2010-09-16 17:41:50 -06:00
|
|
|
#/bin/bash
|
|
|
|
# By Brielle Bruns <bruns@2mbit.com>
|
|
|
|
# URL: http://www.sosdg.org/freestuff/firewall
|
|
|
|
# License: GPLv3
|
|
|
|
#
|
2011-02-18 13:09:54 -07:00
|
|
|
# Copyright (C) 2009 - 2011 Brielle Bruns
|
|
|
|
# Copyright (C) 2009 - 2011 The Summit Open Source Development Group
|
2010-09-16 17:41:50 -06:00
|
|
|
#
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
2013-10-16 00:25:01 -06:00
|
|
|
FW_VERSION="1.1"
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
|
|
|
|
# that would otherwise require remaking their options file. I leave this on by default,
|
|
|
|
# but if you want to make sure you have a current options file, define this to 0.
|
|
|
|
COMPAT_CONFIG=1
|
|
|
|
|
|
|
|
BASEDIR=/etc/firewall-sosdg
|
|
|
|
PATH=/usr/sbin:/usr/bin:/sbin:/bin
|
|
|
|
#BASEDIR=`pwd`
|
|
|
|
|
2011-02-18 10:53:36 -07:00
|
|
|
# We require at least bash v3 or later at this point given some of the more complex
|
|
|
|
# operations we do to make the firewall script work.
|
|
|
|
if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
|
|
|
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
|
|
|
|
echo "of bash to something more recent, preferably the latest which is, as of this"
|
|
|
|
echo "writing, 4.x"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
TWEAKS=$BASEDIR/tweaks
|
|
|
|
|
|
|
|
if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then
|
|
|
|
echo "Error: Missing either include/static or include/functions. These are critical to operation"
|
|
|
|
echo "of this script. Please make sure they are readable and exist!"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2011-10-28 15:41:09 -06:00
|
|
|
if [ -r $BASEDIR/include/static ]; then
|
|
|
|
. $BASEDIR/include/static
|
|
|
|
else
|
|
|
|
echo -e "${RED}Error: Can not load static variables file. There is no way to make this tool work without it."
|
|
|
|
exit 1
|
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
if [ -r $BASEDIR/options ]; then
|
|
|
|
. $BASEDIR/options
|
|
|
|
else
|
|
|
|
echo -e "${RED}Error: Can not load options file. Did you forget to rename options.default?"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2011-10-28 15:36:20 -06:00
|
|
|
if [ -r $BASEDIR/include/functions ]; then
|
|
|
|
. $BASEDIR/include/functions
|
|
|
|
else
|
|
|
|
echo -e "${RED}Error: Can not load functions library file. There is no way to make this tool work without it."
|
|
|
|
exit 1
|
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
while [ $# -gt 0 ]; do
|
|
|
|
case "$1" in
|
|
|
|
-f|--flush)
|
|
|
|
iptables_policy_reset ipv4 ACCEPT
|
|
|
|
iptables_policy_reset ipv6 ACCEPT
|
|
|
|
iptables_rules_flush ipv4
|
|
|
|
iptables_rules_flush ipv6
|
|
|
|
exit 0
|
|
|
|
;;
|
|
|
|
-h|--help)
|
|
|
|
show_help
|
|
|
|
exit 0
|
|
|
|
;;
|
2010-11-25 11:50:55 -07:00
|
|
|
--generate-cache)
|
|
|
|
GEN_CACHE="force"
|
|
|
|
;;
|
2010-09-16 17:41:50 -06:00
|
|
|
esac
|
|
|
|
shift
|
|
|
|
done
|
|
|
|
|
|
|
|
if [ ${PORTFW} ] && [ ! -r "${PORTFW}" ]; then
|
|
|
|
display_c RED "Error: Missing ${PORTFW} as defined in the PORTFW option. Please make sure"
|
|
|
|
display_c RED "it exists, or comment out the PORTFW line in options."
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
|
|
Firewall/SOSDG ${FW_VERSION}
|
|
|
|
Brielle Bruns <bruns@2mbit.com>
|
|
|
|
http://www.sosdg.org/freestuff/firewall
|
|
|
|
This program comes with ABSOLUTELY NO WARRANTY.
|
|
|
|
This is free software, and you are welcome to
|
|
|
|
redistribute it under certain conditions.
|
|
|
|
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
|
|
|
|
|
2010-11-11 17:52:23 -07:00
|
|
|
if [ "$UID" != "0" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c RED "You must be root to run this script."
|
|
|
|
exit 2
|
|
|
|
fi
|
|
|
|
|
2011-10-28 15:36:20 -06:00
|
|
|
if [ ! -x "${IPTABLES}" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c RED "iptables command not found. Please make sure you have the iptables"
|
|
|
|
display_c RED "installed (package or source) and you have the IPTABLES option properly"
|
|
|
|
display_c RED "defined in the 'options' file."
|
|
|
|
exit 3
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
2011-10-28 15:36:20 -06:00
|
|
|
if [ ! -x "${IP6TABLES}" ] && [ $IPV6 == "1" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c RED "ip6tables command not found. Please make sure you have the iptables"
|
|
|
|
display_c RED "installed (package or source) and you have the IP6TABLES option properly"
|
|
|
|
display_c RED "defined in the 'options' file."
|
|
|
|
exit 3
|
|
|
|
fi
|
|
|
|
|
2010-12-18 14:15:57 -07:00
|
|
|
|
2011-10-28 15:36:20 -06:00
|
|
|
if [[ "${EXTIF}" == "auto" ]]; then
|
2010-12-18 14:54:51 -07:00
|
|
|
EXTIF=`$EXTIF_FIND`
|
2010-12-18 14:20:18 -07:00
|
|
|
display_c YELLOW "Found default interface at: ${BLUE}${EXTIF}${DEFAULT_COLOR}"
|
2010-12-18 14:17:25 -07:00
|
|
|
fi
|
2010-12-18 14:15:57 -07:00
|
|
|
|
2011-10-28 15:36:20 -06:00
|
|
|
if [[ "${EXTIP}" == "auto" ]]; then
|
2010-12-18 14:55:32 -07:00
|
|
|
EXTIP=`$EXTIP_FIND ${EXTIF}`
|
2010-12-18 14:34:36 -07:00
|
|
|
display_c YELLOW "Found default interface IP at: ${BLUE}${EXTIP}${DEFAULT_COLOR}"
|
|
|
|
fi
|
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
iptables_rules_flush ipv4
|
|
|
|
|
2011-10-28 15:41:09 -06:00
|
|
|
if [ -s "${BASEDIR}/include/ipv4_custom_flush" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c YELLOW "Loading custom flush rules..."
|
2011-10-28 15:41:09 -06:00
|
|
|
. "${BASEDIR}/include/ipv4_custom_flush"
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
|
2011-10-28 15:41:09 -06:00
|
|
|
if [ -x "${PRERUN}" ]; then
|
|
|
|
${PRERUN}
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
|
2010-10-10 21:01:20 -06:00
|
|
|
if [ "$MODULES_LOAD" ]; then
|
|
|
|
display_c YELLOW "Loading modules: " N
|
|
|
|
for i in $MODULES_LOAD; do
|
|
|
|
display_c BLUE "$i " N
|
|
|
|
${MODPROBE} $i
|
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
fi
|
|
|
|
|
2010-11-25 11:11:12 -07:00
|
|
|
if [ "$STATE_TYPE" ]; then
|
|
|
|
case $STATE_TYPE in
|
|
|
|
conntrack|CONNTRACK|*)
|
|
|
|
M_STATE="-m conntrack"
|
|
|
|
C_STATE="--ctstate"
|
|
|
|
;;
|
|
|
|
state|STATE)
|
|
|
|
M_STATE="-m state"
|
|
|
|
C_STATE="--state"
|
|
|
|
esac
|
|
|
|
else
|
|
|
|
M_STATE="-m conntrack"
|
|
|
|
C_STATE="--ctstate"
|
|
|
|
fi
|
|
|
|
|
2011-10-28 15:41:09 -06:00
|
|
|
# This function currently isn't implemented entirely or properly. It's mostly
|
|
|
|
# used for debugging purposes, and to see what iptables rules will be generated
|
|
|
|
# before running.
|
2010-11-25 11:50:55 -07:00
|
|
|
if [ "$GEN_CACHE" ]; then
|
|
|
|
case $GEN_CACHE in
|
|
|
|
force)
|
|
|
|
IPTABLES="write_out_rules"
|
|
|
|
if [ "$IPV6" ]; then
|
2010-11-25 11:58:30 -07:00
|
|
|
IP6TABLES="write_out_rules_v6"
|
|
|
|
rm -f "${RULE_CACHE_V6}" &>/dev/null
|
2010-11-25 11:50:55 -07:00
|
|
|
fi
|
|
|
|
rm -f "${RULE_CACHE}" &>/dev/null
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
2013-10-16 00:25:01 -06:00
|
|
|
if [ "$IPTABLES_MULTIPORT" ]; then
|
|
|
|
case $IPTABLES_MULTIPORT in
|
|
|
|
auto|AUTO|Auto)
|
|
|
|
if `${MODPROBE} ${NF_MULTIPORT} &>/dev/null`; then
|
|
|
|
display_c YELLOW "Multiport successfully loaded."
|
|
|
|
IPTABLES_MULTIPORT="yes"
|
|
|
|
else
|
|
|
|
display_c RED "Multiport was not loaded successfully. Disabling."
|
|
|
|
IPTABLES_MULTIPORT="no"
|
|
|
|
fi ;;
|
|
|
|
yes|YES|Yes)
|
|
|
|
${MODPROBE} ${NF_MULTIPORT}
|
|
|
|
display_c PURPLE "Multiport loading forced, not error checking."
|
|
|
|
IPTABLES_MULTIPORT="yes" ;;
|
|
|
|
*) IPTABLES_MULTIPORT="no"
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
2014-02-16 13:53:55 -07:00
|
|
|
$IPTABLES -A INPUT -i lo -j ACCEPT
|
|
|
|
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_trust" ]; then
|
|
|
|
display_c YELLOW "Loading custom trust rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_trust"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$TRUSTEDIP" ]; then
|
|
|
|
display_c YELLOW "Adding trusted IP: " N
|
|
|
|
for i in $TRUSTEDIP; do
|
|
|
|
echo -n "$i "
|
2014-02-16 13:53:55 -07:00
|
|
|
$IPTABLES -A INPUT -s $i -j ACCEPT
|
|
|
|
$IPTABLES -A OUTPUT -d $i -j ACCEPT
|
2010-09-16 17:41:50 -06:00
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
fi
|
|
|
|
|
2010-10-21 20:06:39 -06:00
|
|
|
if [ "$CLAMPMSS" ]; then
|
|
|
|
display_c YELLOW "Clamping MSS to PMTU..."
|
|
|
|
for i in $CLAMPMSS; do
|
|
|
|
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
|
|
|
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
|
|
|
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
|
|
|
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
|
|
|
done
|
|
|
|
echo -en "\n"
|
|
|
|
fi
|
|
|
|
|
2010-10-13 14:14:46 -06:00
|
|
|
if [ "$DNS_REQUESTS_OUT" ]; then
|
|
|
|
display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
|
|
|
|
for i in $DNS_REQUESTS_OUT; do
|
|
|
|
if [[ "$i" =~ "|" ]]; then
|
|
|
|
IFS_OLD=${IFS};IFS=\|
|
|
|
|
DNSREQ=($i)
|
|
|
|
IFS=${IFS_OLD}
|
|
|
|
SRCIF=${DNSREQ[0]}
|
|
|
|
DNSIP_NUM=${#DNSREQ[@]}
|
|
|
|
DNSIP_COUNT_CURR=1
|
|
|
|
for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
|
|
|
|
if [ ${DNSREQ[$i]} ]; then
|
2014-02-16 13:53:55 -07:00
|
|
|
${IPTABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
|
2010-10-13 14:14:46 -06:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
else
|
2014-02-16 13:53:55 -07:00
|
|
|
${IPTABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
|
2010-10-13 14:14:46 -06:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
2013-10-16 00:25:01 -06:00
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_allowedports" ]; then
|
|
|
|
display_c YELLOW "Loading custom allowed port rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_allowedports"
|
|
|
|
fi
|
2011-02-21 19:37:27 -07:00
|
|
|
|
2013-10-16 00:25:01 -06:00
|
|
|
if [ "$IPV4_ALLOWED" ]; then
|
|
|
|
display_c YELLOW "Adding allowed IPs and ports... "
|
|
|
|
for i in `grep -v "\#" $IPV4_ALLOWED`; do
|
|
|
|
if [[ "$i" =~ "|" ]]; then
|
|
|
|
IFS_OLD=${IFS};IFS=\|
|
|
|
|
ADVALLOWIP=($i)
|
|
|
|
IFS=${IFS_OLD}
|
|
|
|
SRCIF=${ADVALLOWIP[0]}
|
|
|
|
SRCIP=${ADVALLOWIP[1]}
|
|
|
|
SRCPORT=${ADVALLOWIP[2]}
|
|
|
|
DSTIF=${ADVALLOWIP[3]}
|
|
|
|
DSTIP=${ADVALLOWIP[4]}
|
|
|
|
DSTPORT=${ADVALLOWIP[5]}
|
|
|
|
DIRECTION=${ADVALLOWIP[6]}
|
|
|
|
PROTO=${ADVALLOWIP[7]}
|
|
|
|
if [ "$SRCIF" ]; then
|
|
|
|
SRCIF="-i ${SRCIF} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCIP" ]; then
|
|
|
|
SRCIP="-s ${SRCIP} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCPORT" ]; then
|
|
|
|
SRCPORT="--sport ${SRCPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIF" ]; then
|
|
|
|
DSTIF="-o ${DSTIF} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIP" ]; then
|
|
|
|
DSTIP="-d ${DSTIP} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTPORT" ]; then
|
|
|
|
DSTPORT="--dport ${DSTPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$PROTO" ]; then
|
|
|
|
case $PROTO in
|
|
|
|
TCP|tcp) PROTO="-p tcp";;
|
|
|
|
UDP|udp) PROTO="-p udp";;
|
|
|
|
*) PROTO="-p ${PROTO}";;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
case $DIRECTION in
|
|
|
|
IN) DIRECTION="INPUT" ;;
|
|
|
|
OUT) DIRECTION="OUTPUT" ;;
|
|
|
|
FWD) DIRECTION="FORWARD" ;;
|
|
|
|
*) DIRECTION="INPUT" ;;
|
|
|
|
esac
|
|
|
|
${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
2011-02-21 19:32:14 -07:00
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
|
|
|
|
display_c YELLOW "Loading custom ip block rules..."
|
2010-10-05 17:50:26 -06:00
|
|
|
. "$BASEDIR/include/ipv4_custom_blockip"
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
|
2010-10-06 14:11:59 -06:00
|
|
|
if [ "$BLOCKEDIP" ]; then
|
2010-10-06 10:25:39 -06:00
|
|
|
display_c YELLOW "Adding blocked IPs... "
|
2010-09-16 17:41:50 -06:00
|
|
|
for i in `grep -v "\#" $BLOCKEDIP`; do
|
2010-10-06 10:25:39 -06:00
|
|
|
#echo -n "$i "
|
2010-10-06 14:05:09 -06:00
|
|
|
if [[ "$i" =~ "|" ]]; then
|
|
|
|
IFS_OLD=${IFS};IFS=\|
|
2010-10-06 13:24:16 -06:00
|
|
|
ADVBLKIP=($i)
|
2010-10-06 12:23:08 -06:00
|
|
|
IFS=${IFS_OLD}
|
|
|
|
SRCIF=${ADVBLKIP[0]}
|
|
|
|
SRCIP=${ADVBLKIP[1]}
|
|
|
|
SRCPORT=${ADVBLKIP[2]}
|
|
|
|
DSTIF=${ADVBLKIP[3]}
|
|
|
|
DSTIP=${ADVBLKIP[4]}
|
|
|
|
DSTPORT=${ADVBLKIP[5]}
|
|
|
|
DIRECTION=${ADVBLKIP[6]}
|
|
|
|
PROTO=${ADVBLKIP[7]}
|
|
|
|
if [ "$SRCIF" ]; then
|
|
|
|
SRCIF="-i ${SRCIF} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCIP" ]; then
|
|
|
|
SRCIP="-s ${SRCIP} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCPORT" ]; then
|
|
|
|
SRCPORT="--sport ${SRCPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIF" ]; then
|
|
|
|
DSTIF="-o ${DSTIF} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIP" ]; then
|
|
|
|
DSTIP="-d ${DSTIP} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTPORT" ]; then
|
|
|
|
DSTPORT="--dport ${DSTPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$PROTO" ]; then
|
|
|
|
case $PROTO in
|
|
|
|
TCP|tcp) PROTO="-p tcp";;
|
|
|
|
UDP|udp) PROTO="-p udp";;
|
|
|
|
*) PROTO="-p ${PROTO}";;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
case $DIRECTION in
|
|
|
|
IN) DIRECTION="INPUT" ;;
|
|
|
|
OUT) DIRECTION="OUTPUT" ;;
|
|
|
|
FWD) DIRECTION="FORWARD" ;;
|
|
|
|
*) DIRECTION="INPUT" ;;
|
|
|
|
esac
|
2010-10-06 13:37:04 -06:00
|
|
|
${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP
|
2010-10-06 12:23:08 -06:00
|
|
|
else
|
|
|
|
$IPTABLES -A INPUT -s $i -j DROP
|
|
|
|
$IPTABLES -A OUTPUT -d $i -j DROP
|
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
2010-09-29 17:04:48 -06:00
|
|
|
|
|
|
|
if [ "$BLOCK_OUTGOING_RFC1918" ]; then
|
|
|
|
display_c YELLOW "Blocking RFC1918 space going out on: " N
|
|
|
|
for i in $BLOCK_OUTGOING_RFC1918; do
|
2010-09-29 17:09:17 -06:00
|
|
|
display_c BLUE "$i " N
|
2010-09-29 17:04:48 -06:00
|
|
|
for x in $RFC1918_SPACE; do
|
2010-09-29 19:12:46 -06:00
|
|
|
$IPTABLES -A INPUT -i $i -s $x -j DROP
|
|
|
|
$IPTABLES -A FORWARD -i $i -s $x -j DROP
|
2010-09-29 17:04:48 -06:00
|
|
|
done
|
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
unset i x
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$BLOCK_INCOMING_RFC1918" ]; then
|
|
|
|
display_c YELLOW "Blocking RFC1918 space coming in on: " N
|
|
|
|
for i in $BLOCK_INCOMING_RFC1918; do
|
2010-09-29 17:09:17 -06:00
|
|
|
display_c BLUE "$i " N
|
2010-09-29 17:04:48 -06:00
|
|
|
for x in $RFC1918_SPACE; do
|
2010-09-29 17:08:16 -06:00
|
|
|
$IPTABLES -A INPUT -i $i -s $x -j DROP
|
2010-09-29 17:06:56 -06:00
|
|
|
$IPTABLES -A FORWARD -i $i -s $x -j DROP
|
2010-09-29 17:04:48 -06:00
|
|
|
done
|
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
unset i x
|
|
|
|
fi
|
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
if [ "$STRIPECN" ]; then
|
|
|
|
display_c YELLOW "Stripping ECN off of TCP packets to " N
|
|
|
|
for i in $STRIPECN; do
|
|
|
|
echo -en "$i "
|
|
|
|
$IPTABLES -A PREROUTING -t mangle -p tcp -d $i -j ECN \
|
|
|
|
--ecn-tcp-remove
|
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
|
|
|
|
display_c YELLOW "Loading custom MSS Clamp rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_mssclamp"
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
2010-09-30 13:16:25 -06:00
|
|
|
if [ "$HACK_IPV4" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
apply_ipv4_hack $HACK_IPV4
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
|
|
|
|
display_c YELLOW "Loading custom conntrack rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_conntrack"
|
|
|
|
fi
|
|
|
|
|
2010-11-11 17:52:23 -07:00
|
|
|
if [ "$CONNTRACK" ]; then
|
2011-02-21 19:42:09 -07:00
|
|
|
#$IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
2010-11-25 11:11:12 -07:00
|
|
|
$IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
2011-08-01 21:28:48 -06:00
|
|
|
# Now in the NAT rules
|
|
|
|
#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
2010-11-25 11:11:12 -07:00
|
|
|
#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
2011-08-01 21:28:48 -06:00
|
|
|
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
#$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
2010-11-25 11:11:12 -07:00
|
|
|
$IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
|
|
|
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
2011-08-01 21:47:51 -06:00
|
|
|
#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
|
|
|
|
display_c YELLOW "Loading custom blocked outbound port rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_blockoutports"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
|
|
|
|
display_c YELLOW "Blocking outbound port: " N
|
|
|
|
|
|
|
|
if [ "$BLOCKTCPPORTS" ]; then
|
|
|
|
for i in $BLOCKTCPPORTS; do
|
|
|
|
echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
|
|
|
$IPTABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
if [ "$BLOCKUDPPORTS" ]; then
|
|
|
|
for i in $BLOCKUDPPORTS; do
|
|
|
|
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
|
|
|
$IPTABLES -A OUTPUT -p udp --dport $i -j DROP
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
reset_color
|
|
|
|
fi
|
|
|
|
|
2010-09-26 13:45:51 -06:00
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
|
|
|
|
display_c YELLOW "Adding allowed port: " N
|
|
|
|
if [ "$TCPPORTS" ]; then
|
2010-09-27 14:14:09 -06:00
|
|
|
if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then
|
2010-09-26 15:47:05 -06:00
|
|
|
TCPPORTS=($TCPPORTS)
|
2010-09-26 15:13:54 -06:00
|
|
|
PORTS_COUNT=${#TCPPORTS[@]}
|
|
|
|
PORTS_COUNT_CURR=0
|
2010-09-27 14:31:20 -06:00
|
|
|
while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do
|
2010-09-26 16:10:18 -06:00
|
|
|
for ((i=$PORTS_COUNT_CURR; i <=(($PORTS_COUNT_CURR+(($NF_MULTIPORT_MAX_PORTS-1)))); i++)); do
|
2010-09-26 15:57:34 -06:00
|
|
|
if [ ${TCPPORTS[$i]} ]; then
|
|
|
|
PORTS="${PORTS},${TCPPORTS[$i]}"
|
2010-09-26 15:13:54 -06:00
|
|
|
fi
|
|
|
|
done
|
2010-09-26 16:11:20 -06:00
|
|
|
echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,} "
|
2010-09-26 15:30:45 -06:00
|
|
|
$IPTABLES -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT
|
2010-09-26 15:13:54 -06:00
|
|
|
unset PORTS
|
2010-09-26 16:06:12 -06:00
|
|
|
PORTS_COUNT_CURR=$i
|
2010-09-26 15:13:54 -06:00
|
|
|
done
|
2010-09-27 14:14:09 -06:00
|
|
|
unset i PORTS PORTS_COUNT_CURR PORTS_COUNT
|
2010-09-26 15:13:54 -06:00
|
|
|
else
|
|
|
|
for i in $TCPPORTS; do
|
|
|
|
echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT
|
|
|
|
done
|
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
if [ "$UDPPORTS" ]; then
|
|
|
|
for i in $UDPPORTS; do
|
|
|
|
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
|
|
|
#$IPTABLES -A INPUT -p udp --dport $i -j ACCEPT
|
|
|
|
$IPTABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
|
2010-09-26 16:23:51 -06:00
|
|
|
$IPTABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
|
2010-09-16 17:41:50 -06:00
|
|
|
$IPTABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
reset_color
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_proto" ]; then
|
|
|
|
display_c YELLOW "Loading custom protocol rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_proto"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$ALLOWEDPROTO" ]; then
|
|
|
|
display_c YELLOW "Adding allowed protocols: " N
|
|
|
|
for i in $ALLOWEDPROTO; do
|
|
|
|
echo -n "$i "
|
|
|
|
$IPTABLES -A INPUT -p $i -j ACCEPT
|
|
|
|
$IPTABLES -A OUTPUT -p $i -j ACCEPT
|
|
|
|
done
|
|
|
|
reset_color
|
|
|
|
fi
|
|
|
|
|
2011-02-18 10:53:36 -07:00
|
|
|
if [ "$IPV4_INTERCEPT" ]; then
|
2011-02-18 10:58:02 -07:00
|
|
|
display_c YELLOW "Adding packet interception rules: "
|
2011-02-18 10:53:36 -07:00
|
|
|
for i in `grep -v "\#" $IPV4_INTERCEPT`; do
|
|
|
|
IFS_OLD=${IFS};IFS=\|
|
|
|
|
INTERCEPTADD=($i)
|
|
|
|
IFS=${IFS_OLD}
|
|
|
|
SRCIF=${INTERCEPTADD[0]}
|
|
|
|
SRCIP=${INTERCEPTADD[1]}
|
|
|
|
DSTIP=${INTERCEPTADD[2]}
|
|
|
|
DSTPROTO=${INTERCEPTADD[3]}
|
|
|
|
DSTPORT=${INTERCEPTADD[4]}
|
|
|
|
PROXY=${INTERCEPTADD[5]}
|
|
|
|
if [ "$SRCIF" ]; then
|
|
|
|
SRCIF="-i ${SRCIF}"
|
|
|
|
fi
|
|
|
|
if [ "$SRCIP" ]; then
|
|
|
|
SRCIP="-s ${SRCIP}"
|
|
|
|
fi
|
|
|
|
if [ "$DSTIP" ]; then
|
|
|
|
DSTIP="-d $DSTIP"
|
|
|
|
fi
|
|
|
|
if [ "$PROXY" != "BYPASS" ]; then
|
|
|
|
FINAL_RULE="-j DNAT --to-destination ${PROXY}"
|
|
|
|
else
|
|
|
|
FINAL_RULE="-j ACCEPT"
|
|
|
|
fi
|
|
|
|
$IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p ${DSTPROTO} --dport ${DSTPORT} \
|
|
|
|
${FINAL_RULE}
|
|
|
|
display_c DEFAULT "\t${GREEN}${INTERCEPTADD[0]}:${BLUE}${INTERCEPTADD[1]}:${PURPLE}${INTERCEPTADD[2]}->${INTERCEPTADD[3]}:${INTERCEPTADD[4]}${AQUA}:proxy->${BLUE}${INTERCEPTADD[5]} "
|
|
|
|
done
|
|
|
|
reset_color
|
|
|
|
fi
|
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
|
|
|
|
display_c YELLOW "Loading custom NOTRACK rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_notrack"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ $CONNTRACK ]; then
|
|
|
|
for i in $DONTTRACK; do
|
|
|
|
$IPTABLES -t raw -I PREROUTING -s $i -j NOTRACK
|
|
|
|
$IPTABLES -t raw -I PREROUTING -d $i -j NOTRACK
|
|
|
|
$IPTABLES -t raw -I OUTPUT -s $i -j NOTRACK
|
|
|
|
$IPTABLES -t raw -I OUTPUT -d $i -j NOTRACK
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_routing" ]; then
|
|
|
|
display_c YELLOW "Loading custom routing rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_routing"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ $ROUTING ]; then
|
|
|
|
display_c YELLOW "Adding route: "
|
|
|
|
for i in `grep -v "\#" $ROUTING`; do
|
|
|
|
ROUTE=( ${i//:/ } )
|
|
|
|
FWINT1=${ROUTE[0]}
|
|
|
|
FWINT2=${ROUTE[2]}
|
|
|
|
FWIP1=${ROUTE[1]}
|
|
|
|
FWIP2=${ROUTE[3]}
|
|
|
|
|
|
|
|
if [ -e "/proc/sys/net/ipv4/conf/$FWINT1/forwarding" ]; then
|
|
|
|
echo 1 > /proc/sys/net/ipv4/conf/$FWINT1/forwarding
|
|
|
|
fi
|
|
|
|
if [ -e "/proc/sys/net/ipv4/conf/$FWINT2/forwarding" ]; then
|
|
|
|
echo 1 > /proc/sys/net/ipv4/conf/$FWINT2/forwarding
|
|
|
|
fi
|
|
|
|
$IPTABLES -A FORWARD -i $FWINT1 -o $FWINT2 \
|
|
|
|
-s $FWIP1 -d $FWIP2 -j ACCEPT
|
|
|
|
if [ ${ROUTE[4]} == "1" ]; then
|
|
|
|
display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}<->${BLUE}$FWINT2:$FWIP2"
|
|
|
|
$IPTABLES -A FORWARD -o $FWINT1 -i $FWINT2 \
|
|
|
|
-d $FWIP1 -s $FWIP2 -j ACCEPT
|
|
|
|
else
|
|
|
|
display_c DEFAULT "\t${GREEN}$FWINT1:${PURPLE}$FWIP1${AQUA}->${BLUE}$FWINT2:$FWIP2"
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
|
|
|
|
display_c YELLOW "Loading custom port forwarding rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_portforward"
|
|
|
|
fi
|
|
|
|
|
2010-10-06 12:23:08 -06:00
|
|
|
if [ "$PORTFW" ] && [ "$NAT" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c YELLOW "Adding port forward for:"
|
|
|
|
for i in `grep -v "\#" $PORTFW`; do
|
2010-12-18 12:19:26 -07:00
|
|
|
IFS_OLD=${IFS};IFS=\:
|
|
|
|
PORTFWADD=($i)
|
|
|
|
IFS=${IFS_OLD}
|
|
|
|
DSTIF=${PORTFWADD[0]}
|
|
|
|
SRCIP=${PORTFWADD[1]}
|
|
|
|
DSTIP=${PORTFWADD[2]}
|
|
|
|
DSTPORT=${PORTFWADD[3]}
|
|
|
|
DSTPROTO=${PORTFWADD[4]}
|
|
|
|
DSTINTIP=${PORTFWADD[5]}
|
|
|
|
DSTINTPORT=${PORTFWADD[6]}
|
|
|
|
if [ "$DSTIF" ]; then
|
|
|
|
DSTIF="-i ${DSTIF}"
|
|
|
|
fi
|
|
|
|
if [ "$SRCIP" ]; then
|
|
|
|
SRCIP="-s ${SRCIP}"
|
|
|
|
fi
|
2010-12-18 15:22:46 -07:00
|
|
|
if [ "$DSTIP" ]; then
|
2010-12-18 15:21:07 -07:00
|
|
|
DSTIP="-d $DSTIP"
|
2010-12-18 15:24:48 -07:00
|
|
|
fi
|
|
|
|
if [ ! "$DSTIP" ] && [ ! "$DSTIF" ]; then
|
2010-12-18 15:22:46 -07:00
|
|
|
DSTIP="-d $EXTIP"
|
2010-12-18 14:58:45 -07:00
|
|
|
fi
|
2010-12-18 12:21:15 -07:00
|
|
|
#PORTADD=( ${i//:/ } )
|
2010-12-18 12:19:26 -07:00
|
|
|
$IPTABLES -A PREROUTING -t nat ${DSTIF} -p ${DSTPROTO} ${SRCIP} \
|
2010-12-18 15:25:22 -07:00
|
|
|
--dport ${DSTPORT} ${DSTIP} -j DNAT --to \
|
2010-12-18 12:19:26 -07:00
|
|
|
${DSTINTIP}:${DSTINTPORT}
|
|
|
|
$IPTABLES -A INPUT -p ${DSTPROTO} ${M_STATE} ${C_STATE} NEW ${DSTIF} ${SRCIP} \
|
2010-12-18 15:21:07 -07:00
|
|
|
--dport ${DSTPORT} ${DSTIP} -j ACCEPT
|
2010-12-18 12:19:26 -07:00
|
|
|
display_c DEFAULT "\t${GREEN}${PORTFWADD[0]}:${BLUE}${PORTFWADD[1]}:${PURPLE}${PORTFWADD[2]}:${PORTFWADD[3]}:${PORTFWADD[4]}${AQUA}->${BLUE}${PORTFWADD[5]}:${PORTFWADD[6]} "
|
2010-09-16 17:41:50 -06:00
|
|
|
done
|
|
|
|
reset_color
|
|
|
|
fi
|
|
|
|
|
2010-10-01 21:39:51 -06:00
|
|
|
if [ "$LANDHCPSERVER" ]; then
|
|
|
|
for i in $LANDHCPSERVER; do
|
2011-12-28 16:12:57 -07:00
|
|
|
$IPTABLES -A INPUT -i $i -p udp --sport 67:68 --dport 67:68 -j ACCEPT
|
|
|
|
$IPTABLES -A OUTPUT -o $i -p udp --sport 67:68 --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A INPUT -i $i -s 0.0.0.0 -j ACCEPT
|
|
|
|
#$IPTABLES -A INPUT -i $i -p udp --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A INPUT -i $i -p tcp --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A OUTPUT -o $i -p udp --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A OUTPUT -o $i -p tcp --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A INPUT -i $i -p udp -d 255.255.255.255 --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A INPUT -i $i -p tcp -d 255.255.255.255 --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A OUTPUT -o $i -p udp -d 255.255.255.255 --dport 67:68 -j ACCEPT
|
|
|
|
#$IPTABLES -A OUTPUT -o $i -p tcp -d 255.255.255.255 --dport 67:68 -j ACCEPT
|
2010-10-01 21:39:51 -06:00
|
|
|
done
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
|
2010-09-22 20:17:08 -06:00
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_mark" ]; then
|
|
|
|
display_c YELLOW "Loading custom mark rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_mark"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -r "$IPv4_MARK" ]; then
|
|
|
|
display_c YELLOW "Adding mark: "
|
|
|
|
for i in `grep -v "\#" $IPv4_MARK`; do
|
2010-10-13 14:43:20 -06:00
|
|
|
MARK=( ${i//|/ } )
|
2010-09-22 20:17:08 -06:00
|
|
|
INIF=${MARK[0]}
|
|
|
|
INIP=${MARK[1]}
|
|
|
|
DSTIP=${MARK[2]}
|
|
|
|
IPMARK=${MARK[3]}
|
|
|
|
|
|
|
|
case $INIP in
|
|
|
|
!*) INNEG="!"
|
|
|
|
INIP=${INIP#\!};;
|
|
|
|
esac
|
|
|
|
case $DSTIP in
|
|
|
|
!*) DSTNEG="!"
|
|
|
|
DSTIP=${DSTIP#\!};;
|
|
|
|
esac
|
|
|
|
|
|
|
|
$IPTABLES -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
|
|
|
|
${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
|
|
|
|
display_c DEFAULT "\t${GREEN}${INNEG}${INIF}:${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP}:${RED}${IPMARK}"
|
2010-09-22 20:22:53 -06:00
|
|
|
unset INNEG DSTNEG
|
2010-09-22 20:17:08 -06:00
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
|
|
|
|
display_c YELLOW "Loading custom nat rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_nat"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ $NAT ]; then
|
|
|
|
if [ "$NAT_RANGE" ]; then
|
|
|
|
display_c YELLOW "Adding NAT rule:"
|
2010-11-12 22:18:03 -07:00
|
|
|
unset INIF_EXISTS FWDIF_EXISTS
|
2010-09-16 17:41:50 -06:00
|
|
|
for i in $NAT_RANGE; do
|
|
|
|
NAT_RULE=( ${i//:/ } )
|
|
|
|
case ${NAT_RULE[0]} in
|
|
|
|
SNAT)
|
|
|
|
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
|
|
|
|
-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
|
2013-11-12 23:24:11 -07:00
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
|
2013-11-12 23:34:55 -07:00
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
|
2010-11-12 22:18:03 -07:00
|
|
|
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
|
|
|
|
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
|
|
|
|
-s ${NAT_RULE[2]} -j ACCEPT
|
|
|
|
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
|
|
|
|
-s ${NAT_RULE[2]} -j ACCEPT
|
|
|
|
INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
|
2010-11-11 18:03:34 -07:00
|
|
|
fi
|
2010-11-12 22:18:03 -07:00
|
|
|
if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
|
|
|
|
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
|
|
|
|
-o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
|
|
|
|
-o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
|
2010-11-11 18:05:39 -07:00
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
;;
|
|
|
|
MASQ)
|
|
|
|
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
|
2013-11-12 23:34:55 -07:00
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
|
2010-11-12 22:18:03 -07:00
|
|
|
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
|
|
|
|
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
|
|
|
|
-s ${NAT_RULE[2]} -j ACCEPT
|
|
|
|
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
|
|
|
|
-s ${NAT_RULE[2]} -j ACCEPT
|
|
|
|
INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
|
2010-11-11 18:03:34 -07:00
|
|
|
fi
|
2010-11-12 22:18:03 -07:00
|
|
|
if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
|
|
|
|
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
|
|
|
|
-o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
|
|
|
|
-o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
|
2010-11-11 18:05:39 -07:00
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
;;
|
2010-11-12 21:57:32 -07:00
|
|
|
NETMAP)
|
|
|
|
$IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
|
2013-11-12 23:34:55 -07:00
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
|
2010-11-12 22:18:03 -07:00
|
|
|
display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
|
|
|
|
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
|
|
|
|
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
|
|
|
|
-s ${NAT_RULE[2]} -j ACCEPT
|
|
|
|
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
|
|
|
|
-s ${NAT_RULE[2]} -j ACCEPT
|
|
|
|
INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
|
|
|
|
fi
|
|
|
|
if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
|
|
|
|
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
|
|
|
|
-o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
|
|
|
|
-o ${NAT_RULE[3]} -j ACCEPT
|
|
|
|
FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
|
|
|
|
fi
|
2010-11-12 21:57:32 -07:00
|
|
|
;;
|
2010-09-16 17:41:50 -06:00
|
|
|
*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
|
|
|
|
esac
|
|
|
|
done
|
|
|
|
reset_color
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2011-02-18 13:17:13 -07:00
|
|
|
$IPTABLES --policy INPUT ${IPV4_PINPUT}
|
|
|
|
$IPTABLES --policy OUTPUT ${IPV4_POUTPUT}
|
|
|
|
$IPTABLES --policy FORWARD ${IPV4_PFORWARD}
|
2010-09-16 17:41:50 -06:00
|
|
|
|
2011-02-21 19:37:27 -07:00
|
|
|
if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
|
|
|
|
display_c YELLOW "Loading custom incoming blocked rules..."
|
|
|
|
. "$BASEDIR/include/ipv4_custom_blockincoming"
|
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
if [ $BLOCKINCOMING ]; then
|
|
|
|
$IPTABLES -A INPUT -p tcp --syn -j DROP
|
|
|
|
$IPTABLES -A INPUT -p udp -j DROP
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
#================[IPv6]================
|
|
|
|
if [ $IPV6 ]; then
|
|
|
|
iptables_rules_flush ipv6
|
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_flush" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 flush rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_flush"
|
|
|
|
fi
|
|
|
|
|
|
|
|
display_c YELLOW "Adding trusted IPv6: " N
|
|
|
|
|
|
|
|
$IP6TABLES -A INPUT -i lo -j ACCEPT
|
|
|
|
$IP6TABLES -A OUTPUT -o lo -j ACCEPT
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_trust" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 trust rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_trust"
|
|
|
|
fi
|
2010-10-13 15:46:32 -06:00
|
|
|
if [ "$IPV6_TRUSTED" ]; then
|
|
|
|
for i in $IPV6_TRUSTED; do
|
|
|
|
echo -n "$i "
|
|
|
|
$IP6TABLES -A INPUT -s $i -j ACCEPT
|
|
|
|
$IP6TABLES -A OUTPUT -d $i -j ACCEPT
|
|
|
|
done
|
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
reset_color
|
2010-10-06 14:11:59 -06:00
|
|
|
|
2010-11-21 00:14:27 -07:00
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then
|
2011-02-09 00:08:51 -07:00
|
|
|
display_c YELLOW "Loading custom IPv6 block rules..."
|
2010-11-21 00:14:27 -07:00
|
|
|
. "$BASEDIR/include/ipv6_custom_blockip"
|
2010-10-06 14:11:59 -06:00
|
|
|
fi
|
|
|
|
|
2011-04-10 16:28:45 -06:00
|
|
|
if [ "$IPV6_LANDHCPSERVER" ]; then
|
|
|
|
for i in $IPV6_LANDHCPSERVER; do
|
|
|
|
$IP6TABLES -A INPUT -i $i -p udp --sport 546:547 --dport 546:547 -j ACCEPT
|
2011-12-28 16:33:34 -07:00
|
|
|
#$IP6TABLES -A INPUT -i $i -p tcp --sport 546:547 --dport 546:547 -j ACCEPT
|
2011-04-10 16:28:45 -06:00
|
|
|
$IP6TABLES -A OUTPUT -o $i -p udp --sport 546:547 --dport 546:547 -j ACCEPT
|
2011-12-28 16:33:34 -07:00
|
|
|
#$IP6TABLES -A OUTPUT -o $i -p tcp --sport 546:547 --dport 546:547 -j ACCEPT
|
2011-04-10 16:28:45 -06:00
|
|
|
#$IP6TABLES -A INPUT -i $i -p udp -d ff02::1:2 --sport 546:547 --dport 546:547 -j ACCEPT
|
|
|
|
#$IP6TABLES -A INPUT -i $i -p tcp -d ff02::1:2 --sport 546:547 --dport 546:547 -j ACCEPT
|
|
|
|
#$IP6TABLES -A OUTPUT -o $i -p udp -d fe80::/16 --sport 546:547 --dport 546:547 -j ACCEPT
|
|
|
|
#$IP6TABLES -A OUTPUT -o $i -p tcp -d fe80::/16 --sport 546:547 --dport 546:547 -j ACCEPT
|
|
|
|
done
|
|
|
|
fi
|
2011-02-09 00:08:51 -07:00
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 conntrack rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_conntrack"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$IPV6_CONNTRACK" ]; then
|
2011-02-22 12:06:20 -07:00
|
|
|
#$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
2011-02-09 00:08:51 -07:00
|
|
|
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
|
|
|
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
|
|
|
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
|
|
|
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
|
|
|
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
|
|
|
fi
|
|
|
|
|
2010-10-13 14:27:41 -06:00
|
|
|
if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
|
|
|
|
display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
|
|
|
|
for i in $DNS_REQUESTS_OUT; do
|
|
|
|
if [[ "$i" =~ "|" ]]; then
|
|
|
|
IFS_OLD=${IFS};IFS=\|
|
|
|
|
DNSREQ=($i)
|
|
|
|
IFS=${IFS_OLD}
|
|
|
|
SRCIF=${DNSREQ[0]}
|
|
|
|
DNSIP_NUM=${#DNSREQ[@]}
|
|
|
|
DNSIP_COUNT_CURR=1
|
|
|
|
for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
|
|
|
|
if [ ${DNSREQ[$i]} ]; then
|
|
|
|
${IP6TABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
else
|
|
|
|
${IP6TABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_blockoutports"
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ "$IPV6_BLOCKEDIP" ]; then
|
2010-10-06 14:11:59 -06:00
|
|
|
display_c YELLOW "Adding blocked IPv6 addresses... "
|
2010-10-13 15:15:10 -06:00
|
|
|
for i in `grep -v "\#" $IPV6_BLOCKEDIP`; do
|
2010-10-06 14:11:59 -06:00
|
|
|
if [[ "$i" =~ "|" ]]; then
|
|
|
|
IFS_OLD=${IFS};IFS=\|
|
|
|
|
ADVBLKIP=($i)
|
|
|
|
IFS=${IFS_OLD}
|
|
|
|
SRCIF=${ADVBLKIP[0]}
|
|
|
|
SRCIP=${ADVBLKIP[1]}
|
|
|
|
SRCPORT=${ADVBLKIP[2]}
|
|
|
|
DSTIF=${ADVBLKIP[3]}
|
|
|
|
DSTIP=${ADVBLKIP[4]}
|
|
|
|
DSTPORT=${ADVBLKIP[5]}
|
|
|
|
DIRECTION=${ADVBLKIP[6]}
|
|
|
|
PROTO=${ADVBLKIP[7]}
|
|
|
|
if [ "$SRCIF" ]; then
|
|
|
|
SRCIF="-i ${SRCIF} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCIP" ]; then
|
|
|
|
SRCIP="-s ${SRCIP} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCPORT" ]; then
|
|
|
|
SRCPORT="--sport ${SRCPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIF" ]; then
|
|
|
|
DSTIF="-o ${DSTIF} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIP" ]; then
|
|
|
|
DSTIP="-d ${DSTIP} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTPORT" ]; then
|
|
|
|
DSTPORT="--dport ${DSTPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$PROTO" ]; then
|
|
|
|
case $PROTO in
|
|
|
|
TCP|tcp) PROTO="-p tcp";;
|
|
|
|
UDP|udp) PROTO="-p udp";;
|
|
|
|
*) PROTO="-p ${PROTO}";;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
case $DIRECTION in
|
|
|
|
IN) DIRECTION="INPUT" ;;
|
|
|
|
OUT) DIRECTION="OUTPUT" ;;
|
|
|
|
FWD) DIRECTION="FORWARD" ;;
|
|
|
|
*) DIRECTION="INPUT" ;;
|
|
|
|
esac
|
|
|
|
${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP
|
|
|
|
else
|
|
|
|
$IP6TABLES -A INPUT -s $i -j DROP
|
|
|
|
$IP6TABLES -A OUTPUT -d $i -j DROP
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
|
2011-02-12 13:20:11 -07:00
|
|
|
if [ "$IPV6_ICMP_CRITICAL" ]; then
|
|
|
|
# This is necessary to make sure that PMTU works
|
|
|
|
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
|
|
|
|
-j ACCEPT
|
|
|
|
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
|
|
|
|
-j ACCEPT
|
|
|
|
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
|
|
|
|
-j ACCEPT
|
|
|
|
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
|
|
|
|
-j ACCEPT
|
|
|
|
if [ "$IPV6_FORWARDRANGE" ]; then
|
|
|
|
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
|
|
|
|
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2011-02-12 13:41:43 -07:00
|
|
|
if [ "$IPV6_ICMP_OPT" ]; then
|
|
|
|
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
|
|
|
|
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
|
|
|
|
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
|
|
|
|
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
|
|
|
|
if [ "$IPV6_FORWARDRANGE" ]; then
|
|
|
|
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
|
|
|
|
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2010-09-16 17:41:50 -06:00
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_mssclamp"
|
|
|
|
fi
|
|
|
|
|
2011-02-12 13:20:11 -07:00
|
|
|
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ "$IPV6_CLAMPMSS" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c YELLOW "Clamping IPV6 MSS to PMTU..."
|
2010-10-13 15:15:10 -06:00
|
|
|
for i in $IPV6_CLAMPMSS; do
|
2010-09-16 17:41:50 -06:00
|
|
|
$IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
|
|
|
|
-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
|
|
|
|
--mss 1280:1536
|
|
|
|
$IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
|
|
|
|
-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
|
|
|
|
--mss 1280:1536
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 allowed port rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_allowedports"
|
|
|
|
fi
|
2011-02-22 11:55:52 -07:00
|
|
|
|
|
|
|
if [ "$IPV6_ALLOWED" ]; then
|
|
|
|
display_c YELLOW "Adding allowed IPv6 IPs and ports... "
|
|
|
|
for i in `grep -v "\#" $IPV6_ALLOWED`; do
|
|
|
|
if [[ "$i" =~ "|" ]]; then
|
|
|
|
IFS_OLD=${IFS};IFS=\|
|
|
|
|
ADVALLOWIP=($i)
|
|
|
|
IFS=${IFS_OLD}
|
|
|
|
SRCIF=${ADVALLOWIP[0]}
|
|
|
|
SRCIP=${ADVALLOWIP[1]}
|
|
|
|
SRCPORT=${ADVALLOWIP[2]}
|
|
|
|
DSTIF=${ADVALLOWIP[3]}
|
|
|
|
DSTIP=${ADVALLOWIP[4]}
|
|
|
|
DSTPORT=${ADVALLOWIP[5]}
|
|
|
|
DIRECTION=${ADVALLOWIP[6]}
|
|
|
|
PROTO=${ADVALLOWIP[7]}
|
|
|
|
if [ "$SRCIF" ]; then
|
|
|
|
SRCIF="-i ${SRCIF} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCIP" ]; then
|
|
|
|
SRCIP="-s ${SRCIP} "
|
|
|
|
fi
|
|
|
|
if [ "$SRCPORT" ]; then
|
|
|
|
SRCPORT="--sport ${SRCPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIF" ]; then
|
|
|
|
DSTIF="-o ${DSTIF} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTIP" ]; then
|
|
|
|
DSTIP="-d ${DSTIP} "
|
|
|
|
fi
|
|
|
|
if [ "$DSTPORT" ]; then
|
|
|
|
DSTPORT="--dport ${DSTPORT/-/:} "
|
|
|
|
fi
|
|
|
|
if [ "$PROTO" ]; then
|
|
|
|
case $PROTO in
|
|
|
|
TCP|tcp) PROTO="-p tcp";;
|
|
|
|
UDP|udp) PROTO="-p udp";;
|
|
|
|
*) PROTO="-p ${PROTO}";;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
case $DIRECTION in
|
|
|
|
IN) DIRECTION="INPUT" ;;
|
|
|
|
OUT) DIRECTION="OUTPUT" ;;
|
|
|
|
FWD) DIRECTION="FORWARD" ;;
|
|
|
|
*) DIRECTION="INPUT" ;;
|
|
|
|
esac
|
|
|
|
${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
display_c YELLOW "Adding allowed IPv6 port: " N
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ "$IPV6_TCPPORTS" ]; then
|
2010-09-27 14:14:09 -06:00
|
|
|
if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then
|
2010-10-13 15:15:10 -06:00
|
|
|
IPV6_TCPPORTS=($IPV6_TCPPORTS)
|
2010-10-17 23:37:56 -06:00
|
|
|
PORTS_COUNT=${#IPV6_TCPPORTS[@]}
|
2010-09-26 15:13:54 -06:00
|
|
|
PORTS_COUNT_CURR=0
|
2010-09-27 14:31:20 -06:00
|
|
|
while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do
|
2010-09-26 16:10:18 -06:00
|
|
|
for ((i=$PORTS_COUNT_CURR; i <=(($PORTS_COUNT_CURR+(($NF_MULTIPORT_MAX_PORTS-1)))); i++)); do
|
2010-10-17 23:39:25 -06:00
|
|
|
if [ ${IPV6_TCPPORTS[$i]} ]; then
|
|
|
|
PORTS="${PORTS},${IPV6_TCPPORTS[$i]}"
|
2010-09-26 15:13:54 -06:00
|
|
|
fi
|
2010-09-26 16:08:47 -06:00
|
|
|
done
|
2010-09-26 16:11:20 -06:00
|
|
|
echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,} "
|
2010-09-26 16:08:47 -06:00
|
|
|
$IP6TABLES -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT
|
|
|
|
unset PORTS
|
|
|
|
PORTS_COUNT_CURR=$i
|
2010-09-26 15:13:54 -06:00
|
|
|
done
|
2010-09-27 14:14:09 -06:00
|
|
|
unset i PORTS PORTS_COUNT_CURR PORTS_COUNT
|
2010-11-25 20:12:40 -07:00
|
|
|
else
|
2010-11-25 20:06:16 -07:00
|
|
|
for i in $IPV6_TCPPORTS; do
|
2010-09-26 15:13:54 -06:00
|
|
|
echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
|
|
|
|
$IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
|
|
|
|
done
|
2010-11-25 20:12:40 -07:00
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ "$IPV6_UDPPORTS" ]; then
|
|
|
|
for i in $IPV6_UDPPORTS; do
|
2010-09-16 17:41:50 -06:00
|
|
|
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
|
|
|
|
$IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
|
|
|
|
$IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
|
|
|
|
$IP6TABLES -A INPUT -p udp --sport $i --dport 1:65535 -j ACCEPT
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
reset_color
|
|
|
|
fi
|
2010-10-13 14:43:20 -06:00
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 mark rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_mark"
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ -r "$IPV6_MARK" ]; then
|
2010-10-13 14:43:20 -06:00
|
|
|
display_c YELLOW "Adding IPv6 mark: "
|
2010-10-13 15:15:10 -06:00
|
|
|
for i in `grep -v "\#" $IPV6_MARK`; do
|
2010-10-13 14:43:20 -06:00
|
|
|
MARK=( ${i//|/ } )
|
|
|
|
INIF=${MARK[0]}
|
|
|
|
INIP=${MARK[1]}
|
|
|
|
DSTIP=${MARK[2]}
|
|
|
|
IPMARK=${MARK[3]}
|
|
|
|
|
|
|
|
case $INIP in
|
|
|
|
!*) INNEG="!"
|
|
|
|
INIP=${INIP#\!};;
|
|
|
|
esac
|
|
|
|
case $DSTIP in
|
|
|
|
!*) DSTNEG="!"
|
|
|
|
DSTIP=${DSTIP#\!};;
|
|
|
|
esac
|
|
|
|
|
|
|
|
${IP6TABLES} -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
|
|
|
|
${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
|
|
|
|
display_c DEFAULT "\t${GREEN}${INNEG}${INIF};${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP};${RED}${IPMARK}"
|
|
|
|
unset INNEG DSTNEG
|
|
|
|
done
|
|
|
|
echo -ne "\n"
|
|
|
|
fi
|
2010-10-13 14:27:41 -06:00
|
|
|
|
2011-02-09 00:08:51 -07:00
|
|
|
if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then
|
|
|
|
for i in $IPV6_ROUTEDCLIENTBLOCK; do
|
|
|
|
$IP6TABLES -A OUTPUT -d $i -p tcp --syn -j DROP
|
|
|
|
$IP6TABLES -A OUTPUT -d $i -p udp ! --dport 32768:65535 -j DROP
|
|
|
|
$IP6TABLES -A FORWARD -d $i -p tcp --syn -j DROP
|
|
|
|
$IP6TABLES -A FORWARD -d $i -p udp ! --dport 32768:65535 -j DROP
|
|
|
|
done
|
2010-09-16 17:41:50 -06:00
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 routing rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_routing"
|
|
|
|
fi
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ "$IPV6_FORWARDRANGE" ]; then
|
|
|
|
for i in $IPV6_FORWARDRANGE; do
|
2010-09-16 17:41:50 -06:00
|
|
|
$IP6TABLES -A FORWARD -s $i -j ACCEPT
|
|
|
|
$IP6TABLES -A FORWARD -d $i -j ACCEPT
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -s "$BASEDIR/include/ipv6_custom_blockincoming" ]; then
|
|
|
|
display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
|
|
|
|
. "$BASEDIR/include/ipv6_custom_blockincoming"
|
|
|
|
fi
|
2010-10-13 15:15:10 -06:00
|
|
|
if [ $IPV6_BLOCKINCOMING ]; then
|
2010-09-16 17:41:50 -06:00
|
|
|
$IP6TABLES -A INPUT -p tcp --syn -j DROP
|
|
|
|
$IP6TABLES -A INPUT -p udp -j DROP
|
|
|
|
fi
|
2011-02-18 13:17:13 -07:00
|
|
|
$IP6TABLES --policy INPUT ${IPV6_PINPUT}
|
|
|
|
$IP6TABLES --policy OUTPUT ${IPV6_POUTPUT}
|
|
|
|
$IP6TABLES --policy FORWARD ${IPV6_PFORWARD}
|
2011-02-18 13:09:54 -07:00
|
|
|
fi
|
2010-09-16 17:41:50 -06:00
|
|
|
|
|
|
|
if [ $TWEAKS ]; then
|
|
|
|
for i in `grep -v "\#" $TWEAKS`; do
|
|
|
|
PROCOPT=( ${i//=/ } )
|
2012-05-12 17:54:57 -06:00
|
|
|
echo ${PROCOPT[1]} > /proc/sys/net/${PROCOPT[0]}
|
2010-09-16 17:41:50 -06:00
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -x $POSTRUN ]; then
|
|
|
|
$POSTRUN
|
|
|
|
fi
|