From 58ed0f4df263ae420d17ecc57a96b617f072de88 Mon Sep 17 00:00:00 2001
From: Vadim Kurland
Date: Thu, 3 Feb 2011 10:06:20 -0800
Subject: [PATCH] re-ran tests

---
 test/iosacl/auto-interface-test.fw.orig | 4 +-
 test/iosacl/c3620.fw.orig | 4 +-
 test/iosacl/ccie4u-r1.fw.orig | 4 +-
 test/iosacl/dynamips1-og.fw.orig | 4 +-
 test/iosacl/firewall-ipv6-1.fw.orig | 4 +-
 test/iosacl/firewall-ipv6-2.fw.orig | 4 +-
 test/iosacl/firewall-ipv6-3.fw.orig | 4 +-
 test/iosacl/testios1-1.fw.orig | 4 +-
 test/iosacl/testios1.fw.orig | 4 +-
 test/iosacl/testios2.fw.orig | 4 +-
 test/iosacl/testios20-v12.3.fw.orig | 4 +-
 test/iosacl/testios20.fw.orig | 4 +-
 test/iosacl/testios3.fw.orig | 4 +-
 test/iosacl/testios4.fw.orig | 4 +-
 test/iosacl/testios5-1.fw.orig | 4 +-
 test/iosacl/testios5.fw.orig | 4 +-
 test/ipt/fwbuilder.fw.orig | 517 ++++++++++++++++++++++++
 17 files changed, 549 insertions(+), 32 deletions(-)
 create mode 100755 test/ipt/fwbuilder.fw.orig

diff --git a/test/iosacl/auto-interface-test.fw.orig b/test/iosacl/auto-interface-test.fw.orig
index 627d80d23..ee05104e2 100755
--- a/test/iosacl/auto-interface-test.fw.orig
+++ b/test/iosacl/auto-interface-test.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:53 2011 PST by vadim
+! Generated Thu Feb 3 10:04:19 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/c3620.fw.orig b/test/iosacl/c3620.fw.orig
index cd1b8d255..cac92d5e1 100755
--- a/test/iosacl/c3620.fw.orig
+++ b/test/iosacl/c3620.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:53 2011 PST by vadim
+! Generated Thu Feb 3 10:04:19 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/ccie4u-r1.fw.orig b/test/iosacl/ccie4u-r1.fw.orig
index f0723772f..4f002d4f5 100755
--- a/test/iosacl/ccie4u-r1.fw.orig
+++ b/test/iosacl/ccie4u-r1.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:53 2011 PST by vadim
+! Generated Thu Feb 3 10:04:19 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/dynamips1-og.fw.orig b/test/iosacl/dynamips1-og.fw.orig
index 00d13716d..1ffe384b3 100755
--- a/test/iosacl/dynamips1-og.fw.orig
+++ b/test/iosacl/dynamips1-og.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:53 2011 PST by vadim
+! Generated Thu Feb 3 10:04:19 2011 PST by vadim
 !
 ! Compiled for iosacl 12.4
 !
diff --git a/test/iosacl/firewall-ipv6-1.fw.orig b/test/iosacl/firewall-ipv6-1.fw.orig
index 5f7d0df20..6e10b5362 100755
--- a/test/iosacl/firewall-ipv6-1.fw.orig
+++ b/test/iosacl/firewall-ipv6-1.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:54 2011 PST by vadim
+! Generated Thu Feb 3 10:04:20 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/firewall-ipv6-2.fw.orig b/test/iosacl/firewall-ipv6-2.fw.orig
index 464d37a58..dd2911bdb 100755
--- a/test/iosacl/firewall-ipv6-2.fw.orig
+++ b/test/iosacl/firewall-ipv6-2.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:54 2011 PST by vadim
+! Generated Thu Feb 3 10:04:20 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/firewall-ipv6-3.fw.orig b/test/iosacl/firewall-ipv6-3.fw.orig
index 3857bce80..c5cbffd25 100755
--- a/test/iosacl/firewall-ipv6-3.fw.orig
+++ b/test/iosacl/firewall-ipv6-3.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:54 2011 PST by vadim
+! Generated Thu Feb 3 10:04:20 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/testios1-1.fw.orig b/test/iosacl/testios1-1.fw.orig
index 267894637..234301dc0 100755
--- a/test/iosacl/testios1-1.fw.orig
+++ b/test/iosacl/testios1-1.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:55 2011 PST by vadim
+! Generated Thu Feb 3 10:04:20 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/testios1.fw.orig b/test/iosacl/testios1.fw.orig
index fb7c86cde..a0be22cbf 100755
--- a/test/iosacl/testios1.fw.orig
+++ b/test/iosacl/testios1.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:54 2011 PST by vadim
+! Generated Thu Feb 3 10:04:20 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/testios2.fw.orig b/test/iosacl/testios2.fw.orig
index 60afc831e..e98e36e00 100755
--- a/test/iosacl/testios2.fw.orig
+++ b/test/iosacl/testios2.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:55 2011 PST by vadim
+! Generated Thu Feb 3 10:04:21 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/testios20-v12.3.fw.orig b/test/iosacl/testios20-v12.3.fw.orig
index 005f1b404..8fee79439 100755
--- a/test/iosacl/testios20-v12.3.fw.orig
+++ b/test/iosacl/testios20-v12.3.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:55 2011 PST by vadim
+! Generated Thu Feb 3 10:04:21 2011 PST by vadim
 !
 ! Compiled for iosacl 12.3
 !
diff --git a/test/iosacl/testios20.fw.orig b/test/iosacl/testios20.fw.orig
index e2992eb31..65cd57ffe 100755
--- a/test/iosacl/testios20.fw.orig
+++ b/test/iosacl/testios20.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:55 2011 PST by vadim
+! Generated Thu Feb 3 10:04:21 2011 PST by vadim
 !
 ! Compiled for iosacl 12.4
 !
diff --git a/test/iosacl/testios3.fw.orig b/test/iosacl/testios3.fw.orig
index 130861503..745780eda 100755
--- a/test/iosacl/testios3.fw.orig
+++ b/test/iosacl/testios3.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:55 2011 PST by vadim
+! Generated Thu Feb 3 10:04:21 2011 PST by vadim
 !
 ! Compiled for iosacl 12.1
 !
diff --git a/test/iosacl/testios4.fw.orig b/test/iosacl/testios4.fw.orig
index 862326374..0d089d433 100755
--- a/test/iosacl/testios4.fw.orig
+++ b/test/iosacl/testios4.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:56 2011 PST by vadim
+! Generated Thu Feb 3 10:04:21 2011 PST by vadim
 !
 ! Compiled for iosacl 12.4
 !
diff --git a/test/iosacl/testios5-1.fw.orig b/test/iosacl/testios5-1.fw.orig
index c68951d5e..c34d355d8 100755
--- a/test/iosacl/testios5-1.fw.orig
+++ b/test/iosacl/testios5-1.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:56 2011 PST by vadim
+! Generated Thu Feb 3 10:04:22 2011 PST by vadim
 !
 ! Compiled for iosacl 12.4
 !
diff --git a/test/iosacl/testios5.fw.orig b/test/iosacl/testios5.fw.orig
index 54853b1cc..4d402b692 100755
--- a/test/iosacl/testios5.fw.orig
+++ b/test/iosacl/testios5.fw.orig
@@ -1,9 +1,9 @@
 !
 ! This is automatically generated file. DO NOT MODIFY !
 !
-! Firewall Builder fwb_iosacl v4.2.0.3455
+! Firewall Builder fwb_iosacl v4.2.0.3457
 !
-! Generated Mon Jan 31 18:35:56 2011 PST by vadim
+! Generated Thu Feb 3 10:04:22 2011 PST by vadim
 !
 ! Compiled for iosacl 12.4
 !
diff --git a/test/ipt/fwbuilder.fw.orig b/test/ipt/fwbuilder.fw.orig
new file mode 100755
index 000000000..b57797106
--- /dev/null
+++ b/test/ipt/fwbuilder.fw.orig
@@ -0,0 +1,517 @@ +#!/bin/sh /etc/rc.common +# +# This is automatically generated file. DO NOT MODIFY ! +# +# Firewall Builder fwb_ipt v4.2.0.3457 +# +# Generated Thu Feb 3 09:58:06 2011 PST by vadim +# +# files: * fwbuilder.fw +# +# Compiled for iptables 1.4.3 +# +# testing run time address table objects with module set +# use module set is turned off + +# firewall41-2::: warning: Can not add virtual address for object atbl.1 + +START=46 + +EXTRA_COMMANDS="status interfaces test_interfaces" + + +FWBDEBUG="" + +PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" +export PATH + + + +LSMOD="/sbin/lsmod" +MODPROBE="" +IPTABLES="/usr/sbin/iptables" +IP6TABLES="/usr/sbin/ip6tables" +IPTABLES_RESTORE="/usr/sbin/iptables-restore" +IP6TABLES_RESTORE="/usr/sbin/ip6tables-restore" +IP="/usr/sbin/ip" +IFCONFIG="/sbin/ifconfig" +VCONFIG="/sbin/vconfig" +BRCTL="/usr/sbin/brctl" +IFENSLAVE="/sbin/ifenslave" +IPSET="/usr/sbin/ipset" +LOGGER="/usr/bin/logger" + +log() { + echo "$1" + test -x "$LOGGER" && $LOGGER -p info "$1" +} + +getInterfaceVarName() { + echo $1 | sed 's/\./_/' +} + +getaddr_internal() { + dev=$1 + name=$2 + af=$3 + L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') + test -z "$L" && { + eval "$name=''" + return + } + eval "${name}_list=\"$L\"" +} + +getaddr() { + getaddr_internal $1 $2 "-4" +} + +getaddr6() { + getaddr_internal $1 $2 "-6" +} + +# function getinterfaces is used to process wildcard interfaces +getinterfaces() { + NAME=$1 + $IP link show | grep ": $NAME" | while read L; do + OIFS=$IFS + IFS=" :" + set $L + IFS=$OIFS + echo $2 + done +} + +diff_intf() { + func=$1 + list1=$2 + list2=$3 + cmd=$4 + for intf in $list1 + do + echo $list2 | grep -q $intf || { + # $vlan is absent in list 2 + $func $intf $cmd + } + done +} + +find_program() { + PGM=$1 + $PGM >/dev/null 2>&1; test $? 
= 127 && { + echo "$PGM not found" + exit 1 + } +} +check_tools() { + find_program $IP +} +reset_iptables_v4() { + $IPTABLES -P OUTPUT DROP + $IPTABLES -P INPUT DROP + $IPTABLES -P FORWARD DROP + +cat /proc/net/ip_tables_names | while read table; do + $IPTABLES -t $table -L -n | while read c chain rest; do + if test "X$c" = "XChain" ; then + $IPTABLES -t $table -F $chain + fi + done + $IPTABLES -t $table -X +done +} + +reset_iptables_v6() { + $IP6TABLES -P OUTPUT DROP + $IP6TABLES -P INPUT DROP + $IP6TABLES -P FORWARD DROP + +cat /proc/net/ip6_tables_names | while read table; do + $IP6TABLES -t $table -L -n | while read c chain rest; do + if test "X$c" = "XChain" ; then + $IP6TABLES -t $table -F $chain + fi + done + $IP6TABLES -t $table -X +done +} + + +P2P_INTERFACE_WARNING="" + +missing_address() { + address=$1 + cmd=$2 + + oldIFS=$IFS + IFS="@" + set $address + addr=$1 + interface=$2 + IFS=$oldIFS + + + + $IP addr show dev $interface | grep -q POINTOPOINT && { + test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. 
fwbuilder can not manage addresses of point-to-point interfaces yet" + P2P_INTERFACE_WARNING="yes" + return + } + + test "$cmd" = "add" && { + echo "# Adding ip address: $interface $addr" + echo $addr | grep -q ':' && { + $FWBDEBUG $IP addr $cmd $addr dev $interface + } || { + $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface + } + } + + test "$cmd" = "del" && { + echo "# Removing ip address: $interface $addr" + $FWBDEBUG $IP addr $cmd $addr dev $interface + } + + $FWBDEBUG $IP link set $interface up +} + +list_addresses_by_scope() { + interface=$1 + scope=$2 + ignore_list=$3 + $IP addr ls dev $interface | \ + awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ + 'BEGIN { + split(IGNORED,ignored_arr); + for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} + } + (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ + while read addr; do + echo "${addr}@$interface" + done | sort +} + + +update_addresses_of_interface() { + ignore_list=$2 + set $1 + interface=$1 + shift + + FWB_ADDRS=$( + for addr in $*; do + echo "${addr}@$interface" + done | sort + ) + + CURRENT_ADDRS_ALL_SCOPES="" + CURRENT_ADDRS_GLOBAL_SCOPE="" + + $IP link show dev $interface >/dev/null 2>&1 && { + CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") + CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") + } || { + echo "# Interface $interface does not exist" + # Stop the script if we are not in test mode + test -z "$FWBDEBUG" && exit 1 + } + + diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add + diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del +} + +clear_addresses_except_known_interfaces() { + $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ + 'BEGIN { + split(IGNORED,ignored_arr); + for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} + } + (/state/ && !($2 in ignored_dict)) {print $2;}' | \ + while read intf; do + echo "# Removing 
addresses not configured in fwbuilder from interface $intf" + $FWBDEBUG $IP addr flush dev $intf scope global + $FWBDEBUG $IP link set $intf down + done +} + +check_file() { + test -r "$2" || { + echo "Can not find file $2 referenced by address table object $1" + exit 1 + } +} + +check_run_time_address_table_files() { + : + check_file "atbl.1" "addr-table-1.tbl" +check_file "block_these" "block-hosts.tbl" +} + +load_modules() { + : + OPTS=$1 + MODULES_DIR="/lib/modules/`uname -r`/" + MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/') + echo $OPTS | grep -q nat && { + MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" + } + echo $OPTS | grep -q ipv6 && { + MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')" + } + for module in $MODULES; do + if $LSMOD | grep ${module} >/dev/null; then continue; fi + insmod ${module} || exit 1 + done +} + +verify_interfaces() { + : + echo "Verifying interfaces: eth0 eth1" + for i in eth0 eth1 ; do + $IP link show "$i" > /dev/null 2>&1 || { + log "Interface $i does not exist" + exit 1 + } + done +} + +prolog_commands() { + echo "Running prolog script" + +} + +epilog_commands() { + echo "Running epilog script" + +} + +run_epilog_and_exit() { + epilog_commands + exit $1 +} + +configure_interfaces() { + : + # Configure interfaces + update_addresses_of_interface "eth0 1.1.1.1/24" "" + update_addresses_of_interface "eth1 2.2.2.2/24" "" +} + +script_body() { + # ================ IPv4 + + + # ================ Table 'filter', automatic rules + # accept established sessions + $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + + + # ================ Table 'nat', rule set NAT + # + # Rule 0 (NAT) + # + echo "Rule 0 (NAT)" + # + grep 
-Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -t nat -A POSTROUTING -o eth+ -s $at_atbl_1 -j SNAT --to-source 1.1.1.1 + done + # + # Rule 1 (NAT) + # + echo "Rule 1 (NAT)" + # + $IPTABLES -t nat -N Cid2101361X9995.0 + $IPTABLES -t nat -A POSTROUTING -o eth+ -j Cid2101361X9995.0 + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -t nat -A Cid2101361X9995.0 -s $at_atbl_1 -j RETURN + done + $IPTABLES -t nat -A Cid2101361X9995.0 -o eth+ -j SNAT --to-source 1.1.1.1 + # + # Rule 2 (NAT) + # + echo "Rule 2 (NAT)" + # + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -t nat -A PREROUTING -d $at_atbl_1 -j DNAT --to-destination 192.168.1.10 + done + + + + # ================ Table 'filter', rule set Policy + # + # Rule 0 (global) + # + echo "Rule 0 (global)" + # + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j ACCEPT + done + # + # Rule 1 (global) + # + echo "Rule 1 (global)" + # + $IPTABLES -N Cid4374297X29460.0 + $IPTABLES -A INPUT -s 1.1.1.1 -m state --state NEW -j Cid4374297X29460.0 + $IPTABLES -A INPUT -s 2.2.2.2 -m state --state NEW -j Cid4374297X29460.0 + $IPTABLES -A OUTPUT -s 1.1.1.1 -m state --state NEW -j Cid4374297X29460.0 + $IPTABLES -A OUTPUT -s 2.2.2.2 -m state --state NEW -j Cid4374297X29460.0 + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A Cid4374297X29460.0 -d $at_atbl_1 -j RETURN + done + $IPTABLES -A Cid4374297X29460.0 -j ACCEPT + # + # Rule 2 (global) + # + echo "Rule 2 (global)" + # + $IPTABLES -N Cid4374309X29460.0 + $IPTABLES -A OUTPUT -s 1.1.1.1 -m state --state NEW -j Cid4374309X29460.0 + $IPTABLES -A OUTPUT -s 2.2.2.2 -m state --state NEW -j Cid4374309X29460.0 + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A 
Cid4374309X29460.0 -d $at_atbl_1 -j RETURN + done + $IPTABLES -A Cid4374309X29460.0 -j ACCEPT + # + # Rule 3 (global) + # + echo "Rule 3 (global)" + # + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -m state --state NEW -j ACCEPT + done + grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do + set $L; at_block_these=$1; $IPTABLES -A OUTPUT -d $at_block_these -m state --state NEW -j ACCEPT + done + # + # Rule 4 (global) + # + echo "Rule 4 (global)" + # + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -m state --state NEW -j ACCEPT + done + # + # Rule 5 (global) + # + echo "Rule 5 (global)" + # + $IPTABLES -N Cid4374346X29460.0 + $IPTABLES -A OUTPUT -d 1.1.1.1 -m state --state NEW -j Cid4374346X29460.0 + $IPTABLES -A OUTPUT -d 2.2.2.2 -m state --state NEW -j Cid4374346X29460.0 + $IPTABLES -A INPUT -d 1.1.1.1 -m state --state NEW -j Cid4374346X29460.0 + $IPTABLES -A INPUT -d 2.2.2.2 -m state --state NEW -j Cid4374346X29460.0 + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A Cid4374346X29460.0 -s $at_atbl_1 -j RETURN + done + $IPTABLES -A Cid4374346X29460.0 -j ACCEPT + # + # Rule 6 (global) + # + echo "Rule 6 (global)" + # + $IPTABLES -N Cid4374358X29460.0 + $IPTABLES -A INPUT -d 1.1.1.1 -m state --state NEW -j Cid4374358X29460.0 + $IPTABLES -A INPUT -d 2.2.2.2 -m state --state NEW -j Cid4374358X29460.0 + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A Cid4374358X29460.0 -s $at_atbl_1 -j RETURN + done + $IPTABLES -A Cid4374358X29460.0 -j ACCEPT + # + # Rule 7 (global) + # + echo "Rule 7 (global)" + # + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -m state --state NEW -j ACCEPT + done + grep -Ev '^#|^;|^\s*$' block-hosts.tbl | while read L ; do + set $L; 
at_block_these=$1; $IPTABLES -A INPUT -s $at_block_these -m state --state NEW -j ACCEPT + done + # + # Rule 8 (global) + # + echo "Rule 8 (global)" + # + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A OUTPUT -d $at_atbl_1 -j DROP + done + grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do + set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -d $at_atbl_1 -j DROP + done +} + +ip_forward() { + : + echo 1 > /proc/sys/net/ipv4/ip_forward +} + +reset_all() { + : + reset_iptables_v4 +} + +stop_action() { + reset_all + $IPTABLES -P OUTPUT ACCEPT + $IPTABLES -P INPUT ACCEPT + $IPTABLES -P FORWARD ACCEPT +} + +check_iptables() { + IP_TABLES="$1" + [ ! -e $IP_TABLES ] && return 151 + NF_TABLES=$(cat $IP_TABLES 2>/dev/null) + [ -z "$NF_TABLES" ] && return 152 + return 0 +} +status_action() { + check_iptables "/proc/net/ip_tables_names" + ret_ipv4=$? + check_iptables "/proc/net/ip6_tables_names" + ret_ipv6=$? + [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 + [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { + echo "iptables modules are not loaded" + } + [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { + echo "Firewall is not configured" + } + exit 3 +} + +start() { + log "Activating firewall script generated Thu Feb 3 09:58:06 2011 by vadim" + check_tools + prolog_commands + check_run_time_address_table_files + + load_modules "nat " + configure_interfaces + verify_interfaces + + reset_all + + script_body + ip_forward + epilog_commands +} + +stop() { + stop_action +} + +status() { + status_action +} + +interfaces() { + configure_interfaces +} + +test_interfaces() { + FWBDEBUG="echo" + configure_interfaces +}