From: <dha...@us...> - 2006-08-11 21:10:25
Revision: 243 Author: dhartman Date: 2006-08-11 14:10:22 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=243&view=rev Log Message: ----------- init script and arno-firewall.mk typos Modified Paths: -------------- trunk/package/arno-fw/arno-firewall.mk trunk/package/iptables/iptables.init Modified: trunk/package/arno-fw/arno-firewall.mk =================================================================== --- trunk/package/arno-fw/arno-firewall.mk 2006-08-11 19:31:56 UTC (rev 242) +++ trunk/package/arno-fw/arno-firewall.mk 2006-08-11 21:10:22 UTC (rev 243) @@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNO_FW_DIR:=package/arno_fw +ARNO_FW_DIR:=package/arno-fw ARNO_FW_TARGET_BINARY=$(TARGET_DIR)/usr/sbin/arno-iptables-firewall $(ARNO_FW_TARGET_BINARY): Modified: trunk/package/iptables/iptables.init =================================================================== --- trunk/package/iptables/iptables.init 2006-08-11 19:31:56 UTC (rev 242) +++ trunk/package/iptables/iptables.init 2006-08-11 21:10:22 UTC (rev 243) @@ -5,7 +5,7 @@ start () { if [ "$INTIF" ] then -if [ $FWVERS = arno ] +if [ "$FWVERS" = "arno" ] then /usr/sbin/arno-iptables-firewall start else @@ -23,7 +23,7 @@ stop () { if [ "$INTIF" ] then -if [ $FWVERS = arno ] +if [ "$FWVERS" = "arno" ] then /usr/sbin/arno-iptables-firewall stop else This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
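Review bot: The rule header `$(ARNO_FW_TARGET_BINARY):` at the end of the arno-firewall.mk hunk lists no prerequisites, so once the installed script exists a changed `$(ARNO_FW_DIR)/arno-iptables-firewall` is never reinstalled; `$(ARNO_FW_TARGET_BINARY): $(ARNO_FW_DIR)/arno-iptables-firewall` would make the rule rebuild on edits (its recipe lies outside the hunk). `ARNO_FW_TARGET_BINARY=` also uses recursive `=` while the line above it uses `:=`; for a fixed path `:=` is the predictable choice. Both points carry over unchanged to the replacement `arnofw.mk` added in revision 246.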
From: <dha...@us...> - 2006-08-14 00:06:12
Revision: 246 Author: dhartman Date: 2006-08-13 17:06:05 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=246&view=rev Log Message: ----------- fixes to Arno's firewall. Modified Paths: -------------- trunk/package/arno-fw/Config.in Added Paths: ----------- trunk/package/arno-fw/arnofw.mk trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf Removed Paths: ------------- trunk/package/arno-fw/arno-firewall.mk Modified: trunk/package/arno-fw/Config.in =================================================================== --- trunk/package/arno-fw/Config.in 2006-08-13 05:49:35 UTC (rev 245) +++ trunk/package/arno-fw/Config.in 2006-08-14 00:06:05 UTC (rev 246) @@ -1,4 +1,4 @@ -config BR2_PACKAGE_ARNO_FW +config BR2_PACKAGE_ARNOFW bool "Arno's Firewall Support" default n help Deleted: trunk/package/arno-fw/arno-firewall.mk =================================================================== --- trunk/package/arno-fw/arno-firewall.mk 2006-08-13 05:49:35 UTC (rev 245) +++ trunk/package/arno-fw/arno-firewall.mk 2006-08-14 00:06:05 UTC (rev 246) 
@@ -1,29 +0,0 @@ -############################################################# -# -# Arno's IPtables Firewall Script -# -############################################################# -ARNO_FW_DIR:=package/arno-fw -ARNO_FW_TARGET_BINARY=$(TARGET_DIR)/usr/sbin/arno-iptables-firewall - -$(ARNO_FW_TARGET_BINARY): - $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall $(TARGET_DIR)/usr/sbin/arno-iptables-firewall - $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf - -arno_fw: uclibc linux asterisk $(ARNO_FW_TARGET_BINARY) - -arno_fw-clean: - rm $(ARNO_FW_TARGET_BINARY) - rm $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf - -arno_fw-dirclean: - echo "Nothing to do" - -############################################################# -# -# Toplevel Makefile options -# -############################################################# -ifeq ($(strip $(BR2_PACKAGE_ARNO_FW)),y) -TARGETS+= -endif Added: trunk/package/arno-fw/arnofw.mk =================================================================== --- trunk/package/arno-fw/arnofw.mk (rev 0) +++ trunk/package/arno-fw/arnofw.mk 2006-08-14 00:06:05 UTC (rev 246) 
@@ -0,0 +1,29 @@
+#############################################################
+#
+# Arno's IPtables Firewall Script
+#
+#############################################################
+ARNOFW_DIR:=package/arno-fw
+ARNOFW_TARGET_BINARY=$(TARGET_DIR)/usr/sbin/arno-iptables-firewall
+
+$(ARNOFW_TARGET_BINARY):
+ $(INSTALL) -D -m 0755 $(ARNOFW_DIR)/arno-iptables-firewall $(TARGET_DIR)/usr/sbin/arno-iptables-firewall
+ $(INSTALL) -D -m 0700 $(ARNOFW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
+
+arnofw: uclibc linux asterisk $(ARNOFW_TARGET_BINARY)
+
+arnofw-clean:
+ rm $(ARNOFW_TARGET_BINARY)
+ rm $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
+
+arnofw-dirclean:
+ echo "Nothing to do"
+
+#############################################################
+#
+# Toplevel Makefile options
+#
+#############################################################
+ifeq ($(strip $(BR2_PACKAGE_ARNOFW)),y)
+TARGETS+=
+endif
Added: trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf
===================================================================
--- trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf (rev 0)
+++ trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf 2006-08-14 00:06:05 UTC (rev 246)
@@ -0,0 +1 @@
+link /tmp/etc/arno-iptables-firewall.conf
\ No newline at end of file
Property changes on: trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf
___________________________________________________________________
Name: svn:special
+ *
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
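Review bot: The `TARGETS+=` line under `ifeq ($(strip $(BR2_PACKAGE_ARNOFW)),y)` appends nothing, so enabling the package in Config.in does not add `arnofw` to the top-level build; presumably it should read `TARGETS+=arnofw`, unless the target is pulled in by another makefile. `arnofw-clean` uses bare `rm`, so a second `make arnofw-clean` fails once the files are gone; `$(RM)` (rm -f) is the conventional form. The `$(ARNOFW_TARGET_BINARY)` recipe repeats the target path instead of writing to `$@`, and it also installs the `.conf` file, which is then a build product with no target of its own. `arnofw`, `arnofw-clean` and `arnofw-dirclean` are not files and belong in a `.PHONY:` declaration.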
From: <dha...@us...> - 2006-08-18 04:52:48
Revision: 278 Author: dhartman Date: 2006-08-17 21:52:41 -0700 (Thu, 17 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=278&view=rev Log Message: ----------- arno's firewall fix and VIA rc.modules fix Modified Paths: -------------- trunk/package/arno-fw/arno-iptables-firewall trunk/target/device/via/target_skeleton/etc/rc.modules Modified: trunk/package/arno-fw/arno-iptables-firewall =================================================================== --- trunk/package/arno-fw/arno-iptables-firewall 2006-08-18 03:31:12 UTC (rev 277) +++ trunk/package/arno-fw/arno-iptables-firewall 2006-08-18 04:52:41 UTC (rev 278) @@ -52,11 +52,13 @@ # Astlinux mod: check if config file is on key disk or use default from stat ############################################################################# +if [ ! -e /tmp/etc/arno-iptables-firewall.conf ]; then if [ -e /mnt/kd/arno-iptables-firewall.conf ]; then ln -s /mnt/kd/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf else cp /stat/etc/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf fi +fi # Check if config file exists and if so load it ############################################### Modified: trunk/target/device/via/target_skeleton/etc/rc.modules =================================================================== --- trunk/target/device/via/target_skeleton/etc/rc.modules 2006-08-18 03:31:12 UTC (rev 277) +++ trunk/target/device/via/target_skeleton/etc/rc.modules 2006-08-18 04:52:41 UTC (rev 278) @@ -12,7 +12,7 @@ #forcedeth #8139cp 8139too -#via-rhine +via-rhine #pcnet32 #acenic #e1000 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
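Review bot: The new `if [ ! -e /tmp/etc/arno-iptables-firewall.conf ]; then` guard treats a dangling symlink as absent, so if the key-disk link from an earlier run is stale (key disk gone), the inner `ln -s` fails with "File exists" and the later config-file existence check still finds nothing; testing `[ ! -e "$f" ] && [ ! -L "$f" ]`, or removing a stale link first, avoids that. `cp` does not preserve mode, so the 0700 that arnofw.mk installs on /stat/etc/arno-iptables-firewall.conf is replaced by the umask default on the /tmp copy; `cp -p` keeps it. Neither the `ln -s` nor the `cp` result is checked, so a failure is only reported indirectly by the config check that follows. The enclosing script continues outside the hunk.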
From: <dha...@us...> - 2007-11-14 01:48:16
Revision: 1377 http://astlinux.svn.sourceforge.net/astlinux/?rev=1377&view=rev Author: dhartman Date: 2007-11-13 17:48:20 -0800 (Tue, 13 Nov 2007) Log Message: ----------- version bump on Arno's firewall Modified Paths: -------------- trunk/package/arno-fw/arno-iptables-firewall trunk/package/arno-fw/arno-iptables-firewall.conf Modified: trunk/package/arno-fw/arno-iptables-firewall =================================================================== --- trunk/package/arno-fw/arno-iptables-firewall 2007-11-13 19:06:19 UTC (rev 1376) +++ trunk/package/arno-fw/arno-iptables-firewall 2007-11-14 01:48:20 UTC (rev 1377) 
@@ -1,41 +1,47 @@ #!/bin/sh -# + # chkconfig: 2345 11 89 # description: Arno's iptables firewall -MY_VERSION="1.8.6c" +### BEGIN INIT INFO +# Provides: arno-iptables-firewall +# Required-Start: $syslog $local_fs +# Required-Stop: $syslog $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Setup iptables firewall configuration +### END INIT INFO -# Astlinux modifications by Darrick Hartman -# ############################################################################################ # You should put this script in eg. "/etc/init.d/" (or "/etc/rc.d/"). # # Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it # -# If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or # +# If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or # # (for ie. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script # # ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). 
# ############################################################################################ +MY_VERSION="1.8.8i" + # Location of the configuration file for this firewall: ####################################################### CONFIG_FILE=/etc/arno-iptables-firewall.conf # ------------------------------------------------------------------------------------------ -# -= Arno's iptables firewall =- -# Single- & multi-homed firewall script with DSL/ADSL support +# -= Arno's iptables firewall =- +# Single- & multi-homed firewall script with DSL/ADSL support # -# ~ In memory of my dear father ~ +# ~ In memory of my dear father ~ # -# (C) Copyright 2001-2006 by Arno van Amersfoort +# (C) Copyright 2001-2007 by Arno van Amersfoort # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l # (note: you must remove all spaces and substitute the @ and the . -# at the proper locations!) +# at the proper locations!) # ------------------------------------------------------------------------------------------ # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. +# version 2 as published by the Free Software Foundation. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of 
@@ -47,19 +53,13 @@ # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ------------------------------------------------------------------------------------------ +# Some predefined variables: +anyhost="0/0" +anyport="0:65535" + printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$MY_VERSION\033[0m\n" echo "-------------------------------------------------------------------------------" -# Astlinux mod: check if config file is on key disk or use default from stat -############################################################################# -if [ ! -e /tmp/etc/arno-iptables-firewall.conf ]; then -if [ -e /mnt/kd/arno-iptables-firewall.conf ]; then - ln -s /mnt/kd/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf -else - cp /stat/etc/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf -fi -fi - # Check if config file exists and if so load it ############################################### if [ -e "$CONFIG_FILE" ]; then @@ -67,8 +67,8 @@ # Check whether we also need to drop messages in a dedicated firewall log file if [ -z "$FIREWALL_LOG" ]; then FIREWALL_LOG="/dev/null"; fi else - printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m\n" - printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" + printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m\n" >&2 + printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" >&2 exit 2 fi 
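Review bot: The AstLinux config-location block (key-disk symlink or /stat/etc fallback into /tmp/etc) that revision 278 added is removed in the `@@ -47,19 +53,13 @@` hunk, while `CONFIG_FILE=/etc/arno-iptables-firewall.conf` stays, and per revision 246 that path in the target skeleton is a symlink to /tmp/etc/arno-iptables-firewall.conf. Unless that provisioning now happens in the init script or elsewhere, nothing creates the link target and the `if [ -e "$CONFIG_FILE" ]` check will exit 2 on every boot; the "version bump" log message suggests the upstream script was dropped in wholesale, so this looks unintentional. Either restore the block or add a header comment saying where the configuration is now provided.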
@@ -83,15 +83,32 @@ { # root check if [ "$(id -u)" != "0" ]; then - printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" + printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" >&2 exit 1 fi + # Check whether the iptables binary exists and if it's executable + ################################################################# + if [ ! -x $IPTABLES ]; then + printf "\033[40m\033[1;31mERROR: Binary \"$IPTABLES\" does not exist or is not executable!\033[0m\n" >&2 + printf "\033[40m\033[1;31m Please, make sure that IPTABLES is (properly) installed!\033[0m\n" >&2 + exit 13 + fi + + # Check that we have at least kernel 2.4 else generate a warning (no error as 2.2 kernels could be iptables patched) + #################################################################################################################### + KERNELMAJ=`uname -r |sed -e 's,\..*,,'` + KERNELMIN=`uname -r |sed -e 's,[^\.]*\.,,' -e 's,\..*,,'` + if [ "$KERNELMAJ" -lt 2 ] || [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ]; then + printf "\033[40m\033[1;31mWARNING: Your kernel version is older than 2.4! Your kernel probably doesn't\033[0m\n" >&2 + printf "\033[40m\033[1;31m support IPTABLES unless an IPTABLES patch is compiled in it.\033[0m\n" >&2 + fi + # Make sure EXT_IF != "" ######################## if [ -z "$EXT_IF" ]; then - printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" - printf "\033[40m\033[1;31m Please, check the configuration file.\033[0m\n" + printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" >&2 + printf "\033[40m\033[1;31m Please, check the configuration file.\033[0m\n" >&2 exit 2 fi 
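Review bot: `if [ ! -x $IPTABLES ]; then` leaves `$IPTABLES` unquoted, so when the variable is empty or unset the test degenerates to `[ ! -x ]`, which is false, and the "does not exist or is not executable" error never fires; quote it, `if [ ! -x "$IPTABLES" ]; then`. The kernel-version check builds `KERNELMAJ`/`KERNELMIN` with sed and then uses `-lt`/`-eq`, which makes `test` print an error on any release string that does not start with digits; a comment stating the expected `uname -r` shape would at least document the assumption. The enclosing function's name line lies before the hunk.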
@@ -163,8 +180,8 @@ for eif in $EXT_IF; do for iif in $INT_IF; do if [ "$iif" = "$eif" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" - printf "\033[40m\033[1;31m INT_IF! Please, check the configuration file.\033[0m\n" + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" >&2 + printf "\033[40m\033[1;31m INT_IF! Please, check the configuration file.\033[0m\n" >&2 exit 3 fi done @@ -174,8 +191,8 @@ ############################## for eif in $EXT_IF; do if [ "$eif" = "$MODEM_IF" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as the\033[0m\n" - printf "\033[40m\033[1;31m MODEM_IF! Please, check the configuration file.\033[0m\n" + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as the\033[0m\n" >&2 + printf "\033[40m\033[1;31m MODEM_IF! Please, check the configuration file.\033[0m\n" >&2 exit 4 fi done @@ -185,8 +202,8 @@ if [ -n "$MODEM_IF" ]; then for iif in $INT_IF; do if [ "$iif" = "$MODEM_IF" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in INT_IF is the same as the one in\033[0m\n" - printf "\033[40m\033[1;31m MODEM_IF! Please, check the configuration file.\033[0m\n" + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in INT_IF is the same as the one in\033[0m\n" >&2 + printf "\033[40m\033[1;31m MODEM_IF! Please, check the configuration file.\033[0m\n" >&2 exit 5 fi done 
@@ -196,8 +213,8 @@ #################################### for eif in $EXT_IF; do if [ "$eif" = "lo" ] || [ "$eif" = "127.0.0.1" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" - printf "\033[40m\033[1;31m local loopback device! Please, check the configuration file.\033[0m\n" + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" >&2 + printf "\033[40m\033[1;31m local loopback device! Please, check the configuration file.\033[0m\n" >&2 exit 6 fi done @@ -206,8 +223,8 @@ #################################### for iif in $INT_IF; do if [ "$iif" = "lo" ] || [ "$iif" = "127.0.0.1" ]; then - printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" - printf "\033[40m\033[1;31m name of the local loopback device! Please, check the configuration file.\033[0m\n" + printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" >&2 + printf "\033[40m\033[1;31m name of the local loopback device! Please, check the configuration file.\033[0m\n" >&2 exit 7 fi done 
@@ -215,40 +232,31 @@ # Make sure MODEM_IF != lo / 127.0.0.1 ###################################### if [ "$MODEM_IF" = "lo" ] || [ "$MODEM_IF" = "127.0.0.1" ]; then - printf "\033[40m\033[1;31mERROR: The interface specified in MODEM_IF has the address or name of the local\033[0m\n" - printf "\033[40m\033[1;31m loopback device! Please, check the configuration file.\033[0m\n" + printf "\033[40m\033[1;31mERROR: The interface specified in MODEM_IF has the address or name of the local\033[0m\n" >&2 + printf "\033[40m\033[1;31m loopback device! Please, check the configuration file.\033[0m\n" >&2 exit 8 fi - # Make sure than when multi route masquerade is enabled, multiple external - # interfaces exist - ########################################################################## - if [ "$MASQ_MULTI_ROUTE" = "1" ] && [ -z "$(echo $EXT_IF |grep ' ')" ]; then - printf "\033[40m\033[1;31mERROR: Multiroute masquerade is enabled but only one external interface is\033[0m\n" - printf "\033[40m\033[1;31m specified! Please, check the configuration file.\033[0m\n" - exit 9 - fi - # If support for an DHCP server serving an external net is enabled, we # also need to know what the external net is. 
########################################################################## if [ "$EXTERNAL_DHCP_SERVER" = "1" ] && [ -z "$EXTERNAL_NET" ]; then - printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" - printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" + printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" >&2 + printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2 exit 10 fi # We can only perform NAT if NAT_INTERNAL_NET is defined if [ "$NAT" = "1" ] && [ -z "$NAT_INTERNAL_NET" ]; then - printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n" + printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n" >&2 exit 11 fi # If support the nmb_broadcast_fix is enabled we need the EXTERNAL_NET set ########################################################################## if [ "$NMB_BROADCAST_FIX" = "1" ] && [ -z "$EXTERNAL_NET" ]; then - printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" - printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" + printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" >&2 + printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" >&2 exit 12 fi 
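Review bot: The sanity check that refused `MASQ_MULTI_ROUTE=1` with a single interface in `EXT_IF` (exit 9) is dropped in the `@@ -215,40 +232,31 @@` hunk with no replacement; if later code still honours MASQ_MULTI_ROUTE, a mis-set configuration now prints `Sanity checks passed...OK` and fails further down instead. Confirm the option was removed upstream in 1.8.8i, or keep the check. Exit code 9 is now unused, which is harmless but worth a comment if the codes are documented anywhere.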
@@ -256,36 +264,12 @@ ########################################################################## if [ -n "$BROADCAST_TCP_NOLOG" ] || [ -n "$BROADCAST_UDP_NOLOG" ]; then if [ -z "$EXTERNAL_NET" ]; then - printf "\033[40m\033[1;31mWARNING: You are using the BROADCAST_xxx_NOLOG variables but the EXTERNAL_NET\033[0m\n" - printf "\033[40m\033[1;31m has NOT been defined! This could be a problem.\033[0m\n" + printf "\033[40m\033[1;31mWARNING: You are using the BROADCAST_xxx_NOLOG variables but the EXTERNAL_NET\033[0m\n" >&2 + printf "\033[40m\033[1;31m has NOT been defined! This could be a problem.\033[0m\n" >&2 fi fi - # Check whether the iptables binary exists and if it's executable - ################################################################# - if [ ! -x $IPTABLES ]; then - printf "\033[40m\033[1;31mERROR: Binary \"$IPTABLES\" does not exist or is not executable!\033[0m\n" - printf "\033[40m\033[1;31m Please, make sure that IPTABLES is (properly) installed!\033[0m\n" - exit 13 - fi - # Check that we have at least kernel 2.4 else generate a warning (no error as 2.2 kernels could be iptables patched) - #################################################################################################################### - KERNELMAJ=`uname -r |sed -e 's,\..*,,'` - KERNELMIN=`uname -r |sed -e 's,[^\.]*\.,,' -e 's,\..*,,'` - if [ "$KERNELMAJ" -lt 2 ] || [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ]; then - printf "\033[40m\033[1;31mWARNING: Your kernel version is older than 2.4! Your kernel probably doesn't\033[0m\n" - printf "\033[40m\033[1;31m support IPTABLES unless an IPTABLES patch is compiled in it.\033[0m\n" - fi - - # Check whether IPCHAINS is active else IPTABLES won't work (RedHat <7.2 for example) - ########################################################################################### - if /sbin/lsmod 2>/dev/null |grep -q ipchains; then - printf "\033[40m\033[1;31mERROR: Found IPCHAINS module loaded in the kernel. 
Unable to load IPTABLES module because of this!\033[0m\n" - printf "\033[40m\033[1;31m Please, use \"rmmod ipchains\" (as root) to remove the IPCHAINS module and then run this script again.\033[0m\n" - exit 14 - fi - # Passed all sanity checks :-) ############################## echo "Sanity checks passed...OK" 
@@ -293,48 +277,76 @@ # Helper function to load a module +################################## module_probe() { - if [ -x /sbin/modprobe ]; then - result=`/sbin/modprobe $1 2>&1` - else - # Let the path figure it out - result=`modprobe $1 2>&1` - fi + # Module support available? + if [ -e /proc/modules ]; then + if [ -x /sbin/modprobe ]; then + result=`/sbin/modprobe $* 2>&1` + return_val=$? + else + # Let the path figure it out + result=`modprobe $* 2>&1` + return_val=$? + fi - if [ "$?" != "0" ]; then - printf "\033[40m\033[1;31m$result\033[0m\n" # Show any (error) messages generated by modprobe in red + if [ "$return_val" != "0" ]; then + if [ -z "$(echo "$result" |grep -e '^FATAL: Module .* not found')" ] ; then + # Show any (error) messages in red + printf "\033[40m\033[1;31mmodprobe $*: $result\033[0m\n" >&2 + else + if [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then + echo "NOTE: Module \"$1\" not found. Assuming it is compiled in the kernel" + fi + fi + else + if [ -n "$(echo "$result" |grep -e '^WARNING:')" ]; then + # Show any (warning) messages in red + printf "\033[40m\033[1;31mmodprobe $*: $result\033[0m\n" >&2 + else + if [ -n "$result" ]; then # If result is not empty, show it + echo "$result" + fi + fi + fi else - if [ -n "$result" ]; then # If result is not empty, show it - echo "$result" + if [ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]; then + echo "NOTE: Kernel has no module support. Assuming module \"$1\" is compiled in the kernel" fi fi + + return $return_val } load_modules() { - if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.* ]; then - echo "Detected IPTABLES module... 
Loading additional IPTABLES modules:" + echo "Checking/probing Iptables modules:" - module_probe ip_tables # Required; all ipv4 modules depend on this one - module_probe ip_conntrack # Allows connection tracking state match, which allows you to - # write rules matching the state of a connection - module_probe ip_conntrack_ftp # Permits active FTP; requires ip_conntrack + module_probe ip_tables # Required; all ipv4 modules depend on this one + module_probe ip_conntrack # Allows connection tracking state match, which allows you to + # write rules matching the state of a connection + module_probe ip_conntrack_ftp # Permits active FTP; requires ip_conntrack - module_probe ipt_conntrack # Allows tracking for various protocols, placing entries - # in the conntrack table etc. - module_probe ipt_limit # Allows log limits - module_probe ipt_state # Permits packet state checking (SYN, SYN-ACK, ACK, and so on). - module_probe ipt_multiport # Allows packet specifications on multiple ports + module_probe ipt_conntrack # Allows tracking for various protocols, placing entries + # in the conntrack table etc. + module_probe ipt_limit # Allows log limits + module_probe ipt_state # Permits packet state checking (SYN, SYN-ACK, ACK, and so on). 
+ module_probe ipt_multiport # Allows packet specifications on multiple ports - module_probe iptable_filter # Implements the filter table - module_probe iptable_nat # Implements the nat table + module_probe iptable_filter # Implements the filter table + module_probe iptable_mangle # Implements the mangle table + module_probe iptable_nat # Implements the nat table - if [ -n "$MAC_ADDRESS_FILE" ]; then - module_probe ipt_mac # Allows specifying MAC address - fi + # Explicitely load some targets + module_probe ipt_REJECT # Implements the REJECT target + module_probe ipt_LOG # Implements the LOG target + if [ -n "$MAC_ADDRESS_FILE" ]; then + module_probe ipt_mac # Allows specifying MAC address + fi + # (Currently) unused modules: # module_probe ipt_iprange # Allows to use IP ranges in rules # module_probe ipt_addrtype # Allows matching src/dst address type (BROKEN!) 
@@ -345,44 +357,41 @@ # module_probe ipt_mark # Allows use of mark match # module_probe ip_conntrack_egg - if [ "$USE_IRC" = "1" ]; then + if [ "$USE_IRC" = "1" ]; then # echo "Enabling IRC DCC module support..." - module_probe ip_conntrack_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001 + module_probe ip_conntrack_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001 - if [ "$NAT" = "1" ]; then - module_probe ip_nat_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001 - fi + if [ "$NAT" = "1" ]; then + module_probe ip_nat_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001 fi + fi - if [ "$SET_MSS" != "0" ]; then - module_probe ipt_tcpmss # Permits TCPMSS checking on a packet - fi + if [ "$SET_MSS" != "0" ]; then +# module_probe ipt_tcpmss # Enable TCPMSS checking on a packet + module_probe ipt_TCPMSS # Load the TCPMSS target + fi - if [ "$NAT" = "1" ]; then - module_probe iptable_nat # Implements nat table - module_probe ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack, iptables_nat - fi + if [ "$NAT" = "1" ]; then +# module_probe iptable_nat # Implements nat table + module_probe ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack, iptables_nat + module_probe ipt_MASQUERADE # Implements the MASQUERADE target + fi - if [ "$MANGLE_TOS" != "0" ] || [ "$PACKET_TTL" = "1" ] || [ "$TTL_INC" = "1" ]; then - module_probe iptable_mangle # Implements the mangle table - fi + if [ "$MANGLE_TOS" != "0" ]; then +# module_probe ipt_tos # Enable TOS checking on a packet + module_probe ipt_TOS # Load the TOS target + fi - if [ "$MANGLE_TOS" != "0" ]; then - module_probe ipt_tos # Permits TOS checking on a packet - fi + if [ "$PACKET_TTL" = "1" ] || [ "$TTL_INC" = "1" ]; then +# module_probe ipt_ttl # Enable TTL checking on a packet + module_probe ipt_TTL # Load the TTL target + fi - if [ "$PACKET_TTL" = "1" ] || [ "$TTL_INC" = "1" ]; then - module_probe ipt_ttl # Enable ttl manipulation - fi +# if [ 
"$TRAFFIC_SHAPING" = "1" ]; then +# module_probe ipt_length +# fi -# if [ "$TRAFFIC_SHAPING" = "1" ]; then -# module_probe ipt_length -# fi - - echo "All IPTABLES modules loaded!" - else - echo "No module found for IPTABLES, assuming ALL modules are compiled in the kernel." - fi + echo " Module check done..." } @@ -406,17 +415,17 @@ ###################################################################### if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then if [ "$RP_FILTER" = "1" ]; then - echo " Enabling anti-spoof with rp_filter." + echo " Enabling anti-spoof with rp_filter" else - echo " Disabling anti-spoof with rp_filter." + echo " Disabling anti-spoof with rp_filter" fi for i in /proc/sys/net/ipv4/conf/*/rp_filter; do # if [ "$i" = "/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter" ] || [ "$RP_FILTER" != "0" ]; then if [ "$RP_FILTER" = "1" ]; then - echo "1" > $i + echo 1 > $i else - echo "0" > $i + echo 0 > $i fi done fi 
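Review bot: In `module_probe`, `return_val` is only assigned inside the `[ -e /proc/modules ]` branch, so on a kernel without module support `return $return_val` expands to a bare `return` and the function's status is whatever the preceding `[ "$COMPILED_IN_KERNEL_MESSAGES" != "0" ]` or `echo` returned; initialise it at the top of the function, `return_val=0`. Separately, `printf "\033[40m\033[1;31mmodprobe $*: $result\033[0m\n" >&2` interpolates modprobe's output into the printf format string, so a `%` in the message is taken as a conversion; pass it as an argument, `printf "\033[40m\033[1;31mmodprobe %s: %s\033[0m\n" "$*" "$result" >&2` (the same pattern appears twice in the function). The `'^FATAL: Module .* not found'` match ties the compiled-in heuristic to one modprobe implementation's wording; a comment recording that assumption would help the next maintainer. `load_modules` in the same hunk ends at `echo " Module check done..."`.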
@@ -425,41 +434,41 @@ ############################### if [ "$ECHO_IGNORE" = "1" ]; then echo " Blocking all ICMP echo-requests" - echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all + echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all else - echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all + echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all fi # Add synflood protection? ########################## if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then if [ "$SYN_PROT" != 0 ]; then - echo " Enabling SYN-flood protection via SYN-cookies." - echo "1" > /proc/sys/net/ipv4/tcp_syncookies + echo " Enabling SYN-flood protection via SYN-cookies" + echo 1 > /proc/sys/net/ipv4/tcp_syncookies else - echo " Disabling SYN-flood protection via SYN-cookies." - echo "0" > /proc/sys/net/ipv4/tcp_syncookies + echo " Disabling SYN-flood protection via SYN-cookies" + echo 0 > /proc/sys/net/ipv4/tcp_syncookies fi fi # Log martians? ############### if [ "$LOG_MARTIANS" = "1" ]; then - echo " Enabling the logging of martians." - echo "1" > /proc/sys/net/ipv4/conf/all/log_martians + echo " Enabling the logging of martians" + echo 1 > /proc/sys/net/ipv4/conf/all/log_martians else - echo " Disabling the logging of martians." - echo "0" > /proc/sys/net/ipv4/conf/all/log_martians + echo " Disabling the logging of martians" + echo 0 > /proc/sys/net/ipv4/conf/all/log_martians fi # Accept ICMP redirect messages? ################################ if [ "$ICMP_REDIRECT" = "1" ]; then - echo " Enabling the acception of ICMP-redirect messages." - echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects + echo " Enabling the acception of ICMP-redirect messages" + echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects else - echo " Disabling the acception of ICMP-redirect messages." - echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects + echo " Disabling the acception of ICMP-redirect messages" + echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects fi # Set the maximum number of connections to track. 
@@ -468,29 +477,29 @@ ####################################################################################### if [ ! -f /proc/sys/net/ipv4/ip_conntrack_max ] && [ ! -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ] \ && [ -n "$CONNTRACK" ]; then - printf "\033[40m\033[1;31m WARNING: /proc/../ip_conntrack_max was NOT found. This may be a problem!\033[0m\n" + printf "\033[40m\033[1;31m WARNING: /proc/../ip_conntrack_max was NOT found. This may be a problem!\033[0m\n" >&2 else if [ -n "$CONNTRACK" ]; then - echo " Setting the max. amount of simultaneous connections to $CONNTRACK." + echo " Setting the max. amount of simultaneous connections to $CONNTRACK" else - echo " Setting the max. amount of simultaneous connections to 4096 (default)." + echo " Setting the max. amount of simultaneous connections to 4096 (default)" fi # Default location for ip_conntrack_max if [ -f /proc/sys/net/ipv4/ip_conntrack_max ]; then if [ -n "$CONNTRACK" ]; then - echo "$CONNTRACK" > /proc/sys/net/ipv4/ip_conntrack_max + echo $CONNTRACK > /proc/sys/net/ipv4/ip_conntrack_max else - echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max + echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max fi fi # Alternate location for ip_conntrack_max if [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then if [ -n "$CONNTRACK" ]; then - echo "$CONNTRACK" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max + echo $CONNTRACK > /proc/sys/net/ipv4/netfilter/ip_conntrack_max else - echo "4096" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max + echo 4096 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max fi fi fi @@ -499,7 +508,7 @@ ############################ if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do - echo "0" > $interface + echo 0 > $interface done fi 
@@ -510,33 +519,33 @@
 # network. Source routing is rarely used for legitimate purposes.
 ###################################################################################
 if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then
- echo " DISABLING protection against source routed packets."
+ echo " DISABLING protection against source routed packets"
 for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do
- echo "1" > $interface
+ echo 1 > $interface
 done
 else
- echo " Enabling protection against source routed packets."
+ echo " Enabling protection against source routed packets"
 for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do
- echo "0" > $interface
+ echo 0 > $interface
 done
 fi
 
 # ICMP Broadcasting protection (smurf amplifier protection)
 ###########################################################
 if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
- echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 fi
 
 # ICMP Dead Error Messages protection
 #####################################
 if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
- echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 fi
 
 # Enable automatic IP defragmenting (is obsolete for 2.4 kernels, but still used for 2.2 legacy support)
 ########################################################################################################
 if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
- echo "1" > /proc/sys/net/ipv4/ip_always_defrag
+ echo 1 > /proc/sys/net/ipv4/ip_always_defrag
 fi
 
 # LooseUDP patch is required by some internet-based games
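Review bot: The `SOURCE_ROUTE_PROTECTION=0` branch turns on `accept_source_route` on every interface, external ones included, yet announces it with a plain `echo` to stdout, while this same commit is moving the script's warnings to stderr with the red `printf ... >&2` form. This is the one setting in the hunk that weakens the host's posture rather than tightening it, so it deserves the same visibility: `printf "\033[40m\033[1;31m WARNING: accepting source routed packets on ALL interfaces!\033[0m\n" >&2` in place of the echo. The smurf, bogus-error and defrag writes below it only lose their quotes and are otherwise unchanged.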
@@ -548,15 +557,15 @@
 #############################################################################
 if [ "$LOOSE_UDP_PATCH" = "1" ]; then
 if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then
- echo " Enabling the LOOSE_UDP_PATCH (required for some internet games, but less secure!)."
- echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
+ echo " Enabling the LOOSE_UDP_PATCH (required for some internet games, but less secure!)"
+ echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose
 else
- printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_masq_udp_dloose does not exist!\033[0m\n"
+ printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_masq_udp_dloose does not exist!\033[0m\n" >&2
 fi
 else
 if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then
- echo " Disabling the LOOSE_UDP_PATCH (more secure)."
- echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose
+ echo " Disabling the LOOSE_UDP_PATCH (more secure)"
+ echo 0 > /proc/sys/net/ipv4/ip_masq_udp_dloose
 fi
 fi
 
@@ -564,48 +573,59 @@ #################################################### if [ "$IP_FORWARDING" != "0" ]; then if [ -e /proc/sys/net/ipv4/ip_forward ]; then - echo "1" > /proc/sys/net/ipv4/ip_forward + echo 1 > /proc/sys/net/ipv4/ip_forward else - printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_forward does not exist! If you're using\033[0m\n" - printf "\033[40m\033[1;31m NAT or any other type of forwarding this may be a problem.\033[0m\n" + printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_forward does not exist! If you're using\033[0m\n" >&2 + printf "\033[40m\033[1;31m NAT or any other type of forwarding this may be a problem.\033[0m\n" >&2 fi else if [ -e /proc/sys/net/ipv4/ip_forward ]; then - echo "0" > /proc/sys/net/ipv4/ip_forward + echo 0 > /proc/sys/net/ipv4/ip_forward fi fi # Change some default timings to fix false logs generated by "lost connections" + # Defaults: + # echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout + # echo "180" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream + # echo 10 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close + # echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans + # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait + # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack + # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait + # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait + # echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv + # echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent + # echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout + # echo 1200 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout ############################################################################### - echo " Setting default conntrack timeouts." 
- echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout - echo "180" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream -# echo 10 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close -# echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans -# echo 600 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout -# echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout -# echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait -# echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack -# echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait -# echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait -# echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv -# echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent + echo " Setting default conntrack timeouts" + # This is to fix issue's with DNS: + ################################## + echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout + echo 180 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream + # Enable some general settings + ############################## + echo 1 > /proc/sys/net/ipv4/tcp_window_scaling +# echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog + # Reduce DoS'ing ability by reducing timeouts - # Defaults: - # echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout - # echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time - # echo 1 > /proc/sys/net/ipv4/tcp_window_scaling - # echo 1 > /proc/sys/net/ipv4/tcp_sack ############################################################# if [ "$REDUCE_DOS_ABILITY" = "1" ]; then - echo " Enabling reduction of the DoS'ing ability." 
+ echo " Enabling reduction of the DoS'ing ability" - echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout - echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time - echo "0" > /proc/sys/net/ipv4/tcp_window_scaling - echo "0" > /proc/sys/net/ipv4/tcp_sack +# echo 0 > /proc/sys/net/ipv4/tcp_sack + echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout + echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time + else + echo " Disabling reduction of the DoS'ing ability" + + # Defaults: +# echo 1 > /proc/sys/net/ipv4/tcp_sack + echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout + echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time fi # Set out local port range. Kernel default = "1024 4999" 
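Review bot: The new unconditional writes `echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout` and `echo 180 > .../ip_conntrack_udp_timeout_stream` assume the `netfilter/` sysctl location, while the conntrack-max code earlier in this diff deliberately probes both `/proc/sys/net/ipv4/ip_conntrack_max` and `/proc/sys/net/ipv4/netfilter/ip_conntrack_max` because the path varies between kernels. On a kernel that uses the other location these two echos fail (and may abort the run, depending on the caller's shell options). I would guard them the same way: `if [ -e /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout ]; then echo 60 > ...; echo 180 > ...; fi`. Separately, the new `else` branch now writes hard-coded "defaults" (`tcp_fin_timeout=60`, `tcp_keepalive_time=7200`) that overwrite whatever an administrator set via sysctl, which the removed code did not do; if that is intended, a comment saying these are assumed kernel defaults would stop someone "fixing" it later.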
@@ -625,42 +645,42 @@ ########################################################################################### if [ -n "$DEFAULT_TTL" ]; then if [ ! -e /proc/sys/net/ipv4/ip_default_ttl ]; then - printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_default_ttl does not exist!\033[0m\n" + printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_default_ttl does not exist!\033[0m\n" >&2 else if [ $DEFAULT_TTL -gt 9 ] && [ $DEFAULT_TTL -lt 256 ]; then echo " Setting Default TTL=$DEFAULT_TTL" - echo "$DEFAULT_TTL" > /proc/sys/net/ipv4/ip_default_ttl + echo $DEFAULT_TTL > /proc/sys/net/ipv4/ip_default_ttl else - printf "\033[40m\033[1;31m WARNING: Ingoring invalid value for DEFAULT_TTL ($DEFAULT_TTL), it should be between 10 and 255!\033[0m\n" + printf "\033[40m\033[1;31m WARNING: Ingoring invalid value for DEFAULT_TTL ($DEFAULT_TTL), it should be between 10 and 255!\033[0m\n" >&2 fi fi else # If no Variable is set... if [ -e /proc/sys/net/ipv4/ip_default_ttl ]; then echo " Setting default TTL to 64" - echo "64" > /proc/sys/net/ipv4/ip_default_ttl + echo 64 > /proc/sys/net/ipv4/ip_default_ttl fi fi # Increase the default queuelength. (Kernel Default: 1024) ########################################################## - if [ -e /proc/sys/net/ipv4/ipv4/ip_queue_maxlen ]; then - echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen + if [ -e /proc/sys/net/ipv4/ip_queue_maxlen ]; then + echo 2048 > /proc/sys/net/ipv4/ip_queue_maxlen fi # Enable ECN? (Explicit Congestion Notification) ################################################ if [ "$ECN" = "1" ]; then if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then - echo " Enabling ECN (Explicit Congestion Notification)." 
- echo "1" > /proc/sys/net/ipv4/tcp_ecn + echo " Enabling ECN (Explicit Congestion Notification)" + echo 1 > /proc/sys/net/ipv4/tcp_ecn else - printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/tcp_ecn does not exist!\033[0m\n" + printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/tcp_ecn does not exist!\033[0m\n" >&2 fi else if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then - echo " Disabling ECN (Explicit Congestion Notification)." - echo "0" > /proc/sys/net/ipv4/tcp_ecn + echo " Disabling ECN (Explicit Congestion Notification)" + echo 0 > /proc/sys/net/ipv4/tcp_ecn fi fi @@ -669,27 +689,30 @@ ###################################################### if [ "$EXT_IF_DHCP_IP" = "1" ]; then echo " Enabling support for dynamic IP's" - echo "1" > /proc/sys/net/ipv4/ip_dynaddr + echo 1 > /proc/sys/net/ipv4/ip_dynaddr else - echo "0" > /proc/sys/net/ipv4/ip_dynaddr + echo 0 > /proc/sys/net/ipv4/ip_dynaddr fi # In most cases pmtu discovery is ok, but in some rare cases (when having problems) # you might want to disable it. if [ "$NO_PMTU_DISCOVERY" = "1" ]; then echo " Disabling PMTU discovery" - echo "1" > /proc/sys/net/ipv4/ip_no_pmtu_disc + echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc else - echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc + echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc fi - echo "/proc/ setup done..." + echo " Flushing route table" + echo 1 >/proc/sys/net/ipv4/route/flush + + echo " /proc/ setup done..." } setup_filter_table() { - echo "Flushing rules in the filter table." + echo "Flushing rules in the filter table" # Attempt to flush all rules in filter table ############################################ 
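Review bot: Correcting the `/proc/sys/net/ipv4/ipv4/ip_queue_maxlen` path means `echo 2048 > /proc/sys/net/ipv4/ip_queue_maxlen` executes for the first time on kernels that expose that file, so this is a behaviour change rather than a cosmetic fix and it deserves mention in the log message. A comment on the `if` would help the next reader: `# Path was misspelled (ipv4/ipv4) before this change, so the 2048 value was never applied`. The TTL warning in the same hunk still reads "Ingoring"; `printf "... WARNING: Ignoring invalid value for DEFAULT_TTL ($DEFAULT_TTL), it should be between 10 and 255!\033[0m\n" >&2` would fix the typo while the line is being touched.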
@@ -714,7 +737,7 @@
 ##############################################################################
 $IPTABLES -N MAC_FILTER
 
- echo "Setting default (secure) policies."
+ echo "Setting default (secure) policies"
 # Set standard policies for the built-in tables (drop = very secure)
 ####################################################################
 $IPTABLES -P INPUT DROP
@@ -734,97 +757,75 @@ } -# Helper function to split get hostname(s) from variable +# Helper function to get hostname(s) from variable get_dhost() { # Get variable from stdin read hosts_ports - if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then - echo "$hosts_ports" + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then + echo "$CHK_HOST" + return 0 + else + echo "0/0" return 1 - else - CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" - # IP or hostname? - if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]' )" ]; then - echo "$CHK_HOST" - else - echo "0/0" - fi fi - - return 0 } -# Helper function to split get port(s) from variable +# Helper function to get port(s) from variable get_dport() { # Get variable from stdin read hosts_ports - if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then - printf "" + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then + echo "$hosts_ports" |sed -e s!"^$CHK_HOST:"!! -e s!"^$CHK_HOST"!! -e s!'-'!':'!g return 1 else - CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" - # IP or hostname? - if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then - hostname="$CHK_HOST" - echo "$(echo "$hosts_ports" |sed s/"^$hostname:"// |sed s/'-'/':'/g)" - else - echo "$(echo "$hosts_ports" |sed s/'-'/':'/g)" - fi + echo "$hosts_ports" |sed s!'-'!':'!g + return 0 fi - - return 0 } -# Helper function to split get hostname(s) from variable +# Helper function to get hostname(s) from variable get_shost() { # Get variable from stdin read hosts_ports - if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' 
-e '[a-z]')" ]; then + echo "$CHK_HOST" + return 0 + else echo "0/0" return 1 - else - CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" - # IP or hostname? - if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then - echo "$CHK_HOST" - else - echo "0/0" - fi fi - - return 0 } -# Helper function to split get port(s) from variable +# Helper function to get port(s) from variable get_sport() { # Get variable from stdin read hosts_ports - if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then - echo "$hosts_ports" |sed s/'-'/':'/g + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then + echo "$hosts_ports" |sed -e s!"^$CHK_HOST:"!! -e s!"^$CHK_HOST"!! -e s!'-'!':'!g return 1 else - CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" - # IP or hostname? - if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then - hostname="$CHK_HOST" - echo "$(echo "$hosts_ports" |sed s/"^$hostname:"// |sed s/'-'/':'/g)" - else - echo "$(echo "$hosts_ports" |sed s/'-'/':'/g)" - fi + echo "$hosts_ports" |sed s!'-'!':'!g + return 0 fi - - return 0 } @@ -853,7 +854,7 @@ ## Log scanning of nmap etc. ############################ if [ "$SCAN_LOG" != "0" ]; then - echo "Logging of stealth scans (nmap probes etc.) enabled." + echo "Logging of stealth scans (nmap probes etc.) enabled" # (NMAP) FIN/URG/PSH #################### @@ -891,7 +892,7 @@ -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Null scan: " else - echo "Logging of stealth scans (nmap probes etc.) disabled." + echo "Logging of stealth scans (nmap probes etc.) disabled" fi # Drop (NMAP) scan packets: 
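Review bot: The rewritten helpers disagree on what their exit status means: `get_dhost`/`get_shost` return 0 when a host part was found, but `get_dport`/`get_sport` return 1 in exactly that case and 0 when only ports were given. None of the visible callers test the status (they only capture stdout), but a future `if echo "$x" | get_dport; then` will be wrong for half of the helpers; I would make all four return 0 on the host-present branch. Also, `$CHK_HOST` is interpolated unescaped into the sed pattern `s!"^$CHK_HOST:"!!`, so a `!` in the host string breaks the delimiter and regex metacharacters are interpreted; a parameter-expansion strip such as `echo "${hosts_ports#$CHK_HOST}" | sed -e 's!^:!!' -e 's!-!:!g'` avoids the regex problem entirely.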
@@ -928,14 +929,14 @@ # Log packets with bad flags? ############################# if [ "$BAD_FLAGS_LOG" != "0" ]; then - echo "Logging of packets with bad TCP-flags enabled." + echo "Logging of packets with bad TCP-flags enabled" $IPTABLES -A VALID_CHK -p tcp --tcp-option 64 \ -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Bad TCP flag(64): " $IPTABLES -A VALID_CHK -p tcp --tcp-option 128 \ -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Bad TCP flag(128): " else - echo "Logging of packets with bad TCP-flags disabled." + echo "Logging of packets with bad TCP-flags disabled" fi # Drop packets with bad tcp flags 
@@ -946,58 +947,52 @@ # These packets are normally from "lost connection" and thus can generate false alarms # So we might want to ignore such packets ###################################################################################### - if [ "$LOST_CONNECTION_LOG" != "1" ]; then - $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -j DROP - $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP - $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP - $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,FIN -j DROP - $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,RST -j DROP - $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j DROP +# if [ "$LOST_CONNECTION_LOG" != "1" ]; then +# $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -j DROP +# $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP +# $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP +# $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,FIN -j DROP +# $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,RST -j DROP +# $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j DROP +# fi + + # Here we add some protection from random packets we receive, such as random sweeps from other + # (possible) hacked computers, or just packets who are invalid, not belonging to ANY connection + ############################################################################################### + if [ "$INVALID_TCP_LOG" = "1" ]; then + echo "Logging of INVALID TCP packets enabled" + + $IPTABLES -A VALID_CHK -p tcp -m state --state INVALID \ + -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID TCP: " + else + echo "Logging of INVALID TCP packets disabled" fi - # Logging of possible stealth scans - ################################### - if [ "$POSSIBLE_SCAN_LOG" = "1" ]; then - echo "Logging of possible stealth scans enabled." 
- if [ "$UNPRIV_TCP_LOG" != "0" ]; then - $IPTABLES -A VALID_CHK -p tcp ! --syn --dport 1024: \ - -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth scan (UNPRIV)?: " - fi + if [ "$INVALID_UDP_LOG" = "1" ]; then + echo "Logging of INVALID UDP packets enabled" - if [ "$PRIV_TCP_LOG" != "0" ]; then - $IPTABLES -A VALID_CHK -p tcp ! --syn --dport :1023 \ - -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth scan (PRIV)?: " - fi + $IPTABLES -A VALID_CHK -p tcp -m state --state INVALID \ + -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID UDP: " else - echo "Logging of possible stealth scans disabled." + echo "Logging of INVALID UDP packets disabled" fi - # Possible stealth scan drop (we don't like "new"-packets which don't have SYN-only set) - ######################################################################################## - $IPTABLES -A VALID_CHK -p tcp ! --syn -j DROP + if [ "$INVALID_ICMP_LOG" = "1" ]; then + echo "Logging of INVALID ICMP packets enabled" - # Here we add some protection from random packets we receive, such as random sweeps from other - # (possible) hacked computers, or just packets who are invalid, not belonging to ANY connection - ############################################################################################### - if [ "$INVALID_PACKET_LOG" != "0" ]; then - echo "Logging of INVALID packets enabled." 
- # Only log INVALID ICMP-request packets when we also want to log "normal" ICMP-request packets if [ "$ICMP_REQUEST_LOG" != "0" ]; then $IPTABLES -A VALID_CHK -p icmp --icmp-type echo-request -m state --state INVALID \ - -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID packet: " + -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID ICMP-request: " fi # Only log INVALID ICMP-other packets when we also want to log "normal" ICMP-other packets if [ "$ICMP_OTHER_LOG" != "0" ]; then $IPTABLES -A VALID_CHK -p icmp ! --icmp-type echo-request -m state --state INVALID \ - -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID packet: " + -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID ICMP-other: " fi - - $IPTABLES -A VALID_CHK -p ! icmp -m state --state INVALID \ - -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID packet: " else - echo "Logging of INVALID packets disabled." + echo "Logging of INVALID ICMP packets disabled" fi # Drop invalid packets @@ -1007,10 +1002,10 @@ ## Log fragmented packets ######################### if [ "$FRAG_LOG" = "1" ]; then - echo "Logging of fragmented packets enabled." + echo "Logging of fragmented packets enabled" $IPTABLES -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-prefix "Fragmented packet: " else - echo "Logging of fragmented packets disabled." + echo "Logging of fragmented packets disabled" fi # Drop fragmented packets @@ -1030,7 +1025,7 @@ # Log access from reserved addresses #################################### if [ "$RESERVED_NET_LOG" != "0" ]; then - echo "Logging of access from reserved addresses enabled." + echo "Logging of access from reserved addresses enabled" $IPTABLES -A RESERVED_NET_CHK -s 10.0.0.0/8 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Class A address: " 
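Review bot: The new `INVALID_UDP_LOG` rule matches `-p tcp`, so it logs INVALID TCP packets under an "INVALID UDP: " prefix and never logs a UDP packet — a copy-paste slip from the TCP block directly above it. The line should read `$IPTABLES -A VALID_CHK -p udp -m state --state INVALID \`. The hunk also deletes the `$IPTABLES -A VALID_CHK -p tcp ! --syn -j DROP` rule; if the target kernel's conntrack runs in "loose" mode, a non-SYN packet with no matching entry is classified NEW rather than INVALID, so the `--state INVALID` drop that remains may not cover what that rule did — worth confirming before shipping. With the generic `-p ! icmp --state INVALID` LOG line also removed, INVALID packets of other protocols presumably hit the drop under `# Drop invalid packets` without a log entry; if that is intended, say so in a comment there.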
@@ -1043,7 +1038,7 @@ $IPTABLES -A RESERVED_NET_CHK -s 169.254.0.0/16 \ -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Class M$ address: " else - echo "Logging of access from reserved addresses disabled." + echo "Logging of access from reserved addresses disabled" fi @@ -1065,7 +1060,7 @@ # Create new chain: $IPTABLES -N SPOOF_CHK - echo "Setting up anti-spoof rules." + echo "Setting up anti-spoof rules" # Anti-spoof protection for the internal net for net in $INTERNAL_NET; do 
@@ -1108,53 +1103,18 @@ # Create new chain: $IPTABLES -N DMZ_INPUT_CHAIN 2>/dev/null - # Adding TCP ports NOT to be firewalled - ####################################### - if [ -n "$DMZ_OPEN_TCP" ]; then - echo "Allowing DMZ hosts to connect to TCP port(s): $DMZ_OPEN_TCP" - for port in $DMZ_OPEN_TCP; do - $IPTABLES -A DMZ_INPUT_CHAIN -p tcp --syn --dport $port -j ACCEPT - done - fi - - # Adding UDP ports NOT to be firewalled - ####################################### - if [ -n "$DMZ_OPEN_UDP" ]; then - echo "Allowing DMZ hosts to connect to UDP port(s): $DMZ_OPEN_UDP" - for port in $DMZ_OPEN_UDP; do - $IPTABLES -A DMZ_INPUT_CHAIN -p udp --dport $port -j ACCEPT - done - fi - - # Adding IP protocols NOT to be firewalled - ########################################## - if [ -n "$DMZ_OPEN_IP" ]; then - echo "Allowing DMZ hosts to connect to IP protocol(s): $DMZ_OPEN_IP" - for proto in $DMZ_OPEN_IP; do - $IPTABLES -A DMZ_INPUT_CHAIN -p $proto -j ACCEPT - done - fi - - # Allow to send ICMP packets? - ############################# - if [ "$DMZ_OPEN_ICMP" = "1" ]; then - echo "Allowing DMZ hosts to send ICMP-requests(ping)." - $IPTABLES -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT - fi - # Add TCP ports to allow for certain hosts ########################################## for rule in $DMZ_HOST_OPEN_TCP; do echo "$rule" | { IFS='>' read hosts ports + echo " Allowing $hosts(DMZ) for TCP port(s): $ports" + IFS=',' - for host in $hosts; do - echo " Allowing DMZ host $host to connect to TCP port(s): $ports" - for port in $ports; do - $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p tcp --syn --dport $port -j ACCEPT + $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p tcp --dport $port -j ACCEPT done done } 
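Review bot: The per-host TCP rule loses its `--syn` match (`-p tcp --syn --dport $port` becomes `-p tcp --dport $port`), so `DMZ_INPUT_CHAIN` now accepts any TCP segment to the listed port rather than only connection-initiating SYNs. That is harmless if this chain is only ever entered for NEW-state traffic, which I cannot see from the hunk; otherwise it lets unsolicited ACK/FIN probes from the DMZ reach the port. Either restore `--syn` or record the assumption where the rule is built: `# Chain is entered for NEW packets only, so --syn is redundant here`. The same removal is repeated for `DMZ_OPEN_TCP` and the DMZ->LAN rules in later hunks, so one decision should be applied consistently.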
@@ -1167,10 +1127,10 @@ echo "$rule" | { IFS='>' read hosts ports + echo " Allowing $shosts(DMZ) for UDP port(s): $ports" + IFS=',' for host in $hosts; do - echo " Allowing DMZ host $host to connect to UDP port(s): $ports" - for port in $ports; do $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT done @@ -1179,23 +1139,16 @@ unset IFS done - # Add ICMP to allow for certain hosts - ##################################### - for host in `echo "$DMZ_HOST_OPEN_ICMP" |sed s/' '/','/g`; do - echo " Allowing DMZ host $host to send ICMP-requests(ping)." - $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p icmp --icmp-type echo-request -j ACCEPT - done - # Add IP protocols to allow for certain hosts ############################################# for rule in $DMZ_HOST_OPEN_IP; do echo "$rule" | { IFS='>' read hosts protos + echo " Allowing $hosts(DMZ) for IP protocol(s): $protos" + IFS=',' for host in $hosts; do - echo " Allowing DMZ host $host to connect to connect to IP protocol(s): $protos" - for proto in $protos; do $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p $proto -j ACCEPT done 
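Review bot: `echo " Allowing $shosts(DMZ) for UDP port(s): $ports"` references `$shosts`, but this loop reads its fields with `IFS='>' read hosts ports`, so the message prints an empty host list (or a stale value from an earlier loop); the TCP and IP-protocol loops in the neighbouring hunks correctly use `$hosts`. The line should be `echo " Allowing $hosts(DMZ) for UDP port(s): $ports"`. Minor, but this message is the only feedback an administrator gets that the rule string was parsed as intended.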
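Review bot: Deleting the `DMZ_HOST_OPEN_ICMP` loop silently stops honouring that configuration variable: a firewall.conf that still lists hosts there now gets no per-host ping allowance and no diagnostic, and only the global `DMZ_OPEN_ICMP` remains. Unless the variable is handled elsewhere (not visible in this diff), I would leave a deprecation guard where the block was: `[ -n "$DMZ_HOST_OPEN_ICMP" ] && printf "\033[40m\033[1;31m WARNING: DMZ_HOST_OPEN_ICMP is no longer supported, use DMZ_OPEN_ICMP\033[0m\n" >&2`.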
@@ -1204,8 +1157,52 @@ unset IFS done + # Adding TCP ports NOT to be firewalled + ####################################### + if [ -n "$DMZ_OPEN_TCP" ]; then + echo " Allowing TCP port(s): $DMZ_OPEN_TCP" + for port in $DMZ_OPEN_TCP; do + $IPTABLES -A DMZ_INPUT_CHAIN -p tcp --dport $port -j ACCEPT + done + fi + + # Adding UDP ports NOT to be firewalled + ####################################### + if [ -n "$DMZ_OPEN_UDP" ]; then + echo " Allowing UDP port(s): $DMZ_OPEN_UDP" + for port in $DMZ_OPEN_UDP; do + $IPTABLES -A DMZ_INPUT_CHAIN -p udp --dport $port -j ACCEPT + done + fi + + # Adding IP protocols NOT to be firewalled + ########################################## + if [ -n "$DMZ_OPEN_IP" ]; then + echo " Allowing IP protocol(s): $DMZ_OPEN_IP" + for proto in $DMZ_OPEN_IP; do + $IPTABLES -A DMZ_INPUT_CHAIN -p $proto -j ACCEPT + done + fi + + # Allow to send ICMP packets? + ############################# + if [ "$DMZ_OPEN_ICMP" != "0" ]; then + echo " Allowing ICMP-requests(ping)" + $IPTABLES -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT + fi + + # Log incoming ICMP-request packets? + #################################### + if [ "$ICMP_REQUEST_LOG" != "0" ]; then + $IPTABLES -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request \ + -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "ICMP-request: " + fi + + # Drop ICMP packets + $IPTABLES -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP + # Log everything else - $IPTABLES -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "Denied DMZ input packet: " + $IPTABLES -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "DMZ-INPUT denied: " # Everything else is denied $IPTABLES -A DMZ_INPUT_CHAIN -j DROP 
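Review bot: The ICMP test changes from `[ "$DMZ_OPEN_ICMP" = "1" ]` to `[ "$DMZ_OPEN_ICMP" != "0" ]`, which flips the default: a configuration that never sets `DMZ_OPEN_ICMP` used to have DMZ pings dropped and now has them accepted at 20/s. If "on unless explicitly disabled" is the intent it should be stated next to the variable's documentation and in the commit message; if not, restore the `= "1"` form. Also, the LOG rule that sits between the accept and the final `-j DROP` only fires when `ICMP_REQUEST_LOG != 0`, so a DMZ host probing with ping under `DMZ_OPEN_ICMP=0` leaves no trace unless that second knob is also set; a one-line comment such as `# Pings refused here are only logged when ICMP_REQUEST_LOG is set` would make the two variables read together. Moving the global `DMZ_OPEN_*` rules after the per-host ones also changes match order, which is fine for ACCEPT-only rules but worth a note since the old code had them first.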
@@ -1217,101 +1214,125 @@ ################################################## setup_dmz_lan_forward_chain() { + echo " Setting up DMZ->LAN policy:" + # Create new chain: $IPTABLES -N DMZ_LAN_FORWARD_CHAIN - # DMZ-to-LAN TCP rules + # TCP ports to ALLOW for certain DMZ hosts + ######################################### for rule in $DMZ_LAN_HOST_OPEN_TCP; do echo "$rule" | { - IFS='>' read shosts dhost_ports + IFS='>' read shosts dhosts_ports - # SRC IP specified? - if [ -z "$dhost_ports" ]; then - dhost_ports="$shosts" - shosts="0/0" + dhosts=`echo "$dhosts_ports" |get_dhost` + ports=`echo "$dhosts_ports" |get_dport` + + # DST ports specified? + if [ -z "$ports" ]; then + ports="0:65535" fi - if [ "$shosts" = "0/0" ]; then - echo " DMZ-TO-LAN: Allowing TCP port(s) $dhost_ports" - else - echo " DMZ-TO-LAN: Allowing TCP port(s) $dhost_ports for $shosts" + # SRC hosts specified? + if [ -z "$shosts" ]; then + shosts="0/0" fi - dhost=`echo "$dhost_ports" |get_dhost` - ports=`echo "$dhost_ports" |get_dport` + echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports" IFS=',' for shost in $shosts; do - for dport in $ports; do - $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --syn --dport $dport -j ACCEPT + for dhost in $dhosts; do + for port in $ports; do + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT + done done done } unset IFS done - # DMZ-to-LAN UDP rules + # UDP ports to ALLOW for certain DMZ hosts + ######################################### for rule in $DMZ_LAN_HOST_OPEN_UDP; do echo "$rule" | { - IFS='>' read shosts dhost_ports + IFS='>' read shosts dhosts_ports - # SRC IP specified? - if [ -z "$dhost_ports" ]; then - dhost_ports="$shosts" - shosts="0/0" + dhosts=`echo "$dhosts_ports" |get_dhost` + ports=`echo "$dhosts_ports" |get_dport` + + # DST ports specified? 
+ if [ -z "$ports" ]; then + ports="0:65535" fi - if [ "$shosts" = "0/0" ]; then - echo " DMZ-TO-LAN: Allowing UDP port(s) $dhost_ports" - else - echo " DMZ-TO-LAN: Allowing UDP port(s) $dhost_ports for $shosts" + # SRC hosts specified? + if [ -z "$shosts" ]; then + shosts="0/0" fi - dhost=`echo "$dhost_ports" |get_dhost` - ports=`echo "$dhost_ports" |get_dport` + echo " Allowing $shosts(DMZ) to $dhosts(LAN) for UDP port(s): $ports" IFS=',' for shost in $shosts; do - for dport in $ports; do - $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $dport -j ACCEPT + for dhost in $dhosts; do + for port in $ports; do + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT + done done done } unset IFS done - # DMZ-to-LAN IP-protocol rules + # IP protocol(s) to ALLOW for certain DMZ hosts + ############################################### for rule in $DMZ_LAN_HOST_IP_FORWARD; do echo "$rule" | { IFS='>' read shosts dhost_protos - # SRC IP specified? - if [ -z "$dhost_protos" ]; then - dhost_protos="$shosts" + dhost=`echo "$dhost_protos" |get_dhost` + protos=`echo "$dhost_protos" |get_dport` + + # SRC hosts specified? + if [ -z "$shosts" ]; then shosts="0/0" fi - if [ "$shosts" = "0/0" ]; then - echo " DMZ-TO-LAN: Allowing IP protocol(s) $dhost_protos" - else - echo " DMZ-TO-LAN: Allowing IP protocol(s) $dhost_protos for $shosts" - fi + echo " Allowing $shosts(DMZ) to $dhosts(LAN) for IP protocol(s): $protos" - dhost=`echo "$dhost_protos" |get_dhost` - protos=`echo "$dhost_protos" |get_dport` - IFS=',' for shost in $shosts; do - for proto in $protos; do - $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT + for dhost in $dhosts; do + for proto in $protos; do + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT + done done done } unset IFS done + # Allow ICMP-requests(ping) for DMZ->LAN? 
+ ########################################## + if [ "$DMZ_LAN_OPEN_ICMP" = "1" ]; then + echo " Allowing ICMP-requests(ping)" + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \ + -m limit --limit 20/second --limit-burst 100 -j ACCEPT + fi + + # Log incoming ICMP-request packets? + #################################### + if [ "$ICMP_REQUEST_LOG" != "0" ]; then + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \ + -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "ICMP-request: " + fi + + # Drop ICMP packets + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP + # Log everything else - $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGL... [truncated message content] |
From: <dha...@us...> - 2008-02-17 07:28:35
Revision: 1586 http://astlinux.svn.sourceforge.net/astlinux/?rev=1586&view=rev Author: dhartman Date: 2008-02-16 23:28:34 -0800 (Sat, 16 Feb 2008) Log Message: ----------- arno fw fixes Modified Paths: -------------- trunk/package/arno-fw/arnofw.mk trunk/package/arno-fw/arnofw.wrapper Removed Paths: ------------- trunk/package/arno-fw/arno-iptables-firewall trunk/package/arno-fw/arno-iptables-firewall.conf Deleted: trunk/package/arno-fw/arno-iptables-firewall =================================================================== Deleted: trunk/package/arno-fw/arno-iptables-firewall.conf =================================================================== Modified: trunk/package/arno-fw/arnofw.mk =================================================================== --- trunk/package/arno-fw/arnofw.mk 2008-02-15 19:20:31 UTC (rev 1585) +++ trunk/package/arno-fw/arnofw.mk 2008-02-17 07:28:34 UTC (rev 1586) @@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER:=1.8.8l +ARNOFW_VER:=1.8.8m ARNOFW_ROOT:=arno-iptables-firewall ARNOFW_SOURCE:=$(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/iptables-firewall @@ -13,7 +13,7 @@ ARNOFW_TARGET_BINARY:=/usr/sbin/arno-iptables-firewall ARNOFW_CONFIG_DIR:=/etc/arno-iptables-firewall ARNOFW_CONFIG:=$(ARNOFW_CONFIG_DIR)/firewall.conf -ARNOFW_CONFIG_SHIM:=$(ARNOFW_CONFIG_DIR)/firewall.shim +ARNOFW_CONFIG_SHIM:=$(ARNOFW_CONFIG_DIR)/astlinux.shim ARNOFW_PLUGIN_DIR:=$(ARNOFW_CONFIG_DIR)/plugins $(DL_DIR)/$(ARNOFW_SOURCE): 
@@ -22,10 +22,8 @@ $(ARNOFW_DIR)/.unpacked: $(DL_DIR)/$(ARNOFW_SOURCE) $(ARNOFW_CAT) $(DL_DIR)/$(ARNOFW_SOURCE) \ | tar -C $(BUILD_DIR) $(TAR_OPTIONS) - -ifeq ($(ARNOFW_VER),1.8.8l) +ifeq ($(ARNOFW_VER),1.8.8m) $(WGET) -P $(ARNOFW_DIR)$(ARNOFW_PLUGIN_DIR) \ - $(ARNOFW_SITE)/plugins/sip-voip/sip-voip.conf \ - $(ARNOFW_SITE)/plugins/sip-voip/50sip-voip.plugin \ $(ARNOFW_SITE)/plugins/hfsc-traffic-shaper/60hfsc.plugin \ $(ARNOFW_SITE)/plugins/hfsc-traffic-shaper/hfsc.conf endif @@ -45,9 +43,6 @@ $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_DIR) $(INSTALL) -D -m 0755 $(ARNOFW_DIR)/$(ARNOFW_BINARY) \ $(TARGET_DIR)$(ARNOFW_TARGET_BINARY) - $(SED) \ - 's:^CONFIG_FILE=("[^"].*"|.*$$):CONFIG_FILE="$(ARNOFW_CONFIG_SHIM)":' \ - $(TARGET_DIR)/$(ARNOFW_TARGET_BINARY) $(INSTALL) -D -m 0644 package/arno-fw/arnofw.wrapper \ $(TARGET_DIR)/stat$(ARNOFW_CONFIG_SHIM) $(INSTALL) -D -m 0644 $(ARNOFW_DIR)$(ARNOFW_CONFIG) \ @@ -55,6 +50,8 @@ $(SED) 's:^IPTABLES="[^"]*":IPTABLES="$(IPTABLES_BIN)":' \ -e 's:^(INT_IF|EXT_IF|MODEM_IF|INTERNET_NET|NAT)=:#&:' \ $(TARGET_DIR)/stat$(ARNOFW_CONFIG) + $(SED) 's:^LOCAL_CONFIG_FILE="":LOCAL_CONFIG_FILE="$(ARNOFW_CONFIG_SHIM)":' \ + $(TARGET_DIR)/stat$(ARNOFW_CONFIG) $(INSTALL) -D -m 0755 $(ARNOFW_DIR)$(ARNOFW_CONFIG_DIR)/custom-rules \ $(TARGET_DIR)/stat$(ARNOFW_CONFIG_DIR) $(INSTALL) -D -m 0444 $(ARNOFW_DIR)$(ARNOFW_PLUGIN_DIR)/*.plugin \ Modified: trunk/package/arno-fw/arnofw.wrapper =================================================================== --- trunk/package/arno-fw/arnofw.wrapper 2008-02-15 19:20:31 UTC (rev 1585) +++ trunk/package/arno-fw/arnofw.wrapper 2008-02-17 07:28:34 UTC (rev 1586) 
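Review bot: The build-time `$(WGET)` of `60hfsc.plugin` and `hfsc.conf` pulls root-executed firewall plugin code over plain HTTP from `$(ARNOFW_SITE)` with no checksum or signature verification, and nothing visible in this rule verifies the main tarball either; anyone on the build host's network path can substitute the plugin. At minimum record known hashes in the package directory and check them before install, e.g. `cd $(ARNOFW_DIR)$(ARNOFW_PLUGIN_DIR) && sha256sum -c $(CURDIR)/package/arno-fw/plugins.sha256`, or better, vendor the two files under `package/arno-fw/` and drop the network fetch from the recipe. The `ifeq ($(ARNOFW_VER),1.8.8m)` pin also means the next version bump silently stops installing the HFSC plugin unless someone remembers to update the condition; a comment stating that would help.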
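Review bot: The new `$(SED) 's:^LOCAL_CONFIG_FILE="":LOCAL_CONFIG_FILE="$(ARNOFW_CONFIG_SHIM)":'` only rewrites a line that is exactly `LOCAL_CONFIG_FILE=""` in the upstream firewall.conf; if a future version ships a different default, the substitution matches nothing, the shim is never sourced, and every rc.conf override (interfaces, NAT, internal nets) is silently lost while the build still succeeds. The removed `CONFIG_FILE` sed had the same failure mode, so this is a good moment to add a post-condition to the recipe: `grep -q '^LOCAL_CONFIG_FILE="$(ARNOFW_CONFIG_SHIM)"' $(TARGET_DIR)/stat$(ARNOFW_CONFIG)`, so the build fails loudly instead. The same check is worth applying to the `IPTABLES=` rewrite on the preceding line.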
@@ -1,20 +1,20 @@
#
-# This is an ugly shim to first load /etc/rc.conf, then
-# /etc/arno-iptables-firewall/firewall.conf, then map values
-# from the former to override values in the latter.
+# In this shim, we're invoked after /etc/arno-iptables-firewall/firewall.conf
+# has been read. We then read /etc/rc.conf, and paste in variables from
+# the latter file that should override whatever values were configured in
+# firewall.conf. Reason being that it should be easy to swap between
+# arno-iptables-firewall and astfw (and back again) with fewer values to
+# reconfigure.
#
# You could argue that this will be confusing, and I wouldn't disagree.
#
# Ideally, we should have the values in /etc/rc.conf and firewall.conf
-# converge... and possibly finalize on a single firewall project.
+# converge... and possibly finalize on a single firewall project for
+# AstLinux.
#
. /etc/rc.conf
-REAL_CONFIG_FILE="`dirname $CONFIG_FILE`/firewall.conf"
-
-. $REAL_CONFIG_FILE
-
#
# the attrocious logic below is to make sure that if INTIF='' and INT2IF=''
# and INT3IF='', then INT_IF='' as well (and not a string of spaces).
@@ -28,16 +28,18 @@
done
EXT_IF=""
-for intf in $EXTIF EXT2IF; do
+for intf in $EXTIF $EXT2IF; do
EXT_IF="$EXT_IF${EXT_IF:+ }$intf"
done
INTERNAL_NET=""
-for pair in ${INTIP:+$INTIP/$INTMN} ${INT2IP:+$INT2IP/$INT2NM} \
+for pair in ${INTIP:+$INTIP/$INTNM} ${INT2IP:+$INT2IP/$INT2NM} \
${INT3IP:+$INT3IP/$INT3NM}; do
INTERNAL_NET="$INTERNAL_NET${INTERNAL_NET:+ }$pair"
done
+NAT_INTERNAL_NET="$INTERNAL_NET"
+
MODEM_IF=""
NAT=1
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
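Review bot: The rewritten header says the shim runs "after firewall.conf has been read" but not how it gets there: it is reached only because arnofw.mk rewrites `LOCAL_CONFIG_FILE` in the installed firewall.conf to point at this file, so someone editing either side can break the wiring without any error. Suggest adding to the header `# Sourced by arno-iptables-firewall via LOCAL_CONFIG_FILE in firewall.conf` and `# (that setting is patched in by package/arno-fw/arnofw.mk at build time).` Since the file is executed, not parsed, in the firewall's context, it is also worth a one-line note that `. /etc/rc.conf` runs whatever that file contains with the firewall's privileges, so rc.conf must stay root-owned and not group- or world-writable. The `INT_IF` loop that the last comment introduces continues outside the hunk.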
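Review bot: The corrected `${INTIP:+$INTIP/$INTNM}` (and its INT2/INT3 siblings on the next line) tests only the address, so an interface configured with INTxIP but an empty INTxNM yields an entry of the form `10.0.0.1/` (constructed example) in both INTERNAL_NET and the new NAT_INTERNAL_NET, and how the firewall treats that malformed network is not visible here. Consider requiring both halves, e.g. `${INTIP:+${INTNM:+$INTIP/$INTNM}}`, so an incomplete pair is omitted rather than passed through, or emit a diagnostic when an address has no mask so the misconfiguration is visible in the log.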
From: <ppr...@us...> - 2008-04-30 17:49:20
Revision: 1738 http://astlinux.svn.sourceforge.net/astlinux/?rev=1738&view=rev Author: pprindeville Date: 2008-04-30 10:49:09 -0700 (Wed, 30 Apr 2008) Log Message: ----------- Set DHCP in firewall shim Modified Paths: -------------- trunk/package/arno-fw/arnofw.mk trunk/package/arno-fw/arnofw.wrapper
Modified: trunk/package/arno-fw/arnofw.mk
===================================================================
--- trunk/package/arno-fw/arnofw.mk 2008-04-29 18:04:57 UTC (rev 1737)
+++ trunk/package/arno-fw/arnofw.mk 2008-04-30 17:49:09 UTC (rev 1738)
@@ -48,7 +48,7 @@
$(INSTALL) -D -m 0644 $(ARNOFW_DIR)$(ARNOFW_CONFIG) \
$(TARGET_DIR)/stat$(ARNOFW_CONFIG)
$(SED) 's:^IPTABLES="[^"]*":IPTABLES="$(IPTABLES_BIN)":' \
- -e 's:^(INT_IF|EXT_IF|MODEM_IF|INTERNAL_NET|NAT|NAT_INTERNAL_NET)=:#&:' \
+ -e 's:^(INT_IF|EXT_IF|MODEM_IF|INTERNAL_NET|NAT|NAT_INTERNAL_NET|EXT_IF_DHCP_IP)=:#&:' \
$(TARGET_DIR)/stat$(ARNOFW_CONFIG)
$(SED) 's:^LOCAL_CONFIG_FILE="":LOCAL_CONFIG_FILE="$(ARNOFW_CONFIG_SHIM)":' \
$(TARGET_DIR)/stat$(ARNOFW_CONFIG)
Modified: trunk/package/arno-fw/arnofw.wrapper
===================================================================
--- trunk/package/arno-fw/arnofw.wrapper 2008-04-29 18:04:57 UTC (rev 1737)
+++ trunk/package/arno-fw/arnofw.wrapper 2008-04-30 17:49:09 UTC (rev 1738)
@@ -44,6 +44,12 @@
NAT=1
+if [ -z "$EXTIP" -a -z "$PPPOEIF" ]; then
+ EXT_IF_DHCP_IP=1
+else
+ EXT_IF_DHCP_IP=0
+fi
+
#
# need to do some work on the NONAT variable as well
#
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
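Review bot: The list of variables this `-e` expression comments out of firewall.conf is maintained by hand in lock-step with the assignments in arnofw.wrapper (this commit adds EXT_IF_DHCP_IP to both), and nothing documents or checks that invariant; a name added here but not assigned by the shim ends up undefined when the firewall starts. Suggest a comment above the sed: `# every variable disabled here must be assigned unconditionally by arnofw.wrapper, which firewall.conf sources via LOCAL_CONFIG_FILE`. The install rule this line belongs to starts and ends outside the hunk.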
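Review bot: The new test uses the `-a` operator inside `[ ]`, which POSIX marks obsolescent and which can misparse depending on operand values; the unambiguous form is `if [ -z "$EXTIP" ] && [ -z "$PPPOEIF" ]; then`. The rule "no static address and no PPPoE interface means a DHCP client" is also only implied by the variable names, so a one-line comment such as `# no static EXTIP and no PPPoE: treat the external interface as a DHCP client` would make the intent, and presumably the firewall holes this setting opens for DHCP replies, explicit to the next reader.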
