Shorewall 1.4.8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@794 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
f9c596a465
commit
ce7dddfc5a
@ -46,6 +46,8 @@
|
||||
# to the rules defined for that
|
||||
# (those) zone(s).
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as p2pwall.
|
||||
#
|
||||
# You may rate-limit the rule by optionally
|
||||
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
|
||||
|
@ -350,11 +350,12 @@ CLAMPMSS=No
|
||||
# ROUTE FILTERING
|
||||
#
|
||||
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
||||
# interfaces (anti-spoofing measure).
|
||||
# interfaces started while Shorewall is started (anti-spoofing measure).
|
||||
#
|
||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
||||
# In that case, you can still enable route filtering on individual interfaces
|
||||
# in the /etc/shorewall/interfaces file.
|
||||
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
|
||||
# on individual interfaces using the 'routefilter' option in the
|
||||
# /etc/shorewall/interfaces file.
|
||||
|
||||
ROUTE_FILTER=No
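Review bot: The new comment line `# interfaces started while Shorewall is started (anti-spoofing measure).` is ambiguous — it can be read as "during startup" or as "after startup". If the matching firewall change is the new `[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter` line later in this commit, the setting reaches interfaces that come up after Shorewall has started (the `default` sysctl seeds interfaces created later), and the comment should say exactly that: `# interfaces brought up after Shorewall has started (anti-spoofing measure).` It would also help to state in the following paragraph that interfaces already present at startup are covered only through the 'routefilter' interface option, if that is indeed what the reworked add_common_rules block does.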
|
||||
|
||||
@ -463,6 +464,28 @@ NEWNOTSYN=No
|
||||
#
|
||||
ADMINISABSENTMINDED=Yes
|
||||
|
||||
#
|
||||
# BLACKLIST Behavior
|
||||
#
|
||||
# Shorewall offers two types of blacklisting:
|
||||
#
|
||||
# - static blacklisting through the /etc/shorewall/blacklist file together
|
||||
# with the 'blacklist' interface option.
|
||||
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
|
||||
#
|
||||
# The following variable determines whether the blacklist is checked for each
|
||||
# packet or for each new connection.
|
||||
#
|
||||
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
|
||||
# requests
|
||||
#
|
||||
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
|
||||
#
|
||||
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
|
||||
# BLACKLISTNEWONLY=No is assumed.
|
||||
#
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
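Review bot: The BLACKLISTNEWONLY comment block does not say what the NEW-only setting means for the dynamic `drop`/`reject` commands it lists a few lines earlier: with the `-m state --state NEW` gating that this commit adds to the jumps into `blacklst` and `dynamic`, an address dropped at run time keeps any connection that was already established until it ends on its own. Suggest adding after the `BLACKLISTNEWONLY=No` description: `# Note: with BLACKLISTNEWONLY=Yes, a 'drop' or 'reject' issued while the firewall is running does not affect connections that are already established; use BLACKLISTNEWONLY=No if those must be cut off as well.` The last lines of the block say `No` is assumed when the option is unset while the shipped value is `Yes`; stating explicitly that blanking the line changes the behaviour would spare an administrator a surprise.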
|
||||
|
@ -57,14 +57,18 @@ list_search() # $1 = element to search for , $2-$n = list
|
||||
}
|
||||
|
||||
#
|
||||
# Function to count list elements
|
||||
# Functions to count list elements
|
||||
# - - - - - - - - - - - - - - - -
|
||||
# Whitespace-separated list
|
||||
#
|
||||
list_count1() {
|
||||
echo $#
|
||||
}
|
||||
#
|
||||
# Comma-separated list
|
||||
#
|
||||
list_count() {
|
||||
arg_count() {
|
||||
echo $#
|
||||
}
|
||||
|
||||
arg_count `separate_list $1`
|
||||
list_count1 `separate_list $1`
|
||||
}
|
||||
|
||||
#
|
||||
@ -225,11 +229,13 @@ run_tc() {
|
||||
#
|
||||
# If the chain isn't one of the common chains then add a rule to the chain
|
||||
# allowing packets that are part of an established connection. Create a
|
||||
# variable ${1}_exists and set its value to Yes to indicate that the chain now
|
||||
# variable exists_${1} and set its value to Yes to indicate that the chain now
|
||||
# exists.
|
||||
#
|
||||
createchain() # $1 = chain name, $2 = If "yes", create default rules
|
||||
{
|
||||
local c=`chain_base $1`
|
||||
|
||||
run_iptables -N $1
|
||||
|
||||
if [ $2 = yes ]; then
|
||||
@ -238,11 +244,13 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
|
||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
fi
|
||||
|
||||
eval ${1}_exists=Yes
|
||||
eval exists_${c}=Yes
|
||||
}
|
||||
|
||||
createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
{
|
||||
local c=`chain_base $1`
|
||||
|
||||
if iptables -N $1; then
|
||||
|
||||
if [ $2 = yes ]; then
|
||||
@ -251,20 +259,22 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
||||
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
|
||||
fi
|
||||
|
||||
eval ${1}_exists=Yes
|
||||
eval exists_${c}=Yes
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if a chain exists
|
||||
#
|
||||
# When we create a chain "chain", we create a variable named chain_exists and
|
||||
# set its value to Yes. This function tests for the "_exists" variable
|
||||
# When we create a chain "chain", we create a variable named exists_chain and
|
||||
# set its value to Yes. This function tests for the "exists_" variable
|
||||
# corresponding to the passed chain having the value of "Yes".
|
||||
#
|
||||
havechain() # $1 = name of chain
|
||||
{
|
||||
eval test \"\$${1}_exists\" = Yes
|
||||
local c=`chain_base $1`
|
||||
|
||||
eval test \"\$exists_${c}\" = Yes
|
||||
}
|
||||
|
||||
#
|
||||
@ -303,26 +313,26 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
|
||||
#
|
||||
# Create a nat chain
|
||||
#
|
||||
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that
|
||||
# Create a variable exists_nat_${1} and set its value to Yes to indicate that
|
||||
# the chain now exists.
|
||||
#
|
||||
createnatchain() # $1 = chain name
|
||||
{
|
||||
run_iptables -t nat -N $1
|
||||
|
||||
eval ${1}_nat_exists=Yes
|
||||
eval exists_nat_${1}=Yes
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if a nat chain exists
|
||||
#
|
||||
# When we create a chain "chain", we create a variable named chain_nat_exists
|
||||
# and set its value to Yes. This function tests for the "_exists" variable
|
||||
# When we create a chain "chain", we create a variable named exists_nat_chain
|
||||
# and set its value to Yes. This function tests for the "exists_" variable
|
||||
# corresponding to the passed chain having the value of "Yes".
|
||||
#
|
||||
havenatchain() # $1 = name of chain
|
||||
{
|
||||
eval test \"\$${1}_nat_exists\" = Yes
|
||||
eval test \"\$exists_nat_${1}\" = Yes
|
||||
}
|
||||
|
||||
#
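Review bot: `eval exists_nat_${1}=Yes` in createnatchain and `eval test \"\$exists_nat_${1}\" = Yes` in havenatchain still interpolate the raw chain name, whereas createchain, createchain2 and havechain in this same commit first pass the name through `chain_base`. If a nat chain name can contain `-` or `.` (interface-derived names evidently can, given the new `*-*` arm in chain_base), the eval text becomes `exists_nat_foo-bar=Yes` (constructed example), which the shell parses as a command rather than an assignment, and havenatchain would then never find the marker. Suggest the same normalisation here: `local c=\`chain_base $1\`` followed by `eval exists_nat_${c}=Yes`, with the matching `c` in havenatchain's test. Whether any caller passes such a name is not visible from the hunk.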
|
||||
@ -626,11 +636,11 @@ validate_interfaces_file() {
|
||||
|
||||
all_interfaces="$all_interfaces $interface"
|
||||
options=`separate_list $options`
|
||||
interface=`chain_base $interface`
|
||||
iface=`chain_base $interface`
|
||||
|
||||
eval ${interface}_broadcast="$subnet"
|
||||
eval ${interface}_zone="$z"
|
||||
eval ${interface}_options=\"$options\"
|
||||
eval ${iface}_broadcast="$subnet"
|
||||
eval ${iface}_zone="$z"
|
||||
eval ${iface}_options=\"$options\"
|
||||
|
||||
for option in $options; do
|
||||
case $option in
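Review bot: `eval ${iface}_broadcast="$subnet"` and `eval ${iface}_zone="$z"` hand values read from /etc/shorewall/interfaces to eval unprotected, while the `_options` line right below escapes its quotes. The outer double quotes are consumed before eval runs, so a `$subnet` or `$z` value containing whitespace or shell metacharacters is re-parsed as shell code instead of being stored; the file is root-owned, so this is a robustness rather than an exposure issue, but the three lines should at least be consistent, and `eval ${iface}_broadcast=\"\$subnet\"` / `eval ${iface}_zone=\"\$z\"` store the values verbatim. The enclosing loop of validate_interfaces_file starts and ends outside the hunk.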
|
||||
@ -753,7 +763,14 @@ validate_policy()
|
||||
esac
|
||||
|
||||
case $policy in
|
||||
ACCEPT|REJECT|DROP|CONTINUE|NONE)
|
||||
ACCEPT|REJECT|DROP|CONTINUE)
|
||||
;;
|
||||
NONE)
|
||||
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
|
||||
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
|
||||
|
||||
[ -n "$clientwild" -o -n "$serverwild" ] && \
|
||||
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid policy $policy"
|
||||
@ -771,8 +788,6 @@ validate_policy()
|
||||
|
||||
[ "x$loglevel" = "x-" ] && loglevel=
|
||||
|
||||
chain=${client}2${server}
|
||||
|
||||
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
|
||||
|
||||
eval ${chain}_is_policy=Yes
|
||||
@ -960,7 +975,7 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
|
||||
local chain=$2
|
||||
local disposition=$3
|
||||
local rulenum=
|
||||
local limit=${4:-$LOGLIMIT}
|
||||
local limit="${4:-$LOGLIMIT}"
|
||||
|
||||
shift;shift;shift;shift
|
||||
|
||||
@ -1452,28 +1467,19 @@ setup_mac_lists() {
|
||||
#
|
||||
for interface in $maclist_interfaces; do
|
||||
chain=`mac_chain $interface`
|
||||
blob=`ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'`
|
||||
|
||||
blob=`ip link show $interface 2> /dev/null`
|
||||
|
||||
[ -z "$blob" ] && \
|
||||
fatal_error "Interface $interface must be up before Shorewall can start"
|
||||
|
||||
set -- $blob
|
||||
|
||||
while [ $# -gt 0 ]; do
|
||||
address=${1%/*}
|
||||
|
||||
case $1 in
|
||||
*/32)
|
||||
;;
|
||||
*)
|
||||
run_iptables -A $chain -s $address -d $2 -j RETURN
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
|
||||
if [ -n "$broadcast" ]; then
|
||||
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
|
||||
fi
|
||||
|
||||
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
|
||||
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
|
||||
shift
|
||||
done
|
||||
|
||||
if [ -n "$MACLIST_LOG_LEVEL" ]; then
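Review bot: The three RETURN rules in the new `while read address broadcast` loop do not agree on what `-s` matches: the broadcast rule uses `${address%/*}` (the bare interface address), but the 255.255.255.255 and 224.0.0.0/4 rules pass `$address` unchanged, which after the `sed` still carries the prefix length (`10.0.0.1/24`, constructed example), and an iptables `-s` with a prefix matches the whole subnet. If the single-address match of the removed `address=${1%/*}` code was the intent, the last two rules now exempt every host on the subnet from the MAC check for broadcast and multicast destinations; `-s ${address%/*}` on both lines restores the narrower match. Separately, the loop is now the last stage of a pipeline and runs in a subshell, so an `exit` from `run_iptables` or its error helper would end only that subshell and setup_mac_lists would carry on as if the rules had been added — confirm what `run_iptables` does on failure, or feed the loop from a temporary file instead. Note also that `ip link show` prints a line for an interface that exists but is down, so the `[ -z "$blob" ]` test detects an unknown interface rather than the "must be up" condition named in the message.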
|
||||
@ -1668,9 +1674,10 @@ setup_ecn() # $1 = file name
|
||||
#
|
||||
process_tc_rule()
|
||||
{
|
||||
chain=$marking_chain
|
||||
|
||||
add_a_tc_rule() {
|
||||
r=
|
||||
chain=$marking_chain
|
||||
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case $source in
|
||||
@ -1693,6 +1700,15 @@ process_tc_rule()
|
||||
esac
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
||||
|
||||
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
|
||||
|
||||
}
|
||||
|
||||
if [ "$mark" != "${mark%:*}" ]; then
|
||||
|
||||
[ "$chain" = tcout ] && \
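Review bot: `add_a_tc_rule` is defined inside `process_tc_rule`, so the shell re-defines it on every call, and it talks to its caller only through undeclared globals (`r`, `chain`, `source`, `dest`, `proto`, `port`, `sport`, `mark`, `marking_chain`); `do_ports` inside `add_a_rule` later in this commit introduces the same pattern. Both would read better hoisted to file scope next to their callers with a header comment naming what they consume and produce, e.g. `# add_a_tc_rule: emit one mangle MARK rule; reads source dest proto port sport mark marking_chain, writes r and chain`. Within this hunk `r=` and `chain=` are assignments to globals rather than `local`; if nothing outside the function relies on them afterwards they should be declared `local` at the top of process_tc_rule. process_tc_rule's body continues past the hunk.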
|
||||
@ -1713,15 +1729,6 @@ process_tc_rule()
|
||||
mark="${mark%:*}"
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
||||
|
||||
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
|
||||
|
||||
}
|
||||
|
||||
for source in `separate_list ${sources:=-}`; do
|
||||
for dest in `separate_list ${dests:=-}`; do
|
||||
for port in `separate_list ${ports:=-}`; do
|
||||
@ -2315,6 +2322,26 @@ add_a_rule()
|
||||
{
|
||||
local natrule=
|
||||
|
||||
do_ports() {
|
||||
if [ -n "$port" ]; then
|
||||
dports="--dport"
|
||||
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
dports="--dports"
|
||||
fi
|
||||
dports="$dports $port"
|
||||
fi
|
||||
|
||||
if [ -n "$cport" ]; then
|
||||
sports="--sport"
|
||||
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
sports="--sports"
|
||||
fi
|
||||
sports="$sports $cport"
|
||||
fi
|
||||
}
|
||||
|
||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||
|
||||
cli=
|
||||
@ -2369,24 +2396,12 @@ add_a_rule()
|
||||
[ x$cport = x- ] && cport=
|
||||
|
||||
case $proto in
|
||||
tcp|udp|TCP|UDP|6|17)
|
||||
if [ -n "$port" ]; then
|
||||
dports="--dport"
|
||||
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
dports="--dports"
|
||||
fi
|
||||
dports="$dports $port"
|
||||
fi
|
||||
|
||||
if [ -n "$cport" ]; then
|
||||
sports="--sport"
|
||||
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
sports="--sports"
|
||||
fi
|
||||
sports="$sports $cport"
|
||||
fi
|
||||
tcp|TCP|6)
|
||||
do_ports
|
||||
[ "$target" = QUEUE ] && proto="$proto --syn"
|
||||
;;
|
||||
udp|UDP|17)
|
||||
do_ports
|
||||
;;
|
||||
icmp|ICMP|1)
|
||||
[ -n "$port" ] && dports="--icmp-type $port"
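Review bot: `[ "$target" = QUEUE ] && proto="$proto --syn"` in the new `tcp|TCP|6)` arm silently turns `$proto` from a protocol name into a protocol plus a match option, and nothing says why QUEUE rules are restricted to SYN packets. Add a comment on the line above, e.g. `# QUEUE: only hand the connection-opening SYN to user space (confirm intent)`, and note that the trick works only where `$proto` is later expanded unquoted, which happens outside this hunk. The case statement of add_a_rule continues past the hunk on both sides.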
|
||||
@ -2761,10 +2776,13 @@ process_rule() # $1 = target
|
||||
|
||||
# Generate Netfilter rule(s)
|
||||
|
||||
protocol=${protocol:=all}
|
||||
|
||||
case $logtarget in
|
||||
DNAT*)
|
||||
if [ -n "$MULTIPORT" -a \
|
||||
"$ports" = "${ports%:*}" -a \
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
`list_count $ports` -le 15 -a \
|
||||
`list_count $cports` -le 15 ]
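Review bot: The multiport eligibility test that this hunk extends — `[ -n "$MULTIPORT" ] && ! list_search $protocol "icmp" "ICMP" "1" && [ … -le 15 ]` — is duplicated character for character in the `*)` arm of the same case (the next hunk), so the icmp exclusion had to be added twice and any future constraint will have to be as well. Extracting it into one helper next to process_rule keeps the two arms in sync; the `then` that closes each `if` lies outside the hunk. The helper below is a straight move of the condition, with a comment stating the three constraints it encodes.
```shell
#
# Decide whether a rule may use the multiport match: MULTIPORT must be
# enabled, the protocol must not be icmp, neither port list may contain a
# range ("low:high"), and neither may hold more than 15 entries.
#
multiport_usable() {
    [ -n "$MULTIPORT" ] && \
    ! list_search $protocol "icmp" "ICMP" "1" && \
    [ "$ports" = "${ports%:*}" -a \
      "$cports" = "${cports%:*}" -a \
      `list_count $ports` -le 15 -a \
      `list_count $cports` -le 15 ]
}

# … unchanged: process_rule up to the DNAT*) arm of the logtarget case …
        DNAT*)
            if multiport_usable
# … unchanged: then-branch; the *) arm uses the same one-line condition …
```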
|
||||
@ -2800,8 +2818,9 @@ process_rule() # $1 = target
|
||||
;;
|
||||
*)
|
||||
|
||||
if [ -n "$MULTIPORT" -a \
|
||||
"$ports" = "${ports%:*}" -a \
|
||||
if [ -n "$MULTIPORT" ] && \
|
||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||
[ "$ports" = "${ports%:*}" -a \
|
||||
"$cports" = "${cports%:*}" -a \
|
||||
`list_count $ports` -le 15 -a \
|
||||
`list_count $cports` -le 15 ]
|
||||
@ -2869,7 +2888,7 @@ process_rules()
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
|
||||
temp="${xtarget%:*}"
|
||||
case "${temp%<*}" in
|
||||
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
|
||||
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
|
||||
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
@ -3387,7 +3406,7 @@ setup_masq()
|
||||
;;
|
||||
*)
|
||||
subnets=`get_routed_subnets $subnet`
|
||||
[ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet"
|
||||
[ -z "$subnets" ] && fatal_error "Unable to determine the routes through interface $subnet"
|
||||
subnet="$subnets"
|
||||
;;
|
||||
esac
|
||||
@ -3578,9 +3597,11 @@ setup_blacklist() {
|
||||
|
||||
createchain blacklst no
|
||||
|
||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
|
||||
|
||||
for interface in $interfaces; do
|
||||
for chain in `first_chains $interface`; do
|
||||
run_iptables -A $chain -j blacklst
|
||||
run_iptables -A $chain $state -j blacklst
|
||||
done
|
||||
|
||||
echo " Blacklisting enabled on $interface"
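Review bot: `[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=` is computed here and again verbatim in initialize_netfilter (the later hunk), and in both places `state` is an undeclared global. Since BLACKLISTNEWONLY is already normalised once in do_initialize (the `added_param_value_no` line this commit adds), the fragment could be derived there into a single descriptively named global, e.g. `blacklist_state`, which both functions simply expand; that also removes the `a && b || c` shape, which is safe here only because an assignment cannot fail. setup_blacklist continues outside the hunk.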
|
||||
@ -3899,13 +3920,15 @@ initialize_netfilter () {
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
|
||||
|
||||
echo "Creating Interface Chains..."
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
createchain `forward_chain $interface` no
|
||||
run_iptables -A `forward_chain $interface` -j dynamic
|
||||
run_iptables -A `forward_chain $interface` $state -j dynamic
|
||||
createchain `input_chain $interface` no
|
||||
run_iptables -A `input_chain $interface` -j dynamic
|
||||
run_iptables -A `input_chain $interface` $state -j dynamic
|
||||
done
|
||||
}
|
||||
|
||||
@ -4003,7 +4026,7 @@ add_common_rules() {
|
||||
if [ -n "$interfaces" ]; then
|
||||
createchain logpkt no
|
||||
|
||||
[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
|
||||
[ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info
|
||||
|
||||
LOGPARMS="$LOGPARMS --log-ip-options"
|
||||
|
||||
@ -4175,6 +4198,7 @@ add_common_rules() {
|
||||
|
||||
if [ -n "$interfaces" ]; then
|
||||
echo "Setting up ARP Filtering..."
|
||||
|
||||
for interface in $interfaces; do
|
||||
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
|
||||
if [ -f $file ]; then
|
||||
@ -4188,18 +4212,15 @@ add_common_rules() {
|
||||
#
|
||||
# Route Filtering
|
||||
#
|
||||
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
echo 0 > $f
|
||||
done
|
||||
|
||||
interfaces="`find_interfaces_by_option routefilter`"
|
||||
|
||||
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
|
||||
echo "Setting up Kernel Route Filtering..."
|
||||
|
||||
if [ -n "$ROUTE_FILTER" ]; then
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
else
|
||||
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
||||
echo 0 > $f
|
||||
done
|
||||
|
||||
for interface in $interfaces; do
|
||||
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
|
||||
if [ -f $file ]; then
|
||||
@ -4209,7 +4230,10 @@ add_common_rules() {
|
||||
"Warning: Cannot set route filtering on $interface"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
|
||||
run_ip route flush cache
|
||||
fi
|
||||
#
|
||||
# IP Forwarding
|
||||
@ -4381,6 +4405,7 @@ activate_rules()
|
||||
|
||||
[ -n "$complex" ] && \
|
||||
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
|
||||
|
||||
done
|
||||
|
||||
for zone1 in $zones; do
|
||||
@ -4401,14 +4426,23 @@ activate_rules()
|
||||
routeback=
|
||||
fi
|
||||
|
||||
if [ -n "$complex" ]; then
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
if [ `list_count1 $source_hosts` -eq 1 -a "$source_hosts" = "$host1" ]; then
|
||||
if list_search $host1 $routeback; then
|
||||
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
else
|
||||
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
done
|
||||
else
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
|
||||
if [ -n "$complex" ]; then
|
||||
chain1=$frwd_chain
|
||||
else
|
||||
chain1=`forward_chain $interface`
|
||||
fi
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
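Review bot: The new `complex` branch adds an uncommented special case: when the source zone has exactly one host and it equals the destination host, the rule is emitted only if that host is in `$routeback`, and a reader cannot tell why a single-host zone is treated differently from a multi-host one. Suggest a comment above the `if [ \`list_count1 $source_hosts\` -eq 1 …` line, e.g. `# A zone whose only host is also the destination would send traffic back out the interface it arrived on; require the 'routeback' option for that` (presumably the intent — confirm). Also `list_count1 $source_hosts` is re-evaluated for every destination host although it cannot change inside the loop; computing it once before `for host1` is cheaper and reads better. activate_rules continues outside the hunk on both sides.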
|
||||
@ -4419,6 +4453,7 @@ activate_rules()
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
@ -5021,6 +5056,7 @@ do_initialize() {
|
||||
LOGFORMAT=
|
||||
LOGRULENUMBERS=
|
||||
ADMINISABSENTMINDED=
|
||||
BLACKLISTNEWONLY=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
@ -5170,6 +5206,7 @@ do_initialize() {
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
fi
|
||||
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
|
||||
BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -425,6 +425,9 @@ chain_base() #$1 = interface
|
||||
*.*)
|
||||
c="${c%.*}_${c##*.}"
|
||||
;;
|
||||
*-*)
|
||||
c="${c%-*}_${c##*-}"
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
return
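Review bot: The new `*-*` arm rewrites one hyphen per pass (`${c%-*}_${c##*-}` touches only the last one), so it relies on the surrounding case being re-entered until no separator remains; chain_base starts before the hunk, so whether it loops is not visible — if it does not, `a-b-c` (constructed example) yields `a-b_c`. More importantly, chain_base's result is now used as a shell variable name in `eval exists_${c}=Yes` (createchain, earlier in this commit), and any character other than `.` and `-` that is not legal in an identifier passes through the `*)` arm untouched and surfaces later as a confusing eval error. A guard arm placed between `*-*)` and `*)` would make the failure explicit: `*[!A-Za-z0-9_]*) fatal_error "Invalid interface or chain name: $1" ;;`, using the file's existing fatal_error helper.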
|
||||
|
@ -1 +1 @@
|
||||
1.4.7
|
||||
1.4.8
|
||||
|
@ -1 +1 @@
|
||||
1.4.7
|
||||
1.4.8
|
||||
|