#!/bin/sh # # Shorewall Packet Filtering Firewall Control Program - V3.3 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net) # # This file should be placed in /sbin/shorewall. # # Shorewall documentation is available at http://shorewall.sourceforge.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # # If an error occurs while starting or restarting the firewall, the # firewall is automatically stopped. # # The firewall uses configuration files in /etc/shorewall/ - skeleton # files is included with the firewall. # # Commands are: # # shorewall add [:] zone Adds a host or subnet to a zone # shorewall delete [:] zone Deletes a host or subnet from a zone # shorewall dump Dumps all Shorewall-related information # for problem analysis # shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall stop Stops the firewall # shorewall status Displays firewall status # shorewall reset Resets iptables packet and # byte counts # shorewall clear Open the floodgates by # removing all iptables rules # and setting the three permanent # chain policies to ACCEPT # shorewall refresh Rebuild the common chain to # compensate for a change of # broadcast address on any "detect" # interface. # shorewall [re]load [ ] # Compile a script and install it on a # remote Shorewall Lite system. 
# shorewall show [ ... ] Display the rules in each listed # shorewall show actions Displays the available actions # shorewall show log Print the last 20 log messages # shorewall show connections Show the kernel's connection # tracking table # shorewall show nat Display the rules in the nat table # shorewall show {mangle|tos} Display the rules in the mangle table # shorewall show tc Display traffic control info # shorewall show classifiers Display classifiers # shorewall show capabilities Display iptables/kernel capabilities # shorewall version Display the installed version id # shorewall check [ -e ] [ ] Dry-run compilation. # shorewall try [ ] Try a new configuration and if # it doesn't work, revert to the # standard one. If a timeout is supplied # the command reverts back to the # standard configuration after that many # seconds have elapsed after successfully # starting the new configuration. # shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall # messages. # shorewall drop
... Temporarily drop all packets from the # listed address(es) # shorewall reject
... Temporarily reject all packets from the # listed address(es) # shorewall allow
... Re-enable address(es) previously # disabled with "drop" or "reject" # shorewall save [ ] Save the list of "rejected" and # "dropped" addresses so that it will # be automatically reinstated the # next time that Shorewall starts. # Save the current state so that 'shorewall # restore' can be used. # # shorewall forget [ ] Discard the data saved by 'shorewall save' # # shorewall restore [ ] Restore the state of the firewall from # previously saved information. # # shorewall ipaddr {
/ |
} # # Displays information about the network # defined by the argument[s] # # shorewall iprange
-
Decomposes a range of IP addresses into # a list of network/host addresses. # # shorewall ipdecimal {
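#                                           | }
#
#                                           Displays the decimal equivalent of an IP
#                                           address and vice versa.
#
#     shorewall safe-start                  Starts the firewall and prompts for a
#                                           confirmation to accept or reject the new
#                                           configuration
#
#     shorewall safe-restart                Restarts the firewall and prompts for a
#                                           confirmation to accept or reject the new
#                                           configuration
#
#     shorewall compile [ -e ] [ ]
#                                           Compile a firewall program file.
#
# Set the configuration variables from shorewall.conf
#
# Called once shorewall.conf has been sourced.  Validates the settings this
# script depends on and exports the ones that the compiler and the generated
# firewall script read.  The root-only part is skipped for "compile -e"
# (EXPORT set) and for non-root users, who only need the compiler.
#
# Globals:  reads EXPORT, VERBOSE_OFFSET, CONFDIR and the shorewall.conf
#           settings LOGFILE, IPTABLES, RESTOREFILE, STARTUP_ENABLED,
#           TC_ENABLED, LOGFORMAT, SHOREWALL_SHELL, VERBOSITY;
#           writes/exports CONFIG_PATH, IPTABLES, RESTOREFILE, LOGFORMAT,
#           VERBOSE; sets realtail, STARTUP_ENABLED, TC_ENABLED.
# Exits:    2 when a required file/program is missing or a setting is invalid.
#
get_config() {
    if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
	#
	# This block is avoided for compile for export and when the user isn't root
	#
	export CONFIG_PATH

	[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

	if [ ! -f "$LOGFILE" ]; then
	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
	    exit 2
	fi

	#
	# IPTABLES may be set explicitly in shorewall.conf; otherwise it is
	# located on the (fixed) PATH established by the main program.
	#
	if [ -n "$IPTABLES" ]; then
	    if [ ! -x "$IPTABLES" ]; then
		echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
		exit 2
	    fi
	else
	    IPTABLES=$(mywhich iptables 2> /dev/null)
	    if [ -z "$IPTABLES" ] ; then
		echo " ERROR: Can't find iptables executable" >&2
		exit 2
	    fi
	fi

	export IPTABLES

	#
	# See if we have a real version of "tail" -- use separate redirection so
	# that ash (aka /bin/sh on LRP) doesn't crap.  realtail is consumed by
	# the library code, not by this file.
	#
	if ( tail -n5 "$LOGFILE" > /dev/null 2> /dev/null ) ; then
	    realtail="Yes"
	else
	    realtail=""
	fi

	#
	# Compile by non-root needs no restore file
	#
	[ -n "$RESTOREFILE" ] || RESTOREFILE=restore

	validate_restorefile RESTOREFILE

	export RESTOREFILE

	case $STARTUP_ENABLED in
	    No|no|NO)
		echo " WARNING: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2
		STARTUP_ENABLED=
		;;
	    Yes|yes|YES)
		;;
	    *)
		#
		# Any non-empty value other than Yes/No is rejected; empty is
		# treated as disabled by the command executors below.
		#
		if [ -n "$STARTUP_ENABLED" ]; then
		    echo " ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
		    exit 2
		fi
		;;
	esac

	case ${TC_ENABLED:=Internal} in
	    No|NO|no)
		TC_ENABLED=
		;;
	esac

	#
	# Keep only the part of LOGFORMAT before the first '%' -- that prefix is
	# what the log-scanning commands (hits, logwatch, ...) grep for.
	#
	[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
	[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"

	export LOGFORMAT
    fi

    if [ -n "$SHOREWALL_SHELL" ]; then
	if [ ! -x "$SHOREWALL_SHELL" ]; then
	    echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
	    exit 2
	fi
    fi

    #
    # VERBOSITY defaults to 2; the -q/-v command-line options are folded in
    # through VERBOSE_OFFSET.
    #
    [ -n "${VERBOSITY:=2}" ]

    VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))

    export VERBOSE
}

#
# Start Command Executor
#
# Arguments: the remaining command-line arguments after "start":
#            [ -f ] [ -- ] [ <directory> ]
# Globals:   reads STARTUP_ENABLED, SHOREWALL_DIR, FAST, RESTOREFILE, VARDIR,
#            CONFDIR, SHAREDIR, SHOREWALL_SHELL, IPTABLES, debugging, nolock;
#            exports SHOREWALL_DIR and NOROUTES.
# Exits:     1 if already running or on usage error, 2 if startup is disabled,
#            otherwise with the status of the generated start script.
#
start_command() {
    local finished=0

    #
    # Compile ${VARDIR}/.start and run it.  Never returns.
    #
    do_it() {
	local rc=0

	[ -n "$nolock" ] || mutex_on

	progress_message3 "Compiling..."

	if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
	    ${VARDIR}/.start $debugging start
	    rc=$?
	else
	    rc=$?
	fi

	[ -n "$nolock" ] || mutex_off

	exit $rc
    }

    if shorewall_is_started; then
	error_message "Shorewall is already running"
	exit 1
    fi

    if [ -z "$STARTUP_ENABLED" ]; then
	error_message "ERROR: Startup is disabled"
	exit 2
    fi

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			f*)
			    FAST=Yes
			    option=${option#f}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	1)
	    #
	    # A directory argument conflicts with -c and with -f (the fast
	    # path restores a saved script rather than compiling a directory)
	    #
	    [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2

	    if [ ! -d "$1" ]; then
		if [ -e "$1" ]; then
		    echo "$1 is not a directory" >&2 && exit 2
		else
		    echo "Directory $1 does not exist" >&2 && exit 2
		fi
	    fi

	    SHOREWALL_DIR=$1
	    export SHOREWALL_DIR
	    ;;
	*)
	    usage 1
	    ;;
    esac

    export NOROUTES

    if [ -n "$FAST" ]; then
	if qt mywhich make; then
	    #
	    # RESTOREFILE is exported by get_config().  'make -q' reports
	    # (via a non-zero status) whether the Makefile's targets are out
	    # of date; in that case fall back to a full compile.
	    #
	    make -qf ${CONFDIR}/Makefile || FAST=
	fi

	if [ -n "$FAST" ]; then
	    RESTOREPATH=${VARDIR}/$RESTOREFILE

	    if [ -x "$RESTOREPATH" ]; then
		if [ -x "${RESTOREPATH}-ipsets" ]; then
		    echo "Restoring Ipsets..."
		    #
		    # We must purge iptables to be sure that there are no
		    # references to ipsets
		    #
		    $IPTABLES -F
		    $IPTABLES -X
		    $SHOREWALL_SHELL "${RESTOREPATH}-ipsets"
		fi

		echo "Restoring Shorewall..."
		$SHOREWALL_SHELL "$RESTOREPATH" restore
		date > ${VARDIR}/restarted
		progress_message3 "Shorewall restored from $RESTOREPATH"
	    else
		do_it
	    fi
	else
	    do_it
	fi
    else
	do_it
    fi
}

#
# Compile Command Executor
#
# Arguments: [ -e ] [ -- ] [ <directory> ] <file>
# Globals:   reads SHOREWALL_DIR, SHAREDIR, SHOREWALL_SHELL, debugging;
#            exports EXPORT (Yes with -e) and SHOREWALL_DIR.
# Exits:     via exec into the compiler; usage error 1 or 2 otherwise.
#
compile_command() {
    local finished=0

    while [ $finished -eq 0 ]; do
	[ $# -eq 0 ] && usage 1
	option=$1
	case $option in
	    -*)
		shift
		option=${option#-}

		[ -z "$option" ] && usage 1

		while [ -n "$option" ]; do
		    case $option in
			e*)
			    EXPORT=Yes
			    option=${option#e}
			    ;;
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done
		;;
	    *)
		finished=1
		;;
	esac
    done

    file=

    case $# in
	1)
	    file=$1
	    ;;
	2)
	    [ -n "$SHOREWALL_DIR" ] && usage 2

	    if [ ! -d "$1" ]; then
		if [ -e "$1" ]; then
		    echo "$1 is not a directory" >&2 && exit 2
		else
		    echo "Directory $1 does not exist" >&2 && exit 2
		fi
	    fi

	    SHOREWALL_DIR=$1
	    export SHOREWALL_DIR
	    file=$2
	    ;;
	*)
	    usage 1
	    ;;
    esac

    export EXPORT

    progress_message3 "Compiling..."

    exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging compile "$file"
}

#
# Check Command Executor
#
# Arguments: [ -e ] [ -- ] [ <directory> ]
# Globals:   as compile_command(), plus nolock.
# Exits:     via exec into the compiler's dry-run ("check") mode.
#
check_command() {
    local finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			e*)
			    EXPORT=Yes
			    option=${option#e}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	1)
	    [ -n "$SHOREWALL_DIR" ] && usage 2

	    if [ ! -d "$1" ]; then
		if [ -e "$1" ]; then
		    echo "$1 is not a directory" >&2 && exit 2
		else
		    echo "Directory $1 does not exist" >&2 && exit 2
		fi
	    fi

	    SHOREWALL_DIR=$1
	    export SHOREWALL_DIR
	    ;;
	*)
	    usage 1
	    ;;
    esac

    export EXPORT

    progress_message3 "Checking..."

    exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock check
}

#
# Restart Command Executor
#
# Arguments: [ -n ] [ -- ] [ <directory> ]
# Globals:   reads STARTUP_ENABLED, SHOREWALL_DIR, VARDIR, SHAREDIR,
#            SHOREWALL_SHELL, debugging, nolock; exports NOROUTES and
#            SHOREWALL_DIR.
# Returns:   the status of the generated restart script (or of the compiler
#            when compilation fails).
# Exits:     2 if startup is disabled, 1/2 on usage errors.
#
restart_command() {
    local finished=0 rc=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			n*)
			    NOROUTES=Yes
			    option=${option#n}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	1)
	    [ -n "$SHOREWALL_DIR" ] && usage 2

	    if [ ! -d "$1" ]; then
		if [ -e "$1" ]; then
		    echo "$1 is not a directory" >&2 && exit 2
		else
		    echo "Directory $1 does not exist" >&2 && exit 2
		fi
	    fi

	    SHOREWALL_DIR=$1
	    export SHOREWALL_DIR
	    ;;
	*)
	    usage 1
	    ;;
    esac

    if [ -z "$STARTUP_ENABLED" ]; then
	error_message "ERROR: Startup is disabled"
	exit 2
    fi

    export NOROUTES

    [ -n "$nolock" ] || mutex_on

    progress_message3 "Compiling..."

    if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
	$SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
	rc=$?
    else
	rc=$?
    fi

    [ -n "$nolock" ] || mutex_off

    return $rc
}

#
# Refresh Command Executor
#
# Arguments: [ -- ] (no other arguments are accepted)
# Globals:   reads STARTUP_ENABLED, VARDIR, SHAREDIR, SHOREWALL_SHELL,
#            debugging, nolock; exports NOROUTES.
# Exits:     2 if Shorewall is not running or startup is disabled.
#
refresh_command() {
    local finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	0)
	    ;;
	*)
	    usage 1
	    ;;
    esac

    if ! shorewall_is_started ; then
	error_message "ERROR: Shorewall is not running"
	exit 2
    fi

    if [ -z "$STARTUP_ENABLED" ]; then
	error_message "ERROR: Startup is disabled"
	exit 2
    fi

    export NOROUTES

    [ -n "$nolock" ] || mutex_on

    progress_message3 "Compiling..."

    if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.refresh; then
	$SHOREWALL_SHELL ${VARDIR}/.refresh $debugging refresh
    fi

    [ -n "$nolock" ] || mutex_off
}

#
# Safe-start/safe-restart Command Executor
#
# Compiles and runs the new configuration, then asks the operator to confirm
# it.  If the answer is no (or the timed read expires), the previous state
# saved in ${VARDIR}/.safe is restored (safe-restart) or the firewall is
# cleared (safe-start).
#
# Arguments: [ -n ] [ -- ]
# Globals:   reads COMMAND, STARTUP_ENABLED, VARDIR, SHAREDIR, SHOREWALL_SHELL,
#            debugging; exports nothing; sets RESTOREFILE, RESTOREPATH and
#            NOROUTES.
# Exits:     1 if safe-start is used while running, 2 if the shell lacks a
#            timed read, startup is disabled, the compile fails, or the new
#            configuration is rejected.
#
safe_commands() {
    local finished=0
    local running command status

    #
    # Test if the shell supports timed read (needed by read_yesno_with_timeout)
    #
    read -t 0 junk 2> /dev/null

    if [ $? -eq 2 -a ! -x /bin/bash ];then
	echo "Your shell does not support a feature required to execute this command."
	exit 2
    fi

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			n*)
			    NOROUTES=Yes
			    option=${option#n}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $# -eq 0 ] || usage 2

    if [ -z "$STARTUP_ENABLED" ]; then
	error_message "ERROR: Startup is disabled"
	exit 2
    fi

    #
    # The mutex is held for the whole operation; the compiler is therefore
    # invoked with the literal 'nolock' argument so that it does not try to
    # take it again.
    #
    mutex_on

    if shorewall_is_started; then
	running=Yes
    else
	running=
    fi

    if [ "$COMMAND" = "safe-start" -a -n "$running" ]; then
	# the command is safe-start but the firewall is already running
	error_message "Shorewall is already started"
	mutex_off
	exit 1
    fi

    if [ "$COMMAND" = "safe-start" -o -z "$running" ]; then
	# the command is safe-start or shorewall is not started yet
	command="start"
    else
	# the command is safe-restart and the firewall is already running
	command="restart"
    fi

    progress_message3 "Compiling..."

    #
    # $? is captured inside the '||' group so that the compiler's own exit
    # status (not the status of a negated 'if' test) is propagated.
    #
    $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging nolock compile ${VARDIR}/.$command || {
	status=$?
	mutex_off
	exit $status
    }

    #
    # Snapshot the current state so it can be restored on rejection
    #
    RESTOREFILE=.safe
    RESTOREPATH=${VARDIR}/.safe
    save_config

    case $command in
	start)
	    progress_message3 "Starting..."
	    ;;
	restart)
	    progress_message3 "Restarting..."
	    ;;
    esac

    ${VARDIR}/.$command $command

    printf '%s' "Do you want to accept the new firewall configuration? [y/n] "

    if read_yesno_with_timeout; then
	echo "New configuration has been accepted"
    else
	if [ "$command" = "restart" ]; then
	    ${VARDIR}/.safe restore
	else
	    ${VARDIR}/.$command clear
	fi

	mutex_off

	echo "New configuration has been rejected and the old one restored"
	exit 2
    fi

    mutex_off
}

#
# [Re]load command executor
#
# Compiles the configuration in <directory> for export, copies the resulting
# script and its .conf to ${LITEDIR} on the remote system over scp, restarts
# shorewall-lite there over ssh and, with -s, saves the configuration there.
#
# Arguments: [ -s ] [ -- ] [ <directory> ] <system>
# Globals:   reads COMMAND, LITEDIR, SHAREDIR, debugging.
# Exits:     2 when LITEDIR is not defined, 1/2 on usage errors.
#
reload_command() # $* = original arguments less the command.
{
    local verbose=$(make_verbose) file= finished=0 saveit= result directory system

    [ -n "$LITEDIR" ] || { echo " ERROR: LITEDIR not defined in ${SHAREDIR}/configpath" >&2; exit 2; }

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			s*)
			    saveit=Yes
			    option=${option#s}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	1)
	    directory="."
	    system=$1
	    ;;
	2)
	    directory=$1
	    system=$2
	    ;;
	*)
	    usage 1
	    ;;
    esac

    file=$(resolve_file "$directory/firewall")

    if shorewall $debugging $verbose compile -e "$directory" "$directory/firewall" && \
	echo "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
	scp "$directory/firewall" "$directory/firewall.conf" "root@${system}:${LITEDIR}"
    then
	echo "Copy complete"

	#
	# Both 'load' and 'reload' issue 'restart' on the remote system.
	# A failed restart clears saveit so that a broken configuration is
	# not saved there.
	#
	ssh "root@${system}" "/sbin/shorewall-lite $debugging $verbose restart" && \
	    progress_message3 "System $system reloaded" || saveit=

	if [ -n "$saveit" ]; then
	    ssh "root@${system}" "/sbin/shorewall-lite $debugging $verbose save" && \
		progress_message3 "Configuration on system $system saved"
	fi
    fi
}

#
# Export command executor
#
# Compiles the configuration in <directory> for export and copies the
# resulting script and its .conf to the scp target.
#
# Arguments: [ -- ] [ <directory> ] <target>   (target must contain a ':')
# Globals:   reads debugging.
# Exits:     via fatal_error when the target has no ':', 1 on usage errors.
#
export_command() # $* = original arguments less the command.
{
    local verbose=$(make_verbose) file= finished=0 directory target

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
	1)
	    directory="."
	    target=$1
	    ;;
	2)
	    directory=$1
	    target=$2
	    ;;
	*)
	    usage 1
	    ;;
    esac

    case $target in
	*:*)
	    ;;
	*)
	    fatal_error "Target must be of the form [user@]:[]"
	    ;;
    esac

    file=$(resolve_file "$directory/firewall")

    if shorewall $debugging $verbose compile -e "$directory" "$directory/firewall" && \
	echo "Copying $file and ${file}.conf to ${target#*@}..." && \
	scp "$directory/firewall" "$directory/firewall.conf" "$target"
    then
	progress_message3 "Copy complete"
    fi
}

#
# Give Usage Information
#
usage() # $1 = exit status
{
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] "
    echo "where is one of:"
    echo " add [:] ... "
    echo " allow ..."
    echo " check [ -e ] [ ]"
    echo " clear"
    echo " compile [ -e ] [ ] "
    echo " delete [:] ... "
    echo " drop ..."
    echo " dump [ -x ]"
    echo " export [ ] [@]:[]"
    echo " forget [ ]"
    echo " help [ | host | address ]"
    echo " hits"
    echo " ipcalc { / | }"
    echo " ipdecimal { | }"
    echo " iprange - "
    echo " load [ -s ] [ ] "
    echo " logdrop ..."
    echo " logreject ..."
    echo " logwatch []"
    echo " refresh"
    echo " reject ..."
    echo " reload [ -s ] [ ] "
    echo " reset"
    echo " restart [ -n ] [ ]"
    echo " restore [ -n ] [ ]"
    echo " save [ ]"
    echo " show [ -x ] [ -m ] [-f] [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones]"
    echo " start [ -f ] [ -n ] [ ]"
    echo " stop"
    echo " status"
    echo " try [ ]"
    echo " version"
    echo " safe-start"
    echo " safe-restart"
    echo
    exit $1
}

#
# Execution begins here
#
# Leading keywords: "debug"/"trace" turn on tracing in the called scripts,
# "nolock" suppresses the mutex (for callers that already hold it).
#
debugging=

if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
    debugging=debug
    shift
fi

nolock=

if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    nolock=nolock
    shift
fi

SHOREWALL_DIR=
IPT_OPTIONS="-nv"
FAST=
VERBOSE_OFFSET=0
NOROUTES=
EXPORT=
export TIMESTAMP=
noroutes=

#
# Global options precede the command.  "-c <dir>" consumes the following
# argument; the other letters may be clustered (e.g. -qx).  A lone "-"
# ends option processing.
#
finished=0

while [ $finished -eq 0 ]; do
    [ $# -eq 0 ] && usage 1

    option=$1

    case $option in
	-)
	    finished=1
	    ;;
	-*)
	    option=${option#-}

	    [ -z "$option" ] && usage 1

	    while [ -n "$option" ]; do
		case $option in
		    c)
			[ $# -eq 1 ] && usage 1

			if [ ! -d "$2" ]; then
			    if [ -e "$2" ]; then
				echo "$2 is not a directory" >&2 && exit 2
			    else
				echo "Directory $2 does not exist" >&2 && exit 2
			    fi
			fi

			SHOREWALL_DIR=$2
			option=
			shift
			;;
		    e*)
			EXPORT=Yes
			option=${option#e}
			;;
		    x*)
			IPT_OPTIONS="-xnv"
			option=${option#x}
			;;
		    q*)
			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
			option=${option#q}
			;;
		    f*)
			FAST=Yes
			option=${option#f}
			;;
		    v*)
			VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
			option=${option#v}
			;;
		    n*)
			NOROUTES=Yes
			option=${option#n}
			;;
		    t*)
			TIMESTAMP=Yes
			option=${option#t}
			;;
		    -)
			finished=1
			option=
			;;
		    *)
			usage 1
			;;
		esac
	    done

	    shift
	    ;;
	*)
	    finished=1
	    ;;
    esac
done

if [ $# -eq 0 ]; then
    usage 1
fi

[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR

#
# A fixed PATH: every helper (iptables, make, scp, ...) is resolved from
# these directories only, never from the caller's environment.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MUTEX_TIMEOUT=
SHAREDIR=/usr/share/shorewall
VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall
export PRODUCT="Shorewall"

FIREWALL=$SHAREDIR/firewall
LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
VERSION_FILE=$SHAREDIR/version
HELP=$SHAREDIR/help

for library in $LIBRARIES; do
    if [ -f "$library" ]; then
	. "$library"
    else
	echo "$library does not exist!" >&2
	exit 2
    fi
done

ensure_config_path

#
# shorewall.conf is sourced as shell code, so it (and the directory given
# with -c, which find_file searches) must only be writable by root.
#
config=$(find_file shorewall.conf)

if [ -f "$config" ]; then
    if [ -r "$config" ]; then
	. "$config"
    else
	echo "Cannot read $config! (Hint: Are you root?)" >&2
	exit 1
    fi
else
    echo "$config does not exist!" >&2
    exit 2
fi

ensure_config_path

get_config

if [ ! -f "$FIREWALL" ]; then
    echo " ERROR: Shorewall is not properly installed" >&2
    if [ -L "$FIREWALL" ]; then
	echo " $FIREWALL is a symbolic link to a" >&2
	echo " non-existant file" >&2
    else
	echo " The file $FIREWALL does not exist" >&2
    fi
    exit 2
fi

if [ -f "$VERSION_FILE" ]; then
    version=$(cat "$VERSION_FILE")
else
    echo " ERROR: Shorewall is not properly installed" >&2
    echo " The file $VERSION_FILE does not exist" >&2
    exit 1
fi

banner="Shorewall-$version Status at $HOSTNAME -"

#
# Work out how this shell's echo handles -e and -n (used by the library code)
#
case $(echo -e) in
    -e*)
	RING_BELL="echo \a"
	;;
    *)
	RING_BELL="echo -e \a"
	;;
esac

case $(echo -n "Testing") in
    -n*)
	ECHO_N=
	;;
    *)
	ECHO_N=-n
	;;
esac

COMMAND=$1

case "$COMMAND" in
    start)
	shift
	start_command "$@"
	;;
    stop|reset|clear)
	[ $# -ne 1 ] && usage 1
	export NOROUTES
	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
	;;
    compile)
	shift
	compile_command "$@"
	;;
    restart)
	shift
	restart_command "$@"
	;;
    refresh)
	shift
	refresh_command "$@"
	;;
    check)
	shift
	check_command "$@"
	;;
    add|delete)
	[ $# -lt 3 ] && usage 1
	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock "$@"
	;;
    show|list)
	shift
	show_command "$@"
	;;
    load|reload)
	shift
	reload_command "$@"
	;;
    export)
	shift
	export_command "$@"
	;;
    status)
	[ $# -eq 1 ] || usage 1
	echo "Shorewall-$version Status at $HOSTNAME - $(date)"
	echo
	if shorewall_is_started ; then
	    echo "Shorewall is running"
	    status=0
	else
	    echo "Shorewall is stopped"
	    status=4
	fi

	#
	# Exit status: 0 running, 3 explicitly stopped/cleared, 4 otherwise
	#
	if [ -f ${VARDIR}/state ]; then
	    state="$(cat ${VARDIR}/state)"
	    case $state in
		Stopped*|Clear*)
		    status=3
		    ;;
	    esac
	else
	    state=Unknown
	fi
	echo "State:$state"
	echo
	exit $status
	;;
    dump)
	shift
	dump_command "$@"
	;;
    hits)
	[ -n "$debugging" ] && set -x
	[ $# -eq 1 ] || usage 1
	clear_term
	echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
	echo

	timeout=30

	#
	# Each table is built from the LOGFORMAT lines in LOGFILE.  The sed
	# scripts assume syslog layout: a 6-character "Mon dd" date prefix
	# and the netfilter SRC=/DST=/DPT= fields.
	#
	if [ $(grep -c "$LOGFORMAT" "$LOGFILE" ) -gt 0 ] ; then
	    echo " HITS IP DATE"
	    echo " ---- --------------- ------"
	    grep "$LOGFORMAT" "$LOGFILE" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | \
	    while read count address month day; do
		printf '%7d %-15s %3s %2d\n' $count $address $month $day
	    done

	    echo ""
	    echo " HITS IP PORT"
	    echo " ---- --------------- -----"
	    #
	    # Prefer "address port"; when the record has no DPT= (e.g. ICMP)
	    # the 't' branch is not taken and only the address is emitted.
	    #
	    grep "$LOGFORMAT" "$LOGFILE" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | \
	    while read count address port; do
		printf '%7d %-15s %d\n' $count $address $port
	    done

	    echo ""
	    echo " HITS DATE"
	    echo " ---- ------"
	    grep "$LOGFORMAT" "$LOGFILE" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | \
	    while read count month day; do
		printf '%7d %3s %2d\n' $count $month $day
	    done

	    echo ""
	    echo " HITS PORT SERVICE(S)"
	    echo " ---- ----- ----------"
	    grep "$LOGFORMAT.*DPT" "$LOGFILE" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
	    while read count port ; do
		#
		# List all services defined for the given port.  $port is
		# constrained to 1-5 digits by the sed expression above
		# before it is used in the grep pattern.
		#
		srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
		srv=$(echo $srv | sed 's/ /,/g')

		if [ -n "$srv" ] ; then
		    printf '%7d %5d %s\n' $count $port $srv
		else
		    printf '%7d %5d\n' $count $port
		fi
	    done
	fi
	;;
    version)
	echo $version
	;;
    try)
	[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
	[ $# -lt 2 -o $# -gt 3 ] && usage 1

	VERBOSE=$(make_verbose)
	[ -n "$NOROUTES" ] && NOROUTES=-n

	export -n CONFIG_PATH

	#
	# Restart with the trial directory; if that fails, or leaves no
	# 'shorewall' chain behind, start the standard configuration.  With a
	# timeout, revert to the standard configuration after it elapses.
	#
	if ! $0 $debugging $VERBOSE -c "$2" restart; then
	    if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
		$0 $VERBOSE $NOROUTES start
	    fi
	elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
	    $0 $VERBOSE $NOROUTES start
	elif [ $# -eq 3 ]; then
	    sleep "$3"
	    $0 $VERBOSE $NOROUTES restart
	fi
	;;
    logwatch)
	shift

	finished=0

	while [ $finished -eq 0 -a $# -ne 0 ]; do
	    option=$1
	    case $option in
		-*)
		    option=${option#-}

		    [ -z "$option" ] && usage 1

		    while [ -n "$option" ]; do
			case $option in
			    v*)
				VERBOSE=$(($VERBOSE + 1 ))
				option=${option#v}
				;;
			    q*)
				VERBOSE=$(($VERBOSE - 1 ))
				option=${option#q}
				;;
			    m*)
				SHOWMACS=Yes
				option=${option#m}
				;;
			    -)
				finished=1
				option=
				;;
			    *)
				usage 1
				;;
			esac
		    done

		    shift
		    ;;
		*)
		    finished=1
		    ;;
	    esac
	done

	[ -n "$debugging" ] && set -x

	if [ $# -eq 1 ]; then
	    logwatch "$1"
	elif [ $# -eq 0 ]; then
	    logwatch 30
	else
	    usage 1
	fi
	;;
    drop)
	[ -n "$debugging" ] && set -x
	[ $# -eq 1 ] && usage 1
	if shorewall_is_started ; then
	    mutex_on
	    block DROP Dropped $*
	    mutex_off
	else
	    error_message "ERROR: Shorewall is not started"
	    exit 2
	fi
	;;
    logdrop)
	[ -n "$debugging" ] && set -x
	[ $# -eq 1 ] && usage 1
	if shorewall_is_started ; then
	    mutex_on
	    block logdrop Dropped $*
	    mutex_off
	else
	    error_message "ERROR: Shorewall is not started"
	    exit 2
	fi
	;;
    reject|logreject)
	[ -n "$debugging" ] && set -x
	[ $# -eq 1 ] && usage 1
	if shorewall_is_started ; then
	    mutex_on
	    block $COMMAND Rejected $*
	    mutex_off
	else
	    error_message "ERROR: Shorewall is not started"
	    exit 2
	fi
	;;
    allow)
	[ -n "$debugging" ] && set -x
	[ $# -eq 1 ] && usage 1
	if shorewall_is_started ; then
	    mutex_on
	    #
	    # Remove the dynamic-chain rule added by drop/reject/logdrop/
	    # logreject; a range argument (containing '-') uses the iprange
	    # match form.
	    #
	    while [ $# -gt 1 ]; do
		shift
		case $1 in
		    *-*)
			if qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j reject ||\
			   qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j DROP ||\
			   qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j logdrop ||\
			   qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j logreject
			then
			    echo "$1 Allowed"
			else
			    echo "$1 Not Dropped or Rejected"
			fi
			;;
		    *)
			if qt $IPTABLES -D dynamic -s "$1" -j reject ||\
			   qt $IPTABLES -D dynamic -s "$1" -j DROP ||\
			   qt $IPTABLES -D dynamic -s "$1" -j logdrop ||\
			   qt $IPTABLES -D dynamic -s "$1" -j logreject
			then
			    echo "$1 Allowed"
			else
			    echo "$1 Not Dropped or Rejected"
			fi
			;;
		esac
	    done
	    mutex_off
	else
	    error_message "ERROR: Shorewall is not started"
	    exit 2
	fi
	;;
    save)
	[ -n "$debugging" ] && set -x
	case $# in
	    1)
		;;
	    2)
		#
		# validate_restorefile vets the user-supplied file name before
		# it is joined to VARDIR
		#
		RESTOREFILE="$2"
		validate_restorefile ''
		;;
	    *)
		usage 1
		;;
	esac

	RESTOREPATH=${VARDIR}/$RESTOREFILE

	[ "$nolock" ] || mutex_on
	save_config
	[ "$nolock" ] || mutex_off
	;;
    forget)
	case $# in
	    1)
		;;
	    2)
		RESTOREFILE="$2"
		validate_restorefile ''
		;;
	    *)
		usage 1
		;;
	esac

	RESTOREPATH=${VARDIR}/$RESTOREFILE

	if [ -x "$RESTOREPATH" ]; then
	    if [ -x "${RESTOREPATH}-ipsets" ]; then
		rm -f "${RESTOREPATH}-ipsets"
		echo " ${RESTOREPATH}-ipsets removed"
	    fi

	    rm -f "$RESTOREPATH"
	    rm -f "${RESTOREPATH}-iptables"
	    echo " $RESTOREPATH removed"
	elif [ -f "$RESTOREPATH" ]; then
	    echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
	fi

	rm -f ${VARDIR}/save
	;;
    ipcalc)
	[ -n "$debugging" ] && set -x
	if [ $# -eq 2 ]; then
	    address=${2%/*}
	    vlsm=${2#*/}
	elif [ $# -eq 3 ]; then
	    address=$2
	    vlsm=$(ip_vlsm "$3")
	else
	    usage 1
	fi

	[ -z "$vlsm" ] && exit 2
	#
	# address == vlsm means the argument had no '/' at all
	#
	[ "x$address" = "x$vlsm" ] && usage 2
	[ "$vlsm" -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
	address=$address/$vlsm
	echo " CIDR=$address"
	temp=$(ip_netmask "$address"); echo " NETMASK=$(encodeaddr $temp)"
	temp=$(ip_network "$address"); echo " NETWORK=$temp"
	temp=$(broadcastaddress "$address"); echo " BROADCAST=$temp"
	;;
    iprange)
	[ -n "$debugging" ] && set -x
	case $2 in
	    *.*.*.*-*.*.*.*)
		ip_range "$2"
		;;
	    *)
		usage 1
		;;
	esac
	;;
    ipdecimal)
	[ -n "$debugging" ] && set -x
	case $2 in
	    *.*.*.*)
		echo " $(decodeaddr "$2")"
		;;
	    *)
		echo " $(encodeaddr "$2")"
		;;
	esac
	;;
    restore)
	shift
	restore_command "$@"
	;;
    call)
	[ -n "$debugging" ] && set -x
	#
	# Undocumented way to call functions in ${SHAREDIR}/functions directly.
	# Whatever follows "call" is executed as a command in this shell.
	#
	shift
	"$@"
	;;
    help)
	shift
	[ $# -ne 1 ] && usage 1
	help "$@"
	;;
    safe-restart|safe-start)
	shift
	safe_commands "$@"
	;;
    *)
	usage 1
	;;
esac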