echo $1 | sed s'/[0-9].*$//'
}
#
# Loosly Match the name of an interface
#
if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Name from routing table
{
local if_file=$1
local rt_table=$2
case $if_file in
*+)
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
;;
*)
test "$rt_table" = "$if_file"
;;
esac
}
#
# Find the value 'dev' in the passed arguments then echo the next value
#
find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}
#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#
find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_subnet ${1%/*} $addr && echo `find_device $rest`
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo `find_device $rest`
fi
;;
esac
done
}
#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo `find_device $rest` && return
done
}
#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#
find_interface_by_address() {
local dev="`find_rt_interface $1`"
local first rest
[ -z "$dev" ] && dev=`find_default_interface`
[ -n "$dev" ] && echo $dev
}
#
# Expands to a list of dynamic chains for the passed address
#
dynamic_chains_by_address()
{
local interface iface
interface=`find_interface_by_address $1`
[ -z "$interface" ] && echo dynamic && return
for iface in $all_interfaces; do
if_match $iface $interface && echo `dynamic_chain $iface`
done
}
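Review bot: In if_match the `*+)` arm compares `strip_trailing_digits $rt_table` with `${if_file%+}`, and strip_trailing_digits cuts at the first digit, so a wildcard whose stem contains a digit (`eth1+` against `eth10`) or whose stem is a proper prefix (`ppp+` against `pppoe0`) never matches, whereas iptables treats `+` as a plain prefix match; if that is the intended semantics, a prefix test such as `*+) case $rt_table in "${if_file%+}"*) true ;; *) false ;; esac ;;` would be consistent and would make strip_trailing_digits unnecessary. find_rt_interface can echo one interface per matching route, and dynamic_chains_by_address then passes `$interface` unquoted to if_match, so a second device becomes a stray third argument rather than being matched — presumably only the first is wanted, which a `head -1` or a `return` in the caller would make explicit. The `local first rest` in find_interface_by_address is unused and can be dropped.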


@ -12,8 +12,10 @@
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc


@ -2,180 +2,17 @@ This is a minor release of Shorewall.
Problems Corrected:
1) A problem seen on RH7.3 systems where Shorewall encountered start
errors when started using the "service" mechanism has been worked
around.
2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.
3) Corrected a problem in Beta 1 where DNS names containing a "-" were
mis-handled when they appeared in the DEST column of a rule.
4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
rules has been corrected.
5) The message "Adding rules for DHCP" is now suppressed if there are
no DHCP rules to add.
None.
Migration Issues:
1) In earlier versions, an undocumented feature allowed entries in
the host file as follows:
z eth1:192.168.1.0/24,eth2:192.168.2.0/24
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:
z eth1:192.168.1.0/24,192.168.2.0/24
2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).
1) Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow'
or 'save' commands.
New Features:
1) A 'newnotsyn' interface option has been added. This option may be
specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets other than the first
one on an interface.
4) DNAT[-] rules may now be used to load balance (round-robin) over a
set of servers. Any number of servers may be specified in a range of
addresses given as <first address>-<last address> and multiple
ranges or individual servers may be specified in a comma-separated
list.
Example:
DNAT net loc:192.168.10.2-192.168.10.5,192.168.10.44 tcp 80
5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The
output of the start, restart and check commands have been enhanced
to report the outcome:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Verifying Configuration...
6) Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in
netfilter's connection tracking table.
Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and
check commands.
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Verifying Configuration...
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:
a) To handle 'norfc1918' filtering, Shorewall will not create chains
in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).
b) Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table
is extended to check that the original destination address was the
same as specified (or defaulted to) in the DNAT rule.
7) The shell used to interpret the firewall script
(/usr/share/shorewall/firewall) may now be specified using the
SHOREWALL_SHELL parameter in shorewall.conf.
8) An 'ipcalc' command has been added to /sbin/shorewall.
ipcalc [ <address> <netmask> | <address>/<vlsm> ]
Examples:
[root@wookie root]# shorewall ipcalc 192.168.1.0/24
CIDR=192.168.1.0/24
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
[root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
CIDR=192.168.1.0/24
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
Warning:
If your shell only supports 32-bit signed arithmatic (ash or
dash), then the ipcalc command produces incorrect information for
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
correct information for all valid IP addresses.
9) An 'iprange' command has been added to /sbin/shorewall.
iprange <address>-<address>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to
construct an efficient set of rules that accept connections from a
range of network addresses.
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.
Example:
[root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/25
192.168.2.0/23
192.168.4.0/22
192.168.8.0/22
192.168.12.0/29
192.168.12.8/31
[root@gateway root]#
10) A list of host/net addresses is now allowed in an entry in
/etc/shorewall/hosts.
Example:
foo eth1:192.168.1.0/24,192.168.2.0/24
11) The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.
Example:
Policy for dmz to net is REJECT using chain all2all
This means that the policy for connections from the dmz to the
internet is REJECT and the applicable entry in the
/etc/shorewall/policy was the all->all policy.
12) Support for the 2.6 Kernel series has been added.
1) Shorewall now creates a dynamic blacklisting chain for each interface
defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is
to be used for blacklisting the specified IP address(es).


@ -517,6 +517,44 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done
}
#
# Load list of interfaces into the 'all_interfaces' variable
#
load_all_interfaces() {
if [ ! -f $STATEDIR/interfaces ] ; then
echo "ERROR: $STATEDIR/interfaces does not exist" >&2
mutex_off
exit 2
fi
read all_interfaces < $STATEDIR/interfaces
}
#
# Save Dynamic Blacklist
#
save_dynamic_blacklist() {
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
load_all_interfaces
> /var/lib/shorewall/save
for interface in $all_interfaces; do
if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/save; then
echo "Error Saving the Dynamic Rules"
return
fi
done
if iptables -L dynamic -n >> /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
else
echo "Error Saving the Dynamic Rules"
fi
}
#
# Give Usage Information
#
@ -540,8 +578,8 @@ usage() # $1 = exit status
echo " check"
echo " try <directory> [ <timeout> ]"
echo " logwatch [<refresh interval>]"
echo " drop <address> ..."
echo " reject <address> ..."
echo " drop|dropall <address> ..."
echo " reject|rejectall <address> ..."
echo " allow <address> ..."
echo " save"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -611,8 +649,6 @@ fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT=
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
@ -634,6 +670,8 @@ else
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then
@ -835,6 +873,18 @@ case "$1" in
drop)
[ $# -eq 1 ] && usage 1
mutex_on
load_all_interfaces
while [ $# -gt 1 ]; do
shift
chains=`dynamic_chains_by_address $1`
for chain in $chains; do
iptables -A $chain -s $1 -j DROP || break 1
echo "$1 Rejected in Chain $chain"
done
done
while [ $# -gt 1 ]; do
shift
iptables -A dynamic -s $1 -j DROP || break 1
@ -845,29 +895,66 @@ case "$1" in
reject)
[ $# -eq 1 ] && usage 1
mutex_on
load_all_interfaces
while [ $# -gt 1 ]; do
shift
iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
chains=`dynamic_chains_by_address $1`
for chain in $chains; do
iptables -A $chain -s $1 -j reject || break 1
echo "$1 Rejected in Chain $chain"
done
done
mutex_off
;;
allow)
[ $# -eq 1 ] && usage 1
mutex_on
load_all_interfaces
while [ $# -gt 1 ]; do
shift
if qt iptables -D dynamic -s $1 -j reject; then
#
# Address was rejected -- silently remove any drop as well
#
qt iptables -D dynamic -s $1 -j DROP
echo "$1 Allowed"
elif qt iptables -D dynamic -s $1 -j DROP; then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
chains=`dynamic_chains_by_address $1`
for chain in $chains; do
if qt iptables -D $chain -s $1 -j reject; then
#
# Address was rejected -- silently remove any drop as well
#
qt iptables -D $chain -s $1 -j DROP
echo "$1 Allowed in Chain $chain"
elif qt iptables -D $chain -s $1 -j DROP; then
echo "$1 Allowed in Chain $chain"
else
echo "$1 Not Dropped or Rejected in Chain $chain"
fi
done
done
mutex_off
;;
dropall)
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
shift
iptables -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped in Chain dynamic"
done
mutex_off
;;
rejectall)
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
shift
iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected in Chain dynamic"
done
mutex_off
;;
@ -875,13 +962,7 @@ case "$1" in
[ $# -ne 1 ] && usage 1
mutex_on
if qt iptables -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
else
echo "Error Saving the Dynamic Rules"
fi
save_dynamic_blacklist
else
echo "Shorewall isn't started"
fi
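Review bot: In save_dynamic_blacklist the per-interface listing `iptables -L \`dynamic_chain $interface\` >> /var/lib/shorewall/save` lacks the `-n` that the `dynamic` listing two lines below uses, so iptables resolves each saved source address through reverse DNS: the save file then holds hostnames where reverse lookup succeeds, the restore loop in initialize_netfilter feeds those back to `-s` (resolved forward at restore time, possibly to a different address), and the save itself can stall when DNS is unreachable; the fix is `if ! iptables -L \`dynamic_chain $interface\` -n >> /var/lib/shorewall/save; then`. The early `return` in that error path yields status 0, so the caller cannot distinguish failure from success; `return 1` would be more useful. In the `drop` arm the message `echo "$1 Rejected in Chain $chain"` reports a DROP as rejected — compare `dropall`, which prints "Dropped" — so it should read `echo "$1 Dropped in Chain $chain"`. The `case "$1" in` block enclosing these arms starts outside the hunks shown.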