brielle/Firewall-SOSDG
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Code optimization

Browse Source
This commit is contained in:
bbruns 2010-11-13 05:18:03 +00:00
parent 34fa66b7ba
commit 6c03b7d069
3 changed files with 49 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -3,6 +3,8 @@
fix an issue I noticed during testing
- Move icmp allow code
- Prevent duplicate icmp allow rules in NAT code
- NETMAP support in NAT code
- Removed pointless(?) and unneeded dupe codeâ
0.9.9a - Brielle Bruns <bruns@2mbit.com>
- Minor bug fixes for my coding errors introduced in

68
bin/firewall-sosdg
View File

@ -530,7 +530,7 @@ fi
if [ $NAT ]; then
if [ "$NAT_RANGE" ]; then
display_c YELLOW "Adding NAT rule:"
unset INIF_EXISTS OUTIF_EXISTS
unset INIF_EXISTS FWDIF_EXISTS
for i in $NAT_RANGE; do
NAT_RULE=( ${i//:/ } )
case ${NAT_RULE[0]} in
@ -538,38 +538,62 @@ if [ $NAT ]; then
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
INIF_EXISTS="${INIF_EXISTS} $i"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
-s ${NAT_RULE[2]} -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
-s ${NAT_RULE[2]} -j ACCEPT
INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
fi
if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}" ]]; then
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
OUTIF_EXISTS="${OUTIF_EXISTS} $i"
# This code seems pointless, anyone else have an opinion?
#if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}:${NAT_RULE[4]}" ]]; then
# $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
# $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
# OUTIF_EXISTS="${OUTIF_EXISTS} ${NAT_RULE[3]}:${NAT_RULE[4]}"
#fi
if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-o ${NAT_RULE[3]} -j ACCEPT
FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
fi
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
;;
MASQ)
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
INIF_EXISTS="${INIF_EXISTS} $i"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
-s ${NAT_RULE[2]} -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
-s ${NAT_RULE[2]} -j ACCEPT
INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
fi
if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}" ]]; then
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
OUTIF_EXISTS="${OUTIF_EXISTS} $i"
if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-o ${NAT_RULE[3]} -j ACCEPT
FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
fi
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
;;
NETMAP)
$IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
-s ${NAT_RULE[2]} -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
-s ${NAT_RULE[2]} -j ACCEPT
INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
fi
if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-o ${NAT_RULE[3]} -j ACCEPT
FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}"
fi
;;
*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
esac

2
options.default
View File

@ -80,7 +80,7 @@ DONTTRACK="127.0.0.1"
# IP NAT Rules
# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
# MASQ:<INT IF>:<INT IP>:<EXT IF>
# NETMAP::<INT IP RANGE>::<EXT IP RANGE>
# NETMAP:<INT IF>:<INT IP RANGE>:<EXT IF>:<EXT IP RANGE>
#NAT_RANGE=""