mirror of https://github.com/fwbuilder/fwbuilder
removed test objects for secuwall
This commit is contained in:
Vadim Kurland
parent
3520002f56
commit
24416b751a
|
|
@ -34,21 +34,6 @@
|
|||
</ul>
|
||||
|
||||
|
||||
<!-- ######################################################################### -->
|
||||
<a name="import"></a>
|
||||
<h2>Changes in policy importer for all supported platforms</h2>
|
||||
|
||||
<h3>Changes that affect import of PIX configurations</h3>
|
||||
<ul>
|
||||
|
||||
<li>
|
||||
<p>
|
||||
</p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<!-- ######################################################################### -->
|
||||
<a name="iptables"></a>
|
||||
<h2>Changes in support for iptables</h2>
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,669 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# This is automatically generated file. DO NOT MODIFY !
|
||||
#
|
||||
# Firewall Builder fwb_ipt v5.0.2.3596
|
||||
#
|
||||
# Generated Sun Mar 18 21:17:40 2012 PDT by vadim
|
||||
#
|
||||
# files: * cluster1_secuwall-1.fw /etc/cluster1_secuwall-1.fw
|
||||
#
|
||||
# Compiled for iptables (any version)
|
||||
#
|
||||
# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.
|
||||
# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0
|
||||
|
||||
|
||||
|
||||
|
||||
FWBDEBUG=""
|
||||
|
||||
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
|
||||
export PATH
|
||||
|
||||
|
||||
|
||||
LSMOD="/bin/lsmod"
|
||||
MODPROBE="/sbin/modprobe"
|
||||
IPTABLES="/sbin/iptables"
|
||||
IP6TABLES="/sbin/ip6tables"
|
||||
IPTABLES_RESTORE="/sbin/iptables-restore"
|
||||
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
|
||||
IP="/sbin/ip"
|
||||
IFCONFIG="/sbin/ifconfig"
|
||||
VCONFIG="/sbin/vconfig"
|
||||
BRCTL="/sbin/brctl"
|
||||
IFENSLAVE="/sbin/ifenslave"
|
||||
IPSET="/usr/sbin/ipset"
|
||||
LOGGER="/usr/bin/logger"
|
||||
|
||||
log() {
|
||||
echo "$1"
|
||||
which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
|
||||
}
|
||||
|
||||
getInterfaceVarName() {
|
||||
echo $1 | sed 's/\./_/'
|
||||
}
|
||||
|
||||
getaddr_internal() {
|
||||
dev=$1
|
||||
name=$2
|
||||
af=$3
|
||||
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
|
||||
test -z "$L" && {
|
||||
eval "$name=''"
|
||||
return
|
||||
}
|
||||
eval "${name}_list=\"$L\""
|
||||
}
|
||||
|
||||
getnet_internal() {
|
||||
dev=$1
|
||||
name=$2
|
||||
af=$3
|
||||
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
|
||||
test -z "$L" && {
|
||||
eval "$name=''"
|
||||
return
|
||||
}
|
||||
eval "${name}_list=\"$L\""
|
||||
}
|
||||
|
||||
|
||||
getaddr() {
|
||||
getaddr_internal $1 $2 "-4"
|
||||
}
|
||||
|
||||
getaddr6() {
|
||||
getaddr_internal $1 $2 "-6"
|
||||
}
|
||||
|
||||
getnet() {
|
||||
getnet_internal $1 $2 "-4"
|
||||
}
|
||||
|
||||
getnet6() {
|
||||
getnet_internal $1 $2 "-6"
|
||||
}
|
||||
|
||||
# function getinterfaces is used to process wildcard interfaces
|
||||
getinterfaces() {
|
||||
NAME=$1
|
||||
$IP link show | grep ": $NAME" | while read L; do
|
||||
OIFS=$IFS
|
||||
IFS=" :"
|
||||
set $L
|
||||
IFS=$OIFS
|
||||
echo $2
|
||||
done
|
||||
}
|
||||
|
||||
diff_intf() {
|
||||
func=$1
|
||||
list1=$2
|
||||
list2=$3
|
||||
cmd=$4
|
||||
for intf in $list1
|
||||
do
|
||||
echo $list2 | grep -q $intf || {
|
||||
# $vlan is absent in list 2
|
||||
$func $intf $cmd
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
find_program() {
|
||||
PGM=$1
|
||||
which $PGM >/dev/null 2>&1 || {
|
||||
echo "\"$PGM\" not found"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
check_tools() {
|
||||
find_program which
|
||||
find_program $IPTABLES
|
||||
find_program $MODPROBE
|
||||
find_program $IP
|
||||
}
|
||||
reset_iptables_v4() {
|
||||
$IPTABLES -P OUTPUT DROP
|
||||
$IPTABLES -P INPUT DROP
|
||||
$IPTABLES -P FORWARD DROP
|
||||
|
||||
cat /proc/net/ip_tables_names | while read table; do
|
||||
$IPTABLES -t $table -L -n | while read c chain rest; do
|
||||
if test "X$c" = "XChain" ; then
|
||||
$IPTABLES -t $table -F $chain
|
||||
fi
|
||||
done
|
||||
$IPTABLES -t $table -X
|
||||
done
|
||||
}
|
||||
|
||||
reset_iptables_v6() {
|
||||
$IP6TABLES -P OUTPUT DROP
|
||||
$IP6TABLES -P INPUT DROP
|
||||
$IP6TABLES -P FORWARD DROP
|
||||
|
||||
cat /proc/net/ip6_tables_names | while read table; do
|
||||
$IP6TABLES -t $table -L -n | while read c chain rest; do
|
||||
if test "X$c" = "XChain" ; then
|
||||
$IP6TABLES -t $table -F $chain
|
||||
fi
|
||||
done
|
||||
$IP6TABLES -t $table -X
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
P2P_INTERFACE_WARNING=""
|
||||
|
||||
missing_address() {
|
||||
address=$1
|
||||
cmd=$2
|
||||
|
||||
oldIFS=$IFS
|
||||
IFS="@"
|
||||
set $address
|
||||
addr=$1
|
||||
interface=$2
|
||||
IFS=$oldIFS
|
||||
|
||||
|
||||
|
||||
$IP addr show dev $interface | grep -q POINTOPOINT && {
|
||||
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
|
||||
P2P_INTERFACE_WARNING="yes"
|
||||
return
|
||||
}
|
||||
|
||||
test "$cmd" = "add" && {
|
||||
echo "# Adding ip address: $interface $addr"
|
||||
echo $addr | grep -q ':' && {
|
||||
$FWBDEBUG $IP addr $cmd $addr dev $interface
|
||||
} || {
|
||||
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
|
||||
}
|
||||
}
|
||||
|
||||
test "$cmd" = "del" && {
|
||||
echo "# Removing ip address: $interface $addr"
|
||||
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
|
||||
}
|
||||
|
||||
$FWBDEBUG $IP link set $interface up
|
||||
}
|
||||
|
||||
list_addresses_by_scope() {
|
||||
interface=$1
|
||||
scope=$2
|
||||
ignore_list=$3
|
||||
$IP addr ls dev $interface | \
|
||||
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
|
||||
'BEGIN {
|
||||
split(IGNORED,ignored_arr);
|
||||
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
||||
}
|
||||
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
|
||||
while read addr; do
|
||||
echo "${addr}@$interface"
|
||||
done | sort
|
||||
}
|
||||
|
||||
|
||||
update_addresses_of_interface() {
|
||||
ignore_list=$2
|
||||
set $1
|
||||
interface=$1
|
||||
shift
|
||||
|
||||
FWB_ADDRS=$(
|
||||
for addr in $*; do
|
||||
echo "${addr}@$interface"
|
||||
done | sort
|
||||
)
|
||||
|
||||
CURRENT_ADDRS_ALL_SCOPES=""
|
||||
CURRENT_ADDRS_GLOBAL_SCOPE=""
|
||||
|
||||
$IP link show dev $interface >/dev/null 2>&1 && {
|
||||
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
|
||||
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
|
||||
} || {
|
||||
echo "# Interface $interface does not exist"
|
||||
# Stop the script if we are not in test mode
|
||||
test -z "$FWBDEBUG" && exit 1
|
||||
}
|
||||
|
||||
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
|
||||
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
|
||||
}
|
||||
|
||||
clear_addresses_except_known_interfaces() {
|
||||
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
|
||||
'BEGIN {
|
||||
split(IGNORED,ignored_arr);
|
||||
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
||||
}
|
||||
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
|
||||
while read intf; do
|
||||
echo "# Removing addresses not configured in fwbuilder from interface $intf"
|
||||
$FWBDEBUG $IP addr flush dev $intf scope global
|
||||
$FWBDEBUG $IP link set $intf down
|
||||
done
|
||||
}
|
||||
|
||||
check_file() {
|
||||
test -r "$2" || {
|
||||
echo "Can not find file $2 referenced by address table object $1"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
|
||||
check_run_time_address_table_files() {
|
||||
:
|
||||
|
||||
}
|
||||
|
||||
load_modules() {
|
||||
:
|
||||
echo "Modules are loaded only at startup!"
|
||||
}
|
||||
|
||||
verify_interfaces() {
|
||||
:
|
||||
echo "Verifying interfaces: eth0 eth1 lo"
|
||||
for i in eth0 eth1 lo ; do
|
||||
$IP link show "$i" > /dev/null 2>&1 || {
|
||||
log "Interface $i does not exist"
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
prolog_commands() {
|
||||
echo "Running prolog script"
|
||||
|
||||
}
|
||||
|
||||
epilog_commands() {
|
||||
echo "Running epilog script"
|
||||
|
||||
}
|
||||
|
||||
run_epilog_and_exit() {
|
||||
epilog_commands
|
||||
exit $1
|
||||
}
|
||||
|
||||
configure_interfaces() {
|
||||
for runstop in keepalived conntrackd network ; do
|
||||
/etc/init.d/${runstop} stop
|
||||
done
|
||||
|
||||
/sbin/ifclear all
|
||||
|
||||
for runstart in management network keepalived conntrackd ; do
|
||||
/etc/init.d/${runstart} start
|
||||
done
|
||||
}
|
||||
|
||||
script_body() {
|
||||
# ================ IPv4
|
||||
|
||||
|
||||
# ================ Table 'filter', automatic rules
|
||||
# accept established sessions
|
||||
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# client DNS for the firewall
|
||||
|
||||
|
||||
# ================ Table 'nat', rule set NAT
|
||||
#
|
||||
# Rule 0 (NAT)
|
||||
#
|
||||
echo "Rule 0 (NAT)"
|
||||
#
|
||||
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
|
||||
#
|
||||
# Rule 1 (NAT)
|
||||
#
|
||||
echo "Rule 1 (NAT)"
|
||||
#
|
||||
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-ports 3128
|
||||
|
||||
|
||||
|
||||
# ================ Table 'filter', rule set Policy
|
||||
#
|
||||
# Rule -8 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -8 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o lo -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -7 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -7 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i lo -p vrrp -s 127.0.0.1 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -6 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -6 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -5 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -5 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.3 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -4 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -4 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -3 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -3 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.3 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -2 CONNTRACK (automatic)
|
||||
#
|
||||
echo "Rule -2 CONNTRACK (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
|
||||
#
|
||||
# Rule -1 CONNTRACK (automatic)
|
||||
#
|
||||
echo "Rule -1 CONNTRACK (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
|
||||
#
|
||||
# Rule 0 (eth0)
|
||||
#
|
||||
echo "Rule 0 (eth0)"
|
||||
#
|
||||
# anti spoofing rule
|
||||
$IPTABLES -N In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
|
||||
$IPTABLES -A In_RULE_0 -j DROP
|
||||
#
|
||||
# Rule 1 (lo)
|
||||
#
|
||||
echo "Rule 1 (lo)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 2 (eth0)
|
||||
#
|
||||
echo "Rule 2 (eth0)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 3 (eth0)
|
||||
#
|
||||
echo "Rule 3 (eth0)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 4 (eth0)
|
||||
#
|
||||
echo "Rule 4 (eth0)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -o eth0 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 5 (eth0,eth1)
|
||||
#
|
||||
echo "Rule 5 (eth0,eth1)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -N Cid8117X67022.0
|
||||
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8117X67022.0
|
||||
$IPTABLES -A Cid8117X67022.0 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.0 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.0 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.0 -d 192.168.1.2 -j ACCEPT
|
||||
$IPTABLES -N Cid8117X67022.1
|
||||
$IPTABLES -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8117X67022.1
|
||||
$IPTABLES -A Cid8117X67022.1 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.1 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.1 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.1 -d 192.168.1.2 -j ACCEPT
|
||||
#
|
||||
# Rule 6 (cl1 intf 0,1)
|
||||
#
|
||||
echo "Rule 6 (cl1 intf 0,1)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -N Cid39519X67022.0
|
||||
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid39519X67022.0
|
||||
$IPTABLES -A Cid39519X67022.0 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.0 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.0 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.0 -d 192.168.1.2 -j ACCEPT
|
||||
$IPTABLES -N Cid39519X67022.1
|
||||
$IPTABLES -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid39519X67022.1
|
||||
$IPTABLES -A Cid39519X67022.1 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.1 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.1 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.1 -d 192.168.1.2 -j ACCEPT
|
||||
#
|
||||
# Rule 7 (eth0,eth1)
|
||||
#
|
||||
echo "Rule 7 (eth0,eth1)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 8 (cl1 intf 0,1)
|
||||
#
|
||||
echo "Rule 8 (cl1 intf 0,1)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 9 (global)
|
||||
#
|
||||
echo "Rule 9 (global)"
|
||||
#
|
||||
# SSH Access to firewall is permitted
|
||||
# only from internal network
|
||||
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 10 (global)
|
||||
#
|
||||
echo "Rule 10 (global)"
|
||||
#
|
||||
# Firewall uses one of the machines
|
||||
# on internal network for DNS
|
||||
$IPTABLES -N RULE_10
|
||||
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_10
|
||||
$IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_10
|
||||
$IPTABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- ACCEPT "
|
||||
$IPTABLES -A RULE_10 -j ACCEPT
|
||||
#
|
||||
# Rule 11 (global)
|
||||
#
|
||||
echo "Rule 11 (global)"
|
||||
#
|
||||
# All other attempts to connect to
|
||||
# the firewall are denied and logged
|
||||
$IPTABLES -N RULE_11
|
||||
$IPTABLES -A OUTPUT -d 172.24.0.1 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A OUTPUT -d 172.24.0.2 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A OUTPUT -d 192.168.1.2 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A INPUT -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
|
||||
$IPTABLES -A RULE_11 -j DROP
|
||||
#
|
||||
# Rule 12 (global)
|
||||
#
|
||||
echo "Rule 12 (global)"
|
||||
#
|
||||
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 13 (global)
|
||||
#
|
||||
echo "Rule 13 (global)"
|
||||
#
|
||||
$IPTABLES -N RULE_13
|
||||
$IPTABLES -A OUTPUT -m state --state NEW -j RULE_13
|
||||
$IPTABLES -A INPUT -m state --state NEW -j RULE_13
|
||||
$IPTABLES -A FORWARD -m state --state NEW -j RULE_13
|
||||
$IPTABLES -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
|
||||
$IPTABLES -A RULE_13 -j DROP
|
||||
}
|
||||
|
||||
ip_forward() {
|
||||
:
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
}
|
||||
|
||||
reset_all() {
|
||||
:
|
||||
reset_iptables_v4
|
||||
}
|
||||
|
||||
block_action() {
|
||||
reset_all
|
||||
}
|
||||
|
||||
stop_action() {
|
||||
reset_all
|
||||
$IPTABLES -P OUTPUT ACCEPT
|
||||
$IPTABLES -P INPUT ACCEPT
|
||||
$IPTABLES -P FORWARD ACCEPT
|
||||
}
|
||||
|
||||
check_iptables() {
|
||||
IP_TABLES="$1"
|
||||
[ ! -e $IP_TABLES ] && return 151
|
||||
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
|
||||
[ -z "$NF_TABLES" ] && return 152
|
||||
return 0
|
||||
}
|
||||
status_action() {
|
||||
check_iptables "/proc/net/ip_tables_names"
|
||||
ret_ipv4=$?
|
||||
check_iptables "/proc/net/ip6_tables_names"
|
||||
ret_ipv6=$?
|
||||
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
|
||||
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
|
||||
echo "iptables modules are not loaded"
|
||||
}
|
||||
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
|
||||
echo "Firewall is not configured"
|
||||
}
|
||||
exit 3
|
||||
}
|
||||
|
||||
# See how we were called.
|
||||
# For backwards compatibility missing argument is equivalent to 'start'
|
||||
|
||||
cmd=$1
|
||||
test -z "$cmd" && {
|
||||
cmd="start"
|
||||
}
|
||||
|
||||
case "$cmd" in
|
||||
start)
|
||||
log "Activating firewall script generated Sun Mar 18 21:17:40 2012 by vadim"
|
||||
log "Database was cluster-tests.fwb"
|
||||
check_tools
|
||||
check_run_time_address_table_files
|
||||
|
||||
prolog_commands
|
||||
load_modules "nat "
|
||||
configure_interfaces
|
||||
verify_interfaces
|
||||
|
||||
reset_all
|
||||
|
||||
script_body
|
||||
ip_forward
|
||||
epilog_commands
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
stop)
|
||||
stop_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
status)
|
||||
status_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
block)
|
||||
block_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
reload)
|
||||
$0 stop
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
interfaces)
|
||||
configure_interfaces
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
test_interfaces)
|
||||
FWBDEBUG="echo"
|
||||
configure_interfaces
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage $0 {start|stop|status|block|reload|interfaces|test_interfaces}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
||||
|
|
@ -4,7 +4,7 @@
|
|||
#
|
||||
# Firewall Builder fwb_ipt v5.0.2.3596
|
||||
#
|
||||
# Generated Sun Mar 18 21:17:36 2012 PDT by vadim
|
||||
# Generated Sun Mar 18 21:31:01 2012 PDT by vadim
|
||||
#
|
||||
# files: * rc.firewall.local /etc/rc.d//rc.firewall.local
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,647 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# This is automatically generated file. DO NOT MODIFY !
|
||||
#
|
||||
# Firewall Builder fwb_ipt v4.2.0.3499
|
||||
#
|
||||
# Generated Sat Mar 12 19:38:36 2011 PST by vadim
|
||||
#
|
||||
# files: * secuwall-1.fw /etc/secuwall-1.fw
|
||||
#
|
||||
# Compiled for iptables (any version)
|
||||
#
|
||||
# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.
|
||||
# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0
|
||||
|
||||
|
||||
|
||||
|
||||
FWBDEBUG=""
|
||||
|
||||
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
|
||||
export PATH
|
||||
|
||||
|
||||
|
||||
LSMOD="/bin/lsmod"
|
||||
MODPROBE="/sbin/modprobe"
|
||||
IPTABLES="/sbin/iptables"
|
||||
IP6TABLES="/sbin/ip6tables"
|
||||
IPTABLES_RESTORE="/sbin/iptables-restore"
|
||||
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
|
||||
IP="/sbin/ip"
|
||||
IFCONFIG="/sbin/ifconfig"
|
||||
VCONFIG="/sbin/vconfig"
|
||||
BRCTL="/sbin/brctl"
|
||||
IFENSLAVE="/sbin/ifenslave"
|
||||
IPSET="/usr/sbin/ipset"
|
||||
LOGGER="/usr/bin/logger"
|
||||
|
||||
log() {
|
||||
echo "$1"
|
||||
command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
|
||||
}
|
||||
|
||||
getInterfaceVarName() {
|
||||
echo $1 | sed 's/\./_/'
|
||||
}
|
||||
|
||||
getaddr_internal() {
|
||||
dev=$1
|
||||
name=$2
|
||||
af=$3
|
||||
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
|
||||
test -z "$L" && {
|
||||
eval "$name=''"
|
||||
return
|
||||
}
|
||||
eval "${name}_list=\"$L\""
|
||||
}
|
||||
|
||||
getaddr() {
|
||||
getaddr_internal $1 $2 "-4"
|
||||
}
|
||||
|
||||
getaddr6() {
|
||||
getaddr_internal $1 $2 "-6"
|
||||
}
|
||||
|
||||
# function getinterfaces is used to process wildcard interfaces
|
||||
getinterfaces() {
|
||||
NAME=$1
|
||||
$IP link show | grep ": $NAME" | while read L; do
|
||||
OIFS=$IFS
|
||||
IFS=" :"
|
||||
set $L
|
||||
IFS=$OIFS
|
||||
echo $2
|
||||
done
|
||||
}
|
||||
|
||||
diff_intf() {
|
||||
func=$1
|
||||
list1=$2
|
||||
list2=$3
|
||||
cmd=$4
|
||||
for intf in $list1
|
||||
do
|
||||
echo $list2 | grep -q $intf || {
|
||||
# $vlan is absent in list 2
|
||||
$func $intf $cmd
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
find_program() {
|
||||
PGM=$1
|
||||
command -v $PGM >/dev/null 2>&1 || {
|
||||
echo "$PGM not found"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
check_tools() {
|
||||
find_program $IPTABLES
|
||||
find_program $MODPROBE
|
||||
find_program $IP
|
||||
}
|
||||
reset_iptables_v4() {
|
||||
$IPTABLES -P OUTPUT DROP
|
||||
$IPTABLES -P INPUT DROP
|
||||
$IPTABLES -P FORWARD DROP
|
||||
|
||||
cat /proc/net/ip_tables_names | while read table; do
|
||||
$IPTABLES -t $table -L -n | while read c chain rest; do
|
||||
if test "X$c" = "XChain" ; then
|
||||
$IPTABLES -t $table -F $chain
|
||||
fi
|
||||
done
|
||||
$IPTABLES -t $table -X
|
||||
done
|
||||
}
|
||||
|
||||
reset_iptables_v6() {
|
||||
$IP6TABLES -P OUTPUT DROP
|
||||
$IP6TABLES -P INPUT DROP
|
||||
$IP6TABLES -P FORWARD DROP
|
||||
|
||||
cat /proc/net/ip6_tables_names | while read table; do
|
||||
$IP6TABLES -t $table -L -n | while read c chain rest; do
|
||||
if test "X$c" = "XChain" ; then
|
||||
$IP6TABLES -t $table -F $chain
|
||||
fi
|
||||
done
|
||||
$IP6TABLES -t $table -X
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
P2P_INTERFACE_WARNING=""
|
||||
|
||||
missing_address() {
|
||||
address=$1
|
||||
cmd=$2
|
||||
|
||||
oldIFS=$IFS
|
||||
IFS="@"
|
||||
set $address
|
||||
addr=$1
|
||||
interface=$2
|
||||
IFS=$oldIFS
|
||||
|
||||
|
||||
|
||||
$IP addr show dev $interface | grep -q POINTOPOINT && {
|
||||
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
|
||||
P2P_INTERFACE_WARNING="yes"
|
||||
return
|
||||
}
|
||||
|
||||
test "$cmd" = "add" && {
|
||||
echo "# Adding ip address: $interface $addr"
|
||||
echo $addr | grep -q ':' && {
|
||||
$FWBDEBUG $IP addr $cmd $addr dev $interface
|
||||
} || {
|
||||
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
|
||||
}
|
||||
}
|
||||
|
||||
test "$cmd" = "del" && {
|
||||
echo "# Removing ip address: $interface $addr"
|
||||
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
|
||||
}
|
||||
|
||||
$FWBDEBUG $IP link set $interface up
|
||||
}
|
||||
|
||||
list_addresses_by_scope() {
|
||||
interface=$1
|
||||
scope=$2
|
||||
ignore_list=$3
|
||||
$IP addr ls dev $interface | \
|
||||
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
|
||||
'BEGIN {
|
||||
split(IGNORED,ignored_arr);
|
||||
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
||||
}
|
||||
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
|
||||
while read addr; do
|
||||
echo "${addr}@$interface"
|
||||
done | sort
|
||||
}
|
||||
|
||||
|
||||
update_addresses_of_interface() {
|
||||
ignore_list=$2
|
||||
set $1
|
||||
interface=$1
|
||||
shift
|
||||
|
||||
FWB_ADDRS=$(
|
||||
for addr in $*; do
|
||||
echo "${addr}@$interface"
|
||||
done | sort
|
||||
)
|
||||
|
||||
CURRENT_ADDRS_ALL_SCOPES=""
|
||||
CURRENT_ADDRS_GLOBAL_SCOPE=""
|
||||
|
||||
$IP link show dev $interface >/dev/null 2>&1 && {
|
||||
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
|
||||
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
|
||||
} || {
|
||||
echo "# Interface $interface does not exist"
|
||||
# Stop the script if we are not in test mode
|
||||
test -z "$FWBDEBUG" && exit 1
|
||||
}
|
||||
|
||||
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
|
||||
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
|
||||
}
|
||||
|
||||
clear_addresses_except_known_interfaces() {
|
||||
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
|
||||
'BEGIN {
|
||||
split(IGNORED,ignored_arr);
|
||||
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
||||
}
|
||||
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
|
||||
while read intf; do
|
||||
echo "# Removing addresses not configured in fwbuilder from interface $intf"
|
||||
$FWBDEBUG $IP addr flush dev $intf scope global
|
||||
$FWBDEBUG $IP link set $intf down
|
||||
done
|
||||
}
|
||||
|
||||
check_file() {
|
||||
test -r "$2" || {
|
||||
echo "Can not find file $2 referenced by address table object $1"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
|
||||
check_run_time_address_table_files() {
|
||||
:
|
||||
|
||||
}
|
||||
|
||||
load_modules() {
|
||||
:
|
||||
echo "Modules are loaded only at startup!"
|
||||
}
|
||||
|
||||
verify_interfaces() {
|
||||
:
|
||||
echo "Verifying interfaces: eth0 eth1 lo"
|
||||
for i in eth0 eth1 lo ; do
|
||||
$IP link show "$i" > /dev/null 2>&1 || {
|
||||
log "Interface $i does not exist"
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
prolog_commands() {
|
||||
echo "Running prolog script"
|
||||
|
||||
}
|
||||
|
||||
epilog_commands() {
|
||||
echo "Running epilog script"
|
||||
|
||||
}
|
||||
|
||||
run_epilog_and_exit() {
|
||||
epilog_commands
|
||||
exit $1
|
||||
}
|
||||
|
||||
configure_interfaces() {
|
||||
for runstop in keepalived conntrackd network ; do
|
||||
/etc/init.d/${runstop} stop
|
||||
done
|
||||
|
||||
/sbin/ifclear all
|
||||
|
||||
for runstart in management network keepalived conntrackd ; do
|
||||
/etc/init.d/${runstart} start
|
||||
done
|
||||
}
|
||||
|
||||
script_body() {
|
||||
# ================ IPv4
|
||||
|
||||
|
||||
# ================ Table 'filter', automatic rules
|
||||
# accept established sessions
|
||||
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# client DNS for the firewall
|
||||
|
||||
|
||||
# ================ Table 'nat', rule set NAT
|
||||
#
|
||||
# Rule 0 (NAT)
|
||||
#
|
||||
echo "Rule 0 (NAT)"
|
||||
#
|
||||
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1
|
||||
#
|
||||
# Rule 1 (NAT)
|
||||
#
|
||||
echo "Rule 1 (NAT)"
|
||||
#
|
||||
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-ports 3128
|
||||
|
||||
|
||||
|
||||
# ================ Table 'filter', rule set Policy
|
||||
#
|
||||
# Rule -8 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -8 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o lo -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -7 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -7 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i lo -p vrrp -s 127.0.0.1 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -6 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -6 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -5 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -5 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.3 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -4 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -4 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -3 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -3 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.3 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -2 CONNTRACK (automatic)
|
||||
#
|
||||
echo "Rule -2 CONNTRACK (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
|
||||
#
|
||||
# Rule -1 CONNTRACK (automatic)
|
||||
#
|
||||
echo "Rule -1 CONNTRACK (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
|
||||
#
|
||||
# Rule 0 (eth0)
|
||||
#
|
||||
echo "Rule 0 (eth0)"
|
||||
#
|
||||
# anti spoofing rule
|
||||
$IPTABLES -N In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
|
||||
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
|
||||
$IPTABLES -A In_RULE_0 -j DROP
|
||||
#
|
||||
# Rule 1 (lo)
|
||||
#
|
||||
echo "Rule 1 (lo)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 2 (eth0)
|
||||
#
|
||||
echo "Rule 2 (eth0)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 3 (eth0)
|
||||
#
|
||||
echo "Rule 3 (eth0)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 4 (eth0)
|
||||
#
|
||||
echo "Rule 4 (eth0)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -o eth0 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 5 (eth0,eth1)
|
||||
#
|
||||
echo "Rule 5 (eth0,eth1)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -N Cid8117X67022.0
|
||||
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8117X67022.0
|
||||
$IPTABLES -A Cid8117X67022.0 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.0 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.0 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.0 -d 192.168.1.2 -j ACCEPT
|
||||
$IPTABLES -N Cid8117X67022.1
|
||||
$IPTABLES -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8117X67022.1
|
||||
$IPTABLES -A Cid8117X67022.1 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.1 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.1 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid8117X67022.1 -d 192.168.1.2 -j ACCEPT
|
||||
#
|
||||
# Rule 6 (cl1 intf 0,1)
|
||||
#
|
||||
echo "Rule 6 (cl1 intf 0,1)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -N Cid39519X67022.0
|
||||
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid39519X67022.0
|
||||
$IPTABLES -A Cid39519X67022.0 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.0 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.0 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.0 -d 192.168.1.2 -j ACCEPT
|
||||
$IPTABLES -N Cid39519X67022.1
|
||||
$IPTABLES -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid39519X67022.1
|
||||
$IPTABLES -A Cid39519X67022.1 -d 172.24.0.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.1 -d 172.24.0.2 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.1 -d 192.168.1.1 -j ACCEPT
|
||||
$IPTABLES -A Cid39519X67022.1 -d 192.168.1.2 -j ACCEPT
|
||||
#
|
||||
# Rule 7 (eth0,eth1)
|
||||
#
|
||||
echo "Rule 7 (eth0,eth1)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 8 (cl1 intf 0,1)
|
||||
#
|
||||
echo "Rule 8 (cl1 intf 0,1)"
|
||||
#
|
||||
# "firewall is part of any" OFF
|
||||
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 9 (global)
|
||||
#
|
||||
echo "Rule 9 (global)"
|
||||
#
|
||||
# SSH Access to firewall is permitted
|
||||
# only from internal network
|
||||
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 10 (global)
|
||||
#
|
||||
echo "Rule 10 (global)"
|
||||
#
|
||||
# Firewall uses one of the machines
|
||||
# on internal network for DNS
|
||||
$IPTABLES -N RULE_10
|
||||
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_10
|
||||
$IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_10
|
||||
$IPTABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- ACCEPT "
|
||||
$IPTABLES -A RULE_10 -j ACCEPT
|
||||
#
|
||||
# Rule 11 (global)
|
||||
#
|
||||
echo "Rule 11 (global)"
|
||||
#
|
||||
# All other attempts to connect to
|
||||
# the firewall are denied and logged
|
||||
$IPTABLES -N RULE_11
|
||||
$IPTABLES -A OUTPUT -d 172.24.0.1 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A OUTPUT -d 172.24.0.2 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A OUTPUT -d 192.168.1.2 -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A INPUT -m state --state NEW -j RULE_11
|
||||
$IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
|
||||
$IPTABLES -A RULE_11 -j DROP
|
||||
#
|
||||
# Rule 12 (global)
|
||||
#
|
||||
echo "Rule 12 (global)"
|
||||
#
|
||||
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
||||
#
|
||||
# Rule 13 (global)
|
||||
#
|
||||
echo "Rule 13 (global)"
|
||||
#
|
||||
$IPTABLES -N RULE_13
|
||||
$IPTABLES -A OUTPUT -m state --state NEW -j RULE_13
|
||||
$IPTABLES -A INPUT -m state --state NEW -j RULE_13
|
||||
$IPTABLES -A FORWARD -m state --state NEW -j RULE_13
|
||||
$IPTABLES -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
|
||||
$IPTABLES -A RULE_13 -j DROP
|
||||
}
|
||||
|
||||
ip_forward() {
|
||||
:
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
}
|
||||
|
||||
reset_all() {
|
||||
:
|
||||
reset_iptables_v4
|
||||
}
|
||||
|
||||
block_action() {
|
||||
reset_all
|
||||
}
|
||||
|
||||
stop_action() {
|
||||
reset_all
|
||||
$IPTABLES -P OUTPUT ACCEPT
|
||||
$IPTABLES -P INPUT ACCEPT
|
||||
$IPTABLES -P FORWARD ACCEPT
|
||||
}
|
||||
|
||||
check_iptables() {
|
||||
IP_TABLES="$1"
|
||||
[ ! -e $IP_TABLES ] && return 151
|
||||
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
|
||||
[ -z "$NF_TABLES" ] && return 152
|
||||
return 0
|
||||
}
|
||||
status_action() {
|
||||
check_iptables "/proc/net/ip_tables_names"
|
||||
ret_ipv4=$?
|
||||
check_iptables "/proc/net/ip6_tables_names"
|
||||
ret_ipv6=$?
|
||||
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
|
||||
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
|
||||
echo "iptables modules are not loaded"
|
||||
}
|
||||
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
|
||||
echo "Firewall is not configured"
|
||||
}
|
||||
exit 3
|
||||
}
|
||||
|
||||
# See how we were called.
|
||||
# For backwards compatibility missing argument is equivalent to 'start'
|
||||
|
||||
cmd=$1
|
||||
test -z "$cmd" && {
|
||||
cmd="start"
|
||||
}
|
||||
|
||||
case "$cmd" in
|
||||
start)
|
||||
log "Activating firewall script generated Sat Mar 12 19:38:36 2011 by vadim"
|
||||
log "Database was cluster-tests.fwb"
|
||||
check_tools
|
||||
check_run_time_address_table_files
|
||||
|
||||
prolog_commands
|
||||
load_modules "nat "
|
||||
configure_interfaces
|
||||
verify_interfaces
|
||||
|
||||
reset_all
|
||||
|
||||
script_body
|
||||
ip_forward
|
||||
epilog_commands
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
stop)
|
||||
stop_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
status)
|
||||
status_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
block)
|
||||
block_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
reload)
|
||||
$0 stop
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
interfaces)
|
||||
configure_interfaces
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
test_interfaces)
|
||||
FWBDEBUG="echo"
|
||||
configure_interfaces
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage $0 {start|stop|status|block|reload|interfaces|test_interfaces}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
||||
|
|
@ -1,486 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# This is automatically generated file. DO NOT MODIFY !
|
||||
#
|
||||
# Firewall Builder fwb_ipt v5.0.2.3596
|
||||
#
|
||||
# Generated Sun Mar 18 21:17:42 2012 PDT by vadim
|
||||
#
|
||||
# files: * secuwall_cluster_1_secuwall-1.fw /etc/secuwall_cluster_1_secuwall-1.fw
|
||||
#
|
||||
# Compiled for iptables (any version)
|
||||
#
|
||||
# This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.
|
||||
# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0
|
||||
|
||||
|
||||
|
||||
|
||||
FWBDEBUG=""
|
||||
|
||||
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
|
||||
export PATH
|
||||
|
||||
|
||||
|
||||
LSMOD="/bin/lsmod"
|
||||
MODPROBE="/sbin/modprobe"
|
||||
IPTABLES="/sbin/iptables"
|
||||
IP6TABLES="/sbin/ip6tables"
|
||||
IPTABLES_RESTORE="/sbin/iptables-restore"
|
||||
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
|
||||
IP="/sbin/ip"
|
||||
IFCONFIG="/sbin/ifconfig"
|
||||
VCONFIG="/sbin/vconfig"
|
||||
BRCTL="/sbin/brctl"
|
||||
IFENSLAVE="/sbin/ifenslave"
|
||||
IPSET="/usr/sbin/ipset"
|
||||
LOGGER="/usr/bin/logger"
|
||||
|
||||
log() {
|
||||
echo "$1"
|
||||
which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
|
||||
}
|
||||
|
||||
getInterfaceVarName() {
|
||||
echo $1 | sed 's/\./_/'
|
||||
}
|
||||
|
||||
getaddr_internal() {
|
||||
dev=$1
|
||||
name=$2
|
||||
af=$3
|
||||
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
|
||||
test -z "$L" && {
|
||||
eval "$name=''"
|
||||
return
|
||||
}
|
||||
eval "${name}_list=\"$L\""
|
||||
}
|
||||
|
||||
getnet_internal() {
|
||||
dev=$1
|
||||
name=$2
|
||||
af=$3
|
||||
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
|
||||
test -z "$L" && {
|
||||
eval "$name=''"
|
||||
return
|
||||
}
|
||||
eval "${name}_list=\"$L\""
|
||||
}
|
||||
|
||||
|
||||
getaddr() {
|
||||
getaddr_internal $1 $2 "-4"
|
||||
}
|
||||
|
||||
getaddr6() {
|
||||
getaddr_internal $1 $2 "-6"
|
||||
}
|
||||
|
||||
getnet() {
|
||||
getnet_internal $1 $2 "-4"
|
||||
}
|
||||
|
||||
getnet6() {
|
||||
getnet_internal $1 $2 "-6"
|
||||
}
|
||||
|
||||
# function getinterfaces is used to process wildcard interfaces
|
||||
getinterfaces() {
|
||||
NAME=$1
|
||||
$IP link show | grep ": $NAME" | while read L; do
|
||||
OIFS=$IFS
|
||||
IFS=" :"
|
||||
set $L
|
||||
IFS=$OIFS
|
||||
echo $2
|
||||
done
|
||||
}
|
||||
|
||||
diff_intf() {
|
||||
func=$1
|
||||
list1=$2
|
||||
list2=$3
|
||||
cmd=$4
|
||||
for intf in $list1
|
||||
do
|
||||
echo $list2 | grep -q $intf || {
|
||||
# $vlan is absent in list 2
|
||||
$func $intf $cmd
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
find_program() {
|
||||
PGM=$1
|
||||
which $PGM >/dev/null 2>&1 || {
|
||||
echo "\"$PGM\" not found"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
check_tools() {
|
||||
find_program which
|
||||
find_program $IPTABLES
|
||||
find_program $MODPROBE
|
||||
find_program $IP
|
||||
}
|
||||
reset_iptables_v4() {
|
||||
$IPTABLES -P OUTPUT DROP
|
||||
$IPTABLES -P INPUT DROP
|
||||
$IPTABLES -P FORWARD DROP
|
||||
|
||||
cat /proc/net/ip_tables_names | while read table; do
|
||||
$IPTABLES -t $table -L -n | while read c chain rest; do
|
||||
if test "X$c" = "XChain" ; then
|
||||
$IPTABLES -t $table -F $chain
|
||||
fi
|
||||
done
|
||||
$IPTABLES -t $table -X
|
||||
done
|
||||
}
|
||||
|
||||
reset_iptables_v6() {
|
||||
$IP6TABLES -P OUTPUT DROP
|
||||
$IP6TABLES -P INPUT DROP
|
||||
$IP6TABLES -P FORWARD DROP
|
||||
|
||||
cat /proc/net/ip6_tables_names | while read table; do
|
||||
$IP6TABLES -t $table -L -n | while read c chain rest; do
|
||||
if test "X$c" = "XChain" ; then
|
||||
$IP6TABLES -t $table -F $chain
|
||||
fi
|
||||
done
|
||||
$IP6TABLES -t $table -X
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
P2P_INTERFACE_WARNING=""
|
||||
|
||||
missing_address() {
|
||||
address=$1
|
||||
cmd=$2
|
||||
|
||||
oldIFS=$IFS
|
||||
IFS="@"
|
||||
set $address
|
||||
addr=$1
|
||||
interface=$2
|
||||
IFS=$oldIFS
|
||||
|
||||
|
||||
|
||||
$IP addr show dev $interface | grep -q POINTOPOINT && {
|
||||
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
|
||||
P2P_INTERFACE_WARNING="yes"
|
||||
return
|
||||
}
|
||||
|
||||
test "$cmd" = "add" && {
|
||||
echo "# Adding ip address: $interface $addr"
|
||||
echo $addr | grep -q ':' && {
|
||||
$FWBDEBUG $IP addr $cmd $addr dev $interface
|
||||
} || {
|
||||
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
|
||||
}
|
||||
}
|
||||
|
||||
test "$cmd" = "del" && {
|
||||
echo "# Removing ip address: $interface $addr"
|
||||
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
|
||||
}
|
||||
|
||||
$FWBDEBUG $IP link set $interface up
|
||||
}
|
||||
|
||||
list_addresses_by_scope() {
|
||||
interface=$1
|
||||
scope=$2
|
||||
ignore_list=$3
|
||||
$IP addr ls dev $interface | \
|
||||
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
|
||||
'BEGIN {
|
||||
split(IGNORED,ignored_arr);
|
||||
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
||||
}
|
||||
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
|
||||
while read addr; do
|
||||
echo "${addr}@$interface"
|
||||
done | sort
|
||||
}
|
||||
|
||||
|
||||
update_addresses_of_interface() {
|
||||
ignore_list=$2
|
||||
set $1
|
||||
interface=$1
|
||||
shift
|
||||
|
||||
FWB_ADDRS=$(
|
||||
for addr in $*; do
|
||||
echo "${addr}@$interface"
|
||||
done | sort
|
||||
)
|
||||
|
||||
CURRENT_ADDRS_ALL_SCOPES=""
|
||||
CURRENT_ADDRS_GLOBAL_SCOPE=""
|
||||
|
||||
$IP link show dev $interface >/dev/null 2>&1 && {
|
||||
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
|
||||
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
|
||||
} || {
|
||||
echo "# Interface $interface does not exist"
|
||||
# Stop the script if we are not in test mode
|
||||
test -z "$FWBDEBUG" && exit 1
|
||||
}
|
||||
|
||||
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
|
||||
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
|
||||
}
|
||||
|
||||
clear_addresses_except_known_interfaces() {
|
||||
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
|
||||
'BEGIN {
|
||||
split(IGNORED,ignored_arr);
|
||||
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
||||
}
|
||||
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
|
||||
while read intf; do
|
||||
echo "# Removing addresses not configured in fwbuilder from interface $intf"
|
||||
$FWBDEBUG $IP addr flush dev $intf scope global
|
||||
$FWBDEBUG $IP link set $intf down
|
||||
done
|
||||
}
|
||||
|
||||
check_file() {
|
||||
test -r "$2" || {
|
||||
echo "Can not find file $2 referenced by address table object $1"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
|
||||
check_run_time_address_table_files() {
|
||||
:
|
||||
|
||||
}
|
||||
|
||||
load_modules() {
|
||||
:
|
||||
echo "Modules are loaded only at startup!"
|
||||
}
|
||||
|
||||
verify_interfaces() {
|
||||
:
|
||||
echo "Verifying interfaces: eth0 eth1 lo vrrp0 vrrp1"
|
||||
for i in eth0 eth1 lo vrrp0 vrrp1 ; do
|
||||
$IP link show "$i" > /dev/null 2>&1 || {
|
||||
log "Interface $i does not exist"
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
}
|
||||
|
||||
prolog_commands() {
|
||||
echo "Running prolog script"
|
||||
|
||||
}
|
||||
|
||||
epilog_commands() {
|
||||
echo "Running epilog script"
|
||||
|
||||
}
|
||||
|
||||
run_epilog_and_exit() {
|
||||
epilog_commands
|
||||
exit $1
|
||||
}
|
||||
|
||||
configure_interfaces() {
|
||||
for runstop in keepalived conntrackd network ; do
|
||||
/etc/init.d/${runstop} stop
|
||||
done
|
||||
|
||||
/sbin/ifclear all
|
||||
|
||||
for runstart in management network keepalived conntrackd ; do
|
||||
/etc/init.d/${runstart} start
|
||||
done
|
||||
}
|
||||
|
||||
script_body() {
|
||||
# ================ IPv4
|
||||
|
||||
|
||||
# ================ Table 'filter', automatic rules
|
||||
# accept established sessions
|
||||
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# client DNS for the firewall
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# ================ Table 'filter', rule set Policy
|
||||
#
|
||||
# Rule -6 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -6 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -5 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -5 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.3 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -4 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -4 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -3 VRRP (automatic)
|
||||
#
|
||||
echo "Rule -3 VRRP (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.3 -d 224.0.0.18 -j ACCEPT
|
||||
#
|
||||
# Rule -2 CONNTRACK (automatic)
|
||||
#
|
||||
echo "Rule -2 CONNTRACK (automatic)"
|
||||
#
|
||||
$IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
|
||||
#
|
||||
# Rule -1 CONNTRACK (automatic)
|
||||
#
|
||||
echo "Rule -1 CONNTRACK (automatic)"
|
||||
#
|
||||
$IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT
|
||||
}
|
||||
|
||||
ip_forward() {
|
||||
:
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
}
|
||||
|
||||
reset_all() {
|
||||
:
|
||||
reset_iptables_v4
|
||||
}
|
||||
|
||||
block_action() {
|
||||
reset_all
|
||||
}
|
||||
|
||||
stop_action() {
|
||||
reset_all
|
||||
$IPTABLES -P OUTPUT ACCEPT
|
||||
$IPTABLES -P INPUT ACCEPT
|
||||
$IPTABLES -P FORWARD ACCEPT
|
||||
}
|
||||
|
||||
check_iptables() {
|
||||
IP_TABLES="$1"
|
||||
[ ! -e $IP_TABLES ] && return 151
|
||||
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
|
||||
[ -z "$NF_TABLES" ] && return 152
|
||||
return 0
|
||||
}
|
||||
status_action() {
|
||||
check_iptables "/proc/net/ip_tables_names"
|
||||
ret_ipv4=$?
|
||||
check_iptables "/proc/net/ip6_tables_names"
|
||||
ret_ipv6=$?
|
||||
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
|
||||
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
|
||||
echo "iptables modules are not loaded"
|
||||
}
|
||||
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
|
||||
echo "Firewall is not configured"
|
||||
}
|
||||
exit 3
|
||||
}
|
||||
|
||||
# See how we were called.
|
||||
# For backwards compatibility missing argument is equivalent to 'start'
|
||||
|
||||
cmd=$1
|
||||
test -z "$cmd" && {
|
||||
cmd="start"
|
||||
}
|
||||
|
||||
case "$cmd" in
|
||||
start)
|
||||
log "Activating firewall script generated Sun Mar 18 21:17:42 2012 by vadim"
|
||||
log "Database was cluster-tests.fwb"
|
||||
check_tools
|
||||
check_run_time_address_table_files
|
||||
|
||||
prolog_commands
|
||||
load_modules " "
|
||||
configure_interfaces
|
||||
verify_interfaces
|
||||
|
||||
reset_all
|
||||
|
||||
script_body
|
||||
ip_forward
|
||||
epilog_commands
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
stop)
|
||||
stop_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
status)
|
||||
status_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
block)
|
||||
block_action
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
reload)
|
||||
$0 stop
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
interfaces)
|
||||
configure_interfaces
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
test_interfaces)
|
||||
FWBDEBUG="echo"
|
||||
configure_interfaces
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage $0 {start|stop|status|block|reload|interfaces|test_interfaces}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
||||
Loading…
Reference in New Issue