onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-05-01 22:57:33 +02:00
Code Issues Releases Wiki Activity
fwbuilder/test/ipt/firewall1.fw.orig
Vadim Kurland c5ca42940f fixes SF bug 3489096, Shell code that restores old static routing 
table entries in case of an error with commands adding new routing
entries was broken and left the machine with no routes at all.

Also, using mktemp to create temporary directory. If mktemp is not
available, fall back onto less secure but guaranteed to work method
where I generate randomized the name of the temporary directory using
process ID.
2012-02-20 14:18:10 -08:00

1337 lines
48 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.2.3595
#
# Generated Mon Feb 20 14:09:42 2012 PST by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
#
# Compiled for iptables (any version)
#
# this object is used to test all kinds of negation in policy and NAT rules.
# Assume firewall is part of any is ON
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
getaddr_internal() {
dev=$1
name=$2
af=$3
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
diff_intf() {
func=$1
list1=$2
list2=$3
cmd=$4
for intf in $list1
do
echo $list2 | grep -q $intf || {
# $vlan is absent in list 2
$func $intf $cmd
}
done
}
find_program() {
PGM=$1
which $PGM >/dev/null 2>&1 || {
echo "\"$PGM\" not found"
exit 1
}
}
check_tools() {
find_program which
find_program $IPTABLES
find_program $IP
}
reset_iptables_v4() {
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
}
reset_iptables_v6() {
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
cat /proc/net/ip6_tables_names | while read table; do
$IP6TABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done
}
P2P_INTERFACE_WARNING=""
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
$IP addr show dev $interface | grep -q POINTOPOINT && {
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
P2P_INTERFACE_WARNING="yes"
return
}
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
echo $addr | grep -q ':' && {
$FWBDEBUG $IP addr $cmd $addr dev $interface
} || {
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
}
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
}
$FWBDEBUG $IP link set $interface up
}
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
$IP addr ls dev $interface | \
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IP link show dev $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
clear_addresses_except_known_interfaces() {
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
while read intf; do
echo "# Removing addresses not configured in fwbuilder from interface $intf"
$FWBDEBUG $IP addr flush dev $intf scope global
$FWBDEBUG $IP link set $intf down
done
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by address table object $1"
exit 1
}
}
check_run_time_address_table_files() {
:
}
load_modules() {
:
}
verify_interfaces() {
:
}
prolog_commands() {
echo "Running prolog script"
}
epilog_commands() {
echo "Running epilog script"
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
:
# Configure interfaces
# See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429689
# this ensures that secondary ip address is "promoted" to primary
# when primary address is deleted, instead of deleting both
# primary and secondary addresses. It looks like this is only
# available starting from Linux 2.6.16
test -f /proc/sys/net/ipv4/conf/all/promote_secondaries && \
echo 1 > /proc/sys/net/ipv4/conf/all/promote_secondaries
update_addresses_of_interface "eth0 192.168.1.1/24 192.168.1.0/24" ""
update_addresses_of_interface "eth1 22.22.22.22/24 22.22.22.23/24" ""
update_addresses_of_interface "eth2 192.168.2.1/24 192.168.2.0/24" ""
update_addresses_of_interface "lo 127.0.0.1/8" ""
update_addresses_of_interface "eth3 22.22.23.23/24" ""
}
script_body() {
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# ================ IPv4
# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop packets that do not match any valid state and log them
$IPTABLES -N drop_invalid
$IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid
$IPTABLES -A INPUT -m state --state INVALID -j drop_invalid
$IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid
$IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
$IPTABLES -A drop_invalid -j DROP
# ================ Table 'nat', rule set NAT
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
#
# Rule 1 (NAT)
#
echo "Rule 1 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 192.168.1.10 -j SNAT --to-source 22.22.22.23
#
# Rule 2 (NAT)
#
echo "Rule 2 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -s ! 192.168.1.0/24 -d 200.200.200.200 -j SNAT --to-source 22.22.22.23
#
# Rule 3 (NAT)
#
echo "Rule 3 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -s ! 192.168.1.0/24 -d 200.200.200.200 --dport 80 -j SNAT --to-source 22.22.22.23
#
# Rule 4 (NAT)
#
echo "Rule 4 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1
#
# Rule 5 (NAT)
#
echo "Rule 5 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j SNAT --to-source 22.22.23.23
#
# Rule 6 (NAT)
#
echo "Rule 6 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -d ! 192.168.2.0/24 -j SNAT --to-source 22.22.23.23
#
# Rule 7 (NAT)
#
echo "Rule 7 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.2.0/24 --dport 80 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -p tcp -m tcp -s 192.168.1.0/24 -d ! 192.168.2.0/24 --dport 80 -j SNAT --to-source 22.22.23.23
#
# Rule 8 (NAT)
#
echo "Rule 8 (NAT)"
#
$IPTABLES -t nat -N Cid3CCA1B57.0
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid3CCA1B57.0
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j Cid3CCA1B57.0
$IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j Cid3CCA1B57.0
$IPTABLES -t nat -A Cid3CCA1B57.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3CCA1B57.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A Cid3CCA1B57.0 -j SNAT --to-source 192.168.2.1
#
# Rule 9 (NAT)
#
echo "Rule 9 (NAT)"
#
$IPTABLES -t nat -N Cid3EB38983.0
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid3EB38983.0
$IPTABLES -t nat -A POSTROUTING -o eth3 -s 192.168.1.0/24 -j Cid3EB38983.0
$IPTABLES -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j Cid3EB38983.0
$IPTABLES -t nat -A Cid3EB38983.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38983.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A Cid3EB38983.0 -j SNAT --to-source 192.168.2.1
#
# Rule 10 (NAT)
#
echo "Rule 10 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eth1 -s ! 192.168.2.0/24 -j SNAT --to-source 22.22.22.22
$IPTABLES -t nat -A POSTROUTING -o eth3 -s ! 192.168.2.0/24 -j SNAT --to-source 22.22.23.23
$IPTABLES -t nat -A POSTROUTING -o eth0 -s ! 192.168.2.0/24 -j SNAT --to-source 192.168.1.1
#
# Rule 11 (NAT)
#
echo "Rule 11 (NAT)"
#
$IPTABLES -t nat -N Cid3BD8D94B.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j Cid3BD8D94B.0
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 22.22.22.22 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 22.22.23.23 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 192.168.1.1 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -d 192.168.2.1 -j RETURN
$IPTABLES -t nat -A Cid3BD8D94B.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 12 (NAT)
#
echo "Rule 12 (NAT)"
#
$IPTABLES -t nat -N Cid3BD8D9DD.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j Cid3BD8D9DD.0
$IPTABLES -t nat -A Cid3BD8D9DD.0 -d 192.168.1.1 -j RETURN
$IPTABLES -t nat -A Cid3BD8D9DD.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 13 (NAT)
#
echo "Rule 13 (NAT)"
#
$IPTABLES -t nat -N Cid3BBC0EA4.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.10 --dport 80 -j Cid3BBC0EA4.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.20 --dport 80 -j Cid3BBC0EA4.0
$IPTABLES -t nat -A Cid3BBC0EA4.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3BBC0EA4.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3BBC0EA4.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 14 (NAT)
#
echo "Rule 14 (NAT)"
#
$IPTABLES -t nat -N Cid3BBC0F93.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.0/24 --dport 80 -j Cid3BBC0F93.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.0/24 --dport 80 -j Cid3BBC0F93.0
$IPTABLES -t nat -A Cid3BBC0F93.0 -s 192.168.1.10 -j RETURN
$IPTABLES -t nat -A Cid3BBC0F93.0 -s 192.168.1.20 -j RETURN
$IPTABLES -t nat -A Cid3BBC0F93.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 15 (NAT)
#
echo "Rule 15 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.10 --dport 80 -j REDIRECT --to-ports 3128
#
# Rule 16 (NAT)
#
echo "Rule 16 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 22.22.22.23 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 5000 -d 22.22.22.23 --dport 5000:5010 -j DNAT --to-destination 192.168.1.10
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --sport 9000 -d 22.22.22.23 -j DNAT --to-destination 192.168.1.10
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -m multiport -d 22.22.22.23 --dports 6667,3128 -j DNAT --to-destination 192.168.1.10
#
# Rule 17 (NAT)
#
echo "Rule 17 (NAT)"
#
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.0/24 --dport 80 -j DNAT --to-destination :3128
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.0/24 --dport 80 -j DNAT --to-destination :3128
#
# Rule 18 (NAT)
#
echo "Rule 18 (NAT)"
#
$IPTABLES -t nat -N Cid3EB38A91.0
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j Cid3EB38A91.0
$IPTABLES -t nat -A Cid3EB38A91.0 -d 192.168.1.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38A91.0 -d 192.168.2.0/24 -j RETURN
$IPTABLES -t nat -A Cid3EB38A91.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination :3128
# ================ Table 'filter', rule set GOOD_GUYS
#
# Rule GOOD_GUYS 0 (global)
#
echo "Rule GOOD_GUYS 0 (global)"
#
$IPTABLES -N GOOD_GUYS
$IPTABLES -N Cid40710X74808.0
$IPTABLES -A GOOD_GUYS -j Cid40710X74808.0
$IPTABLES -A Cid40710X74808.0 -s 1.1.1.0/24 -j RETURN
$IPTABLES -A Cid40710X74808.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -N GOOD_GUYS_0_3
$IPTABLES -A Cid40710X74808.0 -j GOOD_GUYS_0_3
$IPTABLES -A GOOD_GUYS_0_3 -j LOG --log-level debug
$IPTABLES -A GOOD_GUYS_0_3 -j DROP
# ================ Table 'filter', rule set Policy
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
$IPTABLES -N Cid3C5987DC.1
$IPTABLES -A INPUT -i eth0 -s 22.22.22.22 -j Cid3C5987DC.1
$IPTABLES -N Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.1 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.1 -p 50 -j Cid3C5987DC.0
$IPTABLES -N Cid3C5987DC.2
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -j Cid3C5987DC.2
$IPTABLES -A Cid3C5987DC.2 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.2 -p 50 -j Cid3C5987DC.0
$IPTABLES -N Cid3C5987DC.3
$IPTABLES -A FORWARD -i eth0 -s 22.22.22.22 -j Cid3C5987DC.3
$IPTABLES -A Cid3C5987DC.3 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.3 -p 50 -j Cid3C5987DC.0
$IPTABLES -N Cid3C5987DC.4
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -j Cid3C5987DC.4
$IPTABLES -A Cid3C5987DC.4 -p icmp -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.4 -p 50 -j Cid3C5987DC.0
$IPTABLES -A Cid3C5987DC.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3C5987DC.0 -d 192.168.1.1 -j RETURN
$IPTABLES -N In_RULE_0_3
$IPTABLES -A Cid3C5987DC.0 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name htable_rule_0 -j In_RULE_0_3
$IPTABLES -A In_RULE_0_3 -j LOG --log-level debug
$IPTABLES -A In_RULE_0_3 -j DROP
$IPTABLES -N Cid3C5987DC.6
$IPTABLES -A OUTPUT -o eth0 -s 22.22.22.22 -j Cid3C5987DC.6
$IPTABLES -N Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.6 -p icmp -j Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.6 -p 50 -j Cid3C5987DC.5
$IPTABLES -N Cid3C5987DC.7
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.1 -j Cid3C5987DC.7
$IPTABLES -A Cid3C5987DC.7 -p icmp -j Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.7 -p 50 -j Cid3C5987DC.5
$IPTABLES -A Cid3C5987DC.5 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3C5987DC.5 -d 192.168.1.1 -j RETURN
$IPTABLES -N Out_RULE_0_3
$IPTABLES -A Cid3C5987DC.5 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode srcip,srcport --hashlimit-name htable_rule_0 -j Out_RULE_0_3
$IPTABLES -A Out_RULE_0_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_0_3 -j DROP
#
# Rule 1 (eth0)
#
echo "Rule 1 (eth0)"
#
$IPTABLES -N Cid3CD34BEF.1
$IPTABLES -A INPUT -i eth0 -p icmp -j Cid3CD34BEF.1
$IPTABLES -A INPUT -i eth0 -p 50 -j Cid3CD34BEF.1
$IPTABLES -N Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.1 -s 192.168.1.10 -j Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.1 -s 192.168.1.20 -j Cid3CD34BEF.0
$IPTABLES -N Cid3CD34BEF.2
$IPTABLES -A FORWARD -i eth0 -p icmp -j Cid3CD34BEF.2
$IPTABLES -A FORWARD -i eth0 -p 50 -j Cid3CD34BEF.2
$IPTABLES -A Cid3CD34BEF.2 -s 192.168.1.10 -j Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.2 -s 192.168.1.20 -j Cid3CD34BEF.0
$IPTABLES -A Cid3CD34BEF.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3CD34BEF.0 -d 192.168.1.20 -j RETURN
$IPTABLES -A Cid3CD34BEF.0 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode dstip,dstport --hashlimit-name htable_rule_1 -j DROP
$IPTABLES -N Cid3CD34BEF.4
$IPTABLES -A FORWARD -o eth0 -p icmp -j Cid3CD34BEF.4
$IPTABLES -A FORWARD -o eth0 -p 50 -j Cid3CD34BEF.4
$IPTABLES -N Cid3CD34BEF.3
$IPTABLES -A Cid3CD34BEF.4 -s 192.168.1.10 -j Cid3CD34BEF.3
$IPTABLES -A Cid3CD34BEF.4 -s 192.168.1.20 -j Cid3CD34BEF.3
$IPTABLES -A Cid3CD34BEF.3 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3CD34BEF.3 -d 192.168.1.20 -j RETURN
$IPTABLES -A Cid3CD34BEF.3 -m hashlimit --hashlimit 1/hour --hashlimit-burst 2 --hashlimit-mode dstip,dstport --hashlimit-name htable_rule_1 -j DROP
#
# Rule 2 (eth1)
#
echo "Rule 2 (eth1)"
#
# Anti-spoofing rule
$IPTABLES -N In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 22.22.22.22 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 22.22.23.23 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 192.168.1.1 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 192.168.2.1 -j In_RULE_2
$IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 22.22.22.22 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 22.22.23.23 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 192.168.1.1 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 192.168.2.1 -j In_RULE_2
$IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_2
$IPTABLES -A In_RULE_2 -j LOG --log-level debug
$IPTABLES -A In_RULE_2 -j DROP
#
# Rule 3 (eth1)
#
echo "Rule 3 (eth1)"
#
# Anti-spoofing rule
$IPTABLES -N Out_RULE_3
$IPTABLES -A OUTPUT -o eth1 -s ! 192.168.1.0/24 -j Out_RULE_3
$IPTABLES -A FORWARD -o eth1 -s ! 192.168.1.0/24 -j Out_RULE_3
$IPTABLES -A Out_RULE_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_3 -j DROP
#
# Rule 4 (eth1)
#
echo "Rule 4 (eth1)"
#
# Anti-spoofing rule
$IPTABLES -N Cid40DBCD36.0
$IPTABLES -A OUTPUT -o eth1 -j Cid40DBCD36.0
$IPTABLES -A Cid40DBCD36.0 -s 22.22.22.22 -j RETURN
$IPTABLES -A Cid40DBCD36.0 -s 22.22.23.23 -j RETURN
$IPTABLES -A Cid40DBCD36.0 -s 192.168.1.1 -j RETURN
$IPTABLES -A Cid40DBCD36.0 -s 192.168.2.1 -j RETURN
$IPTABLES -N Out_RULE_4_3
$IPTABLES -A Cid40DBCD36.0 -j Out_RULE_4_3
$IPTABLES -A Out_RULE_4_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_4_3 -j DROP
$IPTABLES -N Cid40DBCD36.1
$IPTABLES -A FORWARD -o eth1 -j Cid40DBCD36.1
$IPTABLES -A Cid40DBCD36.1 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid40DBCD36.1 -j Out_RULE_4_3
#
# Rule 5 (eth2)
#
echo "Rule 5 (eth2)"
#
$IPTABLES -A INPUT -i eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth2 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
#
# Rule 6 (eth2)
#
echo "Rule 6 (eth2)"
#
$IPTABLES -N In_RULE_6
$IPTABLES -A INPUT -i ! eth2 -s 192.168.2.0/24 -j In_RULE_6
$IPTABLES -A FORWARD -i ! eth2 -s 192.168.2.0/24 -j In_RULE_6
$IPTABLES -A In_RULE_6 -j LOG --log-level debug
$IPTABLES -A In_RULE_6 -j DROP
#
# Rule 7 (eth1,eth3)
#
echo "Rule 7 (eth1,eth3)"
#
$IPTABLES -N In_RULE_7
$IPTABLES -A INPUT -i eth0 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A INPUT -i eth0 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A INPUT -i eth2 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A INPUT -i eth2 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A FORWARD -i eth0 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A FORWARD -i eth0 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A FORWARD -i eth2 -s 22.22.23.128/25 -j In_RULE_7
$IPTABLES -A FORWARD -i eth2 -s 33.33.33.0/24 -j In_RULE_7
$IPTABLES -A In_RULE_7 -j LOG --log-level debug
$IPTABLES -A In_RULE_7 -j DROP
#
# Rule 8 (lo)
#
echo "Rule 8 (lo)"
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 9 (eth0,eth2)
#
echo "Rule 9 (eth0,eth2)"
#
$IPTABLES -N Cid433D045026912.0
$IPTABLES -A INPUT -i eth0 -j Cid433D045026912.0
$IPTABLES -A INPUT -i eth2 -j Cid433D045026912.0
$IPTABLES -A FORWARD -i eth0 -j Cid433D045026912.0
$IPTABLES -A FORWARD -i eth2 -j Cid433D045026912.0
$IPTABLES -A Cid433D045026912.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid433D045026912.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N In_RULE_9_3
$IPTABLES -A Cid433D045026912.0 -j In_RULE_9_3
$IPTABLES -A In_RULE_9_3 -j LOG --log-level debug
$IPTABLES -A In_RULE_9_3 -j DROP
#
# Rule 10 (eth1,eth3)
#
echo "Rule 10 (eth1,eth3)"
#
$IPTABLES -N Cid434D389E26912.0
$IPTABLES -A INPUT -i eth1 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A INPUT -i eth3 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A FORWARD -i eth1 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A FORWARD -i eth3 -m state --state NEW -j Cid434D389E26912.0
$IPTABLES -A Cid434D389E26912.0 -s 22.22.23.128/25 -j RETURN
$IPTABLES -A Cid434D389E26912.0 -s 33.33.33.0/24 -j RETURN
$IPTABLES -A Cid434D389E26912.0 -j ACCEPT
#
# Rule 11 (global)
#
echo "Rule 11 (global)"
#
$IPTABLES -N RULE_11
$IPTABLES -A RULE_11 -j RETURN
$IPTABLES -A OUTPUT -j RULE_11
$IPTABLES -A INPUT -j RULE_11
$IPTABLES -A FORWARD -j RULE_11
#
# Rule 12 (global)
#
echo "Rule 12 (global)"
#
$IPTABLES -N RULE_12
$IPTABLES -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12
$IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RULE_12
$IPTABLES -A RULE_12 -j LOG --log-level debug
$IPTABLES -A RULE_12 -j DROP
#
# Rule 13 (global)
#
echo "Rule 13 (global)"
#
$IPTABLES -N Cid3B9AB902.0
$IPTABLES -A OUTPUT -j Cid3B9AB902.0
$IPTABLES -A INPUT -j Cid3B9AB902.0
$IPTABLES -A FORWARD -j Cid3B9AB902.0
$IPTABLES -A Cid3B9AB902.0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
$IPTABLES -N RULE_13_3
$IPTABLES -A Cid3B9AB902.0 -j RULE_13_3
$IPTABLES -A RULE_13_3 -j LOG --log-level debug
$IPTABLES -A RULE_13_3 -j DROP
#
# Rule 14 (global)
#
echo "Rule 14 (global)"
#
# hostF has the same IP address as firewal.
$IPTABLES -N RULE_14
$IPTABLES -A OUTPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_14
$IPTABLES -A INPUT -p icmp -m icmp -d 192.168.1.1 --icmp-type 8/0 -m state --state NEW -j RULE_14
$IPTABLES -A RULE_14 -j LOG --log-level debug
$IPTABLES -A RULE_14 -j ACCEPT
#
# Rule 15 (global)
#
echo "Rule 15 (global)"
#
$IPTABLES -N Cid434B03D526912.0
$IPTABLES -A OUTPUT -m state --state NEW -j Cid434B03D526912.0
$IPTABLES -A INPUT -m state --state NEW -j Cid434B03D526912.0
$IPTABLES -A FORWARD -m state --state NEW -j Cid434B03D526912.0
$IPTABLES -A Cid434B03D526912.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid434B03D526912.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid434B03D526912.0 -j ACCEPT
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
#
# testing negation in the policy rule
$IPTABLES -N Cid3B021E10.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid3B021E10.0
$IPTABLES -A Cid3B021E10.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid3B021E10.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_16_3
$IPTABLES -A Cid3B021E10.0 -m limit --limit 10/minute -j RULE_16_3
$IPTABLES -A RULE_16_3 -j LOG --log-level debug
$IPTABLES -A RULE_16_3 -j DROP
#
# Rule 17 (global)
#
echo "Rule 17 (global)"
#
# testing negation in the policy rule
$IPTABLES -N Cid40C0D096.0
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -j Cid40C0D096.0
$IPTABLES -A Cid40C0D096.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid40C0D096.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_17_3
$IPTABLES -A Cid40C0D096.0 -m limit --limit 10/minute -j RULE_17_3
$IPTABLES -A RULE_17_3 -j LOG --log-level debug
$IPTABLES -A RULE_17_3 -j RETURN
#
# Rule 18 (global)
#
echo "Rule 18 (global)"
#
# testing negation in the policy rule
$IPTABLES -N Cid40C0D10A.0
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid40C0D10A.0
$IPTABLES -A Cid40C0D10A.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid40C0D10A.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_18_3
$IPTABLES -A Cid40C0D10A.0 -m limit --limit 10/minute -j RULE_18_3
$IPTABLES -A RULE_18_3 -j LOG --log-level debug
$IPTABLES -A RULE_18_3 -j ACCEPT
#
# Rule 19 (global)
#
echo "Rule 19 (global)"
#
$IPTABLES -N Cid3B0B4A13.1
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0B4A13.1
$IPTABLES -N Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 22.22.22.22 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 22.22.23.23 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 192.168.1.1 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.1 -d 192.168.2.1 -j Cid3B0B4A13.0
$IPTABLES -N Cid3B0B4A13.2
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid3B0B4A13.2
$IPTABLES -A Cid3B0B4A13.2 -d 22.22.22.22 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.2 -d 22.22.23.23 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.2 -d 192.168.1.1 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.2 -d 192.168.2.1 -j Cid3B0B4A13.0
$IPTABLES -A Cid3B0B4A13.0 -s 192.168.1.10 -j RETURN
$IPTABLES -A Cid3B0B4A13.0 -s 192.168.1.20 -j RETURN
$IPTABLES -N RULE_19_3
$IPTABLES -A Cid3B0B4A13.0 -j RULE_19_3
$IPTABLES -A RULE_19_3 -j LOG --log-level debug
$IPTABLES -A RULE_19_3 -j DROP
#
# Rule 20 (global)
#
echo "Rule 20 (global)"
#
$IPTABLES -N Cid3B5535B7.0
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -j Cid3B5535B7.0
$IPTABLES -A Cid3B5535B7.0 -s 22.22.22.22 -j RETURN
$IPTABLES -A Cid3B5535B7.0 -s 22.22.23.23 -j RETURN
$IPTABLES -A Cid3B5535B7.0 -s 192.168.1.1 -j RETURN
$IPTABLES -A Cid3B5535B7.0 -s 192.168.2.1 -j RETURN
$IPTABLES -N Out_RULE_20_3
$IPTABLES -A Cid3B5535B7.0 -j Out_RULE_20_3
$IPTABLES -A Out_RULE_20_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_20_3 -j DROP
$IPTABLES -N Cid3B5535B7.1
$IPTABLES -A INPUT -d 192.168.1.0/24 -j Cid3B5535B7.1
$IPTABLES -A FORWARD -d 192.168.1.0/24 -j Cid3B5535B7.1
$IPTABLES -A Cid3B5535B7.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_20_3
$IPTABLES -A Cid3B5535B7.1 -j RULE_20_3
$IPTABLES -A RULE_20_3 -j LOG --log-level debug
$IPTABLES -A RULE_20_3 -j DROP
#
# Rule 21 (global)
#
echo "Rule 21 (global)"
#
$IPTABLES -N Cid40F1D905.0
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -j Cid40F1D905.0
$IPTABLES -A Cid40F1D905.0 -s 192.168.1.1 -j RETURN
$IPTABLES -N Out_RULE_21_3
$IPTABLES -A Cid40F1D905.0 -j Out_RULE_21_3
$IPTABLES -A Out_RULE_21_3 -j LOG --log-level debug
$IPTABLES -A Out_RULE_21_3 -j DROP
$IPTABLES -N Cid40F1D905.1
$IPTABLES -A INPUT -d 192.168.1.0/24 -j Cid40F1D905.1
$IPTABLES -A FORWARD -d 192.168.1.0/24 -j Cid40F1D905.1
$IPTABLES -A Cid40F1D905.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_21_3
$IPTABLES -A Cid40F1D905.1 -j RULE_21_3
$IPTABLES -A RULE_21_3 -j LOG --log-level debug
$IPTABLES -A RULE_21_3 -j DROP
#
# Rule 22 (global)
#
echo "Rule 22 (global)"
#
$IPTABLES -N Cid3E74DF71.0
$IPTABLES -A INPUT -s 222.222.222.40 -j Cid3E74DF71.0
$IPTABLES -A INPUT -s 222.222.222.41 -j Cid3E74DF71.0
$IPTABLES -A FORWARD -s 222.222.222.40 -j Cid3E74DF71.0
$IPTABLES -A FORWARD -s 222.222.222.41 -j Cid3E74DF71.0
$IPTABLES -A Cid3E74DF71.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3E74DF71.0 -d 192.168.1.20 -j RETURN
$IPTABLES -N RULE_22_3
$IPTABLES -A Cid3E74DF71.0 -j RULE_22_3
$IPTABLES -A RULE_22_3 -j LOG --log-level debug
$IPTABLES -A RULE_22_3 -j DROP
#
# Rule 23 (global)
#
echo "Rule 23 (global)"
#
$IPTABLES -N Cid3B11F63D.0
$IPTABLES -A INPUT -s 192.168.1.0/24 -j Cid3B11F63D.0
$IPTABLES -A INPUT -s 192.168.2.0/24 -j Cid3B11F63D.0
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -j Cid3B11F63D.0
$IPTABLES -A OUTPUT -s 192.168.2.0/24 -j Cid3B11F63D.0
$IPTABLES -A FORWARD -s 192.168.1.0/24 -j Cid3B11F63D.0
$IPTABLES -A FORWARD -s 192.168.2.0/24 -j Cid3B11F63D.0
$IPTABLES -A Cid3B11F63D.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid3B11F63D.0 -d 192.168.1.20 -j RETURN
$IPTABLES -N RULE_23_3
$IPTABLES -A Cid3B11F63D.0 -j RULE_23_3
$IPTABLES -A RULE_23_3 -j LOG --log-level debug
$IPTABLES -A RULE_23_3 -j DROP
#
# Rule 24 (global)
#
echo "Rule 24 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3B021E6F.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -j Cid3B021E6F.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -j Cid3B021E6F.0
$IPTABLES -A FORWARD -d 192.168.1.10 -j Cid3B021E6F.0
$IPTABLES -A FORWARD -d 192.168.1.20 -j Cid3B021E6F.0
$IPTABLES -A Cid3B021E6F.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN
$IPTABLES -N RULE_24_3
$IPTABLES -A Cid3B021E6F.0 -j RULE_24_3
$IPTABLES -A RULE_24_3 -j LOG --log-level debug
$IPTABLES -A RULE_24_3 -j DROP
#
# Rule 25 (global)
#
echo "Rule 25 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3CCA2CF4.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3CCA2CF4.0
$IPTABLES -A Cid3CCA2CF4.0 -p tcp -m tcp -m multiport --dports 25,22 -j RETURN
$IPTABLES -N RULE_25_3
$IPTABLES -A Cid3CCA2CF4.0 -j RULE_25_3
$IPTABLES -A RULE_25_3 -j LOG --log-level debug
$IPTABLES -A RULE_25_3 -j ACCEPT
#
# Rule 26 (global)
#
echo "Rule 26 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3EA925F1.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3EA925F1.0
$IPTABLES -A Cid3EA925F1.0 -p tcp -m tcp --dport 25 -j RETURN
$IPTABLES -N RULE_26_3
$IPTABLES -A Cid3EA925F1.0 -j RULE_26_3
$IPTABLES -A RULE_26_3 -j LOG --log-level debug
$IPTABLES -A RULE_26_3 -j ACCEPT
#
# Rule 27 (global)
#
echo "Rule 27 (global)"
#
# testing negation in service field
$IPTABLES -N Cid3EA9225C.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid3EA9225C.0
$IPTABLES -A Cid3EA9225C.0 -p icmp -m icmp --icmp-type any -j RETURN
$IPTABLES -N RULE_27_3
$IPTABLES -A Cid3EA9225C.0 -j RULE_27_3
$IPTABLES -A RULE_27_3 -j LOG --log-level debug
$IPTABLES -A RULE_27_3 -j ACCEPT
#
# Rule 28 (global)
#
echo "Rule 28 (global)"
#
# testing negation in service field
$IPTABLES -N Cid4144E299.1
$IPTABLES -A OUTPUT -m state --state NEW -j Cid4144E299.1
$IPTABLES -A INPUT -m state --state NEW -j Cid4144E299.1
$IPTABLES -A FORWARD -m state --state NEW -j Cid4144E299.1
$IPTABLES -A Cid4144E299.1 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid4144E299.1 -d 192.168.1.20 -j RETURN
$IPTABLES -N Cid4144E299.0
$IPTABLES -A Cid4144E299.1 -j Cid4144E299.0
$IPTABLES -A Cid4144E299.0 -p icmp -m icmp --icmp-type any -j RETURN
$IPTABLES -A Cid4144E299.0 -j ACCEPT
#
# Rule 29 (global)
#
echo "Rule 29 (global)"
#
# testing negation in service field
$IPTABLES -N Cid41449248.1
$IPTABLES -A OUTPUT -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j Cid41449248.1
$IPTABLES -N Cid41449248.0
$IPTABLES -A Cid41449248.1 -d 192.168.1.10 -j Cid41449248.0
$IPTABLES -A Cid41449248.1 -d 192.168.1.20 -j Cid41449248.0
$IPTABLES -N Cid41449248.2
$IPTABLES -A FORWARD -m state --state NEW -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j Cid41449248.2
$IPTABLES -A Cid41449248.2 -d 192.168.1.10 -j Cid41449248.0
$IPTABLES -A Cid41449248.2 -d 192.168.1.20 -j Cid41449248.0
$IPTABLES -A Cid41449248.0 -p tcp -m tcp --dport 80 -j RETURN
$IPTABLES -A Cid41449248.0 -j ACCEPT
#
# Rule 30 (global)
#
echo "Rule 30 (global)"
#
# testing negation in service field
$IPTABLES -N Cid414532F3.1
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j Cid414532F3.1
$IPTABLES -A Cid414532F3.1 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN
$IPTABLES -N Cid414532F3.0
$IPTABLES -A Cid414532F3.1 -j Cid414532F3.0
$IPTABLES -A Cid414532F3.0 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid414532F3.0 -d 192.168.1.20 -j RETURN
$IPTABLES -A Cid414532F3.0 -j ACCEPT
#
# Rule 31 (global)
#
echo "Rule 31 (global)"
#
# testing negation in service field
$IPTABLES -N Cid41449257.1
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid41449257.1
$IPTABLES -A OUTPUT -d 192.168.1.20 -m state --state NEW -j Cid41449257.1
$IPTABLES -A FORWARD -d 192.168.1.10 -m state --state NEW -j Cid41449257.1
$IPTABLES -A FORWARD -d 192.168.1.20 -m state --state NEW -j Cid41449257.1
$IPTABLES -A Cid41449257.1 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN
$IPTABLES -N Cid41449257.0
$IPTABLES -A Cid41449257.1 -j Cid41449257.0
$IPTABLES -A Cid41449257.0 -p tcp -m tcp --dport 80 -j RETURN
$IPTABLES -A Cid41449257.0 -j ACCEPT
#
# Rule 32 (global)
#
echo "Rule 32 (global)"
#
$IPTABLES -N Cid4368F08A15884.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid4368F08A15884.1
$IPTABLES -N Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 22.22.22.22 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 22.22.23.23 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 192.168.1.1 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.1 -s 192.168.2.1 -j Cid4368F08A15884.0
$IPTABLES -A Cid4368F08A15884.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -d 22.22.23.23 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -d 192.168.1.1 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -d 192.168.2.1 -j RETURN
$IPTABLES -A Cid4368F08A15884.0 -j ACCEPT
$IPTABLES -N Cid4368F08A15884.2
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid4368F08A15884.2
$IPTABLES -A Cid4368F08A15884.2 -s 22.22.22.22 -j ACCEPT
$IPTABLES -A Cid4368F08A15884.2 -s 22.22.23.23 -j ACCEPT
$IPTABLES -A Cid4368F08A15884.2 -s 192.168.1.1 -j ACCEPT
$IPTABLES -A Cid4368F08A15884.2 -s 192.168.2.1 -j ACCEPT
#
# Rule 33 (global)
#
echo "Rule 33 (global)"
#
$IPTABLES -N Cid3E74D8BB.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E74D8BB.1
$IPTABLES -N Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 22.22.22.22 -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 22.22.23.23 -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 192.168.1.1 -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.1 -s 192.168.2.1 -j Cid3E74D8BB.0
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.0
$IPTABLES -A Cid3E74D8BB.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -d 22.22.23.23 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -d 192.168.1.1 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -d 192.168.2.1 -j RETURN
$IPTABLES -A Cid3E74D8BB.0 -j ACCEPT
$IPTABLES -N Cid3E74D8BB.3
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j Cid3E74D8BB.3
$IPTABLES -N Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 22.22.22.22 -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 22.22.23.23 -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 192.168.1.1 -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.3 -s 192.168.2.1 -j Cid3E74D8BB.2
$IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.2
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.2.0/24 --dport 22 -m state --state NEW -j Cid3E74D8BB.2
$IPTABLES -A Cid3E74D8BB.2 -d 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid3E74D8BB.2 -j ACCEPT
#
# Rule 34 (global)
#
echo "Rule 34 (global)"
#
$IPTABLES -N Cid3B45739A.1
$IPTABLES -A INPUT -s 22.22.22.22 -j Cid3B45739A.1
$IPTABLES -N Cid3B45739A.0
$IPTABLES -A Cid3B45739A.1 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.1 -p 50 -j Cid3B45739A.0
$IPTABLES -N Cid3B45739A.2
$IPTABLES -A INPUT -s 192.168.1.1 -j Cid3B45739A.2
$IPTABLES -A Cid3B45739A.2 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.2 -p 50 -j Cid3B45739A.0
$IPTABLES -N Cid3B45739A.3
$IPTABLES -A OUTPUT -s 22.22.22.22 -j Cid3B45739A.3
$IPTABLES -A Cid3B45739A.3 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.3 -p 50 -j Cid3B45739A.0
$IPTABLES -N Cid3B45739A.4
$IPTABLES -A OUTPUT -s 192.168.1.1 -j Cid3B45739A.4
$IPTABLES -A Cid3B45739A.4 -p icmp -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.4 -p 50 -j Cid3B45739A.0
$IPTABLES -A Cid3B45739A.0 -d 22.22.22.22 -j RETURN
$IPTABLES -A Cid3B45739A.0 -d 192.168.1.1 -j RETURN
$IPTABLES -N RULE_34_3
$IPTABLES -A Cid3B45739A.0 -j RULE_34_3
$IPTABLES -A RULE_34_3 -j LOG --log-level debug
$IPTABLES -A RULE_34_3 -j DROP
#
# Rule 35 (global)
#
echo "Rule 35 (global)"
#
# double negation rule
$IPTABLES -N Cid4067B2C2.1
$IPTABLES -A OUTPUT -j Cid4067B2C2.1
$IPTABLES -A INPUT -j Cid4067B2C2.1
$IPTABLES -A FORWARD -j Cid4067B2C2.1
$IPTABLES -A Cid4067B2C2.1 -d 192.168.1.10 -j RETURN
$IPTABLES -A Cid4067B2C2.1 -d 192.168.1.20 -j RETURN
$IPTABLES -N Cid4067B2C2.0
$IPTABLES -A Cid4067B2C2.1 -j Cid4067B2C2.0
$IPTABLES -A Cid4067B2C2.0 -p tcp -m tcp -m multiport --dports 3128,8080 -j RETURN
$IPTABLES -N RULE_35_3
$IPTABLES -A Cid4067B2C2.0 -j RULE_35_3
$IPTABLES -A RULE_35_3 -j LOG --log-level debug
$IPTABLES -A RULE_35_3 -j DROP
#
# Rule 36 (global)
#
echo "Rule 36 (global)"
#
$IPTABLES -N Cid41A88DF6.0
$IPTABLES -A INPUT -m state --state NEW -j Cid41A88DF6.0
$IPTABLES -A Cid41A88DF6.0 -d 192.168.1.1 -j RETURN
$IPTABLES -A Cid41A88DF6.0 -d 192.168.2.1 -j RETURN
$IPTABLES -A Cid41A88DF6.0 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
#
# Rule 37 (global)
#
echo "Rule 37 (global)"
#
$IPTABLES -N Cid41B5176E.0
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -m state --state NEW -j Cid41B5176E.0
$IPTABLES -A Cid41B5176E.0 -s 192.168.1.1 -j RETURN
$IPTABLES -A Cid41B5176E.0 -s 192.168.2.1 -j RETURN
$IPTABLES -A Cid41B5176E.0 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 38 (global)
#
echo "Rule 38 (global)"
#
$IPTABLES -N Cid4143BD3F.0
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0
$IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW -j Cid4143BD3F.0
$IPTABLES -A Cid4143BD3F.0 -m time --timestart 00:00 --timestop 23:59 --days Sat -j RETURN
$IPTABLES -A Cid4143BD3F.0 -m time --timestart 00:00 --timestop 23:59 --days Sun -j RETURN
$IPTABLES -A Cid4143BD3F.0 -j ACCEPT
#
# Rule 39 (global)
#
echo "Rule 39 (global)"
#
$IPTABLES -N Cid4143BD1A.0
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0
$IPTABLES -A OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -m state --state NEW -j Cid4143BD1A.0
$IPTABLES -A Cid4143BD1A.0 -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri -j RETURN
$IPTABLES -A Cid4143BD1A.0 -j ACCEPT
#
# Rule 40 (global)
#
echo "Rule 40 (global)"
#
$IPTABLES -N Cid1515316X29460.0
$IPTABLES -A INPUT -p tcp -m tcp -d ! 192.168.1.0/24 --dport 80 -j Cid1515316X29460.0
$IPTABLES -A Cid1515316X29460.0 -s 22.22.22.22 -j DROP
$IPTABLES -A Cid1515316X29460.0 -s 22.22.23.23 -j DROP
$IPTABLES -A Cid1515316X29460.0 -s 192.168.1.1 -j DROP
$IPTABLES -A Cid1515316X29460.0 -s 192.168.2.1 -j DROP
$IPTABLES -N Cid1515316X29460.1
$IPTABLES -A OUTPUT -p tcp -m tcp -d ! 192.168.1.0/24 --dport 80 -j Cid1515316X29460.1
$IPTABLES -A Cid1515316X29460.1 -s 22.22.22.22 -j DROP
$IPTABLES -A Cid1515316X29460.1 -s 22.22.23.23 -j DROP
$IPTABLES -A Cid1515316X29460.1 -s 192.168.1.1 -j DROP
$IPTABLES -A Cid1515316X29460.1 -s 192.168.2.1 -j DROP
#
# Rule 41 (global)
#
echo "Rule 41 (global)"
#
$IPTABLES -N Cid1515397X29460.0
$IPTABLES -A OUTPUT -p tcp -m tcp -s ! 192.168.1.0/24 --dport 80 -j Cid1515397X29460.0
$IPTABLES -A Cid1515397X29460.0 -d 22.22.22.22 -j DROP
$IPTABLES -A Cid1515397X29460.0 -d 22.22.23.23 -j DROP
$IPTABLES -A Cid1515397X29460.0 -d 192.168.1.1 -j DROP
$IPTABLES -A Cid1515397X29460.0 -d 192.168.2.1 -j DROP
$IPTABLES -N Cid1515397X29460.1
$IPTABLES -A INPUT -p tcp -m tcp -s ! 192.168.1.0/24 --dport 80 -j Cid1515397X29460.1
$IPTABLES -A Cid1515397X29460.1 -d 22.22.22.22 -j DROP
$IPTABLES -A Cid1515397X29460.1 -d 22.22.23.23 -j DROP
$IPTABLES -A Cid1515397X29460.1 -d 192.168.1.1 -j DROP
$IPTABLES -A Cid1515397X29460.1 -d 192.168.2.1 -j DROP
}
ip_forward() {
:
}
reset_all() {
:
reset_iptables_v4
}
block_action() {
reset_all
}
stop_action() {
reset_all
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}
check_iptables() {
IP_TABLES="$1"
[ ! -e $IP_TABLES ] && return 151
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
[ -z "$NF_TABLES" ] && return 152
return 0
}
status_action() {
check_iptables "/proc/net/ip_tables_names"
ret_ipv4=$?
check_iptables "/proc/net/ip6_tables_names"
ret_ipv6=$?
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
echo "iptables modules are not loaded"
}
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
echo "Firewall is not configured"
}
exit 3
}
# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
cmd="start"
}
case "$cmd" in
start)
log "Activating firewall script generated Mon Feb 20 14:09:42 2012 by vadim"
check_tools
check_run_time_address_table_files
load_modules "nat "
configure_interfaces
verify_interfaces
prolog_commands
reset_all
script_body
ip_forward
epilog_commands
RETVAL=$?
;;
stop)
stop_action
RETVAL=$?
;;
status)
status_action
RETVAL=$?
;;
block)
block_action
RETVAL=$?
;;
reload)
$0 stop
$0 start
RETVAL=$?
;;
interfaces)
configure_interfaces
RETVAL=$?
;;
test_interfaces)
FWBDEBUG="echo"
configure_interfaces
RETVAL=$?
;;
*)
echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
;;
esac
exit $RETVAL
Reference in New Issue View Git Blame Copy Permalink