Add dynamic drop/reject/allow/save functions.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@57 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-16 09:50:33 +01:00 · 2002-06-04 20:17:46 +00:00 · 2002-06-04 20:17:46 +00:00 · aac129f404
commit aac129f404
parent 5c9562c20a
2 changed files with 57 additions and 7 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2536,12 +2536,29 @@ initialize_netfilter () {
    createchain icmpdef no
    createchain common  no
    createchain reject  no
+    createchain dynamic no
+    
+    if [ -f /etc/shorewall/save ]; then
+        echo "Restoring dynamic rules..."
+
+	while read target ignore1 ignore2 address rest; do
+	    case $target in
+	    DROP|reject)
+	    	run_iptables -A dynamic -s $address -j $target
+		;;
+	    *)
+	    	;;
+	esac
+	done < /etc/shorewall/save
+    fi
    
    echo "Creating input Chains..."
-    
+
    for interface in $all_interfaces; do
 	createchain `forward_chain $interface` no
+	run_iptables -A `forward_chain $interface` -j dynamic
 	createchain `input_chain $interface`   no
+	run_iptables -A `input_chain $interface`   -j dynamic
    done
 }

--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -68,8 +68,10 @@
 #						   starting the new configuration.
 #	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
 #						   messages.
-#	   shorewall blacklist <address> ...       Temporarily blacklist the listed
-#						   address(es)
+#	   shorewall drop <address> ...            Temporarily drop all packets from the
+#						   listed address(es)
+#	   shorewall reject <address> ...          Temporarily reject all packets from the
+#						   listed address(es)
 #
 # Display a chain if it exists
 #
@ -406,7 +408,10 @@ usage() # $1 = exit status
    echo "   check"
    echo "   try <directory> [ <timeout> ]"
    echo "   logwatch [<refresh interval>]"
-    echo "   blacklist <address> ..."
+    echo "   drop <address> ..."
+    echo "   reject <address> ..."
+    echo "   allow <address> ..."
+    echo "   save"
    exit $1
 }

@ -622,16 +627,44 @@ case "$1" in
 	    usage 1
 	fi
        ;;
-    blacklist)
+    drop)
    	[ $# -eq 1 ] && usage 1
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
-	    iptables -A blacklst -s $1 -j DROP || break 1
-	    echo "$1 Temporarily Blacklisted"
+	    iptables -A dynamic -s $1 -j DROP || break 1
+	    echo "$1 Dropped"
 	done
 	mutex_off
 	;;
+    reject)
+    	[ $# -eq 1 ] && usage 1
+	mutex_on
+	while [ $# -gt 1 ]; do
+	    shift
+	    iptables -A dynamic -s $1 -j reject || break 1
+	    echo "$1 Rejected"
+	done
+	mutex_off
+	;;
+    allow)
+    	[ $# -eq 1 ] && usage 1
+	mutex_on
+	while [ $# -gt 1 ]; do
+	    shift
+	    if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
+	       echo "$1 Allowed"
+	    else
+	       echo "$1 Not Dropped or Rejected"
+	    fi
+	done
+	mutex_off
+	;;
+    save)
+        if iptables -L dynamic -n > /etc/shorewall/save; then
+	    echo "Dynamic Rules Saved"
+	fi
+	;;
    *)
 	usage 1
 	;;