-rw-r--r-- | core/conf/iptables/ipt-bridge.sh | 7 | ||||
-rw-r--r-- | core/conf/iptables/ipt-client.sh | 25 | ||||
-rw-r--r-- | core/conf/iptables/ipt-firewall.sh | 4 | ||||
-rw-r--r-- | core/conf/iptables/ipt-open.sh | 17 | ||||
-rw-r--r-- | core/conf/iptables/ipt-server.sh | 11 | ||||
-rw-r--r-- | core/conf/iptables/ipt-start.sh | 34 | ||||
-rw-r--r-- | core/conf/iptables/ipt-stop.sh | 8 | ||||
-rw-r--r-- | core/conf/rc.d/iptables | 59 |
8 files changed, 83 insertions, 82 deletions
diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh
index 2042f8e..b0f7daa 100644
--- a/core/conf/iptables/ipt-bridge.sh
+++ b/core/conf/iptables/ipt-bridge.sh
@@ -1,13 +1,6 @@
 #!/bin/bash
-echo "setting bridge network..."
-source /etc/iptables/ipt-conf.sh
-source /etc/iptables/ipt-firewall.sh
-ipt_clear
-ipt_tables
 # Unlimited on loopback
-$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
 $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
 $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
diff --git a/core/conf/iptables/ipt-client.sh b/core/conf/iptables/ipt-client.sh
index abead40..d19a9dc 100644
--- a/core/conf/iptables/ipt-client.sh
+++ b/core/conf/iptables/ipt-client.sh
@@ -1,14 +1,23 @@
 #!/bin/bash
 echo "setting client network..."
-source /etc/iptables/ipt-conf.sh
-source /etc/iptables/ipt-firewall.sh
-ipt_clear
-ipt_tables
-
-# Unlimited on loopback
-$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+if [ "${GW}" == "" ]; then
+
+ $IPT -A INPUT -j srv_icmp
+ $IPT -A OUTPUT -j srv_icmp
+ $IPT -A INPUT -j srv_dhcp
+ $IPT -A OUTPUT -j srv_dhcp
+
+ echo "no gateway, wating for one..."
+
+ while [ "${GW}" == "" ]
+ do
+ #we wait for a connection
+ sleep 2;
+ GW=$(ip route | grep "default via" | cut -d " " -f 3)
+ done
+fi
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh
index c581e6e..a216fe3 100644
--- a/core/conf/iptables/ipt-firewall.sh
+++ b/core/conf/iptables/ipt-firewall.sh
@@ -9,8 +9,8 @@ ipt_clear () {
 $IPT -X
 $IPT6 -F
 $IPT6 -X
-$PIT4 -Z
-$PIT6 -Z
+#$PIT4 -Z
+#$PIT6 -Z
 $IPT -t nat -F
 $IPT -t nat -X
 $IPT -t mangle -F
diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-open.sh
new file mode 100644
index 0000000..be2b86b
--- /dev/null
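Review bot: The hunk drops `source /etc/iptables/ipt-conf.sh` from ipt-bridge.sh, but nothing visible replaces it — ipt-start.sh, which now sources this file, loads only ipt-firewall.sh — so `$IPT` and `${PUB_IP}` on the two surviving rule lines are defined only if ipt-firewall.sh pulls ipt-conf.sh in itself, which this commit does not show. If either is empty the lines degrade to `-A INPUT -i lo -s -d -j ACCEPT`, a command-not-found that is silently skipped because none of these scripts set `set -e`, and the profile is applied only partially without any error reaching the rc.d script. A guard at the top of the file makes that failure loud: `: "${IPT:?IPT is not set - load ipt-conf.sh first}"` and `: "${PUB_IP:?PUB_IP is not set}"`. The same dependency applies to ipt-client.sh and ipt-server.sh, which also lose their own `source` lines in this commit, and to the new ipt-open.sh.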
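Review bot: The new wait loop in ipt-client.sh has no upper bound, so when no default route ever appears the script — and the rc.d `start` that runs it — never returns; a bounded wait (a counter in the loop, then `exit 1` with a message on stderr) would let init proceed and report the failure instead of hanging boot. While waiting, the `srv_icmp`/`srv_dhcp` jumps are appended to INPUT and OUTPUT and nothing visible removes them once `GW` is found, so they presumably stay at the top of both chains for the life of the client profile — either delete them with `-D` after the loop or add a comment stating they are intended to remain, depending on what ipt_tables puts in those chains (not visible here). Minor: `[ "${GW}" == "" ]` reads more clearly as `[ -z "${GW}" ]`, and "wating" in the echo is a typo. Where `GW` is first set, and the rest of the file, lie outside the hunk.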
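Review bot: Commenting out `$PIT4 -Z` and `$PIT6 -Z` in ipt_clear hides the underlying problem rather than fixing it: the two names read like transpositions of the `$IPT`/`$IPT6` used on the adjacent lines, so the old lines were probably expanding to a bare `-Z` and failing on every clear. If zeroing the packet counters was intended, the lines should become `$IPT -Z` and `$IPT6 -Z`; if it was not, delete them rather than leave commented-out code carrying a mis-spelled variable for the next reader to copy. ipt_clear begins before this hunk.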
+++ b/core/conf/iptables/ipt-open.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## load client configuration
+${IPT} -P INPUT DROP
+${IPT} -P FORWARD DROP
+${IPT} -P OUTPUT ACCEPT
+
+${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+${IPT} -A OUTPUT -j ACCEPT
+
+${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh
index 278c400..67f18f0 100644
--- a/core/conf/iptables/ipt-server.sh
+++ b/core/conf/iptables/ipt-server.sh
@@ -1,16 +1,5 @@
 echo "setting server iptables ..."
-source /etc/iptables/ipt-firewall.sh
-
-ipt_clear
-ipt_tables
-
-# Unlimited on loopback
-$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-#$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-#$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT
-
 ####### Input Chain ######
 $IPT -A INPUT -j blocker
diff --git a/core/conf/iptables/ipt-start.sh b/core/conf/iptables/ipt-start.sh
new file mode 100644
index 0000000..b7af1fd
--- /dev/null
+++ b/core/conf/iptables/ipt-start.sh
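Review bot: The two catch-all LOG rules at the end of ipt-open.sh have no rate limit, and because INPUT's policy is DROP every unsolicited packet reaches `${IPT} -A INPUT -j LOG`, so a scan or a chatty LAN segment can flood the kernel log and crowd out other messages; inserting `-m limit --limit 5/min --limit-burst 10` before `-j LOG` on both lines bounds that. The two loopback ACCEPT lines are also already added by ipt-start.sh before it sources this file, so they are duplicated here and could be dropped for consistency with ipt-bridge.sh and ipt-server.sh, which lose theirs in this commit. The header comment `## load client configuration` was carried over from the old rc.d `open)` arm and no longer describes the file; `## open profile: drop unsolicited input, allow all output, log the rest` would.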
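Review bot: ipt-server.sh is now a fragment that only works when sourced from ipt-start.sh after ipt_clear and ipt_tables have run, but nothing in the file says so — it has no shebang and opens directly with the echo, while ipt-bridge.sh and ipt-client.sh keep `#!/bin/bash` as if they were still standalone, which is misleading for anyone who runs one of them directly. A one-line header at the top, e.g. `# Sourced by /etc/iptables/ipt-start.sh after ipt_tables; expects $IPT and the chains referenced below (blocker, ...) to exist`, would document the contract, and the same header belongs in the other profile files. The file continues beyond the hunk.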
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+echo "setting client network..."
+
+source /etc/iptables/ipt-firewall.sh
+
+ipt_clear
+ipt_tables
+
+# Unlimited on loopback
+$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+
+case $TYPE in
+ bridge)
+ #ipt_clear
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ source /etc/iptables/ipt-bridge.sh
+ exit 0
+ ;;
+ server)
+ #ipt_clear
+ source /etc/iptables/ipt-server.sh
+ exit 0
+ ;;
+ client)
+ source /etc/iptables/ipt-client.sh
+ exit 0
+ ;;
+ open)
+ source /etc/iptables/ipt-open.sh
+ exit 0
+ ;;
+esac
diff --git a/core/conf/iptables/ipt-stop.sh b/core/conf/iptables/ipt-stop.sh
new file mode 100644
index 0000000..55af57c
--- /dev/null
+++ b/core/conf/iptables/ipt-stop.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+echo "blocking network..."
+
+source /etc/iptables/ipt-firewall.sh
+
+ipt_clear
+ipt_tables
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables
index a2ecaf2..c2061db 100644
--- a/core/conf/rc.d/iptables
+++ b/core/conf/rc.d/iptables
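Review bot: `case $TYPE in` in ipt-start.sh has no `*)` arm, so an unset or misspelled `TYPE` silently falls through: ipt_clear and ipt_tables have already run, only the two loopback rules are in place, and the script exits 0 as if a profile had been applied — whether the host is then wide open or fully closed depends on the policies ipt_tables sets, which are not visible here. Add `*) echo "unknown TYPE '${TYPE}'" >&2; exit 1 ;;` before `esac` so the rc.d script sees the failure, and quote the selector as `case "$TYPE" in`. The `echo "setting client network..."` on line 3 is printed for all four profiles; `echo "setting ${TYPE} network..."` would say which one is actually being applied. The two `#ipt_clear` comment lines are leftovers from the old rc.d script and can go, since ipt_clear now always runs above the case.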
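Review bot: ipt-stop.sh clears the rules but does not undo the `echo 1 > /proc/sys/net/ipv4/ip_forward` that ipt-start.sh performs for the bridge profile, so after `stop` the kernel keeps forwarding between interfaces under whatever FORWARD policy ipt_tables leaves; if "blocking network..." is meant literally, add `echo 0 > /proc/sys/net/ipv4/ip_forward` after `ipt_tables` (or restore a value saved at start). Whether the end state is actually blocking rests entirely on ipt_tables setting DROP default policies, which this commit does not show — a comment on the last line such as `# ipt_tables installs the default policies; nothing is accepted after this point` would make that assumption explicit for the next reader, or prove it wrong.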
@@ -1,68 +1,19 @@
 #!/bin/bash
-. /etc/iptables/ipt-firewall.sh
-
 case $1 in
 start)
- case $TYPE in
- bridge)
- #ipt_clear
- echo "setting bridge network..."
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- ## load bridge configuration
- #iptables-restore /etc/iptables/bridge.v4
- #iptables-restore /etc/iptables/bridge.v6
- bash /etc/iptables/ipt-bridge.sh
-
- ;;
- server)
- #ipt_clear
- echo "setting server network..."
- ## load server configuration
- #iptables-restore /etc/iptables/server.v4
- #iptables-restore /etc/iptables/server.v6
- bash /etc/iptables/ipt-server.sh
- ;;
- client)
- #ipt_clear
- echo "setting client network..."
- ## load client configuration
- #iptables-restore /etc/iptables/client.v4
- bash /etc/iptables/ipt-client.sh
- ;;
- open)
- ipt_clear
- echo "setting open network..."
- ## load client configuration
-
- ${IPT} -P INPUT DROP
- ${IPT} -P FORWARD DROP
- ${IPT} -P OUTPUT ACCEPT
-
- ${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
- ${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-
- ${IPT} -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
- ${IPT} -A INPUT -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-
- ${IPT} -A OUTPUT -j ACCEPT
-
- ${IPT} -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
- ${IPT} -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
- ;;
- esac
+ echo "clear all iptables tables"
+ bash /etc/iptables/ipt-start.sh
 ;;
 stop)
- echo "clear all iptables tables"
- ipt_clear
- ipt_tables
+ echo "clear all iptables tables"
+ bash /etc/iptables/ipt-stop.sh
 ;;
 restart)
 $0 start
 ;;
 status)
- ${IPT} -v
+ /usr/sbin/iptables -v
 ;;
 *)
 echo "Usage: $0 [start|stop]" |