Adding check-line to iptables script
@@ -77,6 +77,7 @@ if [[ -z "$TYPE" ]]; then
|
|||||||
TYPE="tcp"
|
TYPE="tcp"
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
|
if [[ -z "$SOURCE_IP" ]]; then
|
||||||
if [[ -z "$SOURCE" ]]; then
|
if [[ -z "$SOURCE" ]]; then
|
||||||
SOURCE_IP="0.0.0.0/0";
|
SOURCE_IP="0.0.0.0/0";
|
||||||
|
|
||||||
@@ -111,7 +112,9 @@ else
|
|||||||
fi;
|
fi;
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -z "$TARGET_IP" ]]; then
|
||||||
if [[ -z "$TARGET" ]]; then
|
if [[ -z "$TARGET" ]]; then
|
||||||
TARGET_IP="0.0.0.0/0";
|
TARGET_IP="0.0.0.0/0";
|
||||||
|
|
||||||
@@ -146,22 +149,27 @@ else
|
|||||||
fi;
|
fi;
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
prerouting() {
|
prerouting() {
|
||||||
LINES=$($IPTABLES -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
|
LINES=$($IPTABLES -w 10 -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
|
||||||
debug "Previous prerouting lines: "$LINES
|
debug "Previous prerouting lines: "$LINES
|
||||||
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
||||||
if [ -n "$LINES" ] ; then
|
if [ -n "$LINES" ] ; then
|
||||||
for i in $LINES; do
|
for i in $LINES; do
|
||||||
debug "$IPTABLES -D PREROUTING $i"
|
debug "$IPTABLES -D PREROUTING $i";
|
||||||
$IPTABLES -D PREROUTING $i
|
$IPTABLES -w 10 -D PREROUTING $i
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT"
|
debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT"
|
||||||
$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
||||||
|
$IPTABLES -C PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
||||||
|
if [[ "$(echo $?)" != "0" ]]; then
|
||||||
|
$IPTABLES -w 20 -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
postrouting() {
|
postrouting() {
|
||||||
@@ -191,7 +199,10 @@ postrouting() {
|
|||||||
|
|
||||||
debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
||||||
$IPTABLES -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
$IPTABLES -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
||||||
|
$IPTABLES -C POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
||||||
|
if [[ "$(echo $?)" != "0" ]]; then
|
||||||
|
$IPTABLES -w 20 -I POSTROUTING -d $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$TARGET_IP" ] ; then
|
if [ -n "$TARGET_IP" ] ; then
|
||||||
@@ -208,6 +219,10 @@ postrouting() {
|
|||||||
fi
|
fi
|
||||||
debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
||||||
$IPTABLES -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
$IPTABLES -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
||||||
|
$IPTABLES -C POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
||||||
|
if [[ "$(echo $?)" != "0" ]]; then
|
||||||
|
$IPTABLES -w 20 -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -238,7 +253,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
|
|
||||||
IPTABLES=/sbin/iptables
|
IPTABLES="/sbin/iptables"
|
||||||
|
|
||||||
###############################
|
###############################
|
||||||
|
|
||||||
@@ -297,7 +312,7 @@ else
|
|||||||
############################
|
############################
|
||||||
# Host firewall settings ###
|
# Host firewall settings ###
|
||||||
|
|
||||||
if $IPTABLES --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then
|
if $IPTABLES -w 10 --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then
|
||||||
echo "nothing to do";
|
echo "nothing to do";
|
||||||
else
|
else
|
||||||
$IPTABLES -I $CHAIN -m state --state established,related -j ACCEPT;
|
$IPTABLES -I $CHAIN -m state --state established,related -j ACCEPT;
|
||||||
@@ -329,14 +344,14 @@ else
|
|||||||
|
|
||||||
#
|
#
|
||||||
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
||||||
IPTABLES_COMMAND="$IPTABLES --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac";
|
IPTABLES_COMMAND="$IPTABLES -w 10 --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac";
|
||||||
debug "$IPTABLES_COMMAND";
|
debug "$IPTABLES_COMMAND";
|
||||||
LINES=$(eval $IPTABLES_COMMAND);
|
LINES=$(eval $IPTABLES_COMMAND);
|
||||||
|
|
||||||
if [ -n "$LINES" ] ; then
|
if [ -n "$LINES" ] ; then
|
||||||
for i in $LINES; do
|
for i in $LINES; do
|
||||||
debug "$IPTABLES -D $CHAIN $i"
|
debug "$IPTABLES -D $CHAIN $i"
|
||||||
$IPTABLES -D $CHAIN $i
|
$IPTABLES -w 10 -D $CHAIN $i
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@@ -344,7 +359,10 @@ else
|
|||||||
|
|
||||||
debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
|
debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
|
||||||
$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
|
$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
|
||||||
|
$IPTABLES -C $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
|
||||||
|
if [[ "$(echo $?)" != "0" ]]; then
|
||||||
|
$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
#############################
|
#############################
|
||||||
fi
|
fi
|
||||||
|
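Review bot: In the prerouting hunk the new `$IPTABLES -C PREROUTING …` check runs only after the unchanged, unconditional `$IPTABLES -I PREROUTING …` two rows above it, so the check always succeeds and the guarded `$IPTABLES -w 20 -I PREROUTING …` below it is never reached; a fresh rule is still inserted on every run exactly as before. If the intent is an idempotent insert, drop the unconditional `-I` and test first, e.g. `if ! $IPTABLES -w 10 -C PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT; then`, keeping the `-w 20 -I` inside the branch — `if ! cmd` also replaces the `[[ "$(echo $?)" != "0" ]]` indirection, which only works because the subshell inherits `$?` from the preceding command. The same ordering problem applies to both `-C POSTROUTING` blocks in postrouting() and to the `-C $CHAIN` block in the host-firewall hunk, where the guarded re-insert additionally lacks the `-w` wait flag the other new iptables calls in this commit use. Since `-C` matches the full rule specification including the `-m comment` text, a rule previously inserted under a different `$COMMENT` value will not be detected by the check and the existing delete loop remains the only de-duplication.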