Minor changes to icmp allows

master
bbruns 2010-11-12 00:52:23 +00:00
parent a178e473d3
commit 29d3359115
1 changed files with 21 additions and 13 deletions


@ -81,12 +81,12 @@ echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
redistribute it under certain conditions. redistribute it under certain conditions.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
if [ $UID != "0" ]; then if [ "$UID" != "0" ]; then
display_c RED "You must be root to run this script." display_c RED "You must be root to run this script."
exit 2 exit 2
fi fi
if [ ! -x $IPTABLES ]; then if [ ! -x "$IPTABLES" ]; then
display_c RED "iptables command not found. Please make sure you have the iptables" display_c RED "iptables command not found. Please make sure you have the iptables"
display_c RED "installed (package or source) and you have the IPTABLES option properly" display_c RED "installed (package or source) and you have the IPTABLES option properly"
display_c RED "defined in the 'options' file." display_c RED "defined in the 'options' file."
@ -94,7 +94,7 @@ if [ ! -x $IPTABLES ]; then
fi fi
if [ ! -x $IP6TABLES ] && [ $IPV6 == "1" ]; then if [ ! -x "$IP6TABLES" ] && [ $IPV6 == "1" ]; then
display_c RED "ip6tables command not found. Please make sure you have the iptables" display_c RED "ip6tables command not found. Please make sure you have the iptables"
display_c RED "installed (package or source) and you have the IP6TABLES option properly" display_c RED "installed (package or source) and you have the IP6TABLES option properly"
display_c RED "defined in the 'options' file." display_c RED "defined in the 'options' file."
@ -108,7 +108,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
. "$BASEDIR/include/ipv4_custom_flush" . "$BASEDIR/include/ipv4_custom_flush"
fi fi
if [ -x $PRERUN ]; then if [ -x "$PRERUN" ]; then
$PRERUN $PRERUN
fi fi
@ -147,14 +147,14 @@ if [ "$CLAMPMSS" ]; then
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \ $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536 --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
# This is necessary to make sure that PMTU works # This is necessary to make sure that PMTU works
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \ #$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-o $i -j ACCEPT # -o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \ #$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-i $i -j ACCEPT # -i $i -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \ #$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-o $i -j ACCEPT # -o $i -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \ #$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-i $i -j ACCEPT # -i $i -j ACCEPT
done done
echo -en "\n" echo -en "\n"
fi fi
@ -292,7 +292,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
. "$BASEDIR/include/ipv4_custom_conntrack" . "$BASEDIR/include/ipv4_custom_conntrack"
fi fi
if [ $CONNTRACK ]; then if [ "$CONNTRACK" ]; then
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
@ -537,14 +537,22 @@ if [ $NAT ]; then
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \ $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}" display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
;; ;;
MASQ) MASQ)
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]} $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}" display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
;; ;;
*) display_c RED "Invalid NAT rule in NAT_RANGE" ;; *) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
esac esac
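Review bot: In the second hunk, `if [ ! -x "$IP6TABLES" ] && [ $IPV6 == "1" ]` quotes the first expansion but leaves `$IPV6` bare, so an unset or empty IPV6 in the options file makes `[` fail with a unary-operator error instead of evaluating to false; use `[ "$IPV6" = "1" ]` (with `=`, since `==` is not portable under `[`). The same bare-expansion pattern survives at `-o $i` / `-i $i` in the CLAMPMSS loop and in the `${NAT_RULE[...]}` rules of the last hunk. In the CLAMPMSS hunk the comment `# This is necessary to make sure that PMTU works` now sits above eight commented-out rules; either drop the dead block or reword the comment to say the ICMP accepts moved to the NAT section, because a reader will otherwise assume those rules are still active. In the MASQ branch the new INPUT and FORWARD rules pass `-i ${NAT_RULE[1]}`, while the MASQUERADE rule and its display line only use fields 2 and 3, so if MASQ entries in NAT_RANGE do not carry an interface in field 1 iptables receives an empty `-i` argument and the rule fails to load — worth confirming against the NAT_RANGE format. The enclosing `case` and the `if [ $NAT ]` block start outside the hunk.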