Old 07-16-2005   #1
igornix (Just Joined!, Join Date: May 2005, Posts: 9), in Linux Networking
my firewall script sucks

Hi
Please, can anybody look through my script and say what is wrong with it? I got the following error:
Bad argument `DROP'
Try `iptables -h' or 'iptables --help' for more information.

#!/bin/bash
# bash is required: this script uses declare, source, == and $[ ] arithmetic

###############################################################################
#
# Original by Dinesh Kandiah
# - additions by Daniel Carrera
# - additions by Paul Moore, pcmoore@engin.umich.edu
#
# Copyright (C) 2000-2004 Point Clark Networks
# Copyright (C) 2003 Paul Moore
#
# $Id: rc.firewall,v 1.31 2005/04/29 19:37:34 peter Exp $
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
# Inspired by...
# - Trinity OS
# - Linux Security
# - linux-firewall-tools.com
# - Usenet
#
###############################################################################
#
# Semantics:
# - Incoming - packets destined for *this* machine
# - Outgoing - packets from the LAN/DMZ to the outside world
# - Forward - packets from the outside world to the LAN/DMZ
#
###############################################################################


###############################################################################
#
# C O N S T A N T S
#
###############################################################################

# Field separator: word-split expansions on newlines only
IFS='
'

# Path
PATH=/sbin:/bin:/usr/bin

# ACCEPT and DROP default chain names
FW_DROP="DROP"
FW_ACCEPT="ACCEPT"

# Configuration
FW_CONF=${FW_CONF:-"/etc/firewall"}
FW_ADHOC=${FW_ADHOC:-"/etc/rc.d/rc.firewall.local"}
FW_TYPES="/etc/rc.d/rc.firewall.types"

# Default mode
FW_DEFAULT_MODE="trustedstandalone"

# Binaries
IPBIN="/sbin/ip"
TCBIN="/sbin/tc"
IPCALC="/bin/ipcalc"
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
SYSCTL="/sbin/sysctl"

# Logging
FW_TODO=${FW_TODO:-"/bin/echo"}
FW_FACILITY=${FW_FACILITY:-"local6"}
FW_DEBUG=${FW_DEBUG:-"/usr/bin/logger -p $FW_FACILITY.notice -t firewall"}
FW_ERROR=${FW_ERROR:-"/usr/bin/logger -p $FW_FACILITY.error -t firewall"}
FW_NOTICE=${FW_NOTICE:-"/usr/bin/logger -p $FW_FACILITY.notice -t firewall"}
FW_WARNING=${FW_WARNING:-"/usr/bin/logger -p $FW_FACILITY.warning -t firewall"}

# Shorthand
FW_ALLIP="0.0.0.0/0"

# Declare these as integer
declare -i FWR_TYPE
declare -i FWR_PROTO

# This blob translates PHP firewall type defines into bash declarations.
# This way, there is only one source for firewall types (firewallrule.class).
FWR_CLASS="/var/webconfig/classes/firewallrule.class"

if [ "$FWR_CLASS" -nt "$FW_TYPES" -o ! -f "$FW_TYPES" ]; then
echo "# Generated by: $0" > $FW_TYPES
echo "# Created from: $FWR_CLASS" >> $FW_TYPES
/bin/egrep "^define.*FWR_.*0x" "$FWR_CLASS" | \
/bin/sed -e 's/define(/declare -i /' -e 's/, /=/' -e 's/);.*$//' >>\
$FW_TYPES || exit 1
echo "# vi: syntax=sh" >> $FW_TYPES
fi

source $FW_TYPES || exit 1


###############################################################################
#
# F U N C T I O N S
#
###############################################################################

###############################################################################
#
# SetKernelSettings
# -----------------
#
# Defines some default kernel settings... mostly for added security.
#
###############################################################################

SetKernelSettings() {
$FW_NOTICE "Setting kernel parameters"

# Enable IP Forwarding, not really required for standalone mode
$SYSCTL -w net.ipv4.ip_forward=1 >/dev/null

# Enable TCP SYN Cookie protection:
$SYSCTL -w net.ipv4.tcp_syncookies=1 >/dev/null

# Enabling dynamic TCP/IP address hacking.
$SYSCTL -w net.ipv4.ip_dynaddr=1 >/dev/null

# Martian (spoofed, source-routed and redirect) packets are NOT logged here;
# set log_martians=1 to log them
$SYSCTL -w net.ipv4.conf.all.log_martians=0 >/dev/null

# Disable ICMP Re-directs
$SYSCTL -w net.ipv4.conf.all.accept_redirects=0 >/dev/null
$SYSCTL -w net.ipv4.conf.all.send_redirects=0 >/dev/null

# Ensure that source-routed packets are dropped
$SYSCTL -w net.ipv4.conf.all.accept_source_route=0 >/dev/null

# Ignore ICMP echo requests sent to broadcast addresses (smurf protection)
$SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1 >/dev/null

# Enable bad error message protection
$SYSCTL -w net.ipv4.icmp_ignore_bogus_error_responses=1 >/dev/null
}


###############################################################################
#
# SetPolicyToAccept
# -----------------
#
# Sets default firewall policy to accept.
#
###############################################################################

SetPolicyToAccept() {
$FW_NOTICE "Setting default policy to $FW_ACCEPT"

for TABLE in filter nat mangle; do
$IPTABLES -t $TABLE -F # Flush all previous rules.
$IPTABLES -t $TABLE -X # Delete user-defined chains.
done

$IPTABLES -P INPUT $FW_ACCEPT
$IPTABLES -P OUTPUT $FW_ACCEPT
$IPTABLES -P FORWARD $FW_ACCEPT
}


###############################################################################
#
# SetPolicyToDrop
# ---------------
#
# Sets default firewall policy to drop.
#
###############################################################################

SetPolicyToDrop() {
$FW_NOTICE "Setting default policy to DROP"

for TABLE in filter nat mangle; do
$IPTABLES -t $TABLE -F # Flush all previous rules.
$IPTABLES -t $TABLE -X # Delete user-defined chains.
done

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
}


###############################################################################
#
# DefineChains
# ------------
#
# Define any custom chains here. Custom chains include:
# - drop-reserved - for logging invalid IPs appearing on the network
# - drop-lan - for logging LAN traffic trying to escape the LAN
#
# Use the FW_DROP and FW_ACCEPT variables to override DROP and ACCEPT.
# This can be handy for troubleshooting.
#
###############################################################################

DefineChains() {
$FW_NOTICE "Defining custom chains"

# Create a default DROP for easy debugging
#-----------------------------------------
if [ "$FW_DROP" != "DROP" ]; then
$IPTABLES -N $FW_DROP
# useful for debug: $IPTABLES -t filter -A $FW_DROP -j LOG --log-prefix "Drop: "
$IPTABLES -t filter -A $FW_DROP -j $FW_DROP
fi

# Create a default ACCEPT for easy debugging
#-------------------------------------------
if [ "$FW_ACCEPT" != "ACCEPT" ]; then
$IPTABLES -N $FW_ACCEPT
# useful for debug: $IPTABLES -t filter -A $FW_ACCEPT -j LOG --log-prefix "Accept: "
$IPTABLES -t filter -A $FW_ACCEPT -j $FW_ACCEPT
fi

# Create a chain for dropping reserved network IPs
#-------------------------------------------------
$IPTABLES -N drop-reserved
# useful for debug: $IPTABLES -t filter -A drop-reserved -j LOG --log-prefix "Drop - reserved network: "
$IPTABLES -t filter -A drop-reserved -j $FW_DROP

# Create a chain for dropping services that shouldn't leave the LAN
#------------------------------------------------------------------
$IPTABLES -N drop-lan
# useful for debug: $IPTABLES -t filter -A drop-lan -j LOG --log-prefix "Drop - LAN only: "
$IPTABLES -t filter -A drop-lan -j $FW_DROP
}


###############################################################################
#
# LoadKernelModules
# -----------------
#
# Loads kernel modules. Most modules will automatically load... but
# some require a little help.
#
###############################################################################

LoadKernelModules() {
$FW_NOTICE "Loading kernel modules"

$MODPROBE ipt_LOG # Add LOG target.
$MODPROBE ipt_REJECT # Add REJECT target.
$MODPROBE ipt_MASQUERADE # Add MASQUERADE target.
$MODPROBE ipt_owner # Allows you to match for the owner.
$MODPROBE ip_conntrack_ftp # Connection tracking for FTP.
$MODPROBE ip_conntrack_irc # Connection tracking for IRC.
$MODPROBE ip_nat_ftp # Active FTP
$MODPROBE ip_nat_irc # IRC stuff

# PPTP and dependencies don't always auto-load...
# Office Edition only.
$MODPROBE ppp_generic > /dev/null 2>&1
$MODPROBE ppp_mppe > /dev/null 2>&1
$MODPROBE ip_conntrack_proto_gre > /dev/null 2>&1
$MODPROBE ip_conntrack_pptp > /dev/null 2>&1
$MODPROBE ip_nat_proto_gre > /dev/null 2>&1

# Ipp2p module (if installed)
$MODPROBE ipt_ipp2p > /dev/null 2>&1
}


###############################################################################
#
# RunAdhocRules
# -------------
#
# Run custom rules in FW_ADHOC
#
###############################################################################

RunAdhocRules() {
$FW_DEBUG "Checking for ad-hoc rules in $FW_ADHOC"

if [ -x "$FW_ADHOC" ]; then
$FW_NOTICE "Running ad-hoc rules in $FW_ADHOC"
source "$FW_ADHOC"
$FW_DEBUG "Finished ad-hoc rules in $FW_ADHOC"
fi
}


###############################################################################
#
# RunCommonRules
# --------------
#
# Rules that should be included in *all* firewall types should go here.
# This function:
# - allows all traffic on the loopback interface
# - blocks invalid IP ranges
# - allows ICMP (RFC compliance)
# - allows DHCP traffic
#
###############################################################################

RunCommonRules() {
$FW_NOTICE "Running common rules"

# Allow some ICMP (ping)
#-----------------------
# ICMP can be used for attacks... we allow as little as possible.
# The following are ICMP types we *can't* do without:
# 0 Needed to ping hosts outside the network.
# 3 Needed by all networks.
# 11 Needed by the traceroute program.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j $FW_ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j $FW_ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j $FW_ACCEPT

# This allows other hosts to ping you. You should keep this rule.
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j $FW_ACCEPT
$IPTABLES -A INPUT -p icmp -j $FW_DROP
$IPTABLES -A OUTPUT -p icmp -j $FW_ACCEPT

# UDP injection
#--------------
# TODO: run a Nessus scan for details
# $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
# $IPTABLES -A INPUT -p udp --sport 53 -j DROP

# SYN bit issues
#---------------
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow everything on the loopback
#---------------------------------
$IPTABLES -A INPUT -i lo -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o lo -j $FW_ACCEPT

# Allow everything on trusted interfaces
#---------------------------------------
if [ ! -z "$TRUSTEDIF" ]; then
$IPTABLES -A INPUT -i $TRUSTEDIF -j $FW_ACCEPT
fi
# TODO: this makes output lines below redundant
$IPTABLES -A OUTPUT -j $FW_ACCEPT

# Block IPs that should never show up on our external interface
#--------------------------------------------------------------
$IPTABLES -A INPUT -i $EXTIF -s 127.0.0.0/8 -j drop-reserved
$IPTABLES -A INPUT -i $EXTIF -s 2.0.0.0/8 -j drop-reserved
$IPTABLES -A INPUT -i $EXTIF -s 96.0.0.0/3 -j drop-reserved
$IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -j drop-reserved
$IPTABLES -A INPUT -i $EXTIF -s 223.0.0.0/8 -j drop-reserved
$IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -j drop-reserved
$IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/4 -j drop-reserved

# Allow DHCP client to respond
#-----------------------------
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p udp --dport bootpc --sport bootps -j $FW_ACCEPT
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p tcp --dport bootpc --sport bootps -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport bootpc --dport bootps -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport bootpc --dport bootps -j $FW_ACCEPT

if [ "$FW_MODE" == "dmz" ]; then
for IF in $DMZIF; do
GetInterfaceInfo $IF

# Allow DMZ DHCP clients to respond
#----------------------------------
$IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p udp --dport bootps --sport bootpc
$IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p tcp --dport bootps --sport bootpc
$IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p tcp --sport bootps --dport bootpc
$IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p udp --sport bootps --dport bootpc

# Allow DMZ DNS servers to respond
#---------------------------------
$IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p tcp --dport domain -s $IFNETWORK/$IFNETMASK
$IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p udp --dport domain -s $IFNETWORK/$IFNETMASK
$IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p tcp --sport domain -d $IFNETWORK/$IFNETMASK
$IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p udp --sport domain -d $IFNETWORK/$IFNETMASK
done
fi
}


###############################################################################
#
# RunIncomingAllowedDefaults
# --------------------------
#
###############################################################################

RunIncomingAllowedDefaults() {
$FW_NOTICE "Running default incoming rules"

# Allow high ports
#-----------------
$IPTABLES -A OUTPUT -s $EXTIP -j $FW_ACCEPT
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p udp --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j $FW_ACCEPT
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p tcp --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j $FW_ACCEPT
}


###############################################################################
#
# RunIncomingAllowed
# ------------------
#
###############################################################################

RunIncomingAllowed() {
$FW_NOTICE "Running user-defined incoming rules"

# Standard ports and port ranges
#-------------------------------
for RULE in $INCOMING_ALLOW; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
PORT=`echo $RULE | cut -d '|' -f2`
$FW_DEBUG "Allowing incoming $PROTOCOL port $PORT"
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p $PROTOCOL --dport $PORT -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p $PROTOCOL --sport $PORT -j $FW_ACCEPT
done
for RULE in $INCOMING_ALLOW_RANGE; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
RANGE=`echo $RULE | cut -d '|' -f2`
$FW_DEBUG "Allowing incoming $PROTOCOL range $RANGE"
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p $PROTOCOL --dport $RANGE -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p $PROTOCOL --sport $RANGE -j $FW_ACCEPT
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_INCOMING_ALLOW ] -eq 0 ] && continue

INPUT="-A INPUT -p $FWR_PROTO -i $EXTIF -d $EXTIP"
OUTPUT="-A OUTPUT -p $FWR_PROTO -o $EXTIF -s $EXTIP"

if [ ! -z "$FWR_ADDR" ]; then
INPUT="$INPUT -s $FWR_ADDR"
OUTPUT="$OUTPUT -d $FWR_ADDR"
fi

$FW_DEBUG ">>> Allowing incoming $FWR_PROTO port/range $FWR_PORT"
$IPTABLES $INPUT --dport $FWR_PORT -j $FW_ACCEPT
$IPTABLES $OUTPUT --sport $FWR_PORT -j $FW_ACCEPT
done

# PPTP server
#------------
if [ "$PPTP_SERVER" == "on" ]; then
$RMMOD ip_nat_pptp > /dev/null 2>&1
$FW_DEBUG ">>> Allowing incoming GRE protocol 47 for PPTP server"
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p 47 -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p 47 -j $FW_ACCEPT
$FW_DEBUG ">>> Allowing incoming TCP port 1723 for PPTP server"
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p tcp --dport 1723 -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport 1723 -j $FW_ACCEPT
else
# Temporary: disable this module
# $MODPROBE ip_nat_pptp > /dev/null 2>&1
$RMMOD ip_nat_pptp > /dev/null 2>&1
fi

# IPsec server
#-------------
if [ "$IPSEC_SERVER" == "on" ]; then
# IKE negotiations
$FW_DEBUG ">>> Allowing incoming UDP port 500 for IPsec server"
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p udp --sport 500 --dport 500 -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport 500 --dport 500 -j $FW_ACCEPT

# ESP/AH encryption and authentication
$FW_DEBUG ">>> Allowing incoming ESP/AH for IPsec server"
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p 50 -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p 50 -j $FW_ACCEPT
$IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p 51 -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p 51 -j $FW_ACCEPT

# Mark all incoming encrypted packets
$IPTABLES -t mangle -A PREROUTING -p esp -j MARK --set-mark 100

# Direct un-encrypted (already authenticated) packets to the proper chain.
# Packets destined for this box on any interface (LAN, WAN) are allowed.
$IPTABLES -A INPUT -d $EXTIP --match mark --mark 100 -j $FW_ACCEPT
for LIF in $LANIF; do
GetInterfaceInfo $LIF
$IPTABLES -A INPUT -d $IFIP --match mark --mark 100 -j $FW_ACCEPT
$IPTABLES -A OUTPUT -s $IFIP -j $FW_ACCEPT
done

# Packets destined to the LAN are allowed.
$IPTABLES -A FORWARD --match mark --mark 100 -j $FW_ACCEPT

# Do not masquerade VPN traffic
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -p esp -j $FW_ACCEPT
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -p ah -j $FW_ACCEPT
fi
}


###############################################################################
#
# RunIncomingDeniedDefaults
# -------------------------
#
# Block everything that is not already defined
#
###############################################################################

RunIncomingDeniedDefaults() {
$FW_NOTICE "Running incoming denied defaults"
$IPTABLES -A INPUT -i $EXTIF -s $FW_ALLIP -d $FW_ALLIP -j $FW_DROP
$IPTABLES -A OUTPUT -o $EXTIF -s $FW_ALLIP -d $FW_ALLIP -j $FW_DROP
}


###############################################################################
#
# RunIncomingDenied
# -----------------
#
###############################################################################

RunIncomingDenied() {
$FW_NOTICE "Running incoming denied rules"

# MAC filter rules
if [ ! -z "$WIFIF" ]; then
$FW_NOTICE "Checking for wireless MAC filtering on $WIFIF"

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_MAC_FILTER ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_WIFI ] -eq 0 ] && continue

WIFIMACFILTER="yes"
$FW_NOTICE ">>> Adding wireless MAC filtering for $FWR_ADDR"
$IPTABLES -t nat -A PREROUTING -i $WIFIF -m mac --mac-source $FWR_ADDR -j $FW_ACCEPT
done

if [ "$WIFIMACFILTER" == "yes" ]; then
$IPTABLES -t nat -A PREROUTING -i $WIFIF -j $FW_DROP
else
$FW_NOTICE "MAC filtering disabled on $WIFIF"
fi
fi

# Block host rules
for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_INCOMING_BLOCK ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_WIFI ] -ne 0 ] && continue
[ -z "$FWR_ADDR" ] && continue

$FW_DEBUG ">>> Blocking incoming host: $FWR_ADDR"
$IPTABLES -A INPUT -d $EXTIP -i $EXTIF -s $FWR_ADDR -j $FW_DROP
$IPTABLES -A OUTPUT -s $EXTIP -o $EXTIF -d $FWR_ADDR -j $FW_DROP
done

# Block P2P network rules
P2P_TYPES=""
for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_INCOMING_BLOCK ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_P2P ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue

Ipp2pType $[ $FWR_TYPE & ~($FWR_ENABLED | $FWR_P2P | $FWR_INCOMING_BLOCK) ]
P2P_TYPES=`echo $P2P_TYPES $P2P_TYPE | sort | uniq`
done

if [ ! -z "$P2P_TYPES" ]; then
$FW_DEBUG ">>> Blocking P2P network(s): $P2P_TYPES"
$IPTABLES -A FORWARD -m ipp2p $P2P_TYPES -j $FW_DROP
fi
}


###############################################################################
#
# RunOutgoingDenied
# -----------------
#
###############################################################################

RunOutgoingDenied() {
$FW_NOTICE "Running user-defined block outgoing rules"

for RULE in $OUTGOING_BLOCK; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
PORT=`echo $RULE | cut -d '|' -f2`
$FW_DEBUG "Blocking outgoing $PROTOCOL port $PORT"

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d 0/0 -p $PROTOCOL --dport $PORT -j $FW_DROP
done
done
for RULE in $OUTGOING_BLOCK_RANGE; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
RANGE=`echo $RULE | cut -d '|' -f2`
$FW_DEBUG "Blocking outgoing $PROTOCOL range $RANGE"

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d 0/0 -p $PROTOCOL --dport $RANGE -j $FW_DROP
done
done
for HOST in $OUTGOING_BLOCK_DESTS; do
$FW_DEBUG "Blocking traffic to $HOST"

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d $HOST -j $FW_DROP
done
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_OUTGOING_BLOCK ] -eq 0 ] && continue

if [ $FWR_PROTO -ne 0 ]; then
$FW_DEBUG ">>> Blocking outgoing $FWR_PROTO port $FWR_PORT"

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d 0/0 -p $FWR_PROTO --dport $FWR_PORT -j $FW_DROP
done
else
$FW_DEBUG ">>> Blocking outgoing traffic to $FWR_ADDR"

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d $FWR_ADDR -j $FW_DROP
done
fi
done
}


###############################################################################
#
# RunOutgoingDeniedDefaults
# -------------------------
#
###############################################################################

RunOutgoingDeniedDefaults() {
$FW_NOTICE "Running default block outgoing rules"

# Block services from leaving the LAN (low port numbers)
# Snort will log suspicious traffic in high port ranges
#-------------------------------------------------------
# TODO: the ipsec0 interface (or lack of one) makes this harder to implement
#$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p tcp --dport 111 # RPC stuff
#$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p udp --dport 111 # RPC stuff
#$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p tcp --dport 137:139 # Samba
#$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p udp --dport 137:139 # Samba
#$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p tcp --dport 635 # Mountd
#$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p udp --dport 635 # Mountd
}


###############################################################################
#
# RunPortForwardRules
# -------------------
#
###############################################################################

RunPortForwardRules() {
$FW_NOTICE "Running user-defined port forward rules"

for RULE in $FORWARD; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
FROMPORT=`echo $RULE | cut -d '|' -f3`
TO=`echo $RULE | cut -d '|' -f4`

TOIP=`echo $TO | cut -d ':' -f1`
TOPORT=`echo $TO | cut -d ':' -f2`

$FW_DEBUG "Port forwarding $PROTOCOL $FROMPORT to $TOIP $TOPORT"
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p $PROTOCOL --dport $FROMPORT -j DNAT --to $TO

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -t nat -A POSTROUTING -d $TOIP -p $PROTOCOL -s $IFNETWORK/$IFNETMASK --dport $FROMPORT -j SNAT --to $IFIP
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL -d $TOIP --dport $TOPORT
done
done
for RULE in $FORWARD_RANGE; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
RANGE=`echo $RULE | cut -d '|' -f3`
TOIP=`echo $RULE | cut -d '|' -f4`
$FW_DEBUG "Port forwarding $PROTOCOL range $RANGE to $TOIP"
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p $PROTOCOL --dport $RANGE -j DNAT --to $TOIP

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -t nat -A POSTROUTING -d $TOIP -p $PROTOCOL -s $IFNETWORK/$IFNETMASK --dport $RANGE -j SNAT --to $IFIP
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL -d $TOIP --dport $RANGE
done
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_FORWARD ] -eq 0 ] && continue

$FW_DEBUG ">>> Port forwarding $FWR_PROTO $FWR_PARAM to $FWR_ADDR $FWR_PORT"

if [ -z "$FWR_PORT" ]; then
DPORT=$FWR_PARAM
TO="$FWR_ADDR"
else
DPORT=$FWR_PORT
TO="$FWR_ADDR:$FWR_PORT"
fi

$IPTABLES -t nat -A PREROUTING -d $EXTIP -p $FWR_PROTO --dport $FWR_PARAM -j DNAT --to $TO

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -t nat -A POSTROUTING -d $FWR_ADDR -p $FWR_PROTO -s $IFNETWORK/$IFNETMASK --dport $FWR_PARAM -j SNAT --to $IFIP
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -d $FWR_ADDR --dport $DPORT
done
done

if [ ! -z "$PPTP_FORWARD" ]; then
$FW_DEBUG "Forwarding PPTP traffic to $PPTP_FORWARD"
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p 47 -j DNAT --to $PPTP_FORWARD
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1723 -j DNAT --to $PPTP_FORWARD

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p 47 -d $PPTP_FORWARD
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p TCP -d $PPTP_FORWARD --dport 1723
done
fi

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_PPTP_FORWARD ] -eq 0 ] && continue

$FW_DEBUG ">>> Forwarding PPTP traffic to $FWR_ADDR"
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p $FWR_PROTO -j DNAT --to $FWR_ADDR
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport $FWR_PORT -j DNAT --to $FWR_ADDR

for IF in $LANIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -d $FWR_ADDR
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p TCP -d $FWR_ADDR --dport $FWR_PORT
done

# XXX: Can only have one of these...
break
done
}


###############################################################################
#
# RunRemapPorts
# -------------
#
###############################################################################

RunRemapPorts() {
$FW_NOTICE "Running user-defined port re-map rules"

if [ "$SQUID_TRANSPARENT" == "on" ]; then
# Is a content filter in transparent mode too?
if [ ! -z "$SQUID_FILTER_TRANSPARENT" ]; then
$FW_DEBUG "Enabled Proxy+Filter transparent mode for filter port $SQUID_FILTER_TRANSPARENT"
$IPTABLES -t nat -A PREROUTING -i ! $EXTIF -p tcp -d ! $EXTIP --dport 80 -j REDIRECT --to-port $SQUID_FILTER_TRANSPARENT
$FW_DEBUG "Blocking proxy port 3128 for Proxy+Filter transparent mode"
$IPTABLES -t nat -I PREROUTING -p tcp -s ! 127.0.0.1 --dport 3128 -j $FW_DROP
else
$FW_DEBUG "Enabled proxy transparent mode"
$IPTABLES -t nat -A PREROUTING -i ! $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
fi
fi
}


###############################################################################
#
# RunCustomRules
# --------------
#
###############################################################################

RunCustomRules() {
$FW_NOTICE "Running custom rules"

for RULE in $RULES; do
FW_INPUT=""
FW_OUTPUT=""
FW_FORWARD=""
FW_PREROUTING=""

for LIF in $LANIF; do
eval "FW_FORWARD_$LIF=\"\""
eval "FW_POSTROUTING_$LIF=\"\""
done

CustomRule $RULE || continue

[ ! -z "$FW_INPUT" ] && $FW_INPUT
[ ! -z "$FW_OUTPUT" ] && $FW_OUTPUT
[ ! -z "$FW_FORWARD" ] && $FW_FORWARD
[ ! -z "$FW_PREROUTING" ] && $FW_PREROUTING

for LIF in $LANIF; do
eval "VAR=\"\$FW_FORWARD_$LIF\""
[ ! -z "$VAR" ] && $VAR
eval "VAR=\"\$FW_POSTROUTING_$LIF\""
[ ! -z "$VAR" ] && $VAR
done
done
}


###############################################################################
#
# RunBandwidthRules
# -----------------
# Initialize HTB qdisc. Set external up/down bandwidth. Create classes,
# firewall mark rules for up/down rates, and associated tc filter rules.
#
###############################################################################

RunBandwidthRules() {
[ "$BANDWIDTH_QOS" != "on" ] && return
[ -z "$BANDWIDTH_UPSTREAM" -o -z "$BANDWIDTH_DOWNSTREAM" ] && return

$FW_NOTICE "Initializing bandwidth manager: $BANDWIDTH_UPSTREAM kbits up, $BANDWIDTH_DOWNSTREAM kbits down"

# external WAN (EXTIF) and LAN (LANIF) interfaces...
$TCBIN qdisc del dev $PHYSEXTIF root handle 1: htb >/dev/null 2>&1
$TCBIN qdisc add dev $PHYSEXTIF root handle 1: htb default 2 r2q 1

for IF in $LANIF; do
$TCBIN qdisc del dev $IF root handle 1: htb >/dev/null 2>&1
$TCBIN qdisc add dev $IF root handle 1: htb default 2 r2q 1
done

# Just in case an interface role was changed
for IF in $DMZIF; do
$TCBIN qdisc del dev $IF root handle 1: htb >/dev/null 2>&1
$TCBIN qdisc add dev $IF root handle 1: htb default 2 r2q 1
done

# Class 1:1 specifies maximum upstream/downstream rates
# Class 1:2 is a low priority default class for catch-all traffic
$TCBIN class add dev $PHYSEXTIF parent 1: classid 1:1 htb \
rate "$BANDWIDTH_UPSTREAM"kbit
$TCBIN class add dev $PHYSEXTIF parent 1:1 classid 1:2 htb \
rate "$BANDWIDTH_UPSTREAM"kbit prio 7

for IF in $LANIF; do
$TCBIN class add dev $IF parent 1: classid 1:1 htb \
rate "$BANDWIDTH_DOWNSTREAM"kbit
$TCBIN class add dev $IF parent 1:1 classid 1:2 htb \
rate "$BANDWIDTH_DOWNSTREAM"kbit prio 7
done

for IF in $DMZIF; do
$TCBIN class add dev $IF parent 1: classid 1:1 htb \
rate "$BANDWIDTH_DOWNSTREAM"kbit
$TCBIN class add dev $IF parent 1:1 classid 1:2 htb \
rate "$BANDWIDTH_DOWNSTREAM"kbit prio 7
done

declare -i CLSID=10
declare -i FWMARK=0x9000

# Convert bandwidth rules to classes
for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_P2P ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_BANDWIDTH_MARK ] -eq 0 ] && continue

BW_PRIO=`echo $FWR_PARAM | cut -d':' -f1`
BW_UPSTREAM=`echo $FWR_PARAM | cut -d':' -f2`
BW_DOWNSTREAM=`echo $FWR_PARAM | cut -d':' -f3`

# Create upstream FORWARD MARK rules
if [ ! -z "$BW_UPSTREAM" ]; then
BW_MATCH=""
STR_FWMARK=`printf "0x%04x" $FWMARK`
$FW_DEBUG ">>> HTB Class 1:$CLSID, mark: $STR_FWMARK, priority: $BW_PRIO, $BW_UPSTREAM kbits up"

# Create class
$TCBIN class add dev $PHYSEXTIF parent 1:1 classid 1:$CLSID htb rate \
"$BW_UPSTREAM"kbit prio $BW_PRIO

# Create rule
BW_RULE="-A FORWARD -t mangle -i ! $EXTIF -j MARK --set-mark $STR_FWMARK"

# Handle IP range
HI_ADDR=`echo $FWR_ADDR | cut -d':' -f2`

if [ -z "$HI_ADDR" ]; then
# Single IP, or IP/netmask
if [ ! -z "$FWR_ADDR" ]; then
BW_MATCH="-s $FWR_ADDR"
fi

if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
BW_MATCH="$BW_MATCH --dport $FWR_PORT"
fi

if [ -z "$BW_MATCH" ]; then
$FW_WARNING "Invalid bandwidth match criteria."
else
$IPTABLES $BW_RULE -p TCP $BW_MATCH
$IPTABLES $BW_RULE -p UDP $BW_MATCH

# Create filter
$TCBIN filter add dev $PHYSEXTIF protocol ip parent 1:0 \
prio 1 handle $STR_FWMARK fw classid 1:$CLSID
fi
else
# IP range
LO_ADDR=`echo $FWR_ADDR | cut -d':' -f1`

Ip2Bin $LO_ADDR || continue
LO_ADDR=$BIN
Ip2Bin $HI_ADDR || continue
HI_ADDR=$BIN

while [ $LO_ADDR -le $HI_ADDR ]; do
Bin2Ip $LO_ADDR || continue

BW_MATCH="-s $A.$B.$C.$D"

if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
BW_MATCH="$BW_MATCH --dport $FWR_PORT"
fi

$IPTABLES $BW_RULE -p TCP $BW_MATCH
$IPTABLES $BW_RULE -p UDP $BW_MATCH

# Create filter
$TCBIN filter add dev $PHYSEXTIF protocol ip parent 1:0 \
prio 1 handle $STR_FWMARK fw classid 1:$CLSID

LO_ADDR=$[ $LO_ADDR + 1];
done
fi

CLSID=$[ $CLSID + 1 ]
FWMARK=$[ $FWMARK + 1 ]
fi

# Create downstream FORWARD MARK rules
if [ ! -z "$BW_DOWNSTREAM" ]; then
BW_MATCH=""
STR_FWMARK=`printf "0x%04x" $FWMARK`
$FW_DEBUG ">>> HTB Class 1:$CLSID, mark: $STR_FWMARK, priority: $BW_PRIO, $BW_DOWNSTREAM kbits down"

# Create class
for IF in $LANIF; do
$TCBIN class add dev $IF parent 1:1 classid 1:$CLSID htb rate \
"$BW_DOWNSTREAM"kbit prio $BW_PRIO
done

# Create class
for IF in $DMZIF; do
$TCBIN class add dev $IF parent 1:1 classid 1:$CLSID htb rate \
"$BW_DOWNSTREAM"kbit prio $BW_PRIO
done

# Create rule
BW_RULE="-A FORWARD -t mangle -i $EXTIF -j MARK --set-mark $STR_FWMARK"

# Check for IP range
HI_ADDR=`echo $FWR_ADDR | cut -d':' -f2`

if [ -z "$HI_ADDR" ]; then
# Single IP, or IP/netmask
if [ ! -z "$FWR_ADDR" ]; then
BW_MATCH="-d $FWR_ADDR"
fi

if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
BW_MATCH="$BW_MATCH --sport $FWR_PORT"
fi

if [ -z "$BW_MATCH" ]; then
$FW_WARNING "Invalid bandwidth match criteria."
else
$IPTABLES $BW_RULE -p TCP $BW_MATCH
$IPTABLES $BW_RULE -p UDP $BW_MATCH

# Create filter for LAN
for IF in $LANIF; do
$TCBIN filter add dev $IF protocol ip parent 1:0 \
prio 1 handle $STR_FWMARK fw classid 1:$CLSID
done

# Create filter for DMZ
for IF in $DMZIF; do
$TCBIN filter add dev $IF protocol ip parent 1:0 \
prio 1 handle $STR_FWMARK fw classid 1:$CLSID
done
fi
else
# IP range
LO_ADDR=`echo $FWR_ADDR | cut -d':' -f1`

Ip2Bin $LO_ADDR || continue
LO_ADDR=$BIN
Ip2Bin $HI_ADDR || continue
HI_ADDR=$BIN

while [ $LO_ADDR -le $HI_ADDR ]; do
Bin2Ip $LO_ADDR || continue

BW_MATCH="-d $A.$B.$C.$D"

if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
BW_MATCH="$BW_MATCH --sport $FWR_PORT"
fi

$IPTABLES $BW_RULE -p TCP $BW_MATCH
$IPTABLES $BW_RULE -p UDP $BW_MATCH

# Create filter for LAN
for IF in $LANIF; do
$TCBIN filter add dev $IF protocol ip parent 1:0 \
prio 1 handle $STR_FWMARK fw classid 1:$CLSID
done

# Create filter for DMZ
for IF in $DMZIF; do
$TCBIN filter add dev $IF protocol ip parent 1:0 \
prio 1 handle $STR_FWMARK fw classid 1:$CLSID
done

LO_ADDR=$[ $LO_ADDR + 1];
done
fi

# Handle transparent squid mode
if [ "$SQUID_TRANSPARENT" == "on" ]; then
BW_MATCH=""

if [ ! -z "$FWR_ADDR" ]; then
BW_MATCH="-d $FWR_ADDR"
fi

if [ -z "$FWR_PORT" -o "$FWR_PORT" == "80" ]; then
$IPTABLES -A OUTPUT -t mangle -p TCP \
$BW_MATCH --sport 3128 -j MARK --set-mark $STR_FWMARK
fi
fi

CLSID=$[ $CLSID + 1 ]
FWMARK=$[ $FWMARK + 1 ]
fi
done
}


###############################################################################
#
# RunDMZPinhole
# -------------
#
###############################################################################

RunDMZPinhole() {
$FW_NOTICE "Running DMZ pinhole rules"
for RULE in $DMZ_PINHOLE; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
IP=`echo $RULE | cut -d '|' -f2`
PORT=`echo $RULE | cut -d '|' -f3`

if [ "$PORT" == "0" ]; then
$FW_DEBUG "Adding DMZ pinhole $PROTOCOL $IP"

for LIF in $LANIF; do
for DIF in $DMZIF; do
GetInterfaceInfo $DIF
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $LIF -o $DIF -p $PROTOCOL -s $IP -d $IFNETWORK/$IFNETMASK
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $DIF -o $LIF -p $PROTOCOL -s $IFNETWORK/$IFNETMASK -d $IP
done
done
else
$FW_DEBUG "Adding DMZ pinhole $PROTOCOL $IP:$PORT"

for LIF in $LANIF; do
for DIF in $DMZIF; do
GetInterfaceInfo $DIF
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $LIF -o $DIF -p $PROTOCOL --sport $PORT -s $IP -d $IFNETWORK/$IFNETMASK
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $DIF -o $LIF -p $PROTOCOL --dport $PORT -s $IFNETWORK/$IFNETMASK -d $IP
done
done
fi
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_DMZ_PINHOLE ] -eq 0 ] && continue

for LIF in $LANIF; do
for DIF in $DMZIF; do
GetInterfaceInfo $DIF
LAN="-A FORWARD -j $FW_ACCEPT -i $LIF -o $DIF -p $FWR_PROTO -s $FWR_ADDR -d $IFNETWORK/$IFNETMASK"
DMZ="-A FORWARD -j $FW_ACCEPT -i $DIF -o $LIF -p $FWR_PROTO -s $IFNETWORK/$IFNETMASK -d $FWR_ADDR"

if [ -z "$FWR_PORT" ]; then
$FW_DEBUG ">>> Adding DMZ pinhole $LIF -> $DIF: $FWR_PROTO $FWR_ADDR"
$IPTABLES $LAN
$IPTABLES $DMZ
else
$FW_DEBUG ">>> Adding DMZ pinhole $LIF -> $DIF: $FWR_PROTO $FWR_ADDR:$FWR_PORT"
$IPTABLES $LAN --sport $FWR_PORT
$IPTABLES $DMZ --dport $FWR_PORT
fi
done
done
done
}


###############################################################################
#
# RunDMZIncoming
# --------------
#
###############################################################################

RunDMZIncoming() {
$FW_NOTICE "Running DMZ incoming rules"

# Selective ports/IPs open in DMZ
#--------------------------------
for RULE in $DMZ_INCOMING; do
PROTOCOL=`echo $RULE | cut -d '|' -f1`
IP=`echo $RULE | cut -d '|' -f2`
PORT=`echo $RULE | cut -d '|' -f3`

if [ "$PORT" == "0" ]; then
$FW_DEBUG "Adding DMZ incoming $PROTOCOL $IP"

for IF in $DMZIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $IF -o $EXTIF -p $PROTOCOL -s $IP -d $FW_ALLIP
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL -s $FW_ALLIP -d $IP
done
else
$FW_DEBUG "Adding DMZ incoming $PROTOCOL $IP:$PORT"

for IF in $DMZIF; do
GetInterfaceInfo $IF
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $IF -o $EXTIF -p $PROTOCOL --sport $PORT -s $IP -d $FW_ALLIP
$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL --dport $PORT -s $FW_ALLIP -d $IP
done
fi
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_DMZ_INCOMING ] -eq 0 ] && continue

for IF in $DMZIF; do
GetInterfaceInfo $IF

INPUT="-A FORWARD -j $FW_ACCEPT -i $IF -o $EXTIF -p $FWR_PROTO -s $FWR_ADDR -d $FW_ALLIP"
OUTPUT="-A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -s $FW_ALLIP -d $FWR_ADDR"

if [ -z "$FWR_PORT" ]; then
$FW_DEBUG ">>> Adding DMZ incoming $IF: $FWR_PROTO $FWR_ADDR"
$IPTABLES $INPUT
$IPTABLES $OUTPUT
else
$FW_DEBUG ">>> Adding DMZ incoming $IF: $FWR_PROTO $FWR_ADDR:$FWR_PORT"
$IPTABLES $INPUT --sport $FWR_PORT
$IPTABLES $OUTPUT --dport $FWR_PORT
fi
done
done
}

###############################################################################
#
# RunOneToOneNAT
# --------------
#
# This function enables 1:1 NAT for a particular host on your private
# network. You obviously need to have an additional public IP address
# from your ISP in order to use this feature (aside from the IP address
# assigned to your external interface). This is mostly un-tested, but
# is known to work in most cases. Currently no support is included to
# firewall the public IP. There are some static rules that block most
# dangerous Microsoft Windows services. You can add additional ports
# to /etc/rc.d/rc.firewall.local for the time being.
#
###############################################################################

RunOneToOneNAT() {

# Two types of 1-to-1 NAT are supported
#
# Type 1:
# - You do not require aliased IPs on your WAN interface
#
# Type 2:
# - You do require aliased IPs on your WAN interface
# - Virtual IPs auto-configured (starting at ethX:200)
#----------------------------------------------------------------

# Clear any existing IP aliases above 200 (e.g. eth0:200)
#--------------------------------------------------------

OLDALIASLIST=`ifconfig | grep "^$EXTIF:2[0-9][0-9]" | awk '{ print $1 }'`
for ALIAS in $OLDALIASLIST; do
$FW_NOTICE "Resetting 1-to-1 NAT alias: $ALIAS"
ifconfig $ALIAS down 2>/dev/null
done

# Reset IP aliases for type 2 1-to-1 NAT
#---------------------------------------

if ( [ "$ONE_TO_ONE_NAT_MODE" == "TYPE2" ] || [ "$ONE_TO_ONE_NAT_MODE" == "type2" ] ); then

# Multiple external IPs are listed... determine unique IPs
#---------------------------------------------------------

NEWALIASLIST=""
RULELIST="$ONE_TO_ONE_NAT $ONE_TO_ONE_NAT_PORT"

for RULE in $RULELIST; do
ALIASIP=`echo $RULE | cut -d '|' -f 2`
# Whole-word, literal match so 10.0.0.1 does not "find" 10.0.0.10
CHECKUNIQUE=`echo $NEWALIASLIST | grep -wF $ALIASIP`
if [ -z "$CHECKUNIQUE" ]; then
NEWALIASLIST="$ALIASIP $NEWALIASLIST"
fi
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_ONE_TO_ONE ] -eq 0 ] && continue

CHECKUNIQUE=`echo $NEWALIASLIST | grep -wF $FWR_ADDR`
if [ -z "$CHECKUNIQUE" ]; then
NEWALIASLIST="$FWR_ADDR $NEWALIASLIST"
fi
done

# Create aliases
#---------------

NETMASK=`ifconfig $EXTIF | grep -A 1 "^$EXTIF " | grep -v $EXTIF | cut -d ':' -f4`
COUNT="200"
for ALIAS in $NEWALIASLIST; do
$FW_NOTICE "Creating alias IP $ALIAS for 1-to-1 NAT"
ifconfig $EXTIF:$COUNT $ALIAS netmask $NETMASK up
COUNT=`expr $COUNT + 1`
done
fi

# Run 1-to-1 NAT iptables rules (single port only)
#-------------------------------------------------

NAT_PORT_IPS=""

for RULE in $ONE_TO_ONE_NAT_PORT; do
NAT_INTIP=`echo $RULE | cut -d '|' -f1`
NAT_EXTIP=`echo $RULE | cut -d '|' -f2`
NAT_PROTOCOL=`echo $RULE | cut -d '|' -f3`
NAT_PORT=`echo $RULE | cut -d '|' -f4`
$FW_NOTICE "Enabling 1:1 NAT $NAT_INTIP - $NAT_EXTIP $NAT_PROTOCOL $NAT_PORT"

CHECKUNIQUE=`echo $NAT_PORT_IPS | grep -wF $NAT_INTIP`
if [ -z "$CHECKUNIQUE" ]; then
# Record the host so the NAT and ICMP rules are added once per internal IP,
# not once per port rule
NAT_PORT_IPS="$NAT_INTIP $NAT_PORT_IPS"
# SNAT required for type 1 only?
$IPTABLES -A PREROUTING -t nat -d $NAT_EXTIP -j DNAT --to $NAT_INTIP
$IPTABLES -A POSTROUTING -t nat -s $NAT_INTIP -j SNAT --to $NAT_EXTIP
$IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 0 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 3 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 8 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 11 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $NAT_INTIP -p icmp -j $FW_DROP
fi

$IPTABLES -A FORWARD -p $NAT_PROTOCOL -d $NAT_INTIP --dport $NAT_PORT -j $FW_ACCEPT
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_ONE_TO_ONE ] -eq 0 ] && continue
[ -z "$FWR_PORT" ] && continue

$FW_NOTICE ">>> Enabling 1:1 NAT $FWR_PARAM - $FWR_ADDR $FWR_PROTO $FWR_PORT"

CHECKUNIQUE=`echo $NAT_PORT_IPS | grep -wF $FWR_PARAM`
if [ -z "$CHECKUNIQUE" ]; then
# Record the host so the NAT and ICMP rules are added once per internal IP
NAT_PORT_IPS="$FWR_PARAM $NAT_PORT_IPS"
# SNAT required for type 1 only?
$IPTABLES -A PREROUTING -t nat -d $FWR_ADDR -j DNAT --to $FWR_PARAM
$IPTABLES -A POSTROUTING -t nat -s $FWR_PARAM -j SNAT --to $FWR_ADDR
$IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 0 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 3 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 8 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 11 -j $FW_ACCEPT
$IPTABLES -A FORWARD -d $FWR_PARAM -p icmp -j $FW_DROP
fi

$IPTABLES -A FORWARD -p $FWR_PROTO -d $FWR_PARAM --dport $FWR_PORT -j $FW_ACCEPT
done

# Run 1-to-1 NAT iptables rules (wide open)
#------------------------------------------

for RULE in $ONE_TO_ONE_NAT; do
NAT_INTIP=`echo $RULE | cut -d '|' -f1`
NAT_EXTIP=`echo $RULE | cut -d '|' -f2`
$FW_NOTICE "Enabling 1:1 NAT $NAT_INTIP - $NAT_EXTIP"

# SNAT required for type 1 only?
$IPTABLES -A PREROUTING -t nat -d $NAT_EXTIP -j DNAT --to $NAT_INTIP
$IPTABLES -A POSTROUTING -t nat -s $NAT_INTIP -j SNAT --to $NAT_EXTIP
$IPTABLES -A FORWARD -d $NAT_INTIP -j $FW_ACCEPT
done

for RULE in $RULES; do
ExpandRule $RULE
[ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
[ $[ $FWR_TYPE & $FWR_ONE_TO_ONE ] -eq 0 ] && continue
[ ! -z "$FWR_PORT" ] && continue

$FW_NOTICE ">>> Enabling 1:1 NAT $FWR_PARAM - $FWR_ADDR"

# SNAT required for type 1 only?
$IPTABLES -A PREROUTING -t nat -d $FWR_ADDR -j DNAT --to $FWR_PARAM
$IPTABLES -A POSTROUTING -t nat -s $FWR_PARAM -j SNAT --to $FWR_ADDR
$IPTABLES -A FORWARD -d $FWR_PARAM -j $FW_ACCEPT
done
}


###############################################################################
#
# Abort
# -----
# Upon a fatal error, set policies to DROP and open port 81 (webconfig)
# and 22 (ssh).
#
###############################################################################

Abort() {
echo $@
$FW_ERROR "$@"
echo "Setting default policies to DROP..."
$FW_NOTICE "Setting default policies to DROP..."

SetPolicyToDrop

# Allow ping for diagnostics
$IPTABLES -A INPUT -p icmp -j $FW_ACCEPT
$IPTABLES -A OUTPUT -p icmp -j $FW_ACCEPT

# Open 81 and 22
$IPTABLES -I INPUT -j $FW_ACCEPT -p TCP --dport 81
$IPTABLES -I OUTPUT -j $FW_ACCEPT -p TCP --sport 81
$IPTABLES -I INPUT -j $FW_ACCEPT -p TCP --dport 22
$IPTABLES -I OUTPUT -j $FW_ACCEPT -p TCP --sport 22

# Allow DHCP to startup
$IPTABLES -A INPUT -p udp --dport bootpc --sport bootps -j $FW_ACCEPT
$IPTABLES -A INPUT -p tcp --dport bootpc --sport bootps -j $FW_ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport bootpc --dport bootps -j $FW_ACCEPT
$IPTABLES -A OUTPUT -p udp --sport bootpc --dport bootps -j $FW_ACCEPT

# Allow high ports
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -j $FW_ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j $FW_ACCEPT

# Allow everything on the loopback
$IPTABLES -A INPUT -i lo -j $FW_ACCEPT
$IPTABLES -A OUTPUT -o lo -j $FW_ACCEPT

exit 1
}


###############################################################################
#
# GetInterfaceInfo
# ----------------
#
# Sets variables containing an interface's IP address, network, and
# netmask (IFIP, IFNETWORK, IFNETMASK, and IFPREFIX). First attempt to
# use /etc/sysconfig/network-scripts/ifcfg-xxx, then try getting the
# "live" configuration using 'ip'.
#
###############################################################################

GetInterfaceInfo() {
IFIP=
IFNETMASK=
IFNETWORK=
IFPREFIX=

if [ -f /etc/sysconfig/network-scripts/ifcfg-$1 ]; then
IPADDR=
NETMASK=

source /etc/sysconfig/network-scripts/ifcfg-$1

if ( [ ! -z "$IPADDR" ] && [ ! -z "$NETMASK" ] ); then
IFIP=$IPADDR
IFNETMASK=$NETMASK
IFNETWORK=`$IPCALC --network $IFIP $IFNETMASK | sed s/NETWORK=//i`
IFPREFIX=`$IPCALC --prefix $IFIP $IFNETMASK | sed s/PREFIX=//i`
else
$FW_DEBUG "Obtaining interface configuration directly from device $1"
ADDR=`$IPBIN addr show dev $1 | grep $1$ | awk '{ print $2 }'`
IFIP=`echo $ADDR | cut -d/ -f1`

if [ ! -z "$IFIP" ]; then
# PPPOEKLUDGE -- could make this more generic
if [ "$1" == "ppp0" ]; then
$FW_DEBUG "Detected PPPoE/point-to-point interface, making adjustments"
IFNETMASK="255.255.255.255"
IFNETWORK=$IFIP
IFPREFIX="32"
elif [ ! -z "$ADDR" ]; then
IFPREFIX=`echo $ADDR | cut -d/ -f2`
IFNETWORK=`$IPCALC --network $ADDR | sed s/NETWORK=//i`
IFNETMASK=`$IPCALC --netmask $ADDR | sed s/NETMASK=//i`
fi
fi
fi
else
$FW_DEBUG "Obtaining interface configuration directly from device $1"
ADDR=`$IPBIN addr show dev $1 | grep $1$ | awk '{ print $2 }'`
IFIP=`echo $ADDR | cut -d/ -f1`

if [ ! -z "$IFIP" ]; then
# PPPOEKLUDGE
if [ "$1" == "ppp0" ]; then
$FW_DEBUG "Detected PPPoE/point-to-point interface, making adjustments"
IFNETMASK="255.255.255.255"
IFNETWORK=$IFIP
IFPREFIX="32"
elif [ ! -z "$ADDR" ]; then
IFPREFIX=`echo $ADDR | cut -d/ -f2`
IFNETWORK=`$IPCALC --network $ADDR | sed s/NETWORK=//i`
IFNETMASK=`$IPCALC --netmask $ADDR | sed s/NETMASK=//i`
fi
fi
fi

if [ -z "$IFIP" ]; then
Abort "Unable to determine IP address for: $1"
fi

if [ -z "$IFNETMASK" ]; then
Abort "Unable to determine netmask for: $1"
fi

if [ -z "$IFNETWORK" ]; then
Abort "Unable to determine network address for: $1"
fi

if [ -z "$IFPREFIX" ]; then
Abort "Unable to determine prefix for: $1"
fi
}


###############################################################################
#
# ExpandRule
# ----------
#
###############################################################################

ExpandRule() {
if [ $# -ne 1 ]; then
$FW_ERROR "Required argument missing."
return 1
fi

FWR_TYPE=`echo $1 | cut -d\| -f3`
FWR_PROTO=`echo $1 | cut -d\| -f4`
FWR_ADDR=`echo $1 | cut -d\| -f5`
FWR_PORT=`echo $1 | cut -d\| -f6`
FWR_PARAM=`echo $1 | cut -d\| -f7`

return 0
}


###############################################################################
#
# CustomRule
# ----------
# Build a custom firewall rule.
#
###############################################################################

CustomRule() {
if [ $# -ne 1 ]; then
$FW_ERROR "Required argument missing."
return 1
fi

ExpandRule $1 || return 1
[ $[ $FWR_TYPE & $FWR_CUSTOM ] -eq 0 ] && return 1

DST_ADDR=""
DST_PORT=""

if [ ! -z "$FWR_PARAM" ]; then
echo "$FWR_PARAM" | grep "_" >/dev/null 2>&1

if [ $? -eq 0 ]; then
DST_ADDR=`echo $FWR_PARAM | cut -d'_' -f1`
DST_PORT=`echo $FWR_PARAM | cut -d'_' -f2`
else
DST_ADDR=$FWR_PARAM
fi
fi

if [ $[ $FWR_TYPE & $FWR_INCOMING_ALLOW ] -ne 0 ]; then
INPUT="-I INPUT -p $FWR_PROTO -i $EXTIF"
OUTPUT="-I OUTPUT -p $FWR_PROTO -o $EXTIF"

if [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -eq 0 ]; then
INPUT="$INPUT -s $FWR_ADDR"
OUTPUT="$OUTPUT -d $FWR_ADDR"
elif [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -ne 0 ]; then
INPUT="$INPUT -m mac --mac-source $FWR_ADDR"
fi

if [ ! -z "$DST_ADDR" ]; then
INPUT="$INPUT -d $DST_ADDR"
OUTPUT="$OUTPUT -s $DST_ADDR"
fi

if [ ! -z "$FWR_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
INPUT="$INPUT --dport $FWR_PORT"
OUTPUT="$OUTPUT --sport $FWR_PORT"
fi

if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
INPUT="$INPUT --sport $DST_PORT"
OUTPUT="$OUTPUT --dport $DST_PORT"
fi

FW_INPUT="$IPTABLES $INPUT -j $FW_ACCEPT"; INPUT=""
FW_OUTPUT="$IPTABLES $OUTPUT -j $FW_ACCEPT"; OUTPUT=""
elif [ $[ $FWR_TYPE & $FWR_INCOMING_BLOCK ] -ne 0 ]; then
INPUT="-I INPUT -i $EXTIF -p $FWR_PROTO"
OUTPUT="-I OUTPUT -o $EXTIF -p $FWR_PROTO"

if [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -eq 0 ]; then
INPUT="$INPUT -s $FWR_ADDR"
OUTPUT="$OUTPUT -d $FWR_ADDR"
elif [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -ne 0 ]; then
INPUT="$INPUT -m mac --mac-source $FWR_ADDR"
fi

if [ ! -z "$DST_ADDR" ]; then
INPUT="$INPUT -d $DST_ADDR"
OUTPUT="$OUTPUT -s $DST_ADDR"
fi

if [ ! -z "$FWR_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
INPUT="$INPUT --dport $FWR_PORT"
OUTPUT="$OUTPUT --sport $FWR_PORT"
fi

if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
INPUT="$INPUT --sport $DST_PORT"
OUTPUT="$OUTPUT --dport $DST_PORT"
fi

FW_INPUT="$IPTABLES $INPUT -j $FW_DROP"; INPUT=""
FW_OUTPUT="$IPTABLES $OUTPUT -j $FW_DROP"; OUTPUT=""
elif [ $[ $FWR_TYPE & $FWR_OUTGOING_BLOCK ] -ne 0 ]; then
FORWARD="-I FORWARD -p $FWR_PROTO"

if [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -eq 0 ]; then
FORWARD="$FORWARD -s $FWR_ADDR"
elif [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -ne 0 ]; then
FORWARD="$FORWARD -m mac --mac-source $FWR_ADDR"
fi

if [ ! -z "$DST_ADDR" ]; then
FORWARD="$FORWARD -d $DST_ADDR"
fi

if [ ! -z "$FWR_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
FORWARD="$FORWARD --dport $FWR_PORT"
fi

if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
FORWARD="$FORWARD --sport $DST_PORT"
fi

FW_FORWARD="$IPTABLES $FORWARD -j $FW_DROP"; FORWARD=""
elif [ $[ $FWR_TYPE & $FWR_FORWARD ] -ne 0 ]; then
PREROUTING="-I PREROUTING -t nat -d $EXTIP -p $FWR_PROTO"

#$IPTABLES -A PREROUTING -t nat -d $EXTIP -p $FWR_PROTO --dport $FWR_PARAM -j DNAT --to $FWR_ADDR

if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
PREROUTING="$PREROUTING --dport $FWR_PORT"
fi

if [ ! -z "$FWR_ADDR" ]; then
PREROUTING="$PREROUTING -j DNAT --to $FWR_ADDR"
fi

FW_PREROUTING="$IPTABLES $PREROUTING"; PREROUTING=""

for LIF in $LANIF; do
GetInterfaceInfo $LIF

#$IPTABLES -t nat -A POSTROUTING -d $FWR_ADDR -p $FWR_PROTO -s $IFNETWORK/$IFNETMASK --dport $FWR_PARAM -j SNAT --to $IFIP
POSTROUTING="-I POSTROUTING -t nat -p $FWR_PROTO"

if [ ! -z "$FWR_ADDR" ]; then
POSTROUTING="$POSTROUTING -d $FWR_ADDR"
fi

POSTROUTING="$POSTROUTING -s $IFNETWORK/$IFNETMASK"

if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
POSTROUTING="$POSTROUTING --dport $DST_PORT"
fi

POSTROUTING="$POSTROUTING -j SNAT --to $IFIP"

eval "FW_POSTROUTING_$LIF=\"$IPTABLES $POSTROUTING\""; POSTROUTING=""

#$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -d $FWR_ADDR --dport $PORT
FORWARD="-I FORWARD -i $EXTIF -o $LIF -p $FWR_PROTO"

if [ ! -z "$FWR_ADDR" ]; then
FORWARD="$FORWARD -d $FWR_ADDR"
fi

if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
FORWARD="$FORWARD --dport $DST_PORT"
fi

FORWARD="$FORWARD -j $FW_ACCEPT"

eval "FW_FORWARD_$LIF=\"$IPTABLES $FORWARD\""; FORWARD=""
done
else
$FW_ERROR "Invalid custom firewall type."
return 1
fi

return 0
}


###############################################################################
#
# HTBStatus
#
###############################################################################

HTBStatus() {
echo "EXT - $PHYSEXTIF"
$TCBIN -s -d qdisc show dev $PHYSEXTIF
echo
$TCBIN -s -d class show dev $PHYSEXTIF
$TCBIN -s -d filter show dev $PHYSEXTIF
echo

for IF in $LANIF; do
echo "LAN - $IF"
$TCBIN -s -d qdisc show dev $IF
echo
$TCBIN -s -d class show dev $IF
$TCBIN -s -d filter show dev $IF
echo
done

for IF in $DMZIF; do
echo "DMZ - $IF"
$TCBIN -s -d qdisc show dev $IF
echo
$TCBIN -s -d class show dev $IF
$TCBIN -s -d filter show dev $IF
echo
done
}


###############################################################################
#
# Ip2Bin
# Convert IPv4 address to decimal number
#
###############################################################################

Ip2Bin() {
if [ "$#" != "1" ]; then
$FW_ERROR "Invalid argument count."
return 1
fi

A=`echo $1 | cut -d'.' -f1`
B=`echo $1 | cut -d'.' -f2`
C=`echo $1 | cut -d'.' -f3`
D=`echo $1 | cut -d'.' -f4`

# Pack the four octets into one 32-bit integer (the third shift is by 8 bits)
BIN=$[ ($A << 24) + ($B << 16) + ($C << 8) + $D ]

return 0
}


###############################################################################
#
# Bin2Ip
# Convert a decimal number to an IPv4 address
#
###############################################################################

Bin2Ip() {
if [ "$#" != "1" ]; then
$FW_ERROR "Invalid argument count."
return 1
fi

BIN=$1

A=$[ $BIN >> 24 ]
BIN=$[ $BIN - ($BIN & 0xff000000) ]
B=$[ $BIN >> 16 ]
BIN=$[ $BIN - ($BIN & 0x00ff0000) ]
C=$[ $BIN >> 8 ]
BIN=$[ $BIN - ($BIN & 0x0000ff00) ]
D=$BIN
}


###############################################################################
#
# Ipp2pType
# Convert a P2P network flag to the corresponding ipp2p match option
#
###############################################################################

Ipp2pType() {
if [ "$#" != "1" ]; then
$FW_ERROR "Invalid argument count."
return 1
fi

case $1 in
$FWR_P2P_EDK)
P2P_TYPE="--edk"
;;
$FWR_P2P_KAZAA)
P2P_TYPE="--kazaa"
;;
$FWR_P2P_GNU)
P2P_TYPE="--gnu"
;;
$FWR_P2P_DC)
P2P_TYPE="--dc"
;;
$FWR_P2P_BIT)
P2P_TYPE="--bit"
;;
$FWR_P2P_APPLE)
P2P_TYPE="--apple"
;;
$FWR_P2P_WINMX)
P2P_TYPE="--winmx"
;;
$FWR_P2P_SOUL)
P2P_TYPE="--soul"
;;
$FWR_P2P_ARES)
P2P_TYPE="--ares"
;;
*)
# Do not leave a stale P2P_TYPE from a previous call behind
P2P_TYPE=""
$FW_ERROR "Invalid P2P network type: $1"
return 1
;;
esac
}


###############################################################################
#
# F I R E W A L L S
#
###############################################################################

###############################################################################
#
# T R U S T E D S T A N D A L O N E
#
# A "trusted standalone" firewall isn't a firewall at all. All traffic
# is allowed in and out of the machine. Use this firewall for
# machines running on a local network.
#
###############################################################################

trustedstandalone() {
$FW_NOTICE "Using trusted standalone mode (no firewall)"

LoadKernelModules
DefineChains
SetKernelSettings
SetPolicyToAccept
RunAdhocRules
RunCustomRules

# FIXME: late change to 3.0 release
# - If the box is in standalone mode, don't load the ip_nat_pptp module
if [ "$FW_MODE" == "trustedstandalone" ]; then
$RMMOD ip_nat_pptp > /dev/null 2>&1
fi
}


###############################################################################
#
# S T A N D A L O N E
#
# A "standalone" firewall is designed for a server that sits on the
# Internet (or an untrusted LAN). Allowed ports must be defined in
# /etc/firewalla (INCOMING_ALLOW or INCOMING_ALLOW_RANGE).
#
###############################################################################

standalone() {
$FW_NOTICE "Using standalone mode"

SetKernelSettings
SetPolicyToDrop
LoadKernelModules
DefineChains
RunCommonRules
RunAdhocRules
RunIncomingAllowed
RunIncomingAllowedDefaults
RunIncomingDenied
RunIncomingDeniedDefaults
RunCustomRules
}


###############################################################################
#
# G A T E W A Y F I R E W A L L
#
###############################################################################

gateway() {
$FW_NOTICE "Using gateway mode"

SetKernelSettings
SetPolicyToDrop
LoadKernelModules
DefineChains
RunCommonRules
RunAdhocRules
RunRemapPorts
RunIncomingDenied
RunIncomingAllowed
RunIncomingAllowedDefaults
RunIncomingDeniedDefaults
RunPortForwardRules
RunOutgoingDenied
RunOutgoingDeniedDefaults
RunBandwidthRules
RunOneToOneNAT
RunCustomRules

# Enable masquerading
#--------------------
$IPTABLES -A POSTROUTING -t nat -j MASQUERADE -o $EXTIF
$IPTABLES -A FORWARD -i $TRUSTEDIF -j $FW_ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j $FW_ACCEPT

# Drop everything else
#---------------------
$IPTABLES -A FORWARD -j $FW_DROP
}


###############################################################################
#
# T R U S T E D G A T E W A Y
#
###############################################################################

trustedgateway() {
$FW_NOTICE "Using trusted gateway mode"

LoadKernelModules
SetKernelSettings
SetPolicyToAccept
RunBandwidthRules

# Enable masquerading
$IPTABLES -A POSTROUTING -t nat -j MASQUERADE -o $EXTIF
}


###############################################################################
#
# D M Z
#
###############################################################################

dmz() {
$FW_NOTICE "Using dmz mode"

SetKernelSettings
SetPolicyToDrop
LoadKernelModules
DefineChains
RunCommonRules
RunAdhocRules
RunRemapPorts
RunIncomingDenied
RunIncomingAllowed
RunIncomingAllowedDefaults
RunIncomingDeniedDefaults
RunPortForwardRules
RunOutgoingDenied
RunOutgoingDeniedDefaults
RunBandwidthRules
RunDMZPinhole
RunDMZIncoming
RunOneToOneNAT
RunCustomRules

# LAN: enable masquerading
#-------------------------

for LIF in $LANIF; do
GetInterfaceInfo $LIF
LIFNETWORK=$IFNETWORK
LIFPREFIX=$IFPREFIX
$IPTABLES -A POSTROUTING -t nat -j MASQUERADE -o $EXTIF -s $LIFNETWORK/$LIFPREFIX
done

# DMZ: enable forwarding
#-----------------------

GetInterfaceInfo $EXTIF
EXTNETWORK=$IFNETWORK
EXTPREFIX=$IFPREFIX

for DIF in $DMZIF; do
GetInterfaceInfo $DIF

# Proxy ARP mode -- only 1 DMZ interface supported!
#--------------------------------------------------

if ( [ "$EXTNETWORK" == "$IFNETWORK" ] && [ "$EXTPREFIX" == "$IFPREFIX" ] ); then
$FW_NOTICE "Detected proxy ARP mode"
$SYSCTL -w net.ipv4.conf.$EXTIF.proxy_arp=1 >/dev/null
# $DIF is this loop's DMZ interface; $IF would be a stale value from an earlier loop
$SYSCTL -w net.ipv4.conf.$DIF.proxy_arp=1 >/dev/null

# Add route to proxy-arped interfaces
$IPBIN route add $IFNETWORK/$IFPREFIX dev $DIF 2>/dev/null
$IPBIN route add $IFNETWORK/$IFPREFIX dev $EXTIF 2>/dev/null

# Add IP route
$IPBIN route add $EXTIP dev $EXTIF 2>/dev/null
$IPBIN route append $EXTIP dev $DIF 2>/dev/null

GWIP=`/bin/grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF | /bin/sed -e s/GATEWAY=//i | /bin/sed 's/"//g'`
if [ -z "$GWIP" ]; then
$FW_ERROR "Failed to find gateway IP"
fi

$IPBIN route add $GWIP dev $EXTIF 2>/dev/null
fi

# Allow ICMP from DMZ to anywhere and anywhere to DMZ
#----------------------------------------------------

$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 0
$IPTABLES -A FORWARD -d $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 0
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 3
$IPTABLES -A FORWARD -d $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 3
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 11
$IPTABLES -A FORWARD -d $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 11
# This allows any host on the DMZ to ping anyone (including hosts on the LAN)
$IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -
__________________
Rock
phoenix[LPU]
igornix is offline   Reply With Quote
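The error quoted at the top of the post, "Bad argument `DROP'", is what iptables prints when a target word reaches it without a `-j` in front of it, which in a script like this one usually means a variable expanded to nothing. The following is an added example, not part of the posted script: a dry-run stand-in for iptables that lints the argument list the script assembles instead of applying it. Running the script with `IPTABLES=lint_iptables` (an assumed workflow; the script itself does not define it) replays every rule it would build without touching the live ruleset.

```shell
#!/bin/sh
# Added example (not part of the posted rc.firewall): a dry-run stand-in for
# iptables that checks the argument list the script builds. The option and
# target lists below are constructed from what the posted script uses.

# Words that are only meaningful as the value of -j/--jump (constructed list).
LINT_TARGETS="ACCEPT DROP REJECT RETURN MASQUERADE DNAT SNAT MARK LOG"

# Options the script uses that must be followed by a value (constructed list).
LINT_VALUE_OPTS="-p -s -d -i -o -t -m --dport --sport --to --set-mark --icmp-type --state"

is_target() {
    for t in $LINT_TARGETS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

is_value_opt() {
    for o in $LINT_VALUE_OPTS; do
        [ "$1" = "$o" ] && return 0
    done
    return 1
}

# lint_iptables ARGS...
# Returns 0 when the argument list looks well-formed, 1 otherwise; prints one
# diagnostic per problem on stderr. Three shapes are flagged:
#   1. a target word that is not the value of -j/--jump, which iptables reports
#      as "Bad argument `DROP'" (or whichever target word it hit);
#   2. -j/--jump followed by nothing or by another option, the result of an
#      unset variable such as $FW_DROP;
#   3. a value-taking option followed by another option, again an empty variable.
# A "!" after -i/-o/-s/-d is accepted, as the script negates interfaces that way.
lint_iptables() {
    rc=0
    prev=""
    for arg in "$@"; do
        if [ "$prev" = "-j" ] || [ "$prev" = "--jump" ]; then
            if [ -z "$arg" ] || [ "${arg#-}" != "$arg" ]; then
                echo "lint: $prev has no target before '$arg' (empty variable?)" >&2
                rc=1
            fi
        elif is_value_opt "$prev"; then
            if [ -z "$arg" ] || [ "${arg#-}" != "$arg" ]; then
                echo "lint: $prev has no value before '$arg' (empty variable?)" >&2
                rc=1
            fi
        elif is_target "$arg"; then
            echo "lint: bare target '$arg' without -j (iptables: Bad argument \`$arg')" >&2
            rc=1
        fi
        prev="$arg"
    done
    # An option left dangling at the end of the line has no value either.
    if [ "$prev" = "-j" ] || [ "$prev" = "--jump" ] || is_value_opt "$prev"; then
        echo "lint: trailing $prev has no value (empty variable?)" >&2
        rc=1
    fi
    return $rc
}

# Demo using the rule shapes the posted script builds (192.0.2.10 is a
# constructed documentation address); returns 0 when the linter accepts the
# well-formed rule and rejects the two broken ones.
lint_demo() {
    FW_DROP=DROP
    lint_iptables -A FORWARD -d 192.0.2.10 -p icmp -j "$FW_DROP" || return 1
    # -j lost: iptables would answer "Bad argument `DROP'"
    lint_iptables -A FORWARD -d 192.0.2.10 -p icmp DROP 2>/dev/null && return 1
    # FW_DROP never set: -j ends up with nothing after it
    FW_DROP=""
    lint_iptables -A FORWARD -d 192.0.2.10 -p icmp -j $FW_DROP 2>/dev/null && return 1
    return 0
}
```

Because the script calls `$IPTABLES` everywhere, pointing that variable at the function makes the whole rule set flow through the linter, and `sh -x` on the same run shows which line produced the flagged argument list.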
Old 07-16-2005   #2 (permalink)
Just Joined!
 
Join Date: May 2005
Posts: 9
And this is my iptables list:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
drop-reserved all -- 127.0.0.0/8 anywhere
drop-reserved all -- 2.0.0.0/8 anywhere
drop-reserved all -- 96.0.0.0/3 anywhere
drop-reserved all -- 169.254.0.0/16 anywhere
drop-reserved all -- 223.0.0.0/8 anywhere
drop-reserved all -- BASE-ADDRESS.MCAST.NET/4 anywhere
drop-reserved all -- 240.0.0.0/4 anywhere
ACCEPT udp -- anywhere 212-42-117-221.elcat.kg udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:ftp-data
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:ftp
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:ssh
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:smtp
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:81
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:imap
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:1875
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:10000
ACCEPT udp -- anywhere 212-42-117-221.elcat.kg udp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpts:1024:65535 state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP tcp -- 192.168.1.0/24 anywhere tcp dpt:5190
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:bootpc dpt:bootps
ACCEPT udp -- 212-42-117-221.elcat.kg anywhere udp spt:bootpc dpt:bootps
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:ftp-data
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:ftp
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:ssh
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:smtp
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:81
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:imap
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:1875
ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:10000
ACCEPT all -- 212-42-117-221.elcat.kg anywhere
DROP all -- anywhere anywhere

Chain drop-lan (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain drop-reserved (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
__________________
Rock
phoenix[LPU]
igornix is offline   Reply With Quote
Old 07-17-2005   #3 (permalink)
Linux User
 
Join Date: Feb 2005
Posts: 290
I sincerely suggest you back up your original script, then cut it in half, and half, and half to narrow down the problem, and come back here with the line that causes the error. Someone will really be glad to help, but not by going through that many lines of script....
adam7979 is offline   Reply With Quote