Option to use old style state or new conntrack state
parent
58ef439312
commit
ff2cae92ef
|
@ -121,6 +121,21 @@ if [ "$MODULES_LOAD" ]; then
|
|||
echo -ne "\n"
|
||||
fi
|
||||
|
||||
if [ "$STATE_TYPE" ]; then
|
||||
case $STATE_TYPE in
|
||||
conntrack|CONNTRACK|*)
|
||||
M_STATE="-m conntrack"
|
||||
C_STATE="--ctstate"
|
||||
;;
|
||||
state|STATE)
|
||||
M_STATE="-m state"
|
||||
C_STATE="--state"
|
||||
esac
|
||||
else
|
||||
M_STATE="-m conntrack"
|
||||
C_STATE="--ctstate"
|
||||
fi
|
||||
|
||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
|
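Review bot: The `state|STATE)` arm is unreachable, because the first arm's pattern `conntrack|CONNTRACK|*)` ends in `*` and `case` takes the first matching arm, so `STATE_TYPE="state"` still selects `-m conntrack --ctstate` and the option the commit adds never takes effect. Drop the `|*` from the conntrack pattern and move the catch-all into a final arm so it only covers unrecognised values: `conntrack|CONNTRACK) M_STATE="-m conntrack"; C_STATE="--ctstate" ;;`, then `state|STATE) M_STATE="-m state"; C_STATE="--state" ;;`, then `*) M_STATE="-m conntrack"; C_STATE="--ctstate" ;;`. That last arm is also the place to print a warning to stderr, since a misspelt value silently falling back to conntrack is otherwise invisible to the operator.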
@ -293,15 +308,15 @@ if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
|
|||
fi
|
||||
|
||||
if [ "$CONNTRACK" ]; then
|
||||
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -m state --state INVALID -j DROP
|
||||
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
|
||||
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
|
||||
$IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
fi
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
|
||||
|
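Review bot: The old `$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT` is removed but its replacement `#$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT` is commented out, so this hunk tightens the FORWARD policy rather than only switching the match module; the IPv6 hunk does the same at `#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT`. If dropping NEW forwards is intended, it deserves a mention in the commit message and a comment on the line, e.g. `# NEW forwards are intentionally not accepted in this generic stateful block`; if it is not, the line should be restored uncommented. As written, a reader comparing the old and new rule sets will assume the change is a pure refactor and miss that forwarded connections are now only accepted by whatever other FORWARD rules exist.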
@ -468,7 +483,7 @@ if [ "$PORTFW" ] && [ "$NAT" ]; then
|
|||
$IPTABLES -A PREROUTING -t nat -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} \
|
||||
--dport ${PORTADD[3]} -d ${PORTADD[2]} -j DNAT --to \
|
||||
${PORTADD[5]}:${PORTADD[6]}
|
||||
$IPTABLES -A INPUT -p ${PORTADD[4]} -m state --state NEW -s ${PORTADD[1]} \
|
||||
$IPTABLES -A INPUT -p ${PORTADD[4]} ${M_STATE} ${C_STATE} NEW -s ${PORTADD[1]} \
|
||||
--dport ${PORTADD[3]} -d ${PORTADD[2]} -i ${PORTADD[0]} -j ACCEPT
|
||||
display_c DEFAULT "\t${GREEN}${PORTADD[0]}:${BLUE}${PORTADD[1]}:${PURPLE}${PORTADD[2]}:${PORTADD[3]}:${PORTADD[4]}${AQUA}->${BLUE}${PORTADD[5]}:${PORTADD[6]} "
|
||||
done
|
||||
|
@ -833,15 +848,15 @@ fi
|
|||
fi
|
||||
|
||||
if [ "$IPV6_CONNTRACK" ]; then
|
||||
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A FORWARD -m state --state NEW -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT -m state --state INVALID -j DROP
|
||||
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP
|
||||
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
fi
|
||||
|
||||
if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
|
||||
|
|
|
@ -56,3 +56,6 @@ NF_MULTIPORT_MAX_PORTS="7"
|
|||
|
||||
# RFC 1918 Space
|
||||
RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
|
||||
|
||||
# By default, use conntrack instead of state
|
||||
STATE_TYPE="conntrack"
|
||||
|
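Review bot: The comment above `STATE_TYPE="conntrack"` names the default but not the values the script accepts, so an operator editing the config has to find the `case` in the firewall script; the same applies to the commented example `#STATE_TYPE="conntrack"` in the other config hunk, whose comment also reads `lets` for `let's`. Suggest `# Stateful match module: "conntrack" (-m conntrack --ctstate, default) or "state" (-m state --state)` in both places.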
|
|
@ -30,6 +30,10 @@ POSTRUN="$BASEDIR/conf/postrun"
|
|||
#CONNTRACK=1
|
||||
#FORWARD=1
|
||||
|
||||
# Use old style state matches or new conntrack matches?
|
||||
# By default, lets use conntrack.
|
||||
#STATE_TYPE="conntrack"
|
||||
|
||||
# Blocking incoming connections by default?
|
||||
#BLOCKINCOMING=1
|
||||
|
||||
|
|