  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
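# iptables_rules_flush (ipv6|ipv4)
# Fail-open reset: sets the three built-in policies to ACCEPT, then flushes
# and deletes every chain in filter, nat and mangle, plus any other table the
# kernel lists in /proc/net/ip_tables_names (ip6_tables_names for ipv6).
# Between the first "-P ACCEPT" and the caller's next default_policy_set the
# host is completely unfiltered, so call this only from a code path that
# immediately re-applies the intended policies.
# Globals: IPTABLES/IP6TABLES, display (read);
#          IP_VERSION/VER_IPTABLES/TABLE_NAMES (written; deliberately left
#          global because the rest of this file shares them)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
# Returns:   0. iptables errors are silenced on purpose: a table or module
#            that is not loaded is not a failure for a flush.
function iptables_rules_flush {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES} ; TABLE_NAMES=/proc/net/ip6_tables_names ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
  esac
  ${display} GREEN "Flushing ${IP_VERSION} rules..."
  local chain table
  for chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} -P "${chain}" ACCEPT &>/dev/null
  done
  ${VER_IPTABLES} -F &>/dev/null
  ${VER_IPTABLES} -X &>/dev/null
  for chain in INPUT OUTPUT FORWARD; do
    ${VER_IPTABLES} -F "${chain}" &>/dev/null
  done
  for table in nat mangle; do
    ${VER_IPTABLES} -t "${table}" -F &>/dev/null
    ${VER_IPTABLES} -t "${table}" -X &>/dev/null
  done
  # Flush whatever other tables the kernel reports as loaded (raw, security,
  # ...).  The proc file does not exist when no table module is loaded; the
  # previous `cat` printed an error to stderr in that case, so test for it
  # first and read it line by line instead of via a word-split backtick.
  if [[ -r ${TABLE_NAMES} ]]; then
    while IFS= read -r table || [[ -n ${table} ]]; do
      [[ -n ${table} ]] && ${VER_IPTABLES} -F -t "${table}" &>/dev/null
    done < "${TABLE_NAMES}"
  fi
  return 0
}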
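# default_policy_set (ipv6|ipv4) [INPUT policy] [OUTPUT policy] [FORWARD policy]
# Sets the built-in chain policies (ACCEPT or DROP) for ipv4 or ipv6.
# A policy that is not given, or is given as an empty string, is ACCEPT.
# The policy is the last line of defence - every packet that no rule matched
# is decided here - so the full triple is displayed before it is applied.
# Globals: IPTABLES/IP6TABLES, display (read);
#          IP_VERSION/VER_IPTABLES/INPOLICY/OUTPOLICY/FWDPOLICY (written;
#          deliberately left global because the rest of this file shares them)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
#            $2 - INPUT policy, $3 - OUTPUT policy, $4 - FORWARD policy
# Returns:   status of the last --policy call
function default_policy_set {
  IP_VERSION=$1
  # ${2:-ACCEPT} rather than ${2=ACCEPT}: bash refuses to assign to a
  # positional parameter ("$2: cannot assign in this way"), so the old form
  # failed whenever the argument was omitted and the policy came out empty.
  # ":-" additionally treats an explicitly empty argument as "not given".
  INPOLICY=${2:-ACCEPT}
  OUTPOLICY=${3:-ACCEPT}
  FWDPOLICY=${4:-ACCEPT}
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES} ;;
    ipv4|*) VER_IPTABLES=${IPTABLES} ;;
  esac
  ${display} RED "Setting ${IP_VERSION} policies to INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}..."
  ${VER_IPTABLES} --policy INPUT "${INPOLICY}"
  ${VER_IPTABLES} --policy OUTPUT "${OUTPOLICY}"
  ${VER_IPTABLES} --policy FORWARD "${FWDPOLICY}"
}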
# setup_iptables_chains (ipv4|ipv6)
# Creates the user-defined chains this firewall is built from and hooks them
# into the built-in chains.  The hook-up order below is the packet traversal
# order that the rest of this file relies on:
#   INPUT:   InPreRules -> InEasyBlock -> InFilter -> [v6ICMP] -> InPostRules
#   OUTPUT:  OutPreRules -> OutEasyBlock -> OutFilter -> OutPostRules
#   FORWARD: FwdFilter
#   nat:     POSTROUTING -> NAT, PREROUTING -> PortForward
#            (only when Enablev4NAT / Enablev6NAT is "yes" for this version)
# Between the hook-ups the optional files
#   ${FWCONFIGDIR}/ipv${IPVER}/custom/{prerun,easyblock,filter,nat,portfw,postrun}.sh
# are sourced into this shell when they exist and are executable.  A sourced
# file runs with this script's privileges and can change any variable used
# here, so that directory must be writable only by the account that runs
# the firewall.
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, Enablev4NAT/Enablev6NAT, the
#          chain-name variables (InPreRules ... v6ICMP), display/debug/
#          DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER (written, shared with this file)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function setup_iptables_chains {
  IP_VERSION=$1
  if [[ ${IP_VERSION} == "ipv6" ]]; then
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
  else
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
  fi
  local chain

  ${display} GREEN "Setting up chains for ${IP_VERSION}..."
  for chain in "${InPreRules}" "${OutPreRules}" "${InEasyBlock}" "${OutEasyBlock}" \
               "${InFilter}" "${OutFilter}" "${FwdFilter}"; do
    ${VER_IPTABLES} -N "${chain}"
  done
  if [[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] || [[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]]; then
    ${VER_IPTABLES} -N "${NAT}" -t nat
    ${VER_IPTABLES} -N "${PortForward}" -t nat
  fi
  [[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N "${v6ICMP}"
  ${VER_IPTABLES} -N "${InPostRules}"
  ${VER_IPTABLES} -N "${OutPostRules}"

  # Hook the chains up in traversal order; each custom script gets to run
  # just before the stage it is named after.  The NAT conditions are
  # evaluated at the point of use, not cached, because a custom script may
  # change the Enable*NAT variables.
  if [[ -x "${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh" ]]; then
    . "${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPreRules"
  ${VER_IPTABLES} -A INPUT -j "${InPreRules}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPreRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"

  if [[ -x "${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh" ]]; then
    . "${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InEasyBlock"
  ${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutEasyBlock"
  ${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"

  if [[ -x "${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh" ]]; then
    . "${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InFilter"
  ${VER_IPTABLES} -A INPUT -j "${InFilter}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutFilter"
  ${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up FwdFilter"
  ${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"

  if [[ -x "${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh" ]]; then
    . "${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up NAT"
  if [[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] || [[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]]; then
    ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"
  fi

  if [[ -x "${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh" ]]; then
    . "${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up PortForward"
  if [[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] || [[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]]; then
    ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"
  fi

  if [[ -x "${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh" ]]; then
    . "${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh"
  fi
  [[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j "${v6ICMP}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
  ${VER_IPTABLES} -A INPUT -j "${InPostRules}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
  ${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}
  124. function allow_all_loopback {
  125. IP_VERSION=$1
  126. case $IP_VERSION in
  127. ipv6) VER_IPTABLES=${IP6TABLES};
  128. IPVER="6" ;;
  129. ipv4|*) VER_IPTABLES=${IPTABLES}
  130. IPVER="4" ;;
  131. esac
  132. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loaded"
  133. ${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT
  134. ${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT
  135. }
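# allow_trusted_hosts (ipv4|ipv6)
# Reads ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf and accepts all traffic to
# and from every address listed, in the *PreRules chains - i.e. before the
# easyblock and filter chains, so a trusted host bypasses every later rule
# for every protocol and port.  Keep the list short and specific.
# File format: whitespace-separated addresses or CIDR prefixes, any number
# per line.  A line containing '#' anywhere is ignored as a whole; this
# keeps the semantics of the previous `grep -v "#"` implementation.
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, InPreRules/OutPreRules,
#          display/debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER (written, shared with this file)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function allow_trusted_hosts {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
  local line host hosts
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${conf}" ]; then
    # read -r plus a quoted "$host" replaces `for i in \`grep ...\``: the
    # old form word-split *and* glob-expanded the file contents, so a stray
    # '*' in the file became a list of file names handed to iptables.
    # The "|| [[ -n ]]" keeps a last line that lacks a trailing newline.
    while IFS= read -r line || [[ -n ${line} ]]; do
      [[ ${line} == *"#"* ]] && continue
      read -r -a hosts <<< "${line}"
      for host in "${hosts[@]}"; do
        ${VER_IPTABLES} -A "${InPreRules}" -s "${host}" -j ACCEPT
        ${VER_IPTABLES} -A "${OutPreRules}" -d "${host}" -j ACCEPT
      done
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
    ${display} RED "Error: can not load trusted hosts file."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}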
# enable_mss_clamp (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf and appends one TCPMSS
# rule per row for SYN packets.  Columns (whitespace separated):
#   interface  - outgoing interface, or "all" for no -o match
#   mss        - "-" for no tcpmss match, otherwise the value for "--mss"
#   type       - "-"/"out" (default) for the OutFilter chain, "fwd" for
#                FwdFilter; any other value is used as a chain name as-is
#   msssize    - "-" (default) clamps to PMTU, otherwise "--set-mss VALUE"
# Rows starting with '#' and empty rows are skipped.  Missing trailing
# columns default to "-", except mss: an empty mss column is passed on as
# "--mss" without a value (kept as in the original; iptables rejects it).
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, OutFilter/FwdFilter,
#          display/debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER (written, shared with this file)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function enable_mss_clamp {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${conf}" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf successful"
    while read -r interface mss type msssize; do
      case ${interface} in
        \#*|"") continue ;;
      esac
      # Map each column onto the iptables option it stands for.  The debug
      # line below intentionally prints the mapped form.
      case ${mss} in
        -) mss="" ;;
        *) mss="-m tcpmss --mss ${mss}" ;;
      esac
      case ${type} in
        ""|-|out) type="${OutFilter}" ;;
        fwd) type="${FwdFilter}" ;;
      esac
      case ${msssize} in
        ""|-) msssize="--clamp-mss-to-pmtu" ;;
        *) msssize="--set-mss ${msssize}" ;;
      esac
      case ${interface} in
        all) interface="" ;;
        *) interface="-o ${interface}" ;;
      esac
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type} ${msssize}"
      # The option variables are deliberately unquoted: each holds a
      # space-separated option plus value that must become separate words.
      ${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS ${interface} ${mss} ${msssize}
      unset interface mss type msssize
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  else
    ${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
    ${display} RED "Error: can not load mss clamp file."
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  fi
}
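# allow_resolvconf_servers (ipv4|ipv6)
# Reads the "nameserver" lines of ${ResolvConfv4File} (ipv4) or
# ${ResolvConfv6File} (ipv6) and opens UDP/53 to each resolver of the
# matching address family (addresses containing ':' are IPv6) in the
# *PreRules chains.  With connection tracking enabled for this IP version
# the outbound rule is limited to NEW,ESTABLISHED and the inbound one to
# ESTABLISHED,RELATED; without it, stateless rules pinned to local source
# ports 1024:65535 are used instead.  TCP/53 is intentionally not opened
# (see the commented lines), so responses that fall back to TCP will be
# blocked unless allowed elsewhere.
# Globals: IPTABLES/IP6TABLES, ResolvConfv4File/ResolvConfv6File,
#          Enablev4ConnectionTracking/Enablev6ConnectionTracking,
#          M_STATE/C_STATE, InPreRules/OutPreRules, debug/DebugColor/
#          DEFAULT_COLOR (read); IP_VERSION/VER_IPTABLES/IPVER/
#          ResolvConfFile/use_conntrack (written, shared with this file)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function allow_resolvconf_servers {
  IP_VERSION=$1
  # ResolvConfFile is chosen here, in the same case statement, so that the
  # ipv4 fallback branch also gets a file (it used to stay unset for any
  # argument other than exactly "ipv4"/"ipv6", which broke the redirect).
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6"; ResolvConfFile="${ResolvConfv6File}" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4"; ResolvConfFile="${ResolvConfv4File}" ;;
  esac
  local type server
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
  use_conntrack="no"
  [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  while read -r type server _; do
    [[ ${type} != "nameserver" ]] && continue
    # A bare "nameserver" line would otherwise produce "-d" with no value.
    [[ -z ${server} ]] && continue
    # Only feed each address family to its own iptables binary.
    case ${server} in
      *:*) [[ ${IPVER} == "4" ]] && continue ;;
      *) [[ ${IPVER} == "6" ]] && continue 2>/dev/null ;;
    esac
    if [[ ${use_conntrack} == "yes" ]]; then
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    else
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
      # Queries leave this host *towards* the resolver (-d on OUTPUT) and
      # replies come back *from* it (-s on INPUT) - the same orientation the
      # conntrack branch uses.  The previous -s/-d here were swapped, so
      # these rules could only ever match a resolver on a local address.
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --dport 1024:65535 --sport 53 -j ACCEPT
      #${VER_IPTABLES} -A ${OutPreRules} -p tcp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      #${VER_IPTABLES} -A ${InPreRules} -p tcp -s "${server}" --dport 1024:65535 --sport 53 -j ACCEPT
    fi
  done < "${ResolvConfFile}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}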
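# allow_dnsclient_manual (ipv4|ipv6) "server [server ...]"
# Opens UDP/53 to each resolver given in $2 (whitespace separated) in the
# *PreRules chains, exactly like allow_resolvconf_servers but without
# reading resolv.conf.  With connection tracking enabled for this IP
# version the rules are state-limited (NEW,ESTABLISHED out, ESTABLISHED,
# RELATED in); otherwise stateless rules pinned to local source ports
# 1024:65535 are used.  TCP/53 is intentionally left closed (see the
# commented lines).
# Globals: IPTABLES/IP6TABLES, Enablev4ConnectionTracking/
#          Enablev6ConnectionTracking, M_STATE/C_STATE, InPreRules/
#          OutPreRules, debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER/DNS_SERVERS/use_conntrack (written)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
#            $2 - resolver addresses, separated by whitespace
function allow_dnsclient_manual {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  DNS_SERVERS="$2"
  local server
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  use_conntrack="no"
  [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
  # Unquoted on purpose: $2 is a whitespace-separated list.
  for server in ${DNS_SERVERS}; do
    if [[ ${use_conntrack} == "yes" ]]; then
      # The debug line used to print ${server} from a variable this function
      # never set; it now names the resolver being added.
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    else
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
      # Queries go *to* the resolver (-d on OUTPUT) and replies come *from*
      # it (-s on INPUT), matching the conntrack branch.  The previous -s/-d
      # were swapped, so these rules could not match a remote resolver.
      ${VER_IPTABLES} -A ${OutPreRules} -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      ${VER_IPTABLES} -A ${InPreRules} -p udp -s "${server}" --dport 1024:65535 --sport 53 -j ACCEPT
      #${VER_IPTABLES} -A ${OutPreRules} -p tcp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
      #${VER_IPTABLES} -A ${InPreRules} -p tcp -s "${server}" --dport 1024:65535 --sport 53 -j ACCEPT
    fi
  done
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}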
# enable_easyblock (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf into the *EasyBlock
# chains, which run after *PreRules and before *Filter.  Every row becomes
# one DROP rule.  Columns (whitespace separated, "-" = not set):
#   direction  - IN (InEasyBlock, -i/-s) or OUT (OutEasyBlock, -o/-d)
#   interface  - interface name
#   address    - source (IN) or destination (OUT) address or prefix
#   port       - destination port (--dport)
#   protocol   - -p argument
# Rows starting with '#' and empty rows are skipped; any other direction
# is reported and skipped.  A row with every column "-" drops everything
# in that direction.  Nothing is done when the file does not exist.
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, InEasyBlock/OutEasyBlock,
#          display/debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER and the per-row variables (written)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function enable_easyblock {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${conf}" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf successful"
    while read -r direction interface address port protocol; do
      case ${direction} in
        \#*|"") continue ;;
        IN) chain="${InEasyBlock}" ;;
        OUT) chain="${OutEasyBlock}" ;;
        *) ${display} RED "easyblock.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${interface} ${address} ${port} ${protocol}" && continue ;;
      esac
      # Map each column onto the iptables option it stands for; the debug
      # line intentionally prints the mapped form.
      [[ ${port} != "-" ]] && port="--dport ${port}"
      if [[ ${address} != "-" ]]; then
        [[ ${direction} == "IN" ]] && address="-s ${address}"
        [[ ${direction} == "OUT" ]] && address="-d ${address}"
      fi
      if [[ ${interface} != "-" ]]; then
        [[ ${direction} == "IN" ]] && interface="-i ${interface}"
        [[ ${direction} == "OUT" ]] && interface="-o ${interface}"
      fi
      [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${direction} ${interface} ${address} ${port} ${protocol}"
      # Columns that stayed "-" contribute nothing to the rule.
      for unused in interface port address protocol; do
        [[ ${!unused} == "-" ]] && printf -v "${unused}" '%s' ""
      done
      # Deliberately unquoted: each variable holds option-plus-value words.
      ${VER_IPTABLES} -A ${chain} ${interface} ${address} ${protocol} ${port} -j DROP
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}
# enable_filtering (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/acl.conf into the *Filter chains.
# Columns (whitespace separated, "-" = not set):
#   direction action interface srcaddress srcport dstaddress dstport
#   protocol syn state custom
# direction is IN (InFilter, -i) or OUT (OutFilter, -o); action is ACCEPT,
# DROP or REJECT (REJECT is always sent with --reject-with tcp-reset, which
# iptables only accepts for TCP rows).  syn is "syn" / "notsyn" / "-".
# state adds "${M_STATE} ${C_STATE} <state>" only when connection tracking
# is enabled for this IP version.  custom is appended to the iptables
# command line verbatim and unquoted, so whoever can edit acl.conf controls
# the rule text: treat the file as part of the trusted configuration.
# Only state defaults to "-" when missing; a row that is short by other
# columns yields an option without a value and is refused by iptables.
# Nothing is done when the file does not exist.
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, InFilter/OutFilter, M_STATE/
#          C_STATE, Enablev4ConnectionTracking/Enablev6ConnectionTracking,
#          display/debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER and the per-row variables (written)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function enable_filtering {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state custom; do
# Skip comments and blank rows, then validate the two enumerated columns
# before anything is built from the row.
[[ ${direction} = \#* ]] && continue
[[ ${direction} = "" ]] && continue
([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
&& ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}" && continue
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]] && [[ ${action} != "REJECT" ]]) \
&& ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}" && continue
# Do some creative work with variables to make building the iptables rules fairly painless
# Each column is rewritten in place into the option-plus-value it stands
# for; "-" columns are blanked further down.  Order matters: the
# direction checks must see the raw value, and the debug line prints the
# rewritten form.
[[ -z ${state} ]] && state="-"
# conntrack_state is only set here (and unset at the end of the row), so a
# row without a state gets no state match at all.
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
([[ ${interface} != "-" ]] && [[ ${direction} == "OUT" ]]) && interface="-o ${interface}"
[[ ${direction} == "OUT" ]] && chain="${OutFilter}"
[[ ${direction} == "IN" ]] && chain="${InFilter}"
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
# tcp-reset is the only reject type used; iptables refuses it for non-TCP.
[[ ${action} == "REJECT" ]] && action="REJECT --reject-with tcp-reset"
[[ ${syn} == "syn" ]] && syn="--syn"
[[ ${syn} == "notsyn" ]] && syn="! --syn"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${custom}"
# Blank variables that we're not going to use.
[[ ${interface} == "-" ]] && interface=""
[[ ${dstport} == "-" ]] && dstport=""
[[ ${srcport} == "-" ]] && srcport=""
[[ ${dstaddress} == "-" ]] && dstaddress=""
[[ ${srcaddress} == "-" ]] && srcaddress=""
[[ ${protocol} == "-" ]] && protocol=""
[[ ${syn} == "-" ]] && syn=""
[[ ${custom} == "-" ]] && custom=""
# All variables are deliberately unquoted: each holds option-plus-value
# words that must be split, and custom may hold several options.
${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action}
# Clear everything so a short next row cannot inherit this row's values.
unset direction action interface srcaddress srcport dstaddress dstport protocol syn state custom conntrack_state
done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}
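# enable_forwarding (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/forward.conf into the FwdFilter chain.
# Columns (whitespace separated, "-" = not set):
#   action srcinterface srcaddress dstinterface dstaddress bidirectional
#   srcport dstport protocol syn state custom
# action must be ACCEPT or DROP.  With bidirectional=yes a second rule is
# appended with interfaces, addresses and ports swapped - but with the same
# syn and state columns, so a "syn" row also demands SYN on the reply
# direction, which genuine return traffic never carries; use a state-based
# row, or a separate reverse row, for SYN-restricted flows.
# The custom column is appended to the iptables command line verbatim and
# unquoted: whoever can edit forward.conf controls the rule text, so treat
# the file as part of the trusted configuration.  Nothing is done when the
# file does not exist.
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, FwdFilter, M_STATE/C_STATE,
#          Enablev4ConnectionTracking/Enablev6ConnectionTracking,
#          display/debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER and the per-row variables (written)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function enable_forwarding {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
    while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom; do
      # Start each row from a clean slate: read only overwrites the columns
      # present, and the rev* variables are only set when needed.
      unset conntrack_state conntrack_udp_new revsrcaddress revdstaddress revdstinterface revsrcinterface revsrcport revdstport
      [[ ${action} = \#* ]] && continue
      [[ -z ${action} ]] && continue
      ([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]]) \
        && ${display} RED "forward.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}" && continue
      # Do some creative work with variables to make building the iptables rules fairly painless
      # Although these next few rules seems like they duplicate some work, they
      # actually make handling later rules simpler even if we end up blanking
      # them yet again.
      [[ -z ${dstport} ]] && dstport="-"
      [[ -z ${srcport} ]] && srcport="-"
      [[ -z ${protocol} ]] && protocol="-"
      [[ -z ${syn} ]] && syn="-"
      [[ -z ${state} ]] && state="-"
      # A state match is only added when the row names a state and tracking
      # is enabled for this IP version.
      ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
      ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
      # Reverse-direction operands are derived from the *raw* column values,
      # i.e. before the forward-direction variables get their option prefix.
      ([[ ${bidirectional} == "yes" ]] && [[ ${srcaddress} != "-" ]]) && revsrcaddress="-d ${srcaddress}"
      ([[ ${bidirectional} == "yes" ]] && [[ ${dstaddress} != "-" ]]) && revdstaddress="-s ${dstaddress}"
      ([[ ${bidirectional} == "yes" ]] && [[ ${dstinterface} != "-" ]]) && revdstinterface="-i ${dstinterface}"
      ([[ ${bidirectional} == "yes" ]] && [[ ${srcinterface} != "-" ]]) && revsrcinterface="-o ${srcinterface}"
      # The two port lines were previously evaluated after srcport/dstport
      # had already become "--sport N"/"--dport N", producing
      # "--dport --sport N" and making iptables reject every bidirectional
      # row that named a port.
      ([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
      ([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
      [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
      [[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
      [[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
      [[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
      # conntrack_udp_new is computed but not used by the rules below
      # (unchanged from the original).
      ([[ ${syn} == "syn" ]] && [[ ! -z ${conntrack_state} ]]) && conntrack_udp_new=",NEW"
      # "syn" is meaningless for UDP: drop the flag silently for udp rows.
      ([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-"
      [[ ${syn} == "syn" ]] && syn="--syn"
      [[ ${syn} == "notsyn" ]] && syn="! --syn"
      [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
      [[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
      [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
      # Blank variables that we're not going to use.
      [[ ${srcinterface} == "-" ]] && srcinterface=""
      [[ ${dstinterface} == "-" ]] && dstinterface=""
      [[ ${dstaddress} == "-" ]] && dstaddress=""
      [[ ${srcaddress} == "-" ]] && srcaddress=""
      [[ ${dstport} == "-" ]] && dstport=""
      [[ ${srcport} == "-" ]] && srcport=""
      [[ ${syn} == "-" ]] && syn=""
      [[ ${state} == "-" ]] && state=""
      [[ ${protocol} == "-" ]] && protocol=""
      [[ ${bidirectional} == "-" ]] && bidirectional="no"
      [[ ${custom} == "-" ]] && custom=""
      # Deliberately unquoted: each variable holds option-plus-value words.
      ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action}
      [[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} ${custom} -j ${action}
      unset action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom conntrack_state
    done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}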
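# enable_nat (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/nat.conf into the NAT chain of the nat
# table (hooked from POSTROUTING).  Columns (whitespace separated,
# "-" = not set):
#   type srcinterface srcaddress dstinterface dstaddress custom
# type is one of
#   MASQ    - MASQUERADE out of dstinterface (required)
#   SNAT    - SNAT to dstaddress (required, becomes --to-source)
#   NETMAP  - NETMAP srcaddress (becomes -d) to dstaddress (becomes --to)
#   ACCEPT  - accept for dstaddress (required, becomes -d)
# srcinterface is validated and shown in the debug line but is not part of
# the emitted rule (POSTROUTING has no input interface to match).  custom
# is appended to the iptables command line verbatim and unquoted, so the
# file must be treated as trusted configuration.
# The nat table depends on connection tracking, so the function refuses to
# load when tracking is disabled for this IP version.  Nothing is done when
# the file does not exist.
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, NAT, Enablev4ConnectionTracking/
#          Enablev6ConnectionTracking, display/debug/DebugColor/
#          DEFAULT_COLOR (read); IP_VERSION/VER_IPTABLES/IPVER and the
#          per-row variables (written)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
# Returns:   1 when connection tracking is disabled, otherwise 0 / the
#            status of the last command
function enable_nat {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  ([[ ${IPVER} == "4" ]] && [[ ${Enablev4ConnectionTracking} != "yes" ]]) && ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no" && return 1
  ([[ ${IPVER} == "6" ]] && [[ ${Enablev6ConnectionTracking} != "yes" ]]) && ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no" && return 1
  if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful"
    while read -r type srcinterface srcaddress dstinterface dstaddress custom; do
      # action is derived from the row below.  Clear it first: it was not
      # reset between rows, so a row that set no target silently reused the
      # previous row's one (an ACCEPT row without an address, for example,
      # was emitted as a MASQUERADE rule).
      unset action
      [[ ${type} = \#* ]] && continue
      [[ ${type} = "" ]] && continue
      ([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]] && [[ ${type} != "ACCEPT" ]]) \
        && ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP/ACCEPT: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" && continue
      # Do some creative work with variables to make building the iptables rules fairly painless
      [[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
      [[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
      ([[ ${srcaddress} != "-" ]] && [[ ${type} != "NETMAP" ]]) && srcaddress="-s ${srcaddress}"
      ([[ ${dstinterface} != "-" ]] && [[ ${type} == "MASQ" ]]) && action="-j MASQUERADE"
      ([[ ${dstinterface} == "-" ]] && [[ ${type} == "MASQ" ]]) \
        && ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
        && continue
      ([[ ${dstaddress} != "-" ]] && [[ ${type} == "ACCEPT" ]]) && action="-j ACCEPT" && dstaddress="-d ${dstaddress}"
      ([[ ${dstaddress} != "-" ]] && [[ ${type} == "SNAT" ]]) && action="-j SNAT" && dstaddress="--to-source ${dstaddress}"
      ([[ ${dstaddress} == "-" ]] && [[ ${type} == "SNAT" ]]) \
        && ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
        && continue
      ([[ ${srcaddress} != "-" ]] && [[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && action="-j NETMAP" && srcaddress="-d ${srcaddress}" && dstaddress="--to ${dstaddress}"
      # Every valid combination above sets action; anything else (ACCEPT or
      # NETMAP with a missing address) is a configuration error, not a rule.
      if [[ -z ${action} ]]; then
        ${display} RED "nat.conf: Error - rule sets no target, check the address columns for this type: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
        continue
      fi
      # direction/srcport/dstport/protocol are not nat.conf columns and print
      # empty here; the format is shared with the filter functions.
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${srcinterface} ${srcaddress} ${srcport} ${dstinterface} ${dstaddress} ${dstport} ${protocol} ${custom}"
      # Blank variables that we're not going to use.
      [[ ${srcinterface} == "-" ]] && srcinterface=""
      [[ ${dstinterface} == "-" ]] && dstinterface=""
      [[ ${dstaddress} == "-" ]] && dstaddress=""
      [[ ${srcaddress} == "-" ]] && srcaddress=""
      [[ ${custom} == "-" ]] && custom=""
      # Deliberately unquoted: each variable holds option-plus-value words.
      ${VER_IPTABLES} -A ${NAT} -t nat ${srcaddress} ${action} ${dstinterface} ${dstaddress} ${custom}
      unset type srcinterface srcaddress dstinterface dstaddress custom action
    done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}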
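# enable_services (ipv4|ipv6)
# Loads ${FWCONFIGDIR}/ipv${IPVER}/services.conf into the InFilter chain as
# ACCEPT rules for locally offered services.  Columns (whitespace
# separated, "-" = not set):
#   service    - destination port or service name; a comma-separated list
#                becomes "-m multiport --dports" (required)
#   protocol   - -p argument (required)
#   interface  - -i argument
#   address    - local destination address (-d)
#   srcaddress - remote source address or prefix (-s)
# Missing trailing columns are treated as "-".  When connection tracking is
# enabled for this IP version every rule carries "${M_STATE} ${C_STATE} NEW"
# so that only new connections are accepted here (established ones are
# handled in the *PreRules chains).  Nothing is done when the file does
# not exist.
# Globals: IPTABLES/IP6TABLES, FWCONFIGDIR, InFilter, M_STATE/C_STATE,
#          Enablev4ConnectionTracking/Enablev6ConnectionTracking,
#          display/debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER, conntrack_state, multiport and
#          the per-row variables (written)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
function enable_services {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${FWCONFIGDIR}/ipv${IPVER}/services.conf" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/services.conf successful"
    # One NEW-state match for the whole file.  It used to be unset at the
    # end of every row, so only the first service rule carried it.
    unset conntrack_state
    ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
    ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
    while read -r service protocol interface address srcaddress; do
      multiport="no"
      [[ ${service} = \#* ]] && continue
      [[ -z ${service} ]] && continue
      # Short rows: absent columns behave like "-", so "ssh tcp" is valid and
      # a missing protocol is reported instead of yielding a bare "-p".
      [[ -z ${protocol} ]] && protocol="-"
      [[ -z ${interface} ]] && interface="-"
      [[ -z ${address} ]] && address="-"
      [[ -z ${srcaddress} ]] && srcaddress="-"
      [[ ${service} == "-" ]] \
        && ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
      [[ ${protocol} == "-" ]] \
        && ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
      [[ ${service} == *,* ]] && multiport="yes"
      # Do some creative work with variables to make building the iptables rules fairly painless
      ([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
      ([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
      [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
      [[ ${interface} != "-" ]] && interface="-i ${interface}"
      # Column 4 is the local destination address and becomes -d.  It used
      # to be written into srcaddress instead, which left the raw address
      # on the command line and made every row with an address fail.
      [[ ${address} != "-" ]] && address="-d ${address}"
      [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${address} ${srcaddress}"
      # Blank variables that we're not going to use.
      [[ ${interface} == "-" ]] && interface=""
      [[ ${address} == "-" ]] && address=""
      [[ ${srcaddress} == "-" ]] && srcaddress=""
      # Deliberately unquoted: each variable holds option-plus-value words.
      ${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
      unset service protocol interface address srcaddress
    done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
    unset service protocol interface address srcaddress conntrack_state
  fi
}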
# enable_conntrack_int (ipv4|ipv6) (all|"iface [iface ...]")
# Adds the connection-tracking bookkeeping rules to the *PreRules chains:
# ESTABLISHED,RELATED traffic is accepted and INVALID traffic is dropped,
# in both directions.  Because *PreRules run before the filter chains,
# replies to permitted connections are accepted whatever the filter rules
# say, and INVALID packets never reach them.  With "all" the rules carry
# no interface match; otherwise one set is added per listed interface
# (-o for OutPreRules, -i for InPreRules).
# Globals: IPTABLES/IP6TABLES, InPreRules/OutPreRules, M_STATE/C_STATE,
#          debug/DebugColor/DEFAULT_COLOR (read);
#          IP_VERSION/VER_IPTABLES/IPVER/conntrack_int (written)
# Arguments: $1 - "ipv4" or "ipv6"; anything else is treated as ipv4
#            $2 - "all" or a whitespace-separated interface list
function enable_conntrack_int {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  conntrack_int="$2"
  local verdict iface
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  # Each verdict string is deliberately left unquoted below so that it
  # expands to "<states> -j <target>" as separate words.
  if [[ ${conntrack_int} == "all" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
    for verdict in "ESTABLISHED,RELATED -j ACCEPT" "INVALID -j DROP"; do
      ${VER_IPTABLES} -A ${OutPreRules} ${M_STATE} ${C_STATE} ${verdict}
      ${VER_IPTABLES} -A ${InPreRules} ${M_STATE} ${C_STATE} ${verdict}
    done
  else
    for iface in ${conntrack_int}; do
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${iface}"
      for verdict in "ESTABLISHED,RELATED -j ACCEPT" "INVALID -j DROP"; do
        ${VER_IPTABLES} -A ${OutPreRules} -o ${iface} ${M_STATE} ${C_STATE} ${verdict}
        ${VER_IPTABLES} -A ${InPreRules} -i ${iface} ${M_STATE} ${C_STATE} ${verdict}
      done
    done
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
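#######################################
# enable_portfw (ipv6|ipv4)
# Read ${FWCONFIGDIR}/ipv<N>/portfw.conf and, for every entry, add two rules:
#   1. a DNAT rule in the ${PortForward} chain (nat table) that rewrites the
#      destination to intip:intport;
#   2. an ACCEPT rule in the ${FwdFilter} chain so the rewritten packet may be
#      forwarded to the internal host.
# Entry format, whitespace separated, "-" meaning "not set":
#   service protocol intip intport [interface] [address] [srcaddress]
#     service    - external destination port (--dport) being forwarded
#     protocol   - protocol for -p (required)
#     intip      - internal destination address (required)
#     intport    - internal destination port (required)
#     interface  - restrict to this incoming interface (-i)
#     address    - external destination address (-d) for the DNAT match
#     srcaddress - restrict to this source (-s)
# Blank lines and lines starting with '#' are skipped; malformed lines are
# reported through ${display} and skipped.
# Arguments: $1 - "ipv6" or "ipv4" (anything else is treated as ipv4)
# Globals:   reads IPTABLES, IP6TABLES, FWCONFIGDIR, PortForward, FwdFilter,
#            M_STATE, C_STATE, Enablev4ConnectionTracking,
#            Enablev6ConnectionTracking; sets IP_VERSION, VER_IPTABLES,
#            IPVER, use_conntrack (kept global like the rest of this file).
# Note:      rule fragments are expanded unquoted on purpose: an empty
#            fragment contributes no argument and "-i eth0" splits into two.
#######################################
function enable_portfw {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}
          IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}
          IPVER="4" ;;
  esac
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [[ -e "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/portfw.conf successful"
    use_conntrack="no"   # set but not read in this function; left as-is
    # Decide once, for the whole file, whether the FORWARD accepts are limited
    # to NEW connections. Start from empty so a value left behind by an
    # earlier call can never leak into this run.
    conntrack_state=""
    if [[ ${IP_VERSION} == "ipv4" && ${Enablev4ConnectionTracking} == "yes" ]]; then
      conntrack_state="${M_STATE} ${C_STATE} NEW"
    elif [[ ${IP_VERSION} == "ipv6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
      conntrack_state="${M_STATE} ${C_STATE} NEW"
    fi
    while read -r service protocol intip intport interface address srcaddress; do
      [[ ${service} = \#* ]] && continue
      [[ -z ${service} ]] && continue
      if [[ ${service} == "-" ]]; then
        ${display} RED "portfw.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ -z ${protocol} || ${protocol} == "-" ]]; then
        ${display} RED "portfw.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # Both halves of the DNAT target are mandatory; without them the rules
      # below would be built from empty fields.
      if [[ -z ${intip} || ${intip} == "-" || -z ${intport} || ${intport} == "-" ]]; then
        ${display} RED "portfw.conf: Error - internal ip and port can not be empty: ${DEFAULT_COLOR}${service} ${intip} ${intport} ${protocol} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # Turn each field into the iptables fragment it stands for. Optional
      # fields that are missing or "-" become empty and drop out of the rule.
      service="--dport ${service}"
      protocol="-p ${protocol}"
      if [[ ${IPVER} == "6" ]]; then
        # ip6tables requires the address in brackets when a port follows.
        intdest="--to-destination [${intip}]:${intport}"
      else
        intdest="--to-destination ${intip}:${intport}"
      fi
      intip="-d ${intip}"
      intport="--dport ${intport}"
      if [[ -n ${interface} && ${interface} != "-" ]]; then
        interface="-i ${interface}"
      else
        interface=""
      fi
      if [[ -n ${address} && ${address} != "-" ]]; then
        address="-d ${address}"
      else
        address=""
      fi
      if [[ -n ${srcaddress} && ${srcaddress} != "-" ]]; then
        srcaddress="-s ${srcaddress}"
      else
        srcaddress=""
      fi
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
      ${VER_IPTABLES} -A ${PortForward} -t nat ${protocol} ${service} ${interface} ${address} ${srcaddress} -j DNAT ${intdest}
      ${VER_IPTABLES} -A ${FwdFilter} ${interface} ${intip} ${protocol} ${intport} ${srcaddress} ${conntrack_state} -j ACCEPT
      # conntrack_state applies to every entry in the file, so it is
      # deliberately NOT cleared here; only the per-line fields are.
      unset service protocol intip intport intdest interface address srcaddress
    done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
    unset conntrack_state
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}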
  577. function enable_v6_critical_icmp {
  578. VER_IPTABLES=${IP6TABLES}
  579. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  580. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
  581. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
  582. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
  583. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
  584. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
  585. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
  586. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
  587. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
  588. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
  589. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
  590. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
  591. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
  592. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
  593. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
  594. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
  595. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
  596. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
  597. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
  598. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
  599. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
  600. }