safebox/firewall_containers
7
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Adding check-line to iptables script

Browse Source
This commit is contained in:
Gyorgy Berenyi
2022-10-10 11:55:48 +00:00
parent 246819fdfa
commit 1217d8b0d6
1 changed files with 89 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
firewall/firewall-add
View File

@@ -77,91 +77,99 @@ if [[ -z "$TYPE" ]]; then
TYPE="tcp"
fi;
if [[ -z "$SOURCE" ]]; then
SOURCE_IP="0.0.0.0/0";
if [[ -z "$SOURCE_IP" ]]; then
if [[ -z "$SOURCE" ]]; then
SOURCE_IP="0.0.0.0/0";
else
IDX=0
for i in $(echo $SOURCE) ; do
if [[ "$i" != *"."* ]]; then
name_resolver $i;
debug "source ip is $APP_IP";
for IP in $(echo $APP_IP); do
IDX=$(expr 1 + $IDX)
eval SOURCE_IP_$IDX=$IP;
done;
else
IDX=0
for i in $(echo $SOURCE) ; do
else
IDX=$(expr 1 + $IDX)
if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
SOURCE_IP="$SOURCE_IP/24";
eval SOURCE_IP_$IDX="$SOURCE_IP/24";
debug "source ip is $SOURCE_IP";
if [[ "$i" != *"."* ]]; then
name_resolver $i;
debug "source ip is $APP_IP";
for IP in $(echo $APP_IP); do
IDX=$(expr 1 + $IDX)
eval SOURCE_IP_$IDX=$IP;
done;
else
eval SOURCE_IP_$IDX=$i;
IP=$i
debug "source ip is $IP";
IDX=$(expr 1 + $IDX)
if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
SOURCE_IP="$SOURCE_IP/24";
eval SOURCE_IP_$IDX="$SOURCE_IP/24";
debug "source ip is $SOURCE_IP";
else
eval SOURCE_IP_$IDX=$i;
IP=$i
debug "source ip is $IP";
fi
fi
fi
done
done
if [ $IDX = 1 ]; then
SOURCE_IP=$IP
fi;
if [ $IDX = 1 ]; then
SOURCE_IP=$IP
fi;
fi
fi
if [[ -z "$TARGET" ]]; then
TARGET_IP="0.0.0.0/0";
if [[ -z "$TARGET_IP" ]]; then
if [[ -z "$TARGET" ]]; then
TARGET_IP="0.0.0.0/0";
else
IDX=0
for i in $(echo $TARGET) ; do
if [[ "$i" != *"."* ]]; then
name_resolver $i;
debug "target ip is $APP_IP";
for IP in $(echo $APP_IP); do
IDX=$(expr 1 + $IDX)
eval TARGET_IP_$IDX=$IP;
done;
else
IDX=0
for i in $(echo $TARGET) ; do
else
IDX=$(expr 1 + $IDX)
if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
TARGET_IP="$TARGET_IP/24";
eval TARGET_IP_$IDX="$TARGET_IP/24";
debug "target ip is $TARGET_IP";
if [[ "$i" != *"."* ]]; then
name_resolver $i;
debug "target ip is $APP_IP";
for IP in $(echo $APP_IP); do
IDX=$(expr 1 + $IDX)
eval TARGET_IP_$IDX=$IP;
done;
else
eval TARGET_IP_$IDX=$i;
IP=$i
debug "target ip is $IP";
IDX=$(expr 1 + $IDX)
if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
TARGET_IP="$TARGET_IP/24";
eval TARGET_IP_$IDX="$TARGET_IP/24";
debug "target ip is $TARGET_IP";
else
eval TARGET_IP_$IDX=$i;
IP=$i
debug "target ip is $IP";
fi
fi
fi
done
done
if [ $IDX = 1 ]; then
TARGET_IP=$IP
fi;
if [ $IDX = 1 ]; then
TARGET_IP=$IP
fi;
fi
fi
prerouting() {
LINES=$($IPTABLES -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
LINES=$($IPTABLES -w 10 -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
debug "Previous prerouting lines: "$LINES
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
if [ -n "$LINES" ] ; then
for i in $LINES; do
debug "$IPTABLES -D PREROUTING $i"
$IPTABLES -D PREROUTING $i
debug "$IPTABLES -D PREROUTING $i";
$IPTABLES -w 10 -D PREROUTING $i
sleep 0.1
done
fi
debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT"
debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT"
$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
$IPTABLES -C PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
if [[ "$(echo $?)" != "0" ]]; then
$IPTABLES -w 20 -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
fi
}
postrouting() {
@@ -189,10 +197,13 @@ postrouting() {
done
fi
debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
$IPTABLES -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
fi
debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
$IPTABLES -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
$IPTABLES -C POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
if [[ "$(echo $?)" != "0" ]]; then
$IPTABLES -w 20 -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
fi
fi
if [ -n "$TARGET_IP" ] ; then
LINES=$($IPTABLES -L --line-number -n | grep $COMMENT | grep $TARGET_IP_FOR_POSTROUTING | grep $TARGET_PORT | awk '{print $1}'| tac)
@@ -206,8 +217,12 @@ postrouting() {
sleep 0.1
done
fi
debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
$IPTABLES -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
$IPTABLES -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
$IPTABLES -C POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
if [[ "$(echo $?)" != "0" ]]; then
$IPTABLES -w 20 -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
fi
fi
}
@@ -238,7 +253,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
##############################
IPTABLES=/sbin/iptables
IPTABLES="/sbin/iptables"
###############################
@@ -297,7 +312,7 @@ else
############################
# Host firewall settings ###
if $IPTABLES --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then
if $IPTABLES -w 10 --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then
echo "nothing to do";
else
$IPTABLES -I $CHAIN -m state --state established,related -j ACCEPT;
@@ -329,14 +344,14 @@ else
#
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
IPTABLES_COMMAND="$IPTABLES --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac";
IPTABLES_COMMAND="$IPTABLES -w 10 --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac";
debug "$IPTABLES_COMMAND";
LINES=$(eval $IPTABLES_COMMAND);
if [ -n "$LINES" ] ; then
for i in $LINES; do
debug "$IPTABLES -D $CHAIN $i"
$IPTABLES -D $CHAIN $i
$IPTABLES -w 10 -D $CHAIN $i
sleep 0.1
done
fi
@@ -344,7 +359,10 @@ else
debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
$IPTABLES -C $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
if [[ "$(echo $?)" != "0" ]]; then
$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
fi
fi
#############################
fi