diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 3c691e0..4ff9770 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -81,12 +81,12 @@ echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 redistribute it under certain conditions.
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
 
-if [ $UID != "0" ]; then
+if [ "$UID" != "0" ]; then
 display_c RED "You must be root to run this script."
 exit 2
 fi
 
-if [ ! -x $IPTABLES ]; then
+if [ ! -x "$IPTABLES" ]; then
 display_c RED "iptables command not found. Please make sure you have the iptables"
 display_c RED "installed (package or source) and you have the IPTABLES option properly"
 display_c RED "defined in the 'options' file."
@@ -94,7 +94,7 @@ if [ ! -x $IPTABLES ]; then
 fi
 
 
-if [ ! -x $IP6TABLES ] && [ $IPV6 == "1" ]; then
+if [ ! -x "$IP6TABLES" ] && [ $IPV6 == "1" ]; then
 display_c RED "ip6tables command not found. Please make sure you have the iptables"
 display_c RED "installed (package or source) and you have the IP6TABLES option properly"
 display_c RED "defined in the 'options' file."
@@ -108,7 +108,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_flush" ]; then
 . "$BASEDIR/include/ipv4_custom_flush"
 fi
 
-if [ -x $PRERUN ]; then
+if [ -x "$PRERUN" ]; then
 $PRERUN
 fi
 
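Review bot: The ip6tables check in the @@ -94 hunk quotes `$IP6TABLES` but leaves `$IPV6` bare in `[ $IPV6 == "1" ]`; with IPV6 unset or empty, `[` sees `== 1` and reports a syntax error instead of evaluating false, so the line should read `if [ ! -x "$IP6TABLES" ] && [ "$IPV6" == "1" ]; then`. The same gap remains at `$PRERUN` in the @@ -108 hunk: the `-x` test is now quoted but the invocation on the next line is not, so a hook path containing whitespace passes the test and then fails to execute; `"$PRERUN"` keeps the two consistent. Note that `==` inside `[` is a bash extension; it is fine if the script already depends on bash (it uses arrays later), otherwise `=` is the portable form.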
@@ -147,14 +147,14 @@ if [ "$CLAMPMSS" ]; then
 $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
 --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
 # This is necessary to make sure that PMTU works
- $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
- -o $i -j ACCEPT
- $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
- -i $i -j ACCEPT
- $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
- -o $i -j ACCEPT
- $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
- -i $i -j ACCEPT
+ #$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
+ # -o $i -j ACCEPT
+ #$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
+ # -i $i -j ACCEPT
+ #$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+ # -o $i -j ACCEPT
+ #$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
+ # -i $i -j ACCEPT
 done
 echo -en "\n"
 fi
@@ -292,7 +292,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
 . "$BASEDIR/include/ipv4_custom_conntrack"
 fi
 
-if [ $CONNTRACK ]; then
+if [ "$CONNTRACK" ]; then
 $IPTABLES -A INPUT -m state --state NEW -j ACCEPT
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
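Review bot: The @@ -147 hunk leaves the four per-interface ICMP accept rules as commented-out code under the still-live comment `# This is necessary to make sure that PMTU works`, so the comment now describes nothing the loop does. If the intent is that the equivalent rules added per NAT pair in the later NAT hunk replace these, delete the eight lines rather than commenting them out, and either drop the comment or reword it, e.g. `# PMTU-related ICMP is accepted per NAT pair in the NAT section below`. Hosts with CLAMPMSS set but no NAT rule lose the explicit accept for time-exceeded and fragmentation-needed on `$i`; whether PMTU discovery still works for them then depends on the RELATED,ESTABLISHED accept in the @@ -292 hunk, which only applies when CONNTRACK is set. The enclosing `for` loop and `if` begin outside the hunk.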
@@ -537,14 +537,22 @@ if [ $NAT ]; then
 $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
 display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
+ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
+ $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+ $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
+ $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 ;;
 MASQ)
 $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
 display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
+ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
+ $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+ $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
+ $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 ;;
 *) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
 esac
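Review bot: The new FORWARD rules in both arms of the @@ -537 hunk only match `-i ${NAT_RULE[1]} -o ${NAT_RULE[3]}`, i.e. ICMP errors travelling from the internal side outward, while fragmentation-needed and time-exceeded for traffic sent by NAT'd clients come back from the external interface and are forwarded to the internal one, so the direction PMTU discovery for those clients needs (`-i ${NAT_RULE[3]} -o ${NAT_RULE[1]}`) is not covered unless the RELATED,ESTABLISHED FORWARD rule from the CONNTRACK section is active. Because these rules are appended with `-A`, they also land after whatever the script has already appended to INPUT and FORWARD at this point, which I cannot see from the hunk; worth confirming that no earlier catch-all rule shadows them. The six lines are duplicated verbatim between the SNAT and MASQ arms; I'd move them into one helper defined before the NAT loop and call it from both arms, which also lets the interface variables be quoted. The enclosing `case` and the NAT loop begin and end outside the hunk.
```shell
# Accept the ICMP error types PMTU discovery relies on, for one NAT pair.
# $1 = internal interface (NAT_RULE[1]), $2 = external interface (NAT_RULE[3])
nat_pmtu_icmp_accept() {
  local int_if=$1 ext_if=$2 icmp_type
  for icmp_type in time-exceeded fragmentation-needed; do
    $IPTABLES -A INPUT   -p icmp --icmp-type "$icmp_type" -i "$int_if" -j ACCEPT
    $IPTABLES -A OUTPUT  -p icmp --icmp-type "$icmp_type" -o "$ext_if" -j ACCEPT
    $IPTABLES -A FORWARD -p icmp --icmp-type "$icmp_type" -i "$int_if" -o "$ext_if" -j ACCEPT
    # errors coming back from the outside toward NAT'd clients
    $IPTABLES -A FORWARD -p icmp --icmp-type "$icmp_type" -i "$ext_if" -o "$int_if" -j ACCEPT
  done
}
# … unchanged: NAT_RANGE loop up to the case on the rule type …
# in both the SNAT and MASQ arms, after the display_c line:
nat_pmtu_icmp_accept "${NAT_RULE[1]}" "${NAT_RULE[3]}"
```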