Option to use old style state or new conntrack state

master
bbruns 2010-11-25 18:11:12 +00:00
parent 58ef439312
commit ff2cae92ef
3 changed files with 41 additions and 19 deletions

View File

@ -121,6 +121,21 @@ if [ "$MODULES_LOAD" ]; then
echo -ne "\n" echo -ne "\n"
fi fi
if [ "$STATE_TYPE" ]; then
case $STATE_TYPE in
conntrack|CONNTRACK|*)
M_STATE="-m conntrack"
C_STATE="--ctstate"
;;
state|STATE)
M_STATE="-m state"
C_STATE="--state"
esac
else
M_STATE="-m conntrack"
C_STATE="--ctstate"
fi
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT $IPTABLES -A OUTPUT -o lo -j ACCEPT
@ -293,15 +308,15 @@ if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
fi fi
if [ "$CONNTRACK" ]; then if [ "$CONNTRACK" ]; then
$IPTABLES -A INPUT -m state --state NEW -j ACCEPT $IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP $IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
fi fi
if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then if [ -s "$BASEDIR/include/ipv4_custom_blockoutports" ]; then
@ -468,7 +483,7 @@ if [ "$PORTFW" ] && [ "$NAT" ]; then
$IPTABLES -A PREROUTING -t nat -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} \ $IPTABLES -A PREROUTING -t nat -i ${PORTADD[0]} -p ${PORTADD[4]} -s ${PORTADD[1]} \
--dport ${PORTADD[3]} -d ${PORTADD[2]} -j DNAT --to \ --dport ${PORTADD[3]} -d ${PORTADD[2]} -j DNAT --to \
${PORTADD[5]}:${PORTADD[6]} ${PORTADD[5]}:${PORTADD[6]}
$IPTABLES -A INPUT -p ${PORTADD[4]} -m state --state NEW -s ${PORTADD[1]} \ $IPTABLES -A INPUT -p ${PORTADD[4]} ${M_STATE} ${C_STATE} NEW -s ${PORTADD[1]} \
--dport ${PORTADD[3]} -d ${PORTADD[2]} -i ${PORTADD[0]} -j ACCEPT --dport ${PORTADD[3]} -d ${PORTADD[2]} -i ${PORTADD[0]} -j ACCEPT
display_c DEFAULT "\t${GREEN}${PORTADD[0]}:${BLUE}${PORTADD[1]}:${PURPLE}${PORTADD[2]}:${PORTADD[3]}:${PORTADD[4]}${AQUA}->${BLUE}${PORTADD[5]}:${PORTADD[6]} " display_c DEFAULT "\t${GREEN}${PORTADD[0]}:${BLUE}${PORTADD[1]}:${PURPLE}${PORTADD[2]}:${PORTADD[3]}:${PORTADD[4]}${AQUA}->${BLUE}${PORTADD[5]}:${PORTADD[6]} "
done done
@ -833,15 +848,15 @@ fi
fi fi
if [ "$IPV6_CONNTRACK" ]; then if [ "$IPV6_CONNTRACK" ]; then
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state NEW -j ACCEPT #$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A INPUT -m state --state INVALID -j DROP $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IP6TABLES -A OUTPUT -m state --state INVALID -j DROP $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
fi fi
if [ $IPV6_ROUTEDCLIENTBLOCK ]; then if [ $IPV6_ROUTEDCLIENTBLOCK ]; then

View File

@ -56,3 +56,6 @@ NF_MULTIPORT_MAX_PORTS="7"
# RFC 1918 Space # RFC 1918 Space
RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8" RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
# By default, use conntrack instead of state
STATE_TYPE="conntrack"

View File

@ -30,6 +30,10 @@ POSTRUN="$BASEDIR/conf/postrun"
#CONNTRACK=1 #CONNTRACK=1
#FORWARD=1 #FORWARD=1
# Use old style state matches or new conntrack matches?
# By default, lets use conntrack.
#STATE_TYPE="conntrack"
# Blocking incoming connections by default? # Blocking incoming connections by default?
#BLOCKINCOMING=1 #BLOCKINCOMING=1