From 1217d8b0d6ec3af5974a7c4d8b4d0bbedb7b22f5 Mon Sep 17 00:00:00 2001
From: gyurix
Date: Mon, 10 Oct 2022 11:55:48 +0000
Subject: [PATCH] Adding check-line to iptables script
---
 firewall/firewall-add | 160 +++++++++++++++++++++++-------------------
 1 file changed, 89 insertions(+), 71 deletions(-)
diff --git a/firewall/firewall-add b/firewall/firewall-add
index 603db4c..06be3a5 100755
--- a/firewall/firewall-add
+++ b/firewall/firewall-add
@@ -77,91 +77,99 @@ if [[ -z "$TYPE" ]]; then TYPE="tcp" fi; -if [[ -z "$SOURCE" ]]; then - SOURCE_IP="0.0.0.0/0"; +if [[ -z "$SOURCE_IP" ]]; then + if [[ -z "$SOURCE" ]]; then + SOURCE_IP="0.0.0.0/0"; -else - IDX=0 - for i in $(echo $SOURCE) ; do - - if [[ "$i" != *"."* ]]; then - name_resolver $i; - debug "source ip is $APP_IP"; - for IP in $(echo $APP_IP); do - IDX=$(expr 1 + $IDX) - eval SOURCE_IP_$IDX=$IP; - done; + else + IDX=0 + for i in $(echo $SOURCE) ; do - else - IDX=$(expr 1 + $IDX) - if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then - SOURCE_IP="$SOURCE_IP/24"; - eval SOURCE_IP_$IDX="$SOURCE_IP/24"; - debug "source ip is $SOURCE_IP"; + if [[ "$i" != *"."* ]]; then + name_resolver $i; + debug "source ip is $APP_IP"; + for IP in $(echo $APP_IP); do + IDX=$(expr 1 + $IDX) + eval SOURCE_IP_$IDX=$IP; + done; + else - eval SOURCE_IP_$IDX=$i; - IP=$i - debug "source ip is $IP"; + IDX=$(expr 1 + $IDX) + if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then + SOURCE_IP="$SOURCE_IP/24"; + eval SOURCE_IP_$IDX="$SOURCE_IP/24"; + debug "source ip is $SOURCE_IP"; + else + eval SOURCE_IP_$IDX=$i; + IP=$i + debug "source ip is $IP"; + fi fi - fi - done + done - if [ $IDX = 1 ]; then - SOURCE_IP=$IP - fi; - + if [ $IDX = 1 ]; then + SOURCE_IP=$IP + fi; + + fi fi -if [[ -z "$TARGET" ]]; then - TARGET_IP="0.0.0.0/0"; +if [[ -z "$TARGET_IP" ]]; then + if [[ -z "$TARGET" ]]; then + TARGET_IP="0.0.0.0/0"; -else - IDX=0 - for i in $(echo $TARGET) ; do - - if [[ "$i" != *"."* ]]; then - name_resolver $i; - debug "target ip is $APP_IP"; - for IP in $(echo $APP_IP); do - IDX=$(expr 1 + $IDX) - eval TARGET_IP_$IDX=$IP; - done; + else + IDX=0 + for i in $(echo $TARGET) ; do - else - IDX=$(expr 1 + $IDX) - if [[ "$(echo $i | cut -d . 
-f4)" == "0" ]] ; then - TARGET_IP="$TARGET_IP/24"; - eval TARGET_IP_$IDX="$TARGET_IP/24"; - debug "target ip is $TARGET_IP"; + if [[ "$i" != *"."* ]]; then + name_resolver $i; + debug "target ip is $APP_IP"; + for IP in $(echo $APP_IP); do + IDX=$(expr 1 + $IDX) + eval TARGET_IP_$IDX=$IP; + done; + else - eval TARGET_IP_$IDX=$i; - IP=$i - debug "target ip is $IP"; + IDX=$(expr 1 + $IDX) + if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then + TARGET_IP="$TARGET_IP/24"; + eval TARGET_IP_$IDX="$TARGET_IP/24"; + debug "target ip is $TARGET_IP"; + else + eval TARGET_IP_$IDX=$i; + IP=$i + debug "target ip is $IP"; + fi fi - fi - done + done - if [ $IDX = 1 ]; then - TARGET_IP=$IP - fi; - + if [ $IDX = 1 ]; then + TARGET_IP=$IP + fi; + + fi fi prerouting() { - LINES=$($IPTABLES -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac) + LINES=$($IPTABLES -w 10 -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac) debug "Previous prerouting lines: "$LINES # DELETE UNECESSARY LINES FROM PREVIOUS RULES if [ -n "$LINES" ] ; then for i in $LINES; do - debug "$IPTABLES -D PREROUTING $i" - $IPTABLES -D PREROUTING $i + debug "$IPTABLES -D PREROUTING $i"; + $IPTABLES -w 10 -D PREROUTING $i sleep 0.1 done fi - debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT" + debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT" $IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT + $IPTABLES -C PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT + if [[ "$(echo $?)" != "0" ]]; then + $IPTABLES -w 20 -I 
PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT + fi } postrouting() {
@@ -189,10 +197,13 @@ postrouting() { done fi - debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE" - $IPTABLES -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE - - fi + debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE" + $IPTABLES -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE + $IPTABLES -C POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE + if [[ "$(echo $?)" != "0" ]]; then + $IPTABLES -w 20 -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE + fi + fi if [ -n "$TARGET_IP" ] ; then LINES=$($IPTABLES -L --line-number -n | grep $COMMENT | grep $TARGET_IP_FOR_POSTROUTING | grep $TARGET_PORT | awk '{print $1}'| tac)
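Review bot: The added `$IPTABLES -C PREROUTING …` check at the end of prerouting() runs without `-w`, so when another process holds the xtables lock — the case the `-w 20` retry exists for — the check itself fails and the rule is inserted a second time even if the unchanged `$IPTABLES -I PREROUTING …` line just above (also without `-w`) had already succeeded; the same insert-then-check-then-insert shape recurs in the POSTROUTING hunks at `@@ -189` and `@@ -206` and in the `$CHAIN` hunk at `@@ -344`. A single insert guarded by the check is idempotent and lock-safe and needs no `"$(echo $?)"` detour: `if ! $IPTABLES -w 20 -C PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT; then` / `$IPTABLES -w 20 -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT` / `fi`. Separately, the new `if [[ -z "$SOURCE_IP" ]]` guard guarantees `$SOURCE_IP` is empty when the `.0` branch runs `SOURCE_IP="$SOURCE_IP/24"`, so a `.0` entry yields the literal `/24` (or `/24/24` on the next one) instead of a network, and `TARGET_IP="$TARGET_IP/24"` under the `TARGET_IP` guard behaves the same; `SOURCE_IP="$i/24"` and `TARGET_IP="$i/24"` look like the intended values. The `eval SOURCE_IP_$IDX=$IP` and `eval TARGET_IP_$IDX=$IP` lines hand resolver output to the shell parser; `printf -v "SOURCE_IP_$IDX" '%s' "$IP"` performs the same assignment without re-parsing it. postrouting() opens on the hunk's last line and continues outside it.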
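Review bot: The re-added debug line in the first POSTROUTING block logs `-s $SOURCE_IP_FOR_POSTROUTING` while the command on the next line runs `-d`, and its nested `"$COMMENT"` ends the string early so the comment is logged as a separate unquoted word; the debug line at `@@ -206` has the same two mismatches. Making the log match the command, `debug "$IPTABLES -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j MASQUERADE"`, mirrors the quoting fix the commit already applied to the PREROUTING debug line; whether `-d` or `-s` is the intended match for this MASQUERADE rule cannot be settled from the hunk and deserves a comment either way. The `$IPTABLES -L --line-number -n | grep $COMMENT …` listing at the bottom of the hunk is the one `-L` call the commit left without `-w 10`. postrouting() starts and ends outside this hunk.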
@@ -206,8 +217,12 @@ postrouting() { sleep 0.1 done fi - debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE" - $IPTABLES -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE + debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE" + $IPTABLES -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE + $IPTABLES -C POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE + if [[ "$(echo $?)" != "0" ]]; then + $IPTABLES -w 20 -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE + fi fi }
@@ -238,7 +253,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward ############################## -IPTABLES=/sbin/iptables +IPTABLES="/sbin/iptables" ###############################
@@ -297,7 +312,7 @@ else ############################ # Host firewall settings ### - if $IPTABLES --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then + if $IPTABLES -w 10 --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then echo "nothing to do"; else $IPTABLES -I $CHAIN -m state --state established,related -j ACCEPT;
@@ -329,14 +344,14 @@ else # # DELETE UNECESSARY LINES FROM PREVIOUS RULES - IPTABLES_COMMAND="$IPTABLES --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac"; + IPTABLES_COMMAND="$IPTABLES -w 10 --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac"; debug "$IPTABLES_COMMAND"; LINES=$(eval $IPTABLES_COMMAND); if [ -n "$LINES" ] ; then for i in $LINES; do debug "$IPTABLES -D $CHAIN $i" - $IPTABLES -D $CHAIN $i + $IPTABLES -w 10 -D $CHAIN $i sleep 0.1 done fi
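Review bot: In `if $IPTABLES -w 10 --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then` the status is the last grep's, so an iptables failure — including a `-w 10` timeout that is newly possible here — reads as "rule absent" and the else branch inserts the state rule with an `-I` that itself has no `-w`. The final grep also prints the matched rule to stdout; `grep -q ACCEPT` keeps the test silent. Checking the rule itself avoids both problems while keeping the existing then/else, `if $IPTABLES -w 10 -C $CHAIN -m state --state established,related -j ACCEPT; then` with `$IPTABLES -w 10 -I $CHAIN -m state --state established,related -j ACCEPT;` in the else branch, provided the rule being looked for was added in that form. The enclosing else-block starts and ends outside the hunk.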
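Review bot: `IPTABLES_COMMAND` remains a string that `LINES=$(eval $IPTABLES_COMMAND)` re-parses, so `$CHAIN`, `$PROTOCOL` and `$GREP_OPTIONS` are expanded once into the string and then interpreted as shell a second time; adding `-w 10` inside that string keeps the eval path. The pipeline can run directly, `LINES=$($IPTABLES -w 10 --line-number -n --list "$CHAIN" | grep "$PROTOCOL" $GREP_OPTIONS | awk '{print $1}' | tac)`, with the `debug` call showing the inputs rather than a command string. `$GREP_OPTIONS` presumably carries several options and so must stay unquoted; a comment such as `# GREP_OPTIONS: extra grep flags, intentionally unquoted so they split` would make that deliberate. The enclosing else-block starts and ends outside the hunk.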
@@ -344,7 +359,10 @@ else debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT" $IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT - + $IPTABLES -C $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT + if [[ "$(echo $?)" != "0" ]]; then + $IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT + fi fi ############################# fi
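Review bot: The fallback insert added at the end of the `$CHAIN` block, `$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT`, has no `-w`, unlike the `-w 20` retries in the PREROUTING and POSTROUTING hunks, so the case it exists for — the first insert losing the xtables lock — is the one in which it cannot wait. `$IPTABLES -w 20 -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT` brings it in line with the other hunks. The enclosing else-block starts outside the hunk.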