git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a8c7dd101d
commit
9188253bd4
@ -376,23 +376,6 @@ flushmangle() # $1 = name of chain
|
||||
run_iptables -t mangle -F $1
|
||||
}
|
||||
|
||||
#
|
||||
# Chain name base for an interface
|
||||
#
|
||||
chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
case $c in
|
||||
*.*)
|
||||
echo ${c%.*}_${c#*.}
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Find interfaces to a given zone
|
||||
#
|
||||
@ -473,7 +456,7 @@ snat_chain() # $1 = zone
|
||||
#
|
||||
ecn_chain() # $1 = interface
|
||||
{
|
||||
echo ${1}_ecn
|
||||
echo `chain_base $1`_ecn
|
||||
}
|
||||
|
||||
#
|
||||
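Review bot: With `echo \`chain_base $1\`_ecn` the ECN chain name no longer distinguishes a wildcard entry from its base, because chain_base drops everything from the first `+`; if both `eth0` and `eth0+` can appear in the interfaces file they now share a single `eth0_ecn` chain where the previous `${1}_ecn` kept them apart, and `eth0.1` becomes `eth0_1_ecn`. This is presumably intended for consistency with dynamic_chain, which derives its name the same way, but the function header should say so: `# Name derived via chain_base: 'eth0' and 'eth0+' share one chain, '.' becomes '_'`. ecn_chain is shown in full; its callers are outside the hunk.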
@ -3472,13 +3455,25 @@ initialize_netfilter () {
|
||||
createchain reject no
|
||||
createchain dynamic no
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
chain=`dynamic_chain $interface`
|
||||
createchain $chain no
|
||||
iptables -A $chain -j dynamic
|
||||
done
|
||||
|
||||
echo $all_interfaces > $STATEDIR/interfaces
|
||||
|
||||
if [ -f /var/lib/shorewall/save ]; then
|
||||
echo "Restoring dynamic rules..."
|
||||
|
||||
while read target ignore1 ignore2 address rest; do
|
||||
case $target in
|
||||
DROP|reject)
|
||||
run_iptables2 -A dynamic -s $address -j $target
|
||||
chains=`dynamic_chains_by_address $address`
|
||||
|
||||
for chain in ${chains:-dynamic}; do
|
||||
run_iptables2 -I $chain -s $address -j $target
|
||||
done
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
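Review bot: `iptables -A $chain -j dynamic` on the newly created per-interface chain is the one call in this hunk that bypasses run_iptables/run_iptables2, so if that append fails the global `dynamic` chain is silently never linked into `<iface>_dyn` and addresses added with dropall/rejectall would not be blocked on that interface; run_iptables is defined outside the hunk, but the surrounding lines rely on it for error reporting. Use `run_iptables -A $chain -j dynamic` like the createchain/forward_chain lines around it. A smaller point: the restore loop inserts with `run_iptables2 -I $chain` while the `drop` command appends with `-A`; the effect is the same for terminating DROP/reject rules, but a one-line comment saying so would stop the next reader from hunting for a reason. initialize_netfilter continues outside the hunk.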
@ -3490,9 +3485,9 @@ initialize_netfilter () {
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
createchain `forward_chain $interface` no
|
||||
run_iptables -A `forward_chain $interface` -j dynamic
|
||||
run_iptables -A `forward_chain $interface` -j `dynamic_chain $interface`
|
||||
createchain `input_chain $interface` no
|
||||
run_iptables -A `input_chain $interface` -j dynamic
|
||||
run_iptables -A `input_chain $interface` -j `dynamic_chain $interface`
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -380,3 +380,129 @@ ip_vlsm() {
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
#
|
||||
# Chain name base for an interface
|
||||
#
|
||||
chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
case $c in
|
||||
*.*)
|
||||
echo ${c%.*}_${c#*.}
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Dynamic Blacklisting Chain to an interface
|
||||
#
|
||||
dynamic_chain() # $1 = interface
|
||||
{
|
||||
echo `chain_base $1`_dyn
|
||||
}
|
||||
|
||||
#
|
||||
# Remove trailing digits from a name
|
||||
#
|
||||
strip_trailing_digits() {
|
||||
echo $1 | sed s'/[0-9].*$//'
|
||||
}
|
||||
|
||||
#
|
||||
# Loosly Match the name of an interface
|
||||
#
|
||||
|
||||
if_match() # $1 = Name in interfaces file - may end in "+"
|
||||
# $2 = Name from routing table
|
||||
{
|
||||
local if_file=$1
|
||||
local rt_table=$2
|
||||
|
||||
case $if_file in
|
||||
*+)
|
||||
test "`strip_trailing_digits $rt_table`" = "${if_file%+}"
|
||||
;;
|
||||
*)
|
||||
test "$rt_table" = "$if_file"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Find the value 'dev' in the passed arguments then echo the next value
|
||||
#
|
||||
|
||||
find_device() {
|
||||
while [ $# -gt 1 ]; do
|
||||
[ "x$1" = xdev ] && echo $2 && return
|
||||
shift
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the interfaces that have a route to the passed address - the default
|
||||
# route is not used.
|
||||
#
|
||||
|
||||
find_rt_interface() {
|
||||
ip route ls | while read addr rest; do
|
||||
case $addr in
|
||||
*/*)
|
||||
in_subnet ${1%/*} $addr && echo `find_device $rest`
|
||||
;;
|
||||
default)
|
||||
;;
|
||||
*)
|
||||
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
|
||||
echo `find_device $rest`
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Find the default route's interface
|
||||
#
|
||||
find_default_interface() {
|
||||
ip route ls | while read first rest; do
|
||||
[ "$first" = default ] && echo `find_device $rest` && return
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Echo the name of the interface(s) that will be used to send to the
|
||||
# passed address
|
||||
#
|
||||
|
||||
find_interface_by_address() {
|
||||
local dev="`find_rt_interface $1`"
|
||||
local first rest
|
||||
|
||||
[ -z "$dev" ] && dev=`find_default_interface`
|
||||
|
||||
[ -n "$dev" ] && echo $dev
|
||||
}
|
||||
|
||||
#
|
||||
# Expands to a list of dynamic chains for the passed address
|
||||
#
|
||||
|
||||
dynamic_chains_by_address()
|
||||
{
|
||||
local interface iface
|
||||
|
||||
interface=`find_interface_by_address $1`
|
||||
|
||||
[ -z "$interface" ] && echo dynamic && return
|
||||
|
||||
for iface in $all_interfaces; do
|
||||
if_match $iface $interface && echo `dynamic_chain $iface`
|
||||
done
|
||||
}
|
||||
|
||||
|
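Review bot: strip_trailing_digits does not do what its header says: `sed s'/[0-9].*$//'` deletes everything from the first digit onward, so `eth0.100` and `eth0:1` collapse to `eth` and a name with an interior digit such as `br2lan` is cut to `br`, which makes if_match's `*+)` arm both broader and narrower than the iptables rule it is meant to mirror. Since iptables treats a trailing `+` as a plain prefix wildcard, the arm is simpler and exact as a prefix test, `*+) [ "${rt_table#"${if_file%+}"}" != "$rt_table" ] ;;`, after which strip_trailing_digits is unused. A second, hedged point: find_rt_interface tests only the network address of a CIDR argument (`in_subnet ${1%/*} $addr`; in_subnet is outside the hunk), so `drop 10.0.0.0/8` on a host whose routes are 10.1.0.0/16 and 10.2.0.0/16 would match no route, fall back through find_interface_by_address to the default interface's chain, and leave the rest of the range unblocked on the other interfaces; a range that spans several routes should land in every matching chain or in `dynamic`. All functions in this hunk are shown complete.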
@ -12,8 +12,10 @@
|
||||
loadmodule iptable_filter
|
||||
loadmodule ip_conntrack
|
||||
loadmodule ip_conntrack_ftp
|
||||
loadmodule ip_conntrack_tftp
|
||||
loadmodule ip_conntrack_irc
|
||||
loadmodule iptable_nat
|
||||
loadmodule ip_nat_ftp
|
||||
loadmodule ip_nat_tftp
|
||||
loadmodule ip_nat_irc
|
||||
|
||||
|
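Review bot: `loadmodule ip_conntrack_tftp` and `loadmodule ip_nat_tftp` are added unconditionally, and a connection-tracking helper registers for its port regardless of interface, so the RELATED expectations it creates are accepted by any rule that permits RELATED traffic whether or not a TFTP server sits behind the firewall. Loading it by default is a policy choice, but the modules file should state it; a comment above the pair such as `# TFTP helper: drop these two lines if no TFTP traffic crosses the firewall` lets administrators decide. The surrounding loadmodule lines are context.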
@ -2,180 +2,17 @@ This is a minor release of Shorewall.
|
||||
|
||||
Problems Corrected:
|
||||
|
||||
1) A problem seen on RH7.3 systems where Shorewall encountered start
|
||||
errors when started using the "service" mechanism has been worked
|
||||
around.
|
||||
|
||||
2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
|
||||
rule, Shorewall incorrectly created multiple DNAT rules in the nat
|
||||
table (one for each element in the list). Shorewall now correctly
|
||||
creates a single DNAT rule with multiple "--to-destination" clauses.
|
||||
|
||||
3) Corrected a problem in Beta 1 where DNS names containing a "-" were
|
||||
mis-handled when they appeared in the DEST column of a rule.
|
||||
|
||||
4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
|
||||
rules has been corrected.
|
||||
|
||||
5) The message "Adding rules for DHCP" is now suppressed if there are
|
||||
no DHCP rules to add.
|
||||
None.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
1) In earlier versions, an undocumented feature allowed entries in
|
||||
the host file as follows:
|
||||
|
||||
z eth1:192.168.1.0/24,eth2:192.168.2.0/24
|
||||
|
||||
This capability was never documented and has been removed in 1.4.6
|
||||
to allow entries of the following format:
|
||||
|
||||
z eth1:192.168.1.0/24,192.168.2.0/24
|
||||
|
||||
2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
|
||||
removed from /etc/shorewall/shorewall.conf. These capabilities are
|
||||
now automatically detected by Shorewall (see below).
|
||||
1) Once you have installed this version of Shorewall, you must
|
||||
restart Shorewall before you may use the 'drop', 'reject', 'allow'
|
||||
or 'save' commands.
|
||||
|
||||
New Features:
|
||||
|
||||
1) A 'newnotsyn' interface option has been added. This option may be
|
||||
specified in /etc/shorewall/interfaces and overrides the setting
|
||||
NEWNOTSYN=No for packets arriving on the associated interface.
|
||||
|
||||
2) The means for specifying a range of IP addresses in
|
||||
/etc/shorewall/masq to use for SNAT is now
|
||||
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
|
||||
|
||||
3) Shorewall can now add IP addresses to subnets other than the first
|
||||
one on an interface.
|
||||
|
||||
4) DNAT[-] rules may now be used to load balance (round-robin) over a
|
||||
set of servers. Any number of servers may be specified in a range of
|
||||
addresses given as <first address>-<last address> and multiple
|
||||
ranges or individual servers may be specified in a comma-separated
|
||||
list.
|
||||
|
||||
Example:
|
||||
|
||||
DNAT net loc:192.168.10.2-192.168.10.5,192.168.10.44 tcp 80
|
||||
|
||||
5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
|
||||
have been removed and have been replaced by code that detects
|
||||
whether these capabilities are present in the current kernel. The
|
||||
output of the start, restart and check commands have been enhanced
|
||||
to report the outcome:
|
||||
|
||||
Shorewall has detected the following iptables/netfilter capabilities:
|
||||
NAT: Available
|
||||
Packet Mangling: Available
|
||||
Multi-port Match: Available
|
||||
Verifying Configuration...
|
||||
|
||||
6) Support for the Connection Tracking Match Extension has been
|
||||
added. This extension is available in recent kernel/iptables
|
||||
releases and allows for rules which match against elements in
|
||||
netfilter's connection tracking table.
|
||||
|
||||
Shorewall automatically detects the availability of this extension
|
||||
and reports its availability in the output of the start, restart and
|
||||
check commands.
|
||||
|
||||
Shorewall has detected the following iptables/netfilter capabilities:
|
||||
NAT: Available
|
||||
Packet Mangling: Available
|
||||
Multi-port Match: Available
|
||||
Connection Tracking Match: Available
|
||||
Verifying Configuration...
|
||||
|
||||
If this extension is available, the ruleset generated by Shorewall
|
||||
is changed in the following ways:
|
||||
|
||||
a) To handle 'norfc1918' filtering, Shorewall will not create chains
|
||||
in the mangle table but will rather do all 'norfc1918' filtering in
|
||||
the filter table (rfc1918 chain).
|
||||
|
||||
b) Recall that Shorewall DNAT rules generate two netfilter rules;
|
||||
one in the nat table and one in the filter table. If the Connection
|
||||
Tracking Match Extension is available, the rule in the filter table
|
||||
is extended to check that the original destination address was the
|
||||
same as specified (or defaulted to) in the DNAT rule.
|
||||
|
||||
7) The shell used to interpret the firewall script
|
||||
(/usr/share/shorewall/firewall) may now be specified using the
|
||||
SHOREWALL_SHELL parameter in shorewall.conf.
|
||||
|
||||
8) An 'ipcalc' command has been added to /sbin/shorewall.
|
||||
|
||||
ipcalc [ <address> <netmask> | <address>/<vlsm> ]
|
||||
|
||||
Examples:
|
||||
|
||||
[root@wookie root]# shorewall ipcalc 192.168.1.0/24
|
||||
CIDR=192.168.1.0/24
|
||||
NETMASK=255.255.255.0
|
||||
NETWORK=192.168.1.0
|
||||
BROADCAST=192.168.1.255
|
||||
[root@wookie root]#
|
||||
|
||||
[root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
|
||||
CIDR=192.168.1.0/24
|
||||
NETMASK=255.255.255.0
|
||||
NETWORK=192.168.1.0
|
||||
BROADCAST=192.168.1.255
|
||||
[root@wookie root]#
|
||||
|
||||
Warning:
|
||||
|
||||
If your shell only supports 32-bit signed arithmatic (ash or
|
||||
dash), then the ipcalc command produces incorrect information for
|
||||
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
|
||||
correct information for all valid IP addresses.
|
||||
|
||||
9) An 'iprange' command has been added to /sbin/shorewall.
|
||||
|
||||
iprange <address>-<address>
|
||||
|
||||
This command decomposes a range of IP addressses into a list of
|
||||
network and host addresses. The command can be useful if you need to
|
||||
construct an efficient set of rules that accept connections from a
|
||||
range of network addresses.
|
||||
|
||||
Note: If your shell only supports 32-bit signed arithmetic (ash or
|
||||
dash) then the range may not span 128.0.0.0.
|
||||
|
||||
Example:
|
||||
|
||||
[root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
|
||||
192.168.1.4/30
|
||||
192.168.1.8/29
|
||||
192.168.1.16/28
|
||||
192.168.1.32/27
|
||||
192.168.1.64/26
|
||||
192.168.1.128/25
|
||||
192.168.2.0/23
|
||||
192.168.4.0/22
|
||||
192.168.8.0/22
|
||||
192.168.12.0/29
|
||||
192.168.12.8/31
|
||||
[root@gateway root]#
|
||||
|
||||
10) A list of host/net addresses is now allowed in an entry in
|
||||
/etc/shorewall/hosts.
|
||||
|
||||
Example:
|
||||
|
||||
foo eth1:192.168.1.0/24,192.168.2.0/24
|
||||
|
||||
11) The "shorewall check" command now includes the chain name when
|
||||
printing the applicable policy for each pair of zones.
|
||||
|
||||
Example:
|
||||
|
||||
Policy for dmz to net is REJECT using chain all2all
|
||||
|
||||
This means that the policy for connections from the dmz to the
|
||||
internet is REJECT and the applicable entry in the
|
||||
/etc/shorewall/policy was the all->all policy.
|
||||
|
||||
12) Support for the 2.6 Kernel series has been added.
|
||||
|
||||
1) Shorewall now creates a dynamic blacklisting chain for each interface
|
||||
defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
|
||||
commands use the routing table to determine which of these chains is
|
||||
to be used for blacklisting the specified IP address(es).
|
||||
|
@ -517,6 +517,44 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Load list of interfaces into the 'all_interfaces' variable
|
||||
#
|
||||
load_all_interfaces() {
|
||||
if [ ! -f $STATEDIR/interfaces ] ; then
|
||||
echo "ERROR: $STATEDIR/interfaces does not exist" >&2
|
||||
mutex_off
|
||||
exit 2
|
||||
fi
|
||||
|
||||
read all_interfaces < $STATEDIR/interfaces
|
||||
}
|
||||
|
||||
#
|
||||
# Save Dynamic Blacklist
|
||||
#
|
||||
save_dynamic_blacklist() {
|
||||
|
||||
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
|
||||
|
||||
load_all_interfaces
|
||||
|
||||
> /var/lib/shorewall/save
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/save; then
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
||||
if iptables -L dynamic -n >> /var/lib/shorewall/save; then
|
||||
echo "Dynamic Rules Saved"
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
fi
|
||||
|
||||
}
|
||||
#
|
||||
# Give Usage Information
|
||||
#
|
||||
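Review bot: In save_dynamic_blacklist the per-interface dump `iptables -L \`dynamic_chain $interface\` >> /var/lib/shorewall/save` omits `-n`, unlike the `dynamic` dump a few lines below, so iptables reverse-resolves each source address and the saved `address` column can be a hostname; initialize_netfilter later feeds that column straight into `-s $address`, which resolves the name again at restore time and may block a different host, or none, from the one that was dropped. Add `-n` to that call, matching the `iptables -L dynamic -n` line. A second point: on a failed dump the function prints an error and returns, leaving a truncated save file in place that the next start restores as if complete; `rm -f /var/lib/shorewall/save` before that `return` avoids restoring a partial blacklist. Both new functions are shown complete; logwatch above is context.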
@ -540,8 +578,8 @@ usage() # $1 = exit status
|
||||
echo " check"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " logwatch [<refresh interval>]"
|
||||
echo " drop <address> ..."
|
||||
echo " reject <address> ..."
|
||||
echo " drop|dropall <address> ..."
|
||||
echo " reject|rejectall <address> ..."
|
||||
echo " allow <address> ..."
|
||||
echo " save"
|
||||
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
|
||||
@ -611,8 +649,6 @@ fi
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
SHARED_DIR=/usr/share/shorewall
|
||||
FIREWALL=$SHARED_DIR/firewall
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
@ -634,6 +670,8 @@ else
|
||||
exit 2
|
||||
fi
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
if [ -L $FIREWALL ]; then
|
||||
@ -835,6 +873,18 @@ case "$1" in
|
||||
drop)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
|
||||
load_all_interfaces
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
chains=`dynamic_chains_by_address $1`
|
||||
|
||||
for chain in $chains; do
|
||||
iptables -A $chain -s $1 -j DROP || break 1
|
||||
echo "$1 Rejected in Chain $chain"
|
||||
done
|
||||
done
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
iptables -A dynamic -s $1 -j DROP || break 1
|
||||
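Review bot: The new loop in the `drop` arm consumes every positional argument (`shift` until `$# -gt 1` fails), so the original `while [ $# -gt 1 ]; do` ... `iptables -A dynamic -s $1 -j DROP || break 1` loop that still follows it at the end of the hunk now runs zero times and is dead code; compare the `reject` arm in the next hunk, where the old body was replaced rather than preceded. Also the message inside the new per-chain loop says `echo "$1 Rejected in Chain $chain"` for a DROP rule; `dropall` prints `echo "$1 Dropped in Chain dynamic"`, so this should read `echo "$1 Dropped in Chain $chain"`. The `drop` arm continues beyond the hunk.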
@ -845,29 +895,66 @@ case "$1" in
|
||||
reject)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
|
||||
load_all_interfaces
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
iptables -A dynamic -s $1 -j reject || break 1
|
||||
echo "$1 Rejected"
|
||||
chains=`dynamic_chains_by_address $1`
|
||||
|
||||
for chain in $chains; do
|
||||
iptables -A $chain -s $1 -j reject || break 1
|
||||
echo "$1 Rejected in Chain $chain"
|
||||
done
|
||||
done
|
||||
|
||||
mutex_off
|
||||
;;
|
||||
allow)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
|
||||
load_all_interfaces
|
||||
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
if qt iptables -D dynamic -s $1 -j reject; then
|
||||
#
|
||||
# Address was rejected -- silently remove any drop as well
|
||||
#
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
echo "$1 Allowed"
|
||||
elif qt iptables -D dynamic -s $1 -j DROP; then
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
fi
|
||||
|
||||
chains=`dynamic_chains_by_address $1`
|
||||
|
||||
for chain in $chains; do
|
||||
if qt iptables -D $chain -s $1 -j reject; then
|
||||
#
|
||||
# Address was rejected -- silently remove any drop as well
|
||||
#
|
||||
qt iptables -D $chain -s $1 -j DROP
|
||||
echo "$1 Allowed in Chain $chain"
|
||||
elif qt iptables -D $chain -s $1 -j DROP; then
|
||||
echo "$1 Allowed in Chain $chain"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected in Chain $chain"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
mutex_off
|
||||
;;
|
||||
dropall)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
iptables -A dynamic -s $1 -j DROP || break 1
|
||||
echo "$1 Dropped in Chain dynamic"
|
||||
done
|
||||
mutex_off
|
||||
;;
|
||||
rejectall)
|
||||
[ $# -eq 1 ] && usage 1
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
iptables -A dynamic -s $1 -j reject || break 1
|
||||
echo "$1 Rejected in Chain dynamic"
|
||||
done
|
||||
mutex_off
|
||||
;;
|
||||
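Review bot: `allow` removes an address from the chains that `dynamic_chains_by_address $1` names at the time `allow` runs, but `drop` and `reject` chose their chains from the routing table at the time the address was added; if a route has changed in between, the rule stays in the old `<iface>_dyn` chain while the command prints "Not Dropped or Rejected in Chain ...", and the address remains blocked with no way to clear it short of a restart. Since `allow` already deletes from `dynamic` unconditionally, it is safer to walk every per-interface chain here, `chains=$(for iface in $all_interfaces; do dynamic_chain $iface; done)`, instead of the routing lookup. Note also that `|| break 1` in the inner `for chain` loops of `reject` only leaves that loop and the outer `while` moves on to the next address, so an iptables failure on one chain is not surfaced beyond iptables' own stderr. The `reject`, `allow`, `dropall` and `rejectall` arms are shown complete.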
@ -875,13 +962,7 @@ case "$1" in
|
||||
[ $# -ne 1 ] && usage 1
|
||||
mutex_on
|
||||
if qt iptables -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
|
||||
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo "Dynamic Rules Saved"
|
||||
else
|
||||
echo "Error Saving the Dynamic Rules"
|
||||
fi
|
||||
save_dynamic_blacklist
|
||||
else
|
||||
echo "Shorewall isn't started"
|
||||
fi
|
||||
|