From ff2cae92ef700f0ef937798f8fafc30950aa1098 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Thu, 25 Nov 2010 18:11:12 +0000
Subject: [PATCH] Option to use old style state or new conntrack state

---
 bin/firewall-sosdg | 53 +++++++++++++++++++++++++++++-----------------
 include/static | 3 +++
 options.default | 4 ++++
 3 files changed, 41 insertions(+), 19 deletions(-)

diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 3e19d56..6a87319 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -121,6 +121,21 @@ if [ "$MODULES_LOAD" ]; then
 echo -ne "\n"
 fi
 
+if [ "$STATE_TYPE" ]; then
+ case $STATE_TYPE in
+ conntrack|CONNTRACK|*)
+ M_STATE="-m conntrack"
+ C_STATE="--ctstate"
+ ;;
+ state|STATE)
+ M_STATE="-m state"
+ C_STATE="--state"
+ esac
+else
+ M_STATE="-m conntrack"
+ C_STATE="--ctstate"
+fi
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
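Review bot: The first `case` arm, `conntrack|CONNTRACK|*)`, contains the catch-all `*`, so it matches every value and the `state|STATE)` arm below it is unreachable; setting `STATE_TYPE=state` still produces `-m conntrack --ctstate`, which means the legacy option this commit advertises in options.default cannot actually be selected. Move the `state|STATE)` arm above the catch-all (or change the first pattern to `conntrack|CONNTRACK)` and add a final `*)` arm), and once the catch-all also covers the empty value the surrounding `if [ "$STATE_TYPE" ]`/`else` duplicate of the conntrack assignments can go. The security consequence is that on a host whose iptables lacks the conntrack match the operator has no working fallback, and unless the script checks the exit status of each `$IPTABLES -A` (not visible here) the rejected rules leave INPUT/OUTPUT/FORWARD without the intended state filtering. Minor: quote the selector, `case "$STATE_TYPE" in`, and terminate the second arm with `;;` like the first.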
@@ -293,15 +308,15 @@ if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
 fi
 
 if [ "$CONNTRACK" ]; then
- $IPTABLES -A INPUT -m state --state NEW -j ACCEPT
- $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
- $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
- $IPTABLES -A FORWARD -m state --state INVALID -j DROP
+ $IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
+ $IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+ $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+ #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
+ $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
+ $IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
+ $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
+ $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
 fi
 
 if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
@@ -468,7 +483,7 @@ if [ "$PORTFW" ] && [ "$NAT" ]; then
 $IPTABLES -A PREROUTING -t nat -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} \
 --dport ${PORTADD[3]} -d ${PORTADD[2]} -j DNAT --to \
 ${PORTADD[5]}:${PORTADD[6]}
- $IPTABLES -A INPUT -p ${PORTADD[4]} -m state --state NEW -s ${PORTADD[1]} \
+ $IPTABLES -A INPUT -p ${PORTADD[4]} ${M_STATE} ${C_STATE} NEW -s ${PORTADD[1]} \
 --dport ${PORTADD[3]} -d ${PORTADD[2]} -i ${PORTADD[0]} -j ACCEPT
 display_c DEFAULT "\t${GREEN}${PORTADD[0]}:${BLUE}${PORTADD[1]}:${PURPLE}${PORTADD[2]}:${PORTADD[3]}:${PORTADD[4]}${AQUA}->${BLUE}${PORTADD[5]}:${PORTADD[6]} "
 done
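Review bot: The line `#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT` is a policy change hidden inside a match-type refactor: with `CONNTRACK` set, new forwarded connections are no longer accepted globally, yet the subject line says nothing about it and a commented-out rule leaves no record of whether that is deliberate. Dropping the blanket accept is a reasonable tightening (absent earlier FORWARD rules it let any routed host open connections through the box), but it should be expressed, not commented out: delete the line and add `# NEW forwarded connections are deliberately not accepted here`, or if the intent is to tie it to the `FORWARD` option from options.default, write `[ "$FORWARD" ] && $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT`. Whatever is chosen, the IPv6 block later in this commit contains the same commented-out line and should get the same treatment so v4 and v6 forwarding policy do not drift apart.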
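Review bot: The rewritten INPUT accept matches the pre-DNAT destination, `-d ${PORTADD[2]} --dport ${PORTADD[3]}`, but INPUT is evaluated after the nat PREROUTING rule three lines above has already rewritten the packet to `${PORTADD[5]}:${PORTADD[6]}`, so a forwarded packet never carries those values by the time it reaches INPUT, and unless `${PORTADD[5]}` is a local address it traverses FORWARD rather than INPUT anyway. As far as this hunk shows, nothing accepts the post-DNAT flow in FORWARD, and the global `FORWARD … NEW` accept is commented out elsewhere in this commit, so port forwards to other hosts appear to depend on rules outside this view; this is pre-existing, but the commit touches the line. Accept the translated flow explicitly, e.g. `$IPTABLES -A FORWARD -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} -d ${PORTADD[5]} --dport ${PORTADD[6]} ${M_STATE} ${C_STATE} NEW -j ACCEPT`, and keep an INPUT variant matching `${PORTADD[5]}:${PORTADD[6]}` only if the forward target may be the firewall itself. The `for` loop that this `done` closes starts outside the hunk.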
@@ -833,15 +848,15 @@ fi
 fi
 
 if [ "$IPV6_CONNTRACK" ]; then
- $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
- $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IP6TABLES -A FORWARD -m state --state NEW -j ACCEPT
- $IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- $IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
- $IP6TABLES -A INPUT -m state --state INVALID -j DROP
- $IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
- $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
+ $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
+ $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+ $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+ #$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
+ $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+ $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
+ $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
+ $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
+ $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
 fi
 
 if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
diff --git a/include/static b/include/static
index 6cb4946..ed34c5b 100755
--- a/include/static
+++ b/include/static
@@ -56,3 +56,6 @@ NF_MULTIPORT_MAX_PORTS="7"
 
 # RFC 1918 Space
 RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
+
+# By default, use conntrack instead of state
+STATE_TYPE="conntrack"
diff --git a/options.default b/options.default
index 781b8eb..7e1487f 100755
--- a/options.default
+++ b/options.default
@@ -30,6 +30,10 @@ POSTRUN="$BASEDIR/conf/postrun"
 #CONNTRACK=1
 #FORWARD=1
 
+# Use old style state matches or new conntrack matches?
+# By default, lets use conntrack.
+#STATE_TYPE="conntrack"
+
 # Blocking incoming connections by default?
 #BLOCKINCOMING=1
 
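Review bot: This IPv6 block is, line for line, the IPv4 block with `$IP6TABLES` substituted for `$IPTABLES` (including the same commented-out `#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT`), and this commit had to edit both copies in lockstep; the next change that touches only one of them will open a v4/v6 policy gap that is hard to spot by eye. Since the file already uses bash arrays, a small function taking the binary as its argument would keep the two policies identical by construction, with the IPv4 site collapsing to `[ "$CONNTRACK" ] && conntrack_rules "$IPTABLES"`. The function would live near the top of the script where `M_STATE`/`C_STATE` are set, before either call site; whether the `FORWARD … NEW` accept belongs in it is a separate decision, so the sketch below leaves it out as this hunk does.

```shell
# Append the stateful accept/drop rule set to INPUT, OUTPUT and FORWARD of the
# given iptables binary ($1), so IPv4 and IPv6 policy cannot drift apart.
# Uses M_STATE/C_STATE as selected by STATE_TYPE above.
conntrack_rules() {
	local ipt="$1"
	$ipt -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
	$ipt -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
	$ipt -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
	$ipt -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
	$ipt -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
	$ipt -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
	$ipt -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
	$ipt -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
}

# … unchanged: IPv4 rules, port forwarding, IPv6 setup …
if [ "$IPV6_CONNTRACK" ]; then
	conntrack_rules "$IP6TABLES"
fi
```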
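Review bot: `STATE_TYPE="conntrack"` in include/static is an unconditional assignment, so if this file is sourced after the operator's options file (the sourcing order is not visible here) it silently overrides a `STATE_TYPE="state"` set there and the `#STATE_TYPE` hint this commit adds to options.default can never take effect. A default-only assignment, `: "${STATE_TYPE:=conntrack}"`, fills the value in only when it is unset or empty and is correct regardless of which file is read first. The comment should also name the alternative so the reader does not have to find the `case` in bin/firewall-sosdg: `# iptables state match: "conntrack" (-m conntrack --ctstate, default) or "state" (legacy -m state --state)`.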
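Review bot: The comment above `#STATE_TYPE="conntrack"` says a choice exists but never names the other value, so an operator has to read bin/firewall-sosdg to discover that `state` selects the legacy `-m state --state` match. Replace the two comment lines with `# STATE_TYPE: "conntrack" (default, -m conntrack --ctstate) or "state" (legacy -m state --state)`, which also fixes the `lets` → `let's` typo.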