|
|
|
@@ -3,10 +3,10 @@
|
|
|
|
# Debugging function
|
|
|
|
# Debugging function
|
|
|
|
debug() {
|
|
|
|
debug() {
|
|
|
|
if [ $DEBUG -eq 1 ]; then
|
|
|
|
if [ $DEBUG -eq 1 ]; then
|
|
|
|
echo `date`" DEBUG: "$1 $2 $3
|
|
|
|
echo $(date)" DEBUG: "$1 $2 $3
|
|
|
|
else
|
|
|
|
else
|
|
|
|
echo `date`" DEBUG: "$1 $2 $3 >> /var/log/iptables.log;
|
|
|
|
echo $(date)" DEBUG: "$1 $2 $3 >>/var/log/iptables.log
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# Task type variables
|
|
|
|
# Task type variables
|
|
|
|
@@ -33,20 +33,19 @@ set | grep ROLES
|
|
|
|
SERVICE_FILES=$SERVICE_FILES
|
|
|
|
SERVICE_FILES=$SERVICE_FILES
|
|
|
|
HOST_FILE=$HOST_FILE
|
|
|
|
HOST_FILE=$HOST_FILE
|
|
|
|
if [ "$HOST_FILE" == "" ]; then
|
|
|
|
if [ "$HOST_FILE" == "" ]; then
|
|
|
|
HOST_FILE="/etc/dns/hosts.local";
|
|
|
|
HOST_FILE="/etc/dns/hosts.local"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
RETRIES_NUMBER=$RETRIES_NUMBER
|
|
|
|
RETRIES_NUMBER=$RETRIES_NUMBER
|
|
|
|
|
|
|
|
|
|
|
|
if [ -z "$RETRIES_NUMBER" ]; then
|
|
|
|
if [ -z "$RETRIES_NUMBER" ]; then
|
|
|
|
RETRIES_NUMBER=2;
|
|
|
|
RETRIES_NUMBER=2
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
# turn on debug mode by extra option "debug"
|
|
|
|
# turn on debug mode by extra option "debug"
|
|
|
|
if [[ "$(echo "$EXTRA_OPTIONS" | grep debug)" != "" ]] ; then
|
|
|
|
if [[ "$(echo "$EXTRA_OPTIONS" | grep debug)" != "" ]]; then
|
|
|
|
DEBUG=1
|
|
|
|
DEBUG=1
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# finding IPv4 addresses from application names.
|
|
|
|
# finding IPv4 addresses from application names.
|
|
|
|
name_resolver() {
|
|
|
|
name_resolver() {
|
|
|
|
@@ -54,29 +53,28 @@ name_resolver() {
|
|
|
|
local DNS_IP
|
|
|
|
local DNS_IP
|
|
|
|
local DNS=$1
|
|
|
|
local DNS=$1
|
|
|
|
APP_IP=""
|
|
|
|
APP_IP=""
|
|
|
|
UP_COUNT=0;
|
|
|
|
UP_COUNT=0
|
|
|
|
SRV_COUNT=0;
|
|
|
|
SRV_COUNT=0
|
|
|
|
|
|
|
|
|
|
|
|
echo "DNS: "$DNS;
|
|
|
|
echo "DNS: "$DNS
|
|
|
|
|
|
|
|
|
|
|
|
for D in $(echo $DNS);
|
|
|
|
for D in $(echo $DNS); do
|
|
|
|
do
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if [ -z "$STRICK_CHECK" ]; then
|
|
|
|
if [ -z "$STRICK_CHECK" ]; then
|
|
|
|
# find $D as SELECTOR in hosts file
|
|
|
|
# find $D as SELECTOR in hosts file
|
|
|
|
EXISTS=$(grep -w $D $HOST_FILE);
|
|
|
|
EXISTS=$(grep -w $D $HOST_FILE)
|
|
|
|
#EXISTS=$(grep -w "$D-" $HOST_FILE); # TODO?
|
|
|
|
#EXISTS=$(grep -w "$D-" $HOST_FILE); # TODO?
|
|
|
|
if [ -n "$EXISTS" ]; then # selector exists in hosts file
|
|
|
|
if [ -n "$EXISTS" ]; then # selector exists in hosts file
|
|
|
|
# remove all matching selectors and all selctors followed by "-"
|
|
|
|
# remove all matching selectors and all selctors followed by "-"
|
|
|
|
#APP_IP=$(echo $EXISTS | sed s/$D-.//g | sed s/$D//g);
|
|
|
|
#APP_IP=$(echo $EXISTS | sed s/$D-.//g | sed s/$D//g);
|
|
|
|
APP_IP=$(echo "$EXISTS" | awk '{print $1}');
|
|
|
|
APP_IP=$(echo "$EXISTS" | awk '{print $1}')
|
|
|
|
debug "APP_IP: "$APP_IP;
|
|
|
|
debug "APP_IP: "$APP_IP
|
|
|
|
else
|
|
|
|
else
|
|
|
|
debug "no matching APPLICATION NAME found in $HOST_FILE"
|
|
|
|
debug "no matching APPLICATION NAME found in $HOST_FILE"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
else
|
|
|
|
D=$(echo $D | cut -d "-" -f1)
|
|
|
|
D=$(echo $D | cut -d "-" -f1)
|
|
|
|
UP=$(docker ps --format '{{.Names}}\t{{.Status}}' | grep Up | awk '{print $1}' | grep $D"-") ;
|
|
|
|
UP=$(docker ps --format '{{.Names}}\t{{.Status}}' | grep Up | awk '{print $1}' | grep $D"-")
|
|
|
|
# filtering for ROLES variables if exists.
|
|
|
|
# filtering for ROLES variables if exists.
|
|
|
|
if [[ "$ROLES" != "null" && ! -z "$ROLES" ]]; then
|
|
|
|
if [[ "$ROLES" != "null" && ! -z "$ROLES" ]]; then
|
|
|
|
UPS=""
|
|
|
|
UPS=""
|
|
|
|
@@ -84,119 +82,120 @@ name_resolver() {
|
|
|
|
for ROLE in $(echo $ROLES); do
|
|
|
|
for ROLE in $(echo $ROLES); do
|
|
|
|
FILTERED_BY_ROLE=$(docker inspect $U -f '{{.Config.Labels.roles}}' | uniq | grep $ROLE)
|
|
|
|
FILTERED_BY_ROLE=$(docker inspect $U -f '{{.Config.Labels.roles}}' | uniq | grep $ROLE)
|
|
|
|
if [[ "$(echo $FILTERED_BY_ROLE)" != "" ]]; then
|
|
|
|
if [[ "$(echo $FILTERED_BY_ROLE)" != "" ]]; then
|
|
|
|
UPS="$UPS $U";
|
|
|
|
UPS="$UPS $U"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
done
|
|
|
|
done
|
|
|
|
done
|
|
|
|
UP=$UPS
|
|
|
|
UP=$UPS
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
UP_COUNT=$((UP_COUNT+$(echo $UP | wc -w)));
|
|
|
|
UP_COUNT=$((UP_COUNT + $(echo $UP | wc -w)))
|
|
|
|
|
|
|
|
|
|
|
|
for SRV_FILE in $(echo $SERVICE_FILES); do
|
|
|
|
for SRV_FILE in $(echo $SERVICE_FILES); do
|
|
|
|
CONTAINER_NAMES=$(jq -r .containers[].NAME $SRV_FILE);
|
|
|
|
CONTAINER_NAMES=$(jq -r .containers[].NAME $SRV_FILE)
|
|
|
|
for NAME in $(echo $CONTAINER_NAMES); do
|
|
|
|
for NAME in $(echo $CONTAINER_NAMES); do
|
|
|
|
NEWNAME=$(echo $NAME | cut -d "-" -f1);
|
|
|
|
NEWNAME=$(echo $NAME | cut -d "-" -f1)
|
|
|
|
if [ "$D" == "$NEWNAME" ]; then
|
|
|
|
if [ "$D" == "$NEWNAME" ]; then
|
|
|
|
if [[ "$ROLES" != "null" && ! -z "$ROLES" ]]; then
|
|
|
|
if [[ "$ROLES" != "null" && ! -z "$ROLES" ]]; then
|
|
|
|
C_ROLES=$(jq -r --arg NAME "$NAME" '.containers[] | select(.NAME==$NAME)' $SRV_FILE | jq -r .ROLES);
|
|
|
|
C_ROLES=$(jq -r --arg NAME "$NAME" '.containers[] | select(.NAME==$NAME)' $SRV_FILE | jq -r .ROLES)
|
|
|
|
for ROLE in $(echo $ROLES); do
|
|
|
|
for ROLE in $(echo $ROLES); do
|
|
|
|
# TODO, ha C_ROLES tobb erteket tartalmaz
|
|
|
|
# TODO, ha C_ROLES tobb erteket tartalmaz
|
|
|
|
if [ "$ROLE" == "$C_ROLES" ]; then
|
|
|
|
if [ "$ROLE" == "$C_ROLES" ]; then
|
|
|
|
SRV_COUNT=$((SRV_COUNT+1));
|
|
|
|
SRV_COUNT=$((SRV_COUNT + 1))
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
done
|
|
|
|
else
|
|
|
|
else
|
|
|
|
SRV_COUNT=$((SRV_COUNT+1));
|
|
|
|
SRV_COUNT=$((SRV_COUNT + 1))
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
done;
|
|
|
|
done
|
|
|
|
done
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
if [ ! -z "$UP" ] ; then
|
|
|
|
if [ ! -z "$UP" ]; then
|
|
|
|
for D_IP in `echo $UP` ;
|
|
|
|
for D_IP in $(echo $UP); do
|
|
|
|
do
|
|
|
|
DNS_IP=$(docker inspect $D_IP -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}')
|
|
|
|
DNS_IP=$(docker inspect $D_IP -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}');
|
|
|
|
|
|
|
|
if [ "$APP_IP" == "" ]; then
|
|
|
|
if [ "$APP_IP" == "" ]; then
|
|
|
|
APP_IP="$DNS_IP";
|
|
|
|
APP_IP="$DNS_IP"
|
|
|
|
else
|
|
|
|
else
|
|
|
|
APP_IP="$APP_IP $DNS_IP";
|
|
|
|
APP_IP="$APP_IP $DNS_IP"
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
echo "APP_IP: "$APP_IP;
|
|
|
|
echo "APP_IP: "$APP_IP
|
|
|
|
done
|
|
|
|
done
|
|
|
|
else
|
|
|
|
else
|
|
|
|
debug "no matching running process found"
|
|
|
|
debug "no matching running process found"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done;
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
if [[ ! -z "$STRICK_CHECK" && $UP_COUNT -lt $SRV_COUNT ]]; then
|
|
|
|
if [[ ! -z "$STRICK_CHECK" && $UP_COUNT -lt $SRV_COUNT ]]; then
|
|
|
|
if [ "$2" == "" ]; then RETRIES=0;
|
|
|
|
if [ "$2" == "" ]; then
|
|
|
|
else RETRIES=$2;
|
|
|
|
RETRIES=0
|
|
|
|
fi;
|
|
|
|
|
|
|
|
if [ $RETRIES -le $RETRIES_NUMBER ]; then
|
|
|
|
|
|
|
|
debug "Try to reread container names at $RETRIES";
|
|
|
|
|
|
|
|
sleep 1;
|
|
|
|
|
|
|
|
RETRIES=$((RETRIES+1));
|
|
|
|
|
|
|
|
name_resolver $DNS $RETRIES;
|
|
|
|
|
|
|
|
else
|
|
|
|
else
|
|
|
|
debug "Not enough running process found for executing firewall rules, exiting";
|
|
|
|
RETRIES=$2
|
|
|
|
exit;
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ $RETRIES -le $RETRIES_NUMBER ]; then
|
|
|
|
|
|
|
|
debug "Try to reread container names at $RETRIES"
|
|
|
|
|
|
|
|
sleep 1
|
|
|
|
|
|
|
|
RETRIES=$((RETRIES + 1))
|
|
|
|
|
|
|
|
name_resolver $DNS $RETRIES
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
debug "Not enough running process found for executing firewall rules, exiting"
|
|
|
|
|
|
|
|
exit
|
|
|
|
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if [[ -z "$TYPE" ]]; then
|
|
|
|
if [[ -z "$TYPE" ]]; then
|
|
|
|
TYPE="tcp"
|
|
|
|
TYPE="tcp"
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [[ -z "$SOURCE_IP" ]]; then
|
|
|
|
if [[ -z "$SOURCE_IP" ]]; then
|
|
|
|
if [[ -z "$SOURCE" ]]; then
|
|
|
|
if [[ -z "$SOURCE" ]]; then
|
|
|
|
#SOURCE_IP="0.0.0.0/0";
|
|
|
|
#SOURCE_IP="0.0.0.0/0";
|
|
|
|
echo "No source IP added";
|
|
|
|
echo "No source IP added"
|
|
|
|
elif [ "$(set | grep -w SOURCE_IFACE)" != "" ]; then
|
|
|
|
elif [ "$(set | grep -w SOURCE_IFACE)" != "" ]; then
|
|
|
|
SOURCE=$SOURCE_IFACE;
|
|
|
|
SOURCE=$SOURCE_IFACE
|
|
|
|
echo "VPN interface added instead of IP or domain name";
|
|
|
|
echo "VPN interface added instead of IP or domain name"
|
|
|
|
else
|
|
|
|
else
|
|
|
|
IDX=0
|
|
|
|
IDX=0
|
|
|
|
for i in $(echo $SOURCE) ; do
|
|
|
|
for i in $(echo $SOURCE); do
|
|
|
|
|
|
|
|
|
|
|
|
if [[ "$i" != [0-9]*"."[0-9]*"."[0-9]*"."[0-9]* ]]; then
|
|
|
|
if [[ "$i" != [0-9]*"."[0-9]*"."[0-9]*"."[0-9]* ]]; then
|
|
|
|
name_resolver $i;
|
|
|
|
name_resolver $i
|
|
|
|
debug "source ip is $APP_IP";
|
|
|
|
debug "source ip is $APP_IP"
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
debug "No any IP address found for SOURCE: $SOURCE, try again to resolv";
|
|
|
|
debug "No any IP address found for SOURCE: $SOURCE, try again to resolv"
|
|
|
|
name_resolver $i;
|
|
|
|
name_resolver $i
|
|
|
|
debug "source ip is $APP_IP";
|
|
|
|
debug "source ip is $APP_IP"
|
|
|
|
|
|
|
|
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
debug "No any IP address found for SOURCE: $SOURCE, giving up";
|
|
|
|
debug "No any IP address found for SOURCE: $SOURCE, giving up"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
for IP in $(echo $APP_IP); do
|
|
|
|
for IP in $(echo $APP_IP); do
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
eval SOURCE_IP_$IDX=$IP;
|
|
|
|
eval SOURCE_IP_$IDX=$IP
|
|
|
|
done;
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
else
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
|
|
|
|
if [[ "$(echo $i | cut -d . -f4)" == "0" ]]; then
|
|
|
|
SOURCE_IP="$i/24";
|
|
|
|
SOURCE_IP="$i/24"
|
|
|
|
eval SOURCE_IP_$IDX="$i/24";
|
|
|
|
eval SOURCE_IP_$IDX="$i/24"
|
|
|
|
debug "source ip is $SOURCE_IP";
|
|
|
|
debug "source ip is $SOURCE_IP"
|
|
|
|
else
|
|
|
|
else
|
|
|
|
eval SOURCE_IP_$IDX=$i;
|
|
|
|
eval SOURCE_IP_$IDX=$i
|
|
|
|
IP=$i
|
|
|
|
IP=$i
|
|
|
|
debug "source ip is $IP";
|
|
|
|
debug "source ip is $IP"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
if [ $IDX = 1 ]; then
|
|
|
|
if [ $IDX = 1 ]; then
|
|
|
|
SOURCE_IP=$IP
|
|
|
|
SOURCE_IP=$IP
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
@@ -207,44 +206,44 @@ if [[ -z "$TARGET_IP" ]]; then
|
|
|
|
echo "No target IP added"
|
|
|
|
echo "No target IP added"
|
|
|
|
else
|
|
|
|
else
|
|
|
|
IDX=0
|
|
|
|
IDX=0
|
|
|
|
for i in $(echo $TARGET) ; do
|
|
|
|
for i in $(echo $TARGET); do
|
|
|
|
|
|
|
|
|
|
|
|
if [[ "$i" != [0-9]*"."[0-9]*"."[0-9]*"."[0-9]* ]]; then
|
|
|
|
if [[ "$i" != [0-9]*"."[0-9]*"."[0-9]*"."[0-9]* ]]; then
|
|
|
|
name_resolver $i;
|
|
|
|
name_resolver $i
|
|
|
|
debug "target ip is $APP_IP";
|
|
|
|
debug "target ip is $APP_IP"
|
|
|
|
|
|
|
|
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
debug "No any IP address found for TARGET: $TARGET, try again to resolv";
|
|
|
|
debug "No any IP address found for TARGET: $TARGET, try again to resolv"
|
|
|
|
name_resolver $i;
|
|
|
|
name_resolver $i
|
|
|
|
debug "target ip is $APP_IP";
|
|
|
|
debug "target ip is $APP_IP"
|
|
|
|
|
|
|
|
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
if [[ -z "$APP_IP" ]]; then
|
|
|
|
debug "No any IP address found for TARGET: $TARGET, giving up";
|
|
|
|
debug "No any IP address found for TARGET: $TARGET, giving up"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
for IP in $(echo $APP_IP); do
|
|
|
|
for IP in $(echo $APP_IP); do
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
eval TARGET_IP_$IDX=$IP;
|
|
|
|
eval TARGET_IP_$IDX=$IP
|
|
|
|
done;
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
else
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
IDX=$(expr 1 + $IDX)
|
|
|
|
if [[ "$(echo $i | cut -d . -f4)" == "0" ]] ; then
|
|
|
|
if [[ "$(echo $i | cut -d . -f4)" == "0" ]]; then
|
|
|
|
TARGET_IP="$i/24";
|
|
|
|
TARGET_IP="$i/24"
|
|
|
|
eval TARGET_IP_$IDX="$i/24";
|
|
|
|
eval TARGET_IP_$IDX="$i/24"
|
|
|
|
debug "target ip is $TARGET_IP";
|
|
|
|
debug "target ip is $TARGET_IP"
|
|
|
|
else
|
|
|
|
else
|
|
|
|
eval TARGET_IP_$IDX=$i;
|
|
|
|
eval TARGET_IP_$IDX=$i
|
|
|
|
IP=$i
|
|
|
|
IP=$i
|
|
|
|
debug "target ip is $IP";
|
|
|
|
debug "target ip is $IP"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
if [ $IDX = 1 ]; then
|
|
|
|
if [ $IDX = 1 ]; then
|
|
|
|
TARGET_IP=$IP
|
|
|
|
TARGET_IP=$IP
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
@@ -252,10 +251,10 @@ fi
|
|
|
|
delete_lines() {
|
|
|
|
delete_lines() {
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$1" != "" ]; then
|
|
|
|
if [ "$1" != "" ]; then
|
|
|
|
CHAIN=$1;
|
|
|
|
CHAIN=$1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ -n "$LINES" ] ; then
|
|
|
|
if [ -n "$LINES" ]; then
|
|
|
|
for i in $LINES; do
|
|
|
|
for i in $LINES; do
|
|
|
|
debug "$IPTABLES -D $CHAIN $i"
|
|
|
|
debug "$IPTABLES -D $CHAIN $i"
|
|
|
|
$IPTABLES -w -D $CHAIN $i
|
|
|
|
$IPTABLES -w -D $CHAIN $i
|
|
|
|
@@ -265,8 +264,8 @@ delete_lines() {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
prerouting() {
|
|
|
|
prerouting() {
|
|
|
|
if [ "$(set |grep -w SOURCE_IFACE)" != "" ]; then
|
|
|
|
if [ "$(set | grep -w SOURCE_IFACE)" != "" ]; then
|
|
|
|
if [ "$TARGET_IP" != "" ] && [ "$TARGET_PORT" != "" ] ; then
|
|
|
|
if [ "$TARGET_IP" != "" ] && [ "$TARGET_PORT" != "" ]; then
|
|
|
|
debug "$IPTABLES -I PREROUTING -i $SOURCE_IFACE -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT"
|
|
|
|
debug "$IPTABLES -I PREROUTING -i $SOURCE_IFACE -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT"
|
|
|
|
$IPTABLES -w -I PREROUTING -i $SOURCE_IFACE -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
|
|
|
$IPTABLES -w -I PREROUTING -i $SOURCE_IFACE -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
@@ -275,10 +274,10 @@ prerouting() {
|
|
|
|
if [ "$TARGET_IP" != "" ]; then
|
|
|
|
if [ "$TARGET_IP" != "" ]; then
|
|
|
|
if [ "$TARGET_PORT" != "" ]; then
|
|
|
|
if [ "$TARGET_PORT" != "" ]; then
|
|
|
|
|
|
|
|
|
|
|
|
LINES=$($IPTABLES -w -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
|
|
|
|
LINES=$($IPTABLES -w -L --line-number -n | grep DNAT | grep $SOURCE_PORT | grep $TARGET_IP | grep $TARGET_PORT | grep $COMMENT | awk '{print $1}' | tac)
|
|
|
|
debug "Previous prerouting lines: "$LINES
|
|
|
|
debug "Previous prerouting lines: "$LINES
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
delete_lines "PREROUTING";
|
|
|
|
delete_lines "PREROUTING"
|
|
|
|
|
|
|
|
|
|
|
|
debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT"
|
|
|
|
debug "$IPTABLES -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment $COMMENT -j DNAT --to $TARGET_IP:$TARGET_PORT"
|
|
|
|
$IPTABLES -w -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
|
|
|
$IPTABLES -w -I PREROUTING -d $SOURCE_IP -p $PROTOCOL --dport $SOURCE_PORT -m comment --comment "$COMMENT" -j DNAT --to $TARGET_IP:$TARGET_PORT
|
|
|
|
@@ -290,29 +289,29 @@ prerouting() {
|
|
|
|
|
|
|
|
|
|
|
|
postrouting() {
|
|
|
|
postrouting() {
|
|
|
|
|
|
|
|
|
|
|
|
if [ -n "$SOURCE_IP" ] ; then
|
|
|
|
if [ -n "$SOURCE_IP" ]; then
|
|
|
|
SOURCE_IP_FOR_POSTROUTING="$(echo $SOURCE_IP | cut -d . -f1-3).0/24";
|
|
|
|
SOURCE_IP_FOR_POSTROUTING="$(echo $SOURCE_IP | cut -d . -f1-3).0/24"
|
|
|
|
debug "source ip is $SOURCE_IP_FOR_POSTROUTING"
|
|
|
|
debug "source ip is $SOURCE_IP_FOR_POSTROUTING"
|
|
|
|
|
|
|
|
|
|
|
|
LINES=$($IPTABLES -w -L --line-number -n | grep MASQUERADE | grep $COMMENT | grep $SOURCE_IP_FOR_POSTROUTING | grep $SOURCE_PORT | awk '{print $1}'| tac)
|
|
|
|
LINES=$($IPTABLES -w -L --line-number -n | grep MASQUERADE | grep $COMMENT | grep $SOURCE_IP_FOR_POSTROUTING | grep $SOURCE_PORT | awk '{print $1}' | tac)
|
|
|
|
debug "Previous postrouting lines: "$LINES
|
|
|
|
debug "Previous postrouting lines: "$LINES
|
|
|
|
|
|
|
|
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
delete_lines "POSTROUTING";
|
|
|
|
delete_lines "POSTROUTING"
|
|
|
|
|
|
|
|
|
|
|
|
debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --sport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
|
|
|
debug "$IPTABLES -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --sport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
|
|
|
$IPTABLES -w -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --sport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
|
|
|
$IPTABLES -w -I POSTROUTING -s $SOURCE_IP_FOR_POSTROUTING -p $PROTOCOL --sport $SOURCE_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ -n "$TARGET_IP" ] ; then
|
|
|
|
if [ -n "$TARGET_IP" ]; then
|
|
|
|
TARGET_IP_FOR_POSTROUTING="$(echo $TARGET_IP | cut -d . -f1-3).0/24";
|
|
|
|
TARGET_IP_FOR_POSTROUTING="$(echo $TARGET_IP | cut -d . -f1-3).0/24"
|
|
|
|
debug "target ip is $TARGET_IP_FOR_POSTROUTING"
|
|
|
|
debug "target ip is $TARGET_IP_FOR_POSTROUTING"
|
|
|
|
|
|
|
|
|
|
|
|
LINES=$($IPTABLES -w -L --line-number -n | grep $COMMENT | grep $TARGET_IP_FOR_POSTROUTING | grep $TARGET_PORT | awk '{print $1}'| tac)
|
|
|
|
LINES=$($IPTABLES -w -L --line-number -n | grep $COMMENT | grep $TARGET_IP_FOR_POSTROUTING | grep $TARGET_PORT | awk '{print $1}' | tac)
|
|
|
|
debug "Previous postrouting lines: "$LINES
|
|
|
|
debug "Previous postrouting lines: "$LINES
|
|
|
|
|
|
|
|
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
delete_lines "POSTROUTING";
|
|
|
|
delete_lines "POSTROUTING"
|
|
|
|
|
|
|
|
|
|
|
|
debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
|
|
|
debug "$IPTABLES -I POSTROUTING -s $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE"
|
|
|
|
$IPTABLES -w -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
|
|
|
$IPTABLES -w -I POSTROUTING -d $TARGET_IP_FOR_POSTROUTING -p $PROTOCOL --dport $TARGET_PORT -m comment --comment "$COMMENT" -j MASQUERADE
|
|
|
|
@@ -321,10 +320,10 @@ postrouting() {
|
|
|
|
|
|
|
|
|
|
|
|
ip_route() {
|
|
|
|
ip_route() {
|
|
|
|
|
|
|
|
|
|
|
|
COUNT_NETWORK=$(set |grep NETWORK |wc -l)
|
|
|
|
COUNT_NETWORK=$(set | grep NETWORK | wc -l)
|
|
|
|
|
|
|
|
|
|
|
|
for network_index in $(seq 1 $COUNT_NETWORK) ; do
|
|
|
|
for network_index in $(seq 1 $COUNT_NETWORK); do
|
|
|
|
if set |grep NETWORK_ ; then
|
|
|
|
if set | grep NETWORK_; then
|
|
|
|
NETWORK=$(eval "echo \${"NETWORK_$network_index"}")
|
|
|
|
NETWORK=$(eval "echo \${"NETWORK_$network_index"}")
|
|
|
|
GATEWAY=$(eval "echo \${"GATEWAY_$network_index"}")
|
|
|
|
GATEWAY=$(eval "echo \${"GATEWAY_$network_index"}")
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
@@ -333,105 +332,105 @@ ip_route() {
|
|
|
|
done
|
|
|
|
done
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if [[ "$ROUTE" == "true" ]]; then
|
|
|
|
|
|
|
|
IP_ROUTE="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- ip route"
|
|
|
|
|
|
|
|
|
|
|
|
if [[ "$ROUTE" == "true" ]] ; then
|
|
|
|
ip_route
|
|
|
|
IP_ROUTE="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- ip route";
|
|
|
|
exit
|
|
|
|
|
|
|
|
|
|
|
|
ip_route;
|
|
|
|
|
|
|
|
exit;
|
|
|
|
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
##############################
|
|
|
|
##############################
|
|
|
|
|
|
|
|
|
|
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
|
echo 1 >/proc/sys/net/ipv4/ip_forward
|
|
|
|
|
|
|
|
|
|
|
|
##############################
|
|
|
|
##############################
|
|
|
|
|
|
|
|
|
|
|
|
if /sbin/iptables-legacy -L |grep DOCKER-USER ; then
|
|
|
|
if /usr/sbin/iptables-legacy -L | grep DOCKER-USER; then
|
|
|
|
|
|
|
|
|
|
|
|
IPTABLES="/sbin/iptables-legacy";
|
|
|
|
IPTABLES="/usr/sbin/iptables-legacy"
|
|
|
|
else
|
|
|
|
else
|
|
|
|
|
|
|
|
|
|
|
|
IPTABLES="/sbin/iptables";
|
|
|
|
IPTABLES="/usr/sbin/iptables"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
###############################
|
|
|
|
###############################
|
|
|
|
|
|
|
|
|
|
|
|
COUNT_SOURCE_IP=$(set |grep SOURCE_IP |wc -l)
|
|
|
|
COUNT_SOURCE_IP=$(set | grep SOURCE_IP | wc -l)
|
|
|
|
COUNT_SOURCE_PORT=$(set |grep SOURCE_PORT |wc -l)
|
|
|
|
COUNT_SOURCE_PORT=$(set | grep SOURCE_PORT | wc -l)
|
|
|
|
COUNT_TARGET_IP=$(set |grep TARGET_IP |wc -l)
|
|
|
|
COUNT_TARGET_IP=$(set | grep TARGET_IP | wc -l)
|
|
|
|
COUNT_TARGET_PORT=$(set |grep TARGET_PORT |wc -l)
|
|
|
|
COUNT_TARGET_PORT=$(set | grep TARGET_PORT | wc -l)
|
|
|
|
|
|
|
|
|
|
|
|
# SOURCE AND TARGET PORTS ARE IN PAIRS
|
|
|
|
# SOURCE AND TARGET PORTS ARE IN PAIRS
|
|
|
|
if [ "$COUNT_SOURCE_PORT" == "$COUNT_TARGET_PORT" ]; then PAIRS="1";
|
|
|
|
if [ "$COUNT_SOURCE_PORT" == "$COUNT_TARGET_PORT" ]; then
|
|
|
|
else PAIRS="0";
|
|
|
|
PAIRS="1"
|
|
|
|
fi;
|
|
|
|
else
|
|
|
|
|
|
|
|
PAIRS="0"
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$COUNT_SOURCE_IP" == 0 ] ; then COUNT_SOURCE_IP=1 ; fi
|
|
|
|
if [ "$COUNT_SOURCE_IP" == 0 ]; then COUNT_SOURCE_IP=1; fi
|
|
|
|
for source_ip_index in $(seq 1 $COUNT_SOURCE_IP) ; do
|
|
|
|
for source_ip_index in $(seq 1 $COUNT_SOURCE_IP); do
|
|
|
|
if set |grep SOURCE_IP_ ; then
|
|
|
|
if set | grep SOURCE_IP_; then
|
|
|
|
SOURCE_IP=$(eval "echo \${"SOURCE_IP_$source_ip_index"}")
|
|
|
|
SOURCE_IP=$(eval "echo \${"SOURCE_IP_$source_ip_index"}")
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$COUNT_SOURCE_PORT" == 0 ] ; then COUNT_SOURCE_PORT=1 ; fi
|
|
|
|
if [ "$COUNT_SOURCE_PORT" == 0 ]; then COUNT_SOURCE_PORT=1; fi
|
|
|
|
for source_port_index in $(seq 1 $COUNT_SOURCE_PORT) ; do
|
|
|
|
for source_port_index in $(seq 1 $COUNT_SOURCE_PORT); do
|
|
|
|
if set |grep SOURCE_PORT_ ; then
|
|
|
|
if set | grep SOURCE_PORT_; then
|
|
|
|
SOURCE_PORT=$(eval "echo \${"SOURCE_PORT_$source_port_index"}")
|
|
|
|
SOURCE_PORT=$(eval "echo \${"SOURCE_PORT_$source_port_index"}")
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$COUNT_TARGET_IP" == 0 ] ; then COUNT_TARGET_IP=1 ; fi
|
|
|
|
if [ "$COUNT_TARGET_IP" == 0 ]; then COUNT_TARGET_IP=1; fi
|
|
|
|
for target_ip_index in $(seq 1 $COUNT_TARGET_IP) ; do
|
|
|
|
for target_ip_index in $(seq 1 $COUNT_TARGET_IP); do
|
|
|
|
if set |grep TARGET_IP_ ; then
|
|
|
|
if set | grep TARGET_IP_; then
|
|
|
|
TARGET_IP=$(eval "echo \${"TARGET_IP_$target_ip_index"}")
|
|
|
|
TARGET_IP=$(eval "echo \${"TARGET_IP_$target_ip_index"}")
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$COUNT_TARGET_PORT" == 0 ] ; then COUNT_TARGET_PORT=1 ; fi
|
|
|
|
if [ "$COUNT_TARGET_PORT" == 0 ]; then COUNT_TARGET_PORT=1; fi
|
|
|
|
for target_port_index in $(seq 1 $COUNT_TARGET_PORT) ; do
|
|
|
|
for target_port_index in $(seq 1 $COUNT_TARGET_PORT); do
|
|
|
|
if set |grep TARGET_PORT_ ; then
|
|
|
|
if set | grep TARGET_PORT_; then
|
|
|
|
TARGET_PORT=$(eval "echo \${"TARGET_PORT_$target_port_index"}")
|
|
|
|
TARGET_PORT=$(eval "echo \${"TARGET_PORT_$target_port_index"}")
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
debug "PAIRS: $PAIRS"
|
|
|
|
debug "PAIRS: $PAIRS";
|
|
|
|
debug "source_port_index: $source_port_index"
|
|
|
|
debug "source_port_index: $source_port_index";
|
|
|
|
debug "target_port_index: $target_port_index"
|
|
|
|
debug "target_port_index: $target_port_index";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# if case of pairs if indexes doesn't match then omit routing
|
|
|
|
# if case of pairs if indexes doesn't match then omit routing
|
|
|
|
if [ "$PAIRS" == "1" ] && [ "$source_port_index" != "$target_port_index" ] ; then
|
|
|
|
if [ "$PAIRS" == "1" ] && [ "$source_port_index" != "$target_port_index" ]; then
|
|
|
|
debug "OMIT ROUTING";
|
|
|
|
debug "OMIT ROUTING"
|
|
|
|
continue;
|
|
|
|
continue
|
|
|
|
fi;
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
#############################
|
|
|
|
#############################
|
|
|
|
# NSENTER Specific settings #
|
|
|
|
# NSENTER Specific settings #
|
|
|
|
|
|
|
|
|
|
|
|
if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] || [[ "$HOST" == "true" ]] ; then
|
|
|
|
if [[ "$PREROUTING" == "true" ]] || [[ "$POSTROUTING" == "true" ]] || [[ "$HOST" == "true" ]]; then
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$HOST" == "true" ] ; then
|
|
|
|
if [ "$HOST" == "true" ]; then
|
|
|
|
IPTABLES="/sbin/iptables -t nat";
|
|
|
|
IPTABLES="/sbin/iptables -t nat"
|
|
|
|
debug "iptables: "$IPTABLES;
|
|
|
|
debug "iptables: "$IPTABLES
|
|
|
|
else
|
|
|
|
else
|
|
|
|
IPTABLES="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- /sbin/iptables-legacy -t nat";
|
|
|
|
IPTABLES="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- /sbin/iptables-legacy -t nat"
|
|
|
|
debug "iptables: "$IPTABLES;
|
|
|
|
debug "iptables: "$IPTABLES
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [[ "$PREROUTING" == "true" ]] ; then
|
|
|
|
if [[ "$PREROUTING" == "true" ]]; then
|
|
|
|
prerouting;
|
|
|
|
prerouting
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [[ "$POSTROUTING" == "true" ]] ; then
|
|
|
|
if [[ "$POSTROUTING" == "true" ]]; then
|
|
|
|
postrouting;
|
|
|
|
postrouting
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
############################
|
|
|
|
|
|
|
|
# Host firewall settings ###
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if $IPTABLES -w -n --list $CHAIN |grep ESTABLISHED |grep RELATED|grep ACCEPT ; then
|
|
|
|
|
|
|
|
echo "nothing to do";
|
|
|
|
|
|
|
|
else
|
|
|
|
else
|
|
|
|
$IPTABLES -w -I $CHAIN -m state --state established,related -j ACCEPT;
|
|
|
|
|
|
|
|
|
|
|
|
############################
|
|
|
|
|
|
|
|
# Host firewall settings ###
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if $IPTABLES -w -n --list $CHAIN | grep ESTABLISHED | grep RELATED | grep ACCEPT; then
|
|
|
|
|
|
|
|
echo "nothing to do"
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
$IPTABLES -w -I $CHAIN -m state --state established,related -j ACCEPT
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
IPTABLES_OPTIONS=""
|
|
|
|
IPTABLES_OPTIONS=""
|
|
|
|
@@ -439,30 +438,30 @@ else
|
|
|
|
if [ "$SOURCE_IP" != "" ]; then
|
|
|
|
if [ "$SOURCE_IP" != "" ]; then
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$(echo $SOURCE_IP | cut -d . -f4)" == "0" ]; then
|
|
|
|
if [ "$(echo $SOURCE_IP | cut -d . -f4)" == "0" ]; then
|
|
|
|
SOURCE_IP="$(echo $SOURCE_IP | cut -d . -f1-3).0/24";
|
|
|
|
SOURCE_IP="$(echo $SOURCE_IP | cut -d . -f1-3).0/24"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -s $SOURCE_IP";
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -s $SOURCE_IP"
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $SOURCE_IP";
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $SOURCE_IP"
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$SOURCE_PORT" != "" ]; then
|
|
|
|
if [ "$SOURCE_PORT" != "" ]; then
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --sport $SOURCE_PORT";
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --sport $SOURCE_PORT"
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $SOURCE_PORT";
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $SOURCE_PORT"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$TARGET_IP" != "" ]; then
|
|
|
|
if [ "$TARGET_IP" != "" ]; then
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$(echo $TARGET_IP | cut -d . -f4)" == "0" ]; then
|
|
|
|
if [ "$(echo $TARGET_IP | cut -d . -f4)" == "0" ]; then
|
|
|
|
TARGET_IP="$(echo $TARGET_IP | cut -d . -f1-3).0/24";
|
|
|
|
TARGET_IP="$(echo $TARGET_IP | cut -d . -f1-3).0/24"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -d $TARGET_IP";
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" -d $TARGET_IP"
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $TARGET_IP";
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $TARGET_IP"
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$TARGET_PORT" != "" ]; then
|
|
|
|
if [ "$TARGET_PORT" != "" ]; then
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --dport $TARGET_PORT";
|
|
|
|
IPTABLES_OPTIONS=$IPTABLES_OPTIONS" --dport $TARGET_PORT"
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $TARGET_PORT";
|
|
|
|
GREP_OPTIONS=$GREP_OPTIONS"|grep -e $TARGET_PORT"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
@@ -470,17 +469,17 @@ else
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
# DELETE UNECESSARY LINES FROM PREVIOUS RULES
|
|
|
|
IPTABLES_COMMAND="$IPTABLES -w --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac";
|
|
|
|
IPTABLES_COMMAND="$IPTABLES -w --line-number -n --list $CHAIN | grep $PROTOCOL $GREP_OPTIONS | awk '{print \$1}'| tac"
|
|
|
|
debug "$IPTABLES_COMMAND";
|
|
|
|
debug "$IPTABLES_COMMAND"
|
|
|
|
LINES=$(eval $IPTABLES_COMMAND);
|
|
|
|
LINES=$(eval $IPTABLES_COMMAND)
|
|
|
|
delete_lines;
|
|
|
|
delete_lines
|
|
|
|
|
|
|
|
|
|
|
|
if [ "$OPERATION" == "DELETE" ]; then
|
|
|
|
if [ "$OPERATION" == "DELETE" ]; then
|
|
|
|
|
|
|
|
|
|
|
|
IPTABLES_COMMAND="$IPTABLES -w --line-number -n --list $CHAIN | grep -w "$COMMENT" | awk '{print \$1}'| tac";
|
|
|
|
IPTABLES_COMMAND="$IPTABLES -w --line-number -n --list $CHAIN | grep -w "$COMMENT" | awk '{print \$1}'| tac"
|
|
|
|
debug "$IPTABLES_COMMAND";
|
|
|
|
debug "$IPTABLES_COMMAND"
|
|
|
|
LINES=$(eval $IPTABLES_COMMAND);
|
|
|
|
LINES=$(eval $IPTABLES_COMMAND)
|
|
|
|
delete_lines;
|
|
|
|
delete_lines
|
|
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
else
|
|
|
|
debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
|
|
|
|
debug "$IPTABLES -I $CHAIN -p $PROTOCOL $IPTABLES_OPTIONS -m comment --comment "$COMMENT" -j ACCEPT"
|
|
|
|
@@ -488,11 +487,9 @@ else
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
#############################
|
|
|
|
#############################
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
done # target_port
|
|
|
|
done # target_port
|
|
|
|
done # target_ip
|
|
|
|
done # target_ip
|
|
|
|
done # source_port
|
|
|
|
done # source_port
|
|
|
|
done # source_ip
|
|
|
|
done # source_ip
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
