diff --git a/Shorewall2/action.template b/Shorewall2/action.template index ffeed14e5..ccb68b66b 100644 --- a/Shorewall2/action.template +++ b/Shorewall2/action.template @@ -65,6 +65,10 @@ # # 155.186.235.0/24 Subnet 155.186.235.0/24 # +# 10.0.0.4-10.0.0.9 Range of IP addresses; your +# kernel and iptables must have +# iprange match support. +# # 192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and # 192.168.1.2. @@ -81,10 +85,6 @@ # DEST Location of Server. Same as above with the exception that # MAC addresses are not allowed. # -# Unlike in the SOURCE column, you may specify a range of -# up to 256 IP addresses using the syntax -# -. -# # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # "all". # diff --git a/Shorewall2/blacklist b/Shorewall2/blacklist index 6ef42b4c9..6ec2986c4 100755 --- a/Shorewall2/blacklist +++ b/Shorewall2/blacklist @@ -7,7 +7,9 @@ # # Columns are: # -# ADDRESS/SUBNET - Host address, subnetwork or MAC address +# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address +# range (if your kernel and iptables contain iprange +# match support). # # MAC addresses must be prefixed with "~" and use "-" # as a separator. diff --git a/Shorewall2/bogons b/Shorewall2/bogons index 6d49a5cea..7b96cefde 100644 --- a/Shorewall2/bogons +++ b/Shorewall2/bogons @@ -14,7 +14,9 @@ # # Columns are: # -# SUBNET The subnet (host addresses also allowed) +# SUBNET The subnet (host addresses also allowed as are IP +# address ranges provided that your kernel and iptables +# include iprange match support). # TARGET Where to send packets to/from this subnet # RETURN - let the packet be processed normally # DROP - silently drop the packet diff --git a/Shorewall2/ecn b/Shorewall2/ecn index eadda4b44..9b309eeb9 100644 --- a/Shorewall2/ecn +++ b/Shorewall2/ecn @@ -12,7 +12,9 @@ # the firewall # HOST(S) - (Optional) Comma-separated list of IP/subnet # If left empty or supplied as "-", -# 0.0.0.0/0 is assumed. +# 0.0.0.0/0 is assumed. If your kernel and iptables +# include iprange match support then IP address ranges +# are also permitted. ############################################################################## #INTERFACE HOST(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 1d7a5a8d5..f12b092f0 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -507,6 +507,36 @@ first_chains() #$1 = interface echo ${c}_fwd ${c}_in } +# +# Source IP range +# +source_ip_range() # $1 = Address or Address Range +{ + case $1 in + *.*.*.*-*.*.*.*) + echo "-m iprange --src-range $1" + ;; + *) + echo "-s $1" + ;; + esac +} + +# +# Destination IP range +# +dest_ip_range() # $1 = Address or Address Range +{ + case $1 in + *.*.*.*-*.*.*.*) + echo "-m iprange --dst-range $1" + ;; + *) + echo "-d $1" + ;; + esac +} + # # Horrible hack to work around an iptables bug # @@ -529,17 +559,17 @@ match_source_hosts() if [ -n "$BRIDGING" ]; then case $1 in *:*) - physdev_echo "--physdev-in ${1%:*} -s ${1#*:}" + physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})" ;; *.*.*.*) - echo -s $1 + echo $(source_ip_range $1) ;; *) physdev_echo "--physdev-in $1" ;; esac else - echo -s $1 + echo $(source_ip_range $1) fi } @@ -548,17 +578,17 @@ match_dest_hosts() if [ -n "$BRIDGING" ]; then case $1 in *:*) - physdev_echo "--physdev-out ${1%:*} -d ${1#*:}" + physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})" ;; *.*.*.*) - echo -d $1 + echo $(dest_ip_range $1) ;; *) physdev_echo "--physdev-out $1" ;; esac else - echo -d $1 + echo $(dest_ip_range $1) fi } @@ -638,6 +668,15 @@ match_ipsec_out() # $1 = zone, $2 = host fi } +# +# Jacket for ip_range() that takes care of iprange match +# + +firewall_ip_range() # $1 = IP address or range +{ + [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1 +} + # # # Find hosts in a given zone @@ -1352,7 +1391,7 @@ stop_firewall() { else routeback=Yes for h in $(separate_list $host); do - iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT + iptables -A FORWARD -i $interface -s $h -o $interface $(dest_ip_range $h) -j ACCEPT done fi ;; @@ -1370,10 +1409,10 @@ stop_firewall() { networks=${host#*:} iptables -A INPUT -i $interface -s $networks -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ - iptables -A OUTPUT -o $interface -d $networks -j ACCEPT + iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT for host1 in $hosts; do - [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} -d ${host1#*:} -j ACCEPT + [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} $(dest_ip_range ${host1#*:}) -j ACCEPT done done @@ -1472,11 +1511,11 @@ setup_tunnels() # $1 = name of tunnels file [ $kind = IPSEC ] && kind=ipsec options="-m state --state NEW -j ACCEPT" - addrule $inchain -p 50 -s $1 -j ACCEPT - addrule $outchain -p 50 -d $1 -j ACCEPT + addrule $inchain -p 50 $(source_ip_range $1) -j ACCEPT + addrule $outchain -p 50 $(dest_ip_range $1) -j ACCEPT if [ -z "$noah" ]; then - run_iptables -A $inchain -p 51 -s $1 -j ACCEPT - run_iptables -A $outchain -p 51 -d $1 -j ACCEPT + run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT + run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT fi run_iptables -A $outchain -p udp -d $1 --dport 500 $options @@ -1507,17 +1546,17 @@ setup_tunnels() # $1 = name of tunnels file setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol { - addrule $inchain -p $3 -s $2 -j ACCEPT - addrule $outchain -p $3 -d $2 -j ACCEPT + addrule $inchain -p $3 $(source_ip_range $2) -j ACCEPT + addrule $outchain -p $3 $(dest_ip_range $2) -j ACCEPT progress_message " $1 tunnel to $2 defined." } setup_pptp_client() # $1 = gateway { - addrule $outchain -p 47 -d $1 -j ACCEPT - addrule $inchain -p 47 -j ACCEPT - addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT + addrule $outchain -p 47 $(dest_ip_range $1) -j ACCEPT + addrule $inchain -p 47 -j ACCEPT + addrule $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT progress_message " PPTP tunnel to $1 defined." } @@ -1542,8 +1581,8 @@ setup_tunnels() # $1 = name of tunnels file ;; esac - addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT - addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT + addrule $inchain -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT + addrule $outchain -p udp $(dest_ip_range $1) --sport $p --dport $p -j ACCEPT progress_message " OPENVPN tunnel to $1:$p defined." } @@ -1570,8 +1609,8 @@ setup_tunnels() # $1 = name of tunnels file p=${p:+--dport $p} - addrule $inchain -p $protocol -s $1 $p -j ACCEPT - addrule $outchain -p $protocol -d $1 $p -j ACCEPT + addrule $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT + addrule $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT for z in $(separate_list $3); do if validate_zone $z; then @@ -2129,7 +2168,7 @@ setup_ecn() # $1 = file name for host in $hosts; do interface=${host%:*} h=${host#*:} - run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove + run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove progress_message " ECN Disabled to $h through $interface" done fi @@ -2184,7 +2223,7 @@ process_tc_rule() esac fi - [ "x$dest" = "x-" ] || r="${r}-d $dest " + [ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) " [ "x$proto" = "x-" ] && proto=all [ "x$proto" = "x" ] && proto=all [ "$proto" = "all" ] || r="${r}-p $proto " @@ -2374,10 +2413,10 @@ process_accounting_rule() { [ -n "$dest" ] && case $dest in *:*) accounting_interface_verify ${dest%:*} - rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})" + rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})" ;; *.*.*.*) - rule="$rule -d $dest" + rule="$rule $(dest_ip_range $dest)" ;; -|all|any) ;; @@ -2741,14 +2780,14 @@ add_an_action() if [ $COMMAND != check ]; then if [ -n "${serv}" ]; then for serv1 in $(separate_list $serv); do - for srv in $(ip_range $serv1); do + for srv in $(firewall_ip_range $serv1); do if [ -n "$loglevel" ]; then log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ - $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) fi run_iptables2 -A $chain $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target + $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target done done else @@ -3476,11 +3515,11 @@ add_nat_rule() { createnatchain $chain for adr in $(separate_list $addr); do - run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports -d $adr -j $chain + run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain done for adr in $excludedests; do - addnatrule $chain -d $adr -j RETURN + addnatrule $chain $(dest_ip_range $adr) -j RETURN done if [ -n "$loglevel" ]; then @@ -3492,10 +3531,10 @@ add_nat_rule() { for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ - $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) + $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) fi - run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup -d $adr $multiport $dports -j $target1 + run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1 done fi else @@ -3507,7 +3546,7 @@ add_nat_rule() { createnatchain $chain for adr in $(separate_list $addr); do - addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain + addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain done for z in $(separate_list $excludezones); do @@ -3518,7 +3557,7 @@ add_nat_rule() { done for adr in $excludedests; do - addnatrule $chain -d $adr -j RETURN + addnatrule $chain $(dest_ip_range $adr) -j RETURN done if [ -n "$loglevel" ]; then @@ -3531,7 +3570,7 @@ add_nat_rule() { if [ -n "$loglevel" ]; then ensurenatchain $chain log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \ - $(fix_bang $proto $cli $sports -d $adr $multiport $dports) + $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) fi addnatrule $chain $proto $ratelimit $cli $sports \ @@ -3618,10 +3657,10 @@ add_a_rule() ;; *:*) rule_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) -s ${client#*:}" + cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" ;; *.*.*) - cli="-s $client" + cli="$(source_ip_range $client)" ;; ~*) cli=$(mac_match $client) @@ -3734,30 +3773,30 @@ add_a_rule() if [ -z "$dnat_only" ]; then if [ -n "$serv" ]; then for serv1 in $(separate_list $serv); do - for srv in $(ip_range $serv1); do + for srv in $(firewall_ip_range $serv1); do if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ - $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ - -d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target + $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $userandgroup -j $target done else if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ - $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi [ -n "$nonat" ] && \ addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN + $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN [ "$logtarget" != NONAT ] && \ run_iptables2 -A $chain $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target + $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target fi done done @@ -4043,29 +4082,25 @@ process_rule() # $1 = target # 16 ports are listed - use multiport match. # multioption="-m multiport" - for clientrange in $(separate_list ${clients:=-}); do - for client in $(ip_range $clientrange); do - # - # add_a_rule() modifies these so we must set their values each time - # - server=${servers:=-} - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done + for client in $(separate_list ${clients:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + server=${servers:=-} + port=${ports:=-} + cport=${cports:=-} + add_a_rule done else # # MULTIPORT is disabled or the rule isn't compatible with multiport match # multioption= - for clientrange in $(separate_list ${clients:=-}); do - for client in $(ip_range $clientrange); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - server=${servers:=-} - add_a_rule - done + for client in $(separate_list ${clients:=-}); do + for port in $(separate_list ${ports:=-}); do + for cport in $(separate_list ${cports:=-}); do + server=${servers:=-} + add_a_rule done done done @@ -4085,16 +4120,14 @@ process_rule() # $1 = target # 16 ports are listed - use multiport match. # multioption="-m multiport" - for clientrange in $(separate_list ${clients:=-}); do - for client in $(ip_range $clientrange); do - for server in $(separate_list ${servers:=-}); do - # - # add_a_rule() modifies these so we must set their values each time - # - port=${ports:=-} - cport=${cports:=-} - add_a_rule - done + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + # + # add_a_rule() modifies these so we must set their values each time + # + port=${ports:=-} + cport=${cports:=-} + add_a_rule done done else @@ -4102,13 +4135,11 @@ process_rule() # $1 = target # MULTIPORT is disabled or the rule isn't compatible with multiport match # multioption= - for clientrange in $(separate_list ${clients:=-}); do - for client in $(ip_range $clientrange); do - for server in $(separate_list ${servers:=-}); do - for port in $(separate_list ${ports:=-}); do - for cport in $(separate_list ${cports:=-}); do - add_a_rule - done + for client in $(separate_list ${clients:=-}); do + for server in $(separate_list ${servers:=-}); do + for port in $(separate_list ${ports:=-}); do + for cport in $(separate_list ${cports:=-}); do + add_a_rule done done done @@ -4238,7 +4269,7 @@ process_tos_rule() { # # IP Address or networks # - src="-s $src" + src="$(source_ip_range $src)" ;; ~*) src=$(mac_match $src) @@ -4335,7 +4366,7 @@ process_tos_rule() { esac for dest in $dst; do - dest="-d $dest" + dest="$(dest_ip_range $dest)" case $srczone in $FW) @@ -4797,12 +4828,12 @@ setup_masq() destnets=${destnets#!} for destnet in $(separate_list $destnets); do - addnatrule $newchain -d $destnet -j RETURN + addnatrule $newchain $(dest_ip_range $destnet) -j RETURN done if [ -n "$networks" ]; then for s in $networks; do - addnatrule $chain -s $s $proto $ports $policy -j $newchain + addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain done networks= else @@ -4818,7 +4849,7 @@ setup_masq() if [ -n "$nomasq" ]; then for addr in $(separate_list $nomasq); do - addnatrule $chain -s $addr -j RETURN + addnatrule $chain $(source_ip_range $addr) -j RETURN done source="$source except $nomasq" fi @@ -4831,12 +4862,12 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -s $s $proto $ports -j $newchain + addnatrule $chain $(dest_ip_range $destnet) $(source_ip_range $s) $proto $ports -j $newchain done done else for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet $proto $ports $policy -j $newchain + addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain done fi @@ -4849,7 +4880,7 @@ setup_masq() policy= for addr in $(separate_list $nomasq); do - addnatrule $chain -s $addr -j RETURN + addnatrule $chain $(source_ip_range $addr) -j RETURN done source="$source except $nomasq" @@ -4877,7 +4908,7 @@ setup_masq() if [ -n "$networks" ]; then for network in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain -s $network -d $destnet $proto $ports $policy -j $target $addrlist + addnatrule $chain $(source_ip_range $network) $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist done if [ -n "$addresses" ]; then @@ -4888,7 +4919,7 @@ setup_masq() done else for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet $proto $ports $policy -j $target $addrlist + addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist done if [ -n "$addresses" ]; then @@ -4946,7 +4977,7 @@ process_blacklist_rec() { source="--match mac --mac-source $addr" ;; *) - source="-s $addr" + source="$(source_ip_range $addr)" ;; esac @@ -5205,13 +5236,14 @@ determine_capabilities() { MULTIPORT= POLICY_MATCH= PHYSDEV_MATCH= + IPRANGE_MATCH= if qt iptables -N fooX1234 ; then - qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes - qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes - qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes - qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - + qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes + qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes + qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt iptables -F fooX1234 qt iptables -X fooX1234 @@ -5245,6 +5277,7 @@ report_capabilities() { report_capability $PKTTYPE "Packet Type Match" report_capability $POLICY_MATCH "Policy Match" report_capability $PHYSDEV_MATCH "Physdev Match" + report_capability $IPRANGE_MATCH "IP range Match" } # @@ -5395,7 +5428,7 @@ initialize_netfilter () { while read target ignore1 ignore2 address rest; do case $target in DROP|reject) - run_iptables2 -A dynamic -s $address -j $target + run_iptables2 -A dynamic $(source_ip_range $address) -j $target ;; *) ;; @@ -5434,7 +5467,7 @@ add_common_rules() { # for address in $broadcasts ; do [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address - run_iptables -A smurfs -s $address -j DROP + run_iptables -A smurfs $(source_ip_range $address) -j DROP done # # Reject Rules -- Don't respond to broadcasts with an ICMP @@ -5577,7 +5610,7 @@ add_common_rules() { ;; esac - run_iptables2 -A norfc1918 -s $networks -j $target + run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target if [ -n "$CONNTRACK_MATCH" ]; then # @@ -5589,7 +5622,7 @@ add_common_rules() { # No connection tracking match but we have mangling -- add a rule to # the mangle table # - run_iptables2 -t mangle -A man1918 -d $networks -j $target + run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target fi done < $TMP_DIR/rfc1918 @@ -5638,7 +5671,7 @@ add_common_rules() { ;; esac - run_iptables2 -A nobogons -s $networks -j $target + run_iptables2 -A nobogons $(source_ip_range $networks) -j $target done < $TMP_DIR/bogons @@ -6354,7 +6387,7 @@ add_to_zone() # $1 = [:] $2 = zone chain=${zone}_dnat if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) -s $host $policyin -j $chain + do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain fi # # Insert new rules into the filter table for the passed interface @@ -6362,7 +6395,7 @@ add_to_zone() # $1 = [:] $2 = zone while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) -s $host $policyin -j $chain + do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -6372,7 +6405,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi @@ -6381,7 +6414,7 @@ add_to_zone() # $1 = [:] $2 = zone # # Add a rule to the dynamic out chain for the interface # - do_iptables -A $(dynamic_out $interface) -d $host $policyout -j $chain + do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -6390,7 +6423,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain + do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain fi done fi @@ -6505,14 +6538,14 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt iptables -t nat -D $(dynamic_in $interface) -s $host $policyin -j ${zone}_dnat + qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D $(dynamic_in $interface) -s $host $policyin -j $chain + qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -6522,13 +6555,13 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt iptables -D $(dynamic_out $interface) -d $host $policyout -j $chain + qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -6537,7 +6570,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain + qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain fi done fi diff --git a/Shorewall2/help b/Shorewall2/help index c29a8f301..c35657ec0 100644 --- a/Shorewall2/help +++ b/Shorewall2/help @@ -46,7 +46,9 @@ add) address|host) echo "<$1>: May be either a host IP address such as 192.168.1.4 or a network address in - CIDR format like 192.168.1.0/24" + CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange + match support then IP address ranges of the form - + are also permitted." ;; allow) diff --git a/Shorewall2/hosts b/Shorewall2/hosts index ff954b05d..d26d2694a 100644 --- a/Shorewall2/hosts +++ b/Shorewall2/hosts @@ -28,12 +28,15 @@ # a) The IP address of a host # b) A subnetwork in the form # / -# c) A physical port name; only allowed when the +# c) An IP address range of the form -. Your kernel and iptables must have iprange +# match support. +# d) A physical port name; only allowed when the # interface names a bridge created by the # brctl addbr command. This port must not # be defined in /etc/shorewall/interfaces and may # optionally followed by a colon (":") and a -# host or network IP. +# host or network IP or a range. # See http://www.shorewall.net/Bridge.html for details. # # Examples: @@ -43,6 +46,7 @@ # eth3:192.168.2.0/24,192.168.3.1 # br0:eth4 # br0:eth0:192.168.1.16/28 +# eth4:192.168.1.44-192.168.1.49 # # OPTIONS - A comma-separated list of options. Currently-defined # options are: diff --git a/Shorewall2/maclist b/Shorewall2/maclist index af0fced97..147e5405e 100644 --- a/Shorewall2/maclist +++ b/Shorewall2/maclist @@ -15,7 +15,9 @@ # # IP ADDRESSES Optional -- if specified, both the MAC and IP address # must match. This column can contain a comma-separated -# list of host and/or subnet addresses. +# list of host and/or subnet addresses. If your kernel +# and iptables have iprange match support then IP +# address ranges are also allowed. ############################################################################## #INTERFACE MAC IP ADDRESSES (Optional) #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index ff262e477..9dbf7f461 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -432,10 +432,8 @@ New Features: 13) Shorewall now verifies that your kernel and iptables have physdev match support if BRIDGING=Yes in shorewall.conf. -14) IP address ranges are now allowed in the SOURCE column of the - /etc/shorewall/rules file. - - Example: - - ACCEPT net:192.0.2.9-192.9.2.17 fw tcp 25 - +14) Beginning with this release, if your kernel and iptables have + iprange match support (see the output from "shorewall check"), then + with the exception of the /etc/shorewall/netmap file, anywhere that + a network address may appear an IP address range of the form - may also appear. diff --git a/Shorewall2/rfc1918 b/Shorewall2/rfc1918 index 36c3f4be8..2c6304a92 100644 --- a/Shorewall2/rfc1918 +++ b/Shorewall2/rfc1918 @@ -12,7 +12,9 @@ # # Columns are: # -# SUBNET The subnet (host addresses also allowed) +# SUBNET The subnet (host addresses also allowed as are IP +# address ranges provided that your kernel and iptables +# have iprange match support). # TARGET Where to send packets to/from this subnet # RETURN - let the packet be processed normally # DROP - silently drop the packet diff --git a/Shorewall2/routestopped b/Shorewall2/routestopped index e32e5e934..f67a3422f 100644 --- a/Shorewall2/routestopped +++ b/Shorewall2/routestopped @@ -12,6 +12,10 @@ # INTERFACE - Interface through which host(s) communicate with # the firewall # HOST(S) - (Optional) Comma-separated list of IP/subnet +# addresses. If your kernel and iptables include +# iprange match support, IP address ranges are also +# allowed. +# # If left empty or supplied as "-", # 0.0.0.0/0 is assumed. # OPTIONS - (Optional) A comma-separated list of diff --git a/Shorewall2/rules b/Shorewall2/rules index 3441ef34d..76f8c0547 100755 --- a/Shorewall2/rules +++ b/Shorewall2/rules @@ -119,7 +119,8 @@ # "-" as a separator. # # Hosts may be specified as an IP address range using the -# syntax -. +# syntax -. This requires that +# your kernel and iptables contain iprange match support. # # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # diff --git a/Shorewall2/tcrules b/Shorewall2/tcrules index 4e1910775..19aef5b48 100755 --- a/Shorewall2/tcrules +++ b/Shorewall2/tcrules @@ -27,7 +27,9 @@ # # SOURCE Source of the packet. A comma-separated list of # interface names, IP addresses, MAC addresses -# and/or subnets. Use $FW if the packet originates on +# and/or subnets. If your kernel and iptables include +# iprange match support, IP address ranges are also +# allowed. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT # specify either ":P" or ":F" (marking always occurs # in the OUTPUT chain). @@ -38,7 +40,9 @@ # Example: ~00-A0-C9-15-39-78 # # DEST Destination of the packet. Comma separated list of -# IP addresses and/or subnets. +# IP addresses and/or subnets. If your kernel and +# iptables include iprange match support, IP address +# ranges are also allowed. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # or "all". diff --git a/Shorewall2/tunnels b/Shorewall2/tunnels index ffe832967..b6fbe5074 100644 --- a/Shorewall2/tunnels +++ b/Shorewall2/tunnels @@ -34,7 +34,10 @@ # # GATEWAY -- The IP address of the remote tunnel gateway. If the # remote getway has no fixed address (Road Warrior) -# then specify the gateway as 0.0.0.0/0. +# then specify the gateway as 0.0.0.0/0. May be +# specified as a network address and if your kernel and +# iptables include iprange match support then IP address +# ranges are also allowed. # # GATEWAY # ZONES -- Optional. If the gateway system specified in the third