
tags/v2.01a1
bbruns 6 years ago
parent
commit
38de7898dc
1 changed files with 36 additions and 2 deletions
  1. +36
    -2
      lib/iptables.inc

+ 36
- 2
lib/iptables.inc View File

@@ -351,6 +351,9 @@ function enable_forwarding {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional; do
[[ ${action} = \#* ]] && continue
[[ ${action} = "" ]] && continue
@@ -376,8 +379,10 @@ function enable_forwarding {
[[ ${srcaddress} == "-" ]] && srcaddress=""
[[ ${bidirectional} == "-" ]] && bidirectional="no"
${VER_IPTABLES} -A ${FwdFilter} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} -j ${action}
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${revsrcinterface} ${revsrcaddress} ${revdstinterface} ${revdstaddress} -j ${action}
[[ ${action} == "DROP" ]] && conntrack_state=""
${VER_IPTABLES} -A ${FwdFilter} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${conntrack_state} -j ${action}
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${revsrcinterface} ${revsrcaddress} ${revdstinterface} ${revdstaddress} ${conntrack_state} -j ${action}
done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
@@ -481,3 +486,32 @@ function enable_services {
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}

function enable_conntrack_int {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
conntrack_int="$2"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ${conntrack_int} == "all" ]]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
${VER_IPTABLES} -A ${OutPreRules} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} ${M_STATE} ${C_STATE} INVALID -j DROP
${VER_IPTABLES} -A ${InPreRules} ${M_STATE} ${C_STATE} INVALID -j DROP
else
for i in ${conntrack_int}; do
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${i}"
${VER_IPTABLES} -A ${OutPreRules} -o ${i} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -i ${i} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -o ${i} ${M_STATE} ${C_STATE} INVALID -j DROP
${VER_IPTABLES} -A ${InPreRules} -i ${i} ${M_STATE} ${C_STATE} INVALID -j DROP
done
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}
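Review bot: The new `enable_conntrack_int` has an unmatched `fi` between the closing `${debug} ... done` line and the function's `}` (the `if [[ ${conntrack_int} == "all" ]]` block is already closed by the `fi` after the `done`), so as rendered the file fails to parse when sourced; the fix is to delete that second `fi`. The `for i in ${conntrack_int}` loop relies on unquoted word-splitting of a space-separated interface list, which is worth a comment such as `# conntrack_int is a space-separated interface list; word-splitting is intentional` so ShellCheck's SC2086 is not "fixed" later. Separately, in the second hunk (inside `enable_forwarding`, whose body starts and ends outside the hunk) `[[ ${action} == "DROP" ]] && conntrack_state=""` is executed inside the `while read` loop but `conntrack_state` is only initialised once before the loop, so every forward.conf line after the first DROP entry is emitted without the state match and the effective rule set depends on line order; recompute the value per iteration, e.g. `local state="${conntrack_state}"; [[ ${action} == "DROP" ]] && state=""` and use `${state}` in the two iptables calls. `conntrack_state` is also left unset when neither connection-tracking option is "yes", and `use_conntrack="no"` is assigned but never read in the hunk.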
