fixed bug (no number) introduced when I was working on #2667. Setting broadcast address in the network object with netmask /31 to 255.255.255.255 broke rule shadowing algorithm.
#!/bin/sh
|
|
#
# This is an automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.1.3585
#
# Generated Wed Nov 16 10:13:40 2011 PST by vadim
#
# files: * rc.firewall.local /etc/rc.d//rc.firewall.local
#
# Compiled for iptables (any version)
#
# Endian firewall appliance, 2 interfaces:
# br0 is GREEN
# eth1 is RED
# Do not forget to change IP addresses to
# match your firewall.
|
|
|
|
|
|
|
|
# Search the system tool directories before anything inherited from the
# caller's environment, and hand the result down to child processes.
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
|
|
|
|
|
|
|
|
# Absolute paths of the external tools used by this script, so the
# commands it runs do not depend on the caller's PATH.

# kernel module handling
LSMOD=/sbin/lsmod
MODPROBE=/sbin/modprobe

# netfilter front-ends
IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
IPTABLES_RESTORE=/sbin/iptables-restore
IP6TABLES_RESTORE=/sbin/ip6tables-restore
IPSET=/usr/sbin/ipset

# interface configuration
IP=/sbin/ip
IFCONFIG=/sbin/ifconfig
VCONFIG=/sbin/vconfig
BRCTL=/sbin/brctl
IFENSLAVE=/sbin/ifenslave

# syslog helper used by log()
LOGGER=/usr/bin/logger
|
|
|
|
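# Prints a message to stdout and, when the logger(1) binary is usable,
# also sends it to syslog at priority "info".
# Globals:   LOGGER (read)
# Arguments: $1 - message text
# Returns:   non-zero when logger is unavailable (status of the && list)
log() {
  # printf instead of echo: a message such as "-n" must be printed, not
  # interpreted as an option.
  printf '%s\n' "$1"
  # command -v is the POSIX replacement for which(1); the syslog copy is
  # best-effort, a missing logger never aborts the script.
  command -v "$LOGGER" >/dev/null 2>&1 && "$LOGGER" -p info "$1"
}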
|
|
|
|
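# Aborts the script when a run-time AddressTable file is not readable.
# Arguments: $1 - AddressTable object name (used in the message only)
#            $2 - path of the file the object refers to
# Returns:   0 when $2 is readable; otherwise prints a diagnostic to
#            stderr and exits with status 1.
check_file() {
  test -r "$2" || {
    printf '%s\n' "Can not find file $2 referenced by AddressTable object $1" >&2
    exit 1
  }
}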
|
|
|
|
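# Turns an interface name into a string usable as part of a shell variable
# name by replacing the first "." (e.g. the VLAN separator in eth0.100)
# with "_". Only the first dot is replaced, as in the original sed call.
# Arguments: $1 - interface name
# Outputs:   converted name on stdout
getInterfaceVarName() {
  # printf with a quoted argument: an unquoted "echo $1" would glob-expand
  # the name and mis-handle names that look like echo options.
  printf '%s\n' "$1" | sed 's/\./_/'
}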
|
|
|
|
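# function getinterfaces is used to process wildcard interfaces:
# prints, one per line, the names of the interfaces for which the
# "ip link show" output line contains ": $1" (a prefix match, so
# "eth1" also matches "eth10"; $1 is used as a grep pattern, as before).
# Globals:   IP (read), NAME, OIFS, L (written)
# Arguments: $1 - interface name prefix / pattern
# Outputs:   matching interface names on stdout
getinterfaces() {
  NAME=$1
  $IP link show | grep ": $NAME" | while read -r L; do
    # Lines look like "2: eth0: <BROADCAST,...> mtu 1500 ...": splitting
    # on blanks and ":" makes the interface name the second field.
    OIFS=$IFS
    IFS=" :"
    # shellcheck disable=SC2086 -- word-splitting the line is the point;
    # "--" keeps set from treating a field as an option (or, with an empty
    # line, from dumping every shell variable to stdout).
    set -- $L
    IFS=$OIFS
    printf '%s\n' "$2"
  done
}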
|
|
|
|
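# Aborts the script when a required program cannot be found.
# Globals:   PGM (written)
# Arguments: $1 - program name or absolute path
# Returns:   0 when found; otherwise prints a diagnostic to stderr and
#            exits with status 1.
find_program() {
  PGM=$1
  # command -v is POSIX and, unlike which(1), is a shell builtin, so the
  # lookup itself does not depend on another external program.
  command -v "$PGM" >/dev/null 2>&1 || {
    printf '"%s" not found\n' "$PGM" >&2
    exit 1
  }
}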
|
|
# Verifies that every program this script depends on is available;
# find_program exits the script on the first one that is missing.
# Globals: IPTABLES, MODPROBE, IP (read), tool (written)
check_tools() {
  for tool in which "$IPTABLES" "$MODPROBE" "$IP"; do
    find_program "$tool"
  done
}
|
|
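# Sets the default policy of the built-in filter chains to DROP, then
# flushes every chain of every loaded IPv4 table and deletes the
# user-defined chains, leaving the tables empty.
# Globals: IPTABLES (read); table, c, chain, rest (written)
reset_iptables_v4() {
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP

  # /proc/net/ip_tables_names lists the tables currently loaded; it is
  # absent when no iptables module is loaded, and then nothing needs
  # flushing (the old "cat file |" form only printed an error here).
  test -r /proc/net/ip_tables_names || return 0
  while read -r table; do
    # "iptables -L" prints a "Chain <name> (...)" header per chain;
    # flush each chain by name.
    $IPTABLES -t "$table" -L -n | while read -r c chain rest; do
      if [ "$c" = "Chain" ]; then
        $IPTABLES -t "$table" -F "$chain"
      fi
    done
    # With every chain empty, the user-defined chains can be deleted.
    $IPTABLES -t "$table" -X
  done < /proc/net/ip_tables_names
}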
|
|
|
|
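# IPv6 counterpart of reset_iptables_v4: DROP policies on the built-in
# filter chains, then flush every chain of every loaded IPv6 table and
# delete the user-defined chains.
# Globals: IP6TABLES (read); table, c, chain, rest (written)
reset_iptables_v6() {
  $IP6TABLES -P OUTPUT DROP
  $IP6TABLES -P INPUT DROP
  $IP6TABLES -P FORWARD DROP

  # /proc/net/ip6_tables_names lists the tables currently loaded; it is
  # absent when no ip6tables module is loaded, and then nothing needs
  # flushing (the old "cat file |" form only printed an error here).
  test -r /proc/net/ip6_tables_names || return 0
  while read -r table; do
    # "ip6tables -L" prints a "Chain <name> (...)" header per chain;
    # flush each chain by name.
    $IP6TABLES -t "$table" -L -n | while read -r c chain rest; do
      if [ "$c" = "Chain" ]; then
        $IP6TABLES -t "$table" -F "$chain"
      fi
    done
    # With every chain empty, the user-defined chains can be deleted.
    $IP6TABLES -t "$table" -X
  done < /proc/net/ip6_tables_names
}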
|
|
|
|
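# Aborts the script when a run-time address table file is not readable.
# NOTE: this redefinition replaces the check_file() defined earlier in the
# file; in sh the last definition wins, so this message is the one shown.
# Arguments: $1 - address table object name (used in the message only)
#            $2 - path of the file the object refers to
# Returns:   0 when $2 is readable; otherwise prints a diagnostic to
#            stderr and exits with status 1.
check_file() {
  test -r "$2" || {
    printf '%s\n' "Can not find file $2 referenced by address table object $1" >&2
    exit 1
  }
}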
|
|
|
|
# Makes sure every run-time address table file referenced by the policy
# is readable before any rule is loaded (check_file exits on failure).
check_run_time_address_table_files() {
  # AddressTable object "atbl.1" -> addr-table-1.tbl, resolved relative
  # to the current working directory.
  check_file "atbl.1" "addr-table-1.tbl"
}
|
|
|
|
# Checks that every interface the policy refers to exists on this host;
# the first missing one is logged and the script exits with status 1.
# Globals: IP (read), i (written)
verify_interfaces() {
  printf '%s\n' "Verifying interfaces: et0 eth1"
  for i in et0 eth1 ; do
    if $IP link show "$i" > /dev/null 2>&1; then
      continue
    fi
    log "Interface $i does not exist"
    exit 1
  done
}
|
|
|
|
# Hook run before the policy is loaded; this policy has no prolog
# commands, so only the progress line is printed.
prolog_commands() {
  printf '%s\n' "Running prolog script"
}
|
|
|
|
# Hook run after the policy is loaded; this policy has no epilog
# commands, so only the progress line is printed.
epilog_commands() {
  printf '%s\n' "Running epilog script"
}
|
|
|
|
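# Runs the epilog commands and terminates the script.
# Arguments: $1 - exit status to terminate with (0 when omitted)
run_epilog_and_exit() {
  epilog_commands
  # Quoted, with a default: a bare "exit $1" with an empty $1 would
  # silently reuse the status of the last command instead of a
  # deliberate code.
  exit "${1:-0}"
}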
|
|
|
|
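# Appends one "-A <chain> -s <addr> -j RULE_2" rule per address listed in
# the run-time address table file addr-table-1.tbl (object atbl.1).
# Globals:   IPTABLES (read); rule_2_chain, L, at_atbl_1 (written)
# Arguments: $1 - chain to append to (INPUT or FORWARD)
_rule_2_from_atbl_1() {
  rule_2_chain=$1
  # Skip "#" and ";" comment lines and blank lines; the first field of
  # every remaining line is the address.
  grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read -r L ; do
    # shellcheck disable=SC2086 -- split the line into fields on purpose;
    # "--" keeps a line starting with "-" from being parsed as set options.
    set -- $L
    at_atbl_1=$1
    # The address is quoted so file content is never glob-expanded by
    # the shell before it reaches iptables.
    $IPTABLES -A "$rule_2_chain" -s "$at_atbl_1" -j RULE_2
  done
}

# Loads the IPv4 policy: table 'filter', rule set Policy, rules 0-2.
# Globals: IPTABLES (read)
script_body() {
  # ================ IPv4

  # ================ Table 'filter', rule set Policy
  #
  # Rule 0 (global): allow new HTTP connections to 10.3.14.40, both from
  # the firewall itself (OUTPUT) and through it (FORWARD).
  #
  printf '%s\n' "Rule 0 (global)"
  $IPTABLES -A OUTPUT -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
  #
  # Rule 1 (global): log and drop traffic from the listed sources, on
  # INPUT and FORWARD, via the user chain RULE_1.
  #
  printf '%s\n' "Rule 1 (global)"
  $IPTABLES -N RULE_1
  $IPTABLES -A INPUT -s 192.168.1.1 -j RULE_1
  $IPTABLES -A INPUT -s 192.168.1.2 -j RULE_1
  $IPTABLES -A INPUT -s 192.168.1.3/30 -j RULE_1
  $IPTABLES -A INPUT -s 192.168.1.200 -j RULE_1
  $IPTABLES -A INPUT -s 192.168.1.201 -j RULE_1
  $IPTABLES -A INPUT -s 192.168.2.128/25 -j RULE_1
  $IPTABLES -A FORWARD -s 192.168.1.1 -j RULE_1
  $IPTABLES -A FORWARD -s 192.168.1.2 -j RULE_1
  $IPTABLES -A FORWARD -s 192.168.1.3/30 -j RULE_1
  $IPTABLES -A FORWARD -s 192.168.1.200 -j RULE_1
  $IPTABLES -A FORWARD -s 192.168.1.201 -j RULE_1
  $IPTABLES -A FORWARD -s 192.168.2.128/25 -j RULE_1
  $IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
  $IPTABLES -A RULE_1 -j DROP
  #
  # Rule 2 (global): log and drop traffic from every address in the
  # run-time address table atbl.1, on INPUT and FORWARD, via RULE_2.
  #
  printf '%s\n' "Rule 2 (global)"
  $IPTABLES -N RULE_2
  _rule_2_from_atbl_1 INPUT
  _rule_2_from_atbl_1 FORWARD
  $IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
  $IPTABLES -A RULE_2 -j DROP
}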
|
|
|
|
# Resets every address family this policy was compiled for; only IPv4
# rules are generated here, so only the IPv4 tables are reset.
reset_all() {
  reset_iptables_v4
}
|
|
|
|
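# Entry point, driven like an init script:
#   start  - check tools, address table files and interfaces, then load
#            the policy between the prolog and epilog hooks
#   stop   - nothing to do here (see comment below)
#   reload - stop, then start, by re-invoking this script
case "$1" in
start)
  check_tools
  check_run_time_address_table_files

  verify_interfaces
  prolog_commands
  script_body
  epilog_commands
  ;;

stop)
  # on IPCOP "/etc/rc.firewall stop" purges all tables and chains
  # and then calls this script with command "stop", but there is
  # nothing left for us to do here.
  ;;

reload)
  # $0 is quoted so a script path containing blanks is re-invoked intact.
  "$0" stop
  "$0" start
  ;;

*)
  # Usage is a diagnostic and goes to stderr; the exit status of this
  # branch is deliberately left as before so existing callers see no
  # change in behaviour.
  printf 'Usage %s {start|stop|reload}\n' "$0" >&2
  ;;
esac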
|