Compare commits


No commits in common. "master" and "v2.01a1" have entirely different histories.

16 changed files with 72 additions and 223 deletions

View File

@ -1,40 +1,3 @@
2.2.1 - 04/17/2021
- Add support for iptables options via IPTABLESOPT and IP6TABLESOPT. These options are
applied at the beginning of the command line options to EVERY instance of $IPTABLES.
Useful for '-w' to deal with xtables lock issues.
2.2 - 04/09/2020
- Add multiport support to acl/forward
2.1p2 - 02/27/2020
- Fix issue with NAT variable not being reset after being changed
2.1p1 - 01/01/2020
- Refactor NETMAP NAT target so its more flexible. See new example nat.conf file for details
2.1 Final - 07/12/2019
- Fix flush tables rule for raw
- Final 2.1 release since we've had 2.1 for 5 years now without being 'released'
2.1 Beta 1 - 11/19/2018
- Add run-after and run-before rules (custom/runafter.sh and custom/runbefore.sh)
2.1 Alpha 3 - 04/25/2016
- Fix issue with erasing variables in two different setups
- mss clamp fix for fwd target
2.1 Alpha 2 - 03/15/2015
- Unset variables in loops to make sure theres no leakage of
variables into the next run of the loop
04/09/2015
- Allow use of 'all' in MSS rules to match all forwarding/out traffic
2.1 Alpha 1 - 11/29/2014
- Added support for custom fields in NAT and ACL rules, as this allows
definition of Policy rules in the ACL files (mostly useful for IPSec)
- NAT rules no longer add accept state rules, should be added in forward.conf
manually
2.01 Alpha 1 - 07/27/2014 2.01 Alpha 1 - 07/27/2014
- Fix executable bits on .sh files in custom - Fix executable bits on .sh files in custom
- Make MSS clamp optional and allow setting MSS size manually - Make MSS clamp optional and allow setting MSS size manually
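Review bot: The changelog ordering is inconsistent and one entry is unlabelled: the "04/09/2015" entry (allow 'all' in MSS rules) carries no version, and it sits below "2.1 Alpha 2 - 03/15/2015", so the list is ordered neither by version nor by date; give that entry a version (or fold it into 2.1 Alpha 2) so tags and changelog entries can be matched. While touching the file, "so its more flexible" should be "so it's more flexible" and "theres no leakage" should be "there's no leakage".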

12
INSTALL
View File

@ -1,4 +1,4 @@
SRFirewall v2.2.1 http://www.sosdg.org/freestuff/firewall SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall
Written by: Brielle Bruns <bruns@2mbit.com> Written by: Brielle Bruns <bruns@2mbit.com>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
@ -21,14 +21,14 @@ it:
=== Begin commands === === Begin commands ===
cd /usr/src cd /usr/src
git clone https://git.sosdg.org/brielle/SRFirewall.git svn checkout http://firewall-sosdg.googlecode.com/svn/srfirewall srfirewall-trunk
ln -s /usr/src/srfirewall/lib /usr/local/lib/srfirewall ln -s /usr/src/srfirewall-trunk/lib /usr/local/lib/srfirewall
ln -s /usr/src/srfirewall/bin/srfirewall /usr/local/bin/srfirewall ln -s /usr/src/srfirewall-trunk/bin/srfirewall /usr/local/bin/srfirewall
cp -R /usr/src/srfirewall/etc /usr/local/etc/srfirewall cp -R /usr/src/srfirewall-trunk/etc /usr/local/etc/srfirewall
=== End commands === === End commands ===
Then when you want to update to bleeding edge, all you have to run is Then when you want to update to bleeding edge, all you have to run is
'git pull'. 'svn update'.
You _will_ need to look for newly changed/added files and update You _will_ need to look for newly changed/added files and update
appropriately. appropriately.
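Review bot: The clone step and the three commands after it disagree on the directory name: `git clone https://git.sosdg.org/brielle/SRFirewall.git` creates /usr/src/SRFirewall (repository name, case preserved), while the ln and cp lines reference /usr/src/srfirewall, so on a case-sensitive filesystem the symlinks dangle and the cp fails. Clone into the expected name explicitly, e.g. `git clone https://git.sosdg.org/brielle/SRFirewall.git srfirewall`. Moving from plain-http svn to https git is an improvement; since the checkout is sourced as root on every firewall start and refreshed with a bare 'git pull', the text could also suggest checking out a release tag rather than tracking the branch head.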

5
README
View File

@ -1,6 +1,5 @@
SRFirewall v2.2.1 SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall Written by:
http://www.sosdg.org/freestuff/firewall Brielle Bruns <bruns@2mbit.com>
Written by: Brielle Bruns <bruns@2mbit.com>
SRFirewall is a complete rewrite of Firewall/SOSDG v1.1, from scratch, SRFirewall is a complete rewrite of Firewall/SOSDG v1.1, from scratch,
with a completely new and reorganized config and file layout. with a completely new and reorganized config and file layout.

View File

@ -19,7 +19,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# Static config options, normally do not need to change # Static config options, normally do not need to change
FW_VERSION="2.2.1" FW_VERSION="2.0"
# Important directory locations # Important directory locations
FWPREFIX="/usr/local" FWPREFIX="/usr/local"
@ -155,16 +155,6 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
fi fi
fi fi
# Splice in iptables options via IPTABLESOPT and IP6TABLESOPT
if [ -x "${IPTABLES}" ] && [ -x "${IPTABLESOPT}" ]; then
IPTABLES="${IPTABLES} ${IPTABLESOPT}"
fi
if [ -x "${IP6TABLES}" ] && [ -x "${IP6TABLESOPT}" ]; then
IPTABLES="${IP6TABLES} ${IP6TABLESOPT}"
fi
# Set up proper state matching variables, since there is old and new style. # Set up proper state matching variables, since there is old and new style.
if [ "$StateMatching" ]; then if [ "$StateMatching" ]; then
case $StateMatching in case $StateMatching in
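Review bot: The IPTABLESOPT splice never takes effect as written: `[ -x "${IPTABLESOPT}" ]` tests whether the option string names an executable file, and a value such as `-w` is not a file, so the branch is skipped and the options are silently dropped; the test should be `[ -n "${IPTABLESOPT}" ]` (likewise for IP6TABLESOPT). The IPv6 branch also assigns to the wrong variable: `IPTABLES="${IP6TABLES} ${IP6TABLESOPT}"` overwrites the IPv4 command with the ip6tables binary, so with IP6TABLESOPT set every IPv4 rule would be issued to ip6tables; it should read `IP6TABLES="${IP6TABLES} ${IP6TABLESOPT}"`. Note as well that once IPTABLES holds "binary plus options", any later `[ -x "${IPTABLES}" ]` test of the kind used in this hunk fails, because the value is no longer a bare path; keep the binary path and the options in separate variables if such checks exist downstream.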
@ -184,10 +174,6 @@ fi
# Do IPv4 IPTables Rules # Do IPv4 IPTables Rules
if [ "${EnableIPv4}" == "yes" ]; then if [ "${EnableIPv4}" == "yes" ]; then
# Commands to run before everything else
if [ -x ${FWCONFIGDIR}/ipv4/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runbefore.sh; fi
# First flush all rules # First flush all rules
iptables_rules_flush ipv4 iptables_rules_flush ipv4
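Review bot: The hook is sourced with `.` into the root shell of the firewall script from an unquoted path; quote it (`"${FWCONFIGDIR}/ipv4/custom/runbefore.sh"`) so a FWCONFIGDIR containing whitespace does not split, and consider refusing to source the file unless it is owned by root and not group- or world-writable, since whatever it contains runs with the firewall's privileges before any rule is loaded. The same applies to the three sibling hook lines in this patch (ipv4 runafter, ipv6 runbefore, ipv6 runafter).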
@ -217,16 +203,10 @@ if [ "${EnableIPv4}" == "yes" ]; then
[[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4 [[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4
[[ ${Enablev4PortForwarding} == "yes" ]] && enable_portfw ipv4 [[ ${Enablev4PortForwarding} == "yes" ]] && enable_portfw ipv4
# Commands to run after everything else
if [ -x ${FWCONFIGDIR}/ipv4/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runafter.sh; fi
fi fi
# Do IPv6 IPTables Rules # Do IPv6 IPTables Rules
if [ "${EnableIPv6}" == "yes" ]; then if [ "${EnableIPv6}" == "yes" ]; then
# Commands to run before everything else
if [ -x ${FWCONFIGDIR}/ipv6/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runbefore.sh; fi
# First flush all rules # First flush all rules
iptables_rules_flush ipv6 iptables_rules_flush ipv6
@ -257,7 +237,5 @@ if [ "${EnableIPv6}" == "yes" ]; then
[[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6 [[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6
[[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6 [[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6
[[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks [[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks
# Commands to run after everything else
if [ -x ${FWCONFIGDIR}/ipv6/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runafter.sh; fi
fi fi

View File

@ -2,7 +2,7 @@
# Use this file to set up more complex access control lists. # Use this file to set up more complex access control lists.
# Use tabs or single space to separate # Use tabs or single space to separate
# #
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom> # <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
# #
# Direction: Required ( IN | OUT ) # Direction: Required ( IN | OUT )
# Action: Required (ACCEPT | DROP) # Action: Required (ACCEPT | DROP)
@ -14,12 +14,10 @@
# Protocol: Optional, Required if port is specified ( tcp | udp ) # Protocol: Optional, Required if port is specified ( tcp | udp )
# Syn: Optional, only match (not) syn packets (syn | notsyn ) # Syn: Optional, only match (not) syn packets (syn | notsyn )
# State: Optional, set the connection tracking states ( comma separated list ) # State: Optional, set the connection tracking states ( comma separated list )
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
#
# You can use '-' for optional fields # You can use '-' for optional fields
#============================================================ #============================================================
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom> #<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
#IN ACCEPT eth0 10.0.0.1 22 - - tcp - #IN ACCEPT eth0 10.0.0.1 22 - - tcp -
#IN DROP - - - - 22 tcp syn #IN DROP - - - - 22 tcp syn
#IN ACCEPT eth0 192.168.0.0/24 - 192.168.1.0/24 - - - -m policy --dir in --pol ipsec --proto esp
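Review bot: The Custom field description should state two things the other fields do not share: it is the last field read, so it absorbs the rest of the line and may contain spaces (the ipsec example depends on this), and its text is passed verbatim to iptables before `-j`, so a custom section that carries its own `-j` produces a "multiple -j flags" error rather than overriding the action. For the example itself, `-m policy --dir in` is only valid on IN rules; an OUT rule needs `--dir out`, which is worth saying next to the example.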

View File

@ -1,6 +0,0 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# After all other things are done when the script loads
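Review bot: The stub header should explain the hook's semantics rather than only when it runs: the file is sourced with `.` into the main script's shell, so it sees the script's variables (for instance ${IPTABLES} and ${FWCONFIGDIR}) and must not call `exit`, which would terminate the firewall script itself; it also needs the executable bit set, because the load check uses `-x` and otherwise silently skips the file. The same wording fits the other three stub files in this patch.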

View File

@ -1,6 +0,0 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before all other things are done when the script loads

View File

@ -2,7 +2,7 @@
# Use this file to set up network address translation rules # Use this file to set up network address translation rules
# Use tabs or single space to separate # Use tabs or single space to separate
# #
# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom> # <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
# #
# Action: Required ( ACCEPT | DROP ) # Action: Required ( ACCEPT | DROP )
# Source Interface: Optional ( interface name, aka eth0 ) # Source Interface: Optional ( interface name, aka eth0 )
@ -17,15 +17,13 @@
# Protocol: Optional, required if port numbers specified ( tcp | udp ) # Protocol: Optional, required if port numbers specified ( tcp | udp )
# Syn: Optional, only match (not) syn packets (syn | notsyn ) # Syn: Optional, only match (not) syn packets (syn | notsyn )
# State: Optional, set the connection tracking states ( comma separated list ) # State: Optional, set the connection tracking states ( comma separated list )
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
# #
# You can use '-' for optional fields # You can use '-' for optional fields
#============================================================ #============================================================
#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom> #<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
#ACCEPT eth0 - eth1 - yes #ACCEPT eth0 - eth1 - yes
#DROP eth1 192.168.2.0/24 eth0 0/0 no #DROP eth1 192.168.2.0/24 eth0 0/0 no
#DROP eth0 - eth1 192.168.0.0/24 no - 1:1024 tcp syn NEW #DROP eth0 - eth1 192.168.0.0/24 no - 1:1024 tcp syn NEW
#ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED #ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED
#IN ACCEPT eth0 192.168.0.0/24 eth1 192.168.1.0/24 yes - - - - - -m policy --dir in --pol ipsec --proto esp
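Review bot: The new example row `#IN ACCEPT eth0 192.168.0.0/24 eth1 ...` does not fit this file's format: forward.conf rows begin with `<action>` (ACCEPT | DROP) and have no direction field, so if uncommented the row is rejected as an invalid action and every following field is shifted by one. It appears to have been copied from acl.conf; it should read `#ACCEPT eth0 192.168.0.0/24 eth1 192.168.1.0/24 yes - - - - - -m policy --dir in --pol ipsec --proto esp`. The ipv6 forward.conf in this patch has the same problem in its last example line.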

View File

@ -2,20 +2,17 @@
# Use this file to set up network address translation rules # Use this file to set up network address translation rules
# Use tabs or single space to separate # Use tabs or single space to separate
# #
# <type> <src-interface> <src-address> <dst-interface> <dst-address> <custom> # <type> <src-interface> <src-address> <dst-interface> <dst-address>
# #
# Type: Required ( SNAT | MASQ | NETMAP | ACCEPT) # Type: Required ( SNAT | MASQ | NETMAP )
# Source Interface: Optional, ignored by NETMAP ( interface name, aka eth0 ) # Source Interface: Optional ( interface name, aka eth0 )
# Source Address: Optional ( IP address with optional netmask ) # Source Address: Optional ( IP address with optional netmask )
# Destination Interface: Optional for all but MASQ ( interface name, aka eth0 ) # Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
# Destination Address: Required for all but MASQ and NETMAP ( IP address with optional netmask ) # Destination Address: Required for all but MASQ ( IP address with optional netmask )
# Custom: Optional for all except NETMAP, set custom section after the source/dest and before ACCEPT/DROP
# Custom: Required for NETMAP, address to map TO, then all other custom options (see example)
# You can use '-' for optional fields # You can use '-' for optional fields
#============================================================ #============================================================
#<type> <src-interface> <src-address> <dst-interface> <dst-address> <custom> #<type> <src-interface> <src-address> <dst-interface> <dst-address>
#SNAT eth1 10.0.0.0/24 eth0 172.16.1.1 #SNAT eth1 10.0.0.0/24 eth0 172.16.1.1
#MASQ - - eth0 - #MASQ - - eth0 -
#NETMAP - 192.168.0.0/24 vpn0 - 172.16.0.0/24 #NETMAP eth1 192.168.0.0/24 vpn0 172.16.10.0/24
#^ ex: map src of 192.168.0.0/24 to 172.16.0.0/24 when it leaves via vpn0
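Review bot: ACCEPT is now a valid Type, but none of the field descriptions say what an ACCEPT row does in the nat table or which fields it requires; add a line for it next to SNAT/MASQ/NETMAP. The NETMAP rules are also spread over two Custom lines with opposite requirements ("Optional for all except NETMAP" and "Required for NETMAP"), which is easy to misread; a single line such as `# Custom: NETMAP - required, the address to map TO followed by any other options; other types - optional, placed after source/dest and before the target` would be clearer. The "^ ex:" comment under the NETMAP example is helpful and the Destination Address line correctly notes it is no longer required for NETMAP.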

View File

@ -2,7 +2,7 @@
# Use this file to set up more complex access control lists. # Use this file to set up more complex access control lists.
# Use tabs or single space to separate # Use tabs or single space to separate
# #
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom> # <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
# #
# Direction: Required ( IN | OUT ) # Direction: Required ( IN | OUT )
# Action: Required (ACCEPT | DROP) # Action: Required (ACCEPT | DROP)
@ -14,11 +14,10 @@
# Protocol: Optional, Required if port is specified ( tcp | udp ) # Protocol: Optional, Required if port is specified ( tcp | udp )
# Syn: Optional, only match (not) syn packets (syn | notsyn ) # Syn: Optional, only match (not) syn packets (syn | notsyn )
# State: Optional, set the connection tracking states ( comma separated list ) # State: Optional, set the connection tracking states ( comma separated list )
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
# #
# You can use '-' for optional fields # You can use '-' for optional fields
#============================================================ #============================================================
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom> #<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
#IN ACCEPT eth0 2002:dead:beef::/64 22 - - tcp - #IN ACCEPT eth0 2002:dead:beef::/64 22 - - tcp -
#IN DROP - - - - 22 tcp syn #IN DROP - - - - 22 tcp syn
#IN ACCEPT eth0 2002:dead:beef::/64 - 2002:dead:bfff::/64 - - - -m policy --dir in --pol ipsec --proto esp

View File

@ -1,6 +0,0 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# After all other things are done when the script loads

View File

@ -1,6 +0,0 @@
# This file is sourced by the main srfirewall program to inject
# custom commands/rules during specific moments of the firewall
# setup.
#
# In particular this file injects/commands rules:
# Before all other things are done when the script loads

View File

@ -2,7 +2,7 @@
# Use this file to set up network address translation rules # Use this file to set up network address translation rules
# Use tabs or single space to separate # Use tabs or single space to separate
# #
# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom> # <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
# #
# Action: Required ( ACCEPT | DROP ) # Action: Required ( ACCEPT | DROP )
# Source Interface: Optional ( interface name, aka eth0 ) # Source Interface: Optional ( interface name, aka eth0 )
@ -17,13 +17,11 @@
# Protocol: Optional, required if port numbers specified ( tcp | udp ) # Protocol: Optional, required if port numbers specified ( tcp | udp )
# Syn: Optional, only match (not) syn packets (syn | notsyn ) # Syn: Optional, only match (not) syn packets (syn | notsyn )
# State: Optional, set the connection tracking states ( comma separated list ) # State: Optional, set the connection tracking states ( comma separated list )
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
# #
# You can use '-' for optional fields # You can use '-' for optional fields
#============================================================ #============================================================
#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom> #<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
#ACCEPT eth0 - eth1 - yes #ACCEPT eth0 - eth1 - yes
#DROP eth1 2002::/64 eth0 2001::/3 no #DROP eth1 2002::/64 eth0 2001::/3 no
#DROP eth0 2001::/3 eth1 2002:dead:beef::/64 no - 1:1024 tcp syn #DROP eth0 2001::/3 eth1 2002:dead:beef::/64 no - 1:1024 tcp syn
#ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED #ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED
#IN ACCEPT eth0 2002:dead:beef::/64 eth1 2002:dead:bfff::/64 yes - - - - - -m policy --dir in --pol ipsec --proto esp

View File

@ -2,18 +2,16 @@
# Use this file to set up network address translation rules # Use this file to set up network address translation rules
# Use tabs or single space to separate # Use tabs or single space to separate
# #
# <type> <src-interface> <src-address> <dst-interface> <dst-address> <custom> # <type> <src-interface> <src-address> <dst-interface> <dst-address>
# #
# Type: Required ( SNAT | MASQ | NETMAP | ACCEPT) # Type: Required ( SNAT | MASQ | NETMAP )
# Source Interface: Optional ( interface name, aka eth0 ) # Source Interface: Optional ( interface name, aka eth0 )
# Source Address: Optional ( IP address with optional netmask ) # Source Address: Optional ( IP address with optional netmask )
# Destination Interface: Optional for all but MASQ ( interface name, aka eth0 ) # Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
# Destination Address: Required for all but MASQ ( IP address with optional netmask ) # Destination Address: Required for all but MASQ ( IP address with optional netmask )
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
#
# You can use '-' for optional fields # You can use '-' for optional fields
#============================================================ #============================================================
#<type> <src-interface> <src-address> <dst-interface> <dst-address> <custom> #<type> <src-interface> <src-address> <dst-interface> <dst-address>
#SNAT eth1 2002::/64 eth0 2001::1 #SNAT eth1 2002::/64 eth0 2001::1
#MASQ - - eth0 - #MASQ - - eth0 -
#NETMAP eth1 2002::/64 vpn0 fc00::/64 #NETMAP eth1 2002::/64 vpn0 fc00::/64
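Review bot: This file only received half of the NETMAP refactor: it documents Custom as optional for every type and its NETMAP example still places the mapped prefix in <dst-address> (`#NETMAP eth1 2002::/64 vpn0 fc00::/64`), while the ipv4 nat.conf in this patch makes Custom the required "address to map TO" for NETMAP and notes that the source interface is ignored. Since enable_nat reads both address families through the same code path (it opens `${FWCONFIGDIR}/ipv${IPVER}/nat.conf`), this example would now supply no mapping target and treat fc00::/64 as a destination match. Update the header and example to match the ipv4 file, e.g. `#NETMAP - 2002::/64 vpn0 - fc00::/64`.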

View File

@ -42,8 +42,6 @@ function iptables_rules_flush {
${VER_IPTABLES} -t nat -X &>/dev/null ${VER_IPTABLES} -t nat -X &>/dev/null
${VER_IPTABLES} -t mangle -F &>/dev/null ${VER_IPTABLES} -t mangle -F &>/dev/null
${VER_IPTABLES} -t mangle -X &>/dev/null ${VER_IPTABLES} -t mangle -X &>/dev/null
${VER_IPTABLES} -t raw -F &>/dev/null
${VER_IPTABLES} -t raw -X &>/dev/null
for i in `cat $TABLE_NAMES`; do for i in `cat $TABLE_NAMES`; do
${VER_IPTABLES} -F -t $i &>/dev/null ${VER_IPTABLES} -F -t $i &>/dev/null
done done
@ -177,25 +175,19 @@ function enable_mss_clamp {
while read -r interface mss type msssize; do while read -r interface mss type msssize; do
[[ ${interface} = \#* ]] && continue [[ ${interface} = \#* ]] && continue
[[ ${interface} = "" ]] && continue [[ ${interface} = "" ]] && continue
[[ ${interface} == "all" ]] && isallinterfaces="yes" [[ -z ${mss} ]] && mss="-"
#[[ -z ${mss} ]] && mss="-" [[ ${mss} == "-" ]] && mss="1400:1536"
[[ ${mss} != "-" ]] && mss="-m tcpmss --mss ${mss}"
[[ ${mss} == "-" ]] && mss=""
[[ -z ${type} ]] && type="-" [[ -z ${type} ]] && type="-"
[[ ${type} == "-" ]] && type="out" [[ ${type} == "-" ]] && type="${OutFilter}"
[[ ${type} == "out" ]] && type="${OutFilter}" [[ ${type} == "out" ]] && type="${OutFilter}"
[[ ${type} == "fwd" ]] && type="${FwdFilter}" [[ ${type} == "fwd" ]] && type="${FwdFilter}"
[[ -z ${msssize} ]] && msssize="-" [[ -z ${msssize} ]] && msssize="-"
[[ ${msssize} != "-" ]] && msssize="--set-mss ${msssize}" [[ ${msssize} != "-" ]] && msssize="--set-mss ${msssize}"
[[ ${msssize} == "-" ]] && msssize="--clamp-mss-to-pmtu" [[ ${msssize} == "-" ]] && msssize="--clamp-mss-to-pmtu"
#[[ ${interface} != "all" ]] && interface="-o ${interface}"
[[ ${type} == "${OutFilter}" ]] && interface="-o ${interface}"
[[ ${type} == "${FwdFilter}" ]] && interface="-o ${interface}"
[[ ${isallinterfaces} == "yes" ]] && interface=""
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type} ${msssize}" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type} ${msssize}"
${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \ ${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
${interface} ${mss} ${msssize} -o ${interface} -m tcpmss --mss ${mss} ${msssize}
unset interface mss type msssize isallinterfaces unset interface mss type msssize
done < "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
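Review bot: Commenting out `[[ -z ${mss} ]] && mss="-"` removes the only default for an empty second field, so a row consisting of just an interface (or `all`) now yields `mss="-m tcpmss --mss "` with no value, which iptables rejects; keep the `-z` default so an omitted field behaves like `-`. The rest of the `all` handling is sound: the interface is blanked only after the `-o` decisions, and isallinterfaces is unset at the end of each row. One behaviour change deserves a ChangeLog line: a `-` in the mss column no longer means the old 1400:1536 range but "clamp every SYN on that chain".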
@ -325,7 +317,7 @@ function enable_filtering {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state custom; do while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state; do
[[ ${direction} = \#* ]] && continue [[ ${direction} = \#* ]] && continue
[[ ${direction} = "" ]] && continue [[ ${direction} = "" ]] && continue
([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \ ([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
@ -338,8 +330,8 @@ function enable_filtering {
[[ -z ${state} ]] && state="-" [[ -z ${state} ]] && state="-"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}" ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}" ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}" [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}" [[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}" [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}" [[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}" ([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
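Review bot: The superseded single-port lines are commented out rather than removed (`#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"` and its --sport twin); the same pattern recurs in this patch for the forwarding port lines, the ESTABLISHED,RELATED defaults and the enable_nat reverse-address lines. Delete them: git history keeps the old version, and commented-out alternatives beside live code make it unclear which behaviour is intended.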
@ -351,16 +343,7 @@ function enable_filtering {
[[ ${syn} == "syn" ]] && syn="--syn" [[ ${syn} == "syn" ]] && syn="--syn"
[[ ${syn} == "notsyn" ]] && syn="! --syn" [[ ${syn} == "notsyn" ]] && syn="! --syn"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${custom}" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn}"
dstmultiport="no"
srcmultiport="no"
([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
# Blank variables that we're not going to use. # Blank variables that we're not going to use.
[[ ${interface} == "-" ]] && interface="" [[ ${interface} == "-" ]] && interface=""
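Review bot: Single source ports are rendered with the wrong option: `([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"` should use `--sport`. As written an ACL row with a plain src-port becomes a destination-port match (and yields a duplicate --dport when dst-port is also set, which iptables rejects), while a comma-separated src-port list correctly becomes `-m multiport --sports`. The multiport regex `(-|:|,)` also sends `a:b` ranges to multiport, which works, but `-` is not a range separator iptables accepts in either form, so a value such as `1024-65535` fails at rule-load time instead of being caught by the script's own validation; either drop `-` from the regex or reject it with a message.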
@ -370,10 +353,8 @@ function enable_filtering {
[[ ${srcaddress} == "-" ]] && srcaddress="" [[ ${srcaddress} == "-" ]] && srcaddress=""
[[ ${protocol} == "-" ]] && protocol="" [[ ${protocol} == "-" ]] && protocol=""
[[ ${syn} == "-" ]] && syn="" [[ ${syn} == "-" ]] && syn=""
[[ ${custom} == "-" ]] && custom=""
${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action} ${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
unset direction action interface srcaddress srcport dstaddress dstport protocol syn state custom conntrack_state
done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi
@ -390,7 +371,7 @@ function enable_forwarding {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom; do while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state; do
unset conntrack_state conntrack_udp_new revsrcaddress revdstaddress revdstinterface revsrcinterface revsrcport revdstport unset conntrack_state conntrack_udp_new revsrcaddress revdstaddress revdstinterface revsrcinterface revsrcport revdstport
[[ ${action} = \#* ]] && continue [[ ${action} = \#* ]] && continue
[[ -z ${action} ]] && continue [[ -z ${action} ]] && continue
@ -408,8 +389,8 @@ function enable_forwarding {
[[ -z ${syn} ]] && syn="-" [[ -z ${syn} ]] && syn="-"
[[ -z ${state} ]] && state="-" [[ -z ${state} ]] && state="-"
#([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED" ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
#([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED" ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}" ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}" ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
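Review bot: Commenting out the two default-state lines is a security-relevant behaviour change that the ChangeLog should call out: in v2.01a1 a forward.conf row with no <state> was restricted with `${M_STATE} ${C_STATE} ESTABLISHED,RELATED` when connection tracking was enabled, so it accepted only reply traffic; in master the same row matches every state, including NEW. Configurations written against the old default now permit new connections they previously did not. Either document the change and tell users to add NEW,ESTABLISHED,RELATED explicitly where wanted, or keep the default.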
@ -425,20 +406,10 @@ function enable_forwarding {
([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-" ([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-"
[[ ${syn} == "syn" ]] && syn="--syn" [[ ${syn} == "syn" ]] && syn="--syn"
[[ ${syn} == "notsyn" ]] && syn="! --syn" [[ ${syn} == "notsyn" ]] && syn="! --syn"
dstmultiport="no" [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
srcmultiport="no" [[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes" ([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes" ([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport=${srcport/sport/dport}
([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport=${dstport/dport/sport}
#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
#([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
#([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}" [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
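Review bot: The reverse rule derives its ports by substring substitution (`${srcport/sport/dport}` and `${dstport/dport/sport}`), which works for both `--sport N` and `-m multiport --sports a,b` because the first "sport"/"dport" substring is the option name; a comment saying so would stop a future reader from "fixing" it. One limit to document in forward.conf: multiport accepts at most 15 ports and an `a:b` range counts as two, so longer lists are rejected by iptables rather than by the script.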
@ -454,11 +425,9 @@ function enable_forwarding {
[[ ${state} == "-" ]] && state="" [[ ${state} == "-" ]] && state=""
[[ ${protocol} == "-" ]] && protocol="" [[ ${protocol} == "-" ]] && protocol=""
[[ ${bidirectional} == "-" ]] && bidirectional="no" [[ ${bidirectional} == "-" ]] && bidirectional="no"
[[ ${custom} == "-" ]] && custom=""
${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action} ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} ${custom} -j ${action} [[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} -j ${action}
unset action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom conntrack_state
done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi
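Review bot: the v2.01a1 side of the two `${VER_IPTABLES} -A ${FwdFilter}` lines drops `${custom}` and also drops the per-iteration `unset action srcinterface ... custom conntrack_state` before `done`. The `unset` matters: `read -r` clears the columns it reads, but derived variables such as `revsrcport`, `revdstport` and `conntrack_state` are assigned only under conditions, so a line that does not trigger them inherits the values computed for the previous line and the reverse rule can carry a stale port match. Keep the `unset`, or initialize each derived variable at the top of the loop body. Without the `custom` column, any extra field in forward.conf is appended into `state` by `read -r` (the last name receives the rest of the line), which the `[[ ${state} == "-" ]]` test will not catch; if custom matches are not supported, reject lines with more fields than expected rather than feeding them to iptables.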
@ -478,60 +447,44 @@ function enable_nat {
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful"
ORIG_NAT=${NAT} while read -r type srcinterface srcaddress dstinterface dstaddress; do
while read -r type srcinterface srcaddress dstinterface dstaddress custom; do
NAT=${ORIG_NAT}
[[ ${type} = \#* ]] && continue [[ ${type} = \#* ]] && continue
[[ ${type} = "" ]] && continue [[ ${type} = "" ]] && continue
([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]] && [[ ${type} != "ACCEPT" ]]) \ ([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]]) \
&& ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP/ACCEPT: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" && continue && ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" && continue
# Do some creative work with variables to make building the iptables rules fairly painless # Do some creative work with variables to make building the iptables rules fairly painless
#[[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}" [[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}"
#[[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}" [[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}"
#[[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}" [[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}"
#[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}" [[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
[[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}" [[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}" ([[ ${srcaddress} != "-" ]] && [[ ${type} != "NETMAP" ]]) && srcaddress="-s ${srcaddress}"
([[ ${srcinterface} != "-" ]] && [[ ${type} == "SNAT" ]]) && srcinterface="-"
([[ ${dstinterface} != "-" ]] && [[ ${type} == "MASQ" ]]) && action="-j MASQUERADE" ([[ ${dstinterface} != "-" ]] && [[ ${type} == "MASQ" ]]) && action="-j MASQUERADE"
([[ ${dstinterface} == "-" ]] && [[ ${type} == "MASQ" ]]) && \ ([[ ${dstinterface} == "-" ]] && [[ ${type} == "MASQ" ]]) && \
${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \ ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
&& continue && continue
([[ ${dstaddress} != "-" ]] && [[ ${type} == "ACCEPT" ]]) && action="-j ACCEPT" && dstaddress="-d ${dstaddress}"
([[ ${dstaddress} != "-" ]] && [[ ${type} == "SNAT" ]]) && action="-j SNAT" && dstaddress="--to-source ${dstaddress}" ([[ ${dstaddress} != "-" ]] && [[ ${type} == "SNAT" ]]) && action="-j SNAT" && dstaddress="--to-source ${dstaddress}"
([[ ${dstaddress} == "-" ]] && [[ ${type} == "SNAT" ]]) && \ ([[ ${dstaddress} == "-" ]] && [[ ${type} == "SNAT" ]]) && \
${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \ ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
&& continue && continue
[[ ${type} == "NETMAP" ]] && action="-j NETMAP" ([[ ${srcaddress} != "-" ]] && [[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && action="-j NETMAP" && srcaddress="-d ${srcaddress}" && dstaddress="--to ${dstaddress}"
([[ ${custom} == "" ]] && [[ ${type} == "NETMAP" ]]) && \
${display} RED "nat.conf: Error - NETMAP rule can not have empty custom address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" \
&& continue
([[ ${custom} != "" ]] && [[ ${type} == "NETMAP" ]]) && custom="--to ${custom}"
([[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && dstaddress="-d ${dstaddress}"
# If we use a source interface, the rule can't go in a POSTROUTING table like what NAT is, so we punt it to PREROUTING
# or it won't work. Plus we remove the destination interface too.
([[ ${srcinterface} != "-" ]] && [[ ${type} != "SNAT" ]]) && NAT="PREROUTING" && dstinterface="-" && srcinterface="-i ${srcinterface}"
#[[ ${srcinterface} != "-" ]] && NAT="PREROUTING" && dstinterface="-" && srcinterface="-i ${srcinterface}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${srcinterface} ${srcaddress} ${srcport} ${dstinterface} ${dstaddress} ${dstport} ${protocol} ${custom}" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
# Blank variables that we're not going to use. # Blank variables that we're not going to use.
[[ ${srcinterface} == "-" ]] && srcinterface="" [[ ${srcinterface} == "-" ]] && srcinterface=""
[[ ${dstinterface} == "-" ]] && dstinterface="" [[ ${dstinterface} == "-" ]] && dstinterface=""
[[ ${dstaddress} == "-" ]] && dstaddress="" [[ ${dstaddress} == "-" ]] && dstaddress=""
[[ ${srcaddress} == "-" ]] && srcaddress="" [[ ${srcaddress} == "-" ]] && srcaddress=""
[[ ${custom} == "-" ]] && custom=""
${VER_IPTABLES} -A ${NAT} -t nat ${srcinterface} ${srcaddress} ${action} ${dstinterface} ${dstaddress} ${custom} ${VER_IPTABLES} -A ${NAT} -t nat ${srcaddress} ${action} ${dstinterface} ${dstaddress}
#${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED,NEW ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT ${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED,NEW ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT
#${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${revsrcinterface} ${revsrcaddress} ${revdstinterface} -j ACCEPT ${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${revsrcinterface} ${revsrcaddress} ${revdstinterface} -j ACCEPT
unset type srcinterface srcaddress dstinterface dstaddress custom
done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi
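Review bot: the v2.01a1 side's debug line `${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"` prints variables this loop never reads (`direction`, `interface`, `srcport`, `dstport`, `protocol`) and omits `srcinterface`/`dstinterface`, so it reports stale values from earlier functions instead of the rule being built; the master side's version lists the real fields. Two further points on the v2.01a1 side: `srcinterface` is read and echoed in the error messages but never placed on the `${VER_IPTABLES} -A ${NAT} -t nat` line, so an interface given in the source column silently has no effect on the NAT rule (master handles it by switching `NAT` to PREROUTING with `-i ${srcinterface}` and restores `NAT=${ORIG_NAT}` at the top of each iteration so the switch does not stick for later rules); and the two `-A ${FwdFilter} ... -j ACCEPT` lines open forwarding with `NEW` for every NAT entry as a side effect, which master has commented out. Keeping NAT and filter policy in separate files is the least-privilege choice, so prefer master's behaviour here.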
@ -549,10 +502,10 @@ function enable_services {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/services.conf" ]; then if [ -e "${FWCONFIGDIR}/ipv${IPVER}/services.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/services.conf successful" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/services.conf successful"
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
while read -r service protocol interface address srcaddress; do while read -r service protocol interface address srcaddress; do
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
multiport="no" multiport="no"
[[ ${service} = \#* ]] && continue [[ ${service} = \#* ]] && continue
[[ -z ${service} ]] && continue [[ -z ${service} ]] && continue
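Review bot: `use_conntrack="no"` is assigned on both sides but never read anywhere in the visible code; remove it. On the placement of the two `conntrack_state=...` assignments (before the `while` on the v2.01a1 side, inside the loop body on master): they must agree with where `conntrack_state` is unset. Master unsets it at the end of every iteration, so it has to be recomputed per iteration as shown; moving the assignments outside the loop while keeping a per-iteration `unset` would leave every rule after the first without its `${M_STATE} ${C_STATE} NEW` match.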
@ -560,7 +513,7 @@ function enable_services {
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue && ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
[[ ${protocol} == "-" ]] \ [[ ${protocol} == "-" ]] \
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue && ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
[[ ${service} =~ (-|:|,) ]] && multiport="yes" [[ ${service} =~ "," ]] && multiport="yes"
# Do some creative work with variables to make building the iptables rules fairly painless # Do some creative work with variables to make building the iptables rules fairly painless
([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}" ([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}" ([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
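Review bot: the multiport test differs in scope: master's `[[ ${service} =~ (-|:|,) ]]` also routes `port:port` ranges and hyphenated service names (anything containing `-`) through `-m multiport --dports`, while the v2.01a1 `[[ ${service} =~ "," ]]` does so only for comma lists and leaves a single range to plain `--dport`, which iptables accepts. Whichever is intended should be stated in a comment next to the test. Separately, both sides' error messages in this hunk say `service.conf` while the file actually read is `services.conf`; fix the message so operators grep for the right file.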
@ -577,10 +530,9 @@ function enable_services {
[[ ${srcaddress} == "-" ]] && srcaddress="" [[ ${srcaddress} == "-" ]] && srcaddress=""
${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT ${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
unset service protocol interface address srcaddress conntrack_state
done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
unset service protocol interface address srcaddress
fi fi
} }
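Review bot: the v2.01a1 `unset service protocol interface address srcaddress` after `done` runs once per file and omits `conntrack_state`, so the value computed here survives into later functions (enable_portfw below assigns `conntrack_state` only when tracking is enabled and otherwise inherits whatever is already set). Master's per-iteration `unset ... conntrack_state` inside the loop covers both the cross-iteration and the cross-function case; prefer that form, or clear `conntrack_state` explicitly before each conditional assignment.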
@ -623,10 +575,10 @@ function enable_portfw {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf" ]; then if [ -e "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/portfw.conf successful" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/portfw.conf successful"
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
while read -r service protocol intip intport interface address srcaddress; do while read -r service protocol intip intport interface address srcaddress; do
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
[[ ${service} = \#* ]] && continue [[ ${service} = \#* ]] && continue
[[ -z ${service} ]] && continue [[ -z ${service} ]] && continue
[[ ${service} == "-" ]] \ [[ ${service} == "-" ]] \
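Review bot: same issue as in enable_services with the `conntrack_state` assignments (before the `while` on the v2.01a1 side, per iteration on master), plus one that applies to both sides: `conntrack_state` is only ever assigned when `Enablev4ConnectionTracking` or `Enablev6ConnectionTracking` is `yes`, and nothing sets it to an empty string when tracking is off, so the FORWARD ACCEPT for a port forward can pick up a stale `${M_STATE} ${C_STATE} NEW` fragment from an earlier function. Add an unconditional `conntrack_state=""` before the two conditional lines and drop the dead `use_conntrack="no"`.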
@ -661,7 +613,7 @@ function enable_portfw {
${VER_IPTABLES} -A ${PortForward} -t nat ${protocol} ${service} ${interface} ${address} ${srcaddress} -j DNAT ${intdest} ${VER_IPTABLES} -A ${PortForward} -t nat ${protocol} ${service} ${interface} ${address} ${srcaddress} -j DNAT ${intdest}
${VER_IPTABLES} -A ${FwdFilter} ${interface} ${intip} ${protocol} ${intport} ${srcaddress} ${conntrack_state} -j ACCEPT ${VER_IPTABLES} -A ${FwdFilter} ${interface} ${intip} ${protocol} ${intport} ${srcaddress} ${conntrack_state} -j ACCEPT
unset service protocol intip intport interface address srcaddress conntrack_state
done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf" done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi fi
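Review bot: the DNAT line uses `${intdest}`, which is in neither side's cleanup: master's `unset service protocol intip intport interface address srcaddress conntrack_state` leaves it out and the v2.01a1 side has no per-iteration `unset` at all. If `intdest` is built only when `intport` is present (its assignment is outside this hunk), a portfw.conf line without a port would reuse the previous line's target; add `intdest` to the `unset` list, or assign it unconditionally at the top of the loop body.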


@ -1,7 +0,0 @@
{
"version": "2.2.1",
"state": "stable",
"scope": "minor fixes",
"changes": "See CHANGELOG",
"download": "https://git.sosdg.org/brielle/SRFirewall/releases"
}
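Review bot: removing this file takes away the only machine-readable version record on the master side (`"version": "2.2.1"`, `"state": "stable"`) and the release `"download"` URL; if any tool consumes it, say so in the commit message so the dependency is visible. If the file is meant to stay on master, generate it at release time from a single source rather than hand-editing it, so the version string cannot drift from the one in the CHANGELOG that the `"changes"` field points to.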