# --- SDE-COPYRIGHT-NOTE-BEGIN --- |
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. |
|
# |
|
# Filename: package/.../iptables/rocknet_iptables.sh |
|
# Copyright (C) 2008 - 2010 The OpenSDE Project |
|
# Copyright (C) 2004 - 2006 The T2 SDE Project |
|
# |
|
# More information can be found in the files COPYING and README. |
|
# |
|
# This program is free software; you can redistribute it and/or modify |
|
# it under the terms of the GNU General Public License as published by |
|
# the Free Software Foundation; version 2 of the License. A copy of the |
|
# GNU General Public License can be found in the file COPYING. |
|
# --- SDE-COPYRIGHT-NOTE-END --- |
|
|
|
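iptables_init_if() {
	# Create the per-interface chains the first time any public_* rule for
	# $if is registered (isfirst tracks that) and register their teardown:
	#   firewall_$if  hooked from INPUT   (public_accept/reject/drop)
	#   forward_$if   hooked from FORWARD (public_restrict/conduit)
	# Packets of ESTABLISHED/RELATED flows are accepted before the jump into
	# the per-interface chain, so those chains only ever see new flows.
	#
	# Globals: if (read). isfirst/addcode come from the rocknet framework;
	# the third addcode argument (1..3) is the level the framework orders the
	# generated code by -- presumably lowest first, which is why the chain is
	# created at level 1 and jumped to at level 3.
	local hook chain
	# Shared tail of the conntrack rule. The original glued the two halves
	# with a `...` command substitution spanning a newline, which forked a
	# subshell just to yield an empty string; a variable does the same job.
	# '-m state' is the legacy match this script was written against; newer
	# iptables spells it '-m conntrack --ctstate'.
	local related="-m state --state ESTABLISHED,RELATED -j ACCEPT"

	isfirst "iptables_$if" || return 0

	# 'up' and 'down' are separate code streams, so emitting both per hook
	# keeps the relative order within each stream identical to before:
	# INPUT before FORWARD, and flush/unhook/delete-chain on the way down.
	for hook in INPUT FORWARD; do
		case "$hook" in
			INPUT) chain="firewall_$if" ;;
			FORWARD) chain="forward_$if" ;;
		esac

		addcode up 1 1 "iptables -N $chain"
		addcode up 1 2 "iptables -A $hook -i $if $related"
		addcode up 1 3 "iptables -A $hook -i $if -j $chain"

		addcode down 1 3 "iptables -F $chain"
		addcode down 1 2 "iptables -D $hook -i $if -j $chain"
		addcode down 1 2 "iptables -D $hook -i $if $related"
		addcode down 1 1 "iptables -X $chain"
	done
}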
|
|
|
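iptables_parse_conditions() {
	# Translate the rocknet condition words of accept/reject/drop/restrict
	# into iptables match options, left in the global iptables_cond:
	#   all           -> no match at all (placeholder)
	#   tcp PORT      -> -p tcp --dport PORT
	#   udp PORT      -> -p udp --dport PORT
	#   icmp TYPE     -> -p icmp --icmp-type TYPE
	#   ip ADDR       -> -s ADDR   (a *source* match; unrelated to the
	#                               global $ip used as -d by the callers)
	# Unknown words are reported via error and skipped. A keyword without
	# its value is reported and parsing stops, instead of emitting a rule
	# with an empty option that would only fail later at 'up' time.
	#
	# Globals: iptables_cond (written). error comes from the framework.
	iptables_cond=
	while [ -n "$1" ]; do
		case "$1" in
			all)
				shift
				;;
			tcp|udp|icmp|ip)
				if [ -z "$2" ]; then
					error "Missing argument for accept/reject/drop condition: $1"
					break
				fi
				case "$1" in
					tcp|udp) iptables_cond="$iptables_cond -p $1 --dport $2" ;;
					icmp) iptables_cond="$iptables_cond -p icmp --icmp-type $2" ;;
					ip) iptables_cond="$iptables_cond -s $2" ;;
				esac
				shift 2
				;;
			*)
				error "Unkown accept/reject/drop condition: $1"
				shift
				;;
		esac
	done
}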
|
|
|
public_accept() {
	# accept [conditions...]
	# Append an ACCEPT rule for the given conditions (see
	# iptables_parse_conditions) to firewall_$if, i.e. to traffic addressed
	# to this host. A global $ip narrows the rule to that destination address
	# and lowers its level -- presumably so it is emitted before the
	# address-less rules -- then makes sure the chain exists.
	local level
	iptables_parse_conditions "$@"
	if [ -n "$ip" ]; then
		level=5
	else
		level=6
	fi
	addcode up 1 "$level" "iptables -A firewall_$if ${ip:+-d $ip} $iptables_cond -j ACCEPT"
	iptables_init_if
}
|
|
|
public_reject() {
	# reject [conditions...]
	# Like public_accept, but the matching traffic to this host is answered
	# with a REJECT (an error is sent back to the peer) instead of accepted.
	# Level 5 with a global $ip, 6 otherwise.
	local level=${ip:+5}
	level=${level:-6}
	iptables_parse_conditions "$@"
	addcode up 1 "$level" "iptables -A firewall_$if ${ip:+-d $ip} $iptables_cond -j REJECT"
	iptables_init_if
}
|
|
|
public_drop() {
	# drop [conditions...]
	# Like public_accept, but the matching traffic to this host is silently
	# DROPped. Level 5 with a global $ip, 6 otherwise.
	local level
	iptables_parse_conditions "$@"
	case "$ip" in
		"") level=6 ;;
		*) level=5 ;;
	esac
	addcode up 1 "$level" "iptables -A firewall_$if ${ip:+-d $ip} $iptables_cond -j DROP"
	iptables_init_if
}
|
|
|
public_restrict() {
	# restrict [conditions...]
	# DROP matching traffic that is *forwarded* through $if (chain
	# forward_$if) rather than addressed to this host; otherwise identical
	# to public_drop. Level 5 with a global $ip, 6 otherwise.
	local level
	iptables_parse_conditions "$@"
	if [ -z "$ip" ]; then
		level=6
	else
		level=5
	fi
	addcode up 1 "$level" "iptables -A forward_$if ${ip:+-d $ip} $iptables_cond -j DROP"
	iptables_init_if
}
|
|
|
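public_conduit() {
	# conduit (tcp|udp) port targetip[:targetport] [allowed_source ...]
	#
	# DNAT traffic arriving on $if for $port to targetip (optionally to a
	# different targetport) and let it through forward_$if. Without
	# allowed_source arguments any source reaching $if may use the conduit;
	# with them, only those sources are accepted. A global $ip narrows the
	# DNAT rule to that destination address on $if.
	#
	# Globals: if, ip (read). addcode/error come from the framework.
	# Returns 1 without registering anything when the three mandatory
	# arguments are missing (the old code shifted anyway and emitted rules
	# with empty options).
	local proto=$1 port=$2
	local targetip=$3 targetport=$2 target=
	local dnat= x=

	if [ $# -lt 3 ]; then
		error "conduit needs (tcp|udp) port targetip[:targetport], got: $*"
		# error is the framework's reporter; return in case it does not abort.
		return 1
	fi
	shift 3

	# targetip may carry its own port; otherwise the inbound port is reused.
	case "$targetip" in
		*:*)
			targetport=${targetip#*:}
			targetip=${targetip%:*}
			;;
	esac

	# '--to host' keeps the port, so host:port is only spelled out when the
	# port actually changes.
	if [ "$targetport" = "$port" ]; then
		target="$targetip"
	else
		target="$targetip:$targetport"
	fi

	dnat="PREROUTING -i $if ${ip:+-d $ip} -p $proto --dport $port -j DNAT --to $target"
	addcode up 1 4 "iptables -t nat -A $dnat"
	# Remove the nat entry again on ifdown. The forward_$if rules are flushed
	# by iptables_init_if's teardown, but the nat table is not; this mirrors
	# what public_masquerade does for its POSTROUTING rule.
	addcode down 9 4 "iptables -t nat -D $dnat"

	if [ $# -eq 0 ]; then
		addcode up 1 4 "iptables -A forward_$if -p $proto -d $targetip --dport $targetport -j ACCEPT"
	else
		for x; do
			addcode up 1 4 "iptables -A forward_$if -p $proto -s $x -d $targetip --dport $targetport -j ACCEPT"
		done
	fi

	iptables_init_if
}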
|
|
|
public_clamp_mtu() {
	# clamp_mtu
	# Clamp the TCP MSS of forwarded SYNs to the path MTU, restricted to
	# packets leaving via $if when one is set, so that peers behind a link
	# with a small MTU do not end up with stalled connections.
	local match="FORWARD ${if:+-o $if} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
	addcode up 1 1 "iptables -A $match"
	addcode down 9 1 "iptables -D $match"
}
|
|
|
public_masquerade() {
	# masquerade [source]
	# NAT traffic leaving via $if, optionally only from the given source
	# network. With a global $ip the translated address is fixed via
	# SNAT --to $ip; without one MASQUERADE uses whatever address $if has.
	local src="${1:+-s $1}"
	local tgt="${ip:+--to $ip}"
	local jump="${ip:+SNAT}" action=-A
	local rule=

	jump=${jump:-MASQUERADE}

	# A single-host source is inserted at the top of POSTROUTING so it wins
	# over broader network rules that were appended before it.
	case "$src" in
		*/32) action=-I ;;
	esac

	rule="POSTROUTING $src -o $if -j $jump $tgt"
	addcode up 1 6 "iptables -t nat $action $rule"
	addcode down 9 6 "iptables -t nat -D $rule"
}
|
|
|
|