validating application names or IP addresses variables

firewall/firewall-add

@@ -22,6 +22,9 @@ PROTOCOL=$TYPE
 
 EXTRA_OPTIONS="$2 $3 $4"
       
+set | grep SOURCE
+set | grep TARGET
+
 # turn on debug mode by extra option "debug"
       if [[ "$(echo "$EXTRA_OPTIONS" | grep debug)" != "" ]] ; then
               DEBUG=1
@@ -63,55 +66,76 @@ if [[ -z "$TYPE" ]]; then
 	TYPE="tcp"
 fi;
 
-if [[ -z "$SOURCE_IP" ]]; then
+if [[ -z "$SOURCE" ]]; then
 	SOURCE_IP="0.0.0.0/0";
 
-elif [[ "$(echo $SOURCE_IP | cut -d . -f4)" == "0" ]] ; then
+else
-	SOURCE_IP="$SOURCE_IP/24";
-	debug "source ip is $SOURCE_IP";
-fi
-
-if [[ "$SOURCE_APP" != *"."* ]]; then
-	name_resolver $SOURCE_APP;
-	debug "source ip is $APP_IP";
 	IDX=0
+	for i in $(echo $SOURCE) ; do
+	
+		if [[ "$i" != *"."* ]]; then
+			name_resolver $i;
+			debug "source ip is $APP_IP";
 			for IP in $(echo $APP_IP); do
 				IDX=$(expr 1 + $IDX)
+				eval SOURCE_IP_$IDX=$IP;
+			done;
+		
+		else
+			IDX=$(expr 1 + $IDX)
+			if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
+				SOURCE_IP="$SOURCE_IP/24";
+				eval SOURCE_IP_$IDX="$SOURCE_IP/24";
+				debug "source ip is $SOURCE_IP";
+			else
+				eval SOURCE_IP_$IDX=$i;
+				IP=$i
+				debug "source ip is $IP";
+			fi
+		fi
+	done
+
 	if [ $IDX = 1 ]; then
 		SOURCE_IP=$IP
-		else
-			eval SOURCE_IP_$IDX=$IP;
-		fi;
-	done;
-	
-# Modifying source or target IP addresses if POSTROUTING rules needed to applied
 	fi;
 				
-
-if [[ -z "$TARGET_IP" ]]; then
-	TARGET_IP="0.0.0.0/0";
-
-elif [[ "$(echo $TARGET_IP | cut -d . -f4)" == "0" ]] ; then
-	TARGET_IP="$TARGET_IP/24";
-	debug "target ip is $TARGET_IP";
 fi
 
-if [[ "$TARGET_APP" != *"."* ]]; then
+if [[ -z "$TARGET" ]]; then
-	name_resolver $TARGET_APP;
+	TARGET_IP="0.0.0.0/0";
-	debug "target ip is $APP_IP";
+
+else
 	IDX=0
+	for i in $(echo $TARGET) ; do
+	
+		if [[ "$i" != *"."* ]]; then
+			name_resolver $i;
+			debug "target ip is $APP_IP";
 			for IP in $(echo $APP_IP); do
 				IDX=$(expr 1 + $IDX)
-		if [ $IDX = 1 ]; then
-			TARGET_IP=$IP;
-		else
 				eval TARGET_IP_$IDX=$IP;
-		fi;
 			done;
+		
+		else
+			IDX=$(expr 1 + $IDX)
+			if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
+				TARGET_IP="$TARGET_IP/24";
+				eval TARGET_IP_$IDX="$TARGET_IP/24";
+				debug "target ip is $TARGET_IP";
+			else
+				eval TARGET_IP_$IDX=$i;
+				IP=$i
+				debug "target ip is $IP";
+			fi
+		fi
+	done
+
+	if [ $IDX = 1 ]; then
+		TARGET_IP=$IP
 	fi;
 				
-set | grep SOURCE
+fi
-set | grep TARGET
+
 
 prerouting() {
 	LINES=$($IPTABLES -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
@@ -281,8 +305,26 @@ else
 		done
 	fi
 
-	debug "$IPTABLES -I $CHAIN -p $PROTOCOL -s $SOURCE_IP --sport $SOURCE_PORT -d $TARGET_IP --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT"
+	IPTABLES_OPTIONS=""
-	$IPTABLES -I $CHAIN -p $PROTOCOL -s $SOURCE_IP -d $TARGET_IP --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT
+	if [ "$SOURCE_IP" != "" ]; then
+		IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -s $SOURCE_IP";
+	else
+		SOURCE_PORT=""
+	fi
+	if [ "$SOURCE_PORT" != "" ]; then
+		IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --sport $SOURCE_PORT";
+	fi
+	if [ "$TARGET_IP" != "" ]; then
+		IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -d $TARGET_IP";
+	else
+		TARGET_PORT=""
+	fi
+	if [ "$TARGET_PORT" != "" ]; then
+		IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --dport $TARGET_PORT";
+	fi
+
+	debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
+	$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT
 
 	#############################
 fi