diff --git a/firewall/firewall-add b/firewall/firewall-add
index 224eca7..e910752 100755
--- a/firewall/firewall-add
+++ b/firewall/firewall-add
@@ -10,6 +10,34 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
 ##############################
+
+###############################
+
+COUNT_SOURCE_IP=$(set |grep SOURCE_IP |wc -l)
+COUNT_SOURCE_PORT=$(set |grep SOURCE_PORT |wc -l)
+COUNT_TARGET_IP=$(set |grep TARGET_IP |wc -l)
+COUNT_TARGET_PORT=$(set |grep TARGET_PORT |wc -l)
+
+
+for source_ip_index in $(seq 1 $COUNT_SOURCE_IP) ; do
+ if set |grep SOURCE_IP_ ; then
+ SOURCE_IP=$(eval "echo \${"SOURCE_IP_$source_ip_index"}")
+ fi
+
+ for source_port_index in $(seq 1 $COUNT_SOURCE_PORT) ; do
+ if set |grep SOURCE_PORT_ ; then
+ SOURCE_PORT=$(eval "echo \${"SOURCE_PORT_$source_port_index"}")
+ fi
+ for target_ip_index in $(seq 1 $COUNT_TARGET_IP) ; do
+ if set |grep TARGET_IP_ ; then
+ TARGET_IP=$(eval "echo \${"TARGET_IP_$target_ip_index"}")
+ fi
+
+ for target_port_index in $(seq 1 $COUNT_TARGET_PORT) ; do
+ if set |grep TARGET_PORT_ ; then
+ TARGET_PORT=$(eval "echo \${"TARGET_PORT_$target_port_index"}")
+ fi
+
 #############################
 # NSENTER Specific settings #
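Review bot: The per-index guard `if set |grep SOURCE_IP_ ; then` (and its three siblings below it) only tests whether any SOURCE_IP_* variable exists, not whether `SOURCE_IP_$source_ip_index` is set, so when COUNT_SOURCE_IP is inflated by an unrelated variable that merely contains the substring (`set |grep SOURCE_IP |wc -l` also counts a plain SOURCE_IP and any value that contains that text) the last iterations silently reuse the previous value and insert duplicate or mismatched rules. The grep in that guard also prints every matching line of `set` to stdout on each iteration, which is noise at best and leaks unrelated variable values into whatever captures the script's output. Counting with `compgen -A variable SOURCE_IP_` and reading each name through bash indirection `${!name}` instead of `eval "echo ..."` removes both problems as well as the unquoted echo's word-splitting; the SOURCE_PORT, TARGET_IP and TARGET_PORT loops take the same rewrite. Note that the four nested loops insert a rule for every combination of source port and target port, which is presumably intended only if the two port lists are independent — if SOURCE_PORT_n is meant to pair with TARGET_PORT_n, the two port loops should share one index.

```shell
COUNT_SOURCE_IP=$(compgen -A variable SOURCE_IP_ | wc -l)
# … same for COUNT_SOURCE_PORT, COUNT_TARGET_IP, COUNT_TARGET_PORT …

for source_ip_index in $(seq 1 "$COUNT_SOURCE_IP") ; do
  name="SOURCE_IP_$source_ip_index"
  [ -n "${!name:-}" ] || continue   # index missing: count was inflated, skip it
  SOURCE_IP=${!name}
  # … the SOURCE_PORT, TARGET_IP and TARGET_PORT loops follow the same pattern …
```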
@@ -22,48 +50,42 @@ iptables="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- /sbin else $iptables -I POSTROUTING -m state --state established,related -j ACCEPT; fi +# DELETE UNECESSARY LINES FROM PREVIOUS RULES +LINES=$($iptables --line-number -n --list POSTROUTING | grep $SOURCE_IP |grep $TARGET_IP |grep $PROTOCOL |grep $SOURCE_PORT |grep $TARGET_PORT | awk '{print $1}'| tac) + +if [ -n "$LINES" ] ; then + for i in $LINES; do + $iptables -D POSTROUTING $i + sleep 0.1 + done +fi + +$iptables -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT + else iptables="/sbin/iptables-legacy" if $iptables --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then else $iptables -I $CHAIN -m state --state established,related -j ACCEPT; fi -fi + # +# DELETE UNECESSARY LINES FROM PREVIOUS RULES +LINES=$($iptables --line-number -n --list $CHAIN | grep $SOURCE_IP |grep $TARGET_IP |grep $PROTOCOL |grep $TARGET_PORT | awk '{print $1}'| tac) -############################### - -COUNT_SOURCE_IP=$(set |grep SOURCE_IP |wc -l) -COUNT_TARGET_IP=$(set |grep TARGET_IP |wc -l) -COUNT_TARGET_PORT=$(set |grep TARGET_PORT |wc -l) - - -for source_ip_index in $(seq 1 $COUNT_SOURCE_IP) ; do - if set |grep SOURCE_IP_ ; then - SOURCE_IP=$(eval "echo \${"SOURCE_IP_$source_ip_index"}") + if [ -n "$LINES" ] ; then + for i in $LINES; do + $iptables -D $CHAIN $i + sleep 0.1 + done fi - for target_ip_index in $(seq 1 $COUNT_TARGET_IP) ; do - if set |grep TARGET_IP_ ; then - TARGET_IP=$(eval "echo \${"TARGET_IP_$target_ip_index"}") - fi +$iptables -I $CHAIN -s $SOURCE_IP -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT - for target_port_index in $(seq 1 $COUNT_TARGET_PORT) ; do - if set |grep TARGET_PORT_ ; then - TARGET_PORT=$(eval "echo \${"TARGET_PORT_$target_port_index"}") - fi +############################# - # DELETE UNECESSARY LINES FROM PREVIOUS RULES - 
LINES=$($iptables --line-number -n --list $CHAIN | grep $SOURCE_IP |grep $TARGET_IP |grep $PROTOCOL |grep $TARGET_PORT | awk '{print $1}'| tac) - - if [ -n "$LINES" ] ; then - for i in $LINES; do - $iptables -D $CHAIN $i - sleep 0.1 - done - fi - - $iptables -I $CHAIN -s $SOURCE_IP -d $TARGET_IP -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j ACCEPT +fi + done done done done
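Review bot: In the nsenter branch the stale-rule cleanup lists and deletes from POSTROUTING (`--list POSTROUTING`, `$iptables -D POSTROUTING $i`) while the rule it is meant to replace is inserted into PREROUTING (`$iptables -I PREROUTING ... -j DNAT`), so old DNAT rules accumulate and any POSTROUTING rule that happens to match the greps is removed instead, unless POSTROUTING rules for the same mapping are added somewhere outside this hunk. In both branches the match itself is a chain of unquoted substring greps over `--list` output: `grep $SOURCE_IP` treats the dots as regex wildcards (10.0.0.1 also matches 10.0.0.10 and 110.0.0.1) and `grep $SOURCE_PORT` with 80 matches dpt:8080, so rules belonging to other mappings can be deleted by line number. Since every inserted rule already carries `-m comment --comment "$COMMENT"`, the safer and idempotent form is to delete by full rule specification with `-D` until it fails and then `-I` once, which needs no line numbers, no `tac` and no `sleep`; the legacy `$CHAIN` block can use the same shape with its own specification. The `if`/`else` that selects the nsenter or legacy iptables starts before this hunk.

```shell
# nsenter branch — replaces the LINES/tac/sleep block and the -I PREROUTING line
rule=(-d "$SOURCE_IP" -p "$PROTOCOL" --dport "$SOURCE_PORT" -m comment --comment "$COMMENT" -j DNAT --to "$TARGET_IP:$TARGET_PORT")
while $iptables -D PREROUTING "${rule[@]}" 2>/dev/null; do :; done   # stderr silenced: -D fails once no copy is left
$iptables -I PREROUTING "${rule[@]}"
# … unchanged: else branch, iptables-legacy selection and ESTABLISHED/RELATED check …
# legacy branch — same shape with its own specification
rule=(-s "$SOURCE_IP" -d "$TARGET_IP" -p "$PROTOCOL" --dport "$TARGET_PORT" -m comment --comment "$COMMENT" -j ACCEPT)
while $iptables -D "$CHAIN" "${rule[@]}" 2>/dev/null; do :; done
$iptables -I "$CHAIN" "${rule[@]}"
```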