Find the answer to your Linux question:
Results 1 to 3 of 3
Hi PLEASE C an anybody look through my script and say what is wrong with it. Because I got the following error: Bad argument `DROP' Try `iptables -h' or 'iptables ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    May 2005
    Posts
    9

    my firewall script sucks


    Hi
    PLEASE C an anybody look through my script and say what is wrong with it. Because I got the following error: Bad argument `DROP'
    Try `iptables -h' or 'iptables --help' for more information.
    #!/bin/sh

    ################################################## #############################
    #
    # Original by Dinesh Kandiah
    # - additions by Daniel Carrera
    # - additions by Paul Moore, pcmoore@engin.umich.edu
    #
    # Copyright (C) 2000-2004 Point Clark Networks
    # Copyright (C) 2003 Paul Moore
    #
    # $Id: rc.firewall,v 1.31 2005/04/29 19:37:34 peter Exp $
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
    #
    # Inspired by...
    # - Trinity OS
    # - Linux Security
    # - linux-firewall-tools.com
    # - Usenet
    #
    ################################################## #############################
    #
    # Semantics:
    # - Incoming - packets destined for *this* machine
    # - Outgoing - packets from the LAN/DMZ to the outside world
    # - Forward - packets from the outside world to the LAN/DMZ
    #
    ################################################## #############################


    ################################################## #############################
    #
    # C O N S T A N T S
    #
    ################################################## #############################

    # Field seperator
    IFS='
    '

    # Path
    PATH=/sbin:/bin:/usr/bin

    # ACCEPT and DROP default chain names
    FW_DROP="DROP"
    FW_ACCEPT="ACCEPT"

    # Configuration
    FW_CONF=${FW_CONF:-"/etc/firewall"}
    FW_ADHOC=${FW_ADHOC:-"/etc/rc.d/rc.firewall.local"}
    FW_TYPES="/etc/rc.d/rc.firewall.types"

    # Default mode
    FW_DEFAULT_MODE="trustedstandalone"

    # Binaries
    IPBIN="/sbin/ip"
    TCBIN="/sbin/tc"
    IPCALC="/bin/ipcalc"
    IPTABLES="/sbin/iptables"
    MODPROBE="/sbin/modprobe"
    RMMOD="/sbin/rmmod"
    SYSCTL="/sbin/sysctl"

    # Logging
    FW_TODO=${FW_TODO:-"/bin/echo"}
    FW_FACILITY=${FW_FACILITY:-"local6"}
    FW_DEBUG=${FW_DEBUG:-"/usr/bin/logger -p $FW_FACILITY.notice -t firewall"}
    FW_ERROR=${FW_ERROR:-"/usr/bin/logger -p $FW_FACILITY.error -t firewall"}
    FW_NOTICE=${FW_NOTICE:-"/usr/bin/logger -p $FW_FACILITY.notice -t firewall"}
    FW_WARNING=${FW_WARNING:-"/usr/bin/logger -p $FW_FACILITY.warning -t firewall"}

    # Shorthand
    FW_ALLIP="0.0.0.0/0"

    # Declare these as integer
    declare -i FWR_TYPE
    declare -i FWR_PROTO

    # This blob translates PHP firewall type defines into bash declarations.
    # This way, there is is only one source for firewall types (firewallrule.class).
    FWR_CLASS="/var/webconfig/classes/firewallrule.class"

    if [ "$FWR_CLASS" -nt "$FW_TYPES" -o ! -f "$FW_TYPES" ]; then
    echo "# Generated by: $0" > $FW_TYPES
    echo "# Created from: $FWR_CLASS" >> $FW_TYPES
    /bin/egrep "^define.*FWR_.*0x" "$FWR_CLASS" | \
    /bin/sed -e 's/define(/declare -i /' -e 's/, /=/' -e 's/);.*$//' >>\
    $FW_TYPES || exit 1
    echo "# vi: syntax=sh" >> $FW_TYPES
    fi

    source $FW_TYPES || exit 1


    ################################################## #############################
    #
    # F U N C T I O N S
    #
    ################################################## #############################

    ################################################## #############################
    #
    # SetKernelSettings
    # -----------------
    #
    # Defines some default kernel settings... mostly for added security.
    #
    ################################################## #############################

    SetKernelSettings() {
    $FW_NOTICE "Setting kernel parameters"

    # Enable IP Forwarding, not really required for standalone mode
    $SYSCTL -w net.ipv4.ip_forward=1 >/dev/null

    # Enable TCP SYN Cookie protection:
    $SYSCTL -w net.ipv4.tcp_syncookies=1 >/dev/null

    # Enabling dynamic TCP/IP address hacking.
    $SYSCTL -w net.ipv4.ip_dynaddr=1 >/dev/null

    # Log spoofed, source-routed, and redirect packets
    $SYSCTL -w net.ipv4.conf.all.log_martians=0 >/dev/null

    # Disable ICMP Re-directs
    $SYSCTL -w net.ipv4.conf.all.accept_redirects=0 >/dev/null
    $SYSCTL -w net.ipv4.conf.all.send_redirects=0 >/dev/null

    # Ensure that source-routed packets are dropped
    $SYSCTL -w net.ipv4.conf.all.accept_source_route=0 >/dev/null

    # Disable ICMP broadcast echo protection
    $SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1 >/dev/null

    # Enable bad error message protection
    $SYSCTL -w net.ipv4.icmp_ignore_bogus_error_responses=1 >/dev/null
    }


    ################################################## #############################
    #
    # SetPolicyToAccept
    # -----------------
    #
    # Sets default firewall policy to accept.
    #
    ################################################## #############################

    SetPolicyToAccept() {
    $FW_NOTICE "Setting default policy to $FW_ACCEPT"

    for TABLE in filter nat mangle; do
    $IPTABLES -t $TABLE -F # Flush all previous rules.
    $IPTABLES -t $TABLE -X # Delete user-defined chains.
    done

    $IPTABLES -P INPUT $FW_ACCEPT
    $IPTABLES -P OUTPUT $FW_ACCEPT
    $IPTABLES -P FORWARD $FW_ACCEPT
    }


    ################################################## #############################
    #
    # SetPolicyToDrop
    # ---------------
    #
    # Sets default firewall policy to drop.
    #
    ################################################## #############################

    SetPolicyToDrop() {
    $FW_NOTICE "Setting default policy to DROP"

    for TABLE in filter nat mangle; do
    $IPTABLES -t $TABLE -F # Flush all previous rules.
    $IPTABLES -t $TABLE -X # Delete user-defined chains.
    done

    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    }


    ################################################## #############################
    #
    # DefineChains
    # ------------
    #
    # Define any custom chains here. Custom chains include:
    # - drop-reserved - for logging invalid IPs appearing on the network
    # - drop-lan - for logging LAN traffic trying to escape the LAN
    #
    # Use the FW_DROP and FW_ACCEPT variable to override DROP and ACCEPT.
    # This can be handy for troubleshooting.
    #
    ################################################## #############################

    DefineChains() {
    $FW_NOTICE "Defining custom chains"

    # Create a default DROP for easy debugging
    #-----------------------------------------
    if [ "$FW_DROP" != "DROP" ]; then
    $IPTABLES -N $FW_DROP
    # useful for debug: $IPTABLES -t filter -A $FW_DROP -j LOG --log-prefix "Drop: "
    $IPTABLES -t filter -A $FW_DROP -j $FW_DROP
    fi

    # Create a default ACCEPT for easy debugging
    #-------------------------------------------
    if [ "$FW_ACCEPT" != "ACCEPT" ]; then
    $IPTABLES -N $FW_ACCEPT
    # useful for debug: $IPTABLES -t filter -A $FW_ACCEPT -j LOG --log-prefix "Accept: "
    $IPTABLES -t filter -A $FW_ACCEPT -j $FW_ACCEPT
    fi

    # Create a chain for dropping reserved network IPs
    #-------------------------------------------------
    $IPTABLES -N drop-reserved
    # useful for debug: $IPTABLES -t filter -A drop-reserved -j LOG --log-prefix "Drop - reserved network: "
    $IPTABLES -t filter -A drop-reserved -j $FW_DROP

    # Create a chain for dropping services that shouldn't leave the LAN
    #------------------------------------------------------------------
    $IPTABLES -N drop-lan
    # useful for debug: $IPTABLES -t filter -A drop-lan -j LOG --log-prefix "Drop - LAN only: "
    $IPTABLES -t filter -A drop-lan -j $FW_DROP
    }


    ################################################## #############################
    #
    # LoadKernelModules
    # -----------------
    #
    # Loads kernel modules. Most modules will automatically load... but
    # some require a little help
    #
    ################################################## #############################

    LoadKernelModules() {
    $FW_NOTICE "Loading kernel modules"

    $MODPROBE ipt_LOG # Add LOG target.
    $MODPROBE ipt_REJECT # Add REJECT target.
    $MODPROBE ipt_MASQUERADE # Add MASQUERADE target.
    $MODPROBE ipt_owner # Allows you to match for the owner.
    $MODPROBE ip_conntrack_ftp # Connection tracking for FTP.
    $MODPROBE ip_conntrack_irc # Connection tracking for IRC.
    $MODPROBE ip_nat_ftp # Active FTP
    $MODPROBE ip_nat_irc # IRC stuff

    # PPTP and dependencies don't always auto-load...
    # Office Edition only.
    $MODPROBE ppp_generic > /dev/null 2>&1
    $MODPROBE ppp_mppe > /dev/null 2>&1
    $MODPROBE ip_conntrack_proto_gre > /dev/null 2>&1
    $MODPROBE ip_conntrack_pptp > /dev/null 2>&1
    $MODPROBE ip_nat_proto_gre > /dev/null 2>&1

    # Ipp2p module (if installed)
    $MODPROBE ipt_ipp2p > /dev/null 2>&1
    }


    ################################################## #############################
    #
    # RunAdhocRules
    # -------------
    #
    # Run custom rules in FW_ADHOC
    #
    ################################################## #############################

    RunAdhocRules() {
    $FW_DEBUG "Checking for ad-hoc rules in $FW_ADHOC"

    if [ -x "$FW_ADHOC" ]; then
    $FW_NOTICE "Running ad-hoc rules in $FW_ADHOC"
    source "$FW_ADHOC"
    $FW_DEBUG "Finished ad-hoc rules in $FW_ADHOC"
    fi
    }


    ################################################## #############################
    #
    # RunCommonRules
    # --------------
    #
    # Rules that should be included in *all* firewall types should go here.
    # This function:
    # - allows all traffic on the loopback interface
    # - blocks invalid IP ranges
    # - allows ICMP (RFC compliance)
    # - allows DHCP traffic
    #
    ################################################## #############################

    RunCommonRules() {
    $FW_NOTICE "Running common rules"

    # Allow some ICMP (ping)
    #-----------------------
    # ICMP can be used for attacks.. we allow as little as possible.
    # The following are necessary ports we *can't* do without:
    # 0 Needed to ping hosts outside the network.
    # 3 Needed by all networks.
    # 11 Needed by the traceroute program.
    $IPTABLES -A INPUT -p icmp --icmp-type 0 -j $FW_ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 3 -j $FW_ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type 11 -j $FW_ACCEPT

    # This allows other hosts to ping you. You should keep this rule.
    $IPTABLES -A INPUT -p icmp --icmp-type 8 -j $FW_ACCEPT
    $IPTABLES -A INPUT -p icmp -j $FW_DROP
    $IPTABLES -A OUTPUT -p icmp -j $FW_ACCEPT

    # UDP injection
    #--------------
    # TODO: run a Nessus scan for details
    # $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
    # $IPTABLES -A INPUT -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
    # $IPTABLES -A INPUT -p udp --sport 53 -j DROP

    # SYN bit issues
    #---------------
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Allow everything on the loopback
    #---------------------------------
    $IPTABLES -A INPUT -i lo -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o lo -j $FW_ACCEPT

    # Allow everything on trusted interfaces
    #---------------------------------------
    if [ ! -z "$TRUSTEDIF" ]; then
    $IPTABLES -A INPUT -i $TRUSTEDIF -j $FW_ACCEPT
    fi
    # TODO: this makes output lines below redundant
    $IPTABLES -A OUTPUT -j $FW_ACCEPT

    # Block IPs that should never show up on our external interface
    #--------------------------------------------------------------
    $IPTABLES -A INPUT -i $EXTIF -s 127.0.0.0/8 -j drop-reserved
    $IPTABLES -A INPUT -i $EXTIF -s 2.0.0.0/8 -j drop-reserved
    $IPTABLES -A INPUT -i $EXTIF -s 96.0.0.0/3 -j drop-reserved
    $IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -j drop-reserved
    $IPTABLES -A INPUT -i $EXTIF -s 223.0.0.0/8 -j drop-reserved
    $IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -j drop-reserved
    $IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/4 -j drop-reserved

    # Allow DHCP client to respond
    #-----------------------------
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p udp --dport bootpc --sport bootps -j $FW_ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p tcp --dport bootpc --sport bootps -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport bootpc --dport bootps -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport bootpc --dport bootps -j $FW_ACCEPT

    if [ "$FW_MODE" == "dmz" ]; then
    for IF in $DMZIF; do
    GetInterfaceInfo $IF

    # Allow DMZ DHCP clients to respond
    #----------------------------------
    $IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p udp --dport bootps --sport bootpc
    $IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p tcp --dport bootps --sport bootpc
    $IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p tcp --sport bootps --dport bootpc
    $IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p udp --sport bootps --dport bootpc

    # Allow DMZ DNS servers to respond
    #---------------------------------
    $IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p tcp --dport domain -s $IFNETWORK/$IFNETMASK
    $IPTABLES -A INPUT -j $FW_ACCEPT -i $IF -p udp --dport domain -s $IFNETWORK/$IFNETMASK
    $IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p tcp --sport domain -d $IFNETWORK/$IFNETMASK
    $IPTABLES -A OUTPUT -j $FW_ACCEPT -o $IF -p udp --sport domain -d $IFNETWORK/$IFNETMASK
    done
    fi
    }


    ################################################## #############################
    #
    # RunIncomingAllowedDefaults
    # --------------------------
    #
    ################################################## #############################

    RunIncomingAllowedDefaults() {
    $FW_NOTICE "Running default incoming rules"

    # Allow high ports
    #-----------------
    $IPTABLES -A OUTPUT -s $EXTIP -j $FW_ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p udp --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j $FW_ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p tcp --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j $FW_ACCEPT
    }


    ################################################## #############################
    #
    # RunIncomingAllowed
    # ------------------
    #
    ################################################## #############################

    RunIncomingAllowed() {
    $FW_NOTICE "Running user-defined incoming rules"

    # Standard ports and port ranges
    #-------------------------------
    for RULE in $INCOMING_ALLOW; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    PORT=`echo $RULE | cut -d '|' -f2`
    $FW_DEBUG "Allowing incoming $PROTOCOL port $PORT"
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p $PROTOCOL --dport $PORT -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p $PROTOCOL --sport $PORT -j $FW_ACCEPT
    done
    for RULE in $INCOMING_ALLOW_RANGE; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    RANGE=`echo $RULE | cut -d '|' -f2`
    $FW_DEBUG "Allowing incoming $PROTOCOL range $RANGE"
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p $PROTOCOL --dport $RANGE -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p $PROTOCOL --sport $RANGE -j $FW_ACCEPT
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_INCOMING_ALLOW ] -eq 0 ] && continue

    INPUT="-A INPUT -p $FWR_PROTO -i $EXTIF -d $EXTIP"
    OUTPUT="-A OUTPUT -p $FWR_PROTO -o $EXTIF -s $EXTIP"

    if [ ! -z "$FWR_ADDR" ]; then
    INPUT="$INPUT -s $FWR_ADDR"
    OUTPUT="$OUTPUT -d $FWR_ADDR"
    fi

    $FW_DEBUG ">>> Allowing incoming $FWR_PROTO port/range $FWR_PORT"
    $IPTABLES $INPUT --dport $FWR_PORT -j $FW_ACCEPT
    $IPTABLES $OUTPUT --sport $FWR_PORT -j $FW_ACCEPT
    done

    # PPTP server
    #------------
    if [ "$PPTP_SERVER" == "on" ]; then
    $RMMOD ip_nat_pptp > /dev/null 2>&1
    $FW_DEBUG ">>> Allowing incoming GRE protocol 47 for PPTP server"
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p 47 -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p 47 -j $FW_ACCEPT
    $FW_DEBUG ">>> Allowing incoming TCP port 1723 for PPTP server"
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p tcp --dport 1723 -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport 1723 -j $FW_ACCEPT
    else
    # Temporary: disable this module
    # $MODPROBE ip_nat_pptp > /dev/null 2>&1
    $RMMOD ip_nat_pptp > /dev/null 2>&1
    fi

    # IPsec server
    #-------------
    if [ "$IPSEC_SERVER" == "on" ]; then
    # IKE negotiations
    $FW_DEBUG ">>> Allowing incoming UDP port 500 for IPsec server"
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p udp --sport 500 --dport 500 -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport 500 --dport 500 -j $FW_ACCEPT

    # ESP/AH encryption and authentication
    $FW_DEBUG ">>> Allowing incoming ESP/AH for IPsec server"
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p 50 -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p 50 -j $FW_ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -d $EXTIP -p 51 -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p 51 -j $FW_ACCEPT

    # Mark all incoming encrypted packets
    $IPTABLES -t mangle -A PREROUTING -p esp -j MARK --set-mark 100

    # Direct un-encrypted (already authenticated) packets to the proper chain.
    # Packets destined for this box on any interface (LAN, WAN) are allowed.
    $IPTABLES -A INPUT -d $EXTIP --match mark --mark 100 -j $FW_ACCEPT
    for LIF in $LANIF; do
    GetInterfaceInfo $LIF
    $IPTABLES -A INPUT -d $IFIP --match mark --mark 100 -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -s $IFIP -j $FW_ACCEPT
    done

    # Packets destined to the LAN are allowed.
    $IPTABLES -A FORWARD --match mark --mark 100 -j $FW_ACCEPT

    # Do not masquerade VPN traffic
    $IPTABLES -A POSTROUTING -t nat -o $EXTIF -p esp -j $FW_ACCEPT
    $IPTABLES -A POSTROUTING -t nat -o $EXTIF -p ah -j $FW_ACCEPT
    fi
    }


    ################################################## #############################
    #
    # RunIncomingDeniedDefaults
    # -------------------------
    #
    # Block everything that is not already defined
    #
    ################################################## #############################

    RunIncomingDeniedDefaults() {
    $FW_NOTICE "Running incoming denied defaults"
    $IPTABLES -A INPUT -i $EXTIF -s $FW_ALLIP -d $FW_ALLIP -j $FW_DROP
    $IPTABLES -A OUTPUT -o $EXTIF -s $FW_ALLIP -d $FW_ALLIP -j $FW_DROP
    }


    ################################################## #############################
    #
    # RunIncomingDenied
    # -----------------
    #
    ################################################## #############################

    RunIncomingDenied() {
    $FW_NOTICE "Running incoming denied rules"

    # MAC filter rules
    if [ ! -z "$WIFIF" ]; then
    $FW_NOTICE "Checking for wireless MAC filtering on $WIFIF"

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_MAC_FILTER ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_WIFI ] -eq 0 ] && continue

    WIFIMACFILTER="yes"
    $FW_NOTICE ">>> Adding wireless MAC filtering for $FWR_ADDR"
    $IPTABLES -t nat -A PREROUTING -i $WIFIF -m mac --mac-source $FWR_ADDR -j $FW_ACCEPT
    done

    if [ "$WIFIMACFILTER" == "yes" ]; then
    $IPTABLES -t nat -A PREROUTING -i $WIFIF -j $FW_DROP
    else
    $FW_NOTICE "MAC filtering disabled on $WIFIF"
    fi
    fi

    # Block host rules
    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_INCOMING_BLOCK ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_WIFI ] -ne 0 ] && continue
    [ -z "$FWR_ADDR" ] && continue

    $FW_DEBUG ">>> Blocking incoming host: $FWR_ADDR"
    $IPTABLES -A INPUT -d $EXTIP -i $EXTIF -s $FWR_ADDR -j $FW_DROP
    $IPTABLES -A OUTPUT -s $EXTIP -o $EXTIF -d $FWR_ADDR -j $FW_DROP
    done

    # Block P2P network rules
    P2P_TYPES=""
    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_INCOMING_BLOCK ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_P2P ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue

    Ipp2pType $[ $FWR_TYPE & ~($FWR_ENABLED | $FWR_P2P | $FWR_INCOMING_BLOCK) ]
    P2P_TYPES=`echo $P2P_TYPES $P2P_TYPE | sort | uniq`
    done

    if [ ! -z "$P2P_TYPES" ]; then
    $FW_DEBUG ">>> Blocking P2P network(s): $P2P_TYPES"
    $IPTABLES -A FORWARD -m ipp2p $P2P_TYPES -j $FW_DROP
    fi
    }


    ################################################## #############################
    #
    # RunOutgoingDenied
    # -----------------
    #
    ################################################## #############################

    RunOutgoingDenied() {
    $FW_NOTICE "Running user-defined block outgoing rules"

    for RULE in $OUTGOING_BLOCK; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    PORT=`echo $RULE | cut -d '|' -f2`
    $FW_DEBUG "Blocking outgoing $PROTOCOL port $PORT"

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d 0/0 -p $PROTOCOL --dport $PORT -j $FW_DROP
    done
    done
    for RULE in $OUTGOING_BLOCK_RANGE; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    RANGE=`echo $RULE | cut -d '|' -f2`
    $FW_DEBUG "Blocking outgoing $PROTOCOL range $RANGE"

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d 0/0 -p $PROTOCOL --dport $RANGE -j $FW_DROP
    done
    done
    for HOST in $OUTGOING_BLOCK_DESTS; do
    $FW_DEBUG "Blocking traffic to $HOST"

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d $HOST -j $FW_DROP
    done
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_OUTGOING_BLOCK ] -eq 0 ] && continue

    if [ $FWR_PROTO -ne 0 ]; then
    $FW_DEBUG ">>> Blocking outgoing $FWR_PROTO port $FWR_PORT"

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d 0/0 -p $FWR_PROTO --dport $FWR_PORT -j $FW_DROP
    done
    else
    $FW_DEBUG ">>> Blocking outgoing traffic to $FWR_ADDR"

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -d $FWR_ADDR -j $FW_DROP
    done
    fi
    done
    }


    ################################################## #############################
    #
    # RunOutgoingDeniedDefaults
    # -------------------------
    #
    ################################################## #############################

    RunOutgoingDeniedDefaults() {
    $FW_NOTICE "Running default block outgoing rules"

    # Block services from leaving the LAN (low port numbers)
    # Snort will log suspicious traffic in high port ranges
    #-------------------------------------------------------
    # TODO: the ipsec0 interface (or lack of one) makes this harder to implement
    #$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p tcp --dport 111 # RPC stuff
    #$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p udp --dport 111 # RPC stuff
    #$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p tcp --dport 137:139 # Samba
    #$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p udp --dport 137:139 # Samba
    #$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p tcp --dport 635 # Mountd
    #$IPTABLES -A FORWARD -j drop-lan -o $EXTIF -p udp --dport 635 # Mountd
    }


    ################################################## #############################
    #
    # RunPortForwardRules
    # -------------------
    #
    ################################################## #############################

    RunPortForwardRules() {
    $FW_NOTICE "Running user-defined port forward rules"

    for RULE in $FORWARD; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    FROMPORT=`echo $RULE | cut -d '|' -f3`
    TO=`echo $RULE | cut -d '|' -f4`

    TOIP=`echo $TO | cut -d ':' -f1`
    TOPORT=`echo $TO | cut -d ':' -f2`

    $FW_DEBUG "Port forwarding $PROTOCOL $FROMPORT to $TOIP $TOPORT"
    $IPTABLES -t nat -A PREROUTING -d $EXTIP -p $PROTOCOL --dport $FROMPORT -j DNAT --to $TO

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -t nat -A POSTROUTING -d $TOIP -p $PROTOCOL -s $IFNETWORK/$IFNETMASK --dport $FROMPORT -j SNAT --to $IFIP
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL -d $TOIP --dport $TOPORT
    done
    done
    for RULE in $FORWARD_RANGE; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    RANGE=`echo $RULE | cut -d '|' -f3`
    TOIP=`echo $RULE | cut -d '|' -f4`
    $FW_DEBUG "Port forwarding $PROTOCOL range $RANGE to $TOIP"
    $IPTABLES -t nat -A PREROUTING -d $EXTIP -p $PROTOCOL --dport $RANGE -j DNAT --to $TOIP

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -t nat -A POSTROUTING -d $TOIP -p $PROTOCOL -s $IFNETWORK/$IFNETMASK --dport $RANGE -j SNAT --to $IFIP
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL -d $TOIP --dport $RANGE
    done
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_FORWARD ] -eq 0 ] && continue

    $FW_DEBUG ">>> Port forwarding $FWR_PROTO $FWR_PARAM to $FWR_ADDR $FWR_PORT"

    if [ -z "$FWR_PORT" ]; then
    DPORT=$FWR_PARAM
    TO="$FWR_ADDR"
    else
    DPORT=$FWR_PORT
    TO="$FWR_ADDR:$FWR_PORT"
    fi

    $IPTABLES -t nat -A PREROUTING -d $EXTIP -p $FWR_PROTO --dport $FWR_PARAM -j DNAT --to $TO

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -t nat -A POSTROUTING -d $FWR_ADDR -p $FWR_PROTO -s $IFNETWORK/$IFNETMASK --dport $FWR_PARAM -j SNAT --to $IFIP
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -d $FWR_ADDR --dport $DPORT
    done
    done

    if [ ! -z "$PPTP_FORWARD" ]; then
    $FW_DEBUG "Forwarding PPTP traffic to $PPTP_FORWARD"
    $IPTABLES -t nat -A PREROUTING -d $EXTIP -p 47 -j DNAT --to $PPTP_FORWARD
    $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1723 -j DNAT --to $PPTP_FORWARD

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p 47 -d $PPTP_FORWARD
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p TCP -d $PPTP_FORWARD --dport 1723
    done
    fi

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_PPTP_FORWARD ] -eq 0 ] && continue

    $FW_DEBUG ">>> Forwarding PPTP traffic to $FWR_ADDR"
    $IPTABLES -t nat -A PREROUTING -d $EXTIP -p $FWR_PROTO -j DNAT --to $FWR_ADDR
    $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport $FWR_PORT -j DNAT --to $FWR_ADDR

    for IF in $LANIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -d $FWR_ADDR
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p TCP -d $FWR_ADDR --dport $FWR_PORT
    done

    # XXX: Can only have one of these...
    break
    done
    }


    ################################################## #############################
    #
    # RunRemapPorts
    # -------------
    #
    ################################################## #############################

    RunRemapPorts() {
    $FW_NOTICE "Running user-defined port re-map rules"

    if [ "$SQUID_TRANSPARENT" == "on" ]; then
    # Is a content filter in transparent mode too?
    if [ ! -z "$SQUID_FILTER_TRANSPARENT" ]; then
    $FW_DEBUG "Enabled Proxy+Filter transparent mode for filter port $SQUID_FILTER_TRANSPARENT"
    $IPTABLES -t nat -A PREROUTING -i ! $EXTIF -p tcp -d ! $EXTIP --dport 80 -j REDIRECT --to-port $SQUID_FILTER_TRANSPARENT
    $FW_DEBUG "Blocking proxy port 3128 for Proxy+Filter transparent mode"
    $IPTABLES -t nat -I PREROUTING -p tcp -s ! 127.0.0.1 --dport 3128 -j $FW_DROP
    else
    $FW_DEBUG "Enabled proxy transparent mode"
    $IPTABLES -t nat -A PREROUTING -i ! $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
    fi
    fi
    }


    ################################################## #############################
    #
    # RunCustomRules
    # -----------------
    #
    ################################################## #############################

    RunCustomRules() {
    $FW_NOTICE "Running custom rules"

    for RULE in $RULES; do
    FW_INPUT=""
    FW_OUTPUT=""
    FW_FORWARD=""
    FW_PREROUTING=""

    for LIF in $LANIF; do
    eval "FW_FORWARD_$LIF=\"\""
    eval "FW_POSTROUTING_$LIF=\"\""
    done

    CustomRule $RULE || continue

    [ ! -z "$FW_INPUT" ] && $FW_INPUT
    [ ! -z "$FW_OUTPUT" ] && $FW_OUTPUT
    [ ! -z "$FW_FORWARD" ] && $FW_FORWARD
    [ ! -z "$FW_PREROUTING" ] && $FW_PREROUTING

    for LIF in $LANIF; do
    eval "VAR=\"\$FW_FORWARD_$LIF\""
    [ ! -z "$VAR" ] && $VAR
    eval "VAR=\"\$FW_POSTROUTING_$LIF\""
    [ ! -z "$VAR" ] && $VAR
    done
    done
    }


    ################################################## #############################
    #
    # RunBandwidthRules
    # -----------------
    # Initialize HTB qdisc. Set external up/down bandwidth. Create classes,
    # firewall mark rules for up/down rates, and associated tc filter rules.
    #
    ################################################## #############################

    RunBandwidthRules() {
    [ "$BANDWIDTH_QOS" != "on" ] && return
    [ -z "$BANDWIDTH_UPSTREAM" -o -z "$BANDWIDTH_DOWNSTREAM" ] && return

    $FW_NOTICE "Initializing bandwidth manager: $BANDWIDTH_UPSTREAM kbits up, $BANDWIDTH_DOWNSTREAM kbits down"

    # external WAN (EXTIF) and LAN (LANIF) interfaces...
    $TCBIN qdisc del dev $PHYSEXTIF root handle 1: htb >/dev/null 2>&1
    $TCBIN qdisc add dev $PHYSEXTIF root handle 1: htb default 2 r2q 1

    for IF in $LANIF; do
    $TCBIN qdisc del dev $IF root handle 1: htb >/dev/null 2>&1
    $TCBIN qdisc add dev $IF root handle 1: htb default 2 r2q 1
    done

    # Just incase an interface role was changed
    for IF in $DMZIF; do
    $TCBIN qdisc del dev $IF root handle 1: htb >/dev/null 2>&1
    $TCBIN qdisc add dev $IF root handle 1: htb default 2 r2q 1
    done

    # Class 1:1 specifies maximum upstream/downstream rates
    # Class 1:2 is a low priority default class for catch-all traffic
    $TCBIN class add dev $PHYSEXTIF parent 1: classid 1:1 htb \
    rate "$BANDWIDTH_UPSTREAM"kbit
    $TCBIN class add dev $PHYSEXTIF parent 1:1 classid 1:2 htb \
    rate "$BANDWIDTH_UPSTREAM"kbit prio 7

    for IF in $LANIF; do
    $TCBIN class add dev $IF parent 1: classid 1:1 htb \
    rate "$BANDWIDTH_DOWNSTREAM"kbit
    $TCBIN class add dev $IF parent 1:1 classid 1:2 htb \
    rate "$BANDWIDTH_DOWNSTREAM"kbit prio 7
    done

    for IF in $DMZIF; do
    $TCBIN class add dev $IF parent 1: classid 1:1 htb \
    rate "$BANDWIDTH_DOWNSTREAM"kbit
    $TCBIN class add dev $IF parent 1:1 classid 1:2 htb \
    rate "$BANDWIDTH_DOWNSTREAM"kbit prio 7
    done

    declare -i CLSID=10
    declare -i FWMARK=0x9000

    # Convert bandwidth rules to classes
    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_P2P ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_BANDWIDTH_MARK ] -eq 0 ] && continue

    BW_PRIO=`echo $FWR_PARAM | cut -d':' -f1`
    BW_UPSTREAM=`echo $FWR_PARAM | cut -d':' -f2`
    BW_DOWNSTREAM=`echo $FWR_PARAM | cut -d':' -f3`

    # Create upstream FORWARD MARK rules
    if [ ! -z "$BW_UPSTREAM" ]; then
    BW_MATCH=""
    STR_FWMARK=`printf "0x%04x" $FWMARK`
    $FW_DEBUG ">>> HTB Class 1:$CLSID, mark: $STR_FWMARK, priority: $BW_PRIO, $BW_UPSTREAM kbits up"

    # Create class
    $TCBIN class add dev $PHYSEXTIF parent 1:1 classid 1:$CLSID htb rate \
    "$BW_UPSTREAM"kbit prio $BW_PRIO

    # Create rule
    BW_RULE="-A FORWARD -t mangle -i ! $EXTIF -j MARK --set-mark $STR_FWMARK"

    # Handle IP range
    HI_ADDR=`echo $FWR_ADDR | cut -d':' -f2`

    if [ -z "$HI_ADDR" ]; then
    # Single IP, or IP/netmask
    if [ ! -z "$FWR_ADDR" ]; then
    BW_MATCH="-s $FWR_ADDR"
    fi

    if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
    BW_MATCH="$BW_MATCH --dport $FWR_PORT"
    fi

    if [ -z "$BW_MATCH" ]; then
    $FW_WARNING "Invalid bandwidth match criteria."
    else
    $IPTABLES $BW_RULE -p TCP $BW_MATCH
    $IPTABLES $BW_RULE -p UDP $BW_MATCH

    # Create filter
    $TCBIN filter add dev $PHYSEXTIF protocol ip parent 1:0 \
    prio 1 handle $STR_FWMARK fw classid 1:$CLSID
    fi
    else
    # IP range
    LO_ADDR=`echo $FWR_ADDR | cut -d':' -f1`

    Ip2Bin $LO_ADDR || continue
    LO_ADDR=$BIN
    Ip2Bin $HI_ADDR || continue
    HI_ADDR=$BIN

    while [ $LO_ADDR -le $HI_ADDR ]; do
    Bin2Ip $LO_ADDR || continue

    BW_MATCH="-s $A.$B.$C.$D"

    if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
    BW_MATCH="$BW_MATCH --dport $FWR_PORT"
    fi

    $IPTABLES $BW_RULE -p TCP $BW_MATCH
    $IPTABLES $BW_RULE -p UDP $BW_MATCH

    # Create filter
    $TCBIN filter add dev $PHYSEXTIF protocol ip parent 1:0 \
    prio 1 handle $STR_FWMARK fw classid 1:$CLSID

    LO_ADDR=$[ $LO_ADDR + 1];
    done
    fi

    CLSID=$[ $CLSID + 1 ]
    FWMARK=$[ $FWMARK + 1 ]
    fi

    # Create downstream FORWARD MARK rules
    if [ ! -z "$BW_DOWNSTREAM" ]; then
    BW_MATCH=""
    STR_FWMARK=`printf "0x%04x" $FWMARK`
    $FW_DEBUG ">>> HTB Class 1:$CLSID, mark: $STR_FWMARK, priority: $BW_PRIO, $BW_DOWNSTREAM kbits down"

    # Create class
    for IF in $LANIF; do
    $TCBIN class add dev $IF parent 1:1 classid 1:$CLSID htb rate \
    "$BW_DOWNSTREAM"kbit prio $BW_PRIO
    done

    # Create class
    for IF in $DMZIF; do
    $TCBIN class add dev $IF parent 1:1 classid 1:$CLSID htb rate \
    "$BW_DOWNSTREAM"kbit prio $BW_PRIO
    done

    # Create rule
    BW_RULE="-A FORWARD -t mangle -i $EXTIF -j MARK --set-mark $STR_FWMARK"

    # Check for IP range
    HI_ADDR=`echo $FWR_ADDR | cut -d':' -f2`

    if [ -z "$HI_ADDR" ]; then
    # Single IP, or IP/netmask
    if [ ! -z "$FWR_ADDR" ]; then
    BW_MATCH="-d $FWR_ADDR"
    fi

    if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
    BW_MATCH="$BW_MATCH --sport $FWR_PORT"
    fi

    if [ -z "$BW_MATCH" ]; then
    $FW_WARNING "Invalid bandwidth match criteria."
    else
    $IPTABLES $BW_RULE -p TCP $BW_MATCH
    $IPTABLES $BW_RULE -p UDP $BW_MATCH

    # Create filter for LAN
    for IF in $LANIF; do
    $TCBIN filter add dev $IF protocol ip parent 1:0 \
    prio 1 handle $STR_FWMARK fw classid 1:$CLSID
    done

    # Create filter for DMZ
    for IF in $DMZIF; do
    $TCBIN filter add dev $IF protocol ip parent 1:0 \
    prio 1 handle $STR_FWMARK fw classid 1:$CLSID
    done
    fi
    else
    # IP range
    LO_ADDR=`echo $FWR_ADDR | cut -d':' -f1`

    Ip2Bin $LO_ADDR || continue
    LO_ADDR=$BIN
    Ip2Bin $HI_ADDR || continue
    HI_ADDR=$BIN

    while [ $LO_ADDR -le $HI_ADDR ]; do
    Bin2Ip $LO_ADDR || continue

    BW_MATCH="-d $A.$B.$C.$D"

    if [ ! -z "$FWR_PORT" -a "$FWR_PORT" != 0 ]; then
    BW_MATCH="$BW_MATCH --sport $FWR_PORT"
    fi

    $IPTABLES $BW_RULE -p TCP $BW_MATCH
    $IPTABLES $BW_RULE -p UDP $BW_MATCH

    # Create filter for LAN
    for IF in $LANIF; do
    $TCBIN filter add dev $IF protocol ip parent 1:0 \
    prio 1 handle $STR_FWMARK fw classid 1:$CLSID
    done

    # Create filter for DMZ
    for IF in $DMZIF; do
    $TCBIN filter add dev $IF protocol ip parent 1:0 \
    prio 1 handle $STR_FWMARK fw classid 1:$CLSID
    done

    LO_ADDR=$[ $LO_ADDR + 1];
    done
    fi

    # Handle transparent squid mode
    if [ "$SQUID_TRANSPARENT" == "on" ]; then
    BW_MATCH=""

    if [ ! -z "$FWR_ADDR" ]; then
    BW_MATCH="-d $FWR_ADDR"
    fi

    if [ -z "$FWR_PORT" -o "$FWR_PORT" == "80" ]; then
    $IPTABLES -A OUTPUT -t mangle -p TCP \
    $BW_MATCH --sport 3128 -j MARK --set-mark $STR_FWMARK
    fi
    fi

    CLSID=$[ $CLSID + 1 ]
    FWMARK=$[ $FWMARK + 1 ]
    fi
    done
    }


    ################################################## #############################
    #
    # RunDMZPinhole
    # -------------
    #
    ################################################## #############################

    RunDMZPinhole() {
    $FW_NOTICE "Running DMZ pinhole rules"
    for RULE in $DMZ_PINHOLE; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    IP=`echo $RULE | cut -d '|' -f2`
    PORT=`echo $RULE | cut -d '|' -f3`

    if [ "$PORT" == "0" ]; then
    $FW_DEBUG "Adding DMZ pinhole $PROTOCOL $IP"

    for LIF in $LANIF; do
    for DIF in $DMZIF; do
    GetInterfaceInfo $DIF
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $LIF -o $DIF -p $PROTOCOL -s $IP -d $IFNETWORK/$IFNETMASK
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $DIF -o $LIF -p $PROTOCOL -s $IFNETWORK/$IFNETMASK -d $IP
    done
    done
    else
    $FW_DEBUG "Adding DMZ pinhole $PROTOCOL $IP:$PORT"

    for LIF in $LANIF; do
    for DIF in $DMZIF; do
    GetInterfaceInfo $DIF
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $LIF -o $DIF -p $PROTOCOL --sport $PORT -s $IP -d $IFNETWORK/$IFNETMASK
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $DIF -o $LIF -p $PROTOCOL --dport $PORT -s $IFNETWORK/$IFNETMASK -d $IP
    done
    done
    fi
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_DMZ_PINHOLE ] -eq 0 ] && continue

    for LIF in $LANIF; do
    for DIF in $DMZIF; do
    GetInterfaceInfo $DIF
    LAN="-A FORWARD -j $FW_ACCEPT -i $LIF -o $DIF -p $FWR_PROTO -s $FWR_ADDR -d $IFNETWORK/$IFNETMASK"
    DMZ="-A FORWARD -j $FW_ACCEPT -i $DIF -o $LIF -p $FWR_PROTO -s $IFNETWORK/$IFNETMASK -d $FWR_ADDR"

    if [ -z "$FWR_PORT" ]; then
    $FW_DEBUG ">>> Adding DMZ pinhole $LIF -> $DIF: $FWR_PROTO $FWR_ADDR"
    $IPTABLES $LAN
    $IPTABLES $DMZ
    else
    $FW_DEBUG ">>> Adding DMZ pinhole $DIF -> $LIF: $FWR_PROTO $FWR_ADDR:$FWR_PORT"
    $IPTABLES $LAN --sport $FWR_PORT
    $IPTABLES $DMZ --dport $FWR_PORT
    fi
    done
    done
    done
    }


    ################################################## #############################
    #
    # RunDMZIncoming
    # --------------
    #
    ################################################## #############################

    RunDMZIncoming() {
    $FW_NOTICE "Running DMZ incoming rules"

    # Selective ports/IPs open in DMZ
    #--------------------------------
    for RULE in $DMZ_INCOMING; do
    PROTOCOL=`echo $RULE | cut -d '|' -f1`
    IP=`echo $RULE | cut -d '|' -f2`
    PORT=`echo $RULE | cut -d '|' -f3`

    if [ "$PORT" == "0" ]; then
    $FW_DEBUG "Adding DMZ incoming $PROTOCOL $IP"

    for IF in $DMZIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $IF -o $EXTIF -p $PROTOCOL -s $IP -d $FW_ALLIP
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL -s $FW_ALLIP -d $IP
    done
    else
    $FW_DEBUG "Adding DMZ incoming $PROTOCOL $IP:$PORT"

    for IF in $DMZIF; do
    GetInterfaceInfo $IF
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $IF -o $EXTIF -p $PROTOCOL --sport $PORT -s $IP -d $FW_ALLIP
    $IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $PROTOCOL --dport $PORT -s $FW_ALLIP -d $IP
    done
    fi
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_DMZ_INCOMING ] -eq 0 ] && continue

    for IF in $DMZIF; do
    GetInterfaceInfo $IF

    INPUT="-A FORWARD -j $FW_ACCEPT -i $IF -o $EXTIF -p $FWR_PROTO -s $FWR_ADDR -d $FW_ALLIP"
    OUTPUT="-A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -s $FW_ALLIP -d $FWR_ADDR"

    if [ -z "$FWR_PORT" ]; then
    $FW_DEBUG ">>> Adding DMZ incoming $IF: $FWR_PROTO $FWR_ADDR"
    $IPTABLES $INPUT
    $IPTABLES $OUTPUT
    else
    $FW_DEBUG ">>> Adding DMZ incoming $IF: $FWR_PROTO $FWR_ADDR:$FWR_PORT"
    $IPTABLES $INPUT --sport $FWR_PORT
    $IPTABLES $OUTPUT --dport $FWR_PORT
    fi
    done
    done
    }

    ################################################## #############################
    #
    # RunOneToOneNAT
    # --------------
    #
    # This function enables 1:1 NAT for a particular host on your private
    # network. You obviously need to have an additional public IP address
    # from your ISP in order to use this feature (aside from the IP address
    # assigned to your external interface). This is mostly un-tested, but
    # is known to work in most cases. Currently no support is included to
    # firewall the public IP. There are some static rules that block most
    # dangerous Microsoft Windows services. You can add additional ports
    # to /etc/rc.d/rc.firewall.local for the time being.
    #
    ################################################## #############################

    RunOneToOneNAT() {

    # Two types of 1-to-1 NAT are supported
    #
    # Type 1:
    # - You do not require aliased IPs on your WAN interface
    #
    # Type 2:
    # - You do require aliased IPs on your WAN interface
    # - Virtual IPs auto-configured (starting at ethX:200)
    #----------------------------------------------------------------

    # Clear any existing IP aliases above 200 (e.g. eth0:200)
    #--------------------------------------------------------

    OLDALIASLIST=`ifconfig | grep "^$EXTIF:2[0-9][0-9]" | awk '{ print $1 }'`
    for ALIAS in $OLDALIASLIST; do
    $FW_NOTICE "Resetting 1-to-1 NAT alias: $ALIAS"
    ifconfig $ALIAS down 2>/dev/null
    done

    # Reset IP aliases for type 2 1-to-1 NAT
    #---------------------------------------

    if ( [ "$ONE_TO_ONE_NAT_MODE" == "TYPE2" ] || [ "$ONE_TO_ONE_NAT_MODE" == "type2" ] ); then

    # Multiple external IPs are listed... determine unique IPs
    #---------------------------------------------------------

    NEWALIASLIST=""
    RULELIST="$ONE_TO_ONE_NAT $ONE_TO_ONE_NAT_PORT"

    for RULE in $RULELIST; do
    ALIASIP=`echo $RULE | cut -d '|' -f 2`
    CHECKUNIQUE=`echo $NEWALIASLIST | grep $ALIASIP`
    if [ -z "$CHECKUNIQUE" ]; then
    NEWALIASLIST="$ALIASIP $NEWALIASLIST"
    fi
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_ONE_TO_ONE ] -eq 0 ] && continue

    CHECKUNIQUE=`echo $NEWALIASLIST | grep $FWR_ADDR`
    if [ -z "$CHECKUNIQUE" ]; then
    NEWALIASLIST="$FWR_ADDR $NEWALIASLIST"
    fi
    done

    # Create aliases
    #---------------

    NETMASK=`ifconfig $EXTIF | grep -A 1 "^$EXTIF " | grep -v $EXTIF | cut -d ':' -f4`
    COUNT="200"
    for ALIAS in $NEWALIASLIST; do
    $FW_NOTICE "Creating alias IP $ALIAS for 1-to-1 NAT"
    ifconfig $EXTIF:$COUNT $ALIAS netmask $NETMASK up
    COUNT=`expr $COUNT + 1`
    done
    fi

    # Run 1-to-1 NAT iptables rules (single port only)
    #-------------------------------------------------

    NAT_PORT_IPS=""

    for RULE in $ONE_TO_ONE_NAT_PORT; do
    NAT_INTIP=`echo $RULE | cut -d '|' -f1`
    NAT_EXTIP=`echo $RULE | cut -d '|' -f2`
    NAT_PROTOCOL=`echo $RULE | cut -d '|' -f3`
    NAT_PORT=`echo $RULE | cut -d '|' -f4`
    $FW_NOTICE "Enabling 1:1 NAT $NAT_INTIP - $NAT_EXTIP $NAT_PROTOCOL $NAT_PORT"

    CHECKUNIQUE=`echo $NAT_PORT_IPS | grep $NAT_INTIP`
    if [ -z "$CHECKUNIQUE" ]; then
    # SNAT required for type 1 only?
    $IPTABLES -A PREROUTING -t nat -d $NAT_EXTIP -j DNAT --to $NAT_INTIP
    $IPTABLES -A POSTROUTING -t nat -s $NAT_INTIP -j SNAT --to $NAT_EXTIP
    $IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 0 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 3 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 8 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $NAT_INTIP -p icmp --icmp-type 11 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $NAT_INTIP -p icmp -j $FW_DROP
    fi

    $IPTABLES -A FORWARD -p $NAT_PROTOCOL -d $NAT_INTIP --dport $NAT_PORT -j $FW_ACCEPT
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_ONE_TO_ONE ] -eq 0 ] && continue
    [ -z "$FWR_PORT" ] && continue

    $FW_NOTICE ">>> Enabling 1:1 NAT $FWR_PARAM - $FWR_ADDR $FWR_PROTO $FWR_PORT"

    CHECKUNIQUE=`echo $NAT_PORT_IPS | grep $FWR_PARAM`
    if [ -z "$CHECKUNIQUE" ]; then
    # SNAT required for type 1 only?
    $IPTABLES -A PREROUTING -t nat -d $FWR_ADDR -j DNAT --to $FWR_PARAM
    $IPTABLES -A POSTROUTING -t nat -s $FWR_PARAM -j SNAT --to $FWR_ADDR
    $IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 0 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 3 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 8 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $FWR_PARAM -p icmp --icmp-type 11 -j $FW_ACCEPT
    $IPTABLES -A FORWARD -d $FWR_PARAM -p icmp -j $FW_DROP
    fi

    $IPTABLES -A FORWARD -p $FWR_PROTO -d $FWR_PARAM --dport $FWR_PORT -j $FW_ACCEPT
    done

    # Run 1-to-1 NAT iptables rules (wide open)
    #------------------------------------------

    for RULE in $ONE_TO_ONE_NAT; do
    NAT_INTIP=`echo $RULE | cut -d '|' -f1`
    NAT_EXTIP=`echo $RULE | cut -d '|' -f2`
    $FW_NOTICE "Enabling 1:1 NAT $NAT_INTIP - $NAT_EXTIP"

    # SNAT required for type 1 only?
    $IPTABLES -A PREROUTING -t nat -d $NAT_EXTIP -j DNAT --to $NAT_INTIP
    $IPTABLES -A POSTROUTING -t nat -s $NAT_INTIP -j SNAT --to $NAT_EXTIP
    $IPTABLES -A FORWARD -d $NAT_INTIP -j $FW_ACCEPT
    done

    for RULE in $RULES; do
    ExpandRule $RULE
    [ $[ $FWR_TYPE & $FWR_ENABLED ] -eq 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -ne 0 ] && continue
    [ $[ $FWR_TYPE & $FWR_ONE_TO_ONE ] -eq 0 ] && continue
    [ ! -z "$FWR_PORT" ] && continue

    $FW_NOTICE ">>> Enabling 1:1 NAT $FWR_PARAM - $FWR_ADDR"

    # SNAT required for type 1 only?
    $IPTABLES -A PREROUTING -t nat -d $FWR_ADDR -j DNAT --to $FWR_PARAM
    $IPTABLES -A POSTROUTING -t nat -s $FWR_PARAM -j SNAT --to $FWR_ADDR
    $IPTABLES -A FORWARD -d $FWR_PARAM -j $FW_ACCEPT
    done
    }


    ################################################## #############################
    #
    # Abort
    # -----
    # Upon a fatal error, set policies to DROP and open port 81 (webconfig)
    # and 22 (ssh).
    #
    ################################################## #############################

    Abort() {
    echo $@
    $FW_ERROR "$@"
    echo "Setting default policies to DROP..."
    $FW_NOTICE "Setting default policies to DROP..."

    SetPolicyToDrop

    # Allow ping for diagnostics
    $IPTABLES -A INPUT -p icmp -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -p icmp -j $FW_ACCEPT

    # Open 81 and 22
    $IPTABLES -I INPUT -j $FW_ACCEPT -p TCP --dport 81
    $IPTABLES -I OUTPUT -j $FW_ACCEPT -p TCP --sport 81
    $IPTABLES -I INPUT -j $FW_ACCEPT -p TCP --dport 22
    $IPTABLES -I OUTPUT -j $FW_ACCEPT -p TCP --sport 22

    # Allow DHCP to startup
    $IPTABLES -A INPUT -p udp --dport bootpc --sport bootps -j $FW_ACCEPT
    $IPTABLES -A INPUT -p tcp --dport bootpc --sport bootps -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -p tcp --sport bootpc --dport bootps -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -p udp --sport bootpc --dport bootps -j $FW_ACCEPT

    # Allow high ports
    $IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -j $FW_ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j $FW_ACCEPT

    # Allow everything on the loopback
    $IPTABLES -A INPUT -i lo -j $FW_ACCEPT
    $IPTABLES -A OUTPUT -o lo -j $FW_ACCEPT

    exit 1
    }


    ################################################## #############################
    #
    # GetInterfaceInfo
    # ----------------
    #
    # Sets variables containing an interface's IP address, network, and
    # netmask (IFIP, IFNETWORK, IFNETMASK, and IFPREFIX). First attempt to
    # use /etc/sysconfig/network-scripts/ifcfg-xxx, then try getting the
    # "live" configuration using 'ip'.
    #
    ################################################## #############################

    GetInterfaceInfo() {
    IFIP=
    IFNETMASK=
    IFNETWORK=
    IFPREFIX=

    if [ -f /etc/sysconfig/network-scripts/ifcfg-$1 ]; then
    IPADDR=
    NETMASK=

    source /etc/sysconfig/network-scripts/ifcfg-$1

    if ( [ ! -z "$IPADDR" ] && [ ! -z "$NETMASK" ] ); then
    IFIP=$IPADDR
    IFNETMASK=$NETMASK
    IFNETWORK=`$IPCALC --network $IFIP $IFNETMASK | sed s/NETWORK=//i`
    IFPREFIX=`$IPCALC --prefix $IFIP $IFNETMASK | sed s/PREFIX=//i`
    else
    $FW_DEBUG "Obtaining interface configuration directly from device $1"
    ADDR=`$IPBIN addr show dev $1 | grep $1$ | awk '{ print $2 }'`
    IFIP=`echo $ADDR | cut -d/ -f1`

    if [ ! -z "$IFIP" ]; then
    # PPPOEKLUDGE -- could make this more generic
    if [ "$1" == "ppp0" ]; then
    $FW_DEBUG "Detected PPPoE/point-to-point interface, making adjustments"
    IFNETMASK="255.255.255.255"
    IFNETWORK=$IFIP
    IFPREFIX="32"
    elif [ ! -z "$ADDR" ]; then
    IFPREFIX=`echo $ADDR | cut -d/ -f2`
    IFNETWORK=`$IPCALC --network $ADDR | sed s/NETWORK=//i`
    IFNETMASK=`$IPCALC --netmask $ADDR | sed s/NETMASK=//i`
    fi
    fi
    fi
    else
    $FW_DEBUG "Obtaining interface configuration directly from device $1"
    ADDR=`$IPBIN addr show dev $1 | grep $1$ | awk '{ print $2 }'`
    IFIP=`echo $ADDR | cut -d/ -f1`

    if [ ! -z "$IFIP" ]; then
    # PPPOEKLUDGE
    if [ "$1" == "ppp0" ]; then
    $FW_DEBUG "Detected PPPoE/point-to-point interface, making adjustments"
    IFNETMASK="255.255.255.255"
    IFNETWORK=$IFIP
    IFPREFIX="32"
    elif [ ! -z "$ADDR" ]; then
    IFPREFIX=`echo $ADDR | cut -d/ -f2`
    IFNETWORK=`$IPCALC --network $ADDR | sed s/NETWORK=//i`
    IFNETMASK=`$IPCALC --netmask $ADDR | sed s/NETMASK=//i`
    fi
    fi
    fi

    if [ -z "$IFIP" ]; then
    Abort "Unable to determine IP address for: $1"
    fi

    if [ -z "$IFNETMASK" ]; then
    Abort "Unable to determine netmask for: $1"
    fi

    if [ -z "$IFNETWORK" ]; then
    Abort "Unable to determine network address for: $1"
    fi

    if [ -z "$IFPREFIX" ]; then
    Abort "Unable to determine prefix for: $1"
    fi
    }


    ################################################## #############################
    #
    # ExpandRule
    # ----------
    #
    ################################################## #############################

    ExpandRule() {
    if [ $# -ne 1 ]; then
    $FW_ERROR "Required argument missing."
    return 1
    fi

    FWR_TYPE=`echo $1 | cut -d\| -f3`
    FWR_PROTO=`echo $1 | cut -d\| -f4`
    FWR_ADDR=`echo $1 | cut -d\| -f5`
    FWR_PORT=`echo $1 | cut -d\| -f6`
    FWR_PARAM=`echo $1 | cut -d\| -f7`

    return 0
    }


    ################################################## #############################
    #
    # GenerateRule
    # ------------
    # Build a custom firewall rule.
    #
    ################################################## #############################

    CustomRule() {
    if [ $# -ne 1 ]; then
    $FW_ERROR "Required argument missing."
    return 1
    fi

    ExpandRule $1 || return 1
    [ $[ $FWR_TYPE & $FWR_CUSTOM ] -eq 0 ] && return 1

    DST_ADDR=""
    DST_PORT=""

    if [ ! -z "$FWR_PARAM" ]; then
    echo "$FWR_PARAM" | grep "_" >/dev/null 2>&1

    if [ $? -eq 0 ]; then
    DST_ADDR=`echo $FWR_PARAM | cut -d'_' -f1`
    DST_PORT=`echo $FWR_PARAM | cut -d'_' -f2`
    else
    DST_ADDR=$FWR_PARAM
    fi
    fi

    if [ $[ $FWR_TYPE & $FWR_INCOMING_ALLOW ] -ne 0 ]; then
    INPUT="-I INPUT -p $FWR_PROTO -i $EXTIF"
    OUTPUT="-I OUTPUT -p $FWR_PROTO -o $EXTIF"

    if [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -eq 0 ]; then
    INPUT="$INPUT -s $FWR_ADDR"
    OUTPUT="$OUTPUT -d $FWR_ADDR"
    elif [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -ne 0 ]; then
    INPUT="$INPUT -m mac --mac-source $FWR_ADDR"
    fi

    if [ ! -z "$DST_ADDR" ]; then
    INPUT="$INPUT -d $DST_ADDR"
    OUTPUT="$OUTPUT -s $DST_ADDR"
    fi

    if [ ! -z "$FWR_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    INPUT="$INPUT --dport $FWR_PORT"
    OUTPUT="$OUTPUT --sport $FWR_PORT"
    fi

    if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    INPUT="$INPUT --sport $DST_PORT"
    OUTPUT="$OUTPUT --dport $DST_PORT"
    fi

    FW_INPUT="$IPTABLES $INPUT -j $FW_ACCEPT"; INPUT=""
    FW_OUTPUT="$IPTABLES $OUTPUT -j $FW_ACCEPT"; OUTPUT=""
    elif [ $[ $FWR_TYPE & $FWR_INCOMING_BLOCK ] -ne 0 ]; then
    INPUT="-I INPUT -i $EXTIF -p $FWR_PROTO"
    OUTPUT="-I OUTPUT -o $EXTIF -p $FWR_PROTO"

    if [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -eq 0 ]; then
    INPUT="$INPUT -s $FWR_ADDR"
    OUTPUT="$OUTPUT -d $FWR_ADDR"
    elif [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -ne 0 ]; then
    INPUT="$INPUT -m mac --mac-source $FWR_ADDR"
    fi

    if [ ! -z "$DST_ADDR" ]; then
    INPUT="$INPUT -d $DST_ADDR"
    OUTPUT="$OUTPUT -s $DST_ADDR"
    fi

    if [ ! -z "$FWR_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    INPUT="$INPUT --dport $FWR_PORT"
    OUTPUT="$OUTPUT --sport $FWR_PORT"
    fi

    if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    INPUT="$INPUT --sport $DST_PORT"
    OUTPUT="$OUTPUT --dport $DST_PORT"
    fi

    FW_INPUT="$IPTABLES $INPUT -j $FW_DROP"; INPUT=""
    FW_OUTPUT="$IPTABLES $OUTPUT -j $FW_DROP"; OUTPUT=""
    elif [ $[ $FWR_TYPE & $FWR_OUTGOING_BLOCK ] -ne 0 ]; then
    FORWARD="-I FORWARD -p $FWR_PROTO"

    if [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -eq 0 ]; then
    FORWARD="$FORWARD -s $FWR_ADDR"
    elif [ ! -z "$FWR_ADDR" -a $[ $FWR_TYPE & $FWR_MAC_SOURCE ] -ne 0 ]; then
    FORWARD="$FORWARD -m mac --mac-source $FWR_ADDR"
    fi

    if [ ! -z "$DST_ADDR" ]; then
    FORWARD="$FORWARD -d $DST_ADDR"
    fi

    if [ ! -z "$FWR_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    FORWARD="$FORWARD --dport $FWR_PORT"
    fi

    if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    FORWARD="$FORWARD --sport $DST_PORT"
    fi

    FW_FORWARD="$IPTABLES $FORWARD -j $FW_DROP"; FORWARD=""
    elif [ $[ $FWR_TYPE & $FWR_FORWARD ] -ne 0 ]; then
    PREROUTING="-I PREROUTING -t nat -d $EXTIP -p $FWR_PROTO"

    #$IPTABLES -A PREROUTING -t nat -d $EXTIP -p $FWR_PROTO --dport $FWR_PARAM -j DNAT --to $FWR_ADDR

    if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    PREROUTING="$PREROUTING --dport $FWR_PORT"
    fi

    if [ ! -z "$FWR_ADDR" ]; then
    PREROUTING="$PREROUTING -j DNAT --to $FWR_ADDR"
    fi

    FW_PREROUTING="$IPTABLES $PREROUTING"; PREROUTING=""

    for LIF in $LANIF; do
    GetInterfaceInfo $LIF

    #$IPTABLES -t nat -A POSTROUTING -d $FWR_ADDR -p $FWR_PROTO -s $IFNETWORK/$IFNETMASK --dport $FWR_PARAM -j SNAT --to $IFIP
    POSTROUTING="-I POSTROUTING -t nat -p $FWR_PROTO"

    if [ ! -z "FWR_ADDR" ]; then
    POSTROUTING="$POSTROUTING -d $FWR_ADDR"
    fi

    POSTROUTING="$POSTROUTING -s $IFNETWORK/$IFNETMASK"

    if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    POSTROUTING="$POSTROUTING --dport $DST_PORT"
    fi

    POSTROUTING="$POSTROUTING -j SNAT --to $IFIP"

    eval "FW_POSTROUTING_$LIF=\"$IPTABLES $POSTROUTING\""; POSTROUTING=""

    #$IPTABLES -A FORWARD -j $FW_ACCEPT -i $EXTIF -o $IF -p $FWR_PROTO -d $FWR_ADDR --dport $PORT
    FORWARD="-I FORWARD -i $EXTIF -o $LIF -p $FWR_PROTO"

    if [ ! -z "$FWR_ADDR" ]; then
    FORWARD="$FORWARD -d $FWR_ADDR"
    fi

    if [ ! -z "$DST_PORT" -a \( $FWR_PROTO -eq 6 -o $FWR_PROTO -eq 17 \) ]; then
    FORWARD="$FORWARD --dport $DST_PORT"
    fi

    FORWARD="$FORWARD -j $FW_ACCEPT"

    eval "FW_FORWARD_$LIF=\"$IPTABLES $FORWARD\""; FORWARD=""
    done
    else
    $FW_ERROR "Invalid custom firewall type."
    return 1
    fi

    return 0
    }


    ################################################## #############################
    #
    # HTBStatus
    #
    ################################################## #############################

    HTBStatus() {
    echo "EXT - $PHYSEXTIF"
    $TCBIN -s -d qdisc show dev $PHYSEXTIF
    echo
    $TCBIN -s -d class show dev $PHYSEXTIF
    $TCBIN -s -d filter show dev $PHYSEXTIF
    echo

    for IF in $LANIF; do
    echo "LAN - $IF"
    $TCBIN -s -d qdisc show dev $IF
    echo
    $TCBIN -s -d class show dev $IF
    $TCBIN -s -d filter show dev $IF
    echo
    done

    for IF in $DMZIF; do
    echo "DMZ - $IF"
    $TCBIN -s -d qdisc show dev $IF
    echo
    $TCBIN -s -d class show dev $IF
    $TCBIN -s -d filter show dev $IF
    echo
    done
    }


    ################################################## #############################
    #
    # Ip2Bin
    # Convert IPv4 address to decimal number
    #
    ################################################## #############################

    Ip2Bin() {
    if [ "$#" != "1" ]; then
    $FW_ERROR "Invalid argument count."
    return 1
    fi

    A=`echo $1 | cut -d'.' -f1`
    B=`echo $1 | cut -d'.' -f2`
    C=`echo $1 | cut -d'.' -f3`
    D=`echo $1 | cut -d'.' -f4`

    BIN=$[ ($A << 24) + ($B << 16) + ($C << + $D ]

    return 0
    }


    ################################################## #############################
    #
    # Bin2Ip
    # Convert a decimal number to an IPv4 address
    #
    ################################################## #############################

    Bin2Ip()
    {
    if [ "$#" != "1" ]; then
    $FW_ERROR "Invalid argument count."
    return 1
    fi

    BIN=$1

    A=$[ $BIN >> 24 ]
    BIN=$[ $BIN - ($BIN & 0xff000000) ]
    B=$[ $BIN >> 16 ]
    BIN=$[ $BIN - ($BIN & 0x00ff0000) ]
    C=$[ $BIN >> 8 ]
    BIN=$[ $BIN - ($BIN & 0x0000ff00) ]
    D=$BIN
    }


    ################################################## #############################
    #
    # P2PType
    # Convert a P2P network flag to a corresponding ip2p network name
    #
    ################################################## #############################

    Ipp2pType()
    {
    if [ "$#" != "1" ]; then
    $FW_ERROR "Invalid argument count."
    return 1
    fi

    case $1 in
    $FWR_P2P_EDK)
    P2P_TYPE="--edk"
    ;;
    $FWR_P2P_KAZAA)
    P2P_TYPE="--kazaa"
    ;;
    $FWR_P2P_GNU)
    P2P_TYPE="--gnu"
    ;;
    $FWR_P2P_DC)
    P2P_TYPE="--dc"
    ;;
    $FWR_P2P_BIT)
    P2P_TYPE="--bit"
    ;;
    $FWR_P2P_APPLE)
    P2P_TYPE="--apple"
    ;;
    $FWR_P2P_WINMX)
    P2P_TYPE="--winmx"
    ;;
    $FWR_P2P_SOUL)
    P2P_TYPE="--soul"
    ;;
    $FWR_P2P_ARES)
    P2P_TYPE="--ares"
    ;;
    *)
    $FW_ERROR "Invalid P2P network type: $1"
    esac
    }


    ################################################## #############################
    #
    # F I R E W A L L S
    #
    ################################################## #############################

    ################################################## #############################
    #
    # T R U S T E D S T A N D A L O N E
    #
    # A "trusted standalone" firewall isn't a firewall at all. All traffic
    # is allowed in and out of the machine. Use this firewall for
    # machines running on local network
    #
    ################################################## #############################

    trustedstandalone() {
    $FW_NOTICE "Using trusted standalone mode (no firewall)"

    LoadKernelModules
    DefineChains
    SetKernelSettings
    SetPolicyToAccept
    RunAdhocRules
    RunCustomRules

    # FIXME: late change to 3.0 release
    # - If the box is in standalone mode, don't load the ip_nat_pptp module
    if [ "$FW_MODE" == "trustedstandalone" ]; then
    $RMMOD ip_nat_pptp > /dev/null 2>&1
    fi
    }


    ################################################## #############################
    #
    # S T A N D A L O N E
    #
    # A "standalone" firewall is designed for a server that sits on the
    # Internet (or an untrusted LAN). Allowed ports must be defined in
    # /etc/firewalla (INCOMING_ALLOW or INCOMING_ALLOW_RANGE).
    #
    ################################################## #############################

    standalone() {
    $FW_NOTICE "Using standalone mode"

    SetKernelSettings
    SetPolicyToDrop
    LoadKernelModules
    DefineChains
    RunCommonRules
    RunAdhocRules
    RunIncomingAllowed
    RunIncomingAllowedDefaults
    RunIncomingDenied
    RunIncomingDeniedDefaults
    RunCustomRules
    }


    ################################################## #############################
    #
    # G A T E W A Y F I R E W A L L
    #
    ################################################## #############################

    gateway() {
    $FW_NOTICE "Using gateway mode"

    SetKernelSettings
    SetPolicyToDrop
    LoadKernelModules
    DefineChains
    RunCommonRules
    RunAdhocRules
    RunRemapPorts
    RunIncomingDenied
    RunIncomingAllowed
    RunIncomingAllowedDefaults
    RunIncomingDeniedDefaults
    RunPortForwardRules
    RunOutgoingDenied
    RunOutgoingDeniedDefaults
    RunBandwidthRules
    RunOneToOneNAT
    RunCustomRules

    # Enable masquerading
    #--------------------
    $IPTABLES -A POSTROUTING -t nat -j MASQUERADE -o $EXTIF
    $IPTABLES -A FORWARD -i $TRUSTEDIF -j $FW_ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j $FW_ACCEPT

    # Drop everything else
    #---------------------
    $IPTABLES -A FORWARD -j $FW_DROP
    }


    ################################################## #############################
    #
    # T R U S T E D G A T E W A Y
    #
    ################################################## #############################

    trustedgateway() {
    $FW_NOTICE "Using trusted gateway mode"

    LoadKernelModules
    SetKernelSettings
    SetPolicyToAccept
    RunBandwidthRules

    # Enable masquerading
    $IPTABLES -A POSTROUTING -t nat -j MASQUERADE -o $EXTIF
    }


    ################################################## #############################
    #
    # D M Z
    #
    ################################################## #############################

    dmz() {
    $FW_NOTICE "Using dmz mode"

    SetKernelSettings
    SetPolicyToDrop
    LoadKernelModules
    DefineChains
    RunCommonRules
    RunAdhocRules
    RunRemapPorts
    RunIncomingDenied
    RunIncomingAllowed
    RunIncomingAllowedDefaults
    RunIncomingDeniedDefaults
    RunPortForwardRules
    RunOutgoingDenied
    RunOutgoingDeniedDefaults
    RunBandwidthRules
    RunDMZPinhole
    RunDMZIncoming
    RunOneToOneNAT
    RunCustomRules

    # LAN: enable masquerading
    #-------------------------

    for LIF in $LANIF; do
    GetInterfaceInfo $LIF
    LIFNETWORK=$IFNETWORK
    LIFPREFIX=$IFPREFIX
    $IPTABLES -A POSTROUTING -t nat -j MASQUERADE -o $EXTIF -s $LIFNETWORK/$LIFPREFIX
    done

    # DMZ: enable forwarding
    #-----------------------

    GetInterfaceInfo $EXTIF
    EXTNETWORK=$IFNETWORK
    EXTPREFIX=$IFPREFIX

    for DIF in $DMZIF; do
    GetInterfaceInfo $DIF

    # Proxy ARP mode -- only 1 DMZ interface supported!
    #--------------------------------------------------

    if ( [ "$EXTNETWORK" == "$IFNETWORK" ] && [ "$EXTPREFIX" == "$IFPREFIX" ] ); then
    $FW_NOTICE "Detected proxy ARP mode"
    $SYSCTL -w net.ipv4.conf.$EXTIF.proxy_arp=1 >/dev/null
    $SYSCTL -w net.ipv4.conf.$IF.proxy_arp=1 >/dev/null

    # Add route to proxy-arped interfaces
    $IPBIN route add $IFNETWORK/$IFPREFIX dev $IF 2>/dev/null
    $IPBIN route add $IFNETWORK/$IFPREFIX dev $EXTIF 2>/dev/null

    # Add IP route
    $IPBIN route add $EXTIP dev $EXTIF 2>/dev/null
    $IPBIN route append $EXTIP dev $IF 2>/dev/null

    GWIP=`/bin/grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF | /bin/sed -e s/GATEWAY=//i | /bin/sed 's/"//g'`
    if [ -z "$GWIP" ]; then
    $ERROR "Failed to find gateway IP"
    fi

    $IPBIN route add $GWIP dev $EXTIF 2>/dev/null
    fi

    # Allow ICMP from DMZ to anywhere and anywhere to DMZ
    #----------------------------------------------------

    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 0
    $IPTABLES -A FORWARD -d $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 0
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 3
    $IPTABLES -A FORWARD -d $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 3
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 11
    $IPTABLES -A FORWARD -d $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -p icmp --icmp-type 11
    # This allows any host on the DMZ to ping anyone (including hosts on the LAN)
    $IPTABLES -A FORWARD -s $IFNETWORK/$IFNETMASK -j $FW_ACCEPT -

  2. #2
    Just Joined!
    Join Date
    May 2005
    Posts
    9
    And this is my iptables list;
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere state INVALID
    REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
    DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    drop-reserved all -- 127.0.0.0/8 anywhere
    drop-reserved all -- 2.0.0.0/8 anywhere
    drop-reserved all -- 96.0.0.0/3 anywhere
    drop-reserved all -- 169.254.0.0/16 anywhere
    drop-reserved all -- 223.0.0.0/8 anywhere
    drop-reserved all -- BASE-ADDRESS.MCAST.NET/4 anywhere
    drop-reserved all -- 240.0.0.0/4 anywhere
    ACCEPT udp -- anywhere 212-42-117-221.elcat.kg udp spt:bootps dpt:bootpc
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp spt:bootps dpt:bootpc
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:ftp-data
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:ftp
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:ssh
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:smtp
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:81
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:imap
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:1875
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpt:10000
    ACCEPT udp -- anywhere 212-42-117-221.elcat.kg udp dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere 212-42-117-221.elcat.kg tcp dpts:1024:65535 state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP tcp -- 192.168.1.0/24 anywhere tcp dpt:5190
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:bootpc dpt:bootps
    ACCEPT udp -- 212-42-117-221.elcat.kg anywhere udp spt:bootpc dpt:bootps
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:ftp-data
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:ftp
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:ssh
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:smtp
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:81
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:imap
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:1875
    ACCEPT tcp -- 212-42-117-221.elcat.kg anywhere tcp spt:10000
    ACCEPT all -- 212-42-117-221.elcat.kg anywhere
    DROP all -- anywhere anywhere

    Chain drop-lan (0 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain drop-reserved (7 references)
    target prot opt source destination
    DROP all -- anywhere anywhere

  3. #3
    Linux User
    Join Date
    Feb 2005
    Posts
    290
    i sincerely suggest you backup your original script, then cut it into half, and half, and half to narrow down the problem and come back here with the line that causes the error, someone will really glad to help, but not going thru that lines of script....

  4. $spacer_open
    $spacer_close

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •