# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../iptables/rocknet_iptables.sh
# Copyright (C) 2008 - 2009 The OpenSDE Project
# Copyright (C) 2004 - 2006 The T2 SDE Project
#
# More information can be found in the files COPYING and README.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License. A copy of the
# GNU General Public License can be found in the file COPYING.
# --- SDE-COPYRIGHT-NOTE-END ---
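iptables_init_if() {
    # Create the per-interface chains firewall_<if> (hooked from INPUT) and
    # forward_<if> (hooked from FORWARD) the first time any rule for this
    # interface is registered.  The public_* helpers below call this after
    # queueing their own rules; the addcode priorities (1..3 here, 4..6 for
    # the rules) are what put the chain creation ahead of the rules.
    #
    # On INPUT/FORWARD only stateful return traffic (ESTABLISHED,RELATED) is
    # accepted directly; everything else arriving on $if is handed to the
    # per-interface chain.  The built-in chains' default policy is not set
    # here.  On the way down the hooks are removed in reverse order and the
    # chains are flushed and deleted.
    if isfirst "iptables_$if"; then
        # Spelled once so the rule added on "up" and the one deleted on
        # "down" can never drift apart.
        local established="-m state --state ESTABLISHED,RELATED -j ACCEPT"
        local hook user

        for hook in INPUT FORWARD; do
            case $hook in
                INPUT)   user="firewall_$if" ;;
                FORWARD) user="forward_$if" ;;
            esac

            # prepare $hook
            addcode up 1 1 "iptables -N $user"
            addcode up 1 2 "iptables -A $hook -i $if $established"
            addcode up 1 3 "iptables -A $hook -i $if -j $user"

            # clean $hook (flush before unhooking, delete chain last)
            addcode down 1 3 "iptables -F $user"
            addcode down 1 2 "iptables -D $hook -i $if -j $user"
            addcode down 1 2 "iptables -D $hook -i $if $established"
            addcode down 1 1 "iptables -X $user"
        done
    fi
}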
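iptables_parse_conditions() {
    # Translate a condition list into iptables match options, left in the
    # global $iptables_cond for public_accept/reject/drop/restrict.
    #
    # Accepted keywords (several may be chained on one line):
    #   all          no restriction
    #   tcp PORT     -p tcp --dport PORT
    #   udp PORT     -p udp --dport PORT
    #   icmp TYPE    -p icmp --icmp-type TYPE
    #   ip SOURCE    -s SOURCE
    #
    # PORT, TYPE and SOURCE are spliced verbatim into the generated command;
    # nothing here checks that they are well-formed, so a bad value only
    # shows up as an iptables error when the rule set is loaded.
    iptables_cond=
    while [ -n "$1" ]; do
        case "$1" in
            all)
                shift
                ;;
            tcp|udp|icmp|ip)
                # Every keyword except "all" takes exactly one argument;
                # report a missing one instead of emitting a truncated rule.
                if [ -z "$2" ]; then
                    error "Missing argument for accept/reject/drop condition: $1"
                    shift
                    continue
                fi
                case "$1" in
                    tcp|udp) iptables_cond="$iptables_cond -p $1 --dport $2" ;;
                    icmp)    iptables_cond="$iptables_cond -p icmp --icmp-type $2" ;;
                    ip)      iptables_cond="$iptables_cond -s $2" ;;
                esac
                shift 2
                ;;
            *)
                error "Unknown accept/reject/drop condition: $1"
                shift
                ;;
        esac
    done
}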
public_accept() {
    # accept [all|tcp PORT|udp PORT|icmp TYPE|ip SOURCE]...
    #
    # Queue an ACCEPT rule in this interface's firewall_<if> chain.  When the
    # interface has an address ($ip) the rule only matches traffic addressed
    # to it and is queued with addcode key 5, otherwise with key 6.
    iptables_parse_conditions "$@"

    local level
    if [ -n "$ip" ]; then
        level=5
    else
        level=6
    fi

    addcode up 1 $level "iptables -A firewall_$if ${ip:+-d $ip} $iptables_cond -j ACCEPT"
    iptables_init_if
}
public_reject() {
    # reject [all|tcp PORT|udp PORT|icmp TYPE|ip SOURCE]...
    #
    # Queue a REJECT rule in this interface's firewall_<if> chain, so the
    # sender receives an error instead of a silent drop.  With an interface
    # address ($ip) the rule is limited to traffic addressed to it and gets
    # addcode key 5; without one it gets key 6.
    iptables_parse_conditions "$@"

    local level
    if [ -n "$ip" ]; then
        level=5
    else
        level=6
    fi

    addcode up 1 $level "iptables -A firewall_$if ${ip:+-d $ip} $iptables_cond -j REJECT"
    iptables_init_if
}
public_drop() {
    # drop [all|tcp PORT|udp PORT|icmp TYPE|ip SOURCE]...
    #
    # Queue a DROP rule in this interface's firewall_<if> chain (matching
    # traffic is discarded without any reply).  With an interface address
    # ($ip) the rule is limited to traffic addressed to it and gets addcode
    # key 5; without one it gets key 6.
    iptables_parse_conditions "$@"

    local level
    if [ -n "$ip" ]; then
        level=5
    else
        level=6
    fi

    addcode up 1 $level "iptables -A firewall_$if ${ip:+-d $ip} $iptables_cond -j DROP"
    iptables_init_if
}
public_restrict() {
    # restrict [all|tcp PORT|udp PORT|icmp TYPE|ip SOURCE]...
    #
    # Like drop, but for forwarded traffic: queue a DROP rule in this
    # interface's forward_<if> chain.  With an interface address ($ip) the
    # rule is limited to traffic addressed to it and gets addcode key 5;
    # without one it gets key 6.
    iptables_parse_conditions "$@"

    local level
    if [ -n "$ip" ]; then
        level=5
    else
        level=6
    fi

    addcode up 1 $level "iptables -A forward_$if ${ip:+-d $ip} $iptables_cond -j DROP"
    iptables_init_if
}
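public_conduit() {
    # conduit (tcp|udp) PORT TARGETIP[:TARGETPORT] [SOURCE ...]
    #
    # Forward connections arriving on $if for PORT to TARGETIP; TARGETPORT
    # defaults to PORT.  The DNAT is done in nat/PREROUTING (limited to the
    # interface's own address when $ip is set) and the translated traffic is
    # accepted in forward_<if>.  Any further arguments are source addresses:
    # when given, only traffic from those sources is accepted, otherwise the
    # forwarding rule matches every source.
    if [ $# -lt 3 ]; then
        error "conduit needs: (tcp|udp) port targetip[:targetport]"
        return 1
    fi
    local proto=$1 port=$2
    local targetip=$3 targetport=$2 target=
    local src=
    shift 3

    # an explicit "host:port" target overrides the port default
    case "$targetip" in
        *:*)
            targetport=${targetip#*:}
            targetip=${targetip%:*}
            ;;
    esac

    # --to only needs the port when it differs from the incoming one
    if [ "$targetport" = "$port" ]; then
        target=$targetip
    else
        target="$targetip:$targetport"
    fi

    local dnat="-t nat PREROUTING -i $if ${ip:+-d $ip} -p $proto --dport $port -j DNAT --to $target"
    addcode up 1 4 "iptables -t nat -A PREROUTING -i $if ${ip:+-d $ip} -p $proto \
        --dport $port -j DNAT --to $target"
    # The nat rule is not covered by the chain flush in iptables_init_if, so
    # remove it explicitly on the way down (same pattern as masquerade);
    # otherwise every up/down cycle leaves one more stale DNAT rule behind.
    addcode down 9 4 "iptables -t nat -D PREROUTING -i $if ${ip:+-d $ip} -p $proto \
        --dport $port -j DNAT --to $target"

    if [ $# -eq 0 ]; then
        addcode up 1 4 "iptables -A forward_$if -p $proto -d $targetip \
            --dport $targetport -j ACCEPT"
    else
        for src; do
            addcode up 1 4 "iptables -A forward_$if -p $proto -s $src -d $targetip \
                --dport $targetport -j ACCEPT"
        done
    fi

    iptables_init_if
}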
public_clamp_mtu() {
    # clamp_mtu
    #
    # Clamp the TCP MSS of forwarded SYN packets to the path MTU.  When an
    # interface ($if) is set the rule only applies to packets leaving through
    # it; without one it applies to all forwarded traffic.  The matching
    # delete is queued for the way down.
    local rule="FORWARD ${if:+-o $if} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

    addcode up 1 1 "iptables -A $rule"
    addcode down 9 1 "iptables -D $rule"
}
public_masquerade() {
    # masquerade [SOURCE]
    #
    # Source-NAT traffic leaving through $if.  With an interface address
    # ($ip) a fixed SNAT to that address is used, otherwise MASQUERADE.  An
    # optional SOURCE argument limits the translation to that source; with
    # no argument every packet leaving $if is translated.  The matching
    # delete is queued for the way down.
    local target=MASQUERADE
    if [ -n "$ip" ]; then
        target="SNAT --to $ip"
    fi
    local rule="-t nat POSTROUTING ${1:+-s $1} -o $if -j $target"

    addcode up 1 6 "iptables -t nat -A POSTROUTING ${1:+-s $1} -o $if -j $target"
    addcode down 9 6 "iptables -t nat -D POSTROUTING ${1:+-s $1} -o $if -j $target"
}