From fa89a86f718513bf93aab2c904e4d1a95a9f3b53 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 26 Nov 2004 18:44:42 +0000 Subject: [PATCH] Apply and fix Tuomas Jormola's IPTABLES patch git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1766 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 4 ++ Shorewall2/firewall | 113 +++++++++++++++++++----------------- Shorewall2/releasenotes.txt | 16 +++++ Shorewall2/shorewall | 66 ++++++++++++--------- Shorewall2/shorewall.conf | 9 +++ 5 files changed, 130 insertions(+), 78 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index af6737908..f3c7b194f 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -144,3 +144,7 @@ Changes since 2.0.3 69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file. 70) Correct typo in shorewall.conf. + +71) Add the 'icmp_echo_ignore_all' file to the /proc display. + +72) Apply Tuomas Jormola's IPTABLES patch. diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 1ae200063..b1238d2aa 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -156,9 +156,9 @@ run_iptables() { [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange - if ! iptables $@ ; then + if ! $IPTABLES $@ ; then if [ -z "$stopping" ]; then - error_message "ERROR: Command \"iptables $@\" Failed" + error_message "ERROR: Command \"$IPTABLES $@\" Failed" stop_firewall exit 2 fi @@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules { local c=$(chain_base $1) - if iptables -N $1; then + if $IPTABLES -N $1; then if [ $2 = yes ]; then run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT @@ -265,7 +265,7 @@ havechain() # $1 = name of chain # chain_exists() # $1 = chain name { - qt iptables -L $1 -n + qt $IPTABLES -L $1 -n } # 
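Review bot: In run_iptables the new `if ! $IPTABLES $@ ; then` expands the configured path unquoted, so a value containing whitespace is split into words even though do_initialize later validates it quoted with `[ -e "$IPTABLES" ]`; `if ! "$IPTABLES" $@ ; then` and `error_message "ERROR: Command \"$IPTABLES $@\" Failed"` would keep validation and use consistent. The same unquoted expansion recurs at every converted call site in Shorewall2/firewall and Shorewall2/shorewall, so this is a pass over the whole substitution rather than a one-line fix. The pre-existing unquoted `$@` is deliberate word splitting of the rule text and is not what this note is about. run_iptables starts outside the hunk.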
@@ -273,7 +273,7 @@ chain_exists() # $1 = chain name # mangle_chain_exists() # $1 = chain name { - qt iptables -t mangle -L $1 -n + qt $IPTABLES -t mangle -L $1 -n } # @@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule # deletechain() # $1 = name of chain { - qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 + qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1 } # @@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi case $level in ULOG) - iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ;; *) - iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" ;; esac @@ -1462,7 +1462,7 @@ stop_firewall() { else routeback=Yes for h in $(separate_list $host); do - iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT + $IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT done fi ;; 
@@ -1478,27 +1478,27 @@ stop_firewall() { for host in $hosts; do interface=${host%:*} networks=${host#*:} - iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT + $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT + $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT for host1 in $hosts; do - [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT + [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT done done - iptables -A INPUT -i lo -j ACCEPT + $IPTABLES -A INPUT -i lo -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -o lo -j ACCEPT + $IPTABLES -A OUTPUT -o lo -j ACCEPT for interface in $(find_interfaces_by_option dhcp); do - iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT + $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT # # This might be a bridge # - iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT + $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT done case "$IP_FORWARDING" in @@ -2700,7 +2700,7 @@ process_accounting_rule() { ensurechain1 $chain - if iptables -A $chain $(fix_bang $rule) ; then + if $IPTABLES -A $chain $(fix_bang $rule) ; then [ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2 progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added else 
@@ -5303,7 +5303,7 @@ refresh_blacklist() { local f=$(find_file blacklist) local disposition=$BLACKLIST_DISPOSITION - if qt iptables -L blacklst -n ; then + if qt $IPTABLES -L blacklst -n ; then echo "Loading Black List..." strip_file blacklist $f @@ -5456,8 +5456,8 @@ verify_ip() { # Determine which optional facilities are supported by iptables/netfilter # determine_capabilities() { - qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= - qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= + qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= CONNTRACK_MATCH= MULTIPORT= 
@@ -5465,20 +5465,20 @@ determine_capabilities() { PHYSDEV_MATCH= IPRANGE_MATCH= - if qt iptables -N fooX1234 ; then - qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes - qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes - qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes - qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes + if qt $IPTABLES -N fooX1234 ; then + qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes if [ -n "$PKTTYPE" ]; then - qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= + qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE= fi - qt iptables -F fooX1234 - qt iptables -X fooX1234 + qt $IPTABLES -F fooX1234 + qt $IPTABLES -X fooX1234 fi } @@ -5706,8 +5706,8 @@ add_common_rules() { # Reject Rules -- Don't respond to broadcasts with an ICMP # if [ -n "$PKTTYPE" ]; then - qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP - if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then + qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP + if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then # # No pkttype support -- do it the hard way # 
@@ -5728,8 +5728,8 @@ add_common_rules() { # # Not all versions of iptables support these so don't complain if they don't work # - qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable - if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then + qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable + if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then # # In case the above doesn't work # @@ -5792,7 +5792,7 @@ add_common_rules() { if [ -n "$BRIDGING" ]; then eval is_bridge=\$$(chain_base $interface)_ports [ -n "$is_bridge" ] && \ - iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT + $IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT fi run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT @@ -6617,12 +6617,12 @@ add_to_zone() # $1 = [:] $2 = zone nat_chain_exists() # $1 = chain name { - qt iptables -t nat -L $1 -n + qt $IPTABLES -t nat -L $1 -n } do_iptables() # $@ = command { - if ! iptables $@ ; then + if ! $IPTABLES $@ ; then startup_error "Can't add $1 to zone $2" fi } @@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat + qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain + qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" 
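Review bot: In `do_iptables()` the only diagnostic on the failure path, `startup_error "Can't add $1 to zone $2"`, reads the function's own positional parameters, which per its comment are the iptables arguments (`$@ = command`), so it appears to report the first two iptables arguments rather than a host and zone; the substitution to `$IPTABLES` keeps this as is. A message built from the enclosing add_to_zone's variables, if they are in scope, or `startup_error "Command \"$IPTABLES $@\" Failed"` in the style of run_iptables, would describe what actually failed. do_iptables sits inside add_to_zone, whose body starts and ends outside the hunk.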
@@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain + qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain + qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain fi done fi @@ -6988,6 +6988,7 @@ do_initialize() { # Clear all configuration variables # version= + IPTABLES= FW= SUBSYSLOCK= STATEDIR= @@ -7102,6 +7103,14 @@ do_initialize() { [ -d $STATEDIR ] || mkdir -p $STATEDIR + if [ -z "$IPTABLES" ]; then + IPTABLES=$(which iptables 2> /dev/null) + + [ -z "$IPTABLES" ] && startup_error "Can't find iptables executable" + else + [ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable" + fi + [ -z "$FW" ] && FW=fw ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" @@ -7283,7 +7292,7 @@ case "$COMMAND" in [ $# -ne 1 ] && usage do_initialize my_mutex_on - if qt iptables -L shorewall -n ; then + if qt $IPTABLES -L shorewall -n ; then [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK echo "Shorewall Already Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR 
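Review bot: The new check in do_initialize, `[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"`, tests existence only, so a non-executable file or a directory passes and the error surfaces later as a bare shell failure on the first `$IPTABLES` call; `[ -x "$IPTABLES" ]` matches what the message claims. The same `-e` test is used in the new get_config block in Shorewall2/shorewall and should change there too. The fallback `IPTABLES=$(which iptables 2> /dev/null)` depends on an external `which` and on whatever PATH is in effect at that point; `command -v iptables` gives the same answer from the shell itself, though whether shorewall.conf's PATH has already been applied when this runs is not visible in the hunk. do_initialize continues outside the hunk.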
@@ -7298,7 +7307,7 @@ case "$COMMAND" in [ $# -ne 1 ] && usage do_initialize my_mutex_on - if qt iptables -L shorewall -n ; then + if qt $IPTABLES -L shorewall -n ; then define_firewall "Restart" else echo "Shorewall Not Currently Running" @@ -7313,22 +7322,22 @@ case "$COMMAND" in [ $# -ne 1 ] && usage echo "Shorewall-$version Status at $HOSTNAME - $(date)" echo - iptables -L -n -v + $IPTABLES -L -n -v ;; reset) [ $# -ne 1 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off exit 2; fi - iptables -Z - iptables -t nat -Z - iptables -t mangle -Z + $IPTABLES -Z + $IPTABLES -t nat -Z + $IPTABLES -t mangle -Z report "Shorewall Counters Reset" date > $STATEDIR/restarted my_mutex_off @@ -7338,7 +7347,7 @@ case "$COMMAND" in [ $# -ne 1 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off @@ -7369,7 +7378,7 @@ case "$COMMAND" in [ $# -ne 3 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off @@ -7383,7 +7392,7 @@ case "$COMMAND" in [ $# -ne 3 ] && usage do_initialize my_mutex_on - if ! qt iptables -L shorewall -n ; then + if ! qt $IPTABLES -L shorewall -n ; then echo "Shorewall Not Started" [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR my_mutex_off diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 156b2704e..a02eb6800 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
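Review bot: In the `status` branch the new `$IPTABLES -L -n -v` is reached with no preceding `do_initialize`, unlike the start, restart and reset branches in the neighbouring hunks, and do_initialize is where Shorewall2/firewall resolves IPTABLES (earlier hunk), so on this path the variable looks empty and the shell would try to execute `-L` as a command. If the `shorewall` wrapper exports IPTABLES into the environment before invoking this script the line works, but that is not visible here; calling `do_initialize` before the echo as the other branches do, or falling back with `[ -n "$IPTABLES" ] || IPTABLES=iptables`, would make the branch self-contained. The enclosing case statement starts and ends outside the hunk.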
@@ -202,6 +202,14 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1: 6) The 'logunclean' and 'dropunclean' options that were deprecated in Shorewall 2.0 have now been removed completely. +7) A new IPTABLES variable has been added to shorewall.conf. This + variable names the iptables executable that Shorewall will use. The + variable is set to "/sbin/iptables". If you use the new + shorewall.conf, you may need to change this setting to maintain + compabibility with your current setup (if you use your existing + shorewall.conf that does not set IPTABLES then you should + experience no change in behavior). + ----------------------------------------------------------------------- New Features: @@ -674,3 +682,11 @@ New Features: 28) For consistency, the CLIENT PORT(S) column in the tcrules file has been renamed SOURCE PORT(S). + +29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown + in the output of "shorewall status". + +30) A new IPTABLES option has been added to shorewall.conf. IPTABLES + can be used to designate the iptables executable to be used by + Shorewall. If not specified, the iptables executable determined by + the PATH setting is used. diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall index 3683c2e2c..d657ea865 100755 --- a/Shorewall2/shorewall +++ b/Shorewall2/shorewall @@ -192,6 +192,19 @@ get_config() { [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" + if [ -n "$IPTABLES" ]; then + if [ ! -e "$IPTABLES" ]; then + echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2 + exit 2 + fi + else + IPTABLES=$(which iptables 2> /dev/null) + if [ -z "$IPTABLES" ] ; then + echo " ERROR: Can't find iptables executable" >&2 + exit 2 + fi + fi + if [ -n "$SHOREWALL_SHELL" ]; then if [ ! -e "$SHOREWALL_SHELL" ]; then echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2 
@@ -223,7 +236,7 @@ display_chains() TMPFILE=$(mktempfile) [ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; } - iptables -L $IPT_OPTIONS >> $TMPFILE + $IPTABLES -L $IPT_OPTIONS >> $TMPFILE clear echo "$banner $(date)" @@ -306,7 +319,7 @@ display_chains() qt rm -f $TMPFILE else - iptables -L -n -v + $IPTABLES -L -n -v timed_read fi trap - 1 2 3 4 5 6 9 @@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that get_config host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$(iptables -L -v -n | grep 'LOG') + oldrejects=$($IPTABLES -L -v -n | grep 'LOG') if [ $1 -lt 0 ]; then let "timeout=- $1" @@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that show_reset - rejects=$(iptables -L -v -n | grep 'LOG') + rejects=$($IPTABLES -L -v -n | grep 'LOG') if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" @@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that echo echo "NAT Status" echo - iptables -t nat -L $IPT_OPTIONS + $IPTABLES -t nat -L $IPT_OPTIONS timed_read clear @@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that echo echo "TOS/MARK Status" echo - iptables -t mangle -L $IPT_OPTIONS + $IPTABLES -t mangle -L $IPT_OPTIONS timed_read clear @@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that get_config host=$(echo $HOSTNAME | sed 's/\..*$//') - oldrejects=$(iptables -L -v -n | grep 'LOG') + oldrejects=$($IPTABLES -L -v -n | grep 'LOG') if [ $1 -lt 0 ]; then timeout=$((- $1)) @@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that show_reset - rejects=$(iptables -L -v -n | grep 'LOG') + rejects=$($IPTABLES -L -v -n | grep 'LOG') if [ "$rejects" != "$oldrejects" ]; then oldrejects="$rejects" 
@@ -876,14 +889,14 @@ case "$1" in echo "Shorewall-$version NAT at $HOSTNAME - $(date)" echo show_reset - iptables -t nat -L $IPT_OPTIONS + $IPTABLES -t nat -L $IPT_OPTIONS ;; tos|mangle) [ $# -gt 2 ] && usage 1 echo "Shorewall-$version TOS at $HOSTNAME - $(date)" echo show_reset - iptables -t mangle -L $IPT_OPTIONS + $IPTABLES -t mangle -L $IPT_OPTIONS ;; log) [ $# -gt 2 ] && usage 1 @@ -914,10 +927,10 @@ case "$1" in show_reset if [ $# -gt 0 ]; then for chain in $*; do - iptables -L $chain $IPT_OPTIONS + $IPTABLES -L $chain $IPT_OPTIONS done else - iptables -L $IPT_OPTIONS + $IPTABLES -L $IPT_OPTIONS fi ;; esac @@ -941,17 +954,17 @@ case "$1" in echo show_reset host=$(echo $HOSTNAME | sed 's/\..*$//') - iptables -L $IPT_OPTIONS + $IPTABLES -L $IPT_OPTIONS echo packet_log 20 echo echo "NAT Table" echo - iptables -t nat -L $IPT_OPTIONS + $IPTABLES -t nat -L $IPT_OPTIONS echo echo "Mangle Table" echo - iptables -t mangle -L $IPT_OPTIONS + $IPTABLES -t mangle -L $IPT_OPTIONS echo cat /proc/net/ip_conntrack echo @@ -971,6 +984,7 @@ case "$1" in echo show_proc /proc/sys/net/ipv4/ip_forward + show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all for directory in /proc/sys/net/ipv4/conf/*; do for file in proxy_arp arp_filter rp_filter log_martians; do @@ -1041,10 +1055,10 @@ case "$1" in [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" [ $# -lt 2 -o $# -gt 3 ] && usage 1 if ! $0 $debugging -c $2 restart; then - if ! iptables -L shorewall > /dev/null 2> /dev/null; then + if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then $0 start fi - elif ! iptables -L shorewall > /dev/null 2> /dev/null; then + elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then $0 start elif [ $# -eq 3 ]; then sleep $3 
@@ -1067,9 +1081,9 @@ case "$1" in mutex_on while [ $# -gt 1 ]; do shift - qt iptables -D dynamic -s $1 -j reject - qt iptables -D dynamic -s $1 -j DROP - iptables -A dynamic -s $1 -j DROP || break 1 + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + $IPTABLES -A dynamic -s $1 -j DROP || break 1 echo "$1 Dropped" done mutex_off @@ -1080,9 +1094,9 @@ case "$1" in mutex_on while [ $# -gt 1 ]; do shift - qt iptables -D dynamic -s $1 -j reject - qt iptables -D dynamic -s $1 -j DROP - iptables -A dynamic -s $1 -j reject || break 1 + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + $IPTABLES -A dynamic -s $1 -j reject || break 1 echo "$1 Rejected" done mutex_off @@ -1093,7 +1107,7 @@ case "$1" in mutex_on while [ $# -gt 1 ]; do shift - if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then + if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then echo "$1 Allowed" else echo "$1 Not Dropped or Rejected" @@ -1122,7 +1136,7 @@ case "$1" in mutex_on - if qt iptables -L shorewall -n; then + if qt $IPTABLES -L shorewall -n; then [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then @@ -1133,7 +1147,7 @@ case "$1" in echo " ERROR: Reserved file name: $RESTOREFILE" ;; *) - if iptables -L dynamic -n > /var/lib/shorewall/save; then + if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then echo " Dynamic Rules Saved" if [ -f /var/lib/shorewall/restore-base ]; then cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf index 3dd90c208..f51ef8c6e 100755 --- a/Shorewall2/shorewall.conf +++ b/Shorewall2/shorewall.conf 
@@ -252,6 +252,15 @@ LOG_MARTIANS=No ################################################################################ # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ################################################################################ +# +# IPTABLES +# +# Full path to iptables executable Shorewall uses to build the firewall. If +# not specified or if specified with an empty value (e.g., IPTABLES="") then +# the iptables executable located via the PATH setting below is used. +# +IPTABLES= + # # PATH - Change this if you want to change the order in which Shorewall # searches directories for executable files.
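Review bot: The shipped default `IPTABLES=` is empty, while the release notes in the same commit say the new shorewall.conf sets the variable to "/sbin/iptables"; one of the two should change so that administrators migrating get the behaviour the notes describe. The comment says "Full path to iptables executable", but the checks added in Shorewall2/firewall and Shorewall2/shorewall only verify that the path exists, so a bare name or relative path is accepted and then resolved by the shell at each call; a sentence in the comment such as `# The value is used as given and is not searched on PATH; give an absolute path.` would set the expectation until the check is tightened.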