[pkg-netfilter-team] Bug#951256: iptables fails to update rules from fwbuilder
José L Fernández Jambrina
j.fdez.jambrina at gr.ssr.upm.es
Thu Feb 13 12:18:52 GMT 2020
Package: iptables
Version: 1.8.3-2
Severity: important
Dear maintainer,
This the Router.fw (renamed to Router_bad.fw) fwbuilder generate in
my system.
I found a workaround: I put the command "nft flush ruleset" in the
prolog section. I defined it in the User|Router|Editor|Firewalls
Settings|Prolog/Epilog section of my router, and I have to recognize I
commented out to generate in the file I send, so you can uncomment it to
verify it works.
Thanks very much
El 10/12/19 a las 14:32, José L. Fernández Jambrina escribió:
> Package: iptables
> Version: 1.8.3-2
> Severity: important
>
> Dear Maintainer,
>
> After upgrading to buster from strech, the iptables defined in
> fwbuilder don't works when changed:
> iall I get is a message "iptables: Chain already exists" for each rule
> and they don't work.
>
> Moreover as I removed network-manager package my system start withour
> rules (maybe with default rules) an this moment the script generated
> by fwbuilder runs without warnning and rules are applied. Afterwards,
> if I tried to aplly diferent rules, I get the warnning messages and
> the rules don't work.
>
> At first my system was running the stable version of iptables,
> 1.8.2-4, so I move to the testing version, 1.8.3-2, without changes.
>
> Thanks in advance,
>
>
> -- System Information:
> Debian Release: 10.2
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
> Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8),
> LANGUAGE=es_ES.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages iptables depends on:
> ii libc6 2.28-10
> ii libip4tc2 1.8.3-2
> ii libip6tc2 1.8.3-2
> ii libiptc0 1.8.3-2
> ii libmnl0 1.0.4-2
> ii libnetfilter-conntrack3 1.0.7-1
> ii libnfnetlink0 1.0.1-3+b1
> ii libnftnl11 1.1.5-1
> ii libxtables12 1.8.3-2
>
> Versions of packages iptables recommends:
> ii nftables 0.9.0-2
>
> Versions of packages iptables suggests:
> ii kmod 26-1
>
> -- no debconf information
-------------- next part --------------
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.3.7
#
# Generated Tue Jan 7 20:27:43 2020 CET by jambrina
#
# files: * Router.fw /home/jambrina/fw/Router.fw
#
# Compiled for iptables 1.4.4
#
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
getaddr_internal() {
dev=$1
name=$2
af=$3
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
diff_intf() {
func=$1
list1=$2
list2=$3
cmd=$4
for intf in $list1
do
echo $list2 | grep -q $intf || {
# $vlan is absent in list 2
$func $intf $cmd
}
done
}
find_program() {
PGM=$1
which $PGM >/dev/null 2>&1 || {
echo "\"$PGM\" not found"
exit 1
}
}
check_tools() {
find_program which
find_program $IPTABLES
find_program $IP
}
reset_iptables_v4() {
local list
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
while read table; do
list=$($IPTABLES -t $table -L -n)
printf "%s" "$list" | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done < /proc/net/ip_tables_names
}
reset_iptables_v6() {
local list
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
while read table; do
list=$($IP6TABLES -t $table -L -n)
printf "%s" "$list" | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done < /proc/net/ip6_tables_names
}
P2P_INTERFACE_WARNING=""
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
$IP addr show dev $interface | grep -q POINTOPOINT && {
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
P2P_INTERFACE_WARNING="yes"
return
}
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
echo $addr | grep -q ':' && {
$FWBDEBUG $IP addr $cmd $addr dev $interface
} || {
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
}
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
}
$FWBDEBUG $IP link set $interface up
}
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
$IP addr ls dev $interface | \
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IP link show dev $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
clear_addresses_except_known_interfaces() {
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
while read intf; do
echo "# Removing addresses not configured in fwbuilder from interface $intf"
$FWBDEBUG $IP addr flush dev $intf scope global
$FWBDEBUG $IP link set $intf down
done
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by address table object $1"
exit 1
}
}
check_run_time_address_table_files() {
:
check_file "Black_List" "/home/jambrina/fw/BlackList.AddressTable"
}
load_modules() {
:
}
verify_interfaces() {
:
echo "Verifying interfaces: eno2 xenbr0"
for i in eno2 xenbr0 ; do
$IP link show "$i" > /dev/null 2>&1 || {
log "Interface $i does not exist"
exit 1
}
done
}
prolog_commands() {
echo "Running prolog script"
# Just to reset the firewall with nftables
#nft flush ruleset
}
epilog_commands() {
echo "Running epilog script"
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
:
# Configure interfaces
}
script_body() {
# ================ IPv4
# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ================ Table 'nat', rule set NAT
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
$IPTABLES -t nat -A POSTROUTING -o eno2 -s 192.168.37.0/24 -j SNAT --to-source 138.4.47.43
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type any -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
$IPTABLES -N RULE_1
grep -Ev '^#|^;|^\s*$' /home/jambrina/fw/BlackList.AddressTable | while read L ; do
set $L; at_Black_List=$1; $IPTABLES -A INPUT -s $at_Black_List -j RULE_1
done
grep -Ev '^#|^;|^\s*$' /home/jambrina/fw/BlackList.AddressTable | while read L ; do
set $L; at_Black_List=$1; $IPTABLES -A FORWARD -s $at_Black_List -j RULE_1
done
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A RULE_1 -j DROP
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
$IPTABLES -A INPUT -s 138.4.37.1 -j ACCEPT
$IPTABLES -A INPUT -s 138.4.47.43 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.37.1 -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
$IPTABLES -A OUTPUT -d 138.4.37.1 -j ACCEPT
$IPTABLES -A OUTPUT -d 138.4.47.43 -j ACCEPT
$IPTABLES -A OUTPUT -d 192.168.37.1 -j ACCEPT
$IPTABLES -A INPUT -j ACCEPT
#
# Rule 6 (eno2)
#
echo "Rule 6 (eno2)"
#
$IPTABLES -N In_RULE_6
$IPTABLES -A INPUT -i eno2 -s 138.4.37.0/26 -j In_RULE_6
$IPTABLES -A FORWARD -i eno2 -s 138.4.37.0/26 -j In_RULE_6
$IPTABLES -A In_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
$IPTABLES -A In_RULE_6 -j DROP
#
# Rule 7 (eno2)
#
echo "Rule 7 (eno2)"
#
$IPTABLES -N In_RULE_7
$IPTABLES -A INPUT -i eno2 -s 192.168.37.0/24 -j In_RULE_7
$IPTABLES -A FORWARD -i eno2 -s 192.168.37.0/24 -j In_RULE_7
$IPTABLES -A In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- DENY "
$IPTABLES -A In_RULE_7 -j DROP
#
# Rule 8 (xenbr0)
#
echo "Rule 8 (xenbr0)"
#
$IPTABLES -N Cid5115X13783.0
$IPTABLES -A INPUT -i xenbr0 -j Cid5115X13783.0
$IPTABLES -A FORWARD -i xenbr0 -j Cid5115X13783.0
$IPTABLES -A Cid5115X13783.0 -s 138.4.37.0/26 -j RETURN
$IPTABLES -A Cid5115X13783.0 -s 192.168.37.0/24 -j RETURN
$IPTABLES -N In_RULE_8_3
$IPTABLES -A Cid5115X13783.0 -j In_RULE_8_3
$IPTABLES -A In_RULE_8_3 -j LOG --log-level info --log-prefix "BAD ADDR "
$IPTABLES -A In_RULE_8_3 -j DROP
#
# Rule 9 (global)
#
echo "Rule 9 (global)"
#
$IPTABLES -N Cid3275X21764.1
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 25 -j Cid3275X21764.1
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j Cid3275X21764.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 25 -j Cid3275X21764.1
$IPTABLES -A Cid3275X21764.1 -d 138.4.37.1 -j RETURN
$IPTABLES -A Cid3275X21764.1 -d 138.4.47.43 -j RETURN
$IPTABLES -A Cid3275X21764.1 -d 192.168.37.1 -j RETURN
$IPTABLES -A Cid3275X21764.1 -d 138.4.37.12 -j RETURN
$IPTABLES -A Cid3275X21764.1 -d 138.4.37.56 -j RETURN
$IPTABLES -A Cid3275X21764.1 -d 192.168.37.12 -j RETURN
$IPTABLES -N Cid3275X21764.0
$IPTABLES -A Cid3275X21764.1 -j Cid3275X21764.0
$IPTABLES -A Cid3275X21764.0 -s 138.4.37.1 -j RETURN
$IPTABLES -A Cid3275X21764.0 -s 138.4.47.43 -j RETURN
$IPTABLES -A Cid3275X21764.0 -s 192.168.37.1 -j RETURN
$IPTABLES -A Cid3275X21764.0 -s 138.4.37.12 -j RETURN
$IPTABLES -A Cid3275X21764.0 -s 138.4.37.56 -j RETURN
$IPTABLES -A Cid3275X21764.0 -s 192.168.37.12 -j RETURN
$IPTABLES -N RULE_9_3
$IPTABLES -A Cid3275X21764.0 -j RULE_9_3
$IPTABLES -A RULE_9_3 -j LOG --log-level info --log-prefix "RULE 9 -- DENY "
$IPTABLES -A RULE_9_3 -j DROP
#
# Rule 10 (global)
#
echo "Rule 10 (global)"
#
$IPTABLES -N Cid3404X8722.0
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport --dports 25,465 -m conntrack --ctstate NEW -j Cid3404X8722.0
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 25,465 -m conntrack --ctstate NEW -j Cid3404X8722.0
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 25,465 -m conntrack --ctstate NEW -j Cid3404X8722.0
$IPTABLES -A Cid3404X8722.0 -d 138.4.37.1 -j RETURN
$IPTABLES -A Cid3404X8722.0 -d 138.4.47.43 -j RETURN
$IPTABLES -A Cid3404X8722.0 -d 192.168.37.1 -j RETURN
$IPTABLES -A Cid3404X8722.0 -d 138.4.37.12 -j RETURN
$IPTABLES -A Cid3404X8722.0 -d 138.4.37.56 -j RETURN
$IPTABLES -A Cid3404X8722.0 -d 192.168.37.12 -j RETURN
$IPTABLES -N RULE_10_3
$IPTABLES -A Cid3404X8722.0 -j RULE_10_3
$IPTABLES -A RULE_10_3 -j LOG --log-level info --log-prefix "RULE 10 -- ACCEPT "
$IPTABLES -A RULE_10_3 -j ACCEPT
#
# Rule 11 (global)
#
echo "Rule 11 (global)"
#
$IPTABLES -A INPUT -s 192.168.37.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.37.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.37.0/24 -j ACCEPT
#
# Rule 12 (global)
#
echo "Rule 12 (global)"
#
$IPTABLES -A INPUT -s 138.4.37.0/26 -j ACCEPT
$IPTABLES -A OUTPUT -s 138.4.37.0/26 -j ACCEPT
$IPTABLES -A FORWARD -s 138.4.37.0/26 -j ACCEPT
#
# Rule 13 (global)
#
echo "Rule 13 (global)"
#
$IPTABLES -N Cid3223X3394.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 1723 -m conntrack --ctstate NEW -j Cid3223X3394.0
$IPTABLES -N RULE_13
$IPTABLES -A Cid3223X3394.0 -d 138.4.37.10 -j RULE_13
$IPTABLES -A Cid3223X3394.0 -d 138.4.37.11 -j RULE_13
$IPTABLES -N Cid3223X3394.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 1723 -m conntrack --ctstate NEW -j Cid3223X3394.1
$IPTABLES -A Cid3223X3394.1 -d 138.4.37.10 -j RULE_13
$IPTABLES -A Cid3223X3394.1 -d 138.4.37.11 -j RULE_13
$IPTABLES -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- ACCEPT "
$IPTABLES -A RULE_13 -j ACCEPT
#
# Rule 14 (global)
#
echo "Rule 14 (global)"
#
$IPTABLES -N Cid6619X3394.0
$IPTABLES -A OUTPUT -p 47 -j Cid6619X3394.0
$IPTABLES -A Cid6619X3394.0 -d 138.4.37.10 -j ACCEPT
$IPTABLES -A Cid6619X3394.0 -d 138.4.37.11 -j ACCEPT
$IPTABLES -N Cid6619X3394.1
$IPTABLES -A FORWARD -p 47 -j Cid6619X3394.1
$IPTABLES -A Cid6619X3394.1 -d 138.4.37.10 -j ACCEPT
$IPTABLES -A Cid6619X3394.1 -d 138.4.37.11 -j ACCEPT
#
# Rule 15 (global)
#
echo "Rule 15 (global)"
#
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport -d 138.4.37.12 --dports 143,993,995,25,465 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 138.4.37.12 --dports 143,993,995,25,465 -m conntrack --ctstate NEW -j ACCEPT
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
#
$IPTABLES -N Cid3241X3394.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j Cid3241X3394.0
$IPTABLES -N RULE_16
$IPTABLES -A Cid3241X3394.0 -d 138.4.37.10 -j RULE_16
$IPTABLES -A Cid3241X3394.0 -d 138.4.37.11 -j RULE_16
$IPTABLES -A Cid3241X3394.0 -d 138.4.37.12 -j RULE_16
$IPTABLES -A Cid3241X3394.0 -d 138.4.37.38 -j RULE_16
$IPTABLES -A Cid3241X3394.0 -d 138.4.37.39 -j RULE_16
$IPTABLES -A Cid3241X3394.0 -d 138.4.37.56 -j RULE_16
$IPTABLES -A Cid3241X3394.0 -d 138.4.37.57 -j RULE_16
$IPTABLES -A Cid3241X3394.0 -d 192.168.37.12 -j RULE_16
$IPTABLES -N Cid3241X3394.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j Cid3241X3394.1
$IPTABLES -A Cid3241X3394.1 -d 138.4.37.10 -j RULE_16
$IPTABLES -A Cid3241X3394.1 -d 138.4.37.11 -j RULE_16
$IPTABLES -A Cid3241X3394.1 -d 138.4.37.12 -j RULE_16
$IPTABLES -A Cid3241X3394.1 -d 138.4.37.38 -j RULE_16
$IPTABLES -A Cid3241X3394.1 -d 138.4.37.39 -j RULE_16
$IPTABLES -A Cid3241X3394.1 -d 138.4.37.56 -j RULE_16
$IPTABLES -A Cid3241X3394.1 -d 138.4.37.57 -j RULE_16
$IPTABLES -A Cid3241X3394.1 -d 192.168.37.12 -j RULE_16
$IPTABLES -A RULE_16 -j LOG --log-level info --log-prefix "RULE 16 -- ACCEPT "
$IPTABLES -A RULE_16 -j ACCEPT
#
# Rule 17 (global)
#
echo "Rule 17 (global)"
#
$IPTABLES -N Cid3880X3394.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j Cid3880X3394.0
$IPTABLES -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j Cid3880X3394.0
$IPTABLES -A Cid3880X3394.0 -d 138.4.37.12 -j ACCEPT
$IPTABLES -A Cid3880X3394.0 -d 192.168.37.12 -j ACCEPT
$IPTABLES -N Cid3880X3394.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j Cid3880X3394.1
$IPTABLES -A FORWARD -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j Cid3880X3394.1
$IPTABLES -A Cid3880X3394.1 -d 138.4.37.12 -j ACCEPT
$IPTABLES -A Cid3880X3394.1 -d 192.168.37.12 -j ACCEPT
#
# Rule 18 (global)
#
echo "Rule 18 (global)"
#
$IPTABLES -N Cid5198X3394.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j Cid5198X3394.0
$IPTABLES -A Cid5198X3394.0 -d 138.4.37.12 -j ACCEPT
$IPTABLES -A Cid5198X3394.0 -d 192.168.37.12 -j ACCEPT
$IPTABLES -N Cid5198X3394.1
$IPTABLES -A FORWARD -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j Cid5198X3394.1
$IPTABLES -A Cid5198X3394.1 -d 138.4.37.12 -j ACCEPT
$IPTABLES -A Cid5198X3394.1 -d 192.168.37.12 -j ACCEPT
#
# Rule 19 (global)
#
echo "Rule 19 (global)"
#
$IPTABLES -N RULE_19
$IPTABLES -A OUTPUT -p tcp -m tcp -m multiport -d 138.4.37.38 --dports 80,443 -m conntrack --ctstate NEW -j RULE_19
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport -d 138.4.37.38 --dports 80,443 -m conntrack --ctstate NEW -j RULE_19
$IPTABLES -A RULE_19 -j LOG --log-level info --log-prefix "RULE 19 -- ACCEPT "
$IPTABLES -A RULE_19 -j ACCEPT
#
# Rule 20 (global)
#
echo "Rule 20 (global)"
#
$IPTABLES -A OUTPUT -p tcp -m tcp -d 138.4.37.0/26 --dport 1024:65535 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -d 138.4.37.0/26 --dport 1024:65535 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp -d 138.4.37.0/26 --dport 1024:65535 -m conntrack --ctstate NEW -j ACCEPT
#
# Rule 21 (global)
#
echo "Rule 21 (global)"
#
$IPTABLES -N RULE_21
$IPTABLES -A OUTPUT -j RULE_21
$IPTABLES -A INPUT -j RULE_21
$IPTABLES -A FORWARD -j RULE_21
$IPTABLES -A RULE_21 -j LOG --log-level info --log-prefix "RULE 21 -- DENY "
$IPTABLES -A RULE_21 -j DROP
# ============== ROUTING RULES ==============
HAVE_MKTEMP=$(which mktemp)
test -n "$HAVE_MKTEMP" && {
TMPDIRNAME=$(mktemp -d)
test -z "$TMPDIRNAME" && exit 1
}
test -z "$HAVE_MKTEMP" && {
TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$"
(umask 077 && mkdir $TMPDIRNAME) || exit 1
}
TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
OLD_ROUTES="$TMPDIRNAME/.old_routes"
#
# This function stops stdout redirection
# and sends previously saved output to terminal
restore_script_output()
{
exec 1>&3 2>&1
cat $TMPFILENAME
rm -rf $TMPDIRNAME
}
# if any routing rule fails we do our best to prevent freezing the firewall
route_command_error()
{
echo "Error: Routing rule $1 couldn't be activated"
echo "Recovering previous routing configuration..."
# delete current routing rules
$IP route show | while read route ; do $IP route del $route ; done
# restore old routing rules
sh $OLD_ROUTES
echo "...done"
restore_script_output
epilog_commands
exit 1
}
# redirect output to prevent ssh session from stalling
exec 3>&1
exec 1> $TMPFILENAME
exec 2>&1
# store previous routing configuration (sort: 'via' GW has to be
# inserted after device routes)
$IP route show | sort -k 2 | awk '{printf "ip route add %s\n",$0;}' > $OLD_ROUTES
echo "Deleting routing rules previously set by user space processes..."
$IP route show | grep -v 'proto kernel' | \
while read route ; do $IP route del $route ; done
echo "Activating non-ecmp routing rules..."
#
# Rule 0 (main)
#
echo "Routing rule 0 (main)"
#
#
#
$IP route add default via 138.4.47.1 \
|| route_command_error "0 (main)"
restore_script_output
echo "...done."
}
ip_forward() {
:
}
reset_all() {
:
reset_iptables_v4
}
block_action() {
reset_all
}
stop_action() {
reset_all
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}
check_iptables() {
IP_TABLES="$1"
[ ! -e $IP_TABLES ] && return 151
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
[ -z "$NF_TABLES" ] && return 152
return 0
}
status_action() {
check_iptables "/proc/net/ip_tables_names"
ret_ipv4=$?
check_iptables "/proc/net/ip6_tables_names"
ret_ipv6=$?
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
echo "iptables modules are not loaded"
}
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
echo "Firewall is not configured"
}
exit 3
}
# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
cmd="start"
}
case "$cmd" in
start)
log "Activating firewall script generated Tue Jan 7 20:27:43 2020 by jambrina"
check_tools
check_run_time_address_table_files
load_modules "nat "
configure_interfaces
verify_interfaces
prolog_commands
reset_all
script_body
ip_forward
epilog_commands
RETVAL=$?
;;
stop)
stop_action
RETVAL=$?
;;
status)
status_action
RETVAL=$?
;;
block)
block_action
RETVAL=$?
;;
reload)
$0 stop
$0 start
RETVAL=$?
;;
interfaces)
configure_interfaces
RETVAL=$?
;;
test_interfaces)
FWBDEBUG="echo"
configure_interfaces
RETVAL=$?
;;
*)
echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
;;
esac
exit $RETVAL
More information about the pkg-netfilter-team
mailing list