brielle/Firewall-SOSDG
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Marking support

Browse Source
This commit is contained in:
bbruns@gmail.com 2010-09-23 02:17:08 +00:00
parent f21a1de6eb
commit 486594fdd0
4 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -1,3 +1,7 @@
0.9.7 - Brielle Bruns <bruns@2mbit.com>
- Support for marking packets, uses new config file and
IPv4_MARK file option
0.9.6 - Brielle Bruns <bruns@2mbit.com>
- Minor changes to procedures in planning of 1.0

34
bin/firewall-sosdg
View File

@ -18,7 +18,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
FW_VERSION="0.9.6"
FW_VERSION="0.9.7"
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default,
@ -354,6 +354,38 @@ if [ $LANDHCPSERVER ]; then
fi
if [ -s "$BASEDIR/include/ipv4_custom_mark" ]; then
display_c YELLOW "Loading custom mark rules..."
. "$BASEDIR/include/ipv4_custom_mark"
fi
if [ -r "$IPv4_MARK" ]; then
display_c YELLOW "Adding mark: "
for i in `grep -v "\#" $IPv4_MARK`; do
MARK=( ${i//:/ } )
INIF=${MARK[0]}
INIP=${MARK[1]}
DSTIP=${MARK[2]}
IPMARK=${MARK[3]}
case $INIP in
!*) INNEG="!"
INIP=${INIP#\!};;
esac
case $DSTIP in
!*) DSTNEG="!"
DSTIP=${DSTIP#\!};;
esac
$IPTABLES -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
display_c DEFAULT "\t${GREEN}${INNEG}${INIF}:${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP}:${RED}${IPMARK}"
unset INNEG DSTNET
done
echo -ne "\n"
fi
if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
display_c YELLOW "Loading custom nat rules..."

6
ipv4-marks Normal file
View File

@ -0,0 +1,6 @@
# IPv4 Packet Marking
# Used to mark packets for specific routing (or other) purposes
# incoming-interface:src-range:dst-range:mark-num
# Use ! before IP/range to negate
# eth0:192.168.0.0/24:192.168.1.0/24:5
# ORDER MATTERS!

2
options.default
View File

@ -57,6 +57,8 @@ DONTTRACK="127.0.0.1"
# IP range(s) to forward
ROUTING=$BASEDIR/ipv4-routing
# Mark ipv4 packets for advanced purposes
IPv4_MARK=$BASEDIR/ipv4-marks
# Hacks to either block specific kinds of attacks or fix problems
#