forked from extern/shorewall_code
Shorewall-2.1.1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1473 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
6148b62256
commit
978b47bd43
@ -20,6 +20,20 @@
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
# If you wish to inhibit the action of ADD_SNAT_ALIASES
|
||||
# for this entry then include the ":" but omit the digit:
|
||||
#
|
||||
# eth0:
|
||||
# eth2::192.0.2.32/27
|
||||
#
|
||||
# Normally Masq/SNAT rules are evaluated after those for
|
||||
# one-to-one NAT (/etc/shorewall/nat file). If you want
|
||||
# the rule to be applied before one-to-one NAT rules,
|
||||
# prefix the interface name with "+":
|
||||
#
|
||||
# +eth0
|
||||
# +eth0:192.0.2.32/27
|
||||
# +eth0:2
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
@ -130,5 +144,5 @@
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
|
||||
eth0 eth1
|
||||
eth0 eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -325,9 +325,8 @@ ADD_SNAT_ALIASES=No
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||
# you must enable packet mangling above.
|
||||
#
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
|
||||
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
@ -605,6 +604,16 @@ BRIDGING=No
|
||||
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
||||
#
|
||||
# USE PKTTYPE MATCH
|
||||
#
|
||||
# Some users have reported problems with the PKTTYPE match extension not being
|
||||
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
|
||||
PKTTYPE=Yes
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
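Review bot: The new PKTTYPE paragraph reads "not being able to patch certail broadcast packets", which should be `# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall`. The same paragraph promises that an unset or empty PKTTYPE is treated as Yes, while the firewall script initialises it with `PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)`; if that helper defaults an empty value to No, as its name suggests, the two disagree and users who leave the option out would silently lose pkttype matching. Worth checking the helper and aligning either the comment or the default.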
@ -437,6 +437,14 @@ masq_chain() # $1 = interface
|
||||
echo $(chain_base $1)_masq
|
||||
}
|
||||
|
||||
#
|
||||
# SNAT Chain for an interface
|
||||
#
|
||||
snat_chain() # $1 = interface
|
||||
{
|
||||
echo $(chain_base $1)_snat
|
||||
}
|
||||
|
||||
#
|
||||
# MAC Verification Chain for an interface
|
||||
#
|
||||
@ -1220,6 +1228,21 @@ disable_ipv6() {
|
||||
fi
|
||||
}
|
||||
|
||||
disable_ipv6_1() {
|
||||
local foo=$(ip -f inet6 addr ls 2> /dev/null)
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt which ip6tables; then
|
||||
progress_message "Disabling IPV6..."
|
||||
ip6tables -P FORWARD DROP
|
||||
ip6tables -P INPUT DROP
|
||||
ip6tables -P OUTPUT DROP
|
||||
else
|
||||
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Stop the Firewall
|
||||
#
|
||||
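Review bot: The three `ip6tables -P … DROP` calls in disable_ipv6_1 run unchecked, so if a policy change fails (binary present but the kernel refuses the table, for instance) the IPv6 policies stay as they were and the script reports nothing, while the user believes IPv6 is blocked. Chaining them into the existing warning path keeps the failure visible: `ip6tables -P FORWARD DROP && ip6tables -P INPUT DROP && ip6tables -P OUTPUT DROP || error_message "WARNING: failed to set ip6tables DROP policies"`. The `_1` suffix also gives no hint of how this differs from disable_ipv6, whose body ends just above the hunk; a `#` header block in the file's style saying which variant stop_firewall uses and why would help the next reader. `local foo=$(…)` hides the exit status of ip, which is harmless here since only non-emptiness is tested.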
@ -1271,7 +1294,7 @@ stop_firewall() {
|
||||
delete_proxy_arp
|
||||
[ -n "$CLEAR_TC" ] && delete_tc1
|
||||
|
||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6_1
|
||||
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
@ -2441,7 +2464,7 @@ refresh_tc() {
|
||||
# Add one Filter Rule from an action -- Helper function for the action file processor
|
||||
#
|
||||
# The caller has established the following variables:
|
||||
# check = current command. If 'check', we're executing a 'check'
|
||||
# COMMAND = current command. If 'check', we're executing a 'check'
|
||||
# which only goes through the motions.
|
||||
# client = SOURCE IP or MAC
|
||||
# server = DESTINATION IP or interface
|
||||
@ -2884,6 +2907,13 @@ process_actions2() {
|
||||
log_action() {
|
||||
[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
|
||||
}
|
||||
|
||||
drop_broadcasts() {
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A dropBcast -d $address -j DROP
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the transitive closure of $USEDACTIONS
|
||||
#
|
||||
@ -2909,14 +2939,16 @@ process_actions2() {
|
||||
case $xaction in
|
||||
dropBcast)
|
||||
if [ "$COMMAND" != check ]; then
|
||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||
run_iptables -A dropBcast -d $address -j DROP
|
||||
done
|
||||
if [ -n "$PKTTYPE" ]; then
|
||||
qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
|
||||
if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
|
||||
#
|
||||
# No pkttype support -- do it the hard way
|
||||
#
|
||||
drop_broadcasts
|
||||
fi
|
||||
else
|
||||
drop_broadcasts
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
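Review bot: In the new `[ -n "$PKTTYPE" ]` branch only the multicast insert decides whether to fall back to drop_broadcasts; the result of the broadcast insert on the line before it is discarded by `qt`, so if that rule fails while the multicast one succeeds, no broadcast-drop rule is installed at all. The pattern is carried over from the old side, but this commit rewrites the branch, so it is the place to close the gap: `if ! qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP || ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then`. process_actions2 starts and ends outside the hunk.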
@ -2941,7 +2973,7 @@ process_actions2() {
|
||||
log_action dLogNotSyn DROP
|
||||
;;
|
||||
dropInvalid)
|
||||
[ "COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
|
||||
[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
|
||||
;;
|
||||
*)
|
||||
f=action.$xaction
|
||||
@ -2960,7 +2992,7 @@ process_actions2() {
|
||||
# Add a NAT rule - Helper function for the rules file processor
|
||||
#
|
||||
# The caller has established the following variables:
|
||||
# command = The current command -- if 'check', we just go through
|
||||
# COMMAND = The current command -- if 'check', we just go through
|
||||
# the motions.
|
||||
# cli = Source IP, interface or MAC Specification
|
||||
# serv = Destination IP Specification
|
||||
@ -3148,7 +3180,7 @@ add_nat_rule() {
|
||||
# Add one Filter Rule -- Helper function for the rules file processor
|
||||
#
|
||||
# The caller has established the following variables:
|
||||
# command = current command. If 'check', we're executing a 'check'
|
||||
# COMMAND = current command. If 'check', we're executing a 'check'
|
||||
# which only goes through the motions.
|
||||
# client = SOURCE IP or MAC
|
||||
# server = DESTINATION IP or interface
|
||||
@ -4166,6 +4198,7 @@ get_routed_networks() # $1 = interface name
|
||||
ip route show dev $1 2> /dev/null |
|
||||
while read address rest; do
|
||||
if [ "x$address" = xdefault ]; then
|
||||
//*-+9
|
||||
error_message "Warning: default route ignored on interface $1"
|
||||
else
|
||||
[ "$address" = "${address%/*}" ] && address="${address}/32"
|
||||
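Review bot: The added line `//*-+9` inside the `"x$address" = xdefault` branch of get_routed_networks is not shell; at run time it is looked up as a command name, so every interface that has a default route prints a "not found" error to stderr next to the intended warning (and would abort the loop if the script ever runs with -e). It looks like an editor artifact and should simply be deleted. The function continues beyond the hunk.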
@ -4180,14 +4213,31 @@ get_routed_networks() # $1 = interface name
|
||||
setup_masq()
|
||||
{
|
||||
setup_one() {
|
||||
local using
|
||||
local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat=
|
||||
|
||||
case $fullinterface in
|
||||
+*)
|
||||
pre_nat=Yes
|
||||
fullinterface=${fullinterface#+}
|
||||
;;
|
||||
esac
|
||||
|
||||
case $fullinterface in
|
||||
*::*)
|
||||
add_snat_aliases=
|
||||
destnets="${fullinterface##*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*:*:*)
|
||||
# Both alias name and networks
|
||||
destnets="${fullinterface##*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*:)
|
||||
add_snat_aliases=
|
||||
funninterface=${fullinterface%:}
|
||||
destnets="0.0.0.0/0"
|
||||
;;
|
||||
*:*)
|
||||
# Alias name OR networks
|
||||
case ${fullinterface#*:} in
|
||||
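Review bot: `local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat=` has a stray comma, so add_snat_aliases ends up as the value with a comma appended; it only works because the later test is `-n`, and the line should read `local add_snat_aliases=$ADD_SNAT_ALIASES pre_nat=`. In the new `*:)` arm, which implements the `eth0:` syntax documented in the masq hunk, `funninterface=${fullinterface%:}` assigns a misspelled variable and leaves the trailing colon on fullinterface, so the interface name handed to the rest of setup_one still carries the `:`; it should be `fullinterface=${fullinterface%:}`. setup_one and setup_masq continue past the hunk.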
@ -4235,7 +4285,7 @@ setup_masq()
|
||||
|
||||
[ "x$addresses" = x- ] && addresses=
|
||||
|
||||
if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
|
||||
for address in $(separate_list $addresses); do
|
||||
for addr in $(ip_range_explicit $address) ; do
|
||||
if ! list_search $addr $aliases_to_add; then
|
||||
@ -4297,7 +4347,7 @@ setup_masq()
|
||||
|
||||
destination=$destnets
|
||||
|
||||
chain=$(masq_chain $interface)
|
||||
[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
|
||||
|
||||
case $destnets in
|
||||
!*)
|
||||
@ -5324,6 +5374,12 @@ activate_rules()
|
||||
rm -f $TMP_DIR/physdev
|
||||
fi
|
||||
}
|
||||
#
|
||||
# Add early SNAT jumps
|
||||
#
|
||||
for interface in $all_interfaces; do
|
||||
addrulejump POSTROUTING $(snat_chain $interface) -o $interface
|
||||
done
|
||||
|
||||
#
|
||||
# Add jumps for dynamic nat chains
|
||||
@ -6032,6 +6088,7 @@ do_initialize() {
|
||||
DISABLE_IPV6=
|
||||
BRIDGING=
|
||||
DYNAMIC_ZONES=
|
||||
PKTTYPE=
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
|
||||
@ -6204,6 +6261,7 @@ do_initialize() {
|
||||
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
|
||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
||||
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
|
@ -1 +1 @@
|
||||
2.1.0
|
||||
2.1.1
|
||||
|