From d1eb707cec611ff95739525b91e795fa385a06ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ber=C3=A9nyi=20Gy=C3=B6rgy?=
Date: Fri, 11 Feb 2022 15:28:49 +0000
Subject: [PATCH] Completing firewall scripts.

---
 firewall/firewall-add | 109 ++++++++++++++++++++++--------------------
 1 file changed, 58 insertions(+), 51 deletions(-)

diff --git a/firewall/firewall-add b/firewall/firewall-add
index cf48385..6aa0a64 100755
--- a/firewall/firewall-add
+++ b/firewall/firewall-add
@@ -8,7 +8,7 @@ debug() {
 }
 # Task type variables
-NSENTER=$NSENTER
+ROUTE=$ROUTE
 PREROUTING=$PREROUTING
 POSTROUTING=$POSTROUTING
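Review bot: `ROUTE=$ROUTE` is a self-assignment and does nothing: the variable already holds whatever the environment passed in, and when it was never set the line silently leaves it empty. If the purpose is to document the task-type inputs, a default makes that contract visible and keeps the later `[[ "$ROUTE" == "true" ]]` test well-defined should the script ever adopt `set -u`: `ROUTE=${ROUTE:-false}`. The same applies to the PREROUTING and POSTROUTING lines this hunk keeps.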
@@ -38,31 +38,44 @@ IPTABLES=/sbin/iptables-legacy ############################### prerouting() { -LINES=$($iptables --line-number -n | grep $COMMENT | grep PREROUTING |awk '{print $1}'| tac) + LINES=$($IPTABLES --line-number -n | grep $COMMENT | grep PREROUTING |awk '{print $1}'| tac) # DELETE UNECESSARY LINES FROM PREVIOUS RULES if [ -n "$LINES" ] ; then for i in $LINES; do - $iptables -D $i + $IPTABLES -D $i sleep 0.1 done fi -$iptables -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT + $IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT } postrouting() { -LINES=$($iptables --line-number -n | grep $COMMENT | grep POSTROUTING | awk '{print $1}'| tac) + LINES=$($IPTABLES --line-number -n | grep $COMMENT | grep POSTROUTING | awk '{print $1}'| tac) # DELETE UNECESSARY LINES FROM PREVIOUS RULES if [ -n "$LINES" ] ; then for i in $LINES; do - $iptables -D $i + $IPTABLES -D $i sleep 0.1 done fi -$iptables -I POSTROUTING -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE + $IPTABLES -I POSTROUTING -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE +} + +ip_route() { + + COUNT_NETWORK=$(set |grep NETWORK |wc -l) + + for network_index in $(seq 1 $COUNT_NETWORK) ; do + if set |grep NETWORK_ ; then + NETWORK=$(eval "echo \${"NETWORK_$network_index"}") + GATEWAY=$(eval "echo \${"GATEWAY_$network_index"}") + fi + $IP_ROUTE add $NETWORK/24 via $GATEWAY + done } COUNT_SOURCE_IP=$(set |grep SOURCE_IP |wc -l) 
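Review bot: prerouting() and postrouting() now invoke `$IPTABLES`, but the nsenter wrapper assembled in the next hunk is stored in `NS_IPTABLES`, so the DNAT and MASQUERADE inserts run against the bare host `/sbin/iptables-legacy` with neither the container namespace nor `-t nat`, where the PREROUTING/POSTROUTING chains do not exist; either both functions should use `$NS_IPTABLES` or the next hunk should assign to `IPTABLES`. The stale-rule cleanup is broken independently of that: `$IPTABLES -D $i` passes a rule number without a chain, which iptables rejects, so it should read `$NS_IPTABLES -D PREROUTING $i` (and `POSTROUTING` in postrouting), and the listing `--line-number -n` appears to lack the `-L` command, so LINES is presumably always empty — confirm by running it once. In the new ip_route(), `set |grep NETWORK |wc -l` counts any variable whose name or value contains NETWORK, `if set |grep NETWORK_` succeeds whenever any NETWORK_ variable exists regardless of the index and dumps the matches to stdout, and `eval` re-parses variable contents where bash indirect expansion `${!name}` does the lookup without re-parsing; a rewrite that walks NETWORK_1, NETWORK_2, … until one is unset is below. The `/24` prefix is hard-coded there and could be supplied alongside each network if the networks are not all /24s.
```shell
ip_route() {
  local network_index=1 network_var gateway_var
  # Walk NETWORK_1/GATEWAY_1, NETWORK_2/GATEWAY_2, ... until the next NETWORK_n is unset.
  while network_var="NETWORK_${network_index}"; [[ -n "${!network_var}" ]]; do
    gateway_var="GATEWAY_${network_index}"
    if [[ -z "${!gateway_var}" ]]; then
      echo "GATEWAY_${network_index} is not set for ${!network_var}" >&2
      return 1
    fi
    # /24 kept from the original; make it configurable if the networks differ.
    $IP_ROUTE add "${!network_var}/24" via "${!gateway_var}"
    network_index=$((network_index + 1))
  done
}
```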
@@ -92,57 +105,45 @@ for source_ip_index in $(seq 1 $COUNT_SOURCE_IP) ; do ############################# # NSENTER Specific settings # -if [[ "$NSENTER" == "true" ]] ; then - if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] ; then - iptables="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- $IPTABLES -t nat"; - - debug "iptables: "$IPTABLES; - - if [[ "$PREROUTING" == "true" ]] ; then - prerouting; - - elif [[ "$POSTROUTING" == "true" ]] ; then - postrouting; - fi; - else - ip_route="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- ip route"; - - - fi +if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] ; then + NS_IPTABLES="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- $IPTABLES -t nat"; + + debug "iptables: "$NS_IPTABLES; + + if [[ "$PREROUTING" == "true" ]] ; then + prerouting; + elif [[ "$POSTROUTING" == "true" ]] ; then + postrouting; + + fi; else - if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] ; then - if [[ "$PREROUTING" == "true" ]] ; then - prerouting; - elif [[ "$POSTROUTING" == "true" ]] ; then - postrouting; - fi; +############################ +# Host firewall settings ### + + if $IPTABLES --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then + echo "nothing to do"; else - - if $IPTABLES --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then - echo "nothing to do"; - else - $IPTABLES -I $CHAIN -m state --state established,related -j ACCEPT; - fi - - # - # DELETE UNECESSARY LINES FROM PREVIOUS RULES - LINES=$($IPTABLES --line-number -n --list $CHAIN | grep $SOURCE_IP |grep $TARGET_IP |grep $PROTOCOL |grep $TARGET_PORT | awk '{print $1}'| tac) - - if [ -n "$LINES" ] ; then - for i in $LINES; do - $IPTABLES -D $CHAIN $i - sleep 0.1 - done - fi - - $IPTABLES -I $CHAIN -s $SOURCE_IP -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT - - ############################# + $IPTABLES -I $CHAIN -m state 
--state established,related -j ACCEPT; fi + + # + # DELETE UNECESSARY LINES FROM PREVIOUS RULES + LINES=$($IPTABLES --line-number -n --list $CHAIN | grep $SOURCE_IP |grep $TARGET_IP |grep $PROTOCOL |grep $TARGET_PORT | awk '{print $1}'| tac) + + if [ -n "$LINES" ] ; then + for i in $LINES; do + $IPTABLES -D $CHAIN $i + sleep 0.1 + done + fi + + $IPTABLES -I $CHAIN -s $SOURCE_IP -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT + + ############################# fi done # target_port @@ -151,3 +152,9 @@ fi done # source_ip +if [[ "$ROUTE" == "true" ]] ; then + IP_ROUTE="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- ip route"; + + debug "ip_route: "$IP_ROUTE; + ip_route; +fi
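Review bot: `NS_IPTABLES` is assembled from `docker inspect --format {{.State.Pid}} $NAME` with no check of its exit status, so when the container is not running the command expands to `nsenter -t  -n -- …` and prerouting/postrouting are still called; capture the PID first, `pid=$(docker inspect --format '{{.State.Pid}}' "$NAME") || exit 1` and then `NS_IPTABLES="nsenter -t $pid -n -- $IPTABLES -t nat"`, and the same applies to `IP_ROUTE` in the last hunk. With the NSENTER switch removed, the non-nsenter PREROUTING/POSTROUTING path that the old `else` branch provided is gone, so NAT rules can now only be applied inside a container namespace — worth confirming that host-side NAT is no longer a supported task. The host-firewall check `grep ESTABLISHED |grep RELATED|grep ACCEPT` prints the matching rule to stdout; `grep -q` on the last stage keeps the output clean, and `$CHAIN`, `$SOURCE_IP` and the other expansions in this block should be quoted. The enclosing target_port and source_ip loops start before this hunk.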
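Review bot: ip_route() has no counterpart to the stale-rule deletion that prerouting/postrouting perform, so a second run of a ROUTE task against the same container presumably fails at `ip route add` with an existing-route error, and because the exit status is not checked the script reports nothing; `$IP_ROUTE replace $NETWORK/24 via $GATEWAY` in the function would make the call idempotent. The route block is placed after the source_ip loop rather than inside the per-target dispatch, so a task that sets ROUTE together with PREROUTING applies NAT rules per target and then routes once, which may be intended but deserves a comment such as `# Routes are container-wide, so they are added once after the per-target NAT rules`. `debug "ip_route: "$IP_ROUTE` leaves the expansion unquoted; write `debug "ip_route: $IP_ROUTE"`.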