Compare commits
No commits in common. "master" and "v2.01a1" have entirely different histories.
37
CHANGELOG
37
CHANGELOG
|
|
@ -1,40 +1,3 @@
|
|||
2.2.1 - 04/17/2021
|
||||
- Add support for iptables options via IPTABLESOPT and IP6TABLESOPT. These options are
|
||||
applied at the beginning of the command line options to EVERY instance of $IPTABLES.
|
||||
Useful for '-w' to deal with xtables lock issues.
|
||||
|
||||
2.2 - 04/09/2020
|
||||
- Add multiport support to acl/forward
|
||||
|
||||
2.1p2 - 02/27/2020
|
||||
- Fix issue with NAT variable not being reset after being changed
|
||||
|
||||
2.1p1 - 01/01/2020
|
||||
- Refactor NETMAP NAT target so its more flexible. See new example nat.conf file for details
|
||||
|
||||
2.1 Final - 07/12/2019
|
||||
- Fix flush tables rule for raw
|
||||
- Final 2.1 release since we've had 2.1 for 5 years now without being 'released'
|
||||
|
||||
2.1 Beta 1 - 11/19/2018
|
||||
- Add run-after and run-before rules (custom/runafter.sh and custom/runbefore.sh)
|
||||
|
||||
2.1 Alpha 3 - 04/25/2016
|
||||
- Fix issue with erasing variables in two different setups
|
||||
- mss clamp fix for fwd target
|
||||
|
||||
2.1 Alpha 2 - 03/15/2015
|
||||
- Unset variables in loops to make sure theres no leakage of
|
||||
variables into the next run of the loop
|
||||
04/09/2015
|
||||
- Allow use of 'all' in MSS rules to match all forwarding/out traffic
|
||||
|
||||
2.1 Alpha 1 - 11/29/2014
|
||||
- Added support for custom fields in NAT and ACL rules, as this allows
|
||||
definition of Policy rules in the ACL files (mostly useful for IPSec)
|
||||
- NAT rules no longer add accept state rules, should be added in forward.conf
|
||||
manually
|
||||
|
||||
2.01 Alpha 1 - 07/27/2014
|
||||
- Fix executable bits on .sh files in custom
|
||||
- Make MSS clamp optional and allow setting MSS size manually
|
||||
|
|
|
|||
12
INSTALL
12
INSTALL
|
|
@ -1,4 +1,4 @@
|
|||
SRFirewall v2.2.1 http://www.sosdg.org/freestuff/firewall
|
||||
SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall
|
||||
Written by: Brielle Bruns <bruns@2mbit.com>
|
||||
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
||||
|
||||
|
|
@ -21,14 +21,14 @@ it:
|
|||
|
||||
=== Begin commands ===
|
||||
cd /usr/src
|
||||
git clone https://git.sosdg.org/brielle/SRFirewall.git
|
||||
ln -s /usr/src/srfirewall/lib /usr/local/lib/srfirewall
|
||||
ln -s /usr/src/srfirewall/bin/srfirewall /usr/local/bin/srfirewall
|
||||
cp -R /usr/src/srfirewall/etc /usr/local/etc/srfirewall
|
||||
svn checkout http://firewall-sosdg.googlecode.com/svn/srfirewall srfirewall-trunk
|
||||
ln -s /usr/src/srfirewall-trunk/lib /usr/local/lib/srfirewall
|
||||
ln -s /usr/src/srfirewall-trunk/bin/srfirewall /usr/local/bin/srfirewall
|
||||
cp -R /usr/src/srfirewall-trunk/etc /usr/local/etc/srfirewall
|
||||
=== End commands ===
|
||||
|
||||
Then when you want to update to bleeding edge, all you have to run is
|
||||
'git pull'.
|
||||
'svn update'.
|
||||
|
||||
You _will_ need to look for newly changed/added files and update
|
||||
appropriately.
|
||||
|
|
|
|||
5
README
5
README
|
|
@ -1,6 +1,5 @@
|
|||
SRFirewall v2.2.1
|
||||
http://www.sosdg.org/freestuff/firewall
|
||||
Written by: Brielle Bruns <bruns@2mbit.com>
|
||||
SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall Written by:
|
||||
Brielle Bruns <bruns@2mbit.com>
|
||||
|
||||
SRFirewall is a complete rewrite of Firewall/SOSDG v1.1, from scratch,
|
||||
with a completely new and reorganized config and file layout.
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# Static config options, normally do not need to change
|
||||
FW_VERSION="2.2.1"
|
||||
FW_VERSION="2.0"
|
||||
|
||||
# Important directory locations
|
||||
FWPREFIX="/usr/local"
|
||||
|
|
@ -155,16 +155,6 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
|
|||
fi
|
||||
fi
|
||||
|
||||
# Splice in iptables options via IPTABLESOPT and IP6TABLESOPT
|
||||
if [ -x "${IPTABLES}" ] && [ -x "${IPTABLESOPT}" ]; then
|
||||
IPTABLES="${IPTABLES} ${IPTABLESOPT}"
|
||||
fi
|
||||
|
||||
if [ -x "${IP6TABLES}" ] && [ -x "${IP6TABLESOPT}" ]; then
|
||||
IPTABLES="${IP6TABLES} ${IP6TABLESOPT}"
|
||||
fi
|
||||
|
||||
|
||||
# Set up proper state matching variables, since there is old and new style.
|
||||
if [ "$StateMatching" ]; then
|
||||
case $StateMatching in
|
||||
|
|
@ -184,10 +174,6 @@ fi
|
|||
|
||||
# Do IPv4 IPTables Rules
|
||||
if [ "${EnableIPv4}" == "yes" ]; then
|
||||
|
||||
# Commands to run before everything else
|
||||
if [ -x ${FWCONFIGDIR}/ipv4/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runbefore.sh; fi
|
||||
|
||||
# First flush all rules
|
||||
iptables_rules_flush ipv4
|
||||
|
||||
|
|
@ -217,16 +203,10 @@ if [ "${EnableIPv4}" == "yes" ]; then
|
|||
[[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4
|
||||
[[ ${Enablev4PortForwarding} == "yes" ]] && enable_portfw ipv4
|
||||
|
||||
# Commands to run after everything else
|
||||
if [ -x ${FWCONFIGDIR}/ipv4/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runafter.sh; fi
|
||||
|
||||
fi
|
||||
|
||||
# Do IPv6 IPTables Rules
|
||||
if [ "${EnableIPv6}" == "yes" ]; then
|
||||
# Commands to run before everything else
|
||||
if [ -x ${FWCONFIGDIR}/ipv6/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runbefore.sh; fi
|
||||
|
||||
# First flush all rules
|
||||
iptables_rules_flush ipv6
|
||||
|
||||
|
|
@ -257,7 +237,5 @@ if [ "${EnableIPv6}" == "yes" ]; then
|
|||
[[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6
|
||||
[[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6
|
||||
[[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks
|
||||
# Commands to run after everything else
|
||||
if [ -x ${FWCONFIGDIR}/ipv6/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runafter.sh; fi
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# Use this file to set up more complex access control lists.
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
|
||||
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
|
||||
#
|
||||
# Direction: Required ( IN | OUT )
|
||||
# Action: Required (ACCEPT | DROP)
|
||||
|
|
@ -14,12 +14,10 @@
|
|||
# Protocol: Optional, Required if port is specified ( tcp | udp )
|
||||
# Syn: Optional, only match (not) syn packets (syn | notsyn )
|
||||
# State: Optional, set the connection tracking states ( comma separated list )
|
||||
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
|
||||
#
|
||||
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
|
||||
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
|
||||
#IN ACCEPT eth0 10.0.0.1 22 - - tcp -
|
||||
#IN DROP - - - - 22 tcp syn
|
||||
#IN ACCEPT eth0 192.168.0.0/24 - 192.168.1.0/24 - - - -m policy --dir in --pol ipsec --proto esp
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +0,0 @@
|
|||
# This file is sourced by the main srfirewall program to inject
|
||||
# custom commands/rules during specific moments of the firewall
|
||||
# setup.
|
||||
#
|
||||
# In particular this file injects/commands rules:
|
||||
# After all other things are done when the script loads
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
# This file is sourced by the main srfirewall program to inject
|
||||
# custom commands/rules during specific moments of the firewall
|
||||
# setup.
|
||||
#
|
||||
# In particular this file injects/commands rules:
|
||||
# Before all other things are done when the script loads
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
# Use this file to set up network address translation rules
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
|
||||
# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
|
||||
#
|
||||
# Action: Required ( ACCEPT | DROP )
|
||||
# Source Interface: Optional ( interface name, aka eth0 )
|
||||
|
|
@ -17,15 +17,13 @@
|
|||
# Protocol: Optional, required if port numbers specified ( tcp | udp )
|
||||
# Syn: Optional, only match (not) syn packets (syn | notsyn )
|
||||
# State: Optional, set the connection tracking states ( comma separated list )
|
||||
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
|
||||
#
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
|
||||
#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
|
||||
#ACCEPT eth0 - eth1 - yes
|
||||
#DROP eth1 192.168.2.0/24 eth0 0/0 no
|
||||
#DROP eth0 - eth1 192.168.0.0/24 no - 1:1024 tcp syn NEW
|
||||
#ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED
|
||||
#IN ACCEPT eth0 192.168.0.0/24 eth1 192.168.1.0/24 yes - - - - - -m policy --dir in --pol ipsec --proto esp
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -2,20 +2,17 @@
|
|||
# Use this file to set up network address translation rules
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
|
||||
# <type> <src-interface> <src-address> <dst-interface> <dst-address>
|
||||
#
|
||||
# Type: Required ( SNAT | MASQ | NETMAP | ACCEPT)
|
||||
# Source Interface: Optional, ignored by NETMAP ( interface name, aka eth0 )
|
||||
# Type: Required ( SNAT | MASQ | NETMAP )
|
||||
# Source Interface: Optional ( interface name, aka eth0 )
|
||||
# Source Address: Optional ( IP address with optional netmask )
|
||||
# Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
|
||||
# Destination Address: Required for all but MASQ and NETMAP ( IP address with optional netmask )
|
||||
# Custom: Optional for all except NETMAP, set custom section after the source/dest and before ACCEPT/DROP
|
||||
# Custom: Required for NETMAP, address to map TO, then all other custom options (see example)
|
||||
# Destination Address: Required for all but MASQ ( IP address with optional netmask )
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
|
||||
#<type> <src-interface> <src-address> <dst-interface> <dst-address>
|
||||
#SNAT eth1 10.0.0.0/24 eth0 172.16.1.1
|
||||
#MASQ - - eth0 -
|
||||
#NETMAP - 192.168.0.0/24 vpn0 - 172.16.0.0/24
|
||||
#^ ex: map src of 192.168.0.0/24 to 172.16.0.0/24 when it leaves via vpn0
|
||||
#NETMAP eth1 192.168.0.0/24 vpn0 172.16.10.0/24
|
||||
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# Use this file to set up more complex access control lists.
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
|
||||
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
|
||||
#
|
||||
# Direction: Required ( IN | OUT )
|
||||
# Action: Required (ACCEPT | DROP)
|
||||
|
|
@ -14,11 +14,10 @@
|
|||
# Protocol: Optional, Required if port is specified ( tcp | udp )
|
||||
# Syn: Optional, only match (not) syn packets (syn | notsyn )
|
||||
# State: Optional, set the connection tracking states ( comma separated list )
|
||||
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
|
||||
#
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
|
||||
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
|
||||
#IN ACCEPT eth0 2002:dead:beef::/64 22 - - tcp -
|
||||
#IN DROP - - - - 22 tcp syn
|
||||
#IN ACCEPT eth0 2002:dead:beef::/64 - 2002:dead:bfff::/64 - - - -m policy --dir in --pol ipsec --proto esp
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +0,0 @@
|
|||
# This file is sourced by the main srfirewall program to inject
|
||||
# custom commands/rules during specific moments of the firewall
|
||||
# setup.
|
||||
#
|
||||
# In particular this file injects/commands rules:
|
||||
# After all other things are done when the script loads
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
# This file is sourced by the main srfirewall program to inject
|
||||
# custom commands/rules during specific moments of the firewall
|
||||
# setup.
|
||||
#
|
||||
# In particular this file injects/commands rules:
|
||||
# Before all other things are done when the script loads
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
# Use this file to set up network address translation rules
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
|
||||
# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
|
||||
#
|
||||
# Action: Required ( ACCEPT | DROP )
|
||||
# Source Interface: Optional ( interface name, aka eth0 )
|
||||
|
|
@ -17,13 +17,11 @@
|
|||
# Protocol: Optional, required if port numbers specified ( tcp | udp )
|
||||
# Syn: Optional, only match (not) syn packets (syn | notsyn )
|
||||
# State: Optional, set the connection tracking states ( comma separated list )
|
||||
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
|
||||
#
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
|
||||
#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
|
||||
#ACCEPT eth0 - eth1 - yes
|
||||
#DROP eth1 2002::/64 eth0 2001::/3 no
|
||||
#DROP eth0 2001::/3 eth1 2002:dead:beef::/64 no - 1:1024 tcp syn
|
||||
#ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED
|
||||
#IN ACCEPT eth0 2002:dead:beef::/64 eth1 2002:dead:bfff::/64 yes - - - - - -m policy --dir in --pol ipsec --proto esp
|
||||
|
|
|
|||
|
|
@ -2,18 +2,16 @@
|
|||
# Use this file to set up network address translation rules
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
|
||||
# <type> <src-interface> <src-address> <dst-interface> <dst-address>
|
||||
#
|
||||
# Type: Required ( SNAT | MASQ | NETMAP | ACCEPT)
|
||||
# Type: Required ( SNAT | MASQ | NETMAP )
|
||||
# Source Interface: Optional ( interface name, aka eth0 )
|
||||
# Source Address: Optional ( IP address with optional netmask )
|
||||
# Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
|
||||
# Destination Address: Required for all but MASQ ( IP address with optional netmask )
|
||||
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
|
||||
#
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
|
||||
#<type> <src-interface> <src-address> <dst-interface> <dst-address>
|
||||
#SNAT eth1 2002::/64 eth0 2001::1
|
||||
#MASQ - - eth0 -
|
||||
#NETMAP eth1 2002::/64 vpn0 fc00::/64
|
||||
|
|
|
|||
122
lib/iptables.inc
122
lib/iptables.inc
|
|
@ -42,8 +42,6 @@ function iptables_rules_flush {
|
|||
${VER_IPTABLES} -t nat -X &>/dev/null
|
||||
${VER_IPTABLES} -t mangle -F &>/dev/null
|
||||
${VER_IPTABLES} -t mangle -X &>/dev/null
|
||||
${VER_IPTABLES} -t raw -F &>/dev/null
|
||||
${VER_IPTABLES} -t raw -X &>/dev/null
|
||||
for i in `cat $TABLE_NAMES`; do
|
||||
${VER_IPTABLES} -F -t $i &>/dev/null
|
||||
done
|
||||
|
|
@ -177,25 +175,19 @@ function enable_mss_clamp {
|
|||
while read -r interface mss type msssize; do
|
||||
[[ ${interface} = \#* ]] && continue
|
||||
[[ ${interface} = "" ]] && continue
|
||||
[[ ${interface} == "all" ]] && isallinterfaces="yes"
|
||||
#[[ -z ${mss} ]] && mss="-"
|
||||
[[ ${mss} != "-" ]] && mss="-m tcpmss --mss ${mss}"
|
||||
[[ ${mss} == "-" ]] && mss=""
|
||||
[[ -z ${mss} ]] && mss="-"
|
||||
[[ ${mss} == "-" ]] && mss="1400:1536"
|
||||
[[ -z ${type} ]] && type="-"
|
||||
[[ ${type} == "-" ]] && type="out"
|
||||
[[ ${type} == "-" ]] && type="${OutFilter}"
|
||||
[[ ${type} == "out" ]] && type="${OutFilter}"
|
||||
[[ ${type} == "fwd" ]] && type="${FwdFilter}"
|
||||
[[ -z ${msssize} ]] && msssize="-"
|
||||
[[ ${msssize} != "-" ]] && msssize="--set-mss ${msssize}"
|
||||
[[ ${msssize} == "-" ]] && msssize="--clamp-mss-to-pmtu"
|
||||
#[[ ${interface} != "all" ]] && interface="-o ${interface}"
|
||||
[[ ${type} == "${OutFilter}" ]] && interface="-o ${interface}"
|
||||
[[ ${type} == "${FwdFilter}" ]] && interface="-o ${interface}"
|
||||
[[ ${isallinterfaces} == "yes" ]] && interface=""
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type} ${msssize}"
|
||||
${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||
${interface} ${mss} ${msssize}
|
||||
unset interface mss type msssize isallinterfaces
|
||||
-o ${interface} -m tcpmss --mss ${mss} ${msssize}
|
||||
unset interface mss type msssize
|
||||
done < "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
|
||||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||
|
|
@ -325,7 +317,7 @@ function enable_filtering {
|
|||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
|
||||
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
|
||||
while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state custom; do
|
||||
while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state; do
|
||||
[[ ${direction} = \#* ]] && continue
|
||||
[[ ${direction} = "" ]] && continue
|
||||
([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
|
||||
|
|
@ -338,8 +330,8 @@ function enable_filtering {
|
|||
[[ -z ${state} ]] && state="-"
|
||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
|
||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
|
||||
#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
|
||||
[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
|
||||
([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
|
||||
|
|
@ -351,16 +343,7 @@ function enable_filtering {
|
|||
[[ ${syn} == "syn" ]] && syn="--syn"
|
||||
[[ ${syn} == "notsyn" ]] && syn="! --syn"
|
||||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${custom}"
|
||||
|
||||
dstmultiport="no"
|
||||
srcmultiport="no"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn}"
|
||||
|
||||
# Blank variables that we're not going to use.
|
||||
[[ ${interface} == "-" ]] && interface=""
|
||||
|
|
@ -370,10 +353,8 @@ function enable_filtering {
|
|||
[[ ${srcaddress} == "-" ]] && srcaddress=""
|
||||
[[ ${protocol} == "-" ]] && protocol=""
|
||||
[[ ${syn} == "-" ]] && syn=""
|
||||
[[ ${custom} == "-" ]] && custom=""
|
||||
|
||||
${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action}
|
||||
unset direction action interface srcaddress srcport dstaddress dstport protocol syn state custom conntrack_state
|
||||
${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
|
||||
done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||
fi
|
||||
|
|
@ -390,7 +371,7 @@ function enable_forwarding {
|
|||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
|
||||
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
|
||||
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom; do
|
||||
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state; do
|
||||
unset conntrack_state conntrack_udp_new revsrcaddress revdstaddress revdstinterface revsrcinterface revsrcport revdstport
|
||||
[[ ${action} = \#* ]] && continue
|
||||
[[ -z ${action} ]] && continue
|
||||
|
|
@ -408,8 +389,8 @@ function enable_forwarding {
|
|||
[[ -z ${syn} ]] && syn="-"
|
||||
[[ -z ${state} ]] && state="-"
|
||||
|
||||
#([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
|
||||
#([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
|
||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
|
||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
|
||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
|
||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
|
||||
|
||||
|
|
@ -425,20 +406,10 @@ function enable_forwarding {
|
|||
([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-"
|
||||
[[ ${syn} == "syn" ]] && syn="--syn"
|
||||
[[ ${syn} == "notsyn" ]] && syn="! --syn"
|
||||
dstmultiport="no"
|
||||
srcmultiport="no"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport=${srcport/sport/dport}
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport=${dstport/dport/sport}
|
||||
#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
#([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
|
||||
#([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
|
||||
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
|
||||
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
||||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
|
||||
|
|
@ -454,11 +425,9 @@ function enable_forwarding {
|
|||
[[ ${state} == "-" ]] && state=""
|
||||
[[ ${protocol} == "-" ]] && protocol=""
|
||||
[[ ${bidirectional} == "-" ]] && bidirectional="no"
|
||||
[[ ${custom} == "-" ]] && custom=""
|
||||
|
||||
${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action}
|
||||
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} ${custom} -j ${action}
|
||||
unset action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom conntrack_state
|
||||
${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
|
||||
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} -j ${action}
|
||||
done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||
fi
|
||||
|
|
@ -478,60 +447,44 @@ function enable_nat {
|
|||
|
||||
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful"
|
||||
ORIG_NAT=${NAT}
|
||||
while read -r type srcinterface srcaddress dstinterface dstaddress custom; do
|
||||
NAT=${ORIG_NAT}
|
||||
while read -r type srcinterface srcaddress dstinterface dstaddress; do
|
||||
[[ ${type} = \#* ]] && continue
|
||||
[[ ${type} = "" ]] && continue
|
||||
([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]] && [[ ${type} != "ACCEPT" ]]) \
|
||||
&& ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP/ACCEPT: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" && continue
|
||||
([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]]) \
|
||||
&& ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" && continue
|
||||
|
||||
# Do some creative work with variables to make building the iptables rules fairly painless
|
||||
#[[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}"
|
||||
#[[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}"
|
||||
#[[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}"
|
||||
#[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
|
||||
[[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}"
|
||||
[[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}"
|
||||
[[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}"
|
||||
[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
|
||||
[[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
|
||||
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
|
||||
([[ ${srcinterface} != "-" ]] && [[ ${type} == "SNAT" ]]) && srcinterface="-"
|
||||
([[ ${srcaddress} != "-" ]] && [[ ${type} != "NETMAP" ]]) && srcaddress="-s ${srcaddress}"
|
||||
|
||||
([[ ${dstinterface} != "-" ]] && [[ ${type} == "MASQ" ]]) && action="-j MASQUERADE"
|
||||
([[ ${dstinterface} == "-" ]] && [[ ${type} == "MASQ" ]]) && \
|
||||
${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
|
||||
&& continue
|
||||
|
||||
([[ ${dstaddress} != "-" ]] && [[ ${type} == "ACCEPT" ]]) && action="-j ACCEPT" && dstaddress="-d ${dstaddress}"
|
||||
([[ ${dstaddress} != "-" ]] && [[ ${type} == "SNAT" ]]) && action="-j SNAT" && dstaddress="--to-source ${dstaddress}"
|
||||
([[ ${dstaddress} == "-" ]] && [[ ${type} == "SNAT" ]]) && \
|
||||
${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
|
||||
&& continue
|
||||
|
||||
[[ ${type} == "NETMAP" ]] && action="-j NETMAP"
|
||||
([[ ${custom} == "" ]] && [[ ${type} == "NETMAP" ]]) && \
|
||||
${display} RED "nat.conf: Error - NETMAP rule can not have empty custom address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" \
|
||||
&& continue
|
||||
([[ ${custom} != "" ]] && [[ ${type} == "NETMAP" ]]) && custom="--to ${custom}"
|
||||
([[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && dstaddress="-d ${dstaddress}"
|
||||
|
||||
# If we use a source interface, the rule can't go in a POSTROUTING table like what NAT is, so we punt it to PREROUTING
|
||||
# or it won't work. Plus we remove the destination interface too.
|
||||
([[ ${srcinterface} != "-" ]] && [[ ${type} != "SNAT" ]]) && NAT="PREROUTING" && dstinterface="-" && srcinterface="-i ${srcinterface}"
|
||||
#[[ ${srcinterface} != "-" ]] && NAT="PREROUTING" && dstinterface="-" && srcinterface="-i ${srcinterface}"
|
||||
([[ ${srcaddress} != "-" ]] && [[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && action="-j NETMAP" && srcaddress="-d ${srcaddress}" && dstaddress="--to ${dstaddress}"
|
||||
|
||||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${srcinterface} ${srcaddress} ${srcport} ${dstinterface} ${dstaddress} ${dstport} ${protocol} ${custom}"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
|
||||
|
||||
# Blank variables that we're not going to use.
|
||||
[[ ${srcinterface} == "-" ]] && srcinterface=""
|
||||
[[ ${dstinterface} == "-" ]] && dstinterface=""
|
||||
[[ ${dstaddress} == "-" ]] && dstaddress=""
|
||||
[[ ${srcaddress} == "-" ]] && srcaddress=""
|
||||
[[ ${custom} == "-" ]] && custom=""
|
||||
|
||||
${VER_IPTABLES} -A ${NAT} -t nat ${srcinterface} ${srcaddress} ${action} ${dstinterface} ${dstaddress} ${custom}
|
||||
#${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED,NEW ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT
|
||||
#${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${revsrcinterface} ${revsrcaddress} ${revdstinterface} -j ACCEPT
|
||||
unset type srcinterface srcaddress dstinterface dstaddress custom
|
||||
${VER_IPTABLES} -A ${NAT} -t nat ${srcaddress} ${action} ${dstinterface} ${dstaddress}
|
||||
${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED,NEW ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT
|
||||
${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${revsrcinterface} ${revsrcaddress} ${revdstinterface} -j ACCEPT
|
||||
done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||
fi
|
||||
|
|
@ -549,10 +502,10 @@ function enable_services {
|
|||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
|
||||
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/services.conf" ]; then
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/services.conf successful"
|
||||
while read -r service protocol interface address srcaddress; do
|
||||
use_conntrack="no"
|
||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||
while read -r service protocol interface address srcaddress; do
|
||||
multiport="no"
|
||||
[[ ${service} = \#* ]] && continue
|
||||
[[ -z ${service} ]] && continue
|
||||
|
|
@ -560,7 +513,7 @@ function enable_services {
|
|||
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||
[[ ${protocol} == "-" ]] \
|
||||
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||
[[ ${service} =~ (-|:|,) ]] && multiport="yes"
|
||||
[[ ${service} =~ "," ]] && multiport="yes"
|
||||
# Do some creative work with variables to make building the iptables rules fairly painless
|
||||
([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
|
||||
([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
|
||||
|
|
@ -577,10 +530,9 @@ function enable_services {
|
|||
[[ ${srcaddress} == "-" ]] && srcaddress=""
|
||||
|
||||
${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
|
||||
unset service protocol interface address srcaddress conntrack_state
|
||||
|
||||
done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||
unset service protocol interface address srcaddress
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
@ -623,10 +575,10 @@ function enable_portfw {
|
|||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
|
||||
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf" ]; then
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/portfw.conf successful"
|
||||
while read -r service protocol intip intport interface address srcaddress; do
|
||||
use_conntrack="no"
|
||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||
while read -r service protocol intip intport interface address srcaddress; do
|
||||
[[ ${service} = \#* ]] && continue
|
||||
[[ -z ${service} ]] && continue
|
||||
[[ ${service} == "-" ]] \
|
||||
|
|
@ -661,7 +613,7 @@ function enable_portfw {
|
|||
|
||||
${VER_IPTABLES} -A ${PortForward} -t nat ${protocol} ${service} ${interface} ${address} ${srcaddress} -j DNAT ${intdest}
|
||||
${VER_IPTABLES} -A ${FwdFilter} ${interface} ${intip} ${protocol} ${intport} ${srcaddress} ${conntrack_state} -j ACCEPT
|
||||
unset service protocol intip intport interface address srcaddress conntrack_state
|
||||
|
||||
done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,7 +0,0 @@
|
|||
{
|
||||
"version": "2.2.1",
|
||||
"state": "stable",
|
||||
"scope": "minor fixes",
|
||||
"changes": "See CHANGELOG",
|
||||
"download": "https://git.sosdg.org/brielle/SRFirewall/releases"
|
||||
}
|
||||
Loading…
Reference in New Issue