From: <kr...@us...> - 2007-11-08 04:26:14
Revision: 1372 http://astlinux.svn.sourceforge.net/astlinux/?rev=1372&view=rev
Author: krisk84
Date: 2007-11-07 20:26:19 -0800 (Wed, 07 Nov 2007)
Log Message:
-----------
multiple astfw fixes and improvements
Modified Paths:
--------------
trunk/package/iptables/astfw
trunk/target/generic/target_skeleton/stat/etc/rc.conf
Modified: trunk/package/iptables/astfw
===================================================================
--- trunk/package/iptables/astfw 2007-11-07 19:57:21 UTC (rev 1371)
+++ trunk/package/iptables/astfw 2007-11-08 04:26:19 UTC (rev 1372)
@@ -134,6 +134,16 @@
 fi
+if [ "$EXTOPENSRC" ]
+then
+for i in $EXTOPENSRC
+do
+for j in $EXTIFS
+do
+iptables -A INPUT -m state --state NEW -i $j -s $i -j ACCEPT
+done
+done
+fi
 if [ "$EXTOPEN" ]
 then
@@ -277,11 +287,11 @@
 if [ "$DMZSRC" ]
 then
-iptables -t nat -A PREROUTING -i $EXTIF -s "$DMZSRC" -p $PROTOCOL -m $PROTOCOL --dport $PORT -j DNAT --to-destination "$DMZIP":"$PORT"
-iptables -A FORWARD -i $EXTIF -d $DMZIP -s "$DMZSRC" -p $PROTOCOL -m $PROTOCOL --dport $PORT -j ACCEPT
+iptables -t nat -A PREROUTING -i $EXTIF -p $PROTOCOL -m $PROTOCOL --dport $PORT -j DNAT --to-destination "$DMZIP":"$PORT"
+# iptables -A FORWARD -i $EXTIF -d $DMZIP -p $PROTOCOL -m $PROTOCOL --dport $PORT -j ACCEPT
 else
 iptables -t nat -A PREROUTING -i $EXTIF -p $PROTOCOL -m $PROTOCOL --dport $PORT -j DNAT --to-destination "$DMZIP":"$PORT"
-iptables -A FORWARD -i $EXTIF -d $DMZIP -p $PROTOCOL -m $PROTOCOL --dport $PORT -j ACCEPT
+# iptables -A FORWARD -i $EXTIF -d $DMZIP -p $PROTOCOL -m $PROTOCOL --dport $PORT -j ACCEPT
 fi
 done
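Review bot: The new EXTOPENSRC rule in the INPUT chain accepts every new connection from each listed address on every external interface with no protocol or port qualifier, so it is a pure address-based trust that bypasses the per-port EXTOPEN policy immediately below it; that matches what rc.conf documents, but the rule should say so in the script, e.g. `# EXTOPENSRC: trust these source addresses for all new inbound connections (no port filter)`. Because the only match criterion is the source address, the rule gives no protection against packets with a forged source for connectionless protocols; if the intent is an admin host, narrowing it with `-p tcp` or a `--dport` list would reduce that exposure. The `if [ "$EXTOPEN" ]` block that follows the added lines continues outside the hunk.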
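Review bot: With the `-s "$DMZSRC"` qualifier dropped, both branches of `if [ "$DMZSRC" ]` now run the identical PREROUTING DNAT line, so the test is dead code, and the FORWARD ACCEPT rules are left commented out in both branches rather than removed. Unless the FORWARD chain accepts this DNATed traffic elsewhere (the catch-all `-d $DMZIP -j ACCEPT` added in the following hunk appears to run only when a DMZ catch-all is configured), these per-port forwards now have no FORWARD rule at all; please confirm before merging. I would collapse the branch to the single line `iptables -t nat -A PREROUTING -i $EXTIF -p $PROTOCOL -m $PROTOCOL --dport $PORT -j DNAT --to-destination "$DMZIP":"$PORT"` and delete the commented-out lines instead of keeping them as dead text. The enclosing `for` loop that the final `done` closes starts outside the hunk.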
@@ -289,33 +299,54 @@
 if [ "$DMZSRC" ]
 then
+# Catch the TCP/UDP stuff we need
+for i in $EXTOPEN
+do
-iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s \! "$DMZSRC" -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p udp -i $EXTIF -s \! "$DMZSRC" -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p 47 -i $EXTIF -s \! "$DMZSRC" -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p 50 -i $EXTIF -s \! "$DMZSRC" -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p 51 -i $EXTIF -s \! "$DMZSRC" -j DNAT --to-destination $DMZIP
+if `echo $i | grep -q "u"`
+then
+PROTOCOL=udp
+fi
-iptables -A FORWARD -i $EXTIF -o $IF -s \! "$DMZSRC" -d $DMZIP -m state --state NEW -p tcp -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -s \! "$DMZSRC" -d $DMZIP -m state --state NEW -p udp -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -s \! "$DMZSRC" -d $DMZIP -p 47 -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -s \! "$DMZSRC" -d $DMZIP -p 50 -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -s \!
"$DMZSRC" -d $DMZIP -p 51 -j ACCEPT
+if `echo $i | grep -q "t"`
+then
+PROTOCOL=tcp
+fi
+if `echo $i | grep -q "i"`
+then
+PROTOCOL=icmp
+fi
+
+PORT=`echo $i | tr -d itu`
+
+if [ "$PROTOCOL" = "icmp" ]
+then
+iptables -t nat -A PREROUTING -m $PROTOCOL -p $PROTOCOL --icmp-type $PORT -j ACCEPT
 else
+iptables -t nat -A PREROUTING -p $PROTOCOL --dport $PORT -i $EXTIF -j ACCEPT
+fi
+done
-iptables -t nat -A PREROUTING -p tcp -i $EXTIF -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p udp -i $EXTIF -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p 47 -i $EXTIF -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p 50 -i $EXTIF -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p 51 -i $EXTIF -j DNAT --to-destination $DMZIP
+# Don't nat anything from DMZSRC ips
+for i in $DMZSRC
+do
+iptables -t nat -A PREROUTING -i $EXTIF -s $i -j ACCEPT
+done
-iptables -A FORWARD -i $EXTIF -o $IF -d $DMZIP -m state --state NEW -p tcp -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -d $DMZIP -m state --state NEW -p udp -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -d $DMZIP -p 47 -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -d $DMZIP -p 50 -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -d $DMZIP -p 51 -j ACCEPT
+# DNAT everything else
+iptables -t nat -A PREROUTING -i $EXTIF -j DNAT --to-destination $DMZIP
+# Pass it
+iptables -A FORWARD -i $EXTIF -o $IF -d $DMZIP -j ACCEPT
+
+else
+# DNAT everything else
+iptables -t nat -A PREROUTING -j DNAT --to-destination $DMZIP
+
+# Pass it
+iptables -A FORWARD -i $EXTIF -o $IF -d $DMZIP -j ACCEPT
+
 fi
 fi
Modified: trunk/target/generic/target_skeleton/stat/etc/rc.conf
===================================================================
--- trunk/target/generic/target_skeleton/stat/etc/rc.conf 2007-11-07 19:57:21 UTC (rev 1371)
+++ trunk/target/generic/target_skeleton/stat/etc/rc.conf 2007-11-08 04:26:19 UTC (rev 1372)
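Review bot: In the new `else` branch (no DMZSRC configured) the catch-all `iptables -t nat -A PREROUTING -j DNAT --to-destination $DMZIP` carries no `-i $EXTIF`, unlike its twin in the DMZSRC branch and every line it replaces, so packets arriving on any interface — including internal ones addressed to the firewall itself — are redirected to the DMZ host; it should read `iptables -t nat -A PREROUTING -i $EXTIF -j DNAT --to-destination $DMZIP`. The EXTOPEN exemption loop is likewise present only in the DMZSRC branch, so without DMZSRC the ports the administrator opened on the firewall (rc.conf's example is `t22 u4569`) are forwarded to the DMZ as well; hoisting that loop above `if [ "$DMZSRC" ]` would cover both cases, and the old per-protocol rules it replaces also had `-m state --state NEW`, which the new catch-all forwards drop. Inside the exemption loop `PROTOCOL` is never reset, so an entry with no t/u/i letter silently inherits the previous iteration's protocol; add `PROTOCOL=` as the first statement of the loop body, and a `case "$i" in u*) …` would be clearer than relying on the exit status of grep's empty output in `` if `echo $i | grep -q "u"` ``. The outer `if` closed by the final `fi` begins outside the hunk.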
@@ -274,6 +274,12 @@
 ##t= tcp u= udp
 #EXTOPEN="t22 u4569"
+##EXTOPENSRC
+##We will allow any traffic from these IP addresses. As usual, multiple entries
+##can be specified using spaces. Standard iptables netmask and CIDR notation is
+##accepted.
+#EXTOPENSRC="4.2.2.1 4.2.2.2"
+
 ##MASQPORTS
 ##By default the Linux kernel will attempt to use the same source and destination port
 ##for a MASQUERADED connection as long as it is above 1023. This option allows you to
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |