Add user accounting; add SNAT/MASQ port remapping

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1579 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-26 20:59:39 +00:00
parent 4323033828
commit daae61131e
5 changed files with 125 additions and 35 deletions


@ -61,13 +61,33 @@
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# USER/GROUP This column may only be non-empty if the CHAIN is
# OUTPUT.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
# PORT PORT
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -52,3 +52,5 @@ Changes since 2.0.3
24) Deprecate the -c option in /sbin/shorewall.
25) Allow distinct input and output IPSEC parameters.
26) Allow source port remapping in /etc/shorewall/masq.


@ -2324,11 +2324,11 @@ process_accounting_rule() {
jumpchain=
accounting_error() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
}
accounting_interface_error() {
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user
}
accounting_interface_verify() {
@ -2404,6 +2404,25 @@ process_accounting_rule() {
;;
esac
[ -n "$user" ] && case $user in
-|any|all)
;;
*:*)
[ "$chain" != OUTPUT ] && \
fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
rule="$rule -m owner"
temp="${user%:*}"
[ -n "$temp" ] && rule="$rule --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && rule="$rule --gid-owner $temp "
;;
*)
[ "$chain" != OUTPUT ] && \
fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
rule="$rule -m owner --uid-owner $user "
;;
esac
case $action in
COUNT)
;;
@ -2432,7 +2451,7 @@ process_accounting_rule() {
if iptables -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport Added
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
else
accounting_error
fi
@ -2448,8 +2467,8 @@ setup_accounting() # $1 = Name of accounting file
strip_file accounting $1
while read action chain source dest proto port sport ; do
expandv action chain source dest proto port sport
while read action chain source dest proto port sport user ; do
expandv action chain source dest proto port sport user
process_accounting_rule
done < $TMP_DIR/accounting
@ -4687,7 +4706,9 @@ setup_masq()
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do
for addr in $(ip_range_explicit $address) ; do
address=${address%:)}
if [ -n "$address" ]; then
for addr in $(ip_range_explicit ${address%:*}) ; do
if ! list_search $addr $aliases_to_add; then
save_command qt ip addr del $addr dev $interface
aliases_to_add="$aliases_to_add $addr $fullinterface"
@ -4698,6 +4719,7 @@ setup_masq()
esac
fi
done
fi
done
fi
@ -4817,38 +4839,45 @@ setup_masq()
esac
addrlist=
target=MASQUERADE
if [ -n "$addresses" ]; then
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
fi
if [ -n "$networks" ]; then
for s in $networks; do
for network in $networks; do
for destnet in $(separate_list $destnets); do
addnatrule $chain -s $network -d $destnet $proto $ports $policy -j $target $addrlist
done
if [ -n "$addresses" ]; then
for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet $proto $ports $policy -j SNAT $addrlist
done
progress_message " To $destination $displayproto from $s through ${interface} using $addresses"
progress_message " To $destination $displayproto from $network through ${interface} using $addresses"
else
for destnet in $(separate_list $destnets); do
addnatrule $chain -s $s -d $destnet $proto $ports $policy -j MASQUERADE
done
progress_message " To $destination $displayproto from $s through ${interface}"
progress_message " To $destination $displayproto from $network through ${interface}"
fi
done
elif [ -n "$addresses" ]; then
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet $proto $ports $policy -j SNAT $addrlist
done
echo " To $destination $displayproto from $source through ${interface} using $addresses"
else
for destnet in $(separate_list $destnets); do
addnatrule $chain -d $destnet $proto $ports $policy -j MASQUERADE
addnatrule $chain -d $destnet $proto $ports $policy -j $target $addrlist
done
if [ -n "$addresses" ]; then
progress_message " To $destination $displayproto from $source through ${interface} using $addresses"
else
progress_message " To $destination $displayproto from $source through ${interface}"
fi
fi
}
@ -5266,6 +5295,9 @@ initialize_netfilter () {
echo "Deleting user chains..."
exists_INPUT=Yes
exists_OUTPUT=Yes
exists_FORWARD=Yes
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
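Review bot: The `*:*)` arm of the new USER/GROUP case in process_accounting_rule mishandles the `!:kids` form that the accounting file header in this same commit documents: `${user%:*}` yields a bare `!`, which is non-empty, so the rule is built as `-m owner --uid-owner ! --gid-owner kids` — the negation lands on an empty uid and the group is not negated at all, unless fix_bang happens to drop a lone `!` token, which I cannot see from here. `!joe:kids` has the related problem that only the uid part is negated, although the column doc describes `!` as applying to the whole specification. Stripping one leading `!` up front and re-applying it to each part that is present keeps the single-token `--uid-owner !joe` shape that the `*)` arm already relies on fix_bang to rewrite. The enclosing process_accounting_rule function starts and ends outside this hunk.
```shell
        *:*)
            [ "$chain" != OUTPUT ] && \
                fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
            # A leading "!" negates every part that is given, not only the uid
            case $user in
                !*) bang='!' ; user=${user#!} ;;
                *)  bang= ;;
            esac
            rule="$rule -m owner"
            temp="${user%:*}"
            [ -n "$temp" ] && rule="$rule --uid-owner $bang$temp "
            temp="${user#*:}"
            [ -n "$temp" ] && rule="$rule --gid-owner $bang$temp "
            ;;
        # … unchanged: "*)" arm and the rest of the case …
```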


@ -73,6 +73,19 @@
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.


@ -381,3 +381,26 @@ New Features:
shorewall restart [ <configuration-directory> ]
shorewall start [ <configuration-directory> ]
11) Normally, when SNAT or MASQUERADE is applied to a tcp or udp
connection, Netfilter attempts to retain the source port
number. If it has to change to port number to avoid
<source address>,<source port> conflicts, it tries to do so
within port ranges ( < 512, 512-1023, and > 1023). You may
now specify an explicit range of source ports to be used
by following the address or address range (if any) in the
ADDRESS column with ":" and a port range in the format
<low-port>-<high-port>. You must specify either "tcp" or
"udp" in the PROTO column.
Examples 1 -- MASQUERADE with tcp source ports 4000-5000:
#INTERFACE SUBNET ADDRESS PROTO
eth0 192.168.1.0/24 :4000-5000 tcp
Example 2 -- SNAT with udp source ports 7000-8000:
#INTERFACE SUBNET ADDRESS PROTO
eth0 10.0.0.0/8 192.0.2.44:7000-8000 udp