From a326c2646b2672e9db18811b0d100b805bc38738 Mon Sep 17 00:00:00 2001 From: gyurix Date: Mon, 12 Sep 2022 12:51:43 +0000 Subject: [PATCH] validating application names or IP addresses variables --- firewall/firewall-add | 130 ++++++++++++++++++++++++++++-------------- 1 file changed, 86 insertions(+), 44 deletions(-) diff --git a/firewall/firewall-add b/firewall/firewall-add index 95eee98..3148585 100755 --- a/firewall/firewall-add +++ b/firewall/firewall-add @@ -22,7 +22,10 @@ PROTOCOL=$TYPE EXTRA_OPTIONS="$2 $3 $4" - # turn on debug mode by extra option "debug" +set | grep SOURCE +set | grep TARGET + +# turn on debug mode by extra option "debug" if [[ "$(echo "$EXTRA_OPTIONS" | grep debug)" != "" ]] ; then DEBUG=1 fi; 
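Review bot: The two added `set | grep SOURCE` / `set | grep TARGET` lines run unconditionally and before `DEBUG` has been derived from `EXTRA_OPTIONS`, so every invocation dumps to stdout every shell variable and function body containing those strings, including anything inherited from the caller's environment. They previously sat at the end of the variable setup (their removal is in the next hunk), and moving them here makes them permanent output rather than a debugging aid. If they are still wanted, place them after the `fi;` that sets `DEBUG` and gate them: `if [[ "$DEBUG" == "1" ]]; then set | grep -E 'SOURCE|TARGET' >&2; fi`; otherwise drop them before merging.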
@@ -63,55 +66,76 @@ if [[ -z "$TYPE" ]]; then TYPE="tcp" fi; -if [[ -z "$SOURCE_IP" ]]; then +if [[ -z "$SOURCE" ]]; then SOURCE_IP="0.0.0.0/0"; -elif [[ "$(echo $SOURCE_IP | cut -d . -f4)" == "0" ]] ; then - SOURCE_IP="$SOURCE_IP/24"; - debug "source ip is $SOURCE_IP"; +else + IDX=0 + for i in $(echo $SOURCE) ; do + + if [[ "$i" != *"."* ]]; then + name_resolver $i; + debug "source ip is $APP_IP"; + for IP in $(echo $APP_IP); do + IDX=$(expr 1 + $IDX) + eval SOURCE_IP_$IDX=$IP; + done; + + else + IDX=$(expr 1 + $IDX) + if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then + SOURCE_IP="$SOURCE_IP/24"; + eval SOURCE_IP_$IDX="$SOURCE_IP/24"; + debug "source ip is $SOURCE_IP"; + else + eval SOURCE_IP_$IDX=$i; + IP=$i + debug "source ip is $IP"; + fi + fi + done + + if [ $IDX = 1 ]; then + SOURCE_IP=$IP + fi; + fi -if [[ "$SOURCE_APP" != *"."* ]]; then - name_resolver $SOURCE_APP; - debug "source ip is $APP_IP"; - IDX=0 - for IP in $(echo $APP_IP); do - IDX=$(expr 1 + $IDX) - if [ $IDX = 1 ]; then - SOURCE_IP=$IP - else - eval SOURCE_IP_$IDX=$IP; - fi; - done; - -# Modifying source or target IP addresses if POSTROUTING rules needed to applied -fi; - - -if [[ -z "$TARGET_IP" ]]; then +if [[ -z "$TARGET" ]]; then TARGET_IP="0.0.0.0/0"; -elif [[ "$(echo $TARGET_IP | cut -d . -f4)" == "0" ]] ; then - TARGET_IP="$TARGET_IP/24"; - debug "target ip is $TARGET_IP"; +else + IDX=0 + for i in $(echo $TARGET) ; do + + if [[ "$i" != *"."* ]]; then + name_resolver $i; + debug "target ip is $APP_IP"; + for IP in $(echo $APP_IP); do + IDX=$(expr 1 + $IDX) + eval TARGET_IP_$IDX=$IP; + done; + + else + IDX=$(expr 1 + $IDX) + if [[ "$(echo $i | cut -d . 
-f4)" == "0" ]] ; then + TARGET_IP="$TARGET_IP/24"; + eval TARGET_IP_$IDX="$TARGET_IP/24"; + debug "target ip is $TARGET_IP"; + else + eval TARGET_IP_$IDX=$i; + IP=$i + debug "target ip is $IP"; + fi + fi + done + + if [ $IDX = 1 ]; then + TARGET_IP=$IP + fi; + fi -if [[ "$TARGET_APP" != *"."* ]]; then - name_resolver $TARGET_APP; - debug "target ip is $APP_IP"; - IDX=0 - for IP in $(echo $APP_IP); do - IDX=$(expr 1 + $IDX) - if [ $IDX = 1 ]; then - TARGET_IP=$IP; - else - eval TARGET_IP_$IDX=$IP; - fi; - done; -fi; - -set | grep SOURCE -set | grep TARGET prerouting() { LINES=$($IPTABLES -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac) @@ -281,8 +305,26 @@ else done fi - debug "$IPTABLES -I $CHAIN -p $PROTOCOL -s $SOURCE_IP --sport $SOURCE_PORT -d $TARGET_IP --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT" - $IPTABLES -I $CHAIN -p $PROTOCOL -s $SOURCE_IP -d $TARGET_IP --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT + IPTABLES_OPTIONS="" + if [ "$SOURCE_IP" != "" ]; then + IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -s $SOURCE_IP"; + else + SOURCE_PORT="" + fi + if [ "$SOURCE_PORT" != "" ]; then + IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --sport $SOURCE_PORT"; + fi + if [ "$TARGET_IP" != "" ]; then + IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -d $TARGET_IP"; + else + TARGET_PORT="" + fi + if [ "$TARGET_PORT" != "" ]; then + IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --dport $TARGET_PORT"; + fi + + debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT" + $IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT ############################# fi
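Review bot: In the `/24` branches of both the SOURCE and TARGET loops the address is built from `$SOURCE_IP` / `$TARGET_IP` instead of the current token `$i`, and `IP` is never assigned there, so a single `a.b.c.0` argument ends the loop with `SOURCE_IP=$IP` taken from a stale or empty `IP`, and a second such token gets `/24` appended twice because `SOURCE_IP_$IDX` is derived from an already-suffixed `SOURCE_IP`. The `eval SOURCE_IP_$IDX=$i` assignments also hand the token to the shell as code, and despite the commit title nothing checks that a dotted token is actually an IPv4 address or CIDR before it is spliced into an iptables command line; `printf -v "SOURCE_IP_$IDX" '%s' "$IP"` assigns the same variable without `eval`, and a `[[ "$i" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]` guard rejects anything else. The rewritten `else` branch of the SOURCE loop is below; the TARGET loop needs the identical change with its own names. Whether `SOURCE_IP` carries an initial value at this point depends on argument handling above the hunk, which is not visible here.
```shell
    else
      IDX=$(expr 1 + $IDX)
      # only a dotted quad, optionally with a prefix length, may reach iptables
      if [[ ! "$i" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
        printf 'firewall-add: invalid source address: %s\n' "$i" >&2
        exit 1
      fi
      if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
        IP="$i/24"
      else
        IP=$i
      fi
      printf -v "SOURCE_IP_$IDX" '%s' "$IP"
      debug "source ip is $IP";
    fi
  done
  # … unchanged: IDX == 1 → SOURCE_IP=$IP …
```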
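Review bot: When `SOURCE_IP` is empty the new option assembly not only omits `-s` but also clears `SOURCE_PORT`, so the inserted rule becomes ACCEPT for the protocol from any source on any port, and the target side does the same; the widest possible rule is produced silently from a missing value. Given the earlier block, `SOURCE_IP` is empty precisely when the resolver returned more than one address (only `SOURCE_IP_N` is set on that path) or the `/24` branch left it unset, so unless the enclosing function, which starts above the hunk, always sets it, this should fail closed rather than widen. Building the options as a string that is later word-split also breaks on any value containing whitespace; a bash array keeps each option intact, and the nested unescaped quotes in the `debug` string should be escaped. The rewritten source-side assembly is below; the target side follows the same pattern with `TARGET_IP` / `TARGET_PORT` and `-d` / `--dport`.
```shell
  IPTABLES_OPTIONS=()
  if [[ -n "$SOURCE_IP" ]]; then
    IPTABLES_OPTIONS+=(-s "$SOURCE_IP")
    if [[ -n "$SOURCE_PORT" ]]; then
      IPTABLES_OPTIONS+=(--sport "$SOURCE_PORT")
    fi
  else
    # fail closed: never insert a rule with no source restriction by accident
    printf 'firewall-add: no source address to filter on, refusing to add rule\n' >&2
    exit 1
  fi
  # … target side: same shape with TARGET_IP / TARGET_PORT, -d / --dport …
  debug "$IPTABLES -I $CHAIN -p $PROTOCOL ${IPTABLES_OPTIONS[*]} -m comment --comment \"$COMMENT\" -j ACCEPT"
  $IPTABLES -I $CHAIN -p $PROTOCOL "${IPTABLES_OPTIONS[@]}" -m comment --comment "$COMMENT" -j ACCEPT
```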