
iptables.inc 34 KiB

  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
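# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network.  The filter policies are
# set to ACCEPT first, so between this call and the reload of the rule set
# the host is completely open; call default_policy_set right afterwards (and
# before any long-running step) to close that window.
# Globals:   IPTABLES / IP6TABLES (read); IP_VERSION / VER_IPTABLES /
#            TABLE_NAMES (written, as before)
# Arguments: $1 - "ipv4" (default for anything else) or "ipv6"
function iptables_rules_flush {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac
local chain table
${display} GREEN "Flushing ${IP_VERSION} rules..."
# Open the built-in filter chains first so flushing can never leave a DROP
# policy standing with no ACCEPT rule in front of it (instant lock-out).
for chain in INPUT OUTPUT FORWARD; do
  ${VER_IPTABLES} -P "${chain}" ACCEPT &>/dev/null
done
# Flush and delete user chains in the filter table and the standard extra
# tables.  Errors are ignored on purpose: a table may simply not be loaded.
${VER_IPTABLES} -F &>/dev/null
${VER_IPTABLES} -X &>/dev/null
for table in nat mangle raw; do
  ${VER_IPTABLES} -t "${table}" -F &>/dev/null
  ${VER_IPTABLES} -t "${table}" -X &>/dev/null
done
# Any other table the kernel reports (e.g. security).  The file only exists
# while an x_tables module is loaded, so read it only when it is there
# (the old `cat` in a for loop printed an error and word-split the names).
if [[ -r ${TABLE_NAMES} ]]; then
  while IFS= read -r table || [[ -n ${table} ]]; do
    [[ -n ${table} ]] || continue
    ${VER_IPTABLES} -t "${table}" -F &>/dev/null
    ${VER_IPTABLES} -t "${table}" -X &>/dev/null
  done < "${TABLE_NAMES}"
fi
}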
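# default_policy_set (ipv6|ipv4) [INPUT-policy] [OUTPUT-policy] [FORWARD-policy]
# Sets the built-in chain policies of the filter table for ipv4 or ipv6.
# Each policy is ACCEPT or DROP (the only targets iptables accepts as a chain
# policy); a missing policy defaults to ACCEPT.
# Globals:   IPTABLES / IP6TABLES (read); IP_VERSION / VER_IPTABLES /
#            INPOLICY / OUTPOLICY / FWDPOLICY (written, as before)
# Returns:   1, without touching the firewall, if a policy is not ACCEPT/DROP
function default_policy_set {
IP_VERSION=$1
# ${2:-ACCEPT}: the previous ${2=ACCEPT} tried to assign to a positional
# parameter, which bash rejects ("cannot assign in this way"), so the
# documented ACCEPT default was never applied and iptables got no target.
INPOLICY=${2:-ACCEPT}
OUTPOLICY=${3:-ACCEPT}
FWDPOLICY=${4:-ACCEPT}
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES} ;;
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
local policy
# Validate before changing anything so a typo cannot leave the chains in a
# half-set state.
for policy in "${INPOLICY}" "${OUTPOLICY}" "${FWDPOLICY}"; do
  case ${policy} in
    ACCEPT|DROP) ;;
    *)
      ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} policy must be ACCEPT or DROP, got '${policy}'"
      return 1 ;;
  esac
done
${display} RED "Setting ${IP_VERSION} policies to INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}..."
# Not silenced: failing to set a policy is exactly what the operator must see.
${VER_IPTABLES} --policy INPUT "${INPOLICY}"
${VER_IPTABLES} --policy OUTPUT "${OUTPOLICY}"
${VER_IPTABLES} --policy FORWARD "${FWDPOLICY}"
}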
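# setup_iptables_chains (ipv4|ipv6)
# Creates the user chains this firewall dispatches into and hooks them into
# the built-in chains.  The hook order is fixed and is what gives the rule
# set its meaning: pre-rules, easyblock, filter, NAT, port-forward, ICMPv6
# (ipv6 only), post-rules.  Between the stages the optional scripts
# ${FWCONFIGDIR}/ipv${IPVER}/custom/{prerun,easyblock,filter,nat,portfw,postrun}.sh
# are sourced when present and executable.  They run with this script's
# privileges, so ${FWCONFIGDIR} and everything below it must only be writable
# by the administrator.
# Globals:   IPTABLES / IP6TABLES / FWCONFIGDIR / Enablev4NAT / Enablev6NAT
#            and the chain name variables (read); IP_VERSION / VER_IPTABLES /
#            IPVER (written, as before)
# Arguments: $1 - "ipv4" (default for anything else) or "ipv6"

# _setup_chains_hook NAME
# Source ${FWCONFIGDIR}/ipv${IPVER}/custom/NAME.sh if it exists and is
# executable; does nothing otherwise.  Relies on IPVER set by the caller.
function _setup_chains_hook {
local hook="${FWCONFIGDIR}/ipv${IPVER}/custom/$1.sh"
if [[ -x "${hook}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} sourcing ${hook}"
  . "${hook}"
fi
}

function setup_iptables_chains {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local chain nat_enabled="no"
# NAT chains only exist when NAT is enabled for this address family.
[[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] && nat_enabled="yes"
[[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]] && nat_enabled="yes"
# Create the actual chains
${display} GREEN "Setting up chains for ${IP_VERSION}..."
for chain in "${InPreRules}" "${OutPreRules}" "${InEasyBlock}" "${OutEasyBlock}" \
  "${InFilter}" "${OutFilter}" "${FwdFilter}"; do
  ${VER_IPTABLES} -N "${chain}"
done
if [[ ${nat_enabled} == "yes" ]]; then
  ${VER_IPTABLES} -N "${NAT}" -t nat
  ${VER_IPTABLES} -N "${PortForward}" -t nat
fi
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N "${v6ICMP}"
${VER_IPTABLES} -N "${InPostRules}"
${VER_IPTABLES} -N "${OutPostRules}"
# Set up rules - the order matters - we do it separately here
# for easy viewing of order
_setup_chains_hook prerun
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPreRules"
${VER_IPTABLES} -A INPUT -j "${InPreRules}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPreRules"
${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"
_setup_chains_hook easyblock
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InEasyBlock"
${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutEasyBlock"
${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"
_setup_chains_hook filter
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InFilter"
${VER_IPTABLES} -A INPUT -j "${InFilter}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutFilter"
${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up FwdFilter"
${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"
_setup_chains_hook nat
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up NAT"
[[ ${nat_enabled} == "yes" ]] && ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"
_setup_chains_hook portfw
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up PortForward"
[[ ${nat_enabled} == "yes" ]] && ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"
_setup_chains_hook postrun
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j "${v6ICMP}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j "${InPostRules}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}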
# allow_all_loopback (ipv4|ipv6)
# Accept every packet on the loopback interface in both directions by adding
# an early rule to the incoming and outgoing pre-rules chains.
# Globals:   IPTABLES / IP6TABLES / InPreRules / OutPreRules (read);
#            IP_VERSION / VER_IPTABLES / IPVER (written)
function allow_all_loopback {
IP_VERSION=$1
if [[ ${IP_VERSION} == "ipv6" ]]; then
  VER_IPTABLES=${IP6TABLES}
  IPVER="6"
else
  VER_IPTABLES=${IPTABLES}
  IPVER="4"
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loaded"
local in_chain=${InPreRules}
local out_chain=${OutPreRules}
${VER_IPTABLES} -A ${in_chain} -i lo -j ACCEPT
${VER_IPTABLES} -A ${out_chain} -o lo -j ACCEPT
}
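# allow_trusted_hosts (ipv4|ipv6)
# Accept all traffic to and from every address listed in
# ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf: one or more hosts/networks per
# line, whitespace separated; '#' starts a comment that runs to end of line.
# Entries are handed to iptables unvalidated, so the file must only be
# writable by the administrator.
# Globals:   IPTABLES / IP6TABLES / FWCONFIGDIR / InPreRules / OutPreRules
#            (read); IP_VERSION / VER_IPTABLES / IPVER (written, as before)
function allow_trusted_hosts {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
local line host
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ! -e "${conf}" ]]; then
  ${display} RED "File Missing: ${conf}"
  ${display} RED "Error: can not load trusted hosts file."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  return
fi
# "|| [[ -n ${line} ]]" keeps a final line that has no trailing newline.
while IFS= read -r line || [[ -n ${line} ]]; do
  # Strip comments.  The old `grep -v "\#"` dropped every line containing a
  # '#' anywhere, so a trailing comment silently removed the host before it.
  line=${line%%#*}
  # Unquoted on purpose: a line may hold several addresses.
  for host in ${line}; do
    ${VER_IPTABLES} -A "${InPreRules}" -s "${host}" -j ACCEPT
    ${VER_IPTABLES} -A "${OutPreRules}" -d "${host}" -j ACCEPT
  done
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}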
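# enable_mss_clamp (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf: one TCPMSS rule per line of
#   interface mss type msssize
# interface: output interface, or "all" for no interface match
# mss:       match only segments with this MSS (-m tcpmss --mss), '-' = any
# type:      "out" (default, OutFilter chain) or "fwd" (FwdFilter chain)
# msssize:   value for --set-mss; '-' (or missing) = --clamp-mss-to-pmtu
# A missing trailing field behaves like '-'.  Only SYN packets are matched,
# which is where the MSS option lives.
# Globals:   IPTABLES / IP6TABLES / FWCONFIGDIR / OutFilter / FwdFilter
#            (read); IP_VERSION / VER_IPTABLES / IPVER (written, as before)
function enable_mss_clamp {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
local interface mss type msssize chain
local -a rule
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ! -e "${conf}" ]]; then
  ${display} RED "File Missing: ${conf}"
  ${display} RED "Error: can not load mss clamp file."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  return
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
while read -r interface mss type msssize || [[ -n ${interface} ]]; do
  [[ ${interface} = \#* || -z ${interface} ]] && continue
  # Missing fields count as '-'.  Previously an empty mss became
  # "-m tcpmss --mss " with no value and iptables rejected the rule.
  : "${mss:=-}" "${type:=-}" "${msssize:=-}"
  case ${type} in
    -|out) chain=${OutFilter} ;;
    fwd)   chain=${FwdFilter} ;;
    *)
      ${display} RED "mss-clamp.conf: Error - type must be out or fwd: ${DEFAULT_COLOR}${interface} ${mss} ${type} ${msssize}"
      continue ;;
  esac
  # Same argument order as before: chain, match, target, then interface,
  # mss match and the mss action.
  rule=(-A "${chain}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS)
  [[ ${interface} != "all" ]] && rule+=(-o "${interface}")
  [[ ${mss} != "-" ]] && rule+=(-m tcpmss --mss "${mss}")
  if [[ ${msssize} != "-" ]]; then
    rule+=(--set-mss "${msssize}")
  else
    rule+=(--clamp-mss-to-pmtu)
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type} ${msssize}"
  ${VER_IPTABLES} "${rule[@]}"
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}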
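# allow_resolvconf_servers (ipv4|ipv6)
# Allow UDP/53 to and from every "nameserver" entry of the resolv.conf named
# by ${ResolvConfv4File} / ${ResolvConfv6File}, skipping servers of the other
# address family (IPv6 servers contain ':').  With connection tracking enabled
# for the family the rules are stateful; otherwise a stateless pair is added
# (client ephemeral ports 1024:65535 <-> server port 53).
# Globals:   IPTABLES / IP6TABLES / ResolvConfv4File / ResolvConfv6File /
#            Enablev4ConnectionTracking / Enablev6ConnectionTracking /
#            M_STATE / C_STATE / InPreRules / OutPreRules (read);
#            IP_VERSION / VER_IPTABLES / IPVER / ResolvConfFile (written)
# Returns:   1 if the resolv.conf file cannot be read
function allow_resolvconf_servers {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
# Select by IPVER rather than the raw argument so an unrecognised argument
# (treated as ipv4 above) does not leave ResolvConfFile empty.
local use_conntrack="no"
if [[ ${IPVER} == "6" ]]; then
  ResolvConfFile="${ResolvConfv6File}"
  [[ ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
else
  ResolvConfFile="${ResolvConfv4File}"
  [[ ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
if [[ ! -r "${ResolvConfFile}" ]]; then
  ${display} RED "File Missing: ${ResolvConfFile}"
  ${display} RED "Error: can not load nameservers from resolv.conf."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  return 1
fi
local type server
while read -r type server || [[ -n ${type} ]]; do
  [[ ${type} == "nameserver" && -n ${server} ]] || continue
  # Keep only servers of this address family.
  if [[ ${IPVER} == "4" ]]; then
    [[ ${server} == *:* ]] && continue
  else
    [[ ${server} == *:* ]] || continue
  fi
  if [[ ${use_conntrack} == "yes" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
    # M_STATE / C_STATE hold the match and option words, hence unquoted.
    ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
    ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  else
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
    # Stateless pair: queries leave for the server (-d on OUTPUT), replies
    # come back from it (-s on INPUT).  The previous rules had -s/-d the
    # other way round and could only match a resolver on a local address.
    ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
    ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
  fi
done < "${ResolvConfFile}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}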
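# allow_dnsclient_manual (ipv4|ipv6) "server [server ...]"
# Same rules as allow_resolvconf_servers, for an explicit whitespace-separated
# list of DNS server addresses given in $2 instead of resolv.conf.  The
# addresses are not validated: they go straight into iptables rules.
# Globals:   IPTABLES / IP6TABLES / Enablev4ConnectionTracking /
#            Enablev6ConnectionTracking / M_STATE / C_STATE / InPreRules /
#            OutPreRules (read); IP_VERSION / VER_IPTABLES / IPVER /
#            DNS_SERVERS (written, as before)
function allow_dnsclient_manual {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
DNS_SERVERS="$2"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
local use_conntrack="no" server
[[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
[[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
# Unquoted on purpose: DNS_SERVERS is a whitespace separated list.
for server in ${DNS_SERVERS}; do
  if [[ ${use_conntrack} == "yes" ]]; then
    # (the old message printed the never-set ${server} instead of the entry)
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
    # M_STATE / C_STATE hold the match and option words, hence unquoted.
    ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
    ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  else
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
    # Stateless pair: queries leave for the server (-d on OUTPUT), replies
    # come back from it (-s on INPUT).  The previous rules had -s/-d the
    # other way round and could only match a resolver on a local address.
    ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
    ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
  fi
done
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}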
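# enable_easyblock (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf: one DROP rule per line of
#   direction(IN|OUT) interface address port protocol
# '-' (or a missing trailing field) means "any".  IN rules match the source
# address / input interface, OUT rules the destination address / output
# interface.  As with iptables itself, a port only works with a protocol.
# Nothing is loaded, silently, when the file does not exist.
# Globals:   IPTABLES / IP6TABLES / FWCONFIGDIR / InEasyBlock / OutEasyBlock
#            (read); IP_VERSION / VER_IPTABLES / IPVER (written, as before)
function enable_easyblock {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
local direction interface address port protocol chain
local -a rule
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ! -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} ${conf} not found, nothing to do"
  return
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
while read -r direction interface address port protocol || [[ -n ${direction} ]]; do
  [[ ${direction} = \#* || -z ${direction} ]] && continue
  # Missing trailing fields behave like '-' (the old code built e.g.
  # "--dport " with no value for them and iptables rejected the rule).
  : "${interface:=-}" "${address:=-}" "${port:=-}" "${protocol:=-}"
  case ${direction} in
    IN)  chain=${InEasyBlock} ;;
    OUT) chain=${OutEasyBlock} ;;
    *)
      ${display} RED "easyblock.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${interface} ${address} ${port} ${protocol}"
      continue ;;
  esac
  # Same argument order as before: interface, address, protocol, port.
  rule=(-A "${chain}")
  if [[ ${direction} == "IN" ]]; then
    [[ ${interface} != "-" ]] && rule+=(-i "${interface}")
    [[ ${address} != "-" ]] && rule+=(-s "${address}")
  else
    [[ ${interface} != "-" ]] && rule+=(-o "${interface}")
    [[ ${address} != "-" ]] && rule+=(-d "${address}")
  fi
  [[ ${protocol} != "-" ]] && rule+=(-p "${protocol}")
  [[ ${port} != "-" ]] && rule+=(--dport "${port}")
  rule+=(-j DROP)
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${direction} ${interface} ${address} ${port} ${protocol}"
  ${VER_IPTABLES} "${rule[@]}"
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}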
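# enable_filtering (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv${IPVER}/acl.conf into the InFilter / OutFilter
# chains.  One rule per line:
#   direction(IN|OUT) action(ACCEPT|DROP|REJECT) interface srcaddress srcport
#   dstaddress dstport protocol syn(syn|notsyn|-) state custom...
# '-' (or a missing trailing field) means "any"; "custom" is the rest of the
# line and is passed to iptables verbatim as extra options.  A state is only
# applied when connection tracking is enabled for the address family.
# REJECT answers TCP with a reset and everything else with the iptables
# default (ICMP unreachable), since tcp-reset is only valid for -p tcp.
# Nothing is loaded, silently, when the file does not exist.
# Globals:   IPTABLES / IP6TABLES / FWCONFIGDIR / InFilter / OutFilter /
#            M_STATE / C_STATE / Enablev4ConnectionTracking /
#            Enablev6ConnectionTracking (read); IP_VERSION / VER_IPTABLES /
#            IPVER (written, as before)
function enable_filtering {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
local direction action interface srcaddress srcport dstaddress dstport protocol syn state custom chain
local conntrack="no"
local -a rule
[[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && conntrack="yes"
[[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && conntrack="yes"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ! -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} ${conf} not found, nothing to do"
  return
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state custom || [[ -n ${direction} ]]; do
  [[ ${direction} = \#* || -z ${direction} ]] && continue
  # Missing trailing fields behave like '-' (the old code built e.g. "-p "
  # with no value for them and iptables rejected the rule).
  : "${interface:=-}" "${srcaddress:=-}" "${srcport:=-}" "${dstaddress:=-}" "${dstport:=-}"
  : "${protocol:=-}" "${syn:=-}" "${state:=-}" "${custom:=-}"
  case ${direction} in
    IN)  chain=${InFilter} ;;
    OUT) chain=${OutFilter} ;;
    *)
      ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}"
      continue ;;
  esac
  case ${action} in
    ACCEPT|DROP|REJECT) ;;
    *)
      ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}"
      continue ;;
  esac
  # Same argument order as before: interface, protocol, source, syn,
  # destination, state, custom, target.
  rule=(-A "${chain}")
  if [[ ${interface} != "-" ]]; then
    if [[ ${direction} == "IN" ]]; then
      rule+=(-i "${interface}")
    else
      rule+=(-o "${interface}")
    fi
  fi
  [[ ${protocol} != "-" ]] && rule+=(-p "${protocol}")
  [[ ${srcaddress} != "-" ]] && rule+=(-s "${srcaddress}")
  [[ ${srcport} != "-" ]] && rule+=(--sport "${srcport}")
  case ${syn} in
    syn)    rule+=(--syn) ;;
    notsyn) rule+=('!' --syn) ;;
  esac
  [[ ${dstaddress} != "-" ]] && rule+=(-d "${dstaddress}")
  [[ ${dstport} != "-" ]] && rule+=(--dport "${dstport}")
  # M_STATE / C_STATE hold the match and option words, hence unquoted.
  [[ ${conntrack} == "yes" && ${state} != "-" ]] && rule+=(${M_STATE} ${C_STATE} "${state}")
  # custom is free-form iptables options and is split into words on purpose.
  [[ ${custom} != "-" ]] && rule+=(${custom})
  if [[ ${action} == "REJECT" && ${protocol} == "tcp" ]]; then
    rule+=(-j REJECT --reject-with tcp-reset)
  else
    rule+=(-j "${action}")
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state} ${custom}"
  ${VER_IPTABLES} "${rule[@]}"
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}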
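# enable_forwarding (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv${IPVER}/forward.conf into the FwdFilter chain.
# One rule per line:
#   action(ACCEPT|DROP) srcinterface srcaddress dstinterface dstaddress
#   bidirectional(yes|-) srcport dstport protocol syn(syn|notsyn|-) state custom...
# '-' (or a missing trailing field) means "any"; "custom" is the rest of the
# line and is passed to iptables verbatim as extra options.  With
# bidirectional=yes a second rule is added with interfaces, addresses and
# ports swapped; it reuses the same protocol, syn, state and custom words.
# "syn" is dropped for UDP.  A state is only applied when connection
# tracking is enabled for the address family.  Nothing is loaded, silently,
# when the file does not exist.
# Globals:   IPTABLES / IP6TABLES / FWCONFIGDIR / FwdFilter / M_STATE /
#            C_STATE / Enablev4ConnectionTracking / Enablev6ConnectionTracking
#            (read); IP_VERSION / VER_IPTABLES / IPVER (written, as before)
function enable_forwarding {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
local action srcinterface srcaddress dstinterface dstaddress bidirectional
local srcport dstport protocol syn state custom
local conntrack="no"
local -a rule rev
[[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && conntrack="yes"
[[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && conntrack="yes"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ! -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} ${conf} not found, nothing to do"
  return
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom || [[ -n ${action} ]]; do
  [[ ${action} = \#* || -z ${action} ]] && continue
  # Missing trailing fields behave like '-' (the old code built e.g. "-s "
  # with no value for an empty address and iptables rejected the rule).
  : "${srcinterface:=-}" "${srcaddress:=-}" "${dstinterface:=-}" "${dstaddress:=-}" "${bidirectional:=-}"
  : "${srcport:=-}" "${dstport:=-}" "${protocol:=-}" "${syn:=-}" "${state:=-}" "${custom:=-}"
  case ${action} in
    ACCEPT|DROP) ;;
    *)
      ${display} RED "forward.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
      continue ;;
  esac
  # --syn has no meaning for UDP; ignore it as before.
  [[ ${syn} == "syn" && ${protocol} == "udp" ]] && syn="-"
  # Forward rule and its mirror are built side by side in the old argument
  # order: protocol, source side, syn, destination side, state, custom, target.
  # The mirror swaps -i/-o, -s/-d and --sport/--dport.  (The old code built
  # the mirror ports from the already expanded "--sport N" string, producing
  # "--dport --sport N", so bidirectional rules with ports never loaded.)
  rule=(-A "${FwdFilter}")
  rev=(-A "${FwdFilter}")
  if [[ ${protocol} != "-" ]]; then
    rule+=(-p "${protocol}"); rev+=(-p "${protocol}")
  fi
  if [[ ${srcinterface} != "-" ]]; then
    rule+=(-i "${srcinterface}"); rev+=(-o "${srcinterface}")
  fi
  if [[ ${srcaddress} != "-" ]]; then
    rule+=(-s "${srcaddress}"); rev+=(-d "${srcaddress}")
  fi
  if [[ ${srcport} != "-" ]]; then
    rule+=(--sport "${srcport}"); rev+=(--dport "${srcport}")
  fi
  case ${syn} in
    syn)    rule+=(--syn); rev+=(--syn) ;;
    notsyn) rule+=('!' --syn); rev+=('!' --syn) ;;
  esac
  if [[ ${dstinterface} != "-" ]]; then
    rule+=(-o "${dstinterface}"); rev+=(-i "${dstinterface}")
  fi
  if [[ ${dstaddress} != "-" ]]; then
    rule+=(-d "${dstaddress}"); rev+=(-s "${dstaddress}")
  fi
  if [[ ${dstport} != "-" ]]; then
    rule+=(--dport "${dstport}"); rev+=(--sport "${dstport}")
  fi
  # M_STATE / C_STATE hold the match and option words, hence unquoted.
  if [[ ${conntrack} == "yes" && ${state} != "-" ]]; then
    rule+=(${M_STATE} ${C_STATE} "${state}"); rev+=(${M_STATE} ${C_STATE} "${state}")
  fi
  # custom is free-form iptables options and is split into words on purpose.
  if [[ ${custom} != "-" ]]; then
    rule+=(${custom}); rev+=(${custom})
  fi
  rule+=(-j "${action}")
  rev+=(-j "${action}")
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state} ${custom}"
  ${VER_IPTABLES} "${rule[@]}"
  [[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} "${rev[@]}"
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}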
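# enable_nat (ipv4|ipv6)
# Load ${FWCONFIGDIR}/ipv${IPVER}/nat.conf into the NAT chain of the nat
# table (POSTROUTING).  One rule per line:
#   type(SNAT|MASQ|NETMAP|ACCEPT) srcinterface srcaddress dstinterface dstaddress custom...
# The dstaddress column is overloaded by type: SNAT uses it as --to-source,
# NETMAP as --to, ACCEPT as a -d match and MASQ must leave it '-'.  NETMAP
# matches srcaddress as -d (unchanged from before); the other types match it
# as -s.  srcinterface is read for compatibility with the file format but is
# not used: POSTROUTING has no input interface to match.  Requires connection
# tracking for the address family.  Nothing is loaded, silently, when the
# file does not exist.
# Globals:   IPTABLES / IP6TABLES / FWCONFIGDIR / NAT /
#            Enablev4ConnectionTracking / Enablev6ConnectionTracking (read);
#            IP_VERSION / VER_IPTABLES / IPVER (written, as before)
# Returns:   1 when connection tracking is disabled for the family
function enable_nat {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
local type srcinterface srcaddress dstinterface dstaddress custom seen
local -a rule
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} != "yes" ]]; then
  ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no"
  return 1
fi
if [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} != "yes" ]]; then
  ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no"
  return 1
fi
if [[ ! -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} ${conf} not found, nothing to do"
  return
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
while read -r type srcinterface srcaddress dstinterface dstaddress custom || [[ -n ${type} ]]; do
  [[ ${type} = \#* || -z ${type} ]] && continue
  : "${srcinterface:=-}" "${srcaddress:=-}" "${dstinterface:=-}" "${dstaddress:=-}" "${custom:=-}"
  seen="${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
  # The target is decided per line now; previously "action" leaked from the
  # preceding line when a line did not satisfy any of the conditions.
  # Argument order as before: match, -j target, -o interface, target options.
  rule=(-A "${NAT}" -t nat)
  case ${type} in
    MASQ)
      if [[ ${dstinterface} == "-" ]]; then
        ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${seen}"
        continue
      fi
      if [[ ${dstaddress} != "-" ]]; then
        ${display} RED "nat.conf: Error - MASQ rule does not take a destination address: ${DEFAULT_COLOR}${seen}"
        continue
      fi
      [[ ${srcaddress} != "-" ]] && rule+=(-s "${srcaddress}")
      rule+=(-j MASQUERADE -o "${dstinterface}")
      ;;
    SNAT)
      if [[ ${dstaddress} == "-" ]]; then
        ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${seen}"
        continue
      fi
      [[ ${srcaddress} != "-" ]] && rule+=(-s "${srcaddress}")
      rule+=(-j SNAT)
      [[ ${dstinterface} != "-" ]] && rule+=(-o "${dstinterface}")
      rule+=(--to-source "${dstaddress}")
      ;;
    NETMAP)
      if [[ ${srcaddress} == "-" || ${dstaddress} == "-" ]]; then
        ${display} RED "nat.conf: Error - NETMAP rule needs both a source and a destination address: ${DEFAULT_COLOR}${seen}"
        continue
      fi
      rule+=(-d "${srcaddress}" -j NETMAP)
      [[ ${dstinterface} != "-" ]] && rule+=(-o "${dstinterface}")
      rule+=(--to "${dstaddress}")
      ;;
    ACCEPT)
      [[ ${srcaddress} != "-" ]] && rule+=(-s "${srcaddress}")
      rule+=(-j ACCEPT)
      [[ ${dstinterface} != "-" ]] && rule+=(-o "${dstinterface}")
      [[ ${dstaddress} != "-" ]] && rule+=(-d "${dstaddress}")
      ;;
    *)
      ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP/ACCEPT: ${DEFAULT_COLOR}${seen} ${custom}"
      continue ;;
  esac
  # custom is free-form iptables options and is split into words on purpose.
  [[ ${custom} != "-" ]] && rule+=(${custom})
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${seen} ${custom}"
  ${VER_IPTABLES} "${rule[@]}"
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}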
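function enable_services {
  #######################################
  # Append one inbound ACCEPT rule to ${InFilter} per line of
  # ${FWCONFIGDIR}/ipv${IPVER}/services.conf.
  # Columns (whitespace separated):
  #   service    - destination port or service name; a comma-separated list
  #                is matched with "-m multiport --dports" (required)
  #   protocol   - tcp, udp, ... (required)
  #   interface  - inbound interface (-i); "-" or absent means any
  #   address    - local destination address (-d); "-" or absent means any
  #   srcaddress - remote source address/network (-s); "-" or absent means any
  # Lines starting with '#' and blank lines are skipped. Malformed lines are
  # reported through ${display} and skipped, so no rule is added for them.
  # Arguments: $1 - "ipv4" or "ipv6" (anything else selects ipv4)
  # Globals:   reads IPTABLES IP6TABLES FWCONFIGDIR InFilter M_STATE C_STATE
  #            Enablev4ConnectionTracking Enablev6ConnectionTracking debug
  #            display DebugColor DEFAULT_COLOR;
  #            writes IP_VERSION VER_IPTABLES IPVER
  #######################################
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/services.conf"
  local service protocol interface address srcaddress
  local port_match conntrack_state
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${conf}" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    # The "|| [[ -n ... ]]" keeps a final line that lacks a trailing newline.
    while read -r service protocol interface address srcaddress || [[ -n ${service} ]]; do
      [[ ${service} = \#* || -z ${service} ]] && continue
      # Absent trailing columns mean "any", exactly like an explicit "-".
      : "${protocol:=-}" "${interface:=-}" "${address:=-}" "${srcaddress:=-}"
      if [[ ${service} == "-" ]]; then
        ${display} RED "services.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ ${protocol} == "-" ]]; then
        ${display} RED "services.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # With tracking enabled only NEW connections need this rule; the
      # ESTABLISHED,RELATED and INVALID rules are added by enable_conntrack_int.
      conntrack_state=""
      case ${IP_VERSION} in
        ipv4) [[ ${Enablev4ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} NEW" ;;
        ipv6) [[ ${Enablev6ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} NEW" ;;
      esac
      # A comma-separated port list needs the multiport match.
      if [[ ${service} == *,* ]]; then
        port_match="-m multiport --dports ${service}"
      else
        port_match="--dport ${service}"
      fi
      # Turn the optional columns into iptables options; "-" contributes nothing.
      # address is the packet's destination (-d), srcaddress its source (-s) --
      # they must not be mixed up, or a source restriction is silently lost.
      if [[ ${interface} == "-" ]]; then interface=""; else interface="-i ${interface}"; fi
      if [[ ${address} == "-" ]]; then address=""; else address="-d ${address}"; fi
      if [[ ${srcaddress} == "-" ]]; then srcaddress=""; else srcaddress="-s ${srcaddress}"; fi
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: -p ${protocol} ${port_match} ${interface} ${address} ${srcaddress}"
      # Variables are deliberately unquoted: each holds "option value" words.
      ${VER_IPTABLES} -A ${InFilter} -p ${protocol} ${port_match} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}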
function enable_conntrack_int {
  #######################################
  # Add the stateful "pre-rules": accept ESTABLISHED,RELATED traffic and drop
  # INVALID traffic, on ${OutPreRules} (matched with -o) and ${InPreRules}
  # (matched with -i).
  # Arguments: $1 - "ipv4" or "ipv6" (anything else selects ipv4)
  #            $2 - "all" (no interface selector), or a whitespace-separated
  #                 list of interface names, one pass per interface
  # Globals:   reads IPTABLES IP6TABLES OutPreRules InPreRules M_STATE C_STATE
  #            debug DebugColor DEFAULT_COLOR;
  #            writes IP_VERSION VER_IPTABLES IPVER conntrack_int i
  #######################################
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  conntrack_int="$2"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local -a targets=()
  local target out_sel in_sel
  if [[ ${conntrack_int} == "all" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
    targets=("")   # a single pass with an empty selector
  else
    # Deliberately unquoted: word-splitting turns the list into one target each.
    for i in ${conntrack_int}; do targets+=("${i}"); done
  fi
  for target in "${targets[@]}"; do
    if [[ -n ${target} ]]; then
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${target}"
      out_sel="-o ${target}"
      in_sel="-i ${target}"
    else
      out_sel=""
      in_sel=""
    fi
    # Selectors are unquoted on purpose so an empty one contributes no argument.
    ${VER_IPTABLES} -A ${OutPreRules} ${out_sel} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    ${VER_IPTABLES} -A ${InPreRules} ${in_sel} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    ${VER_IPTABLES} -A ${OutPreRules} ${out_sel} ${M_STATE} ${C_STATE} INVALID -j DROP
    ${VER_IPTABLES} -A ${InPreRules} ${in_sel} ${M_STATE} ${C_STATE} INVALID -j DROP
  done
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
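function enable_portfw {
  #######################################
  # Add a DNAT rule to ${PortForward} (nat table) plus the matching ACCEPT
  # rule on ${FwdFilter} for each line of ${FWCONFIGDIR}/ipv${IPVER}/portfw.conf.
  # Columns (whitespace separated):
  #   service    - external destination port or service name (required)
  #   protocol   - tcp, udp, ... (required)
  #   intip      - internal host the traffic is forwarded to (required)
  #   intport    - port on the internal host; "-" or absent keeps the
  #                external port
  #   interface  - inbound interface (-i); "-" or absent means any
  #   address    - external destination address (-d); "-" or absent means any
  #   srcaddress - remote source address/network (-s); "-" or absent means any
  # Lines starting with '#' and blank lines are skipped. Malformed lines are
  # reported through ${display} and skipped, so neither rule is added.
  # Arguments: $1 - "ipv4" or "ipv6" (anything else selects ipv4)
  # Globals:   reads IPTABLES IP6TABLES FWCONFIGDIR PortForward FwdFilter
  #            M_STATE C_STATE Enablev4ConnectionTracking
  #            Enablev6ConnectionTracking debug display DebugColor
  #            DEFAULT_COLOR; writes IP_VERSION VER_IPTABLES IPVER
  #######################################
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
  local service protocol intip intport interface address srcaddress
  local conntrack_state to_dest int_port
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${conf}" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    # The "|| [[ -n ... ]]" keeps a final line that lacks a trailing newline.
    while read -r service protocol intip intport interface address srcaddress || [[ -n ${service} ]]; do
      [[ ${service} = \#* || -z ${service} ]] && continue
      # Absent trailing columns mean "any"/"unset", exactly like an explicit "-".
      : "${protocol:=-}" "${intip:=-}" "${intport:=-}" "${interface:=-}" "${address:=-}" "${srcaddress:=-}"
      if [[ ${service} == "-" ]]; then
        ${display} RED "portfw.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ ${protocol} == "-" ]]; then
        ${display} RED "portfw.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # Without an internal host there is nothing to DNAT to. Reject the line
      # instead of emitting a DNAT without --to-destination, and never reuse a
      # previous line's target.
      if [[ ${intip} == "-" ]]; then
        ${display} RED "portfw.conf: Error - internal address can not be empty: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # With tracking enabled only NEW connections need the forward rule; the
      # ESTABLISHED,RELATED and INVALID rules are added by enable_conntrack_int.
      conntrack_state=""
      case ${IP_VERSION} in
        ipv4) [[ ${Enablev4ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} NEW" ;;
        ipv6) [[ ${Enablev6ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} NEW" ;;
      esac
      # DNAT target and the port the packet carries after DNAT (which is what
      # the forward rule must match), recomputed for every line.
      if [[ ${intport} == "-" ]]; then
        to_dest="${intip}"              # external port is kept
        int_port="--dport ${service}"
      elif [[ ${IPVER} == "6" ]]; then
        to_dest="[${intip}]:${intport}" # ip6tables needs [] around the address when a port follows
        int_port="--dport ${intport}"
      else
        to_dest="${intip}:${intport}"
        int_port="--dport ${intport}"
      fi
      # Turn the optional columns into iptables options; "-" contributes nothing.
      if [[ ${interface} == "-" ]]; then interface=""; else interface="-i ${interface}"; fi
      if [[ ${address} == "-" ]]; then address=""; else address="-d ${address}"; fi
      if [[ ${srcaddress} == "-" ]]; then srcaddress=""; else srcaddress="-s ${srcaddress}"; fi
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: --dport ${service} -p ${protocol} -d ${intip} ${int_port} ${interface} ${address} ${srcaddress} -> ${to_dest}"
      # Option variables are deliberately unquoted (each holds "option value"
      # words); the DNAT target is quoted because "[...]" is a glob pattern.
      ${VER_IPTABLES} -A ${PortForward} -t nat -p ${protocol} --dport ${service} ${interface} ${address} ${srcaddress} -j DNAT --to-destination "${to_dest}"
      ${VER_IPTABLES} -A ${FwdFilter} ${interface} -d ${intip} -p ${protocol} ${int_port} ${srcaddress} ${conntrack_state} -j ACCEPT
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}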
  582. function enable_v6_critical_icmp {
  583. VER_IPTABLES=${IP6TABLES}
  584. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  585. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
  586. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
  587. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
  588. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
  589. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
  590. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
  591. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
  592. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
  593. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
  594. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
  595. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
  596. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
  597. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
  598. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
  599. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
  600. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
  601. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
  602. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
  603. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
  604. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
  605. }