brielle/Firewall-SOSDG
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Adjusting NAT rules

Browse Source
This commit is contained in:
bbruns 2011-08-02 03:28:48 +00:00
parent c5947c45eb
commit b4bdbe17a3
1 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
bin/firewall-sosdg
View File

@ -339,10 +339,11 @@ fi
if [ "$CONNTRACK" ]; then if [ "$CONNTRACK" ]; then
#$IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT #$IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT # Now in the NAT rules
#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT #$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP $IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
@ -686,6 +687,7 @@ if [ $NAT ]; then
SNAT) SNAT)
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \ $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -s ${NAT_RULE[2]} -j ACCEPT
display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}" display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@ -694,12 +696,6 @@ if [ $NAT ]; then
-s ${NAT_RULE[2]} -j ACCEPT -s ${NAT_RULE[2]} -j ACCEPT
INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}" INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
fi fi
# This code seems pointless, anyone else have an opinion?
#if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}:${NAT_RULE[4]}" ]]; then
# $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
# $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
# OUTIF_EXISTS="${OUTIF_EXISTS} ${NAT_RULE[3]}:${NAT_RULE[4]}"
#fi
if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-o ${NAT_RULE[3]} -j ACCEPT -o ${NAT_RULE[3]} -j ACCEPT
@ -710,6 +706,7 @@ if [ $NAT ]; then
;; ;;
MASQ) MASQ)
$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]} $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -s ${NAT_RULE[2]} -j ACCEPT
display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}" display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@ -728,6 +725,7 @@ if [ $NAT ]; then
;; ;;
NETMAP) NETMAP)
$IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]} $IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -s ${NAT_RULE[2]} -j ACCEPT
display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}" display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \