holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Apply and fix Tuomas Jormola's IPTABLES patch

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1766 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-11-26 18:44:42 +00:00
parent 0c3bf6f598
commit fa89a86f71
5 changed files with 130 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall2/changelog.txt
View File

@ -144,3 +144,7 @@ Changes since 2.0.3
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
70) Correct typo in shorewall.conf.
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
72) Apply Tuomas Jormola's IPTABLES patch.

113
Shorewall2/firewall
View File

@ -156,9 +156,9 @@ run_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! iptables $@ ; then
if ! $IPTABLES $@ ; then
if [ -z "$stopping" ]; then
error_message "ERROR: Command \"iptables $@\" Failed"
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
fi
@ -234,7 +234,7 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
local c=$(chain_base $1)
if iptables -N $1; then
if $IPTABLES -N $1; then
if [ $2 = yes ]; then
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
@ -265,7 +265,7 @@ havechain() # $1 = name of chain
#
chain_exists() # $1 = chain name
{
qt iptables -L $1 -n
qt $IPTABLES -L $1 -n
}
#
@ -273,7 +273,7 @@ chain_exists() # $1 = chain name
#
mangle_chain_exists() # $1 = chain name
{
qt iptables -t mangle -L $1 -n
qt $IPTABLES -t mangle -L $1 -n
}
#
@ -351,7 +351,7 @@ addnatrule() # $1 = chain name, remainder of arguments specify the rule
#
deletechain() # $1 = name of chain
{
qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1
qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
}
#
@ -1292,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi
case $level in
ULOG)
iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
$IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
;;
*)
iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
$IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
;;
esac
@ -1462,7 +1462,7 @@ stop_firewall() {
else
routeback=Yes
for h in $(separate_list $host); do
iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
done
fi
;;
@ -1478,27 +1478,27 @@ stop_firewall() {
for host in $hosts; do
interface=${host%:*}
networks=${host#*:}
iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
$IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
$IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
for host1 in $hosts; do
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
[ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done
done
iptables -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
for interface in $(find_interfaces_by_option dhcp); do
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
case "$IP_FORWARDING" in
@ -2700,7 +2700,7 @@ process_accounting_rule() {
ensurechain1 $chain
if iptables -A $chain $(fix_bang $rule) ; then
if $IPTABLES -A $chain $(fix_bang $rule) ; then
[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
progress_message " Accounting rule" $action $chain $source $dest $proto $port $sport $user Added
else
@ -5303,7 +5303,7 @@ refresh_blacklist() {
local f=$(find_file blacklist)
local disposition=$BLACKLIST_DISPOSITION
if qt iptables -L blacklst -n ; then
if qt $IPTABLES -L blacklst -n ; then
echo "Loading Black List..."
strip_file blacklist $f
@ -5456,8 +5456,8 @@ verify_ip() {
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
@ -5465,20 +5465,20 @@ determine_capabilities() {
PHYSDEV_MATCH=
IPRANGE_MATCH=
if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
if qt $IPTABLES -N fooX1234 ; then
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
if [ -n "$PKTTYPE" ]; then
qt iptables -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
fi
qt iptables -F fooX1234
qt iptables -X fooX1234
qt $IPTABLES -F fooX1234
qt $IPTABLES -X fooX1234
fi
}
@ -5706,8 +5706,8 @@ add_common_rules() {
# Reject Rules -- Don't respond to broadcasts with an ICMP
#
if [ -n "$PKTTYPE" ]; then
qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
qt $IPTABLES -A reject -m pkttype --pkt-type broadcast -j DROP
if ! qt $IPTABLES -A reject -m pkttype --pkt-type multicast -j DROP; then
#
# No pkttype support -- do it the hard way
#
@ -5728,8 +5728,8 @@ add_common_rules() {
#
# Not all versions of iptables support these so don't complain if they don't work
#
qt iptables -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
if ! qt iptables -A reject -j REJECT --reject-with icmp-host-prohibited; then
qt $IPTABLES -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
if ! qt $IPTABLES -A reject -j REJECT --reject-with icmp-host-prohibited; then
#
# In case the above doesn't work
#
@ -5792,7 +5792,7 @@ add_common_rules() {
if [ -n "$BRIDGING" ]; then
eval is_bridge=\$$(chain_base $interface)_ports
[ -n "$is_bridge" ] && \
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
$IPTABLES -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 $policyin -j ACCEPT
fi
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 $policyin -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 $policyout -j ACCEPT
@ -6617,12 +6617,12 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
nat_chain_exists() # $1 = chain name
{
qt iptables -t nat -L $1 -n
qt $IPTABLES -t nat -L $1 -n
}
do_iptables() # $@ = command
{
if ! iptables $@ ; then
if ! $IPTABLES $@ ; then
startup_error "Can't add $1 to zone $2"
fi
}
@ -6878,14 +6878,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
#
# Delete any nat table entries for the host(s)
#
qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
else
source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\"
@ -6895,13 +6895,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi
done
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
@ -6910,7 +6910,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
fi
done
fi
@ -6988,6 +6988,7 @@ do_initialize() {
# Clear all configuration variables
#
version=
IPTABLES=
FW=
SUBSYSLOCK=
STATEDIR=
@ -7102,6 +7103,14 @@ do_initialize() {
[ -d $STATEDIR ] || mkdir -p $STATEDIR
if [ -z "$IPTABLES" ]; then
IPTABLES=$(which iptables 2> /dev/null)
[ -z "$IPTABLES" ] && startup_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
[ -z "$FW" ] && FW=fw
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
@ -7283,7 +7292,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if qt iptables -L shorewall -n ; then
if qt $IPTABLES -L shorewall -n ; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
echo "Shorewall Already Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
@ -7298,7 +7307,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if qt iptables -L shorewall -n ; then
if qt $IPTABLES -L shorewall -n ; then
define_firewall "Restart"
else
echo "Shorewall Not Currently Running"
@ -7313,22 +7322,22 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo
iptables -L -n -v
$IPTABLES -L -n -v
;;
reset)
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
iptables -Z
iptables -t nat -Z
iptables -t mangle -Z
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
report "Shorewall Counters Reset"
date > $STATEDIR/restarted
my_mutex_off
@ -7338,7 +7347,7 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
@ -7369,7 +7378,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
@ -7383,7 +7392,7 @@ case "$COMMAND" in
[ $# -ne 3 ] && usage
do_initialize
my_mutex_on
if ! qt iptables -L shorewall -n ; then
if ! qt $IPTABLES -L shorewall -n ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off

16
Shorewall2/releasenotes.txt
View File

@ -202,6 +202,14 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
6) The 'logunclean' and 'dropunclean' options that were deprecated in
Shorewall 2.0 have now been removed completely.
7) A new IPTABLES variable has been added to shorewall.conf. This
variable names the iptables executable that Shorewall will use. The
variable is set to "/sbin/iptables". If you use the new
shorewall.conf, you may need to change this setting to maintain
compabibility with your current setup (if you use your existing
shorewall.conf that does not set IPTABLES then you should
experience no change in behavior).
-----------------------------------------------------------------------
New Features:
@ -674,3 +682,11 @@ New Features:
28) For consistency, the CLIENT PORT(S) column in the tcrules file has
been renamed SOURCE PORT(S).
29) The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now shown
in the output of "shorewall status".
30) A new IPTABLES option has been added to shorewall.conf. IPTABLES
can be used to designate the iptables executable to be used by
Shorewall. If not specified, the iptables executable determined by
the PATH setting is used.

66
Shorewall2/shorewall
View File

@ -192,6 +192,19 @@ get_config() {
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
if [ -n "$IPTABLES" ]; then
if [ ! -e "$IPTABLES" ]; then
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
exit 2
fi
else
IPTABLES=$(which iptables 2> /dev/null)
if [ -z "$IPTABLES" ] ; then
echo " ERROR: Can't find iptables executable" >&2
exit 2
fi
fi
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
@ -223,7 +236,7 @@ display_chains()
TMPFILE=$(mktempfile)
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
iptables -L $IPT_OPTIONS >> $TMPFILE
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
clear
echo "$banner $(date)"
@ -306,7 +319,7 @@ display_chains()
qt rm -f $TMPFILE
else
iptables -L -n -v
$IPTABLES -L -n -v
timed_read
fi
trap - 1 2 3 4 5 6 9
@ -407,7 +420,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
let "timeout=- $1"
@ -440,7 +453,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=$(iptables -L -v -n | grep 'LOG')
rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -467,7 +480,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo
echo "NAT Status"
echo
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
timed_read
clear
@ -476,7 +489,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
timed_read
clear
@ -517,7 +530,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
get_config
host=$(echo $HOSTNAME | sed 's/\..*$//')
oldrejects=$(iptables -L -v -n | grep 'LOG')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ $1 -lt 0 ]; then
timeout=$((- $1))
@ -539,7 +552,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
show_reset
rejects=$(iptables -L -v -n | grep 'LOG')
rejects=$($IPTABLES -L -v -n | grep 'LOG')
if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects"
@ -876,14 +889,14 @@ case "$1" in
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
echo
show_reset
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
;;
tos|mangle)
[ $# -gt 2 ] && usage 1
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
echo
show_reset
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
;;
log)
[ $# -gt 2 ] && usage 1
@ -914,10 +927,10 @@ case "$1" in
show_reset
if [ $# -gt 0 ]; then
for chain in $*; do
iptables -L $chain $IPT_OPTIONS
$IPTABLES -L $chain $IPT_OPTIONS
done
else
iptables -L $IPT_OPTIONS
$IPTABLES -L $IPT_OPTIONS
fi
;;
esac
@ -941,17 +954,17 @@ case "$1" in
echo
show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//')
iptables -L $IPT_OPTIONS
$IPTABLES -L $IPT_OPTIONS
echo
packet_log 20
echo
echo "NAT Table"
echo
iptables -t nat -L $IPT_OPTIONS
$IPTABLES -t nat -L $IPT_OPTIONS
echo
echo "Mangle Table"
echo
iptables -t mangle -L $IPT_OPTIONS
$IPTABLES -t mangle -L $IPT_OPTIONS
echo
cat /proc/net/ip_conntrack
echo
@ -971,6 +984,7 @@ case "$1" in
echo
show_proc /proc/sys/net/ipv4/ip_forward
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
for directory in /proc/sys/net/ipv4/conf/*; do
for file in proxy_arp arp_filter rp_filter log_martians; do
@ -1041,10 +1055,10 @@ case "$1" in
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 $debugging -c $2 restart; then
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
fi
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
$0 start
elif [ $# -eq 3 ]; then
sleep $3
@ -1067,9 +1081,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j DROP || break 1
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
mutex_off
@ -1080,9 +1094,9 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
qt iptables -D dynamic -s $1 -j reject
qt iptables -D dynamic -s $1 -j DROP
iptables -A dynamic -s $1 -j reject || break 1
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
done
mutex_off
@ -1093,7 +1107,7 @@ case "$1" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
@ -1122,7 +1136,7 @@ case "$1" in
mutex_on
if qt iptables -L shorewall -n; then
if qt $IPTABLES -L shorewall -n; then
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
@ -1133,7 +1147,7 @@ case "$1" in
echo " ERROR: Reserved file name: $RESTOREFILE"
;;
*)
if iptables -L dynamic -n > /var/lib/shorewall/save; then
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
echo " Dynamic Rules Saved"
if [ -f /var/lib/shorewall/restore-base ]; then
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$

9
Shorewall2/shorewall.conf
View File

@ -252,6 +252,15 @@ LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.