[pkg-netfilter-team] Bug#951256: iptables fails to update rules from fwbuilder

José L Fernández Jambrina j.fdez.jambrina at gr.ssr.upm.es
Thu Feb 13 12:18:52 GMT 2020


Package: iptables
Version: 1.8.3-2
Severity: important


Dear maintainer,

     This is the Router.fw (renamed to Router_bad.fw) that fwbuilder 
generates on my system.

     I found a workaround: I put the command "nft flush ruleset" in the 
prolog section. I defined it in the User|Router|Editor|Firewalls 
Settings|Prolog/Epilog section of my router, and I have to admit that I 
commented it out when generating the file I am sending, so you can 
uncomment it to verify that it works.


     Thanks very much



El 10/12/19 a las 14:32, José L. Fernández Jambrina escribió:
> Package: iptables
> Version: 1.8.3-2
> Severity: important
>
> Dear Maintainer,
>
> After upgrading from stretch to buster, the iptables rules defined in 
> fwbuilder don't work when changed:
> all I get is a message "iptables: Chain already exists" for each rule 
> and they don't work.
>
> Moreover, as I removed the network-manager package, my system starts without 
> rules (maybe with default rules); at this moment the script generated 
> by fwbuilder runs without warnings and the rules are applied. Afterwards, 
> if I try to apply different rules, I get the warning messages and 
> the rules don't work.
>
> At first my system was running the stable version of iptables, 
> 1.8.2-4, so I moved to the testing version, 1.8.3-2, without any change.
>
> Thanks in advance,
>
>
> -- System Information:
> Debian Release: 10.2
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
> Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), 
> LANGUAGE=es_ES.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages iptables depends on:
> ii libc6 2.28-10
> ii libip4tc2 1.8.3-2
> ii libip6tc2 1.8.3-2
> ii libiptc0 1.8.3-2
> ii libmnl0 1.0.4-2
> ii libnetfilter-conntrack3 1.0.7-1
> ii libnfnetlink0 1.0.1-3+b1
> ii libnftnl11 1.1.5-1
> ii libxtables12 1.8.3-2
>
> Versions of packages iptables recommends:
> ii nftables 0.9.0-2
>
> Versions of packages iptables suggests:
> ii kmod 26-1
>
> -- no debconf information


#!/bin/sh 
#
#  This is automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v5.3.7
#
#  Generated Tue Jan  7 20:27:43 2020 CET by jambrina
#
# files: * Router.fw /home/jambrina/fw/Router.fw
#
# Compiled for iptables 1.4.4
#




# Set to "echo" by the test_interfaces action so that the ip(8) commands
# are printed instead of executed; empty means "really run them".
FWBDEBUG=""

# Put the system tool directories first so the absolute paths below and
# the bare "which" calls resolve the same way regardless of the caller's PATH.
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Absolute paths of the external tools this script drives.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"

# Print a message on stdout and, when the logger binary is available,
# also send it to syslog at priority "info".
log() {
    echo "$1"
    if which "$LOGGER" >/dev/null 2>&1; then
        "$LOGGER" -p info "$1"
    fi
}

# Turn an interface name into something usable as a shell variable name
# by replacing the first "." (e.g. a VLAN suffix) with "_".
getInterfaceVarName() {
    printf '%s\n' "$1" | sed 's/\./_/'
}

# Collect the addresses of interface $1 for address family $3 ("-4" or "-6",
# see getaddr/getaddr6) into the variable named "${2}_list", one address per
# line, without prefix length or "peer" suffix.
getaddr_internal() {
    dev=$1
    name=$2
    af=$3
    L=$($IP $af addr show dev "$dev" |  sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
    if test -z "$L"; then
        # NOTE(review): the empty case clears "$name" while the non-empty case
        # fills "${name}_list" — two different variables; confirm which one
        # the callers actually read.
        eval "$name=''"
        return
    fi
    # The eval interpolates ip(8) output into shell code; it is only as safe
    # as that output is free of shell metacharacters.
    eval "${name}_list=\"$L\""
}

# Collect the kernel-installed network prefixes that mention interface $1
# into the variable named "${2}_list", one per line. $3 is accepted for
# symmetry with getaddr_internal but the "ip route list" call does not use it.
getnet_internal() {
    dev=$1
    name=$2
    af=$3
    # grep on the bare device name is a substring match: "eth1" also hits
    # "eth10"; this mirrors the original behaviour.
    L=$($IP route list proto kernel | grep "$dev" | grep -v default |  sed 's! .*$!!')
    if test -z "$L"; then
        # NOTE(review): clears "$name" here but fills "${name}_list" below —
        # confirm which variable the callers read.
        eval "$name=''"
        return
    fi
    eval "${name}_list=\"$L\""
}


# IPv4 addresses of interface $1 into "${2}_list".
getaddr() { getaddr_internal "$1" "$2" "-4"; }

# IPv6 addresses of interface $1 into "${2}_list".
getaddr6() { getaddr_internal "$1" "$2" "-6"; }

# Kernel routes of interface $1 into "${2}_list" (IPv4 flavour).
getnet() { getnet_internal "$1" "$2" "-4"; }

# Kernel routes of interface $1 into "${2}_list" (IPv6 flavour).
getnet6() { getnet_internal "$1" "$2" "-6"; }

# function getinterfaces is used to process wildcard interfaces:
# print the name of every interface whose "ip link show" line contains
# ": $1" (the interface name is the second field once the line is split
# on spaces and colons).
getinterfaces() {
    NAME=$1
    $IP link show | grep ": $NAME" | while read -r line; do
        saved_ifs=$IFS
        IFS=" :"
        set -- $line
        IFS=$saved_ifs
        printf '%s\n' "$2"
    done
}

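# Call "$1 ITEM $4" for every whitespace-separated ITEM of list $2 that is
# not present in list $3. Membership is an exact token comparison: the old
# "echo $list2 | grep -q $intf" was a substring/regex match, so an address
# like 10.0.0.1/24@eth0 was (wrongly) considered present when only
# 10.0.0.1/24@eth01 was, and the dots matched any character.
diff_intf() {
    func=$1
    list1=$2
    list2=$3
    cmd=$4
    for intf in $list1
    do
        found=""
        for other in $list2; do
            if test "$other" = "$intf"; then
                found="yes"
                break
            fi
        done
        # $intf is absent in list 2: hand it to $func together with $cmd
        if test -z "$found"; then
            $func $intf $cmd
        fi
    done
}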

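# Abort the whole script when program $1 (a bare name or an absolute path)
# cannot be resolved. Uses the POSIX "command -v" builtin instead of the
# external "which", which is not guaranteed to be installed.
find_program() {
  PGM=$1
  if ! command -v "$PGM" >/dev/null 2>&1; then
    echo "\"$PGM\" not found"
    exit 1
  fi
}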
# Make sure the tools the script cannot work without are present; "which"
# itself is checked because log() relies on it.
check_tools() {
  find_program which
  find_program "$IPTABLES"
  find_program "$IP"
}
# Empty the whole IPv4 rule set. The DROP policies are installed first so
# the host fails closed while the chains are being flushed.
reset_iptables_v4() {
  local list

  $IPTABLES  -P OUTPUT  DROP
  $IPTABLES  -P INPUT   DROP
  $IPTABLES  -P FORWARD DROP

  # /proc/net/ip_tables_names lists one loaded table per line.
  while read -r table; do
    list=$($IPTABLES  -t "$table" -L -n)
    # "Chain NAME (...)" lines of the listing name the chains to flush.
    printf "%s" "$list" | while read -r c chain rest; do
      case "$c" in
        Chain) $IPTABLES  -t "$table" -F "$chain" ;;
      esac
    done
    # Then delete the (now empty) user-defined chains of the table.
    $IPTABLES  -t "$table" -X
  done < /proc/net/ip_tables_names
}

# Empty the whole IPv6 rule set; same fail-closed order as reset_iptables_v4.
reset_iptables_v6() {
  local list

  $IP6TABLES  -P OUTPUT  DROP
  $IP6TABLES  -P INPUT   DROP
  $IP6TABLES  -P FORWARD DROP

  # /proc/net/ip6_tables_names lists one loaded table per line.
  while read -r table; do
    list=$($IP6TABLES  -t "$table" -L -n)
    # "Chain NAME (...)" lines of the listing name the chains to flush.
    printf "%s" "$list" | while read -r c chain rest; do
      case "$c" in
        Chain) $IP6TABLES  -t "$table" -F "$chain" ;;
      esac
    done
    # Then delete the (now empty) user-defined chains of the table.
    $IP6TABLES  -t "$table" -X
  done < /proc/net/ip6_tables_names
}


# Set to "yes" by missing_address() once the point-to-point warning has been
# printed, so it is shown at most once per run.
P2P_INTERFACE_WARNING=

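# Add ($2 = "add") or remove ($2 = "del") the address given as $1 in the
# form "ADDR@INTERFACE", then bring the interface up. Point-to-point
# interfaces are skipped with a one-time warning.
#
# Fix: the old "cmd && { ipv6-add } || { ipv4-add }" chain also ran the IPv4
# branch (with "broadcast +") whenever the IPv6 "ip addr add" itself failed;
# the address family is now chosen with an explicit case.
missing_address() {
    address=$1
    cmd=$2

    # Split "ADDR@INTERFACE" on the "@".
    oldIFS=$IFS
    IFS="@"
    set -- $address
    addr=$1
    interface=$2
    IFS=$oldIFS

    if $IP addr show dev "$interface" | grep -q POINTOPOINT; then
        test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
        P2P_INTERFACE_WARNING="yes"
        return
    fi

    # $FWBDEBUG is either empty or "echo" (test mode) and must stay unquoted.
    if test "$cmd" = "add"; then
      echo "# Adding ip address: $interface $addr"
      case "$addr" in
        *:*)
          # IPv6 address: no broadcast address to set.
          $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface"
          ;;
        *)
          $FWBDEBUG $IP addr "$cmd" "$addr" broadcast + dev "$interface"
          ;;
      esac
    fi

    if test "$cmd" = "del"; then
      echo "# Removing ip address: $interface $addr"
      $FWBDEBUG $IP addr "$cmd" "$addr" dev "$interface" || exit 1
    fi

    $FWBDEBUG $IP link set "$interface" up
}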

# Print, sorted, every address of interface $1 whose "ip addr" line matches
# the regex $2 (e.g. 'scope global'), as "ADDR@INTERFACE", skipping the
# whitespace-separated addresses listed in $3.
list_addresses_by_scope() {
    interface=$1
    scope=$2
    ignore_list=$3
    $IP addr ls dev "$interface" | \
      awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
        'BEGIN {
           split(IGNORED,ignored_arr);
           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
        while read -r addr; do
          printf '%s@%s\n' "$addr" "$interface"
        done | sort
}


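# Bring the addresses of one interface in line with what fwbuilder expects.
# $1 is "INTERFACE ADDR ADDR ...", $2 a whitespace-separated list of
# addresses to leave alone. Missing addresses are added (any scope), unknown
# global-scope addresses are removed.
#
# Fix: the old "ip link show ... && { ... } || { ... }" chain fell into the
# "does not exist" branch (and exited) when the last command inside the
# first branch failed, not only when the interface was missing; it is now
# a plain if/else. "set -- $1" also no longer dumps all variables when $1
# is empty.
update_addresses_of_interface() {
    ignore_list=$2
    set -- $1
    interface=$1
    shift

    # Desired addresses as "ADDR@INTERFACE", sorted like the current ones.
    FWB_ADDRS=$(
      for addr in "$@"; do
        echo "${addr}@$interface"
      done | sort
    )

    CURRENT_ADDRS_ALL_SCOPES=""
    CURRENT_ADDRS_GLOBAL_SCOPE=""

    if $IP link show dev "$interface" >/dev/null 2>&1; then
      CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope "$interface" 'scope .*' "$ignore_list")
      CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope "$interface" 'scope global' "$ignore_list")
    else
      echo "# Interface $interface does not exist"
      # Stop the script if we are not in test mode
      test -z "$FWBDEBUG" && exit 1
    fi

    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}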

# For every interface that "ip link show" reports with a "state" and that is
# not named in the arguments, flush its global-scope addresses and bring it
# down. Honours $FWBDEBUG (test mode prints the commands instead).
clear_addresses_except_known_interfaces() {
    $IP link show | sed 's/://g' | awk -v IGNORED="$*" \
        'BEGIN {
           split(IGNORED,ignored_arr);
           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
         }
         (/state/ && !($2 in ignored_dict)) {print $2;}' | \
         while read -r ifname; do
            printf '%s\n' "# Removing addresses not configured in fwbuilder from interface $ifname"
            $FWBDEBUG $IP addr flush dev "$ifname" scope global
            $FWBDEBUG $IP link set "$ifname" down
         done
}

# Abort unless the address-table file $2 (referenced by the fwbuilder
# object named $1) is readable.
check_file() {
    if ! test -r "$2"; then
        printf '%s\n' "Can not find file $2 referenced by address table object $1"
        exit 1
    fi
}

# Verify that every address table read at run time (see script_body) exists
# before any rule is touched.
check_run_time_address_table_files() {
    check_file "Black_List" "/home/jambrina/fw/BlackList.AddressTable"
}

# Nothing to load for this build; the "nat " argument passed by the start
# action is accepted and ignored.
load_modules() {
    return 0
}

# Abort the run if any interface the rule set refers to is missing.
verify_interfaces() {
    echo "Verifying interfaces: eno2 xenbr0"
    for ifname in eno2 xenbr0; do
        if ! $IP link show "$ifname" > /dev/null 2>&1; then
            log "Interface $ifname does not exist"
            exit 1
        fi
    done
}

# User-defined prolog from the fwbuilder "Prolog/Epilog" settings; runs
# before reset_all and script_body.
prolog_commands() {
    printf '%s\n' "Running prolog script"
    # Just to reset the firewall with nftables
    # NOTE: "nft flush ruleset" removes every nftables table on the host,
    # not only the ones backing iptables-nft; anything else that installs
    # nftables rules would be wiped too. Left disabled here.
#nft flush ruleset
}

# User-defined epilog; no commands were configured, only the banner prints.
epilog_commands() {
    printf '%s\n' "Running epilog script"
}

# Run the epilog and terminate the script with status $1.
run_epilog_and_exit() {
    epilog_commands
    exit $1
}

# Configure interfaces: nothing was generated for this firewall, so the
# "interfaces" and "test_interfaces" actions are no-ops.
configure_interfaces() {
    return 0
}

# Load the generated IPv4 rule set (filter and nat tables) and then replace
# the routing table. Expects reset_all to have run first: the chains are
# created with "-N", which fails with "Chain already exists" if they are
# still present. Exits 1 on any fatal error.
script_body() {
    # ================ IPv4


    # ================ Table 'filter', automatic rules
    # accept established sessions
    $IPTABLES -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
    $IPTABLES -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


    # ================ Table 'nat',  rule set NAT
    # 
    # Rule 0 (NAT)
    # 
    echo "Rule 0 (NAT)"
    # 
    # Source NAT for the 192.168.37.0/24 network leaving through eno2.
    $IPTABLES -t nat -A POSTROUTING -o eno2   -s 192.168.37.0/24  -j SNAT --to-source 138.4.47.43



    # ================ Table 'filter', rule set Policy
    # 
    # Rule 0 (global)
    # 
    echo "Rule 0 (global)"
    # 
    $IPTABLES -A OUTPUT -p icmp  -m icmp  --icmp-type any  -j ACCEPT
    $IPTABLES -A INPUT -p icmp  -m icmp  --icmp-type any  -j ACCEPT
    $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type any  -j ACCEPT
    # 
    # Rule 1 (global)
    # 
    echo "Rule 1 (global)"
    # 
    # Blacklist: one INPUT and one FORWARD rule per non-comment, non-empty
    # line of the address table file; the first field of each line is used.
    # NOTE(review): "set $L" treats a line starting with "-" as shell options;
    # the file is expected to hold plain addresses/prefixes only.
    $IPTABLES -N RULE_1
    grep -Ev '^#|^;|^\s*$' /home/jambrina/fw/BlackList.AddressTable | while read L ; do
      set $L; at_Black_List=$1; $IPTABLES -A INPUT  -s $at_Black_List   -j RULE_1 
    done
    grep -Ev '^#|^;|^\s*$' /home/jambrina/fw/BlackList.AddressTable | while read L ; do
      set $L; at_Black_List=$1; $IPTABLES -A FORWARD  -s $at_Black_List   -j RULE_1 
    done
    $IPTABLES -A RULE_1  -j LOG  --log-level info --log-prefix "RULE 1 -- DENY "
    $IPTABLES -A RULE_1  -j DROP
    # 
    # Rule 2 (global)
    # 
    echo "Rule 2 (global)"
    # 
    $IPTABLES -A INPUT  -s 138.4.37.1   -j ACCEPT
    $IPTABLES -A INPUT  -s 138.4.47.43   -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.37.1   -j ACCEPT
    # NOTE(review): unconditional ACCEPT for OUTPUT — every OUTPUT rule
    # appended below (rules 9, 10, 13-21) can never match; confirm intended.
    $IPTABLES -A OUTPUT  -j ACCEPT
    # 
    # Rule 3 (global)
    # 
    echo "Rule 3 (global)"
    # 
    $IPTABLES -A OUTPUT  -d 138.4.37.1   -j ACCEPT
    $IPTABLES -A OUTPUT  -d 138.4.47.43   -j ACCEPT
    $IPTABLES -A OUTPUT  -d 192.168.37.1   -j ACCEPT
    # NOTE(review): unconditional ACCEPT for INPUT — the INPUT rules appended
    # below (6, 7, 8, 9, 10, 11, 12, 20, 21, including the anti-spoofing ones)
    # can never match; only FORWARD is still filtered past this point.
    $IPTABLES -A INPUT  -j ACCEPT
    # 
    # Rule 6 (eno2)
    # 
    echo "Rule 6 (eno2)"
    # 
    $IPTABLES -N In_RULE_6
    $IPTABLES -A INPUT -i eno2   -s 138.4.37.0/26   -j In_RULE_6
    $IPTABLES -A FORWARD -i eno2   -s 138.4.37.0/26   -j In_RULE_6
    $IPTABLES -A In_RULE_6  -j LOG  --log-level info --log-prefix "RULE 6 -- DENY "
    $IPTABLES -A In_RULE_6  -j DROP
    # 
    # Rule 7 (eno2)
    # 
    echo "Rule 7 (eno2)"
    # 
    $IPTABLES -N In_RULE_7
    $IPTABLES -A INPUT -i eno2   -s 192.168.37.0/24   -j In_RULE_7
    $IPTABLES -A FORWARD -i eno2   -s 192.168.37.0/24   -j In_RULE_7
    $IPTABLES -A In_RULE_7  -j LOG  --log-level info --log-prefix "RULE 7 -- DENY "
    $IPTABLES -A In_RULE_7  -j DROP
    # 
    # Rule 8 (xenbr0)
    # 
    echo "Rule 8 (xenbr0)"
    # 
    # Anything entering xenbr0 that is not from the two known networks is
    # logged as "BAD ADDR" and dropped.
    $IPTABLES -N Cid5115X13783.0
    $IPTABLES -A INPUT -i xenbr0   -j Cid5115X13783.0
    $IPTABLES -A FORWARD -i xenbr0   -j Cid5115X13783.0
    $IPTABLES -A Cid5115X13783.0  -s 138.4.37.0/26   -j RETURN
    $IPTABLES -A Cid5115X13783.0  -s 192.168.37.0/24   -j RETURN
    $IPTABLES -N In_RULE_8_3
    $IPTABLES -A Cid5115X13783.0  -j In_RULE_8_3
    $IPTABLES -A In_RULE_8_3  -j LOG  --log-level info --log-prefix "BAD ADDR "
    $IPTABLES -A In_RULE_8_3  -j DROP
    # 
    # Rule 9 (global)
    # 
    echo "Rule 9 (global)"
    # 
    $IPTABLES -N Cid3275X21764.1
    $IPTABLES -A OUTPUT -p tcp -m tcp  --dport 25  -j Cid3275X21764.1
    $IPTABLES -A INPUT -p tcp -m tcp  --dport 25  -j Cid3275X21764.1
    $IPTABLES -A FORWARD -p tcp -m tcp  --dport 25  -j Cid3275X21764.1
    $IPTABLES -A Cid3275X21764.1  -d 138.4.37.1   -j RETURN
    $IPTABLES -A Cid3275X21764.1  -d 138.4.47.43   -j RETURN
    $IPTABLES -A Cid3275X21764.1  -d 192.168.37.1   -j RETURN
    $IPTABLES -A Cid3275X21764.1  -d 138.4.37.12   -j RETURN
    $IPTABLES -A Cid3275X21764.1  -d 138.4.37.56   -j RETURN
    $IPTABLES -A Cid3275X21764.1  -d 192.168.37.12   -j RETURN
    $IPTABLES -N Cid3275X21764.0
    $IPTABLES -A Cid3275X21764.1  -j Cid3275X21764.0
    $IPTABLES -A Cid3275X21764.0  -s 138.4.37.1   -j RETURN
    $IPTABLES -A Cid3275X21764.0  -s 138.4.47.43   -j RETURN
    $IPTABLES -A Cid3275X21764.0  -s 192.168.37.1   -j RETURN
    $IPTABLES -A Cid3275X21764.0  -s 138.4.37.12   -j RETURN
    $IPTABLES -A Cid3275X21764.0  -s 138.4.37.56   -j RETURN
    $IPTABLES -A Cid3275X21764.0  -s 192.168.37.12   -j RETURN
    $IPTABLES -N RULE_9_3
    $IPTABLES -A Cid3275X21764.0  -j RULE_9_3
    $IPTABLES -A RULE_9_3  -j LOG  --log-level info --log-prefix "RULE 9 -- DENY "
    $IPTABLES -A RULE_9_3  -j DROP
    # 
    # Rule 10 (global)
    # 
    echo "Rule 10 (global)"
    # 
    $IPTABLES -N Cid3404X8722.0
    $IPTABLES -A OUTPUT -p tcp -m tcp  -m multiport  --dports 25,465  -m conntrack --ctstate NEW  -j Cid3404X8722.0
    $IPTABLES -A INPUT -p tcp -m tcp  -m multiport  --dports 25,465  -m conntrack --ctstate NEW  -j Cid3404X8722.0
    $IPTABLES -A FORWARD -p tcp -m tcp  -m multiport  --dports 25,465  -m conntrack --ctstate NEW  -j Cid3404X8722.0
    $IPTABLES -A Cid3404X8722.0  -d 138.4.37.1   -j RETURN
    $IPTABLES -A Cid3404X8722.0  -d 138.4.47.43   -j RETURN
    $IPTABLES -A Cid3404X8722.0  -d 192.168.37.1   -j RETURN
    $IPTABLES -A Cid3404X8722.0  -d 138.4.37.12   -j RETURN
    $IPTABLES -A Cid3404X8722.0  -d 138.4.37.56   -j RETURN
    $IPTABLES -A Cid3404X8722.0  -d 192.168.37.12   -j RETURN
    $IPTABLES -N RULE_10_3
    $IPTABLES -A Cid3404X8722.0  -j RULE_10_3
    $IPTABLES -A RULE_10_3  -j LOG  --log-level info --log-prefix "RULE 10 -- ACCEPT "
    $IPTABLES -A RULE_10_3  -j ACCEPT
    # 
    # Rule 11 (global)
    # 
    echo "Rule 11 (global)"
    # 
    $IPTABLES -A INPUT  -s 192.168.37.0/24   -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.37.0/24   -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.37.0/24   -j ACCEPT
    # 
    # Rule 12 (global)
    # 
    echo "Rule 12 (global)"
    # 
    $IPTABLES -A INPUT  -s 138.4.37.0/26   -j ACCEPT
    $IPTABLES -A OUTPUT  -s 138.4.37.0/26   -j ACCEPT
    $IPTABLES -A FORWARD  -s 138.4.37.0/26   -j ACCEPT
    # 
    # Rule 13 (global)
    # 
    echo "Rule 13 (global)"
    # 
    $IPTABLES -N Cid3223X3394.0
    $IPTABLES -A OUTPUT -p tcp -m tcp  --dport 1723  -m conntrack --ctstate NEW  -j Cid3223X3394.0
    $IPTABLES -N RULE_13
    $IPTABLES -A Cid3223X3394.0  -d 138.4.37.10   -j RULE_13
    $IPTABLES -A Cid3223X3394.0  -d 138.4.37.11   -j RULE_13
    $IPTABLES -N Cid3223X3394.1
    $IPTABLES -A FORWARD -p tcp -m tcp  --dport 1723  -m conntrack --ctstate NEW  -j Cid3223X3394.1
    $IPTABLES -A Cid3223X3394.1  -d 138.4.37.10   -j RULE_13
    $IPTABLES -A Cid3223X3394.1  -d 138.4.37.11   -j RULE_13
    $IPTABLES -A RULE_13  -j LOG  --log-level info --log-prefix "RULE 13 -- ACCEPT "
    $IPTABLES -A RULE_13  -j ACCEPT
    # 
    # Rule 14 (global)
    # 
    echo "Rule 14 (global)"
    # 
    # Protocol 47 (GRE) to the two hosts, paired with rule 13.
    $IPTABLES -N Cid6619X3394.0
    $IPTABLES -A OUTPUT -p 47  -j Cid6619X3394.0
    $IPTABLES -A Cid6619X3394.0  -d 138.4.37.10   -j ACCEPT
    $IPTABLES -A Cid6619X3394.0  -d 138.4.37.11   -j ACCEPT
    $IPTABLES -N Cid6619X3394.1
    $IPTABLES -A FORWARD -p 47  -j Cid6619X3394.1
    $IPTABLES -A Cid6619X3394.1  -d 138.4.37.10   -j ACCEPT
    $IPTABLES -A Cid6619X3394.1  -d 138.4.37.11   -j ACCEPT
    # 
    # Rule 15 (global)
    # 
    echo "Rule 15 (global)"
    # 
    $IPTABLES -A OUTPUT -p tcp -m tcp  -m multiport  -d 138.4.37.12   --dports 143,993,995,25,465  -m conntrack --ctstate NEW  -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp  -m multiport  -d 138.4.37.12   --dports 143,993,995,25,465  -m conntrack --ctstate NEW  -j ACCEPT
    # 
    # Rule 16 (global)
    # 
    echo "Rule 16 (global)"
    # 
    $IPTABLES -N Cid3241X3394.0
    $IPTABLES -A OUTPUT -p tcp -m tcp  --dport 22  -m conntrack --ctstate NEW  -j Cid3241X3394.0
    $IPTABLES -N RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 138.4.37.10   -j RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 138.4.37.11   -j RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 138.4.37.12   -j RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 138.4.37.38   -j RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 138.4.37.39   -j RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 138.4.37.56   -j RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 138.4.37.57   -j RULE_16
    $IPTABLES -A Cid3241X3394.0  -d 192.168.37.12   -j RULE_16
    $IPTABLES -N Cid3241X3394.1
    $IPTABLES -A FORWARD -p tcp -m tcp  --dport 22  -m conntrack --ctstate NEW  -j Cid3241X3394.1
    $IPTABLES -A Cid3241X3394.1  -d 138.4.37.10   -j RULE_16
    $IPTABLES -A Cid3241X3394.1  -d 138.4.37.11   -j RULE_16
    $IPTABLES -A Cid3241X3394.1  -d 138.4.37.12   -j RULE_16
    $IPTABLES -A Cid3241X3394.1  -d 138.4.37.38   -j RULE_16
    $IPTABLES -A Cid3241X3394.1  -d 138.4.37.39   -j RULE_16
    $IPTABLES -A Cid3241X3394.1  -d 138.4.37.56   -j RULE_16
    $IPTABLES -A Cid3241X3394.1  -d 138.4.37.57   -j RULE_16
    $IPTABLES -A Cid3241X3394.1  -d 192.168.37.12   -j RULE_16
    $IPTABLES -A RULE_16  -j LOG  --log-level info --log-prefix "RULE 16 -- ACCEPT "
    $IPTABLES -A RULE_16  -j ACCEPT
    # 
    # Rule 17 (global)
    # 
    echo "Rule 17 (global)"
    # 
    $IPTABLES -N Cid3880X3394.0
    $IPTABLES -A OUTPUT -p tcp -m tcp  --dport 53  -m conntrack --ctstate NEW  -j Cid3880X3394.0
    $IPTABLES -A OUTPUT -p udp -m udp  --dport 53  -m conntrack --ctstate NEW  -j Cid3880X3394.0
    $IPTABLES -A Cid3880X3394.0  -d 138.4.37.12   -j ACCEPT
    $IPTABLES -A Cid3880X3394.0  -d 192.168.37.12   -j ACCEPT
    $IPTABLES -N Cid3880X3394.1
    $IPTABLES -A FORWARD -p tcp -m tcp  --dport 53  -m conntrack --ctstate NEW  -j Cid3880X3394.1
    $IPTABLES -A FORWARD -p udp -m udp  --dport 53  -m conntrack --ctstate NEW  -j Cid3880X3394.1
    $IPTABLES -A Cid3880X3394.1  -d 138.4.37.12   -j ACCEPT
    $IPTABLES -A Cid3880X3394.1  -d 192.168.37.12   -j ACCEPT
    # 
    # Rule 18 (global)
    # 
    echo "Rule 18 (global)"
    # 
    $IPTABLES -N Cid5198X3394.0
    $IPTABLES -A OUTPUT -p tcp -m tcp  --dport 443  -m conntrack --ctstate NEW  -j Cid5198X3394.0
    $IPTABLES -A Cid5198X3394.0  -d 138.4.37.12   -j ACCEPT
    $IPTABLES -A Cid5198X3394.0  -d 192.168.37.12   -j ACCEPT
    $IPTABLES -N Cid5198X3394.1
    $IPTABLES -A FORWARD -p tcp -m tcp  --dport 443  -m conntrack --ctstate NEW  -j Cid5198X3394.1
    $IPTABLES -A Cid5198X3394.1  -d 138.4.37.12   -j ACCEPT
    $IPTABLES -A Cid5198X3394.1  -d 192.168.37.12   -j ACCEPT
    # 
    # Rule 19 (global)
    # 
    echo "Rule 19 (global)"
    # 
    $IPTABLES -N RULE_19
    $IPTABLES -A OUTPUT -p tcp -m tcp  -m multiport  -d 138.4.37.38   --dports 80,443  -m conntrack --ctstate NEW  -j RULE_19
    $IPTABLES -A FORWARD -p tcp -m tcp  -m multiport  -d 138.4.37.38   --dports 80,443  -m conntrack --ctstate NEW  -j RULE_19
    $IPTABLES -A RULE_19  -j LOG  --log-level info --log-prefix "RULE 19 -- ACCEPT "
    $IPTABLES -A RULE_19  -j ACCEPT
    # 
    # Rule 20 (global)
    # 
    echo "Rule 20 (global)"
    # 
    $IPTABLES -A OUTPUT -p tcp -m tcp  -d 138.4.37.0/26   --dport 1024:65535  -m conntrack --ctstate NEW  -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m tcp  -d 138.4.37.0/26   --dport 1024:65535  -m conntrack --ctstate NEW  -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -m tcp  -d 138.4.37.0/26   --dport 1024:65535  -m conntrack --ctstate NEW  -j ACCEPT
    # 
    # Rule 21 (global)
    # 
    echo "Rule 21 (global)"
    # 
    # Catch-all: log and drop whatever no earlier rule accepted.
    $IPTABLES -N RULE_21
    $IPTABLES -A OUTPUT  -j RULE_21
    $IPTABLES -A INPUT  -j RULE_21
    $IPTABLES -A FORWARD  -j RULE_21
    $IPTABLES -A RULE_21  -j LOG  --log-level info --log-prefix "RULE 21 -- DENY "
    $IPTABLES -A RULE_21  -j DROP








    # ============== ROUTING RULES ============== 

    # Scratch directory for the captured output and the saved routes.
    # Preferred: mktemp -d. Fallback: a fixed name under /tmp created with
    # umask 077; mkdir fails (and the script exits) if the name already exists.
    HAVE_MKTEMP=$(which mktemp)

    test -n "$HAVE_MKTEMP" && {
      TMPDIRNAME=$(mktemp -d)
      test -z "$TMPDIRNAME" && exit 1
    }

    test -z "$HAVE_MKTEMP" && {
      TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$"
      (umask 077 && mkdir $TMPDIRNAME) || exit 1
    }

    TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
    OLD_ROUTES="$TMPDIRNAME/.old_routes"

    #
    # This function stops stdout redirection
    # and sends previously saved output to terminal
    # (fd 3 is the original stdout saved below; the scratch dir is removed).
    restore_script_output()
    {
      exec 1>&3 2>&1
      cat $TMPFILENAME
      rm -rf $TMPDIRNAME
    }

    # if any routing rule fails we do our best to prevent freezing the firewall
    # $1 is the label of the failed rule. Every current route (kernel routes
    # included) is deleted and the snapshot in $OLD_ROUTES is replayed.
    route_command_error()
    {
      echo "Error: Routing rule $1 couldn't be activated"
      echo "Recovering previous routing configuration..."
      # delete current routing rules
      $IP route show | while read route ; do $IP route del $route ; done
      # restore old routing rules
      sh $OLD_ROUTES
      echo "...done"
      restore_script_output
      epilog_commands
      exit 1
    }

    # redirect output to prevent ssh session from stalling
    exec 3>&1
    exec 1> $TMPFILENAME
    exec 2>&1

    # store previous routing configuration (sort: 'via' GW has to be
    # inserted after device routes)

    # $OLD_ROUTES becomes a shell script of "ip route add ..." lines.
    $IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES

    echo "Deleting routing rules previously set by user space processes..."
    $IP route show | grep -v 'proto kernel' | \
        while read route ; do $IP route del $route ; done
        
    echo "Activating non-ecmp routing rules..."
    # 
    # Rule 0 (main)
    # 
    echo "Routing rule 0 (main)"
    # 
    # 
    # 
    $IP route add default via 138.4.47.1 \
    || route_command_error "0 (main)"


    restore_script_output
    echo "...done."
}

# No IP forwarding sysctl was generated for this firewall; intentionally empty.
ip_forward() {
    return 0
}

# Flush the IPv4 rule set (policies end up as DROP). IPv6 is not touched:
# reset_iptables_v6 exists but is not called here.
reset_all() {
    reset_iptables_v4
}

# "block": flush everything and leave the DROP policies that
# reset_iptables_v4 installs, so no traffic passes at all.
block_action() {
    reset_all
}

# "stop": flush everything, then open the default policies — after this the
# host filters nothing at all.
stop_action() {
    reset_all
    $IPTABLES -P OUTPUT  ACCEPT
    $IPTABLES -P INPUT   ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# Inspect a /proc/net/*_tables_names file ($1).
# Returns 151 if it does not exist (modules not loaded), 152 if it names no
# table (nothing configured), 0 otherwise.
check_iptables() {
    IP_TABLES="$1"
    if [ ! -e "$IP_TABLES" ]; then
        return 151
    fi
    NF_TABLES=$(cat "$IP_TABLES" 2>/dev/null)
    if [ -z "$NF_TABLES" ]; then
        return 152
    fi
    return 0
}
# "status": return 0 when either the IPv4 or the IPv6 table list is
# non-empty; otherwise explain why and exit 3 (presumably the LSB
# "not running" status — confirm).
status_action() {
    check_iptables "/proc/net/ip_tables_names"
    ret_ipv4=$?
    check_iptables "/proc/net/ip6_tables_names"
    ret_ipv6=$?
    if [ "$ret_ipv4" -eq 0 ] || [ "$ret_ipv6" -eq 0 ]; then
        return 0
    fi
    if [ "$ret_ipv4" -eq 151 ] || [ "$ret_ipv6" -eq 151 ]; then
        echo "iptables modules are not loaded"
    fi
    if [ "$ret_ipv4" -eq 152 ] || [ "$ret_ipv6" -eq 152 ]; then
        echo "Firewall is not configured"
    fi
    exit 3
}

# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=${1:-start}

case "$cmd" in
    start)
        log "Activating firewall script generated Tue Jan  7 20:27:43 2020 by jambrina"
        check_tools
        check_run_time_address_table_files
        load_modules "nat "
        configure_interfaces
        verify_interfaces
        prolog_commands
        # reset_all installs DROP policies and flushes every table before
        # script_body loads the new rules, so the box is closed, not open,
        # while the rule set is being rebuilt.
        reset_all
        script_body
        ip_forward
        epilog_commands
        RETVAL=$?
        ;;

    stop)
        stop_action
        RETVAL=$?
        ;;

    status)
        status_action
        RETVAL=$?
        ;;

    block)
        block_action
        RETVAL=$?
        ;;

    reload)
        # Re-executes this script twice; between the two runs the policies
        # are ACCEPT with no rules loaded (see stop_action).
        $0 stop
        $0 start
        RETVAL=$?
        ;;

    interfaces)
        configure_interfaces
        RETVAL=$?
        ;;

    test_interfaces)
        # Print the ip(8) commands instead of running them.
        FWBDEBUG="echo"
        configure_interfaces
        RETVAL=$?
        ;;

    *)
        # RETVAL stays unset here, so the exit below reports the status of
        # the last command (the echo).
        echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
        ;;

esac

exit $RETVAL

