onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 09:47:20 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/ipt/firewall1.fw.orig
Vadim Kurland 15bab71f49 * NATCompiler_ipt.cpp (compile): see #2456 Added support for 
single object negation in "Inbound Interface" and "Outbound
Interface" columns in compiler for iptables.

* NATCompiler_pf.cpp (compile): see #2456 Added support for single
object negation in "Interface" rule element of PF NAT rules. Now
compiler can produce PF commands such as "nat on ! em0 ... " (for
PF <4.7) or "match on ! em0 ..." (for PF >= 4.7)

* Compiler.cpp (singleObjectNegation::processNext): moved rule
processor that processes single object negation in any rule
element to the base class Compiler.
2011-06-03 17:54:14 -07:00

1329 lines
48 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.0.3547
#
# Generated Fri Jun 3 17:27:08 2011 PDT by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
#
# Compiled for iptables (any version)
#
# this object is used to test all kinds of negation in policy and NAT rules.
# Assume firewall is part of any is ON
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
getaddr_internal() {
dev=$1
name=$2
af=$3
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
diff_intf() {
func=$1
list1=$2
list2=$3
cmd=$4
for intf in $list1
do
echo $list2 | grep -q $intf || {
# $vlan is absent in list 2
$func $intf $cmd
}
done
}
find_program() {
PGM=$1
command -v $PGM >/dev/null 2>&1 || {
echo "$PGM not found"
exit 1
}
}
check_tools() {
find_program $IPTABLES
find_program $IP
}
reset_iptables_v4() {
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
}
reset_iptables_v6() {
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
cat /proc/net/ip6_tables_names | while read table; do
$IP6TABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done
}
P2P_INTERFACE_WARNING=""
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
$IP addr show dev $interface | grep -q POINTOPOINT && {
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
P2P_INTERFACE_WARNING="yes"
return
}
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
echo $addr | grep -q ':' && {
$FWBDEBUG $IP addr $cmd $addr dev $interface
} || {
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
}
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
}
$FWBDEBUG $IP link set $interface up
}
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
$IP addr ls dev $interface | \
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IP link show dev $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
clear_addresses_except_known_interfaces() {
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
while read intf; do
echo "# Removing addresses not configured in fwbuilder from interface $intf"
$FWBDEBUG $IP addr flush dev $intf scope global
$FWBDEBUG $IP link set $intf down
done
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by address table object $1"
exit 1
}
}
check_run_time_address_table_files() {
:
}
load_modules() {
:
}
verify_interfaces() {
:
}
prolog_commands() {
echo "Running prolog script"
}
epilog_commands() {
echo "Running epilog script"
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
:
# Configure interfaces
update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.0/24" ""
update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.23/24" ""
update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.0/24" ""
update_addresses_of_interface "lo 127.0.0.1/8" ""
update_addresses_of_interface "eth3 22.22.23.23/24" ""
}
script_body() {
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# ================ IPv4
# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop packets that do not match any valid state and log them
$IPTABLES -N drop_invalid
$IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid
$IPTABLES -A INPUT -m state --state INVALID -j drop_invalid
$IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid
$IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
$IPTABLES -A drop_invalid -j DROP
# ================ Table 'nat', rule set NAT
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23
#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -s ! 192.168.1.0/24 -d 200.200.200.200 -j SNAT --to-source 22.22.22.23
#
# Rule 3 (NAT)
#
echo "Rule 3 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -s ! 192.168.1.0/24 -d 200.200.200.200 --dport 80 -j SNAT --to-source 22.22.22.23
#
# Rule 4 (NAT)
#
echo "Rule 4 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1
#
# Rule 5 (NAT)
#
echo "Rule 5 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23
#
# Rule 6 (NAT)
#
echo "Rule 6 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 22.22.23.23
#
# Rule 7 (NAT)
#
echo "Rule 7 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.2.0/24 --dport 80 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.2.0/24 --dport 80 -j SNAT --to-source 22.22.23.23
#
# Rule 8 (NAT)
#
echo "Rule 8 (NAT)"
#
$IPTABLES -t nat -N Cid3CCA1B57.0
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid3CCA1B57.0
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j Cid3CCA1B57.0
$IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j Cid3CCA1B57.0
$IPTABLES -t nat -A Cid3CCA1B57.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3CCA1B57.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 192.168.2.1
#
# Rule 9 (NAT)
#
echo "Rule 9 (NAT)"
#
$IPTABLES -t nat -N Cid3EB38983.0
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid3EB38983.0
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j Cid3EB38983.0
$IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j Cid3EB38983.0
$IPTABLES -t nat -A Cid3EB38983.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38983.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 192.168.2.1
#
# Rule 10 (NAT)
#
echo "Rule 10 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s ! 192.168.2.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s ! 192.168.2.0/24 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A POSTROUTING -o eth0 -s ! 192.168.2.0/24 -j SNAT --to-source 192.168.1.1
#
# Rule 11 (NAT)
#
echo "Rule 11 (NAT)"
#
$IPTABLES -t nat -N Cid3BD8D94B.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j Cid3BD8D94B.0
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 22.22.22.22 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 22.22.23.23 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 192.168.1.1 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 192.168.2.1 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 12 (NAT)
#
echo "Rule 12 (NAT)"
#
$IPTABLES -t nat -N Cid3BD8D9DD.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j Cid3BD8D9DD.0
$IPTABLES -t nat -A Cid3BD8D9DD.0 -d 192.168.1.1 -j RETURN
$IPTABLES -t nat -A Cid3BD8D9DD.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 13 (NAT)
#
echo "Rule 13 (NAT)"
#
$IPTABLES -t nat -N Cid3BBC0EA4.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.10 --dport 80 -j Cid3BBC0EA4.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.20 --dport 80 -j Cid3BBC0EA4.0
$IPTABLES -t nat -A Cid3BBC0EA4.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3BBC0EA4.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3BBC0EA4.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 14 (NAT)
#
echo "Rule 14 (NAT)"
#
$IPTABLES -t nat -N Cid3BBC0F93.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.0/24 --dport 80 -j Cid3BBC0F93.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.0/24 --dport 80 -j Cid3BBC0F93.0
$IPTABLES -t nat -A Cid3BBC0F93.0 -s 192.168.1.10 -j RETURN
$IPTABLES -t nat -A Cid3BBC0F93.0 -s 192.168.1.20 -j RETURN
$IPTABLES -t nat -A Cid3BBC0F93.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 15 (NAT)
#
echo "Rule 15 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 16 (NAT)
#
echo "Rule 16 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 5000 -d 22.22.22.23 --dport 5000:5010 -j DNAT --to-destination 192.168.1.10
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 9000 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 6667,3128 -j DNAT --to-destination 192.168.1.10
#
# Rule 17 (NAT)
#
echo "Rule 17 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.0/24 --dport 80 -j DNAT --to-destination :3128
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.0/24 --dport 80 -j DNAT --to-destination :3128
#
# Rule 18 (NAT)
#
echo "Rule 18 (NAT)"
#
$IPTABLES -t nat -N Cid3EB38A91.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid3EB38A91.0
$IPTABLES -t nat -A Cid3EB38A91.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38A91.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38A91.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination :3128
# ================ Table 'filter', rule set GOOD_GUYS
#
# Rule GOOD_GUYS 0 (global)
#
echo "Rule GOOD_GUYS 0 (global)"
#
$IPTABLES -N GOOD_GUYS
$IPTABLES -N Cid40710X74808.0
$IPTABLES -A GOOD_GUYS -j Cid40710X74808.0
$IPTABLES -A Cid40710X74808.0 -s 1.1.1.0/24 -j RETURN
$IPTABLES -A Cid40710X74808.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -N GOOD_GUYS_0_3
$IPTABLES -A Cid40710X74808.0 -j GOOD_GUYS_0_3
$IPTABLES -A GOOD_GUYS_0_3 -j LOG --log-level debug
$IPTABLES -A GOOD_GUYS_0_3 -j DROP
# ================ Table 'filter', rule set Policy
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
$IPTABLES -N Cid3C5987DC.1
$IPTABLES -A INPUT -i eth0 -s 22.22.22.22 -j Cid3C5987DC.1
$IPTABLES -N Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.1 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.1 -p 50 -j Cid3C5987DC.0
$IPTABLES -N Cid3C5987DC.2
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j Cid3C5987DC.2
$IPTABLES -A Cid3C5987DC.2 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.2 -p 50 -j Cid3C5987DC.0
$IPTABLES -N Cid3C5987DC.3
$IPTABLES -A FORWARD -i eth0 -s 22.22.22.22 -j Cid3C5987DC.3
$IPTABLES -A Cid3C5987DC.3 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.3 -p 50 -j Cid3C5987DC.0
$IPTABLES -N Cid3C5987DC.4
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j Cid3C5987DC.4
$IPTABLES -A Cid3C5987DC.4 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.4 -p 50 -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3C5987DC.0 -d 192.168.1.1 -j RETURN
$IPTABLES -N In_RULE_0_3
$IPTABLES -A Cid3C5987DC.0 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name htable_rule_0 -j In_RULE_0_3
$IPTABLES -A In_RULE_0_3 -j LOG --log-level debug
$IPTABLES -A In_RULE_0_3 -j DROP
$IPTABLES -N Cid3C5987DC.6
$IPTABLES -A OUTPUT -o eth0 -s 22.22.22.22 -j Cid3C5987DC.6
$IPTABLES -N Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.6 -p icmp -j Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.6 -p 50 -j Cid3C5987DC.5
$IPTABLES -N Cid3C5987DC.7
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.1 -j Cid3C5987DC.7
$IPTABLES -A Cid3C5987DC.7 -p icmp -j Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.7 -p 50 -j Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.5 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3C5987DC.5 -d 192.168.1.1 -j RETURN
$IPTABLES -N Out_RULE_0_3
$IPTABLES -A Cid3C5987DC.5 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name htable_rule_0 -j Out_RULE_0_3
$IPTABLES -A Out_RULE_0_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_0_3 -j DROP
#
# Rule 1 (eth0)
#
echo "Rule 1 (eth0)"
#
$IPTABLES -N Cid3CD34BEF.1
$IPTABLES -A INPUT -i eth0 -p icmp -j Cid3CD34BEF.1
$IPTABLES -A INPUT -i eth0 -p 50 -j Cid3CD34BEF.1
$IPTABLES -N Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.1 -s 192.168.1.10 -j Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.1 -s 192.168.1.20 -j Cid3CD34BEF.0
$IPTABLES -N Cid3CD34BEF.2
$IPTABLES -A FORWARD -i eth0 -p icmp -j Cid3CD34BEF.2
$IPTABLES -A FORWARD -i eth0 -p 50 -j Cid3CD34BEF.2
$IPTABLES -A Cid3CD34BEF.2 -s 192.168.1.10 -j Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.2 -s 192.168.1.20 -j Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3CD34BEF.0 -d 192.168.1.20 -j RETURN
$IPTABLES -A Cid3CD34BEF.0 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode dstip,dstport --hashlimit-name htable_rule_1 -j DROP
$IPTABLES -N Cid3CD34BEF.4
$IPTABLES -A FORWARD -o eth0 -p icmp -j Cid3CD34BEF.4
$IPTABLES -A FORWARD -o eth0 -p 50 -j Cid3CD34BEF.4
$IPTABLES -N Cid3CD34BEF.3
$IPTABLES -A Cid3CD34BEF.4 -s 192.168.1.10 -j Cid3CD34BEF.3
$IPTABLES -A Cid3CD34BEF.4 -s 192.168.1.20 -j Cid3CD34BEF.3
$IPTABLES -A Cid3CD34BEF.3 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3CD34BEF.3 -d 192.168.1.20 -j RETURN
$IPTABLES -A Cid3CD34BEF.3 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode dstip,dstport --hashlimit-name htable_rule_1 -j DROP
#
# Rule 2 (eth1)
#
echo "Rule 2 (eth1)"
#
# Anti-spoofing rule
$IPTABLES -N In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 22.22.23.23 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_2
$IPTABLES -A In_RULE_2 -j LOG --log-level debug
$IPTABLES -A In_RULE_2 -j DROP
#
# Rule 3 (eth1)
#
echo "Rule 3 (eth1)"
#
# Anti-spoofing rule
$IPTABLES -N Out_RULE_3
$IPTABLES -A OUTPUT -o eth1 -s ! 192.168.1.0/24 -j Out_RULE_3
$IPTABLES -A FORWARD -o eth1 -s ! 192.168.1.0/24 -j Out_RULE_3
$IPTABLES -A Out_RULE_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_3 -j DROP
#
# Rule 4 (eth1)
#
echo "Rule 4 (eth1)"
#
# Anti-spoofing rule
$IPTABLES -N Cid40DBCD36.0
$IPTABLES -A OUTPUT -o eth1 -j Cid40DBCD36.0
$IPTABLES -A Cid40DBCD36.0 -s 22.22.22.22 -j RETURN
$IPTABLES -A Cid40DBCD36.0 -s 22.22.23.23 -j RETURN
$IPTABLES -A Cid40DBCD36.0 -s 192.168.1.1 -j RETURN
$IPTABLES -A Cid40DBCD36.0 -s 192.168.2.1 -j RETURN
$IPTABLES -N Out_RULE_4_3
$IPTABLES -A Cid40DBCD36.0 -j Out_RULE_4_3
$IPTABLES -A Out_RULE_4_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_4_3 -j DROP
$IPTABLES -N Cid40DBCD36.1
$IPTABLES -A FORWARD -o eth1 -j Cid40DBCD36.1
$IPTABLES -A Cid40DBCD36.1 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid40DBCD36.1 -j Out_RULE_4_3
#
# Rule 5 (eth2)
#
echo "Rule 5 (eth2)"
#
$IPTABLES -A INPUT -i eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
#
# Rule 6 (eth2)
#
echo "Rule 6 (eth2)"
#
$IPTABLES -N In_RULE_6
$IPTABLES -A INPUT -i ! eth2 -s 192.168.2.0/24 -j In_RULE_6
$IPTABLES -A FORWARD -i ! eth2 -s 192.168.2.0/24 -j In_RULE_6
$IPTABLES -A In_RULE_6 -j LOG --log-level debug
$IPTABLES -A In_RULE_6 -j DROP
#
# Rule 7 (eth1,eth3)
#
echo "Rule 7 (eth1,eth3)"
#
$IPTABLES -N In_RULE_7
$IPTABLES -A INPUT -i eth0 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A INPUT -i eth0 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A INPUT -i eth2 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A INPUT -i eth2 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A FORWARD -i eth0 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A FORWARD -i eth0 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A FORWARD -i eth2 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A FORWARD -i eth2 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A In_RULE_7 -j LOG --log-level debug
$IPTABLES -A In_RULE_7 -j DROP
#
# Rule 8 (lo)
#
echo "Rule 8 (lo)"
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 9 (eth0,eth2)
#
echo "Rule 9 (eth0,eth2)"
#
$IPTABLES -N Cid433D045026912.0
$IPTABLES -A INPUT -i eth0 -j Cid433D045026912.0
$IPTABLES -A INPUT -i eth2 -j Cid433D045026912.0
$IPTABLES -A FORWARD -i eth0 -j Cid433D045026912.0
$IPTABLES -A FORWARD -i eth2 -j Cid433D045026912.0
$IPTABLES -A Cid433D045026912.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid433D045026912.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N In_RULE_9_3
$IPTABLES -A Cid433D045026912.0 -j In_RULE_9_3
$IPTABLES -A In_RULE_9_3 -j LOG --log-level debug
$IPTABLES -A In_RULE_9_3 -j DROP
#
# Rule 10 (eth1,eth3)
#
echo "Rule 10 (eth1,eth3)"
#
$IPTABLES -N Cid434D389E26912.0
$IPTABLES -A INPUT -i eth1 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A INPUT -i eth3 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A FORWARD -i eth1 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A FORWARD -i eth3 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A Cid434D389E26912.0 -s 22.22.23.128/25 -j RETURN
$IPTABLES -A Cid434D389E26912.0 -s 33.33.33.0/24 -j RETURN
$IPTABLES -A Cid434D389E26912.0 -j ACCEPT
#
# Rule 11 (global)
#
echo "Rule 11 (global)"
#
$IPTABLES -N RULE_11
$IPTABLES -A RULE_11 -j RETURN
$IPTABLES -A OUTPUT -j RULE_11
$IPTABLES -A INPUT -j RULE_11
$IPTABLES -A FORWARD -j RULE_11
#
# Rule 12 (global)
#
echo "Rule 12 (global)"
#
$IPTABLES -N RULE_12
$IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12
$IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12
$IPTABLES -A RULE_12 -j LOG --log-level debug
$IPTABLES -A RULE_12 -j DROP
#
# Rule 13 (global)
#
echo "Rule 13 (global)"
#
$IPTABLES -N Cid3B9AB902.0
$IPTABLES -A OUTPUT -j Cid3B9AB902.0
$IPTABLES -A INPUT -j Cid3B9AB902.0
$IPTABLES -A FORWARD -j Cid3B9AB902.0
$IPTABLES -A Cid3B9AB902.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
$IPTABLES -N RULE_13_3
$IPTABLES -A Cid3B9AB902.0 -j RULE_13_3
$IPTABLES -A RULE_13_3 -j LOG --log-level debug
$IPTABLES -A RULE_13_3 -j DROP
#
# Rule 14 (global)
#
echo "Rule 14 (global)"
#
# hostF has the same IP address as firewal.
$IPTABLES -N RULE_14
$IPTABLES -A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_14
$IPTABLES -A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_14
$IPTABLES -A RULE_14 -j LOG --log-level debug
$IPTABLES -A RULE_14 -j ACCEPT
#
# Rule 15 (global)
#
echo "Rule 15 (global)"
#
$IPTABLES -N Cid434B03D526912.0
$IPTABLES -A OUTPUT -m state --state NEW -j Cid434B03D526912.0
$IPTABLES -A INPUT -m state --state NEW -j Cid434B03D526912.0
$IPTABLES -A FORWARD -m state --state NEW -j Cid434B03D526912.0
$IPTABLES -A Cid434B03D526912.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid434B03D526912.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid434B03D526912.0 -j ACCEPT
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
#
# testing negation in the policy rule
$IPTABLES -N Cid3B021E10.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0
$IPTABLES -A Cid3B021E10.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid3B021E10.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_16_3
$IPTABLES -A Cid3B021E10.0 -m limit --limit 10/minute -j RULE_16_3
$IPTABLES -A RULE_16_3 -j LOG --log-level debug
$IPTABLES -A RULE_16_3 -j DROP
#
# Rule 17 (global)
#
echo "Rule 17 (global)"
#
# testing negation in the policy rule
$IPTABLES -N Cid40C0D096.0
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0
$IPTABLES -A Cid40C0D096.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid40C0D096.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_17_3
$IPTABLES -A Cid40C0D096.0 -m limit --limit 10/minute -j RULE_17_3
$IPTABLES -A RULE_17_3 -j LOG --log-level debug
$IPTABLES -A RULE_17_3 -j RETURN
#
# Rule 18 (global)
#
echo "Rule 18 (global)"
#
# testing negation in the policy rule
$IPTABLES -N Cid40C0D10A.0
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0
$IPTABLES -A Cid40C0D10A.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid40C0D10A.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_18_3
$IPTABLES -A Cid40C0D10A.0 -m limit --limit 10/minute -j RULE_18_3
$IPTABLES -A RULE_18_3 -j LOG --log-level debug
$IPTABLES -A RULE_18_3 -j ACCEPT
#
# Rule 19 (global)
#
echo "Rule 19 (global)"
#
$IPTABLES -N Cid3B0B4A13.1
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0B4A13.1
$IPTABLES -N Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 22.22.22.22 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 22.22.23.23 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 192.168.1.1 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 192.168.2.1 -j Cid3B0B4A13.0
$IPTABLES -N Cid3B0B4A13.2
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0B4A13.2
$IPTABLES -A Cid3B0B4A13.2 -d 22.22.22.22 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.2 -d 22.22.23.23 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.2 -d 192.168.1.1 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.2 -d 192.168.2.1 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid3B0B4A13.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_19_3
$IPTABLES -A Cid3B0B4A13.0 -j RULE_19_3
$IPTABLES -A RULE_19_3 -j LOG --log-level debug
$IPTABLES -A RULE_19_3 -j DROP
#
# Rule 20 (global)
#
echo "Rule 20 (global)"
#
$IPTABLES -N Cid3B5535B7.0
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -j Cid3B5535B7.0
$IPTABLES -A Cid3B5535B7.0 -s 22.22.22.22 -j RETURN
$IPTABLES -A Cid3B5535B7.0 -s 22.22.23.23 -j RETURN
$IPTABLES -A Cid3B5535B7.0 -s 192.168.1.1 -j RETURN
$IPTABLES -A Cid3B5535B7.0 -s 192.168.2.1 -j RETURN
$IPTABLES -N Out_RULE_20_3
$IPTABLES -A Cid3B5535B7.0 -j Out_RULE_20_3
$IPTABLES -A Out_RULE_20_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_20_3 -j DROP
$IPTABLES -N Cid3B5535B7.1
$IPTABLES -A INPUT -d 192.168.1.0/24 -j Cid3B5535B7.1
$IPTABLES -A FORWARD -d 192.168.1.0/24 -j Cid3B5535B7.1
$IPTABLES -A Cid3B5535B7.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_20_3
$IPTABLES -A Cid3B5535B7.1 -j RULE_20_3
$IPTABLES -A RULE_20_3 -j LOG --log-level debug
$IPTABLES -A RULE_20_3 -j DROP
#
# Rule 21 (global)
#
echo "Rule 21 (global)"
#
$IPTABLES -N Cid40F1D905.0
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -j Cid40F1D905.0
$IPTABLES -A Cid40F1D905.0 -s 192.168.1.1 -j RETURN
$IPTABLES -N Out_RULE_21_3
$IPTABLES -A Cid40F1D905.0 -j Out_RULE_21_3
$IPTABLES -A Out_RULE_21_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_21_3 -j DROP
$IPTABLES -N Cid40F1D905.1
$IPTABLES -A INPUT -d 192.168.1.0/24 -j Cid40F1D905.1
$IPTABLES -A FORWARD -d 192.168.1.0/24 -j Cid40F1D905.1
$IPTABLES -A Cid40F1D905.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_21_3
$IPTABLES -A Cid40F1D905.1 -j RULE_21_3
$IPTABLES -A RULE_21_3 -j LOG --log-level debug
$IPTABLES -A RULE_21_3 -j DROP
#
# Rule 22 (global)
#
echo "Rule 22 (global)"
#
$IPTABLES -N Cid3E74DF71.0
$IPTABLES -A INPUT -s 222.222.222.40 -j Cid3E74DF71.0
$IPTABLES -A INPUT -s 222.222.222.41 -j Cid3E74DF71.0
$IPTABLES -A FORWARD -s 222.222.222.40 -j Cid3E74DF71.0
$IPTABLES -A FORWARD -s 222.222.222.41 -j Cid3E74DF71.0
$IPTABLES -A Cid3E74DF71.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3E74DF71.0 -d 192.168.1.20 -j RETURN
$IPTABLES -N RULE_22_3
$IPTABLES -A Cid3E74DF71.0 -j RULE_22_3
$IPTABLES -A RULE_22_3 -j LOG --log-level debug
$IPTABLES -A RULE_22_3 -j DROP
#
# Rule 23 (global)
#
echo "Rule 23 (global)"
#
$IPTABLES -N Cid3B11F63D.0
$IPTABLES -A INPUT -s 192.168.1.0/24 -j Cid3B11F63D.0
$IPTABLES -A INPUT -s 192.168.2.0/24 -j Cid3B11F63D.0
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -j Cid3B11F63D.0
$IPTABLES -A OUTPUT -s 192.168.2.0/24 -j Cid3B11F63D.0
$IPTABLES -A FORWARD -s 192.168.1.0/24 -j Cid3B11F63D.0
$IPTABLES -A FORWARD -s 192.168.2.0/24 -j Cid3B11F63D.0
$IPTABLES -A Cid3B11F63D.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3B11F63D.0 -d 192.168.1.20 -j RETURN
$IPTABLES -N RULE_23_3
$IPTABLES -A Cid3B11F63D.0 -j RULE_23_3
$IPTABLES -A RULE_23_3 -j LOG --log-level debug
$IPTABLES -A RULE_23_3 -j DROP
#
# Rule 24 (global)
#
echo "Rule 24 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3B021E6F.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -j Cid3B021E6F.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -j Cid3B021E6F.0
$IPTABLES -A FORWARD -d 192.168.1.10 -j Cid3B021E6F.0
$IPTABLES -A FORWARD -d 192.168.1.20 -j Cid3B021E6F.0
$IPTABLES -A Cid3B021E6F.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN
$IPTABLES -N RULE_24_3
$IPTABLES -A Cid3B021E6F.0 -j RULE_24_3
$IPTABLES -A RULE_24_3 -j LOG --log-level debug
$IPTABLES -A RULE_24_3 -j DROP
#
# Rule 25 (global)
#
echo "Rule 25 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3CCA2CF4.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A Cid3CCA2CF4.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN
$IPTABLES -N RULE_25_3
$IPTABLES -A Cid3CCA2CF4.0 -j RULE_25_3
$IPTABLES -A RULE_25_3 -j LOG --log-level debug
$IPTABLES -A RULE_25_3 -j ACCEPT
#
# Rule 26 (global)
#
echo "Rule 26 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3EA925F1.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A Cid3EA925F1.0 -p tcp -m tcp --dport 25 -j RETURN
$IPTABLES -N RULE_26_3
$IPTABLES -A Cid3EA925F1.0 -j RULE_26_3
$IPTABLES -A RULE_26_3 -j LOG --log-level debug
$IPTABLES -A RULE_26_3 -j ACCEPT
#
# Rule 27 (global)
#
echo "Rule 27 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3EA9225C.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A Cid3EA9225C.0 -p icmp -m icmp --icmp-type any -j RETURN
$IPTABLES -N RULE_27_3
$IPTABLES -A Cid3EA9225C.0 -j RULE_27_3
$IPTABLES -A RULE_27_3 -j LOG --log-level debug
$IPTABLES -A RULE_27_3 -j ACCEPT
#
# Rule 28 (global)
#
echo "Rule 28 (global)"
#
# testing negation in service field
$IPTABLES -N Cid4144E299.1
$IPTABLES -A OUTPUT -m state --state NEW -j Cid4144E299.1
$IPTABLES -A INPUT -m state --state NEW -j Cid4144E299.1
$IPTABLES -A FORWARD -m state --state NEW -j Cid4144E299.1
$IPTABLES -A Cid4144E299.1 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid4144E299.1 -d 192.168.1.20 -j RETURN
$IPTABLES -N Cid4144E299.0
$IPTABLES -A Cid4144E299.1 -j Cid4144E299.0
$IPTABLES -A Cid4144E299.0 -p icmp -m icmp --icmp-type any -j RETURN
$IPTABLES -A Cid4144E299.0 -j ACCEPT
#
# Rule 29 (global)
#
echo "Rule 29 (global)"
#
# testing negation in service field
$IPTABLES -N Cid41449248.1
$IPTABLES -A OUTPUT -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j Cid41449248.1
$IPTABLES -N Cid41449248.0
$IPTABLES -A Cid41449248.1 -d 192.168.1.10 -j Cid41449248.0
$IPTABLES -A Cid41449248.1 -d 192.168.1.20 -j Cid41449248.0
$IPTABLES -N Cid41449248.2
$IPTABLES -A FORWARD -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j Cid41449248.2
$IPTABLES -A Cid41449248.2 -d 192.168.1.10 -j Cid41449248.0
$IPTABLES -A Cid41449248.2 -d 192.168.1.20 -j Cid41449248.0
$IPTABLES -A Cid41449248.0 -p tcp -m tcp --dport 80 -j RETURN
$IPTABLES -A Cid41449248.0 -j ACCEPT
#
# Rule 30 (global)
#
echo "Rule 30 (global)"
#
# testing negation in service field
$IPTABLES -N Cid414532F3.1
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1
$IPTABLES -A Cid414532F3.1 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN
$IPTABLES -N Cid414532F3.0
$IPTABLES -A Cid414532F3.1 -j Cid414532F3.0
$IPTABLES -A Cid414532F3.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid414532F3.0 -d 192.168.1.20 -j RETURN
$IPTABLES -A Cid414532F3.0 -j ACCEPT
#
# Rule 31 (global)
#
echo "Rule 31 (global)"
#
# testing negation in service field
$IPTABLES -N Cid41449257.1
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid41449257.1
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid41449257.1
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid41449257.1
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid41449257.1
$IPTABLES -A Cid41449257.1 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN
$IPTABLES -N Cid41449257.0
$IPTABLES -A Cid41449257.1 -j Cid41449257.0
$IPTABLES -A Cid41449257.0 -p tcp -m tcp --dport 80 -j RETURN
$IPTABLES -A Cid41449257.0 -j ACCEPT
#
# Rule 32 (global)
#
echo "Rule 32 (global)"
#
$IPTABLES -N Cid4368F08A15884.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid4368F08A15884.1
$IPTABLES -N Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 22.22.22.22 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 22.22.23.23 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 192.168.1.1 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 192.168.2.1 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -d 22.22.23.23 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -d 192.168.1.1 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -d 192.168.2.1 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -j ACCEPT
$IPTABLES -N Cid4368F08A15884.2
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid4368F08A15884.2
$IPTABLES -A Cid4368F08A15884.2 -s 22.22.22.22 -j ACCEPT
$IPTABLES -A Cid4368F08A15884.2 -s 22.22.23.23 -j ACCEPT
$IPTABLES -A Cid4368F08A15884.2 -s 192.168.1.1 -j ACCEPT
$IPTABLES -A Cid4368F08A15884.2 -s 192.168.2.1 -j ACCEPT
#
# Rule 33 (global)
#
echo "Rule 33 (global)"
#
$IPTABLES -N Cid3E74D8BB.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E74D8BB.1
$IPTABLES -N Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 22.22.22.22 -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 22.22.23.23 -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 192.168.1.1 -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 192.168.2.1 -j Cid3E74D8BB.0
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -d 22.22.23.23 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -d 192.168.1.1 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -d 192.168.2.1 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -j ACCEPT
$IPTABLES -N Cid3E74D8BB.3
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E74D8BB.3
$IPTABLES -N Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 22.22.22.22 -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 22.22.23.23 -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 192.168.1.1 -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 192.168.2.1 -j Cid3E74D8BB.2
$IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.2
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.2 -d 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid3E74D8BB.2 -j ACCEPT
#
# Rule 34 (global)
#
echo "Rule 34 (global)"
#
$IPTABLES -N Cid3B45739A.1
$IPTABLES -A INPUT -s 22.22.22.22 -j Cid3B45739A.1
$IPTABLES -N Cid3B45739A.0
$IPTABLES -A Cid3B45739A.1 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.1 -p 50 -j Cid3B45739A.0
$IPTABLES -N Cid3B45739A.2
$IPTABLES -A INPUT -s 192.168.1.1 -j Cid3B45739A.2
$IPTABLES -A Cid3B45739A.2 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.2 -p 50 -j Cid3B45739A.0
$IPTABLES -N Cid3B45739A.3
$IPTABLES -A OUTPUT -s 22.22.22.22 -j Cid3B45739A.3
$IPTABLES -A Cid3B45739A.3 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.3 -p 50 -j Cid3B45739A.0
$IPTABLES -N Cid3B45739A.4
$IPTABLES -A OUTPUT -s 192.168.1.1 -j Cid3B45739A.4
$IPTABLES -A Cid3B45739A.4 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.4 -p 50 -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3B45739A.0 -d 192.168.1.1 -j RETURN
$IPTABLES -N RULE_34_3
$IPTABLES -A Cid3B45739A.0 -j RULE_34_3
$IPTABLES -A RULE_34_3 -j LOG --log-level debug
$IPTABLES -A RULE_34_3 -j DROP
#
# Rule 35 (global)
#
echo "Rule 35 (global)"
#
# double negation rule
$IPTABLES -N Cid4067B2C2.1
$IPTABLES -A OUTPUT -j Cid4067B2C2.1
$IPTABLES -A INPUT -j Cid4067B2C2.1
$IPTABLES -A FORWARD -j Cid4067B2C2.1
$IPTABLES -A Cid4067B2C2.1 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid4067B2C2.1 -d 192.168.1.20 -j RETURN
$IPTABLES -N Cid4067B2C2.0
$IPTABLES -A Cid4067B2C2.1 -j Cid4067B2C2.0
$IPTABLES -A Cid4067B2C2.0 -p tcp -m tcp -m multiport --dports 3128,8080 -j RETURN
$IPTABLES -N RULE_35_3
$IPTABLES -A Cid4067B2C2.0 -j RULE_35_3
$IPTABLES -A RULE_35_3 -j LOG --log-level debug
$IPTABLES -A RULE_35_3 -j DROP
#
# Rule 36 (global)
#
echo "Rule 36 (global)"
#
$IPTABLES -N Cid41A88DF6.0
$IPTABLES -A INPUT -m state --state NEW -j Cid41A88DF6.0
$IPTABLES -A Cid41A88DF6.0 -d 192.168.1.1 -j RETURN
$IPTABLES -A Cid41A88DF6.0 -d 192.168.2.1 -j RETURN
$IPTABLES -A Cid41A88DF6.0 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
#
# Rule 37 (global)
#
echo "Rule 37 (global)"
#
$IPTABLES -N Cid41B5176E.0
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -m state --state NEW -j Cid41B5176E.0
$IPTABLES -A Cid41B5176E.0 -s 192.168.1.1 -j RETURN
$IPTABLES -A Cid41B5176E.0 -s 192.168.2.1 -j RETURN
$IPTABLES -A Cid41B5176E.0 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 38 (global)
#
echo "Rule 38 (global)"
#
$IPTABLES -N Cid4143BD3F.0
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0
$IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0
$IPTABLES -A Cid4143BD3F.0 -m time --timestart 00:00 --timestop 23:59 --days Sat -j RETURN
$IPTABLES -A Cid4143BD3F.0 -m time --timestart 00:00 --timestop 23:59 --days Sun -j RETURN
$IPTABLES -A Cid4143BD3F.0 -j ACCEPT
#
# Rule 39 (global)
#
echo "Rule 39 (global)"
#
$IPTABLES -N Cid4143BD1A.0
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0
$IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0
$IPTABLES -A Cid4143BD1A.0 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN
$IPTABLES -A Cid4143BD1A.0 -j ACCEPT
#
# Rule 40 (global)
#
echo "Rule 40 (global)"
#
$IPTABLES -N Cid1515316X29460.0
$IPTABLES -A INPUT -p tcp -m tcp -d ! 192.168.1.0/24 --dport 80 -j Cid1515316X29460.0
$IPTABLES -A Cid1515316X29460.0 -s 22.22.22.22 -j DROP
$IPTABLES -A Cid1515316X29460.0 -s 22.22.23.23 -j DROP
$IPTABLES -A Cid1515316X29460.0 -s 192.168.1.1 -j DROP
$IPTABLES -A Cid1515316X29460.0 -s 192.168.2.1 -j DROP
$IPTABLES -N Cid1515316X29460.1
$IPTABLES -A OUTPUT -p tcp -m tcp -d ! 192.168.1.0/24 --dport 80 -j Cid1515316X29460.1
$IPTABLES -A Cid1515316X29460.1 -s 22.22.22.22 -j DROP
$IPTABLES -A Cid1515316X29460.1 -s 22.22.23.23 -j DROP
$IPTABLES -A Cid1515316X29460.1 -s 192.168.1.1 -j DROP
$IPTABLES -A Cid1515316X29460.1 -s 192.168.2.1 -j DROP
#
# Rule 41 (global)
#
echo "Rule 41 (global)"
#
$IPTABLES -N Cid1515397X29460.0
$IPTABLES -A OUTPUT -p tcp -m tcp -s ! 192.168.1.0/24 --dport 80 -j Cid1515397X29460.0
$IPTABLES -A Cid1515397X29460.0 -d 22.22.22.22 -j DROP
$IPTABLES -A Cid1515397X29460.0 -d 22.22.23.23 -j DROP
$IPTABLES -A Cid1515397X29460.0 -d 192.168.1.1 -j DROP
$IPTABLES -A Cid1515397X29460.0 -d 192.168.2.1 -j DROP
$IPTABLES -N Cid1515397X29460.1
$IPTABLES -A INPUT -p tcp -m tcp -s ! 192.168.1.0/24 --dport 80 -j Cid1515397X29460.1
$IPTABLES -A Cid1515397X29460.1 -d 22.22.22.22 -j DROP
$IPTABLES -A Cid1515397X29460.1 -d 22.22.23.23 -j DROP
$IPTABLES -A Cid1515397X29460.1 -d 192.168.1.1 -j DROP
$IPTABLES -A Cid1515397X29460.1 -d 192.168.2.1 -j DROP
}
ip_forward() {
:
}
reset_all() {
:
reset_iptables_v4
}
block_action() {
reset_all
}
stop_action() {
reset_all
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}
check_iptables() {
IP_TABLES="$1"
[ ! -e $IP_TABLES ] && return 151
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
[ -z "$NF_TABLES" ] && return 152
return 0
}
status_action() {
check_iptables "/proc/net/ip_tables_names"
ret_ipv4=$?
check_iptables "/proc/net/ip6_tables_names"
ret_ipv6=$?
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
echo "iptables modules are not loaded"
}
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
echo "Firewall is not configured"
}
exit 3
}
# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
cmd="start"
}
case "$cmd" in
start)
log "Activating firewall script generated Fri Jun 3 17:27:08 2011 by vadim"
check_tools
check_run_time_address_table_files
load_modules "nat "
configure_interfaces
verify_interfaces
prolog_commands
reset_all
script_body
ip_forward
epilog_commands
RETVAL=$?
;;
stop)
stop_action
RETVAL=$?
;;
status)
status_action
RETVAL=$?
;;
block)
block_action
RETVAL=$?
;;
reload)
$0 stop
$0 start
RETVAL=$?
;;
interfaces)
configure_interfaces
RETVAL=$?
;;
test_interfaces)
FWBDEBUG="echo"
configure_interfaces
RETVAL=$?
;;
*)
echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
;;
esac
exit $RETVAL
Reference in New Issue View Git Blame Copy Permalink