Apply and fix Tuomas Jormola's IPTABLES patch
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1766 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
0c3bf6f598
commit
fa89a86f71
@ -144,3 +144,7 @@ Changes since 2.0.3
|
||||
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
||||
|
||||
70) Correct typo in shorewall.conf.
|
||||
|
||||
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
|
||||
|
||||
72) Apply Tuomas Jormola's IPTABLES patch.
|
||||
|
@ -156,9 +156,9 @@ run_iptables() {
|
||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||
|
||||
if ! iptables $@ ; then
|
||||
if ! $IPTABLES $@ ; then
|
||||
if [ -z "$stopping" ]; then
|
||||
error_message "ERROR: Command \"iptables $@\" Failed"
|
||||
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
{
|
||||
local c=$(chain_base $1)
|
||||
|
||||
if iptables -N $1; then
|
||||
if $IPTABLES -N $1; then
|
||||
|
||||
if [ $2 = yes ]; then
|
||||
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
@ -265,7 +265,7 @@ havechain() # $1 = name of chain
|
||||
#
|
||||
chain_exists() # $1 = chain name
|
||||
{
|
||||
qt iptables -L $1 -n
|
||||
qt $IPTABLES -L $1 -n
|
||||
}
|
||||
|
||||
#
|
||||
@ -273,7 +273,7 @@ chain_exists() # $1 = chain name
|
||||
#
|
||||
mangle_chain_exists() # $1 = chain name
|
||||
{
|
||||
qt iptables -t mangle -L $1 -n
|
||||
qt $IPTABLES -t mangle -L $1 -n
|
||||
}
|
||||
|
||||
#
|
||||
@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
|
||||
#
|
||||
deletechain() # $1 = name of chain
|
||||
{
|
||||
qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1
|
||||
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
|
||||
}
|
||||
|
||||
#
|
||||
@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
||||
|
||||
case $level in
|
||||
ULOG)
|
||||
iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||
;;
|
||||
*)
|
||||
iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1462,7 +1462,7 @@ stop_firewall() {
|
||||
else
|
||||
routeback=Yes
|
||||
for h in $(separate_list $host); do
|
||||
iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||
done
|
||||
fi
|
||||
;;
|
||||
@ -1478,27 +1478,27 @@ stop_firewall() {
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||
|
||||
for host1 in $hosts; do
|
||||
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||
done
|
||||
done
|
||||
|
||||
iptables -A INPUT -i lo -j ACCEPT
|
||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
iptables -A OUTPUT -o lo -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
for interface in $(find_interfaces_by_option dhcp); do
|
||||
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
|
||||
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
|
||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||
#
|
||||
# This might be a bridge
|
||||
#
|
||||
iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
|
||||
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
|
||||
done
|
||||
|
||||
case "$IP_FORWARDING" in
|
||||
@ -2700,7 +2700,7 @@ process_accounting_rule() {
|
||||
|
||||
ensurechain1 $chain
|
||||
|
||||
if iptables -A $chain $(fix_bang $rule) ; then
|
||||
if $IPTABLES -A $chain $(fix_bang $rule) ; then
|
||||
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
|
||||
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
|
||||
else
|
||||
@ -5303,7 +5303,7 @@ refresh_blacklist() {
|
||||
local f=$(find_file blacklist)
|
||||
local disposition=$BLACKLIST_DISPOSITION
|
||||
|
||||
if qt iptables -L blacklst -n ; then
|
||||
if qt $IPTABLES -L blacklst -n ; then
|
||||
echo "Loading Black List..."
|
||||
|
||||
strip_file blacklist $f
|
||||
@ -5456,8 +5456,8 @@ verify_ip() {
|
||||
# Determine which optional facilities are supported by iptables/netfilter
|
||||
#
|
||||
determine_capabilities() {
|
||||
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
|
||||
CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
@ -5465,20 +5465,20 @@ determine_capabilities() {
|
||||
PHYSDEV_MATCH=
|
||||
IPRANGE_MATCH=
|
||||
|
||||
if qt iptables -N fooX1234 ; then
|
||||
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
if qt $IPTABLES -N fooX1234 ; then
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||
|
||||
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||
fi
|
||||
|
||||
qt iptables -F fooX1234
|
||||
qt iptables -X fooX1234
|
||||
qt $IPTABLES -F fooX1234
|
||||
qt $IPTABLES -X fooX1234
|
||||
fi
|
||||
}
|
||||
|
||||
@ -5706,8 +5706,8 @@ add_common_rules() {
|
||||
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
||||
#
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||
qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
@ -5728,8 +5728,8 @@ add_common_rules() {
|
||||
#
|
||||
# Not all versions of iptables support these so don't complain if they don't work
|
||||
#
|
||||
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
|
||||
qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||
if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
|
||||
#
|
||||
# In case the above doesn't work
|
||||
#
|
||||
@ -5792,7 +5792,7 @@ add_common_rules() {
|
||||
if [ -n "$BRIDGING" ]; then
|
||||
eval is_bridge=\$$(chain_base $interface)_ports
|
||||
[ -n "$is_bridge" ] && \
|
||||
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
|
||||
$IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
|
||||
fi
|
||||
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
|
||||
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
|
||||
@ -6617,12 +6617,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
|
||||
nat_chain_exists() # $1 = chain name
|
||||
{
|
||||
qt iptables -t nat -L $1 -n
|
||||
qt $IPTABLES -t nat -L $1 -n
|
||||
}
|
||||
|
||||
do_iptables() # $@ = command
|
||||
{
|
||||
if ! iptables $@ ; then
|
||||
if ! $IPTABLES $@ ; then
|
||||
startup_error "Can't add $1 to zone $2"
|
||||
fi
|
||||
}
|
||||
@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
#
|
||||
# Delete any nat table entries for the host(s)
|
||||
#
|
||||
qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
||||
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
||||
#
|
||||
# Delete rules rules the input chains for the passed interface
|
||||
#
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
||||
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
||||
else
|
||||
source_chain=$(dynamic_fwd $interface)
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
elif [ "$z2" = "$zone" ]; then
|
||||
if [ "$z1" = "$FW" ]; then
|
||||
qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
||||
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
||||
else
|
||||
eval source_hosts=\"\$${z1}_hosts\"
|
||||
|
||||
@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
hosts=${h#*:}
|
||||
|
||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
||||
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@ -6988,6 +6988,7 @@ do_initialize() {
|
||||
# Clear all configuration variables
|
||||
#
|
||||
version=
|
||||
IPTABLES=
|
||||
FW=
|
||||
SUBSYSLOCK=
|
||||
STATEDIR=
|
||||
@ -7102,6 +7103,14 @@ do_initialize() {
|
||||
|
||||
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
||||
|
||||
if [ -z "$IPTABLES" ]; then
|
||||
IPTABLES=$(which iptables 2> /dev/null)
|
||||
|
||||
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
|
||||
else
|
||||
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
||||
fi
|
||||
|
||||
[ -z "$FW" ] && FW=fw
|
||||
|
||||
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
|
||||
@ -7283,7 +7292,7 @@ case "$COMMAND" in
|
||||
[ $# -ne 1 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if qt iptables -L shorewall -n ; then
|
||||
if qt $IPTABLES -L shorewall -n ; then
|
||||
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||
echo "Shorewall Already Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
@ -7298,7 +7307,7 @@ case "$COMMAND" in
|
||||
[ $# -ne 1 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if qt iptables -L shorewall -n ; then
|
||||
if qt $IPTABLES -L shorewall -n ; then
|
||||
define_firewall "Restart"
|
||||
else
|
||||
echo "Shorewall Not Currently Running"
|
||||
@ -7313,22 +7322,22 @@ case "$COMMAND" in
|
||||
[ $# -ne 1 ] && usage
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
iptables -L -n -v
|
||||
$IPTABLES -L -n -v
|
||||
;;
|
||||
|
||||
reset)
|
||||
[ $# -ne 1 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if ! qt iptables -L shorewall -n ; then
|
||||
if ! qt $IPTABLES -L shorewall -n ; then
|
||||
echo "Shorewall Not Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
exit 2;
|
||||
fi
|
||||
iptables -Z
|
||||
iptables -t nat -Z
|
||||
iptables -t mangle -Z
|
||||
$IPTABLES -Z
|
||||
$IPTABLES -t nat -Z
|
||||
$IPTABLES -t mangle -Z
|
||||
report "Shorewall Counters Reset"
|
||||
date > $STATEDIR/restarted
|
||||
my_mutex_off
|
||||
@ -7338,7 +7347,7 @@ case "$COMMAND" in
|
||||
[ $# -ne 1 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if ! qt iptables -L shorewall -n ; then
|
||||
if ! qt $IPTABLES -L shorewall -n ; then
|
||||
echo "Shorewall Not Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
@ -7369,7 +7378,7 @@ case "$COMMAND" in
|
||||
[ $# -ne 3 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if ! qt iptables -L shorewall -n ; then
|
||||
if ! qt $IPTABLES -L shorewall -n ; then
|
||||
echo "Shorewall Not Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
@ -7383,7 +7392,7 @@ case "$COMMAND" in
|
||||
[ $# -ne 3 ] && usage
|
||||
do_initialize
|
||||
my_mutex_on
|
||||
if ! qt iptables -L shorewall -n ; then
|
||||
if ! qt $IPTABLES -L shorewall -n ; then
|
||||
echo "Shorewall Not Started"
|
||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||
my_mutex_off
|
||||
|
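Review bot: In the do_initialize hunk the new existence check `[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"` tests only for existence, so a path that exists but is not executable (or is a directory) passes the check and the message becomes misleading; the first real failure then surfaces later as an `ERROR: Command ... Failed` from run_iptables. Since every later call just runs `$IPTABLES`, test for what is actually needed: `[ -x "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"`. The same `-x` test would also be a cheap sanity check on the `which` result in the empty-IPTABLES branch, given that the script runs as root and will execute whatever path is resolved. The enclosing do_initialize function begins and ends outside this hunk.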
@ -202,6 +202,14 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
||||
6) The 'logunclean' and 'dropunclean' options that were deprecated in
|
||||
Shorewall 2.0 have now been removed completely.
|
||||
|
||||
7) A new IPTABLES variable has been added to shorewall.conf. This
|
||||
variable names the iptables executable that Shorewall will use. The
|
||||
variable is set to "/sbin/iptables". If you use the new
|
||||
shorewall.conf, you may need to change this setting to maintain
|
||||
compabibility with your current setup (if you use your existing
|
||||
shorewall.conf that does not set IPTABLES then you should
|
||||
experience no change in behavior).
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
New Features:
|
||||
|
||||
@ -674,3 +682,11 @@ New Features:
|
||||
|
||||
28) For consistency, the CLIENT PORT(S) column in the tcrules file has
|
||||
been renamed SOURCE PORT(S).
|
||||
|
||||
29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown
|
||||
in the output of "shorewall status".
|
||||
|
||||
30) A new IPTABLES option has been added to shorewall.conf. IPTABLES
|
||||
can be used to designate the iptables executable to be used by
|
||||
Shorewall. If not specified, the iptables executable determined by
|
||||
the PATH setting is used.
|
||||
|
@ -192,6 +192,19 @@ get_config() {
|
||||
|
||||
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
||||
|
||||
if [ -n "$IPTABLES" ]; then
|
||||
if [ ! -e "$IPTABLES" ]; then
|
||||
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
else
|
||||
IPTABLES=$(which iptables 2> /dev/null)
|
||||
if [ -z "$IPTABLES" ] ; then
|
||||
echo " ERROR: Can't find iptables executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
@ -223,7 +236,7 @@ display_chains()
|
||||
TMPFILE=$(mktempfile)
|
||||
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
||||
|
||||
iptables -L $IPT_OPTIONS >> $TMPFILE
|
||||
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
@ -306,7 +319,7 @@ display_chains()
|
||||
|
||||
qt rm -f $TMPFILE
|
||||
else
|
||||
iptables -L -n -v
|
||||
$IPTABLES -L -n -v
|
||||
timed_read
|
||||
fi
|
||||
trap - 1 2 3 4 5 6 9
|
||||
@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
let "timeout=- $1"
|
||||
@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
echo
|
||||
echo "NAT Status"
|
||||
echo
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
echo
|
||||
echo "TOS/MARK Status"
|
||||
echo
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
timeout=$((- $1))
|
||||
@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -876,14 +889,14 @@ case "$1" in
|
||||
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
@ -914,10 +927,10 @@ case "$1" in
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
for chain in $*; do
|
||||
iptables -L $chain $IPT_OPTIONS
|
||||
$IPTABLES -L $chain $IPT_OPTIONS
|
||||
done
|
||||
else
|
||||
iptables -L $IPT_OPTIONS
|
||||
$IPTABLES -L $IPT_OPTIONS
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -941,17 +954,17 @@ case "$1" in
|
||||
echo
|
||||
show_reset
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
iptables -L $IPT_OPTIONS
|
||||
$IPTABLES -L $IPT_OPTIONS
|
||||
echo
|
||||
packet_log 20
|
||||
echo
|
||||
echo "NAT Table"
|
||||
echo
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
echo
|
||||
echo "Mangle Table"
|
||||
echo
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
echo
|
||||
@ -971,6 +984,7 @@ case "$1" in
|
||||
echo
|
||||
|
||||
show_proc /proc/sys/net/ipv4/ip_forward
|
||||
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
|
||||
for directory in /proc/sys/net/ipv4/conf/*; do
|
||||
for file in proxy_arp arp_filter rp_filter log_martians; do
|
||||
@ -1041,10 +1055,10 @@ case "$1" in
|
||||
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||
if ! $0 $debugging -c $2 restart; then
|
||||
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
fi
|
||||
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
elif [ $# -eq 3 ]; then
|
||||
sleep $3
|
||||
@ -1067,9 +1081,9 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j DROP || break 1
|
||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||
$IPTABLES -A dynamic -s $1 -j DROP || break 1
|
||||
echo "$1 Dropped"
|
||||
done
|
||||
mutex_off
|
||||
@ -1080,9 +1094,9 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j reject || break 1
|
||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||
$IPTABLES -A dynamic -s $1 -j reject || break 1
|
||||
echo "$1 Rejected"
|
||||
done
|
||||
mutex_off
|
||||
@ -1093,7 +1107,7 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
|
||||
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
@ -1122,7 +1136,7 @@ case "$1" in
|
||||
|
||||
mutex_on
|
||||
|
||||
if qt iptables -L shorewall -n; then
|
||||
if qt $IPTABLES -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
@ -1133,7 +1147,7 @@ case "$1" in
|
||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||
;;
|
||||
*)
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
|
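Review bot: In the get_config hunk `IPTABLES=$(which iptables 2> /dev/null)` is not a reliable way to obtain an executable path: `which` is not a shell builtin and, on some platforms, reports "no iptables in ..." on stdout rather than stderr, so `$IPTABLES` can end up holding an error message that passes the `[ -z "$IPTABLES" ]` guard and only fails later inside `$IPTABLES -L ...`; this is an inference about non-GNU `which` implementations rather than something the hunk shows. The POSIX form `IPTABLES=$(command -v iptables 2> /dev/null)` avoids that, and the explicit-path branch should test executability to match its own message: `if [ ! -x "$IPTABLES" ]; then`. The existing SHOREWALL_SHELL check just below uses the same `-e` pattern, so it may be worth aligning both. get_config begins and ends outside this hunk.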
@ -252,6 +252,15 @@ LOG_MARTIANS=No
|
||||
################################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
################################################################################
|
||||
#
|
||||
# IPTABLES
|
||||
#
|
||||
# Full path to iptables executable Shorewall uses to build the firewall. If
|
||||
# not specified or if specified with an empty value (e.g., IPTABLES="") then
|
||||
# the iptables executable located via the PATH setting below is used.
|
||||
#
|
||||
IPTABLES=
|
||||
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
|
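Review bot: The shipped default here is `IPTABLES=` (empty, fall back to PATH lookup), but the release-notes text added by this same commit (item 7) states the variable "is set to /sbin/iptables" and warns users of the new shorewall.conf to adjust it; one of the two is wrong and should be corrected before release. Because the firewall script runs as root and executes whatever `which iptables` returns when this is empty, the comment would benefit from a caveat such as `# Setting an absolute path (e.g. /sbin/iptables) avoids depending on PATH below.` so administrators are nudged to pin the binary rather than trust directory search order.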