From 09b2c0fe2a8bcaa517959b450d13588e52ea7244 Mon Sep 17 00:00:00 2001
From: gyurix
Date: Wed, 15 Dec 2021 07:52:50 +0000
Subject: [PATCH] Prerouting and postrouting rules created in functions.

---
 firewall/firewall-add | 89 +++++++++++++++++++++++++------------------
 1 file changed, 52 insertions(+), 37 deletions(-)

diff --git a/firewall/firewall-add b/firewall/firewall-add
index 2a3a29d..503a8b5 100755
--- a/firewall/firewall-add
+++ b/firewall/firewall-add
@@ -21,6 +21,34 @@ IPTABLES=/sbin/iptables-legacy
 ###############################
+prerouting() {
+LINES=$($iptables --line-number -n | grep $COMMENT | grep PREROUTING |awk '{print $1}'| tac)
+
+ # DELETE UNECESSARY LINES FROM PREVIOUS RULES
+ if [ -n "$LINES" ] ; then
+ for i in $LINES; do
+ $iptables -D $i
+ sleep 0.1
+ done
+ fi
+
+$iptables -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
+}
+
+postrouting() {
+LINES=$($iptables --line-number -n | grep $COMMENT | grep POSTROUTING | awk '{print $1}'| tac)
+
+ # DELETE UNECESSARY LINES FROM PREVIOUS RULES
+ if [ -n "$LINES" ] ; then
+ for i in $LINES; do
+ $iptables -D $i
+ sleep 0.1
+ done
+ fi
+
+$iptables -I POSTROUTING -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
+}
+
 COUNT_SOURCE_IP=$(set |grep SOURCE_IP |wc -l)
 COUNT_SOURCE_PORT=$(set |grep SOURCE_PORT |wc -l)
 COUNT_TARGET_IP=$(set |grep TARGET_IP |wc -l)
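Review bot: The cleanup loop in the new `prerouting()` and `postrouting()` cannot remove anything as far as I can tell: `$iptables --line-number -n` carries no `-L`, so iptables reports "no command specified" and `LINES` stays empty; `grep PREROUTING` would not match rule lines anyway, because `-L` prints the chain name only in the `Chain` header; and `$iptables -D $i` omits the mandatory chain argument. The visible effect is that every run inserts a fresh DNAT/MASQUERADE rule at position 1 and the stale ones pile up below it. Suggested for the PREROUTING case: `LINES=$($iptables -L PREROUTING --line-numbers -n | grep -F -- "$COMMENT" | awk '{print $1}' | tac)` and `$iptables -D PREROUTING "$i"` (mirror for POSTROUTING), with `-F --` and quoting so a comment containing spaces or regex metacharacters does not change what is matched. Both functions silently depend on `$iptables`, `$COMMENT` and the address/port variables being set by the caller; a short header comment on each stating that, e.g. `# Requires: $iptables (nat-table command prefix), $COMMENT, $SOURCE_IP, $SOURCE_PORT, $PROTOCOL, $TARGET_IP, $TARGET_PORT`, would make the coupling explicit.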
@@ -54,31 +82,10 @@ if [[ "$NSENTER" == "true" ]] ; then
 iptables="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- $IPTABLES -t nat";
 if [[ "$PREROUTING" == "true" ]] ; then
- LINES=$($iptables --line-number -n | grep $COMMENT | grep PREROUTING |awk '{print $1}'| tac)
+ prerouting;
- # DELETE UNECESSARY LINES FROM PREVIOUS RULES
- if [ -n "$LINES" ] ; then
- for i in $LINES; do
- $iptables -D $i
- sleep 0.1
- done
- fi
-
- $iptables -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
-
 elif [[ "$POSTROUTING" == "true" ]] ; then
- LINES=$($iptables --line-number -n | grep $COMMENT | grep POSTROUTING | awk '{print $1}'| tac)
-
- # DELETE UNECESSARY LINES FROM PREVIOUS RULES
- if [ -n "$LINES" ] ; then
- for i in $LINES; do
- $iptables -D $i
- sleep 0.1
- done
- fi
-
- $iptables -I POSTROUTING -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
-
+ postrouting;
 else
 ip_route="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- ip route";
@@ -87,26 +94,34 @@ if [[ "$NSENTER" == "true" ]] ; then
 else
- if $IPTABLES --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then
- echo "nothing to do";
- else $IPTABLES -I $CHAIN -m state --state established,related -j ACCEPT;
- fi
+ if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] ; then
+ if [[ "$PREROUTING" == "true" ]] ; then
+ prerouting;
- #
- # DELETE UNECESSARY LINES FROM PREVIOUS RULES
- LINES=$($IPTABLES --line-number -n --list $CHAIN | grep $SOURCE_IP |grep $TARGET_IP |grep $PROTOCOL |grep $TARGET_PORT | awk '{print $1}'| tac)
+ elif [[ "$POSTROUTING" == "true" ]] ; then
+ postrouting;
+ else
- if [ -n "$LINES" ] ; then
- for i in $LINES; do
- $IPTABLES -D $CHAIN $i
- sleep 0.1
- done
+ if $IPTABLES --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then
+ echo "nothing to do";
+ else $IPTABLES -I $CHAIN -m state --state established,related -j ACCEPT;
 fi
- $IPTABLES -I $CHAIN -s $SOURCE_IP -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT
+ #
+ # DELETE UNECESSARY LINES FROM PREVIOUS RULES
+ LINES=$($IPTABLES --line-number -n --list $CHAIN | grep $SOURCE_IP |grep $TARGET_IP |grep $PROTOCOL |grep $TARGET_PORT | awk '{print $1}'| tac)
- #############################
+ if [ -n "$LINES" ] ; then
+ for i in $LINES; do
+ $IPTABLES -D $CHAIN $i
+ sleep 0.1
+ done
+ fi
+ $IPTABLES -I $CHAIN -s $SOURCE_IP -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT
+
+ #############################
+ fi
 fi
 done # target_port
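Review bot: The `else` branch that installs the filter-chain rules is unreachable in the new layout: it sits inside `if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] ; then`, so whenever that outer test passes the inner `if`/`elif` has already matched, and when neither flag is set the whole block is skipped — the non-nsenter ESTABLISHED,RELATED rule and the per-port ACCEPT rule are no longer written at all. Counting `if`/`fi` on the new side of this hunk, there is also one more `if` than `fi`, which would leave the `if [[ "$NSENTER" == "true" ]]` that this `else` belongs to open before `done # target_port`; `bash -n firewall-add` should confirm or refute that. Deleting just the outer `if … || … ; then` line appears to fix both problems: the remaining `if`/`elif`/`else`/`fi` covers all three cases and the `fi` count balances again. Separately, `prerouting` and `postrouting` run `$iptables`, which in this file is only assigned in the nsenter branch (`iptables="nsenter … $IPTABLES -t nat"`), so in this branch they would execute with an empty or stale command unless the variable is set elsewhere outside the view; a plain `$IPTABLES -t nat` equivalent is needed here.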