#
# Clear Proxy Arp
#
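delete_proxyarp() {
    #
    # Undo Proxy ARP. ${VARDIR}/proxyarp holds one entry per line:
    #   address interface external haveroute
    # For each entry the published ARP entry for $address on $external is
    # removed and, when both $haveroute and NOROUTES are empty, the host
    # route for $address via $interface is deleted (haveroute presumably
    # records that a route already existed before setup -- confirm against
    # the code that writes the file). proxy_arp is then switched off on
    # every interface under /proc/sys/net/ipv4/conf, not only the ones named
    # in the record file. The record file is removed in all cases.
    #
    # Globals:  VARDIR, NOROUTES (read)
    # Returns:  status of the final rm -f
    #
    if [ -f "${VARDIR}/proxyarp" ]; then
        # -r keeps backslashes literal; arp/ip output is discarded by qt.
        while read -r address interface external haveroute; do
            qt arp -i "$external" -d "$address" pub
            if [ -z "${haveroute}${NOROUTES}" ]; then
                qt ip route del "$address" dev "$interface"
            fi
        done < "${VARDIR}/proxyarp"

        for f in /proc/sys/net/ipv4/conf/*; do
            [ -f "$f/proxy_arp" ] && echo 0 > "$f/proxy_arp"
        done
    fi

    rm -f "${VARDIR}/proxyarp"
}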
#
# Stop/restore the firewall after an error or because of a "stop" or "clear" command
#
stop_firewall() {
    #
    # Put the firewall into its "stopped" state, or -- when called because
    # some other command failed part way through -- clear it or run the
    # saved restore script instead.
    #
    # Globals read:    COMMAND, RESTOREFILE, VARDIR, IPTABLES, PRODUCT,
    #                  MANGLE_ENABLED, RAW_TABLE, NAT_ENABLED, CLEAR_TC,
    #                  DISABLE_IPV6, CRITICALHOSTS, ADMINISABSENTMINDED,
    #                  DHCP_INTERFACES, IP_FORWARDING
    # Globals written: COMMAND (set to clear on the error path), STOPPING,
    #                  TERMINATOR, RESTOREPATH, PRODUCT (defaulted), and the
    #                  loop variables chain/host/interface/networks/table
    # Exits:           the error path ends the script with kill $$ / exit 2
    #
    # The helpers below are defined inside this function but POSIX sh has no
    # function-local functions, so they become global once stop_firewall
    # has run.
    #
    # deletechain: flush and delete chain $1, but only if it exists; all
    # iptables output is discarded by qt.
    #
    deletechain() {
        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
    }

    #
    # Flush every chain in the filter table and delete all user-defined
    # chains there. Unlike deletechain, errors are not suppressed.
    #
    deleteallchains() {
        $IPTABLES -F
        $IPTABLES -X
    }

    #
    # Append a rule to chain $1 accepting packets of established or
    # related connections.
    #
    setcontinue() {
        $IPTABLES -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    }

    #
    # Flush the nat table and remove the addresses recorded in
    # ${VARDIR}/nat ("external interface" per line) via del_ip_addr.
    # The record file is deleted afterwards.
    #
    delete_nat() {
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X

        if [ -f ${VARDIR}/nat ]; then
            while read external interface; do
                del_ip_addr $external $interface
            done < ${VARDIR}/nat

            rm -f ${VARDIR}/nat
        fi
    }

    #
    # A plain stop/clear falls straight through to the stop sequence.
    # Anything else means a start/restart/restore failed, so log that and
    # either clear the firewall (RESTOREFILE=NONE) or run the saved restore
    # script if there is an executable one; both of those end the script.
    # If no executable restore script exists, execution continues with the
    # normal stop sequence below.
    #
    case $COMMAND in
        stop|clear)
            ;;
        *)
            # Turn off xtrace if it was on.
            set +x

            case $COMMAND in
                start)
                    logger -p kern.err "ERROR:$PRODUCT start failed"
                    ;;
                restart)
                    logger -p kern.err "ERROR:$PRODUCT restart failed"
                    ;;
                restore)
                    logger -p kern.err "ERROR:$PRODUCT restore failed"
                    ;;
            esac

            if [ "$RESTOREFILE" = NONE ]; then
                #
                # COMMAND is changed first so that clear_firewall's own call
                # to stop_firewall takes the stop|clear arm above instead of
                # re-entering this branch. A cleared firewall accepts all
                # traffic (see clear_firewall).
                #
                COMMAND=clear
                clear_firewall
                echo "$PRODUCT Cleared"

                # $$ is the main shell's PID, so this ends the script even
                # when running inside a subshell; exit 2 covers the rest.
                kill $$
                exit 2
            else
                # NOTE(review): RESTOREFILE is used as a path component with
                # no validation here -- confirm the caller restricts it to a
                # plain file name.
                RESTOREPATH=${VARDIR}/$RESTOREFILE

                if [ -x $RESTOREPATH ]; then

                    if [ -x ${RESTOREPATH}-ipsets ]; then
                        progress_message2 Restoring Ipsets...
                        #
                        # We must purge iptables to be sure that there are no
                        # references to ipsets
                        #
                        # Only mangle, nat and filter are purged here; the raw
                        # table is not.
                        #
                        for table in mangle nat filter; do
                            $IPTABLES -t $table -F
                            $IPTABLES -t $table -X
                        done

                        ${RESTOREPATH}-ipsets
                    fi

                    # ${PRODUCT:=Shorewall} also assigns PRODUCT when it is
                    # unset or empty.
                    echo Restoring ${PRODUCT:=Shorewall}...

                    # The restore script is executed as root from VARDIR;
                    # presumably it is the one written by the save command.
                    if $RESTOREPATH restore; then
                        echo "$PRODUCT restored from $RESTOREPATH"
                        set_state "Started"
                    else
                        set_state "Unknown"
                    fi

                    kill $$
                    exit 2
                fi
            fi
            ;;
    esac

    set_state "Stopping"

    # STOPPING is presumably checked by callees (run_iptables calls
    # stop_firewall again on failure) -- confirm it guards re-entry.
    STOPPING="Yes"

    # NOTE(review): TERMINATOR's consumer is not visible in this file.
    TERMINATOR=

    deletechain shorewall

    # MANGLE_ENABLED, RAW_TABLE and NAT_ENABLED are presumably set here --
    # confirm against determine_capabilities.
    determine_capabilities

    # Presumably runs the user's "stop" extension script.
    run_stop_exit

    #
    # Flush the mangle, raw and nat tables and reset their built-in chains to
    # ACCEPT. The -P calls go through qt so a missing chain does not abort
    # the stop. Note that mangle's OUTPUT chain is not reset here.
    #
    if [ -n "$MANGLE_ENABLED" ]; then
        run_iptables -t mangle -F
        run_iptables -t mangle -X
        for chain in PREROUTING INPUT FORWARD POSTROUTING; do
            qt $IPTABLES -t mangle -P $chain ACCEPT
        done
    fi

    if [ -n "$RAW_TABLE" ]; then
        run_iptables -t raw -F
        run_iptables -t raw -X
        for chain in PREROUTING OUTPUT; do
            qt $IPTABLES -t raw -P $chain ACCEPT
        done
    fi

    if [ -n "$NAT_ENABLED" ]; then
        delete_nat
        for chain in PREROUTING POSTROUTING OUTPUT; do
            qt $IPTABLES -t nat -P $chain ACCEPT
        done
    fi

    delete_proxyarp

    [ -n "$CLEAR_TC" ] && delete_tc1

    [ -n "$DISABLE_IPV6" ] && disable_ipv6

    undo_routing

    restore_default_route

    #
    # Install the "stopped" filter rule set. Four variants, chosen by
    # whether CRITICALHOSTS is set (hosts that must stay reachable) and
    # whether ADMINISABSENTMINDED is set (keep OUTPUT open and let
    # established connections continue).
    #
    if [ -n "$CRITICALHOSTS" ]; then
        if [ -z "$ADMINISABSENTMINDED" ]; then
            #
            # INPUT/OUTPUT are opened while the chains are rebuilt so the
            # critical hosts are not cut off, then closed again below. This
            # is a short fail-open window between the ACCEPT policy and the
            # final DROP.
            #
            for chain in INPUT OUTPUT; do
                setpolicy $chain ACCEPT
            done

            setpolicy FORWARD DROP

            deleteallchains

            # Each entry is interface:networks. The command substitutions are
            # left unquoted so the match options they presumably produce
            # become separate words.
            for host in $CRITICALHOSTS; do
                interface=${host%:*}
                networks=${host#*:}
                $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
                $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
            done

            for chain in INPUT OUTPUT; do
                setpolicy $chain DROP
            done
        else
            #
            # Same rebuild as above, but OUTPUT is left at ACCEPT and
            # established/related traffic is allowed on INPUT and FORWARD.
            #
            for chain in INPUT OUTPUT; do
                setpolicy $chain ACCEPT
            done

            setpolicy FORWARD DROP

            deleteallchains

            for host in $CRITICALHOSTS; do
                interface=${host%:*}
                networks=${host#*:}
                $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
                $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
            done

            setpolicy INPUT DROP

            for chain in INPUT FORWARD; do
                setcontinue $chain
            done
        fi
    elif [ -z "$ADMINISABSENTMINDED" ]; then
        # No critical hosts, strict: drop everything.
        for chain in INPUT OUTPUT FORWARD; do
            setpolicy $chain DROP
        done

        deleteallchains
    else
        # No critical hosts, lenient: drop new inbound/forwarded traffic but
        # keep outbound and established connections working.
        for chain in INPUT FORWARD; do
            setpolicy $chain DROP
        done

        setpolicy OUTPUT ACCEPT

        deleteallchains

        for chain in INPUT FORWARD; do
            setcontinue $chain
        done
    fi

    # Loopback is always accepted inbound; outbound only in the strict
    # variants (the lenient ones already have OUTPUT at ACCEPT).
    $IPTABLES -A INPUT -i lo -j ACCEPT

    [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Keep DHCP (udp ports 67-68) working on the configured interfaces.
    for interface in $DHCP_INTERFACES; do
        $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
        [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
        #
        # This might be a bridge
        #
        $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
    done

    # Any value other than on/off leaves ip_forward untouched.
    case "$IP_FORWARDING" in
        On|on|ON)
            echo 1 > /proc/sys/net/ipv4/ip_forward
            progress_message2 IP Forwarding Enabled
            ;;
        Off|off|OFF)
            echo 0 > /proc/sys/net/ipv4/ip_forward
            progress_message2 IP Forwarding Disabled!
            ;;
    esac

    # Presumably runs the user's "stopped" extension script.
    run_stopped_exit

    set_state "Stopped"

    logger -p kern.info "$PRODUCT Stopped"

    # Reached for a failed command only when no executable restore script
    # was found above.
    case $COMMAND in
        stop|clear)
            ;;
        *)
            #
            # The firewall is being stopped when we were trying to do something
            # else. Remove the lock file and Kill the shell in case we're in a
            # subshell
            #
            # NOTE(review): nothing here removes a lock file; presumably an
            # exit trap does -- confirm.
            #
            kill $$
            ;;
    esac
}
#
# Set policy of chain $1 to $2
#
setpolicy() {
    # $1 = built-in chain name, $2 = policy target (e.g. ACCEPT, DROP).
    # Runs iptables directly, so a failure is neither hidden nor fatal here.
    local chain policy

    chain=$1
    policy=$2

    $IPTABLES -P $chain $policy
}
#
# Remove all Shorewall-added rules
#
clear_firewall() {
    #
    # Stop the firewall, then open it completely: all three filter
    # policies become ACCEPT, the filter table is flushed and IPv4
    # forwarding is switched on. After this the host performs no packet
    # filtering at all. When DISABLE_IPV6 is set and ip6tables can be
    # found, its policies are opened too (errors silently ignored).
    #
    # Globals:  DISABLE_IPV6, PRODUCT (read)
    # Outputs:  a kern.info syslog line via logger
    #
    stop_firewall

    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT

    run_iptables -F

    echo 1 > /proc/sys/net/ipv4/ip_forward

    # mywhich presumably locates the binary; qt hides its output.
    if [ -n "$DISABLE_IPV6" ] && qt mywhich ip6tables; then
        ip6tables -P INPUT ACCEPT 2> /dev/null
        ip6tables -P OUTPUT ACCEPT 2> /dev/null
        ip6tables -P FORWARD ACCEPT 2> /dev/null
    fi

    # Presumably runs the user's "clear" extension script.
    run_clear_exit

    set_state "Cleared"
    logger -p kern.info "$PRODUCT Cleared"
}
#
# Issue a message and stop/restore the firewall
#
fatal_error() {
    # $* = error message. Printed to stderr, then the firewall is stopped
    # (or restored, depending on COMMAND -- see stop_firewall) and the
    # script exits with status 2. Never returns.
    echo " ERROR: $*" >&2

    stop_firewall
    exit 2
}
#
# Issue a message and stop
#
startup_error() { # $* = Error Message
    #
    # Report an error that happened before any rules were touched: print the
    # message to stderr, log a kern.err line for the commands that can fail
    # this way, and end the script without touching the firewall.
    #
    # Globals: COMMAND, PRODUCT (read)
    # Exits:   always (kill $$ then exit 2); never returns
    #
    echo " ERROR: $*" >&2

    case $COMMAND in
        start|restart|restore)
            logger -p kern.err "ERROR:$PRODUCT $COMMAND failed"
            ;;
    esac

    # $$ is the main shell's PID, so this ends the script even from a
    # subshell; exit 2 covers the case where the signal is not delivered.
    kill $$
    exit 2
}
#
# Run iptables and if an error occurs, stop/restore the firewall
#
run_iptables() {
    #
    # Run $IPTABLES with the given arguments. When COMMENT is non-empty a
    # "-m comment --comment" match is appended so the rule carries it. On
    # failure the error is reported, stop_firewall is run and the script
    # exits with status 2, so this only returns on success (status 0).
    #
    # Note: the arguments are expanded unquoted ($@), so callers that pass a
    # single pre-built string rely on word splitting; COMMENT itself is
    # passed as one word.
    #
    # Globals: IPTABLES, COMMENT (read)
    #
    if [ -z "$COMMENT" ]; then
        $IPTABLES $@ && return 0
    else
        $IPTABLES $@ -m comment --comment "$COMMENT" && return 0
    fi

    error_message "ERROR: Command \"$IPTABLES $@\" Failed"
    stop_firewall
    exit 2
}
#
# Run ip and if an error occurs, stop/restore the firewall
#
run_ip() {
    #
    # Run ip(8) with the given arguments (expanded unquoted). On failure
    # report the command, run stop_firewall and exit 2; returns 0 otherwise.
    #
    ip $@ && return 0

    error_message "ERROR: Command \"ip $@\" Failed"
    stop_firewall
    exit 2
}
#
# Run tc and if an error occurs, stop/restore the firewall
#
run_tc() {
    #
    # Run tc(8) with the given arguments (expanded unquoted). On failure
    # report the command, run stop_firewall and exit 2; returns 0 otherwise.
    #
    tc $@ && return 0

    error_message "ERROR: Command \"tc $@\" Failed"
    stop_firewall
    exit 2
}
#
# Functions to appease unconverted extension scripts
#
save_command() {
    # Compatibility stub: nothing is saved any more. Always succeeds.
    :
}
run_and_save_command() {
    #
    # Compatibility wrapper: evaluate the arguments as a shell command and
    # return its status. Nothing is saved.
    #
    # eval runs whatever it is given as shell code, so extension scripts
    # must only pass command text they assembled themselves; anything
    # derived from untrusted data would be executed verbatim.
    #
    eval $@
    return $?
}
ensure_and_save_command() {
    #
    # Compatibility wrapper: evaluate the arguments as a shell command; on
    # failure fatal_error stops the firewall and exits. Returns 0 otherwise.
    #
    # As with run_and_save_command, eval executes its arguments as shell
    # code, so the command text must come from the extension script itself.
    #
    if eval $@; then
        return 0
    fi

    fatal_error "Command \"$@\" failed"
}
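restore_dynamic_rules() {
    #
    # Re-add the dynamic blacklist rules recorded in ${VARDIR}/save, one
    # per line. The fields read are "target prot opt source destination
    # [extra]", which looks like iptables -L -n output of the dynamic chain
    # (presumably written by the save command -- confirm). Only lines whose
    # target is DROP, reject, logdrop or logreject are restored:
    #   - a trailing "source IP range A-B" becomes an iprange match;
    #   - no trailing text becomes a plain -s <source> match;
    #   - anything else is reported with a WARNING and skipped.
    #
    # Globals: VARDIR (read); rangematch (written)
    # Returns: 0, or whatever run_iptables does on failure (it exits)
    #
    if [ -f "${VARDIR}/save" ]; then
        progress_message2 "Setting up dynamic rules..."

        rangematch='source IP range'

        # -r keeps any backslash in the saved line literal.
        while read -r target ignore1 ignore2 address ignore3 rest; do
            case $target in
                DROP|reject|logdrop|logreject)
                    case $rest in
                        $rangematch*)
                            # The substitution leaves a leading space in
                            # front of the range, so it stays unquoted.
                            run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
                            ;;
                        *)
                            if [ -z "$rest" ]; then
                                run_iptables -A dynamic -s $address -j $target
                            else
                                error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
                            fi
                            ;;
                    esac
                    ;;
            esac
        done < "${VARDIR}/save"
    fi
}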