diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 3af09b5fd..7552c66d9 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -4288,8 +4288,8 @@ add_a_rule()
 
 if [ -n "$natrule" ]; then
 add_nat_rule
- elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
- fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
+ elif [ -n "$servport" -a "$servport" != "$port" ]; then
+ fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
 fi
 
 if [ -z "$dnat_only" ]; then
@@ -4312,13 +4312,15 @@ add_a_rule()
 $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 fi
 
- [ -n "$nonat" ] && \
+ if [ -n "$nonat" ]; then
 addnatrule $(dnat_chain $source) $proto $multiport \
 $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
-
- [ "$logtarget" != NONAT ] && \
+ fi
+
+ if [ "$logtarget" != NONAT ]; then
 run_iptables2 -A $chain $proto $multiport $cli $sports \
 $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
+ fi
 fi
 done
 done
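Review bot: Dropping the `$addr` half of the elif means an ORIGINAL DEST on a non-NAT rule whose destination is a host (the @@ -4312 hunk, the `$(dest_ip_range $srv)` path) is no longer rejected, yet nothing in that hunk applies it either: neither the `addnatrule` nor the `run_iptables2` call there carries `-m conntrack --ctorigdst`, so the generated filter rule would be broader than the rule line asked for. Unless `$addr` is consumed on that path elsewhere in add_a_rule (the function starts and ends outside both hunks), I would either keep a guard such as `[ -n "$addr" -a -n "$serv" ] && fatal_error "ORIGINAL DEST is not supported together with a SERVER for this action; rule \"$rule\""` or loop over `separate_list $addr` in the @@ -4312 hunk the same way the @@ -4342 hunk does. The narrowed message `destination port mapping` does match what the remaining test checks.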
@@ -4342,24 +4344,43 @@ add_a_rule()
 
 # Destination is a simple zone
 
- [ -n "$addr" ] && fatal_error \
- "An ORIGINAL DESTINATION ($addr) is only allowed in" \
- " a DNAT, SAME or REDIRECT: \"$rule\""
-
 if [ $COMMAND != check ]; then
- if [ -n "$loglevel" ]; then
- log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
- $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
- fi
+ if [ -n "$addr" ]; then
+ for adr in $(separate_list $addr); do
+ if [ -n "$loglevel" ]; then
+ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
+ $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
+ fi
 
- if [ "$logtarget" != LOG ]; then
- [ -n "$nonat" ] && \
- addnatrule $(dnat_chain $source) $proto $multiport \
- $cli $sports $dports $ratelimit $userandgroup -j RETURN
+ if [ "$logtarget" != LOG ]; then
+ if [ -n "$nonat" ]; then
+ addnatrule $(dnat_chain $source) $proto $multiport \
+ $cli $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j RETURN
+ fi
+
+ if [ "$logtarget" != NONAT ]; then
+ run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
+ $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j $target
+ fi
+ fi
+ done
+ else
+ if [ -n "$loglevel" ]; then
+ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
+ $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
+ fi
 
- [ "$logtarget" != NONAT ] && \
- run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
- $sports $dports $ratelimit $userandgroup -j $target
+ if [ "$logtarget" != LOG ]; then
+ if [ -n "$nonat" ]; then
+ addnatrule $(dnat_chain $source) $proto $multiport \
+ $cli $sports $dports $ratelimit $userandgroup -j RETURN
+ fi
+
+ if [ "$logtarget" != NONAT ]; then
+ run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
+ $sports $dports $ratelimit 
$userandgroup -j $target
+ fi
+ fi
 fi
 fi
 fi
diff --git a/Shorewall2/functions b/Shorewall2/functions
index c5debba45..003191eac 100755
--- a/Shorewall2/functions
+++ b/Shorewall2/functions
@@ -269,6 +269,9 @@ find_zones() # $1 = name of the zone file
 {
 while read zone display comments; do
 [ -n "$zone" ] && case "$zone" in
+ [0-9*])
+ echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
+ ;;
 \#*)
 ;;
 $FW|all|none)
diff --git a/Shorewall2/rules b/Shorewall2/rules
index ab0be283c..e0a619ab9 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@@ -263,8 +263,8 @@
 # Otherwise, a separate rule will be generated for each
 # port.
 #
-# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
-# REDIRECT[-]) If included and different from the IP
+# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
+# if included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
 # that address will be forwarded to the IP and port
@@ -280,6 +280,20 @@
 # destination address in the connection request does not
 # match any of the addresses listed.
 #
+# For other actions, this column may be included and may
+# contain one or more addresses (host or network)
+# separated by commas. Address ranges are not allowed.
+# When this column is supplied, rules are generated
+# that require that the original destination address matches
+# one of the listed addresses. This feature is most useful when
+# you want to generate a filter rule that corresponds to a
+# DNAT- or REDIRECT- rule. In this usage, the list of
+# addresses should not begin with "!".
+#
+# See http://shorewall.net/PortKnocking.html for an
+# example of using an entry in this column with a
+# user-defined action rule.
+#
 # RATE LIMIT You may rate-limit the rule by placing a value in
 # this colume:
 #
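Review bot: Each `$adr` from `separate_list $addr` is passed straight into `-m conntrack --ctorigdst $adr`, so the limits the rules documentation in this commit states (no address ranges, no leading `!`) are only enforced by iptables rejecting the rule at load time, and not at all under `shorewall check`, because the whole block sits inside `if [ $COMMAND != check ]`. A parse-time check ahead of the loop, e.g. `case $addr in !*) fatal_error "ORIGINAL DEST may not begin with \"!\" for this action; rule \"$rule\"" ;; esac`, would report the problem where the user expects it; note that only the log_rule_limit arguments go through `fix_bang`, the addnatrule and run_iptables2 arguments do not, so a `!` would reach iptables unprocessed. The two branches differ only by the presence of the conntrack match and could be one loop over an optional match string, which would also keep the NONAT/LOG logic from drifting apart later. add_a_rule continues outside the hunk on both sides.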
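Review bot: `2>&2` on the added echo is a no-op redirection, so the warning is written to stdout rather than stderr; `>&2` is presumably what was intended. The pattern `[0-9*]` matches only a zone name that is a single digit or a single `*` character, so a constructed name like `1net` falls through to the later arms; if the intent is to reject any name beginning with a digit or `*`, the arm should read `[0-9*]*)`. find_zones's body continues outside the hunk, so I cannot see whether a later arm catches such names.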