Intercept rules

bbruns 2011-02-18 17:53:36 +00:00
parent 261286113a
commit 329d9ad0ce
3 changed files with 55 additions and 0 deletions


@ -29,6 +29,15 @@ BASEDIR=/etc/firewall-sosdg
PATH=/usr/sbin:/usr/bin:/sbin:/bin
#BASEDIR=`pwd`
# We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then
echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version"
echo "of bash to something more recent, preferably the latest which is, as of this"
echo "writing, 4.x"
exit 1
fi
TWEAKS=$BASEDIR/tweaks
if [ ! -r $BASEDIR/include/static ] || [ ! -r $BASEDIR/include/functions ]; then
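Review bot: The three `echo` lines of the new version check write the error text to stdout, so when the script's output is captured or redirected the reason for the `exit 1` disappears from the terminal; each should be redirected with `>&2`, e.g. `echo "Error: We can only run with bash 3.0 or higher. Please upgrade your version" >&2`. The guard itself quotes a numeric literal inside an arithmetic context, `(( ${BASH_VERSINFO[0]} <= "2" ))`; `(( BASH_VERSINFO[0] < 3 ))` expresses the same test without the quoting and without the redundant `${}` expansion. The `if` on the last hunk line, which tests the include files, continues outside the hunk.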
@ -439,6 +448,39 @@ if [ "$ALLOWEDPROTO" ]; then
reset_color
fi
if [ "$IPV4_INTERCEPT" ]; then
display_c YELLOW "Adding packet interception rules: " N
for i in `grep -v "\#" $IPV4_INTERCEPT`; do
IFS_OLD=${IFS};IFS=\|
INTERCEPTADD=($i)
IFS=${IFS_OLD}
SRCIF=${INTERCEPTADD[0]}
SRCIP=${INTERCEPTADD[1]}
DSTIP=${INTERCEPTADD[2]}
DSTPROTO=${INTERCEPTADD[3]}
DSTPORT=${INTERCEPTADD[4]}
PROXY=${INTERCEPTADD[5]}
if [ "$SRCIF" ]; then
SRCIF="-i ${SRCIF}"
fi
if [ "$SRCIP" ]; then
SRCIP="-s ${SRCIP}"
fi
if [ "$DSTIP" ]; then
DSTIP="-d $DSTIP"
fi
if [ "$PROXY" != "BYPASS" ]; then
FINAL_RULE="-j DNAT --to-destination ${PROXY}"
else
FINAL_RULE="-j ACCEPT"
fi
$IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p ${DSTPROTO} --dport ${DSTPORT} \
${FINAL_RULE}
display_c DEFAULT "\t${GREEN}${INTERCEPTADD[0]}:${BLUE}${INTERCEPTADD[1]}:${PURPLE}${INTERCEPTADD[2]}->${INTERCEPTADD[3]}:${INTERCEPTADD[4]}${AQUA}:proxy->${BLUE}${INTERCEPTADD[5]} "
done
reset_color
fi
if [ -s "$BASEDIR/include/ipv4_custom_notrack" ]; then
display_c YELLOW "Loading custom NOTRACK rules..."
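Review bot: The `$IPTABLES -t nat -A PREROUTING …` call is never checked, and none of the six fields split out of `INTERCEPTADD` is validated, so an entry with an empty `DSTPROTO`, `DSTPORT` or `PROXY` produces a malformed iptables command line (`-p  --dport  -j DNAT --to-destination`) that fails, and the loop then prints the green success line and moves on with the interception rule silently missing — the traffic that was meant to be redirected to the proxy simply is not. The patterns added in `include/static` by this same commit are not used here either, so nothing rejects a field that is not an address. I would reject incomplete entries before the rule is built and surface a failed `$IPTABLES` call instead of reporting success; the rewritten part of the loop body is below. Separately, `grep -v "\#"` drops any line containing a `#` anywhere, not only comment lines, and the unquoted backtick substitution word-splits the file on whitespace as well as newlines, so `while IFS= read -r i` over the file would be the safer reader.

```shell
    PROXY=${INTERCEPTADD[5]}
    if [[ -z "$DSTPROTO" || -z "$DSTPORT" || -z "$PROXY" ]]; then
      echo "Skipping malformed intercept entry: ${i}" >&2
      continue
    fi
    # … unchanged: SRCIF/SRCIP/DSTIP option assembly and FINAL_RULE selection …
    if ! $IPTABLES -t nat -A PREROUTING ${SRCIF} ${SRCIP} ${DSTIP} -p "${DSTPROTO}" --dport "${DSTPORT}" \
        ${FINAL_RULE}; then
      echo "Failed to add intercept rule for entry: ${i}" >&2
      continue
    fi
    # … unchanged: display_c summary line …
```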


@ -74,3 +74,13 @@ EXTIP_FIND="$BASEDIR/bin/get_default_ip"
# By default, we allow ipv6 critical icmp
IPV6_ICMP_CRITICAL=1
# IPv4 and IPv6 regex matches to determine if entry is valid. These may need
# to be tweaked over time. At the moment, we use by default the pattern here:
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
# If anyone wants to write these, feel free to!
IPV4_NETMASK_MATCH=""
IPV6_NETMASK_MATCH=""
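Review bot: `IPV4_MATCH` and `IPV6_MATCH` are assigned the identical string, the combined pattern from the linked Stack Overflow answer, which matches both IPv6 and dotted-quad IPv4 forms in its two top-level alternatives; a check against `IPV4_MATCH` therefore accepts an IPv6 address, and vice versa, which defeats the purpose of having two variables. If the split is intended to come later, that should be stated where the values are defined: `# NOTE: both patterns are currently the same combined v4/v6 regex; IPV4_MATCH does not yet reject IPv6 entries (and IPV6_MATCH does not reject IPv4).` Both patterns also rely on PCRE-only constructs (`(?>…)` atomic groups, `(?1)` subroutine calls), so they will not work with bash `=~` or `grep -E`; if they are meant to be applied with `grep -P` or perl, a comment saying so would save the next reader from trying them in `[[ ]]`.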


@ -109,6 +109,9 @@ TRUSTEDIP="127.0.0.1"
# use otherwise.
DONTTRACK="127.0.0.1"
# Intercept IPv4 packets for use in a transparent proxy
#IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept
# IP range(s) to forward
#ROUTING=$BASEDIR/conf/ipv4-routing