Intercept rules

master
bbruns 13 years ago
parent 261286113a
commit 329d9ad0ce

@ -29,6 +29,15 @@ BASEDIR=/etc/firewall-sosdg
PATH=/usr/sbin:/usr/bin:/sbin:/bin
#BASEDIR=`pwd`
# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x"
exit 1
fi
TWEAKS=$BASEDIR/tweaks
if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then
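Review bot: The three `echo` lines in the new bash-version guard write the diagnostic to stdout, so when the script's output is redirected (an init wrapper, a cron job) the reason for the `exit 1` is lost; each should end in `>&2`, e.g. `echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" >&2`. The `(( ${BASH_VERSINFO[0]} <= "2" ))` test works in bash, though the quotes around `2` are unnecessary inside `(( ))`. As far as visible the guard only helps when the script is already running under bash; if it is started as `sh script`, `BASH_VERSINFO` is unset and the shell fails on `((` before this message is ever printed, which is worth a one-line comment above the test.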
@ -439,6 +448,39 @@ if [ "$ALLOWEDPROTO" ]; then
reset_color
fi
if [ "$IPV4_INTERCEPT" ]; then
display_c YELLOW "Adding packet interception rules: " N
for i in `grep -v "\#" $IPV4_INTERCEPT`; do
IFS_OLD=${IFS};IFS=\|
INTERCEPTADD=($i)
IFS=${IFS_OLD}
SRCIF=${INTERCEPTADD[0]}
SRCIP=${INTERCEPTADD[1]}
DSTIP=${INTERCEPTADD[2]}
DSTPROTO=${INTERCEPTADD[3]}
DSTPORT=${INTERCEPTADD[4]}
PROXY=${INTERCEPTADD[5]}
if [ "$SRCIF" ]; then
SRCIF="-i ${SRCIF}"
fi
if [ "$SRCIP" ]; then
SRCIP="-s ${SRCIP}"
fi
if [ "$DSTIP" ]; then
DSTIP="-d $DSTIP"
fi
if [ "$PROXY" != "BYPASS" ]; then
FINAL_RULE="-j DNAT --to-destination ${PROXY}"
else
FINAL_RULE="-j ACCEPT"
fi
$IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p ${DSTPROTO} --dport ${DSTPORT} \
${FINAL_RULE}
display_c DEFAULT "\t${GREEN}${INTERCEPTADD[0]}:${BLUE}${INTERCEPTADD[1]}:${PURPLE}${INTERCEPTADD[2]}->${INTERCEPTADD[3]}:${INTERCEPTADD[4]}${AQUA}:proxy->${BLUE}${INTERCEPTADD[5]} "
done
reset_color
fi
if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
display_c YELLOW "Loading custom NOTRACK rules..."
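Review bot: The loop at `for i in \`grep -v "\#" $IPV4_INTERCEPT\`` passes every field of a config line straight into the iptables argument list without checking that the required ones are present: an entry with an empty protocol or port yields `-p --dport`, and an entry with an empty sixth field (anything other than `BYPASS`) yields `-j DNAT --to-destination` with no target, so iptables rejects the rule and the script moves on because the exit status of `$IPTABLES` is never examined. A minimal presence check before the `PROXY` test plus a report on a failed insert would tell the operator that a configured interception rule is not actually in the nat table; the IPV4_MATCH pattern added in the same commit could also be used to validate the address fields. Separately, `grep -v "\#"` drops any line containing `#` anywhere, not only comment lines, so a rule with a trailing comment is silently discarded — `grep -v '^[[:space:]]*#'` would keep it. Note too that an entry with empty SRCIF, SRCIP and DSTIP produces a PREROUTING DNAT matching on every interface and source; that may be intended for a transparent proxy, but it deserves a comment at the top of the `if [ "$IPV4_INTERCEPT" ]` block.
```shell
# … unchanged: field split into INTERCEPTADD and -i/-s/-d option assembly …
if [ -z "$DSTPROTO" ] || [ -z "$DSTPORT" ] || [ -z "$PROXY" ]; then
  display_c YELLOW "\tSkipping malformed intercept entry (need proto, port and proxy/BYPASS): ${i}"
  continue
fi
if [ "$PROXY" != "BYPASS" ]; then
  FINAL_RULE="-j DNAT --to-destination ${PROXY}"
else
  FINAL_RULE="-j ACCEPT"
fi
if ! $IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p "${DSTPROTO}" --dport "${DSTPORT}" \
    ${FINAL_RULE}; then
  display_c YELLOW "\tFailed to add intercept rule for entry: ${i}"
fi
# … unchanged: display_c summary line …
```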

@ -74,3 +74,13 @@ EXTIP_FIND="$BASEDIR/bin/get_default_ip"
# By default, we allow ipv6 critical icmp
IPV6_ICMP_CRITICAL=1
# IPv4 and IPv6 regex matches to determine if entry is valid. These may need
# to be tweaked over time. At the moment, we use by default the pattern here:
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
# If anyone wants to write these, feel free to!
IPV4_NETMASK_MATCH=""
IPV6_NETMASK_MATCH=""
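Review bot: IPV4_MATCH and IPV6_MATCH are assigned the identical pattern, and it is the IPv6 one from the linked Stack Overflow answer — it accepts any IPv6 address and only matches a dotted quad through its optional IPv4-mapped tail, so a value that passes IPV4_MATCH as "an IPv4 address" can still be an IPv6 literal. IPV4_MATCH needs its own dotted-quad pattern, e.g. `IPV4_MATCH="(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}"`. Two caveats belong in the comment above the definitions: the pattern uses PCRE-only constructs (atomic groups `(?>`, subroutine calls `(?1)`) and so works with `grep -P`/perl but not with bash `[[ =~ ]]` or `grep -E`; and neither pattern is anchored, so any validator must wrap it in `^...$` or it will accept an address embedded in arbitrary text.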

@ -109,6 +109,9 @@ TRUSTEDIP="127.0.0.1"
# use otherwise.
DONTTRACK="127.0.0.1"
# Intercept IPv4 packets for use in a transparent proxy
#IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept
# IP range(s) to forward
#ROUTING=$BASEDIR/conf/ipv4-routing
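Review bot: The new `#IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept` default gives no hint of the file's line format, which an operator can otherwise only recover by reading the parsing loop in the firewall script. Suggest expanding the comment to `# Intercept IPv4 packets for use in a transparent proxy. One rule per line, six |-separated fields:` / `#   SRCIF|SRCIP|DSTIP|PROTO|PORT|PROXY   (SRCIF, SRCIP, DSTIP may be empty; PROXY is the DNAT target, or BYPASS to ACCEPT instead)` / `# Lines containing # are ignored.`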
