brielle/SRFirewall
1
0
Fork 0
Code Issues Pull Requests Releases1 Wiki Activity

Browse Source
This commit is contained in:
bbruns 2014-04-06 17:52:32 +00:00
parent fcae1e266f
commit 38de7898dc
1 changed files with 36 additions and 2 deletions

38
lib/iptables.inc

@ -351,6 +351,9 @@ function enable_forwarding {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional; do while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional; do
[[ ${action} = \#* ]] && continue [[ ${action} = \#* ]] && continue
[[ ${action} = "" ]] && continue [[ ${action} = "" ]] && continue
@ -376,8 +379,10 @@ function enable_forwarding {
[[ ${srcaddress} == "-" ]] && srcaddress="" [[ ${srcaddress} == "-" ]] && srcaddress=""
[[ ${bidirectional} == "-" ]] && bidirectional="no" [[ ${bidirectional} == "-" ]] && bidirectional="no"
${VER_IPTABLES} -A ${FwdFilter} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} -j ${action} [[ ${action} == "DROP" ]] && conntrack_state=""
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${revsrcinterface} ${revsrcaddress} ${revdstinterface} ${revdstaddress} -j ${action}
${VER_IPTABLES} -A ${FwdFilter} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${conntrack_state} -j ${action}
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${revsrcinterface} ${revsrcaddress} ${revdstinterface} ${revdstaddress} ${conntrack_state} -j ${action}
done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi
@ -481,3 +486,32 @@ function enable_services {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi
} }
function enable_conntrack_int {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
conntrack_int="$2"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ${conntrack_int} == "all" ]]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
${VER_IPTABLES} -A ${OutPreRules} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} ${M_STATE} ${C_STATE} INVALID -j DROP
${VER_IPTABLES} -A ${InPreRules} ${M_STATE} ${C_STATE} INVALID -j DROP
else
for i in ${conntrack_int}; do
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${i}"
${VER_IPTABLES} -A ${OutPreRules} -o ${i} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -i ${i} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -o ${i} ${M_STATE} ${C_STATE} INVALID -j DROP
${VER_IPTABLES} -A ${InPreRules} -i ${i} ${M_STATE} ${C_STATE} INVALID -j DROP
done
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}