#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2014 Brielle Bruns
# Copyright (C) 2009 - 2014 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network. Best way to be safe, is to
# call iptables_policy_reset first then this function.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
# Globals written: IP_VERSION, VER_IPTABLES, TABLE_NAMES (kept global, as the
#                  rest of this file does)
# Outputs:   one progress line through ${display}; all iptables output is
#            discarded
function iptables_rules_flush {
  IP_VERSION=$1
  if [[ ${IP_VERSION} == ipv6 ]]; then
    VER_IPTABLES=${IP6TABLES}
    TABLE_NAMES=/proc/net/ip6_tables_names
  else
    VER_IPTABLES=${IPTABLES}
    TABLE_NAMES=/proc/net/ip_tables_names
  fi

  ${display} GREEN "Flushing ${IP_VERSION} rules..."

  # stdout/stderr are dropped on every call: a chain or table that is not
  # there is not treated as a failure while tearing everything down.
  local chain table
  ${VER_IPTABLES} -F &>/dev/null
  ${VER_IPTABLES} -X &>/dev/null
  for chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} -F "${chain}" &>/dev/null
  done
  for table in nat mangle; do
    ${VER_IPTABLES} -t "${table}" -F &>/dev/null
    ${VER_IPTABLES} -t "${table}" -X &>/dev/null
  done
  # With every rule gone, a DROP policy would cut all traffic - open them up.
  for chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} -P "${chain}" ACCEPT &>/dev/null
  done
  #for i in `cat $TABLE_NAMES`; do
  # ${VER_IPTABLES} -F -t $i &>/dev/null
  #done
  #${VER_IPTABLES} -X
}
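# iptables_policy_reset (ipv6|ipv4) (ACCEPT|DROP)
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
# If no policy given, assume ACCEPT
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}; anything else selects ${IPTABLES}
#            $2 - policy for the built-in INPUT/OUTPUT/FORWARD chains;
#                 defaults to ACCEPT when missing or empty
# Globals written: IP_VERSION, VER_IPTABLES, SET_POLICY (kept global, as the
#                  rest of this file does)
# Outputs:   one progress line through ${display_c}
function iptables_policy_reset {
  IP_VERSION=$1
  # ${2:-ACCEPT} substitutes the default. The previous ${2=ACCEPT} form tries
  # to assign to a positional parameter, which bash rejects, so the documented
  # default never applied and --policy ran with an empty argument.
  SET_POLICY=${2:-ACCEPT}
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES} ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ;;
  esac
  ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} --policy "${chain}" "${SET_POLICY}"
  done
}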
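# setup_iptables_chains (ipv4|ipv6)
# Creates the default chains when called
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and the ipv6 config tree;
#                 anything else selects ${IPTABLES} and ipv4
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global, as the rest
#                  of this file does)
# Side effects: creates the user chains named by ${InPreRules} ...
#   ${OutPostRules} (the NAT and PortForward ones in the nat table), hooks
#   them into the built-in chains in a fixed order, and sources any executable
#   ${FWCONFIGDIR}/ipv${IPVER}/custom/*.sh hook between the steps. A hook is
#   sourced, not executed: it runs inside this shell, with its privileges, and
#   can read and change its variables.
function setup_iptables_chains {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  # Quoted everywhere below: an unquoted path in [ -x ] and after '.' splits
  # on whitespace, so a FWCONFIGDIR containing a space would test (and source)
  # a different path than the one configured.
  local hook_dir="${FWCONFIGDIR}/ipv${IPVER}/custom"

  # Create the actual chains
  ${display} GREEN "Setting up chains for ${IP_VERSION}..."
  ${VER_IPTABLES} -N "${InPreRules}"
  ${VER_IPTABLES} -N "${OutPreRules}"
  ${VER_IPTABLES} -N "${InEasyBlock}"
  ${VER_IPTABLES} -N "${OutEasyBlock}"
  ${VER_IPTABLES} -N "${InFilter}"
  ${VER_IPTABLES} -N "${OutFilter}"
  ${VER_IPTABLES} -N "${FwdFilter}"
  ${VER_IPTABLES} -N "${NAT}" -t nat
  ${VER_IPTABLES} -N "${PortForward}" -t nat
  ${VER_IPTABLES} -N "${InPostRules}"
  ${VER_IPTABLES} -N "${OutPostRules}"

  # Set up rules - the order matters - we do it separately here
  # for easy viewing of order
  if [[ -x "${hook_dir}/prerun.sh" ]]; then . "${hook_dir}/prerun.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPreRules"
  ${VER_IPTABLES} -A INPUT -j "${InPreRules}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPreRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"

  if [[ -x "${hook_dir}/easyblock.sh" ]]; then . "${hook_dir}/easyblock.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InEasyBlock"
  ${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutEasyBlock"
  ${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"

  if [[ -x "${hook_dir}/filter.sh" ]]; then . "${hook_dir}/filter.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InFilter"
  ${VER_IPTABLES} -A INPUT -j "${InFilter}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutFilter"
  ${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up FwdFilter"
  ${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"

  if [[ -x "${hook_dir}/nat.sh" ]]; then . "${hook_dir}/nat.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up NAT"
  ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"

  if [[ -x "${hook_dir}/portfw.sh" ]]; then . "${hook_dir}/portfw.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up PortForward"
  ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"

  if [[ -x "${hook_dir}/postrun.sh" ]]; then . "${hook_dir}/postrun.sh"; fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
  ${VER_IPTABLES} -A INPUT -j "${InPostRules}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}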
# allow_all_loopback (ipv4|ipv6)
# Accepts every packet entering or leaving on the loopback interface by
# appending to the pre-rules chains, which setup_iptables_chains hooks first
# into INPUT and OUTPUT.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and ipv6; anything else ipv4
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global, as the rest
#                  of this file does)
function allow_all_loopback {
  IP_VERSION=$1
  if [[ ${IP_VERSION} == ipv6 ]]; then
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
  else
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loaded"
  # Inbound on lo (-i) and outbound on lo (-o) are both accepted unconditionally.
  ${VER_IPTABLES} -A "${InPreRules}" -i lo -j ACCEPT
  ${VER_IPTABLES} -A "${OutPreRules}" -o lo -j ACCEPT
}
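# allow_trusted_hosts (ipv4|ipv6)
# Accepts all traffic from and to every host listed in
# ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf, ahead of every filter chain.
# Hosts are whitespace separated, several per line are allowed, and a line
# containing a '#' anywhere is skipped as a whole.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and ipv6; anything else ipv4
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global, as the rest
#                  of this file does)
# Outputs:   debug lines through ${debug}; a missing file is reported through
#            ${display}
function allow_trusted_hosts {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local conf="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
  if [[ -e "${conf}" ]]; then
    local line host
    local -a hosts
    # Read line by line instead of word-splitting the output of grep: the
    # tokens are still split on whitespace (read -a), but no longer go through
    # pathname expansion, so a stray '*' in the file cannot expand to file
    # names. The || keeps a last line that has no trailing newline.
    while IFS= read -r line || [[ -n ${line} ]]; do
      # Same rule as the old grep -v '#': a '#' anywhere drops the whole line.
      [[ ${line} == *'#'* ]] && continue
      read -r -a hosts <<<"${line}"
      for host in "${hosts[@]}"; do
        # Anything from a trusted host in, and to it out, bypasses the filters.
        ${VER_IPTABLES} -A "${InPreRules}" -s "${host}" -j ACCEPT
        ${VER_IPTABLES} -A "${OutPreRules}" -d "${host}" -j ACCEPT
      done
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${conf}"
    ${display} RED "Error: can not load trusted hosts file."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}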
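# enable_mss_clamp (ipv4|ipv6)
# Adds one TCPMSS clamp-to-PMTU rule per line of
# ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf. Line format:
#   <out-interface> <mss-range|-> <out|fwd|-|chain-name>
# '-' (or a missing trailing field) selects the default: MSS range 1400:1536
# and the ${OutFilter} chain. "fwd" selects ${FwdFilter}; any other value is
# used as the chain name as-is.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and ipv6; anything else ipv4
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global, as the rest
#                  of this file does)
# Outputs:   debug lines through ${debug}; a missing file is reported through
#            ${display}
function enable_mss_clamp {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local conf="${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
  if [[ -e "${conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    local interface mss type
    # The || keeps a last line that has no trailing newline.
    while read -r interface mss type || [[ -n ${interface} ]]; do
      # Skip blank lines and comments.
      [[ -z ${interface} || ${interface} == '#'* ]] && continue
      # Defaults: an empty field (short line) is treated like '-'.
      [[ -z ${mss} || ${mss} == "-" ]] && mss="1400:1536"
      case ${type} in
        ""|-|out) type="${OutFilter}" ;;
        fwd) type="${FwdFilter}" ;;
      esac
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type}"
      # Match SYN packets leaving ${interface} whose MSS is within ${mss} and
      # clamp them to the path MTU.
      ${VER_IPTABLES} -A "${type}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
        --clamp-mss-to-pmtu -o "${interface}" -m tcpmss --mss "${mss}"
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${conf}"
    ${display} RED "Error: can not load mss clamp file."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}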
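# allow_resolvconf_servers (ipv4|ipv6)
# Reads the "nameserver" entries of ${ResolvConfv4File} (ipv4) or
# ${ResolvConfv6File} (ipv6) and accepts DNS client traffic (UDP and TCP,
# port 53) between this host and each listed server. Servers of the other
# address family are skipped; a ':' in the address marks IPv6.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES}, ipv6 and ${ResolvConfv6File};
#                 anything else selects ${IPTABLES}, ipv4 and ${ResolvConfv4File}
# Globals written: IP_VERSION, VER_IPTABLES, IPVER, ResolvConfFile (kept
#                  global, as the rest of this file does)
# Outputs:   debug lines through ${debug}; a missing file is reported through
#            ${display}
function allow_resolvconf_servers {
  IP_VERSION=$1
  # The resolv.conf file is chosen here, alongside the tool, so the case
  # default (anything that is not "ipv6" is ipv4) applies to both.
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6"
          ResolvConfFile="${ResolvConfv6File}" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4"
          ResolvConfFile="${ResolvConfv4File}" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
  if [[ -e "${ResolvConfFile}" ]]; then
    local type server proto
    # The || keeps a last line that has no trailing newline.
    while read -r type server || [[ -n ${type} ]]; do
      [[ ${type} != "nameserver" ]] && continue
      # If we see a : in the server variable, we are most likely dealing with
      # an ipv6 address - keep only the family being configured.
      [[ ${server} == *:* && ${IPVER} == "4" ]] && continue
      [[ ${server} != *:* && ${IPVER} == "6" ]] && continue
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
      # This host is the client: its queries leave through OUTPUT with the
      # server as destination (-d), and the replies enter through INPUT with
      # the server as source (-s). The earlier rules had -s/-d the other way
      # round, so they only ever matched a resolver running on a local address.
      for proto in udp tcp; do
        ${VER_IPTABLES} -A "${OutPreRules}" -p "${proto}" -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
        ${VER_IPTABLES} -A "${InPreRules}" -p "${proto}" -s "${server}" --dport 1024:65535 --sport 53 -j ACCEPT
      done
    done < "${ResolvConfFile}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${ResolvConfFile}"
    ${display} RED "Error: can not load resolv.conf file."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}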
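# allow_dnsclient_manual (ipv4|ipv6) "<server> [<server> ...]"
# Accepts DNS client traffic (UDP and TCP, port 53) between this host and
# each whitespace-separated server address given in $2.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and ipv6; anything else ipv4
#            $2 - whitespace-separated list of DNS server addresses; may be
#                 empty, in which case no rule is added
# Globals written: IP_VERSION, VER_IPTABLES, IPVER, DNS_SERVERS (kept global,
#                  as the rest of this file does)
# Outputs:   debug lines through ${debug}
function allow_dnsclient_manual {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  DNS_SERVERS="$2"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local server proto
  local -a servers
  # Split the list on whitespace only; unlike an unquoted ${DNS_SERVERS} in a
  # for loop this does no pathname expansion.
  read -r -a servers <<<"${DNS_SERVERS}"
  for server in "${servers[@]}"; do
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
    # This host is the client: queries go out to the server (-d in OUTPUT),
    # replies come back from it (-s in INPUT). The earlier rules had -s/-d
    # swapped and so only matched a resolver on a local address.
    for proto in udp tcp; do
      ${VER_IPTABLES} -A "${OutPreRules}" -p "${proto}" -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${VER_IPTABLES} -A "${InPreRules}" -p "${proto}" -s "${server}" --dport 1024:65535 --sport 53 -j ACCEPT
    done
  done
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}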
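# enable_easyblock (ipv4|ipv6)
# Adds one DROP rule per line of ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf.
# Line format (five fields, '-' for "not used"):
#   IN|OUT <interface> <address> <port> <protocol>
# IN rules go to ${InEasyBlock} with the interface as -i and the address as
# source; OUT rules go to ${OutEasyBlock} with the interface as -o and the
# address as destination. Lines with fewer than five fields are reported and
# skipped.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and ipv6; anything else ipv4
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global, as the rest
#                  of this file does)
# Outputs:   debug lines through ${debug}; malformed lines through ${display}
function enable_easyblock {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local conf="${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
  if [[ -e "${conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    local direction interface address port protocol chain fields
    local -a args
    # The || keeps a last line that has no trailing newline.
    while read -r direction interface address port protocol || [[ -n ${direction} ]]; do
      # Skip blank lines and comments.
      [[ -z ${direction} || ${direction} == '#'* ]] && continue
      fields="${direction} ${interface} ${address} ${port} ${protocol}"
      # Errors use if/continue rather than `cond && display && continue`, so
      # the line is skipped regardless of what ${display} returns.
      if [[ ${direction} != "IN" && ${direction} != "OUT" ]]; then
        ${display} RED "easyblock.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${fields}"
        continue
      fi
      # protocol is the last field, so it is empty exactly when the line is
      # short. A short line used to produce an option with no value and an
      # iptables error; report it instead.
      if [[ -z ${protocol} ]]; then
        ${display} RED "easyblock.conf: Error - expected 5 fields: ${DEFAULT_COLOR}${fields}"
        continue
      fi
      # Build the match as an array so each value stays a single argument;
      # '-' fields are simply left out.
      args=()
      if [[ ${direction} == "IN" ]]; then
        chain="${InEasyBlock}"
        [[ ${interface} != "-" ]] && args+=(-i "${interface}")
        [[ ${address} != "-" ]] && args+=(-s "${address}")
      else
        chain="${OutEasyBlock}"
        [[ ${interface} != "-" ]] && args+=(-o "${interface}")
        [[ ${address} != "-" ]] && args+=(-d "${address}")
      fi
      [[ ${protocol} != "-" ]] && args+=(-p "${protocol}")
      [[ ${port} != "-" ]] && args+=(--dport "${port}")
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${direction} ${args[*]}"
      ${VER_IPTABLES} -A "${chain}" "${args[@]}" -j DROP
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}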
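# enable_filtering (ipv4|ipv6)
# Adds one ACCEPT or DROP rule per line of ${FWCONFIGDIR}/ipv${IPVER}/acl.conf.
# Line format (eight fields, '-' for "not used"):
#   IN|OUT ACCEPT|DROP <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
# IN rules go to ${InFilter} with the interface as -i, OUT rules to
# ${OutFilter} with the interface as -o. Lines with fewer than eight fields
# are reported and skipped.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and ipv6; anything else ipv4
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global, as the rest
#                  of this file does)
# Outputs:   debug lines through ${debug}; malformed lines through ${display}
function enable_filtering {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local conf="${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
  if [[ -e "${conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    local direction action interface srcaddress srcport dstaddress dstport protocol chain fields
    local -a args
    # The || keeps a last line that has no trailing newline.
    while read -r direction action interface srcaddress srcport dstaddress dstport protocol || [[ -n ${direction} ]]; do
      # Skip blank lines and comments.
      [[ -z ${direction} || ${direction} == '#'* ]] && continue
      fields="${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
      # Errors use if/continue rather than `cond && display && continue`, so
      # the line is skipped regardless of what ${display} returns.
      if [[ ${direction} != "IN" && ${direction} != "OUT" ]]; then
        ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${fields}"
        continue
      fi
      if [[ ${action} != "ACCEPT" && ${action} != "DROP" ]]; then
        ${display} RED "acl.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${fields}"
        continue
      fi
      # protocol is the last field, so it is empty exactly when the line is
      # short. Reject such lines instead of guessing: an ACCEPT built from a
      # partial line would match more traffic than the author wrote down.
      if [[ -z ${protocol} ]]; then
        ${display} RED "acl.conf: Error - expected 8 fields: ${DEFAULT_COLOR}${fields}"
        continue
      fi
      # Build the match as an array so each value stays a single argument;
      # '-' fields are simply left out.
      args=()
      if [[ ${direction} == "IN" ]]; then
        chain="${InFilter}"
        [[ ${interface} != "-" ]] && args+=(-i "${interface}")
      else
        chain="${OutFilter}"
        [[ ${interface} != "-" ]] && args+=(-o "${interface}")
      fi
      [[ ${protocol} != "-" ]] && args+=(-p "${protocol}")
      [[ ${srcaddress} != "-" ]] && args+=(-s "${srcaddress}")
      [[ ${srcport} != "-" ]] && args+=(--sport "${srcport}")
      [[ ${dstaddress} != "-" ]] && args+=(-d "${dstaddress}")
      [[ ${dstport} != "-" ]] && args+=(--dport "${dstport}")
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${args[*]}"
      ${VER_IPTABLES} -A "${chain}" "${args[@]}" -j "${action}"
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}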
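# enable_nat (ipv4|ipv6)
# Adds one nat-table rule plus one FORWARD accept rule per line of
# ${FWCONFIGDIR}/ipv${IPVER}/nat.conf. Line format (five fields, '-' for
# "not used"):
#   SNAT|MASQ|NETMAP <src-interface> <src-address> <dst-interface> <dst-address>
# MASQ   needs a dst-interface and takes no dst-address.
# SNAT   needs a dst-address (used as --to-source).
# NETMAP needs both addresses: src-address is matched as -d, dst-address is
#        used as --to.
# The FORWARD rule accepts RELATED,ESTABLISHED traffic through ${FwdFilter}
# for the same interfaces and address. Malformed lines are reported and
# skipped.
#
# Arguments: $1 - "ipv6" selects ${IP6TABLES} and ipv6; anything else ipv4
# Globals read: NAT, FwdFilter, M_STATE, C_STATE (the last two are expanded
#               unquoted, as before, so a multi-word value still splits)
# Globals written: IP_VERSION, VER_IPTABLES, IPVER (kept global, as the rest
#                  of this file does)
# Outputs:   debug lines through ${debug}; malformed lines through ${display}
function enable_nat {
  IP_VERSION=$1
  case ${IP_VERSION} in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local conf="${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
  if [[ -e "${conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    local type srcinterface srcaddress dstinterface dstaddress fields
    local -a nat_args fwd_args
    # The || keeps a last line that has no trailing newline.
    while read -r type srcinterface srcaddress dstinterface dstaddress || [[ -n ${type} ]]; do
      # Skip blank lines and comments.
      [[ -z ${type} || ${type} == '#'* ]] && continue
      fields="${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
      # Errors use if/continue rather than `cond && display && continue`, so
      # the line is skipped regardless of what ${display} returns.
      if [[ ${type} != "SNAT" && ${type} != "MASQ" && ${type} != "NETMAP" ]]; then
        ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${DEFAULT_COLOR}${fields}"
        continue
      fi
      # dstaddress is the last field, so it is empty exactly when the line is short.
      if [[ -z ${dstaddress} ]]; then
        ${display} RED "nat.conf: Error - expected 5 fields: ${DEFAULT_COLOR}${fields}"
        continue
      fi
      # Both rules are built as arrays so each value stays a single argument
      # and '-' fields are simply left out. The nat rule never carries the
      # source interface; the FORWARD rule carries both interfaces.
      nat_args=()
      fwd_args=()
      [[ ${srcinterface} != "-" ]] && fwd_args+=(-i "${srcinterface}")
      case ${type} in
        MASQ)
          if [[ ${dstinterface} == "-" ]]; then
            ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${fields}"
            continue
          fi
          if [[ ${dstaddress} != "-" ]]; then
            ${display} RED "nat.conf: Error - MASQ rule does not take a destination address (use SNAT): ${DEFAULT_COLOR}${fields}"
            continue
          fi
          if [[ ${srcaddress} != "-" ]]; then
            nat_args+=(-s "${srcaddress}")
            fwd_args+=(-s "${srcaddress}")
          fi
          nat_args+=(-j MASQUERADE -o "${dstinterface}")
          fwd_args+=(-o "${dstinterface}")
          ;;
        SNAT)
          if [[ ${dstaddress} == "-" ]]; then
            ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${fields}"
            continue
          fi
          if [[ ${srcaddress} != "-" ]]; then
            nat_args+=(-s "${srcaddress}")
            fwd_args+=(-s "${srcaddress}")
          fi
          nat_args+=(-j SNAT)
          if [[ ${dstinterface} != "-" ]]; then
            nat_args+=(-o "${dstinterface}")
            fwd_args+=(-o "${dstinterface}")
          fi
          nat_args+=(--to-source "${dstaddress}")
          ;;
        NETMAP)
          # Previously a NETMAP line with a '-' address fell through and
          # reused whatever -j the last line had set; reject it instead.
          if [[ ${srcaddress} == "-" || ${dstaddress} == "-" ]]; then
            ${display} RED "nat.conf: Error - NETMAP rule needs both a source and a destination address: ${DEFAULT_COLOR}${fields}"
            continue
          fi
          nat_args+=(-d "${srcaddress}" -j NETMAP)
          fwd_args+=(-d "${srcaddress}")
          if [[ ${dstinterface} != "-" ]]; then
            nat_args+=(-o "${dstinterface}")
            fwd_args+=(-o "${dstinterface}")
          fi
          nat_args+=(--to "${dstaddress}")
          ;;
      esac
      # The old debug line printed acl.conf variables that do not exist here.
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${type} ${nat_args[*]} / forward: ${fwd_args[*]}"
      ${VER_IPTABLES} -A "${NAT}" -t nat "${nat_args[@]}"
      ${VER_IPTABLES} -A "${FwdFilter}" ${M_STATE} ${C_STATE} RELATED,ESTABLISHED "${fwd_args[@]}" -j ACCEPT
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}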