  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
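# iptables_rules_flush (ipv6|ipv4)
# Clear all rules from iptables - be very careful in how this is called as it
# could easily lock out the user from the network.  The built-in policies are
# opened to ACCEPT before anything is flushed, so the box is never left with a
# DROP policy and no rules; call default_policy_set afterwards to tighten
# them again.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES/display; writes IP_VERSION,
#            VER_IPTABLES, TABLE_NAMES
# Returns:   status of the final chain deletion
function iptables_rules_flush {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; TABLE_NAMES=/proc/net/ip6_tables_names ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; TABLE_NAMES=/proc/net/ip_tables_names ;;
esac
local table
${display} GREEN "Flushing ${IP_VERSION} rules..."
# Open the policies first: with a DROP policy and no rules the host would be
# cut off for the rest of the run.
${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
# Flush (-F) before delete (-X): iptables refuses to delete a non-empty chain.
${VER_IPTABLES} -F &>/dev/null
${VER_IPTABLES} -X &>/dev/null
${VER_IPTABLES} -t mangle -F &>/dev/null
${VER_IPTABLES} -t mangle -X &>/dev/null
# Every table the kernel has loaded (filter, nat, mangle, raw, ...) is listed
# in TABLE_NAMES, one name per line.  Flush and delete user chains in each;
# previously only the filter table had its user chains deleted.  The file is
# absent when the ip(6)_tables module is not loaded - nothing to flush then.
if [[ -r "${TABLE_NAMES}" ]]; then
  while IFS= read -r table || [[ -n "${table}" ]]; do
    [[ -z "${table}" ]] && continue
    ${VER_IPTABLES} -F -t "${table}" &>/dev/null
    ${VER_IPTABLES} -X -t "${table}" &>/dev/null
  done < "${TABLE_NAMES}"
fi
${VER_IPTABLES} -X &>/dev/null
}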
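# default_policy_set (ipv6|ipv4) [INPUT policy] [OUTPUT policy] [FORWARD policy]
# Sets the built-in chain policies (INPUT, OUTPUT, FORWARD) for ipv4 or ipv6.
# Each policy is normally ACCEPT or DROP; a missing or empty argument means
# ACCEPT.  The previous ${2=ACCEPT} form asked bash to assign to a positional
# parameter, which bash refuses ("cannot assign in this way"), so the
# promised ACCEPT default never applied and an empty policy reached iptables.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
#            $2 - INPUT policy, $3 - OUTPUT policy, $4 - FORWARD policy
# Globals:   reads IPTABLES/IP6TABLES/display; writes IP_VERSION,
#            VER_IPTABLES, INPOLICY, OUTPOLICY, FWDPOLICY
# Returns:   status of the FORWARD policy command
function default_policy_set {
IP_VERSION=$1
INPOLICY=${2:-ACCEPT}
OUTPOLICY=${3:-ACCEPT}
FWDPOLICY=${4:-ACCEPT}
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES} ;;
  ipv4|*) VER_IPTABLES=${IPTABLES} ;;
esac
${display} RED "Setting ${IP_VERSION} policies to INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}..."
${VER_IPTABLES} --policy INPUT "${INPOLICY}"
${VER_IPTABLES} --policy OUTPUT "${OUTPOLICY}"
${VER_IPTABLES} --policy FORWARD "${FWDPOLICY}"
}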
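# setup_iptables_chains (ipv4|ipv6)
# Creates the firewall's own chains and hooks them into the built-in
# INPUT/OUTPUT/FORWARD chains (and nat PREROUTING/POSTROUTING when NAT is
# enabled for that IP version).  The hook order below is the order packets
# traverse the firewall, so it is written out one line at a time.
#
# Between the hooks, the executable custom/*.sh files under
# ${FWCONFIGDIR}/ipv${IPVER}/ (prerun, easyblock, filter, nat, portfw,
# postrun) are sourced into this shell.  They run with the caller's
# privileges (normally root), so that directory must be writable only by the
# administrator.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, Enablev4NAT/Enablev6NAT,
#            the chain-name variables (InPreRules, OutPreRules, InEasyBlock,
#            OutEasyBlock, InFilter, OutFilter, FwdFilter, NAT, PortForward,
#            v6ICMP, InPostRules, OutPostRules) and display/debug;
#            writes IP_VERSION, VER_IPTABLES, IPVER
function setup_iptables_chains {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local custom="${FWCONFIGDIR}/ipv${IPVER}/custom"
# Create the actual chains
${display} GREEN "Setting up chains for ${IP_VERSION}..."
${VER_IPTABLES} -N ${InPreRules}
${VER_IPTABLES} -N ${OutPreRules}
${VER_IPTABLES} -N ${InEasyBlock}
${VER_IPTABLES} -N ${OutEasyBlock}
${VER_IPTABLES} -N ${InFilter}
${VER_IPTABLES} -N ${OutFilter}
${VER_IPTABLES} -N ${FwdFilter}
# The Enablev?NAT flags are re-read at each NAT step rather than cached once,
# so a custom script sourced in between may still turn NAT on or off.
if [[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] || [[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]]; then
  ${VER_IPTABLES} -N ${NAT} -t nat
  ${VER_IPTABLES} -N ${PortForward} -t nat
fi
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N ${v6ICMP}
${VER_IPTABLES} -N ${InPostRules}
${VER_IPTABLES} -N ${OutPostRules}
# Set up rules - the order matters - we do it separately here
# for easy viewing of order.  Paths are quoted so a config directory with
# unusual characters cannot be split or globbed by the -x test.
[[ -x "${custom}/prerun.sh" ]] && . "${custom}/prerun.sh"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPreRules"
${VER_IPTABLES} -A INPUT -j ${InPreRules}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPreRules"
${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
[[ -x "${custom}/easyblock.sh" ]] && . "${custom}/easyblock.sh"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InEasyBlock"
${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutEasyBlock"
${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
[[ -x "${custom}/filter.sh" ]] && . "${custom}/filter.sh"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InFilter"
${VER_IPTABLES} -A INPUT -j ${InFilter}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutFilter"
${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up FwdFilter"
${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
[[ -x "${custom}/nat.sh" ]] && . "${custom}/nat.sh"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up NAT"
if [[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] || [[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]]; then
  ${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
fi
[[ -x "${custom}/portfw.sh" ]] && . "${custom}/portfw.sh"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up PortForward"
if [[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] || [[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]]; then
  ${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
fi
[[ -x "${custom}/postrun.sh" ]] && . "${custom}/postrun.sh"
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j ${v6ICMP}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j ${InPostRules}
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
}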
# allow_all_loopback (ipv4|ipv6)
# Accepts everything on the loopback interface in both directions by adding
# an early ACCEPT to InPreRules (-i lo) and OutPreRules (-o lo).
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, InPreRules, OutPreRules, debug;
#            writes IP_VERSION, VER_IPTABLES, IPVER
function allow_all_loopback {
IP_VERSION=$1
if [[ ${IP_VERSION} == "ipv6" ]]; then
  VER_IPTABLES=${IP6TABLES}
  IPVER="6"
else
  VER_IPTABLES=${IPTABLES}
  IPVER="4"
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loaded"
${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT
}
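# allow_trusted_hosts (ipv4|ipv6)
# Accepts all traffic to and from every host listed in
# ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf.  Each whitespace-separated word on
# a line is an address (or network); a line containing '#' anywhere is
# skipped, exactly as the previous grep -v filter did.
# The rules go into InPreRules/OutPreRules, i.e. ahead of every filter, so a
# trusted host bypasses the firewall completely - keep the list short.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, InPreRules, OutPreRules,
#            display/debug; writes IP_VERSION, VER_IPTABLES, IPVER
function allow_trusted_hosts {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
local line host
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ -r "${conf}" ]]; then
  # '|| [[ -n $line ]]' keeps a final line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "${line}" ]]; do
    [[ ${line} == *"#"* ]] && continue
    # Intentionally unquoted: one line may carry several hosts.
    for host in ${line}; do
      ${VER_IPTABLES} -A ${InPreRules} -s "${host}" -j ACCEPT
      ${VER_IPTABLES} -A ${OutPreRules} -d "${host}" -j ACCEPT
    done
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
else
  # Also reached when the file exists but is not readable.
  ${display} RED "File Missing: ${conf}"
  ${display} RED "Error: can not load trusted hosts file."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
fi
}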
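# enable_mss_clamp (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf and adds one TCPMSS
# clamp-to-PMTU rule per line.  Line format: "<interface> <mss-range> <type>"
#   mss-range  "-" means 1400:1536
#   type       "-" or "out" -> OutFilter, "fwd" -> FwdFilter, anything else
#              is used as a chain name as-is
# Lines starting with '#' and blank lines are ignored.  A final line without
# a trailing newline is now loaded too; the plain read loop dropped it.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, OutFilter, FwdFilter,
#            display/debug; writes IP_VERSION, VER_IPTABLES, IPVER and the
#            per-line variables interface, mss, type
function enable_mss_clamp {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ -r "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
  while read -r interface mss type || [[ -n "${interface}" ]]; do
    [[ ${interface} = \#* ]] && continue
    [[ ${interface} = "" ]] && continue
    [[ ${mss} == "-" ]] && mss="1400:1536"
    case ${type} in
      -|out) type="${OutFilter}" ;;
      fwd) type="${FwdFilter}" ;;
    esac
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type}"
    ${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
      --clamp-mss-to-pmtu -o ${interface} -m tcpmss --mss ${mss}
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
else
  # Also reached when the file exists but is not readable.
  ${display} RED "File Missing: ${conf}"
  ${display} RED "Error: can not load mss clamp file."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
fi
}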
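# allow_resolvconf_servers (ipv4|ipv6)
# Reads the "nameserver" entries of ${ResolvConfv4File} (ipv4) or
# ${ResolvConfv6File} (ipv6) and permits DNS over UDP/53 to each of them.
# Entries of the other address family are skipped (ipv6 servers contain ':').
# With connection tracking enabled (Enablev4ConnectionTracking /
# Enablev6ConnectionTracking = yes) the reply rule is limited to
# ESTABLISHED,RELATED; without it, stateless rules keyed on the
# 1024:65535 <-> 53 port pair are used.
#
# The stateless rules used to carry the server as *source* of the outbound
# packet and *destination* of the inbound one - the reverse of the conntrack
# branch.  On a DNS client that never matches (our own packets leave with our
# address as source), so they now use the same direction as the conntrack
# rules: outbound -d server, inbound -s server.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, ResolvConfv4File/ResolvConfv6File,
#            Enablev?ConnectionTracking, M_STATE, C_STATE, InPreRules,
#            OutPreRules, display/debug; writes IP_VERSION, VER_IPTABLES,
#            IPVER, ResolvConfFile, use_conntrack, type, server
# Returns:   1 when the resolver file cannot be read, else the status of the
#            final debug call
function allow_resolvconf_servers {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
# Keyed on IPVER rather than the raw argument, so an unrecognised argument
# (mapped to ipv4 above) also gets the ipv4 resolver file and flag.
use_conntrack="no"
if [[ ${IPVER} == "6" ]]; then
  ResolvConfFile="${ResolvConfv6File}"
  [[ ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
else
  ResolvConfFile="${ResolvConfv4File}"
  [[ ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
if [[ ! -r "${ResolvConfFile}" ]]; then
  ${display} RED "File Missing: ${ResolvConfFile}"
  ${display} RED "Error: can not load resolv.conf nameservers."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  return 1
fi
while read -r type server || [[ -n "${type}" ]]; do
  [[ ${type} != "nameserver" ]] && continue
  # A bare "nameserver" line would otherwise produce "-d" with no address.
  [[ -z ${server} ]] && continue
  [[ ${server} == *:* && ${IPVER} == "4" ]] && continue
  [[ ${server} != *:* && ${IPVER} == "6" ]] && continue
  if [[ ${use_conntrack} == "yes" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
    ${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${server} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
    ${VER_IPTABLES} -A ${InPreRules} -p udp -s ${server} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  else
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
    # Stateless: our query leaves from an unprivileged port towards server:53
    # and the answer comes back from server:53 to that port.
    ${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${server} --sport 1024:65535 --dport 53 -j ACCEPT
    ${VER_IPTABLES} -A ${InPreRules} -p udp -s ${server} --dport 1024:65535 --sport 53 -j ACCEPT
    #${VER_IPTABLES} -A ${OutPreRules} -p tcp -d ${server} --sport 1024:65535 --dport 53 -j ACCEPT
    #${VER_IPTABLES} -A ${InPreRules} -p tcp -s ${server} --dport 1024:65535 --sport 53 -j ACCEPT
  fi
done < "${ResolvConfFile}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}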
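# allow_dnsclient_manual (ipv4|ipv6) "<server> [<server> ...]"
# Permits DNS over UDP/53 to each server in the whitespace-separated list $2,
# the same way allow_resolvconf_servers does for resolv.conf entries.  With
# connection tracking enabled the reply rule is limited to
# ESTABLISHED,RELATED; otherwise stateless 1024:65535 <-> 53 rules are used.
#
# Two fixes over the previous version: the conntrack debug message named
# ${server}, a variable this function never sets, instead of the current
# entry; and the stateless rules had -s/-d swapped relative to the conntrack
# branch (server as source of our outbound query), which never matches on a
# DNS client.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
#            $2 - space-separated list of resolver addresses
# Globals:   reads IPTABLES/IP6TABLES, Enablev?ConnectionTracking, M_STATE,
#            C_STATE, InPreRules, OutPreRules, debug; writes IP_VERSION,
#            VER_IPTABLES, IPVER, DNS_SERVERS, use_conntrack, i
function allow_dnsclient_manual {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
DNS_SERVERS="$2"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
use_conntrack="no"
if [[ ${IPVER} == "6" ]]; then
  [[ ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
else
  [[ ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
fi
# Intentionally unquoted: DNS_SERVERS is a space-separated list.
for i in ${DNS_SERVERS}; do
  if [[ ${use_conntrack} == "yes" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to conntrack list for DNS traffic"
    ${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${i} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
    ${VER_IPTABLES} -A ${InPreRules} -p udp -s ${i} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  else
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
    # Stateless: our query leaves from an unprivileged port towards server:53
    # and the answer comes back from server:53 to that port.
    ${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${i} --sport 1024:65535 --dport 53 -j ACCEPT
    ${VER_IPTABLES} -A ${InPreRules} -p udp -s ${i} --dport 1024:65535 --sport 53 -j ACCEPT
    #${VER_IPTABLES} -A ${OutPreRules} -p tcp -d ${i} --sport 1024:65535 --dport 53 -j ACCEPT
    #${VER_IPTABLES} -A ${InPreRules} -p tcp -s ${i} --dport 1024:65535 --sport 53 -j ACCEPT
  fi
done
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}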
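# enable_easyblock (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf and appends one DROP rule
# per line to InEasyBlock (IN) or OutEasyBlock (OUT).
# Line format: "<IN|OUT> <interface> <address> <port> <protocol>"; "-" (or a
# missing trailing field) leaves that match out.  Lines starting with '#' and
# blank lines are ignored; a line that does not begin with IN/OUT is reported
# and skipped.  A missing file is not an error - nothing is blocked.
#
# The per-field variables are rewritten in place into iptables options
# ("80" -> "--dport 80") and then expanded unquoted, which is what splits
# them into separate arguments.  The config file is therefore trusted input:
# a field containing whitespace becomes extra iptables arguments.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, InEasyBlock, OutEasyBlock,
#            display/debug; writes IP_VERSION, VER_IPTABLES, IPVER and the
#            per-line variables direction, interface, address, port,
#            protocol, chain
function enable_easyblock {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
  # '|| [[ -n $direction ]]' keeps a final line that lacks a trailing newline.
  while read -r direction interface address port protocol || [[ -n "${direction}" ]]; do
    [[ ${direction} = \#* ]] && continue
    [[ ${direction} = "" ]] && continue
    # An if-block rather than "cond && display && continue": the continue
    # must not depend on the display helper's exit status.
    if [[ ${direction} != "IN" && ${direction} != "OUT" ]]; then
      ${display} RED "easyblock.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${interface} ${address} ${port} ${protocol}"
      continue
    fi
    # Missing trailing fields behave like "-" instead of yielding a bare
    # "-s"/"-i"/"-p"/"--dport" with no argument.
    [[ -z ${interface} ]] && interface="-"
    [[ -z ${address} ]] && address="-"
    [[ -z ${port} ]] && port="-"
    [[ -z ${protocol} ]] && protocol="-"
    # Do some creative work with variables to make building the iptables rules fairly painless
    [[ ${port} != "-" ]] && port="--dport ${port}"
    if [[ ${direction} == "IN" ]]; then
      chain="${InEasyBlock}"
      [[ ${address} != "-" ]] && address="-s ${address}"
      [[ ${interface} != "-" ]] && interface="-i ${interface}"
    else
      chain="${OutEasyBlock}"
      [[ ${address} != "-" ]] && address="-d ${address}"
      [[ ${interface} != "-" ]] && interface="-o ${interface}"
    fi
    [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${direction} ${interface} ${address} ${port} ${protocol}"
    # Blank variables that we're not going to use.
    [[ ${interface} == "-" ]] && interface=""
    [[ ${port} == "-" ]] && port=""
    [[ ${address} == "-" ]] && address=""
    [[ ${protocol} == "-" ]] && protocol=""
    ${VER_IPTABLES} -A ${chain} ${interface} ${address} ${protocol} ${port} -j DROP
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}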
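# enable_filtering (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/acl.conf and appends one rule per line to
# InFilter (IN) or OutFilter (OUT).
# Line format:
#   <IN|OUT> <ACCEPT|DROP|REJECT> <interface> <srcaddress> <srcport>
#   <dstaddress> <dstport> <protocol> <syn|notsyn|-> [<state>]
# "-" (or a missing trailing field) leaves that match out.  <state> is only
# honoured when connection tracking is enabled for the IP version, and is
# then passed as "${M_STATE} ${C_STATE} <state>".  Lines starting with '#'
# and blank lines are ignored; malformed lines are reported and skipped.
# A missing file is not an error.
#
# Fix: conntrack_state is now reset on every line.  It used to survive from
# the previous line, so a rule written without a state column silently
# inherited the previous rule's state match (e.g. a DROP that was meant to be
# unconditional became "--state NEW" only).
#
# The per-field variables are rewritten into iptables options and expanded
# unquoted; the config file is trusted input (a field with whitespace becomes
# extra iptables arguments).
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, InFilter, OutFilter,
#            Enablev?ConnectionTracking, M_STATE, C_STATE, display/debug;
#            writes IP_VERSION, VER_IPTABLES, IPVER, conntrack_state, chain
#            and the per-line field variables
function enable_filtering {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
  # '|| [[ -n $direction ]]' keeps a final line that lacks a trailing newline.
  while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state || [[ -n "${direction}" ]]; do
    # Per-line reset - see the header comment.
    conntrack_state=""
    [[ ${direction} = \#* ]] && continue
    [[ ${direction} = "" ]] && continue
    if [[ ${direction} != "IN" && ${direction} != "OUT" ]]; then
      ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}"
      continue
    fi
    if [[ ${action} != "ACCEPT" && ${action} != "DROP" && ${action} != "REJECT" ]]; then
      ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}"
      continue
    fi
    # Do some creative work with variables to make building the iptables rules fairly painless
    # Missing trailing fields behave like "-".
    [[ -z ${interface} ]] && interface="-"
    [[ -z ${srcaddress} ]] && srcaddress="-"
    [[ -z ${srcport} ]] && srcport="-"
    [[ -z ${dstaddress} ]] && dstaddress="-"
    [[ -z ${dstport} ]] && dstport="-"
    [[ -z ${protocol} ]] && protocol="-"
    [[ -z ${syn} ]] && syn="-"
    [[ -z ${state} ]] && state="-"
    if [[ ${state} != "-" ]]; then
      [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} ${state}"
      [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} ${state}"
    fi
    [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
    [[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
    [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
    [[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
    if [[ ${direction} == "IN" ]]; then
      chain="${InFilter}"
      [[ ${interface} != "-" ]] && interface="-i ${interface}"
    else
      chain="${OutFilter}"
      [[ ${interface} != "-" ]] && interface="-o ${interface}"
    fi
    [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
    # NOTE: --reject-with tcp-reset is only accepted by iptables together
    # with -p tcp; a REJECT line for another protocol is refused at load time.
    [[ ${action} == "REJECT" ]] && action="REJECT --reject-with tcp-reset"
    [[ ${syn} == "syn" ]] && syn="--syn"
    [[ ${syn} == "notsyn" ]] && syn="! --syn"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn}"
    # Blank variables that we're not going to use.
    [[ ${interface} == "-" ]] && interface=""
    [[ ${dstport} == "-" ]] && dstport=""
    [[ ${srcport} == "-" ]] && srcport=""
    [[ ${dstaddress} == "-" ]] && dstaddress=""
    [[ ${srcaddress} == "-" ]] && srcaddress=""
    [[ ${protocol} == "-" ]] && protocol=""
    [[ ${syn} == "-" ]] && syn=""
    ${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}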
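# enable_forwarding (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/forward.conf and appends one rule per line
# to FwdFilter (two when bidirectional is "yes": the second has every
# source/destination match mirrored).
# Line format:
#   <ACCEPT|DROP> <srcinterface> <srcaddress> <dstinterface> <dstaddress>
#   <bidirectional yes|no|-> [<srcport>] [<dstport>] [<protocol>]
#   [<syn|notsyn|->] [<state>]
# "-" (or a missing trailing field) leaves that match out.  With connection
# tracking enabled, <state> is passed through as the state match and an
# empty state means ESTABLISHED,RELATED; DROP rules never get a state match.
# "syn" is ignored for udp.  Lines starting with '#' and blank lines are
# ignored; malformed lines are reported and skipped.  A missing file is not
# an error.
#
# Fix: the mirrored port matches (revsrcport/revdstport) are now derived from
# the raw port values.  They used to be computed after srcport/dstport had
# already been rewritten to "--sport N"/"--dport N", yielding
# "--dport --sport N", which iptables rejects, so every bidirectional rule
# with a port failed to load.
#
# The per-field variables are rewritten into iptables options and expanded
# unquoted; the config file is trusted input.  conntrack_udp_new is still
# computed for compatibility but is not read anywhere in this function.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, FwdFilter,
#            Enablev?ConnectionTracking, M_STATE, C_STATE, display/debug;
#            writes IP_VERSION, VER_IPTABLES, IPVER, conntrack_state,
#            conntrack_udp_new, the rev* variables and the per-line fields
function enable_forwarding {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
  # '|| [[ -n $action ]]' keeps a final line that lacks a trailing newline.
  while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state || [[ -n "${action}" ]]; do
    unset conntrack_state conntrack_udp_new revsrcaddress revdstaddress revdstinterface revsrcinterface revsrcport revdstport
    [[ ${action} = \#* ]] && continue
    [[ -z ${action} ]] && continue
    if [[ ${action} != "ACCEPT" && ${action} != "DROP" ]]; then
      ${display} RED "forward.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
      continue
    fi
    # Do some creative work with variables to make building the iptables rules fairly painless
    # Although these next few rules seems like they duplicate some work, they
    # actually make handling later rules simpler even if we end up blanking
    # them yet again.
    [[ -z ${srcinterface} ]] && srcinterface="-"
    [[ -z ${srcaddress} ]] && srcaddress="-"
    [[ -z ${dstinterface} ]] && dstinterface="-"
    [[ -z ${dstaddress} ]] && dstaddress="-"
    [[ -z ${bidirectional} ]] && bidirectional="-"
    [[ -z ${dstport} ]] && dstport="-"
    [[ -z ${srcport} ]] && srcport="-"
    [[ -z ${protocol} ]] && protocol="-"
    [[ -z ${syn} ]] && syn="-"
    [[ -z ${state} ]] && state="-"
    if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
      if [[ ${state} == "-" ]]; then
        conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
      else
        conntrack_state="${M_STATE} ${C_STATE} ${state}"
      fi
    fi
    # Mirrored matches for the reverse rule, all built from the raw values.
    if [[ ${bidirectional} == "yes" ]]; then
      [[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}"
      [[ ${dstaddress} != "-" ]] && revdstaddress="-s ${dstaddress}"
      [[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}"
      [[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}"
      [[ ${srcport} != "-" ]] && revsrcport="--dport ${srcport}"
      [[ ${dstport} != "-" ]] && revdstport="--sport ${dstport}"
    fi
    [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
    [[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
    [[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
    [[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
    [[ ${syn} == "syn" && -n ${conntrack_state} ]] && conntrack_udp_new=",NEW"
    [[ ${syn} == "syn" && ${protocol} == "udp" ]] && syn="-"
    [[ ${syn} == "syn" ]] && syn="--syn"
    [[ ${syn} == "notsyn" ]] && syn="! --syn"
    [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
    [[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
    [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
    # Blank variables that we're not going to use.
    [[ ${srcinterface} == "-" ]] && srcinterface=""
    [[ ${dstinterface} == "-" ]] && dstinterface=""
    [[ ${dstaddress} == "-" ]] && dstaddress=""
    [[ ${srcaddress} == "-" ]] && srcaddress=""
    [[ ${dstport} == "-" ]] && dstport=""
    [[ ${srcport} == "-" ]] && srcport=""
    [[ ${syn} == "-" ]] && syn=""
    [[ ${state} == "-" ]] && state=""
    [[ ${protocol} == "-" ]] && protocol=""
    [[ ${bidirectional} == "-" ]] && bidirectional="no"
    # A DROP is unconditional: no state match.
    [[ ${action} == "DROP" ]] && conntrack_state=""
    ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
    [[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} -j ${action}
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}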
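# enable_nat (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/nat.conf and, per line, appends one rule
# to the NAT chain (nat table) plus two FwdFilter ACCEPT rules: a stateful
# forward match and its mirror for the replies.
# Line format: "<SNAT|MASQ|NETMAP> <srcinterface> <srcaddress> <dstinterface>
# <dstaddress>"; "-" (or a missing trailing field) leaves that match out.
#   MASQ    needs a destination interface (-j MASQUERADE)
#   SNAT    needs a destination address (--to-source)
#   NETMAP  needs both addresses (-d src --to dst)
# Requires connection tracking for the IP version; returns 1 otherwise.
# Lines starting with '#' and blank lines are ignored; malformed lines are
# reported and skipped.  A missing file is not an error.
#
# Fixes: action and the rev* variables are reset on every line.  They used
# to carry over, so a malformed line (e.g. SNAT without an address, which is
# not rejected before the action is chosen) was written with the previous
# line's -j target.  The per-line debug message printed variables belonging
# to another loader; it now prints this line's fields.
#
# The per-field variables are rewritten into iptables options and expanded
# unquoted; the config file is trusted input.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, NAT, FwdFilter,
#            Enablev?ConnectionTracking, M_STATE, C_STATE, display/debug;
#            writes IP_VERSION, VER_IPTABLES, IPVER, action, the rev*
#            variables and the per-line fields
function enable_nat {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
# The FwdFilter rules below are state matches, so NAT needs conntrack.
if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} != "yes" ]]; then
  ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no"
  return 1
fi
if [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} != "yes" ]]; then
  ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no"
  return 1
fi
if [[ -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
  # '|| [[ -n $type ]]' keeps a final line that lacks a trailing newline.
  while read -r type srcinterface srcaddress dstinterface dstaddress || [[ -n "${type}" ]]; do
    # Per-line reset - see the header comment.
    unset action revsrcaddress revdstinterface revsrcinterface
    [[ ${type} = \#* ]] && continue
    [[ ${type} = "" ]] && continue
    if [[ ${type} != "SNAT" && ${type} != "MASQ" && ${type} != "NETMAP" ]]; then
      ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
      continue
    fi
    # Missing trailing fields behave like "-".
    [[ -z ${srcinterface} ]] && srcinterface="-"
    [[ -z ${srcaddress} ]] && srcaddress="-"
    [[ -z ${dstinterface} ]] && dstinterface="-"
    [[ -z ${dstaddress} ]] && dstaddress="-"
    # Do some creative work with variables to make building the iptables rules fairly painless
    [[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}"
    [[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}"
    [[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}"
    [[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
    [[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
    # NETMAP uses the source address as its -d match instead (below).
    [[ ${srcaddress} != "-" && ${type} != "NETMAP" ]] && srcaddress="-s ${srcaddress}"
    case ${type} in
      MASQ)
        if [[ ${dstinterface} == "-" ]]; then
          ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
          continue
        fi
        action="-j MASQUERADE" ;;
      SNAT)
        if [[ ${dstaddress} == "-" ]]; then
          ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
          continue
        fi
        action="-j SNAT"
        dstaddress="--to-source ${dstaddress}" ;;
      NETMAP)
        if [[ ${srcaddress} == "-" || ${dstaddress} == "-" ]]; then
          ${display} RED "nat.conf: Error - NETMAP rule needs both a source and a destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
          continue
        fi
        action="-j NETMAP"
        srcaddress="-d ${srcaddress}"
        dstaddress="--to ${dstaddress}" ;;
    esac
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
    # Blank variables that we're not going to use.
    [[ ${srcinterface} == "-" ]] && srcinterface=""
    [[ ${dstinterface} == "-" ]] && dstinterface=""
    [[ ${dstaddress} == "-" ]] && dstaddress=""
    [[ ${srcaddress} == "-" ]] && srcaddress=""
    ${VER_IPTABLES} -A ${NAT} -t nat ${srcaddress} ${action} ${dstinterface} ${dstaddress}
    ${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED,NEW ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT
    ${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${revsrcinterface} ${revsrcaddress} ${revdstinterface} -j ACCEPT
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}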
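# enable_services (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/services.conf and appends one ACCEPT rule
# per line to InFilter for a locally offered service.
# Line format: "<port|name|p1,p2,...> <protocol> [<interface>] [<address>]
# [<srcaddress>]"; "-" (or a missing trailing field) leaves that match out.
# A comma-separated port list uses "-m multiport --dports".  With connection
# tracking enabled the rule is limited to NEW connections.  Lines starting
# with '#' and blank lines are ignored; a missing service or protocol is
# reported and the line skipped.  A missing file is not an error.
#
# Fixes: <address> (the local address the service listens on) was written
# into srcaddress instead of address, so it reached iptables unprefixed and
# srcaddress became "-s -d <address>".  conntrack_state is now initialised
# even with tracking disabled, rather than inheriting whatever an earlier
# loader left in the global.  Error messages name services.conf, the file
# actually read.
#
# The per-field variables are rewritten into iptables options and expanded
# unquoted; the config file is trusted input.
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
# Globals:   reads IPTABLES/IP6TABLES, FWCONFIGDIR, InFilter,
#            Enablev?ConnectionTracking, M_STATE, C_STATE, display/debug;
#            writes IP_VERSION, VER_IPTABLES, IPVER, conntrack_state,
#            multiport and the per-line fields
function enable_services {
IP_VERSION=$1
case $IP_VERSION in
  ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
  ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
esac
local conf="${FWCONFIGDIR}/ipv${IPVER}/services.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ -e "${conf}" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
  conntrack_state=""
  [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} NEW"
  [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && conntrack_state="${M_STATE} ${C_STATE} NEW"
  # '|| [[ -n $service ]]' keeps a final line that lacks a trailing newline.
  while read -r service protocol interface address srcaddress || [[ -n "${service}" ]]; do
    multiport="no"
    [[ ${service} = \#* ]] && continue
    [[ -z ${service} ]] && continue
    if [[ ${service} == "-" ]]; then
      ${display} RED "services.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
      continue
    fi
    if [[ -z ${protocol} || ${protocol} == "-" ]]; then
      ${display} RED "services.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
      continue
    fi
    [[ ${service} == *,* ]] && multiport="yes"
    # Missing trailing fields behave like "-".
    [[ -z ${interface} ]] && interface="-"
    [[ -z ${address} ]] && address="-"
    [[ -z ${srcaddress} ]] && srcaddress="-"
    # Do some creative work with variables to make building the iptables rules fairly painless
    if [[ ${multiport} == "yes" ]]; then
      service="-m multiport --dports ${service}"
    else
      service="--dport ${service}"
    fi
    protocol="-p ${protocol}"
    [[ ${interface} != "-" ]] && interface="-i ${interface}"
    [[ ${address} != "-" ]] && address="-d ${address}"
    [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${address} ${srcaddress}"
    # Blank variables that we're not going to use.
    [[ ${interface} == "-" ]] && interface=""
    [[ ${address} == "-" ]] && address=""
    [[ ${srcaddress} == "-" ]] && srcaddress=""
    ${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
  done < "${conf}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}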
# enable_conntrack_int (ipv4|ipv6) "all"|"<iface> [<iface> ...]"
# Installs the stateful baseline in InPreRules/OutPreRules: accept
# ESTABLISHED,RELATED traffic and drop INVALID, either for every interface
# ("all") or once per listed interface (-o on the way out, -i on the way in).
#
# Arguments: $1 - "ipv4" or "ipv6" (anything else is treated as ipv4)
#            $2 - "all" or a space-separated interface list
# Globals:   reads IPTABLES/IP6TABLES, InPreRules, OutPreRules, M_STATE,
#            C_STATE, debug; writes IP_VERSION, VER_IPTABLES, IPVER,
#            conntrack_int, i
function enable_conntrack_int {
IP_VERSION=$1
if [[ ${IP_VERSION} == "ipv6" ]]; then
  VER_IPTABLES=${IP6TABLES}
  IPVER="6"
else
  VER_IPTABLES=${IPTABLES}
  IPVER="4"
fi
conntrack_int="$2"
local rule ctstate target
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ${conntrack_int} == "all" ]]; then
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
  for rule in "ESTABLISHED,RELATED ACCEPT" "INVALID DROP"; do
    ctstate=${rule%% *}
    target=${rule##* }
    ${VER_IPTABLES} -A ${OutPreRules} ${M_STATE} ${C_STATE} ${ctstate} -j ${target}
    ${VER_IPTABLES} -A ${InPreRules} ${M_STATE} ${C_STATE} ${ctstate} -j ${target}
  done
else
  # Intentionally unquoted: a space-separated interface list.
  for i in ${conntrack_int}; do
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${i}"
    for rule in "ESTABLISHED,RELATED ACCEPT" "INVALID DROP"; do
      ctstate=${rule%% *}
      target=${rule##* }
      ${VER_IPTABLES} -A ${OutPreRules} -o ${i} ${M_STATE} ${C_STATE} ${ctstate} -j ${target}
      ${VER_IPTABLES} -A ${InPreRules} -i ${i} ${M_STATE} ${C_STATE} ${ctstate} -j ${target}
    done
  done
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
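# enable_portfw (ipv6|ipv4)
# Read ${FWCONFIGDIR}/ipv${IPVER}/portfw.conf and, for every entry, add a DNAT
# rule to the ${PortForward} chain of the nat table plus a matching ACCEPT
# rule to ${InFilter}.  One entry per line, whitespace separated, "-" meaning
# "not set":
#   service protocol intip [intport] [interface] [address] [srcaddress]
# service (port/name) and protocol are required, as is intip (the DNAT target);
# intport is optional (omitted -> DNAT keeps the original port).  Empty lines
# and lines starting with '#' are ignored.  Globals written (kept global like
# the rest of this file): IP_VERSION, VER_IPTABLES, IPVER, use_conntrack,
# conntrack_state, intdest and the per-line field variables.
function enable_portfw {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${conf}" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    use_conntrack="no"   # not read in this function; kept for other callers
    # conntrack_state is global: clear it first so a value left over from an
    # earlier call (e.g. for the other IP version) is never reused here.
    conntrack_state=""
    if [[ ${IP_VERSION} == "ipv4" && ${Enablev4ConnectionTracking} == "yes" ]] \
       || [[ ${IP_VERSION} == "ipv6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
      conntrack_state="${M_STATE} ${C_STATE} NEW"
    fi
    # '|| [[ -n ... ]]' also processes a final line without a trailing newline.
    while read -r service protocol intip intport interface address srcaddress \
        || [[ -n ${service} ]]; do
      [[ ${service} = \#* ]] && continue
      [[ -z ${service} ]] && continue
      # Errors are reported with 'if' so the line is skipped even when
      # ${display} returns non-zero.
      if [[ ${service} == "-" ]]; then
        ${display} RED "portfw.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ -z ${protocol} || ${protocol} == "-" ]]; then
        ${display} RED "portfw.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # DNAT needs a target: refuse the line instead of emitting a rule
      # without --to-destination (or with a value left over from the previous line).
      if [[ -z ${intip} || ${intip} == "-" ]]; then
        ${display} RED "portfw.conf: Error - internal address can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # Normalise unset optional fields to "-" so only one "not set"
      # spelling has to be handled below.
      [[ -z ${intport} ]] && intport="-"
      [[ -z ${interface} ]] && interface="-"
      [[ -z ${address} ]] && address="-"
      [[ -z ${srcaddress} ]] && srcaddress="-"
      # intdest is rebuilt for every line; without a port the DNAT target
      # keeps the original destination port.
      if [[ ${intport} == "-" ]]; then
        intdest="--to-destination ${intip}"
      else
        intdest="--to-destination ${intip}:${intport}"
      fi
      # Turn the fields into iptables options so the rule lines below stay flat.
      service="--dport ${service}"
      protocol="-p ${protocol}"
      [[ ${interface} != "-" ]] && interface="-i ${interface}"
      [[ ${address} != "-" ]] && address="-d ${address}"
      [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
      # Blank the "-" placeholders so they never reach the iptables command line.
      [[ ${interface} == "-" ]] && interface=""
      [[ ${address} == "-" ]] && address=""
      [[ ${srcaddress} == "-" ]] && srcaddress=""
      ${VER_IPTABLES} -A ${PortForward} -t nat ${protocol} ${service} ${interface} ${address} ${srcaddress} -j DNAT ${intdest}
      ${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}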
  558. function enable_v6_critical_icmp {
  559. VER_IPTABLES=${IP6TABLES}
  560. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  561. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
  562. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
  563. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
  564. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
  565. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
  566. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134-j ACCEPT
  567. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135-j ACCEPT
  568. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
  569. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
  570. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
  571. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
  572. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
  573. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
  574. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
  575. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
  576. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
  577. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
  578. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
  579. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
  580. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
  581. }