Apply and fix Tuomas Jormola's IPTABLES patch
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1766 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
0c3bf6f598
commit
fa89a86f71
@ -144,3 +144,7 @@ Changes since 2.0.3
|
|||||||
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
||||||
|
|
||||||
70) Correct typo in shorewall.conf.
|
70) Correct typo in shorewall.conf.
|
||||||
|
|
||||||
|
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
|
||||||
|
|
||||||
|
72) Apply Tuomas Jormola's IPTABLES patch.
|
||||||
|
@ -156,9 +156,9 @@ run_iptables() {
|
|||||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
if ! iptables $@ ; then
|
if ! $IPTABLES $@ ; then
|
||||||
if [ -z "$stopping" ]; then
|
if [ -z "$stopping" ]; then
|
||||||
error_message "ERROR: Command \"iptables $@\" Failed"
|
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
|
||||||
stop_firewall
|
stop_firewall
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
|
|||||||
{
|
{
|
||||||
local c=$(chain_base $1)
|
local c=$(chain_base $1)
|
||||||
|
|
||||||
if iptables -N $1; then
|
if $IPTABLES -N $1; then
|
||||||
|
|
||||||
if [ $2 = yes ]; then
|
if [ $2 = yes ]; then
|
||||||
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
@ -265,7 +265,7 @@ havechain() # $1 = name of chain
|
|||||||
#
|
#
|
||||||
chain_exists() # $1 = chain name
|
chain_exists() # $1 = chain name
|
||||||
{
|
{
|
||||||
qt iptables -L $1 -n
|
qt $IPTABLES -L $1 -n
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -273,7 +273,7 @@ chain_exists() # $1 = chain name
|
|||||||
#
|
#
|
||||||
mangle_chain_exists() # $1 = chain name
|
mangle_chain_exists() # $1 = chain name
|
||||||
{
|
{
|
||||||
qt iptables -t mangle -L $1 -n
|
qt $IPTABLES -t mangle -L $1 -n
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
|
|||||||
#
|
#
|
||||||
deletechain() # $1 = name of chain
|
deletechain() # $1 = name of chain
|
||||||
{
|
{
|
||||||
qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1
|
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
|
|||||||
|
|
||||||
case $level in
|
case $level in
|
||||||
ULOG)
|
ULOG)
|
||||||
iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -1462,7 +1462,7 @@ stop_firewall() {
|
|||||||
else
|
else
|
||||||
routeback=Yes
|
routeback=Yes
|
||||||
for h in $(separate_list $host); do
|
for h in $(separate_list $host); do
|
||||||
iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -1478,27 +1478,27 @@ stop_firewall() {
|
|||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
interface=${host%:*}
|
interface=${host%:*}
|
||||||
networks=${host#*:}
|
networks=${host#*:}
|
||||||
iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||||
|
|
||||||
for host1 in $hosts; do
|
for host1 in $hosts; do
|
||||||
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
iptables -A INPUT -i lo -j ACCEPT
|
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
iptables -A OUTPUT -o lo -j ACCEPT
|
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
for interface in $(find_interfaces_by_option dhcp); do
|
for interface in $(find_interfaces_by_option dhcp); do
|
||||||
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
|
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
|
||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||||
#
|
#
|
||||||
# This might be a bridge
|
# This might be a bridge
|
||||||
#
|
#
|
||||||
iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
|
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
case "$IP_FORWARDING" in
|
case "$IP_FORWARDING" in
|
||||||
@ -2700,7 +2700,7 @@ process_accounting_rule() {
|
|||||||
|
|
||||||
ensurechain1 $chain
|
ensurechain1 $chain
|
||||||
|
|
||||||
if iptables -A $chain $(fix_bang $rule) ; then
|
if $IPTABLES -A $chain $(fix_bang $rule) ; then
|
||||||
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
|
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
|
||||||
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
|
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
|
||||||
else
|
else
|
||||||
@ -5303,7 +5303,7 @@ refresh_blacklist() {
|
|||||||
local f=$(find_file blacklist)
|
local f=$(find_file blacklist)
|
||||||
local disposition=$BLACKLIST_DISPOSITION
|
local disposition=$BLACKLIST_DISPOSITION
|
||||||
|
|
||||||
if qt iptables -L blacklst -n ; then
|
if qt $IPTABLES -L blacklst -n ; then
|
||||||
echo "Loading Black List..."
|
echo "Loading Black List..."
|
||||||
|
|
||||||
strip_file blacklist $f
|
strip_file blacklist $f
|
||||||
@ -5456,8 +5456,8 @@ verify_ip() {
|
|||||||
# Determine which optional facilities are supported by iptables/netfilter
|
# Determine which optional facilities are supported by iptables/netfilter
|
||||||
#
|
#
|
||||||
determine_capabilities() {
|
determine_capabilities() {
|
||||||
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||||
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||||
|
|
||||||
CONNTRACK_MATCH=
|
CONNTRACK_MATCH=
|
||||||
MULTIPORT=
|
MULTIPORT=
|
||||||
@ -5465,20 +5465,20 @@ determine_capabilities() {
|
|||||||
PHYSDEV_MATCH=
|
PHYSDEV_MATCH=
|
||||||
IPRANGE_MATCH=
|
IPRANGE_MATCH=
|
||||||
|
|
||||||
if qt iptables -N fooX1234 ; then
|
if qt $IPTABLES -N fooX1234 ; then
|
||||||
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||||
qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
||||||
|
|
||||||
|
|
||||||
if [ -n "$PKTTYPE" ]; then
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||||
fi
|
fi
|
||||||
|
|
||||||
qt iptables -F fooX1234
|
qt $IPTABLES -F fooX1234
|
||||||
qt iptables -X fooX1234
|
qt $IPTABLES -X fooX1234
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5706,8 +5706,8 @@ add_common_rules() {
|
|||||||
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
# Reject Rules -- Don't respond to broadcasts with an ICMP
|
||||||
#
|
#
|
||||||
if [ -n "$PKTTYPE" ]; then
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
|
qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
|
||||||
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
|
if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
|
||||||
#
|
#
|
||||||
# No pkttype support -- do it the hard way
|
# No pkttype support -- do it the hard way
|
||||||
#
|
#
|
||||||
@ -5728,8 +5728,8 @@ add_common_rules() {
|
|||||||
#
|
#
|
||||||
# Not all versions of iptables support these so don't complain if they don't work
|
# Not all versions of iptables support these so don't complain if they don't work
|
||||||
#
|
#
|
||||||
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
|
||||||
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
|
if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
|
||||||
#
|
#
|
||||||
# In case the above doesn't work
|
# In case the above doesn't work
|
||||||
#
|
#
|
||||||
@ -5792,7 +5792,7 @@ add_common_rules() {
|
|||||||
if [ -n "$BRIDGING" ]; then
|
if [ -n "$BRIDGING" ]; then
|
||||||
eval is_bridge=\$$(chain_base $interface)_ports
|
eval is_bridge=\$$(chain_base $interface)_ports
|
||||||
[ -n "$is_bridge" ] && \
|
[ -n "$is_bridge" ] && \
|
||||||
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
|
$IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
|
||||||
fi
|
fi
|
||||||
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
|
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
|
||||||
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
|
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
|
||||||
@ -6617,12 +6617,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
|
|
||||||
nat_chain_exists() # $1 = chain name
|
nat_chain_exists() # $1 = chain name
|
||||||
{
|
{
|
||||||
qt iptables -t nat -L $1 -n
|
qt $IPTABLES -t nat -L $1 -n
|
||||||
}
|
}
|
||||||
|
|
||||||
do_iptables() # $@ = command
|
do_iptables() # $@ = command
|
||||||
{
|
{
|
||||||
if ! iptables $@ ; then
|
if ! $IPTABLES $@ ; then
|
||||||
startup_error "Can't add $1 to zone $2"
|
startup_error "Can't add $1 to zone $2"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Delete any nat table entries for the host(s)
|
# Delete any nat table entries for the host(s)
|
||||||
#
|
#
|
||||||
qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
||||||
#
|
#
|
||||||
# Delete rules rules the input chains for the passed interface
|
# Delete rules rules the input chains for the passed interface
|
||||||
#
|
#
|
||||||
while read z1 z2 chain; do
|
while read z1 z2 chain; do
|
||||||
if [ "$z1" = "$zone" ]; then
|
if [ "$z1" = "$zone" ]; then
|
||||||
if [ "$z2" = "$FW" ]; then
|
if [ "$z2" = "$FW" ]; then
|
||||||
qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
||||||
else
|
else
|
||||||
source_chain=$(dynamic_fwd $interface)
|
source_chain=$(dynamic_fwd $interface)
|
||||||
eval dest_hosts=\"\$${z2}_hosts\"
|
eval dest_hosts=\"\$${z2}_hosts\"
|
||||||
@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
elif [ "$z2" = "$zone" ]; then
|
elif [ "$z2" = "$zone" ]; then
|
||||||
if [ "$z1" = "$FW" ]; then
|
if [ "$z1" = "$FW" ]; then
|
||||||
qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
||||||
else
|
else
|
||||||
eval source_hosts=\"\$${z1}_hosts\"
|
eval source_hosts=\"\$${z1}_hosts\"
|
||||||
|
|
||||||
@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -6988,6 +6988,7 @@ do_initialize() {
|
|||||||
# Clear all configuration variables
|
# Clear all configuration variables
|
||||||
#
|
#
|
||||||
version=
|
version=
|
||||||
|
IPTABLES=
|
||||||
FW=
|
FW=
|
||||||
SUBSYSLOCK=
|
SUBSYSLOCK=
|
||||||
STATEDIR=
|
STATEDIR=
|
||||||
@ -7102,6 +7103,14 @@ do_initialize() {
|
|||||||
|
|
||||||
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
||||||
|
|
||||||
|
if [ -z "$IPTABLES" ]; then
|
||||||
|
IPTABLES=$(which iptables 2> /dev/null)
|
||||||
|
|
||||||
|
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
|
||||||
|
else
|
||||||
|
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
|
||||||
|
fi
|
||||||
|
|
||||||
[ -z "$FW" ] && FW=fw
|
[ -z "$FW" ] && FW=fw
|
||||||
|
|
||||||
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
|
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
|
||||||
@ -7283,7 +7292,7 @@ case "$COMMAND" in
|
|||||||
[ $# -ne 1 ] && usage
|
[ $# -ne 1 ] && usage
|
||||||
do_initialize
|
do_initialize
|
||||||
my_mutex_on
|
my_mutex_on
|
||||||
if qt iptables -L shorewall -n ; then
|
if qt $IPTABLES -L shorewall -n ; then
|
||||||
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||||
echo "Shorewall Already Started"
|
echo "Shorewall Already Started"
|
||||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||||
@ -7298,7 +7307,7 @@ case "$COMMAND" in
|
|||||||
[ $# -ne 1 ] && usage
|
[ $# -ne 1 ] && usage
|
||||||
do_initialize
|
do_initialize
|
||||||
my_mutex_on
|
my_mutex_on
|
||||||
if qt iptables -L shorewall -n ; then
|
if qt $IPTABLES -L shorewall -n ; then
|
||||||
define_firewall "Restart"
|
define_firewall "Restart"
|
||||||
else
|
else
|
||||||
echo "Shorewall Not Currently Running"
|
echo "Shorewall Not Currently Running"
|
||||||
@ -7313,22 +7322,22 @@ case "$COMMAND" in
|
|||||||
[ $# -ne 1 ] && usage
|
[ $# -ne 1 ] && usage
|
||||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
iptables -L -n -v
|
$IPTABLES -L -n -v
|
||||||
;;
|
;;
|
||||||
|
|
||||||
reset)
|
reset)
|
||||||
[ $# -ne 1 ] && usage
|
[ $# -ne 1 ] && usage
|
||||||
do_initialize
|
do_initialize
|
||||||
my_mutex_on
|
my_mutex_on
|
||||||
if ! qt iptables -L shorewall -n ; then
|
if ! qt $IPTABLES -L shorewall -n ; then
|
||||||
echo "Shorewall Not Started"
|
echo "Shorewall Not Started"
|
||||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||||
my_mutex_off
|
my_mutex_off
|
||||||
exit 2;
|
exit 2;
|
||||||
fi
|
fi
|
||||||
iptables -Z
|
$IPTABLES -Z
|
||||||
iptables -t nat -Z
|
$IPTABLES -t nat -Z
|
||||||
iptables -t mangle -Z
|
$IPTABLES -t mangle -Z
|
||||||
report "Shorewall Counters Reset"
|
report "Shorewall Counters Reset"
|
||||||
date > $STATEDIR/restarted
|
date > $STATEDIR/restarted
|
||||||
my_mutex_off
|
my_mutex_off
|
||||||
@ -7338,7 +7347,7 @@ case "$COMMAND" in
|
|||||||
[ $# -ne 1 ] && usage
|
[ $# -ne 1 ] && usage
|
||||||
do_initialize
|
do_initialize
|
||||||
my_mutex_on
|
my_mutex_on
|
||||||
if ! qt iptables -L shorewall -n ; then
|
if ! qt $IPTABLES -L shorewall -n ; then
|
||||||
echo "Shorewall Not Started"
|
echo "Shorewall Not Started"
|
||||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||||
my_mutex_off
|
my_mutex_off
|
||||||
@ -7369,7 +7378,7 @@ case "$COMMAND" in
|
|||||||
[ $# -ne 3 ] && usage
|
[ $# -ne 3 ] && usage
|
||||||
do_initialize
|
do_initialize
|
||||||
my_mutex_on
|
my_mutex_on
|
||||||
if ! qt iptables -L shorewall -n ; then
|
if ! qt $IPTABLES -L shorewall -n ; then
|
||||||
echo "Shorewall Not Started"
|
echo "Shorewall Not Started"
|
||||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||||
my_mutex_off
|
my_mutex_off
|
||||||
@ -7383,7 +7392,7 @@ case "$COMMAND" in
|
|||||||
[ $# -ne 3 ] && usage
|
[ $# -ne 3 ] && usage
|
||||||
do_initialize
|
do_initialize
|
||||||
my_mutex_on
|
my_mutex_on
|
||||||
if ! qt iptables -L shorewall -n ; then
|
if ! qt $IPTABLES -L shorewall -n ; then
|
||||||
echo "Shorewall Not Started"
|
echo "Shorewall Not Started"
|
||||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||||
my_mutex_off
|
my_mutex_off
|
||||||
|
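Review bot: The IPTABLES validation added to do_initialize (hunk @ -7102) only tests `-e`, so a non-executable file or a directory passes while the message claims executability was verified, and the first `$IPTABLES` call later fails inside run_iptables with a less specific error; the test that matches the message is `[ -x "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"`. Because the value comes from shorewall.conf and is executed as root, a bare name is also worth rejecting: `-e` resolves it against the current directory while the later `$IPTABLES ...` invocations resolve it via PATH, so the checked file and the executed file can differ; something like `case $IPTABLES in /*) ;; *) startup_error "IPTABLES must be an absolute path";; esac` before the `-x` test closes that gap. The `which iptables` fallback is fine for the era of this file, though `command -v iptables` would be the portable form. do_initialize starts and ends outside the shown hunks.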
@ -202,6 +202,14 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
|||||||
6) The 'logunclean' and 'dropunclean' options that were deprecated in
|
6) The 'logunclean' and 'dropunclean' options that were deprecated in
|
||||||
Shorewall 2.0 have now been removed completely.
|
Shorewall 2.0 have now been removed completely.
|
||||||
|
|
||||||
|
7) A new IPTABLES variable has been added to shorewall.conf. This
|
||||||
|
variable names the iptables executable that Shorewall will use. The
|
||||||
|
variable is set to "/sbin/iptables". If you use the new
|
||||||
|
shorewall.conf, you may need to change this setting to maintain
|
||||||
|
compabibility with your current setup (if you use your existing
|
||||||
|
shorewall.conf that does not set IPTABLES then you should
|
||||||
|
experience no change in behavior).
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
New Features:
|
New Features:
|
||||||
|
|
||||||
@ -674,3 +682,11 @@ New Features:
|
|||||||
|
|
||||||
28) For consistency, the CLIENT PORT(S) column in the tcrules file has
|
28) For consistency, the CLIENT PORT(S) column in the tcrules file has
|
||||||
been renamed SOURCE PORT(S).
|
been renamed SOURCE PORT(S).
|
||||||
|
|
||||||
|
29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown
|
||||||
|
in the output of "shorewall status".
|
||||||
|
|
||||||
|
30) A new IPTABLES option has been added to shorewall.conf. IPTABLES
|
||||||
|
can be used to designate the iptables executable to be used by
|
||||||
|
Shorewall. If not specified, the iptables executable determined by
|
||||||
|
the PATH setting is used.
|
||||||
|
@ -192,6 +192,19 @@ get_config() {
|
|||||||
|
|
||||||
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
||||||
|
|
||||||
|
if [ -n "$IPTABLES" ]; then
|
||||||
|
if [ ! -e "$IPTABLES" ]; then
|
||||||
|
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
IPTABLES=$(which iptables 2> /dev/null)
|
||||||
|
if [ -z "$IPTABLES" ] ; then
|
||||||
|
echo " ERROR: Can't find iptables executable" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||||
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||||
@ -223,7 +236,7 @@ display_chains()
|
|||||||
TMPFILE=$(mktempfile)
|
TMPFILE=$(mktempfile)
|
||||||
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
||||||
|
|
||||||
iptables -L $IPT_OPTIONS >> $TMPFILE
|
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||||
|
|
||||||
clear
|
clear
|
||||||
echo "$banner $(date)"
|
echo "$banner $(date)"
|
||||||
@ -306,7 +319,7 @@ display_chains()
|
|||||||
|
|
||||||
qt rm -f $TMPFILE
|
qt rm -f $TMPFILE
|
||||||
else
|
else
|
||||||
iptables -L -n -v
|
$IPTABLES -L -n -v
|
||||||
timed_read
|
timed_read
|
||||||
fi
|
fi
|
||||||
trap - 1 2 3 4 5 6 9
|
trap - 1 2 3 4 5 6 9
|
||||||
@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
get_config
|
get_config
|
||||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ $1 -lt 0 ]; then
|
if [ $1 -lt 0 ]; then
|
||||||
let "timeout=- $1"
|
let "timeout=- $1"
|
||||||
@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
show_reset
|
show_reset
|
||||||
|
|
||||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ "$rejects" != "$oldrejects" ]; then
|
if [ "$rejects" != "$oldrejects" ]; then
|
||||||
oldrejects="$rejects"
|
oldrejects="$rejects"
|
||||||
@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
echo
|
echo
|
||||||
echo "NAT Status"
|
echo "NAT Status"
|
||||||
echo
|
echo
|
||||||
iptables -t nat -L $IPT_OPTIONS
|
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear
|
||||||
@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
echo
|
echo
|
||||||
echo "TOS/MARK Status"
|
echo "TOS/MARK Status"
|
||||||
echo
|
echo
|
||||||
iptables -t mangle -L $IPT_OPTIONS
|
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
clear
|
clear
|
||||||
@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
get_config
|
get_config
|
||||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ $1 -lt 0 ]; then
|
if [ $1 -lt 0 ]; then
|
||||||
timeout=$((- $1))
|
timeout=$((- $1))
|
||||||
@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
show_reset
|
show_reset
|
||||||
|
|
||||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||||
|
|
||||||
if [ "$rejects" != "$oldrejects" ]; then
|
if [ "$rejects" != "$oldrejects" ]; then
|
||||||
oldrejects="$rejects"
|
oldrejects="$rejects"
|
||||||
@ -876,14 +889,14 @@ case "$1" in
|
|||||||
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
iptables -t nat -L $IPT_OPTIONS
|
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||||
;;
|
;;
|
||||||
tos|mangle)
|
tos|mangle)
|
||||||
[ $# -gt 2 ] && usage 1
|
[ $# -gt 2 ] && usage 1
|
||||||
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
iptables -t mangle -L $IPT_OPTIONS
|
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||||
;;
|
;;
|
||||||
log)
|
log)
|
||||||
[ $# -gt 2 ] && usage 1
|
[ $# -gt 2 ] && usage 1
|
||||||
@ -914,10 +927,10 @@ case "$1" in
|
|||||||
show_reset
|
show_reset
|
||||||
if [ $# -gt 0 ]; then
|
if [ $# -gt 0 ]; then
|
||||||
for chain in $*; do
|
for chain in $*; do
|
||||||
iptables -L $chain $IPT_OPTIONS
|
$IPTABLES -L $chain $IPT_OPTIONS
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
iptables -L $IPT_OPTIONS
|
$IPTABLES -L $IPT_OPTIONS
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -941,17 +954,17 @@ case "$1" in
|
|||||||
echo
|
echo
|
||||||
show_reset
|
show_reset
|
||||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||||
iptables -L $IPT_OPTIONS
|
$IPTABLES -L $IPT_OPTIONS
|
||||||
echo
|
echo
|
||||||
packet_log 20
|
packet_log 20
|
||||||
echo
|
echo
|
||||||
echo "NAT Table"
|
echo "NAT Table"
|
||||||
echo
|
echo
|
||||||
iptables -t nat -L $IPT_OPTIONS
|
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||||
echo
|
echo
|
||||||
echo "Mangle Table"
|
echo "Mangle Table"
|
||||||
echo
|
echo
|
||||||
iptables -t mangle -L $IPT_OPTIONS
|
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||||
echo
|
echo
|
||||||
cat /proc/net/ip_conntrack
|
cat /proc/net/ip_conntrack
|
||||||
echo
|
echo
|
||||||
@ -971,6 +984,7 @@ case "$1" in
|
|||||||
echo
|
echo
|
||||||
|
|
||||||
show_proc /proc/sys/net/ipv4/ip_forward
|
show_proc /proc/sys/net/ipv4/ip_forward
|
||||||
|
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||||
|
|
||||||
for directory in /proc/sys/net/ipv4/conf/*; do
|
for directory in /proc/sys/net/ipv4/conf/*; do
|
||||||
for file in proxy_arp arp_filter rp_filter log_martians; do
|
for file in proxy_arp arp_filter rp_filter log_martians; do
|
||||||
@ -1041,10 +1055,10 @@ case "$1" in
|
|||||||
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
||||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||||
if ! $0 $debugging -c $2 restart; then
|
if ! $0 $debugging -c $2 restart; then
|
||||||
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||||
$0 start
|
$0 start
|
||||||
fi
|
fi
|
||||||
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||||
$0 start
|
$0 start
|
||||||
elif [ $# -eq 3 ]; then
|
elif [ $# -eq 3 ]; then
|
||||||
sleep $3
|
sleep $3
|
||||||
@ -1067,9 +1081,9 @@ case "$1" in
|
|||||||
mutex_on
|
mutex_on
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
qt iptables -D dynamic -s $1 -j reject
|
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||||
qt iptables -D dynamic -s $1 -j DROP
|
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||||
iptables -A dynamic -s $1 -j DROP || break 1
|
$IPTABLES -A dynamic -s $1 -j DROP || break 1
|
||||||
echo "$1 Dropped"
|
echo "$1 Dropped"
|
||||||
done
|
done
|
||||||
mutex_off
|
mutex_off
|
||||||
@ -1080,9 +1094,9 @@ case "$1" in
|
|||||||
mutex_on
|
mutex_on
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
qt iptables -D dynamic -s $1 -j reject
|
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||||
qt iptables -D dynamic -s $1 -j DROP
|
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||||
iptables -A dynamic -s $1 -j reject || break 1
|
$IPTABLES -A dynamic -s $1 -j reject || break 1
|
||||||
echo "$1 Rejected"
|
echo "$1 Rejected"
|
||||||
done
|
done
|
||||||
mutex_off
|
mutex_off
|
||||||
@ -1093,7 +1107,7 @@ case "$1" in
|
|||||||
mutex_on
|
mutex_on
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
|
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
|
||||||
echo "$1 Allowed"
|
echo "$1 Allowed"
|
||||||
else
|
else
|
||||||
echo "$1 Not Dropped or Rejected"
|
echo "$1 Not Dropped or Rejected"
|
||||||
@ -1122,7 +1136,7 @@ case "$1" in
|
|||||||
|
|
||||||
mutex_on
|
mutex_on
|
||||||
|
|
||||||
if qt iptables -L shorewall -n; then
|
if qt $IPTABLES -L shorewall -n; then
|
||||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||||
|
|
||||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||||
@ -1133,7 +1147,7 @@ case "$1" in
|
|||||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||||
echo " Dynamic Rules Saved"
|
echo " Dynamic Rules Saved"
|
||||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||||
|
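Review bot: The IPTABLES check added to get_config (hunk @ -192) tests `[ ! -e "$IPTABLES" ]` but reports "does not exist or is not executable", so a non-executable file or a directory is accepted and every later `$IPTABLES -L ...` in this script then fails with a permission error; `if [ ! -x "$IPTABLES" ]; then` is the test that matches the message. The same validation is duplicated in the firewall script's do_initialize with a different error path; the two tests should stay identical so a shorewall.conf value that one script rejects is not silently accepted by the other. If any command arm reaches the rewritten `$IPTABLES` lines without calling get_config first (the try/drop/reject/allow/save arms start outside the shown hunks, so this cannot be confirmed here), the variable is empty and the command line degenerates to `-L shorewall`, which in the try arm is indistinguishable from "firewall not running"; worth confirming every arm initialises it.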
@ -252,6 +252,15 @@ LOG_MARTIANS=No
|
|||||||
################################################################################
|
################################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
################################################################################
|
################################################################################
|
||||||
|
#
|
||||||
|
# IPTABLES
|
||||||
|
#
|
||||||
|
# Full path to iptables executable Shorewall uses to build the firewall. If
|
||||||
|
# not specified or if specified with an empty value (e.g., IPTABLES="") then
|
||||||
|
# the iptables executable located via the PATH setting below is used.
|
||||||
|
#
|
||||||
|
IPTABLES=
|
||||||
|
|
||||||
#
|
#
|
||||||
# PATH - Change this if you want to change the order in which Shorewall
|
# PATH - Change this if you want to change the order in which Shorewall
|
||||||
# searches directories for executable files.
|
# searches directories for executable files.
|
||||||
|
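Review bot: The shipped default here is `IPTABLES=` (empty, resolved through PATH), but the release notes added in this same commit say the variable "is set to /sbin/iptables" and warn that adopting the new shorewall.conf may change behaviour; one of the two is wrong and the notes should describe what this file actually ships. Since the value is executed as root by both the firewall and shorewall scripts, the comment should also state the expected form, e.g. `# Must be the absolute path of the executable (e.g., /sbin/iptables).` — the scripts' existence test resolves a relative name against the current directory while execution resolves it via PATH, so a relative value can pass the check and run a different file. The reference to "the PATH setting below" is accurate given the ordering in this hunk.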