From a1852a5e66a518fd989f2ca0e9c96979efdde64e Mon Sep 17 00:00:00 2001 From: "bbruns@gmail.com" Date: Sat, 1 Mar 2014 18:42:17 +0000 Subject: [PATCH] --- bin/srfirewall | 2 +- etc/chains.conf | 4 ++-- lib/iptables.inc | 35 ++++++++++++++++++++++++++++++----- 3 files changed, 33 insertions(+), 8 deletions(-) diff --git a/bin/srfirewall b/bin/srfirewall index aa91adf..70d5e41 100644 --- a/bin/srfirewall +++ b/bin/srfirewall @@ -60,7 +60,7 @@ if [[ "${EnableIPv4}" == "yes" ]]; then # Create the chain sets we'll need and the ones that can be # customized by users in their custom rules - + setup_iptables_chains ipv4 fi diff --git a/etc/chains.conf b/etc/chains.conf index 17c0d1d..7b12cae 100644 --- a/etc/chains.conf +++ b/etc/chains.conf @@ -25,11 +25,11 @@ InFilter="In-Filter" OutFilter="Out-Filter" -CustomNAT="CustomNAT" +CustomPostRouting="CustomPostRouting" NAT="NAT" -CustomPortForward="Custom-PortFW" +CustomPreRouting="Custom-PreRouting" PortForward="PortForward" diff --git a/lib/iptables.inc b/lib/iptables.inc index 9e87d45..f7ee75b 100644 --- a/lib/iptables.inc +++ b/lib/iptables.inc @@ -57,13 +57,14 @@ function iptables_policy_reset { # setup_iptables_chains (ipv4|ipv6) # Creates the default chains when called -function setup_uptables_chains { +function setup_iptables_chains { IP_VERSION=$1 case $IP_VERSION in ipv6) VER_IPTABLES=${IP6TABLES} ;; ipv4|*) VER_IPTABLES=${IPTABLES} ;; esac - ${display_c} GREEN "Setting up default chains for ${IP_VERSION}..." + # Create the actual chains + ${display_c} GREEN "Setting up chains for ${IP_VERSION}..." ${VER_IPTABLES} -N ${InCustomPreRules} ${VER_IPTABLES} -N ${InPreRules} ${VER_IPTABLES} -N ${OutCustomPreRules} @@ -77,12 +78,36 @@ function setup_uptables_chains { ${VER_IPTABLES} -N ${OutFilter} ${VER_IPTABLES} -N ${FwdCustomFilter} ${VER_IPTABLES} -N ${FwdFilter} - ${VER_IPTABLES} -N ${CustomNAT} + ${VER_IPTABLES} -N ${CustomPostRouting} ${VER_IPTABLES} -N ${NAT} - ${VER_IPTABLES} -N ${CustomPortForward} + ${VER_IPTABLES} -N ${CustomPreRouting} ${VER_IPTABLES} -N ${PortForward} ${VER_IPTABLES} -N ${InCustomPostRules} ${VER_IPTABLES} -N ${InPostRules} ${VER_IPTABLES} -N ${OutCustomPostRules} - ${VER_IPTABLES} -N ${InPostRules} + ${VER_IPTABLES} -N ${OutPostRules} + + # Set up rules - the order matters - we do it separately here + # for easy viewing of order + ${VER_IPTABLES} -A INPUT -j ${InCustomPreRules} + ${VER_IPTABLES} -A INPUT -j ${InPreRules} + ${VER_IPTABLES} -A OUTPUT -j ${OutCustomPreRules} + ${VER_IPTABLES} -A OUTPUT -j ${OutPreRules} + ${VER_IPTABLES} -A INPUT -j ${Trusted} + ${VER_IPTABLES} -A INPUT -j ${InEasyBlock} + ${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock} + ${VER_IPTABLES} -A INPUT -j ${InCustomFilter} + ${VER_IPTABLES} -A INPUT -j ${InFilter} + ${VER_IPTABLES} -A OUTPUT -j ${OutCustomFilter} + ${VER_IPTABLES} -A OUTPUT -j ${OutFilter} + ${VER_IPTABLES} -A FORWARD -j ${FwdCustomFilter} + ${VER_IPTABLES} -A FORWARD -j ${FwdFilter} + ${VER_IPTABLES} -A POSTROUTING -j ${CustomPostRouting} + ${VER_IPTABLES} -A POSTROUTING -j ${NAT} + ${VER_IPTABLES} -A PREROUTING -j ${CustomPreRouting} + ${VER_IPTABLES} -A PREROUTING -j ${PortForward} + ${VER_IPTABLES} -A INPUT -j ${InCustomPostRules} + ${VER_IPTABLES} -A INPUT -j ${InPostRules} + ${VER_IPTABLES} -A OUTPUT -j ${OutCustomPostRules} + ${VER_IPTABLES} -A OUTPUT -j${OutPostRules} } \ No newline at end of file