Shorewall 1.4.10
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1100 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
afee989ee5
commit
b222c76e33
131
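--- /dev/null
+++ b/Lrp/etc/shorewall/action.template
@@ -0,0 +1,131 @@
+#
+# Shorewall 1.4 /etc/shorewall/action.template
+#
+# This file is a template for files with names of the form
+# /etc/shorewall/action.<action-name> where <action> is an
+# ACTION defined in /etc/shorewall/actions.
+#
+# To define a new action:
+#
+# 1. Add the <action name> to /etc/shorewall/actions
+# 2. Copy this file to /etc/shorewall/action.<action name>
+# 3. Add the desired rules to that file.
+#
+# Columns are:
+#
+#
+# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
+# previously-defined <action>
+#
+# ACCEPT -- allow the connection request
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable or an RST packet.
+# LOG -- Simply log the packet and continue.
+# QUEUE -- Queue the packet to a user-space
+# application such as p2pwall.
+# <action> -- An <action> defined in
+# /etc/shorewall/actions. The <action>
+# must appear in that file BEFORE the
+# one being defined in this file.
+#
+# The TARGET may optionally be followed
+# by ":" and a syslog log level (e.g, REJECT:info or
+# ACCEPT:debugging). This causes the packet to be
+# logged at the specified level.
+#
+# You may also specify ULOG (must be in upper case) as a
+# log level.This will log to the ULOG target for routing
+# to a separate log through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+# SOURCE Source hosts to which the rule applies.
+# A comma-separated list of subnets
+# and/or hosts. Hosts may be specified by IP or MAC
+# address; mac addresses must begin with "~" and must use
+# "-" as a separator.
+#
+# 192.168.2.2 Host 192.168.2.2
+#
+# 155.186.235.0/24 Subnet 155.186.235.0/24
+#
+# 192.168.1.1,192.168.1.2
+# Hosts 192.168.1.1 and
+# 192.168.1.2.
+# ~00-A0-C9-15-39-78 Host with
+# MAC address 00:A0:C9:15:39:78.
+#
+# Alternatively, clients may be specified by interface
+# name. For example, eth1 specifies a
+# client that communicates with the firewall system
+# through eth1. This may be optionally followed by
+# another colon (":") and an IP/MAC/subnet address
+# as described above (e.g., eth1:192.168.1.5).
+#
+# DEST Location of Server. Same as above with the exception that
+# MAC addresses are not allowed.
+#
+# Unlike in the SOURCE column, you may specify a range of
+# up to 256 IP addresses using the syntax
+# <first ip>-<last ip>.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
+# "all".
+#
+# DEST PORT(S) Destination Ports. A comma-separated list of Port
+# names (from /etc/services), port numbers or port
+# ranges; if the protocol is "icmp", this column is
+# interpreted as the destination icmp-type(s).
+#
+# A port range is expressed as <low port>:<high port>.
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following ields are supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# If your kernel contains multi-port match support, then
+# only a single Netfilter rule will be generated if in
+# this list and the CLIENT PORT(S) list below:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable. Specified as a comma-
+# separated list of port names, port numbers or port
+# ranges.
+#
+# If you don't want to restrict client ports but need to
+# specify an ADDRESS in the next column, then place "-"
+# in this column.
+#
+# If your kernel contains multi-port match support, then
+# only a single Netfilter rule will be generated if in
+# this list and the DEST PORT(S) list above:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# RATE LIMIT You may rate-limit the rule by placing a value in
+# this column:
+#
+# <rate>/<interval>[:<burst>]
+#
+# where <rate> is the number of connections per
+# <interval> ("sec" or "min") and <burst> is the
+# largest burst permitted. If no <burst> is given,
+# a value of 5 is assumed. There may be no
+# no whitespace embedded in the specification.
+#
+# Example: 10/sec:20
+#
+# If you place a rate limit in this column, you may not
+# place a similar limit in the TARGET column.
+#
+######################################################################################
+#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# PORT PORT(S) DEST LIMIT
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE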
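Review bot: The column header at the bottom of the template (`#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE` / `# PORT PORT(S) DEST LIMIT`) advertises an ORIGINAL DEST column, but the action-file reader added in the firewall script in this commit reads only seven fields (target, clients, servers, protocol, ports, cports, ratelimit), so an entry that puts "-" under ORIGINAL DEST and "10/sec:20" under RATE LIMIT lands `- 10/sec:20` in the rate-limit field and is translated into `-m limit --limit - 10/sec --limit-burst 20`, which iptables will presumably reject at start. The CLIENT PORT(S) text "specify an ADDRESS in the next column" inherits the same rules-file layout and has no corresponding column here. I would drop ORIGINAL DEST from the two header lines and reword that sentence to refer to the RATE LIMIT column, so the template and the parser agree on the column count.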
16
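--- /dev/null
+++ b/Lrp/etc/shorewall/actions
@@ -0,0 +1,16 @@
+#
+# Shorewall 1.4 /etc/shorewall/actions
+#
+# This file allows you to define new ACTIONS for use in rules
+# (/etc/shorewall/rules). You define the iptables rules to
+# be performed in an ACTION in
+# /etc/shorewall/action.<action-name>.
+#
+# ACTION names should begin with an upper-case letter to
+# distinguish them from Shorewall-generated chain names and
+# they must need the requirements of a Netfilter chain
+# name.
+#
+#ACTION
+
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE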
@ -16,12 +16,12 @@ run_iptables -A common -p icmp -j icmpdef
|
||||
############################################################################
|
||||
# NETBIOS chatter
|
||||
#
|
||||
run_iptables -A common -p udp --dport 135 -j reject
|
||||
run_iptables -A common -p udp --dport 137:139 -j reject
|
||||
run_iptables -A common -p udp --dport 445 -j reject
|
||||
run_iptables -A common -p tcp --dport 139 -j reject
|
||||
run_iptables -A common -p tcp --dport 445 -j reject
|
||||
run_iptables -A common -p tcp --dport 135 -j reject
|
||||
run_iptables -A common -p udp --dport 135 -j DROP
|
||||
run_iptables -A common -p udp --dport 137:139 -j DROP
|
||||
run_iptables -A common -p udp --dport 445 -j DROP
|
||||
run_iptables -A common -p tcp --dport 139 -j DROP
|
||||
run_iptables -A common -p tcp --dport 445 -j DROP
|
||||
run_iptables -A common -p tcp --dport 135 -j DROP
|
||||
############################################################################
|
||||
# UPnP
|
||||
#
|
||||
@ -37,7 +37,13 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
|
||||
run_iptables -A common -p tcp --dport 113 -j reject
|
||||
############################################################################
|
||||
# DNS -- Silenty drop late replies
|
||||
#
|
||||
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
|
||||
############################################################################
|
||||
# ICMP -- Silently drop null-address ICMPs
|
||||
#
|
||||
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
|
||||
run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
|
||||
|
||||
|
||||
|
||||
|
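Review bot: The rule `run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP` drops every UDP packet with source port 53 that has no conntrack entry, which catches not only stale replies but also queries from resolvers that send from port 53 (older BIND configured with `query-source port 53`, some forwarders) toward a DNS server behind this firewall. Assuming the common chain is only reached from the policy chains, an explicit ACCEPT rule still wins, but the heading "Silenty drop late replies" understates what is matched and should say so. I would change the comment to `# DNS -- Silently drop unsolicited packets with source port 53 (late replies, but also queries sourced from port 53)`, which also fixes the typo. Which of these lines are new versus context is not recoverable from this rendering.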
@ -103,6 +103,11 @@
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# routeback - If specified, indicates that Shorewall
|
||||
# should include rules that allow filtering
|
||||
# traffic arriving on this interface back
|
||||
# out that same interface.
|
||||
#
|
||||
# arp_filter - If specified, this interface will only
|
||||
# respond to ARP who-has requests for IP
|
||||
# addresses configured on the interface.
|
||||
@ -112,6 +117,13 @@
|
||||
# interface. The interface must be up
|
||||
# when Shorewall is started.
|
||||
#
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE!
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
|
@ -18,7 +18,12 @@
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
# ":" followed by a comma-separed list of
|
||||
# destination hosts or subnets. If this list begins with
|
||||
# "!" then masquerading will occur if and only if the
|
||||
# connection destination is NOT included in the list.
|
||||
# Otherwise, the masquerading will occur if and only if
|
||||
# the destination IS included in the list.
|
||||
#
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
|
@ -48,14 +48,13 @@
|
||||
58.0.0.0/7 logdrop # Reserved
|
||||
70.0.0.0/7 logdrop # Reserved
|
||||
72.0.0.0/5 logdrop # Reserved
|
||||
83.0.0.0/8 logdrop # Reserved
|
||||
84.0.0.0/6 logdrop # Reserved
|
||||
85.0.0.0/8 logdrop # Reserved
|
||||
86.0.0.0/7 logdrop # Reserved
|
||||
88.0.0.0/5 logdrop # Reserved
|
||||
96.0.0.0/3 logdrop # Reserved
|
||||
127.0.0.0/8 logdrop # Loopback
|
||||
197.0.0.0/8 logdrop # Reserved
|
||||
198.18.0.0/15 logdrop # Reserved
|
||||
201.0.0.0/8 logdrop # Reserved - Central & South America
|
||||
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
|
||||
240.0.0.0/4 logdrop # Reserved
|
||||
#
|
||||
|
@ -15,8 +15,8 @@
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
|
||||
# or LOG.
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
# LOG or an <action>.
|
||||
#
|
||||
# ACCEPT -- allow the connection request
|
||||
# DROP -- ignore the request
|
||||
@ -48,6 +48,8 @@
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as p2pwall.
|
||||
# <action> -- The name of an action defined in
|
||||
# /etc/shorewall/actions.
|
||||
#
|
||||
# You may rate-limit the rule by optionally
|
||||
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
|
||||
|
@ -202,9 +202,8 @@ SHOREWALL_SHELL=/bin/sh
|
||||
# SUBSYSTEM LOCK FILE
|
||||
#
|
||||
# Set this to the name of the lock file expected by your init scripts. For
|
||||
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
|
||||
# should be /var/state/shorewall. If your init scripts don't use lock files,
|
||||
# set this to "".
|
||||
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
|
||||
# use lock files, set this to "".
|
||||
#
|
||||
|
||||
SUBSYSLOCK=/var/run/shorewall
|
||||
@ -222,7 +221,7 @@ STATEDIR=/tmp/shorewall
|
||||
# KERNEL MODULE DIRECTORY
|
||||
#
|
||||
# If your netfilter kernel modules are in a directory other than
|
||||
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
|
||||
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
|
||||
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
||||
|
||||
MODULESDIR=
|
||||
@ -418,13 +417,30 @@ MUTEX_TIMEOUT=60
|
||||
#
|
||||
# NEWNOTSYN
|
||||
#
|
||||
# If this variable is set to "No" or "no", then when a TCP packet that does
|
||||
# not have the SYN flag set and the ACK and RST flags clear then unless the
|
||||
# packet is part of an established connection, it will be dropped by the
|
||||
# firewall
|
||||
# TCP connections are established using the familiar three-way "handshake":
|
||||
#
|
||||
# If this variable is set to "Yes" or "yes" then such packets will not be
|
||||
# dropped but will pass through the normal rule processing.
|
||||
# CLIENT SERVER
|
||||
#
|
||||
# SYN-------------------->
|
||||
# <------------------SYN,ACK
|
||||
# ACK-------------------->
|
||||
#
|
||||
# The first packet in that exchange (packet with the SYN flag on and the ACK
|
||||
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
|
||||
# A packet is said to be NEW if it is not part of or related to an already
|
||||
# established connection.
|
||||
#
|
||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# SYN off or with ACK or RST on) that are not associated with an already
|
||||
# established connection.
|
||||
#
|
||||
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
|
||||
# part of an already established connection, it will be dropped by the
|
||||
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
|
||||
# logged before they are dropped.
|
||||
#
|
||||
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
|
||||
# dropped but will pass through the normal rule/policy processing.
|
||||
#
|
||||
# Users with a High-availability setup with two firewall's and one acting
|
||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
||||
@ -432,8 +448,15 @@ MUTEX_TIMEOUT=60
|
||||
#
|
||||
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
|
||||
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
|
||||
#
|
||||
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
|
||||
# connections because any network timeout during TCP session tear down
|
||||
# results in retries being dropped (Netfilter has removed the
|
||||
# connection from the conntrack table but the end-points haven't
|
||||
# completed shutting down the connection). I therefore have chosen
|
||||
# NEWNOTSYN=Yes as the default value.
|
||||
|
||||
NEWNOTSYN=No
|
||||
NEWNOTSYN=Yes
|
||||
|
||||
#
|
||||
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
|
||||
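Review bot: The default flips from `NEWNOTSYN=No` to `NEWNOTSYN=Yes`, and the only justification in the comment is the stuck-connection rationale; the security side of the trade-off is not stated. By the description just above it, a TCP segment with SYN off (or ACK/RST on) and no conntrack entry is now evaluated like any NEW connection, so every ACCEPT rule or policy also admits unsolicited ACK/FIN segments to the accepted ports, which makes them visible to an ACK scan and, with conntrack's usual mid-stream pickup, typically lets an outside host seed a conntrack entry without a handshake. I would add to the comment: `# NOTE: with NEWNOTSYN=Yes a non-SYN packet with no conntrack entry is matched` / `# against your rules like a new connection, so ACCEPT rules also admit` / `# unsolicited ACK/FIN segments; keep NEWNOTSYN=No unless you need this.` and mention that installs which never set the option explicitly get the new behaviour on upgrade if this file replaces theirs.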
@ -486,6 +509,29 @@ ADMINISABSENTMINDED=Yes
|
||||
#
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
# MODULE NAME SUFFIX
|
||||
#
|
||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
||||
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
|
||||
# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
|
||||
# naming convention then you can specify the suffix (extension) for module
|
||||
# names in this variable.
|
||||
#
|
||||
# To see what suffix is used by your distribution:
|
||||
#
|
||||
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||
#
|
||||
# All of the file names listed should have the same suffix (extension). Set
|
||||
# MODULE_SUFFIX to that suffix.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
|
||||
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
|
||||
#
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
@ -57,7 +57,22 @@
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
#
|
||||
# USER This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective user and/or group.
|
||||
#
|
||||
# It may contain :
|
||||
#
|
||||
# [<user name or number>]:[<group name or number>]
|
||||
#
|
||||
# The colon is optionnal when specifying only a user.
|
||||
# Examples : john: / john / :users / john:users
|
||||
#
|
||||
##############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
# PORT(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -564,11 +564,21 @@ determine_hosts() {
|
||||
eval interfaces=\$${zone}_interfaces
|
||||
|
||||
for interface in $interfaces; do
|
||||
if [ -z "$hosts" ]; then
|
||||
hosts=$interface:0.0.0.0/0
|
||||
eval options=\$`chain_base ${interface}`_options
|
||||
|
||||
if list_search detectnets $options; then
|
||||
subnets=`get_routed_subnets $interface`
|
||||
else
|
||||
hosts="$hosts $interface:0.0.0.0/0"
|
||||
subnets=0.0.0.0/0
|
||||
fi
|
||||
|
||||
for subnet in $subnets; do
|
||||
if [ -z "$hosts" ]; then
|
||||
hosts=$interface:$subnet
|
||||
else
|
||||
hosts="$hosts $interface:$subnet"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
interfaces=
|
||||
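Review bot: When the `detectnets` option is set and `get_routed_subnets $interface` returns nothing, the new loop adds no entry at all for that interface, so the zone silently loses it (the previous version, as far as this rendering shows, always contributed `$interface:0.0.0.0/0`); a not-yet-routed or misconfigured interface then yields a zone with no hosts and no diagnostic. I would add `[ -n "$subnets" ] || startup_error "detectnets: no subnets are routed through $interface"` directly after the `get_routed_subnets` call. Note also that the routing table is read only here, at start, so routes that appear later (VPN, DHCP-supplied routes) are not part of the zone until a restart, which is worth a sentence next to the detectnets description in the interfaces file. determine_hosts continues outside the hunk.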
@ -611,6 +621,8 @@ validate_zone() # $1 = zone
|
||||
# Validate the zone names and options in the interfaces file
|
||||
#
|
||||
validate_interfaces_file() {
|
||||
local wildcard
|
||||
|
||||
while read z interface subnet options; do
|
||||
expandv z interface subnet options
|
||||
r="$z $interface $subnet $options"
|
||||
@ -628,10 +640,15 @@ validate_interfaces_file() {
|
||||
list_search $interface $all_interfaces && \
|
||||
startup_error "Duplicate Interface $interface"
|
||||
|
||||
wildcard=
|
||||
|
||||
case $interface in
|
||||
*:*)
|
||||
startup_error "Invalid Interface Name: $interface"
|
||||
;;
|
||||
*+*)
|
||||
wildcard=Yes
|
||||
;;
|
||||
esac
|
||||
|
||||
all_interfaces="$all_interfaces $interface"
|
||||
@ -646,6 +663,10 @@ validate_interfaces_file() {
|
||||
case $option in
|
||||
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
detectnets)
|
||||
[ -n "$wildcard" ] && \
|
||||
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
|
||||
;;
|
||||
dropunclean|logunclean)
|
||||
error_message \
|
||||
"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
|
||||
@ -844,7 +865,7 @@ find_broadcasts() {
|
||||
for interface in $all_interfaces; do
|
||||
eval bcast=\$`chain_base $interface`_broadcast
|
||||
if [ "x$bcast" = "xdetect" ]; then
|
||||
addr="`ip addr show $interface 2> /dev/null`"
|
||||
addr="`ip -f inet addr show $interface 2> /dev/null`"
|
||||
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
||||
addr="`echo "$addr" | \
|
||||
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
|
||||
@ -1027,6 +1048,22 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
|
||||
log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
|
||||
}
|
||||
|
||||
#
|
||||
# Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
|
||||
#
|
||||
setup_forwarding() {
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn])
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
echo "IP Forwarding Enabled"
|
||||
;;
|
||||
[Oo][Ff][Ff])
|
||||
echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
echo "IP Forwarding Disabled!"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
# Stop the Firewall
|
||||
#
|
||||
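Review bot: `setup_forwarding` has no default arm, so any value of IP_FORWARDING other than on/off (a typo such as `Yes`, or `Keep` if that is an accepted spelling; its handling is not visible here) silently leaves /proc/sys/net/ipv4/ip_forward at whatever the kernel currently has, and a failed write (read-only /proc, no procfs) is ignored as well. Because stop_firewall is changed in the next hunk to call this same function, a fatal error here would be unwelcome; I would add `*) error_message "Warning: IP_FORWARDING=$IP_FORWARDING not recognized; ip_forward left unchanged" ;;` before `esac`, with an explicit no-op arm for any value that is meant to preserve the current setting, and report a failed `echo` with `|| error_message "Unable to set ip_forward"`.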
@ -1118,14 +1155,7 @@ stop_firewall() {
|
||||
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
done
|
||||
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn])
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
;;
|
||||
[Oo][Ff][Ff])
|
||||
echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
;;
|
||||
esac
|
||||
setup_forwarding
|
||||
|
||||
run_user_exit stopped
|
||||
|
||||
@ -1700,6 +1730,25 @@ process_tc_rule()
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "x$user" != "x-" ]; then
|
||||
|
||||
[ "$chain" != tcout ] && \
|
||||
fatal_error "Invalid use of a user/group: rule \"$rule\""
|
||||
|
||||
case "$user" in
|
||||
*:*)
|
||||
r="$r-m owner"
|
||||
temp="${user%:*}"
|
||||
[ -n "$temp" ] && r="$r --uid-owner $temp "
|
||||
temp="${user#*:}"
|
||||
[ -n "$temp" ] && r="$r --gid-owner $temp "
|
||||
;;
|
||||
*)
|
||||
r="$r-m owner --uid-owner $user "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
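Review bot: The guard `if [ "x$user" != "x-" ]` treats an empty USER column like a populated one, so a tcrules entry that simply omits the new seventh column (every pre-existing tcrules file) arrives with `user=""`: if its chain is not `tcout` it now fails with "Invalid use of a user/group", and if it is `tcout` the rule is emitted as `-m owner --uid-owner ` with no argument, unless the head of process_tc_rule, which is outside this hunk, defaults an empty `user` to `-`. The `*:*` arm has the same gap for a bare `:`, which yields `-m owner` with no criterion. I would change the guard to `if [ -n "$user" -a "x$user" != "x-" ]; then` and put `[ -n "${user%:*}${user#*:}" ] || fatal_error "Empty user/group: rule \"$rule\""` at the top of the `*:*` arm.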
@ -1758,9 +1807,9 @@ setup_tc1() {
|
||||
#
|
||||
strip_file tcrules
|
||||
|
||||
while read mark sources dests proto ports sports; do
|
||||
expandv mark sources dests proto ports sports
|
||||
rule=`echo "$mark $sources $dests $proto $ports $sports"`
|
||||
while read mark sources dests proto ports sports user; do
|
||||
expandv mark sources dests proto ports sports user
|
||||
rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
|
||||
process_tc_rule
|
||||
done < $TMP_DIR/tcrules
|
||||
#
|
||||
@ -2063,6 +2112,10 @@ check_config() {
|
||||
|
||||
validate_policy
|
||||
|
||||
echo "Validating Actions..."
|
||||
|
||||
process_actions
|
||||
|
||||
echo "Validating rules file..."
|
||||
|
||||
rules=`find_file rules`
|
||||
@ -2113,6 +2166,349 @@ refresh_tc() {
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Add one Filter Rule from an action -- Helper function for the action file processor
|
||||
#
|
||||
# The caller has established the following variables:
|
||||
# check = current command. If 'check', we're executing a 'check'
|
||||
# which only goes through the motions.
|
||||
# client = SOURCE IP or MAC
|
||||
# server = DESTINATION IP or interface
|
||||
# protocol = Protocol
|
||||
# address = Original Destination Address
|
||||
# port = Destination Port
|
||||
# cport = Source Port
|
||||
# multioption = String to invoke multiport match if appropriate
|
||||
# action = The chain for this rule
|
||||
# ratelimit = Optional rate limiting clause
|
||||
#
|
||||
add_an_action()
|
||||
{
|
||||
do_ports() {
|
||||
if [ -n "$port" ]; then
|
||||
dports="--dport"
|
||||
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
dports="--dports"
|
||||
fi
|
||||
dports="$dports $port"
|
||||
fi
|
||||
|
||||
if [ -n "$cport" ]; then
|
||||
sports="--sport"
|
||||
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
sports="--sports"
|
||||
fi
|
||||
sports="$sports $cport"
|
||||
fi
|
||||
}
|
||||
|
||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||
|
||||
cli=
|
||||
|
||||
case "$client" in
|
||||
-)
|
||||
;;
|
||||
*:*)
|
||||
cli="-i ${client%:*} -s ${client#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
cli="-s $client"
|
||||
;;
|
||||
~*)
|
||||
cli=`mac_match $client`
|
||||
;;
|
||||
*)
|
||||
[ -n "$client" ] && cli="-i $client"
|
||||
;;
|
||||
esac
|
||||
|
||||
# Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
|
||||
|
||||
dest_interface=
|
||||
serv=
|
||||
|
||||
case "$server" in
|
||||
-)
|
||||
;;
|
||||
*.*.*)
|
||||
serv=$server
|
||||
;;
|
||||
~*)
|
||||
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
|
||||
;;
|
||||
*)
|
||||
[ -n "$server" ] && dest_interface="-o $server"
|
||||
;;
|
||||
esac
|
||||
|
||||
# Setup protocol and port variables
|
||||
|
||||
sports=
|
||||
dports=
|
||||
state="-m state --state NEW"
|
||||
proto=$protocol
|
||||
servport=$serverport
|
||||
multiport=
|
||||
|
||||
[ x$port = x- ] && port=
|
||||
[ x$cport = x- ] && cport=
|
||||
|
||||
case $proto in
|
||||
tcp|TCP|6)
|
||||
do_ports
|
||||
[ "$target" = QUEUE ] && proto="$proto --syn"
|
||||
;;
|
||||
udp|UDP|17)
|
||||
do_ports
|
||||
;;
|
||||
icmp|ICMP|1)
|
||||
[ -n "$port" ] && dports="--icmp-type $port"
|
||||
state=
|
||||
;;
|
||||
all|ALL)
|
||||
[ -n "$port" ] && \
|
||||
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
|
||||
proto=
|
||||
;;
|
||||
*)
|
||||
state=
|
||||
[ -n "$port" ] && \
|
||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
proto="${proto:+-p $proto}"
|
||||
|
||||
# Some misc. setup
|
||||
|
||||
case "$logtarget" in
|
||||
LOG)
|
||||
[ -z "$loglevel" ] && fatal_error "LOG requires log level"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ $command != check ]; then
|
||||
if [ -n "${serv}" ]; then
|
||||
for serv1 in `separate_list $serv`; do
|
||||
for srv in `ip_range $serv1`; do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $action $logtarget "$ratelimit" \
|
||||
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
|
||||
fi
|
||||
|
||||
run_iptables2 -A $action $proto $multiport $state $cli $sports \
|
||||
-d $srv $dports $ratelimit -j $target
|
||||
done
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $action $logtarget "$ratelimit" \
|
||||
`fix_bang $proto $sports $multiport $state $cli $dports`
|
||||
fi
|
||||
|
||||
run_iptables2 -A $action $proto $multiport $state $cli $sports \
|
||||
$dports $ratelimit -j $target
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Process a record from an action file for the 'start', 'restart' or 'check' commands
|
||||
#
|
||||
process_action() # $1 = action
|
||||
# $1 = target
|
||||
# $2 = clients
|
||||
# $3 = servers
|
||||
# $4 = protocol
|
||||
# $5 = ports
|
||||
# $6 = cports
|
||||
# $7 = ratelimit
|
||||
{
|
||||
local action="$1"
|
||||
local target="$2"
|
||||
local clients="$3"
|
||||
local servers="$4"
|
||||
local protocol="$5"
|
||||
local ports="$6"
|
||||
local cports="$7"
|
||||
local ratelimit="$8"
|
||||
local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`"
|
||||
|
||||
if [ -n "$ratelimit" ]; then
|
||||
case $ratelimit in
|
||||
-)
|
||||
ratelimit=
|
||||
;;
|
||||
*:*)
|
||||
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
|
||||
;;
|
||||
*)
|
||||
ratelimit="-m limit --limit $ratelimit"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
# Isolate log level
|
||||
|
||||
if [ "$target" = "${target%:*}" ]; then
|
||||
loglevel=
|
||||
else
|
||||
loglevel="${target#*:}"
|
||||
target="${target%:*}"
|
||||
expandv loglevel
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
|
||||
case $target in
|
||||
ACCEPT|LOG)
|
||||
;;
|
||||
REJECT)
|
||||
target=reject
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
|
||||
# Generate Netfilter rule(s)
|
||||
|
||||
[ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
|
||||
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
`list_count $ports` -le 15 -a \
|
||||
`list_count $cports` -le 15 ]
|
||||
then
|
||||
#
|
||||
# MULTIPORT is enabled, there are no port ranges in the rule and less than
|
||||
# 16 ports are listed - use multiport match.
|
||||
#
|
||||
multioption="-m multiport"
|
||||
for client in `separate_list ${clients:=-}`; do
|
||||
for server in `separate_list ${servers:=-}`; do
|
||||
#
|
||||
# add_a_rule() modifies these so we must set their values each time
|
||||
#
|
||||
port=${ports:=-}
|
||||
cport=${cports:=-}
|
||||
add_an_action
|
||||
done
|
||||
done
|
||||
else
|
||||
#
|
||||
# MULTIPORT is disabled or the rule isn't compatible with multiport match
|
||||
#
|
||||
multioption=
|
||||
for client in `separate_list ${clients:=-}`; do
|
||||
for server in `separate_list ${servers:=-}`; do
|
||||
for port in `separate_list ${ports:=-}`; do
|
||||
for cport in `separate_list ${cports:=-}`; do
|
||||
add_an_action
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
fi
|
||||
#
|
||||
# Report Result
|
||||
#
|
||||
if [ $command = check ]; then
|
||||
echo " Rule \"$rule\" checked."
|
||||
else
|
||||
echo " Rule \"$rule\" added."
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Read /etc/shorewall/actions and for each defined <action>, process
|
||||
# /etc/shorewall/action.<action>
|
||||
#
|
||||
|
||||
process_actions() {
|
||||
#
|
||||
# Process a rule where the source or destination is "all"
|
||||
#
|
||||
process_wildcard_rule() {
|
||||
local yclients yservers ysourcezone ydestzone ypolicy
|
||||
|
||||
for yclients in $xclients; do
|
||||
for yservers in $xservers; do
|
||||
ysourcezone=${yclients%%:*}
|
||||
ydestzone=${yservers%%:*}
|
||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||
if [ "$ypolicy" != NONE ] ; then
|
||||
process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
do_it() {
|
||||
expandv xclients xservers xprotocol xports xcports xratelimit
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
xclients="$zones $FW"
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
fi
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit
|
||||
}
|
||||
|
||||
strip_file actions
|
||||
|
||||
while read xaction rest; do
|
||||
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
|
||||
[ "$command" = check ] || createchain $xaction No
|
||||
|
||||
f=action.$xaction
|
||||
fn=`find_file $f`
|
||||
|
||||
if [ -f $fn ]; then
|
||||
echo "Processing $fn..."
|
||||
strip_file $f $fn
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit ; do
|
||||
expandv xtarget
|
||||
temp="${xtarget%:*}"
|
||||
case "${temp%<*}" in
|
||||
ACCEPT|DROP|REJECT|LOG|QUEUE)
|
||||
do_it
|
||||
;;
|
||||
*)
|
||||
if list_search $temp $ACTIONS; then
|
||||
do_it
|
||||
else
|
||||
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit`"
|
||||
fatal_error "Invalid TARGET in rule \"$rule\""
|
||||
fi
|
||||
;;
|
||||
|
||||
esac
|
||||
done < $TMP_DIR/$f
|
||||
else
|
||||
fatal_error "Missing Action File: $f"
|
||||
fi
|
||||
|
||||
ACTIONS="$ACTIONS $xaction"
|
||||
done < $TMP_DIR/actions
|
||||
}
|
||||
|
||||
#
|
||||
# Add a NAT rule - Helper function for the rules file processor
|
||||
#
|
||||
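Review bot: process_actions validates the TARGET with `case "${temp%<*}"`, i.e. it accepts a `<rate>` suffix on the target the way process_rule does (`ratelimit="${target#*<}"` in a later hunk), and the template text "you may not place a similar limit in the TARGET column" promises the same, but process_action only splits off a `:loglevel` and never strips `<…>`, so `ACCEPT<10/sec` survives into `-j ACCEPT<10/sec` and the start fails; the rate limit should be isolated from the target before the log level, mirroring process_rule, as sketched below. Secondary: `do_it` relies on `continue` inside a function acting on the caller's `while read` loop, which POSIX leaves unspecified and SHOREWALL_SHELL is configurable, so an if/elif/else chain with a single exit would avoid a fall-through into the final process_action with a multi-word `$xclients`. Also consider rejecting action names that are not valid chain names (character set and length) before `createchain $xaction`, since the same name is also used to form the `action.$xaction` file path.

```shell
    local rule="`echo $target $clients $servers $protocol $ports $cports $ratelimit`"

    # Isolate a <rate> suffix on the TARGET, as process_rule does;
    # the template forbids giving a limit in both places.
    [ "x$ratelimit" = "x-" ] && ratelimit=

    if [ "$target" != "${target%<*}" ]; then
        [ -n "$ratelimit" ] && \
            fatal_error "Rate limit given in both TARGET and RATE LIMIT columns: rule \"$rule\""
        ratelimit="${target#*<}"
        target="${target%<*}"
    fi

    # … unchanged: translation of $ratelimit into -m limit, log level, target mapping, rule generation …
```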
@ -2548,6 +2944,8 @@ process_rule() # $1 = target
|
||||
|
||||
# Function Body - isolate rate limit
|
||||
|
||||
[ "x$ratelimit" = "x-" ] && ratelimit=
|
||||
|
||||
if [ -z "$ratelimit" ]; then
|
||||
if [ "$target" != "${target%<*}" ]; then
|
||||
ratelimit="${target#*<}"
|
||||
@ -2559,9 +2957,6 @@ process_rule() # $1 = target
|
||||
|
||||
if [ -n "$ratelimit" ]; then
|
||||
case $ratelimit in
|
||||
-)
|
||||
ratelimit=
|
||||
;;
|
||||
*:*)
|
||||
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
|
||||
;;
|
||||
@ -2599,7 +2994,11 @@ process_rule() # $1 = target
|
||||
case "$userset" in
|
||||
*:*)
|
||||
case $target in
|
||||
ACCEPT|REJECT|DROP)
|
||||
ACCEPT)
|
||||
;;
|
||||
REJECT|DROP)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
;;
|
||||
*)
|
||||
fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
|
||||
@ -2625,9 +3024,13 @@ process_rule() # $1 = target
|
||||
target=`accept_chain $userset`
|
||||
;;
|
||||
DROP)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=`drop_chain $userset`
|
||||
;;
|
||||
REJECT)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=`reject_chain $userset`
|
||||
;;
|
||||
*)
|
||||
@ -2643,8 +3046,15 @@ process_rule() # $1 = target
|
||||
ACCEPT|LOG)
|
||||
;;
|
||||
REJECT)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=reject
|
||||
;;
|
||||
CONTINUE)
|
||||
[ -n "$ratelimit" ] && fatal_error \
|
||||
"Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
|
||||
target=RETURN
|
||||
;;
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
@ -2711,9 +3121,11 @@ process_rule() # $1 = target
|
||||
source=$clientzone
|
||||
|
||||
if [ $source = $FW ]; then
|
||||
source_hosts= || eval source_hosts=\"\$${source}_hosts\"
|
||||
source_hosts=
|
||||
elif [ -n "$userset" ]; then
|
||||
fatal_error "Invalid use of a user set: rule \"$rule\""
|
||||
else
|
||||
eval source_hosts=\"\$${source}_hosts\"
|
||||
fi
|
||||
|
||||
if [ "$servers" = "${servers%:*}" ] ; then
|
||||
@ -2876,41 +3288,56 @@ process_rules()
|
||||
# Process a rule where the source or destination is "all"
|
||||
#
|
||||
process_wildcard_rule() {
|
||||
local yclients yservers ysourcezone ydestzone ypolicy
|
||||
|
||||
for yclients in $xclients; do
|
||||
for yservers in $xservers; do
|
||||
if [ "${yclients}" != "${yservers}" ] ; then
|
||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
|
||||
ysourcezone=${yclients%%:*}
|
||||
ydestzone=${yservers%%:*}
|
||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||
if [ "$ypolicy" != NONE ] ; then
|
||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
do_it() {
|
||||
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
xclients="$zones $FW"
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
fi
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
|
||||
temp="${xtarget%:*}"
|
||||
case "${temp%<*}" in
|
||||
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
|
||||
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
xclients="$zones $FW"
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
fi
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
if [ "x$xservers" = xall ]; then
|
||||
xservers="$zones $FW"
|
||||
process_wildcard_rule
|
||||
continue
|
||||
fi
|
||||
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset
|
||||
do_it
|
||||
;;
|
||||
*)
|
||||
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
|
||||
fatal_error "Invalid Action in rule \"$rule\""
|
||||
if list_search $temp $ACTIONS; then
|
||||
do_it
|
||||
else
|
||||
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserset`"
|
||||
fatal_error "Invalid Action in rule \"$rule\""
|
||||
fi
|
||||
;;
|
||||
|
||||
esac
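Review bot: do_it leaves the calling while-read loop with `continue` after each process_wildcard_rule call, but that statement now runs inside a function rather than in the loop body it was lifted from; POSIX leaves `continue` inside a function invoked from a loop unspecified, and bash in POSIX mode and some /bin/sh implementations treat it as "not in a loop" instead of continuing the caller. At every visible call site (the two arms here and process_actions above) `do_it` is immediately followed by `;;`, so replacing both `continue` lines with `return` gives identical control flow without depending on that shell behaviour. Separately, the `*)` arm looks actions up with `list_search $temp $ACTIONS` while the case selector is `${temp%<*}`; if an action target can carry a `<rate:burst>` suffix the way ACCEPT can, the lookup should use `${temp%<*}` as well. Both points apply equally to process_actions, whose hunk starts before this excerpt.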
|
||||
@ -3115,7 +3542,7 @@ loadmodule() # $1 = module name, $2 - * arguments
|
||||
if [ -z "`lsmod | grep $modulename`" ]; then
|
||||
shift
|
||||
|
||||
for suffix in o gz ko o.gz ; do
|
||||
for suffix in $MODULE_SUFFIX ; do
|
||||
modulefile=$MODULESDIR/${modulename}.${suffix}
|
||||
|
||||
if [ -f $modulefile ]; then
|
||||
@ -3362,7 +3789,7 @@ setup_masq()
|
||||
case $fullinterface in
|
||||
*:*:*)
|
||||
# Both alias name and subnet
|
||||
destnet="${fullinterface##*:}"
|
||||
destnets="${fullinterface##*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*:*)
|
||||
@ -3370,17 +3797,17 @@ setup_masq()
|
||||
case ${fullinterface#*:} in
|
||||
*.*)
|
||||
# It's a subnet
|
||||
destnet="${fullinterface#*:}"
|
||||
destnets="${fullinterface#*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*)
|
||||
#it's an alias name
|
||||
destnet="0.0.0.0/0"
|
||||
destnets="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
destnet="0.0.0.0/0"
|
||||
destnets="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3397,7 +3824,6 @@ setup_masq()
|
||||
subnet="${subnet%!*}"
|
||||
fi
|
||||
|
||||
chain=`masq_chain $interface`
|
||||
|
||||
source="$subnet"
|
||||
|
||||
@ -3426,33 +3852,70 @@ setup_masq()
|
||||
done
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
destination=$destnets
|
||||
|
||||
if [ -n "$nomasq" ]; then
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
chain=`masq_chain $interface`
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -d $destnet -s $s -j $newchain
|
||||
case $destnets in
|
||||
!*)
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
destnets=${destnets#!}
|
||||
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $newchain -d $destnet -j RETURN
|
||||
done
|
||||
else
|
||||
addnatrule $chain -d $destnet -j $newchain
|
||||
fi
|
||||
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
subnet=
|
||||
destnet=
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -s $s -j $newchain
|
||||
done
|
||||
subnet=
|
||||
else
|
||||
addnatrule $chain -j $newchain
|
||||
fi
|
||||
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
destnets=0.0.0.0/0
|
||||
|
||||
source="$source except $nomasq"
|
||||
else
|
||||
destnet="-d $destnet"
|
||||
fi
|
||||
if [ -n "$nonmasq" ]; then
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
source="$source except $nomasq"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
if [ -n "$nomasq" ]; then
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -s $s -j $newchain
|
||||
done
|
||||
done
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -j $newchain
|
||||
done
|
||||
fi
|
||||
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
subnet=
|
||||
destnets=0.0.0.0/0
|
||||
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
|
||||
source="$source except $nomasq"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$addresses" ]; then
|
||||
temp=
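Review bot: The `!*` arm tests `if [ -n "$nonmasq" ]; then` while the list it then iterates, the `*)` arm and the rest of setup_masq all use `$nomasq`; `nonmasq` is never assigned, so for a negated destination list the exclusion RETURN rules are never added, the addresses meant to be exempt from SNAT are masqueraded anyway, and the `except` text is missing from the progress message. The line should read `if [ -n "$nomasq" ]; then`. The enclosing loop continues into the next hunk.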
|
||||
@ -3464,18 +3927,26 @@ setup_masq()
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
if [ -n "$addresses" ]; then
|
||||
addnatrule $chain -s $s $destnet -j SNAT $temp
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -s $s -d $destnet -j SNAT $temp
|
||||
done
|
||||
echo " To $destination from $s through ${interface} using $addresses"
|
||||
else
|
||||
addnatrule $chain -s $s $destnet -j MASQUERADE
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -s $s -d $destnet -j MASQUERADE
|
||||
done
|
||||
echo " To $destination from $s through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$address" ]; then
|
||||
addnatrule $chain $destnet -j SNAT $temp
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -j SNAT $temp
|
||||
done
|
||||
echo " To $destination from $source through ${interface} using $addresses"
|
||||
else
|
||||
addnatrule $chain $destnet -j MASQUERADE
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain -d $destnet -j MASQUERADE
|
||||
done
|
||||
echo " To $destination from $source through ${interface}"
|
||||
fi
|
||||
|
||||
@ -3677,7 +4148,7 @@ add_ip_aliases()
|
||||
#
|
||||
# Get all of the lines that contain inet addresses
|
||||
#
|
||||
ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
|
||||
ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
|
||||
case $cidr in
|
||||
*/*)
|
||||
if in_subnet $external $cidr; then
|
||||
@ -3972,9 +4443,26 @@ build_common_chain() {
|
||||
#
|
||||
add_common_rules() {
|
||||
local savelogparms="$LOGPARMS"
|
||||
local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
|
||||
#
|
||||
# Reject Rules
|
||||
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
||||
#
|
||||
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $broadcasts ; do
|
||||
run_iptables -A reject -d $address -j DROP
|
||||
done
|
||||
fi
|
||||
#
|
||||
# Don't feed the smurfs
|
||||
#
|
||||
for address in $broadcasts ; do
|
||||
run_iptables -A reject -s $address -j DROP
|
||||
done
|
||||
|
||||
run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
|
||||
run_iptables -A reject -p udp -j REJECT
|
||||
#
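Review bot: Only the multicast pkttype rule's status decides whether the per-address fallback runs; the result of the broadcast one, `qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP`, is discarded. Both presumably depend on the same match extension, but if the first rule were the one to fail the reject chain would silently lack the broadcast rule, and testing both costs one condition: `if ! qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then`. add_common_rules continues past this hunk.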
|
||||
@ -4079,13 +4567,13 @@ add_common_rules() {
|
||||
|
||||
strip_file rfc1918
|
||||
|
||||
createchain rfc1918 no
|
||||
createchain norfc1918 no
|
||||
|
||||
createchain logdrop no
|
||||
createchain rfc1918 no
|
||||
|
||||
log_rule $RFC1918_LOG_LEVEL logdrop DROP
|
||||
log_rule $RFC1918_LOG_LEVEL rfc1918 DROP
|
||||
|
||||
run_iptables -A logdrop -j DROP
|
||||
run_iptables -A rfc1918 -j DROP
|
||||
|
||||
if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
@ -4097,27 +4585,30 @@ add_common_rules() {
|
||||
# Also add a chain to log and drop any RFC1918 packets that we find
|
||||
#
|
||||
run_iptables -t mangle -N man1918
|
||||
run_iptables -t mangle -N logdrop
|
||||
log_rule $RFC1918_LOG_LEVEL logdrop DROP -t mangle
|
||||
run_iptables -t mangle -A logdrop -j DROP
|
||||
run_iptables -t mangle -N rfc1918
|
||||
log_rule $RFC1918_LOG_LEVEL rfc1918 DROP -t mangle
|
||||
run_iptables -t mangle -A rfc1918 -j DROP
|
||||
fi
|
||||
|
||||
while read subnet target; do
|
||||
case $target in
|
||||
logdrop|DROP|RETURN)
|
||||
logdrop)
|
||||
target=rfc1918
|
||||
;;
|
||||
DROP|RETURN)
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid target ($target) for $subnet"
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables2 -A rfc1918 -s $subnet -j $target
|
||||
run_iptables2 -A norfc1918 -s $subnet -j $target
|
||||
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
#
|
||||
# We have connection tracking match -- match on the original destination
|
||||
#
|
||||
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
|
||||
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $subnet -j $target
|
||||
elif [ -n "$MANGLE_ENABLED" ]; then
|
||||
#
|
||||
# No connection tracking match but we have mangling -- add a rule to
|
||||
@ -4129,7 +4620,7 @@ add_common_rules() {
|
||||
|
||||
for interface in $norfc1918_interfaces; do
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -m state --state NEW -j rfc1918
|
||||
run_iptables -A $chain -m state --state NEW -j norfc1918
|
||||
done
|
||||
|
||||
[ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
|
||||
@ -4235,19 +4726,8 @@ add_common_rules() {
|
||||
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
|
||||
run_ip route flush cache
|
||||
fi
|
||||
#
|
||||
# IP Forwarding
|
||||
#
|
||||
case "$IP_FORWARDING" in
|
||||
[Oo][Nn])
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
echo "IP Forwarding Enabled"
|
||||
;;
|
||||
[Oo][Ff][Ff])
|
||||
echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
echo "IP Forwarding Disabled!"
|
||||
;;
|
||||
esac
|
||||
|
||||
setup_forwarding
|
||||
}
|
||||
|
||||
#
|
||||
@ -4389,6 +4869,8 @@ activate_rules()
|
||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
|
||||
|
||||
need_broadcast=
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
@ -4406,8 +4888,19 @@ activate_rules()
|
||||
[ -n "$complex" ] && \
|
||||
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
|
||||
|
||||
if [ "$subnet" != 0.0.0.0/0 ]; then
|
||||
if ! list_search $interface $need_broadcast ; then
|
||||
eval options=\$`chain_base ${interface}`_options
|
||||
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
for interface in $need_broadcast ; do
|
||||
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
|
||||
run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
|
||||
done
|
||||
|
||||
for zone1 in $zones; do
|
||||
|
||||
eval policy=\$${zone}2${zone1}_policy
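Review bot: The need_broadcast block, from `if [ "$subnet" != 0.0.0.0/0 ]` through the two OUTPUT rules, has no comment saying why limited-broadcast and multicast get their own OUTPUT rules jumping to $chain1; it looks like those destinations fall outside the per-subnet rules generated for hosts of an interface with the detectnets option, but that is inferred from the names. I'd add above the check `# Firewall-originated 255.255.255.255 / 224.0.0.0/4 traffic matches none of the detected subnets, so send it to the fw->zone chain explicitly on detectnets interfaces -- confirm`. The same two literals appear in add_common_rules' broadcasts list; a shared variable would keep them in step. activate_rules' loop starts before this hunk.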
|
||||
@ -4473,6 +4966,7 @@ activate_rules()
|
||||
run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
run_iptables -D $chain -p udp --dport 53 -j ACCEPT
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -4532,6 +5026,10 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
rules=`find_file rules`
|
||||
|
||||
echo "Processing Actions..."
|
||||
|
||||
process_actions
|
||||
|
||||
echo "Processing $rules..."
|
||||
|
||||
process_rules
|
||||
@ -5057,6 +5555,8 @@ do_initialize() {
|
||||
LOGRULENUMBERS=
|
||||
ADMINISABSENTMINDED=
|
||||
BLACKLISTNEWONLY=
|
||||
MODULE_SUFFIX=
|
||||
ACTIONS=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
@ -5207,6 +5707,8 @@ do_initialize() {
|
||||
fi
|
||||
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
|
||||
BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
|
||||
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
248
Lrp/usr/share/shorewall/help
Executable file
248
Lrp/usr/share/shorewall/help
Executable file
@ -0,0 +1,248 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V1.4 - 3/14/2003
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2003 - Tom Eastep (teastep@shorewall.net)
|
||||
# Steve Herber (herber@thing.com)
|
||||
#
|
||||
# This file should be placed in /usr/share/shorewall/help
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||
##################################################################################
|
||||
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:host] zone - Adds the specified interface
|
||||
(and host if included) to the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
|
||||
from interface ipsec0 to the zone vpn1.
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
address|host)
|
||||
echo "<$1>:
|
||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||
CIDR format like 192.168.1.0/24"
|
||||
;;
|
||||
|
||||
allow)
|
||||
echo "allow: allow <address> ...
|
||||
Re-enables receipt of packets from hosts previously blacklisted
|
||||
by a drop or reject command.
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
check)
|
||||
echo "check: check [ -c <configuration-directory> ]
|
||||
Performs a cursory validation of the zones, interfaces, hosts,
|
||||
rules and policy files. Use this if you are unsure of any edits
|
||||
you have made to the shorewall configuration. See the try command
|
||||
examples for a recommended way to make changes."
|
||||
;;
|
||||
|
||||
clear)
|
||||
echo "clear: clear
|
||||
Clear will remove all rules and chains installed by Shoreline.
|
||||
The firewall is then wide open and unprotected. Existing
|
||||
connections are untouched. Clear is often used to see if the
|
||||
firewall is causing connection problems."
|
||||
;;
|
||||
|
||||
debug)
|
||||
echo "debug: debug
|
||||
If you include the keyword debug as the first argument to any
|
||||
of these commands:
|
||||
|
||||
start|stop|restart|reset|clear|refresh|check|add|delete
|
||||
|
||||
then a shell trace of the command is produced. For example:
|
||||
|
||||
shorewall debug start 2> /tmp/trace
|
||||
|
||||
The above command would trace the 'start' command and
|
||||
place the trace information in the file /tmp/trace."
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:host] zone - Deletes the specified
|
||||
interface (and host if included) from the specified zone.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
|
||||
192.0.2.24 from interface ipsec0 from zone vpn1
|
||||
|
||||
See also \"help host\""
|
||||
;;
|
||||
|
||||
drop)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be ignored
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
help)
|
||||
echo "help: help [<command> | host | address ]
|
||||
Display helpful information about the shorewall commands."
|
||||
;;
|
||||
|
||||
hits)
|
||||
echo "hits: hits
|
||||
Produces several reports about the Shorewall packet log messages
|
||||
in the current /var/log/messages file."
|
||||
;;
|
||||
|
||||
ipcalc)
|
||||
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
|
||||
Ipcalc displays the network address, broadcast address,
|
||||
network in CIDR notation and netmask corresponding to the input[s]."
|
||||
;;
|
||||
|
||||
iprange)
|
||||
echo "iprange: iprange address1-address2
|
||||
Iprange decomposes the specified range of IP addresses into the
|
||||
equivalent list of network/host addresses."
|
||||
;;
|
||||
|
||||
logwatch)
|
||||
echo "logwatch: logwatch [<refresh interval>]
|
||||
Monitors the LOGFILE, $LOGFILE,
|
||||
and produces an audible alarm when new Shorewall messages are logged."
|
||||
;;
|
||||
|
||||
monitor)
|
||||
echo "monitor: monitor [<refresh_interval>]
|
||||
Continuously display the firewall status, last 20 log entries and nat.
|
||||
When the log entry display changes, an audible alarm is sounded."
|
||||
;;
|
||||
|
||||
refresh)
|
||||
echo "refresh: refresh
|
||||
The rules involving the broadcast addresses of firewall interfaces,
|
||||
the black list, traffic control rules and ECN control rules are recreated
|
||||
to reflect any changes made. Existing connections are untouched"
|
||||
;;
|
||||
|
||||
reject)
|
||||
echo "$1: $1 <address> ...
|
||||
Causes packets from the specified <address> to be rejected
|
||||
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
||||
|
||||
See also \"help address\""
|
||||
;;
|
||||
|
||||
reset)
|
||||
echo "reset: reset
|
||||
All the packet and byte counters in the firewall are reset."
|
||||
;;
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -c <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Existing connections are dropped."
|
||||
;;
|
||||
|
||||
save)
|
||||
echo "save: save
|
||||
The dynamic data is stored in /var/lib/shorewall/save
|
||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting."
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
||||
shorewall show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
(iptables -L chain -n -v)
|
||||
|
||||
shorewall show nat - produce a verbose report about the nat table.
|
||||
(iptables -t nat -L -n -v)
|
||||
|
||||
shorewall show tos - produce a verbose report about the mangle table.
|
||||
(iptables -t mangle -L -n -v)
|
||||
|
||||
shorewall show log - display the last 20 packet log entries.
|
||||
|
||||
shorewall show connections - displays the IP connections currently
|
||||
being tracked by the firewall.
|
||||
|
||||
shorewall show tc - displays information about the traffic
|
||||
control/shaping configuration."
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: start [ -c <configuration-directory> ]
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies."
|
||||
;;
|
||||
|
||||
stop)
|
||||
echo "stop: stop
|
||||
Stops the firewall. All existing connections, except those
|
||||
listed in /etc/shorewall/routestopped, are taken down.
|
||||
The only new traffic permitted through the firewall
|
||||
is from systems listed in /etc/shorewall/routestopped."
|
||||
;;
|
||||
|
||||
status)
|
||||
echo "status: status
|
||||
Produce a verbose report about the firewall.
|
||||
|
||||
(iptables -L -n -v)"
|
||||
;;
|
||||
|
||||
try)
|
||||
echo "try: try <configuration-directory> [ <timeout> ]
|
||||
Restart shorewall using the specified configuration. If an error
|
||||
occurs during the restart, then another shorewall restart is performed
|
||||
using the default configuration. If a timeout is specified then
|
||||
the restart is always performed after the timeout occurs and uses
|
||||
the default configuration."
|
||||
;;
|
||||
|
||||
version)
|
||||
echo "version: version
|
||||
Show the current shorewall version which is: $version"
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "$1: $1 is not recognized by the help command"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit 0 # always ok
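Review bot: The dynamic-blacklisting sentence in the allow, drop, reject and save texts reads `Shorewall allow, drop, rejct and save implement dynamic blacklisting.`; `rejct` should be `reject` in all four places, since this is the text users see. The logwatch and version texts also expand `$LOGFILE` and `$version`, which this file never sets; presumably the shorewall CLI exports them before invoking help, but run directly (the file is installed executable) they print empty, so a fallback such as `${version:-unknown}` or a header comment naming the required environment would make the dependency explicit.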
|
||||
|
@ -1 +1 @@
|
||||
1.4.8
|
||||
1.4.10
|
||||
|
@ -24,3 +24,5 @@
|
||||
/etc/shorewall/accounting Account Traffic Accounting Rules
|
||||
/etc/shorewall/usersets UserSets User Set definitions
|
||||
/etc/shorewall/users Users " " "
|
||||
/etc/shorewall/actions Actions Define user actions
|
||||
/etc/shorewall/action.templage Template Template for user-defined actions
|
||||
|
@ -1 +1 @@
|
||||
1.4.8
|
||||
1.4.10
|
||||
|