###############################################################################
# IPFire.org - A linux based firewall #
# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
###############################################################################
# Staging file that is later fed to iptables-restore. Rules are first written
# to one fragment per table ("${IPTABLES_FILE}-<table>") and concatenated into
# this file by iptables_commit.
# NOTE(review): there is no guard or default for TMPDIR — if it is unset or
# empty this resolves to "/iptables". Consider "${TMPDIR:?TMPDIR must be set}"
# and make sure TMPDIR points at a private (mktemp -d style) directory.
IPTABLES_FILE=$TMPDIR/iptables
# Option-parsing loop of the rule-building wrapper (presumably the iptables()
# function that the rest of this file calls — TODO confirm; its header and the
# remaining option branches are not among these lines).
while [ $# -gt 0 ]; do
	# Collect "-A <CHAIN>" into ${args}. uppercase is a helper defined elsewhere.
	# NOTE(review): ${1} is passed to uppercase unquoted, so a value with
	# whitespace or glob characters is split/expanded before it is uppercased.
	args="${args} -A $(uppercase ${1})"
# Drop the leading space that the first append introduced and queue the rule
# text in the per-table staging file; nothing is passed to the iptables binary
# at this point.
# NOTE(review): ${IPTABLES_FILE}-${table} is unquoted — quote it to survive a
# TMPDIR containing whitespace.
echo "${args:1:${#args}}" >> ${IPTABLES_FILE}-${table}
#######################################
# Re-declare the three built-in filter chains with policy ACCEPT in the
# staging file. Despite the name this does not run "iptables -F"; the reset
# only takes effect once the staged file is loaded by iptables_commit.
# Globals:   writes to the staging file via chain_create
# Arguments: none
#######################################
function iptables_flush() {
	decho "Flushing iptables"
	# No -t is given, so whichever table chain_create falls back to is used
	# (presumably filter — confirm in chain_create).
	# NOTE(review): this is the permissive counterpart of iptables_init, which
	# declares the same chains with policy DROP — the host is open after a flush.
	chain_create INPUT ACCEPT
	chain_create OUTPUT ACCEPT
	chain_create FORWARD ACCEPT
#######################################
# Stage the table headers and the built-in chain declarations with their
# default policies: filter chains are closed (DROP), mangle and nat chains
# are ACCEPT.
# Globals:   writes to the staging file via the iptables wrapper / chain_create
# Arguments: none
#######################################
function iptables_init() {
	# Default-deny on the filter table; everything allowed must be added explicitly.
	chain_create -t filter INPUT DROP
	chain_create -t filter OUTPUT DROP
	chain_create -t filter FORWARD DROP

	# "* <table>" is the iptables-restore table header.
	# NOTE(review): the corresponding "* filter" header is not among these
	# lines — verify it is emitted before the filter chain declarations above.
	iptables -t mangle "* mangle"
	chain_create -t mangle PREROUTING ACCEPT
	chain_create -t mangle INPUT ACCEPT
	chain_create -t mangle OUTPUT ACCEPT
	chain_create -t mangle FORWARD ACCEPT
	chain_create -t mangle POSTROUTING ACCEPT

	iptables -t nat "* nat"
	chain_create -t nat PREROUTING ACCEPT
	chain_create -t nat OUTPUT ACCEPT
	chain_create -t nat POSTROUTING ACCEPT
#######################################
# Terminate every staged table with COMMIT, concatenate the per-table
# fragments into IPTABLES_FILE and load the result with iptables-restore.
# Globals:   IPTABLES_FILE (read), counter (line number of the debug dump;
#            its initialisation is not among these lines)
# Arguments: none
#######################################
function iptables_commit() {
	vecho "Committing firewall configuration."
	iptables -t filter "COMMIT"
	iptables -t mangle "COMMIT"
	iptables -t nat "COMMIT"

	# Assemble in table order; a table that never received a rule has no
	# fragment file and is skipped.
	# NOTE(review): both paths are unquoted; quote them.
	for table in filter mangle nat; do
		[ -e ${IPTABLES_FILE}-${table} ] || continue
		cat ${IPTABLES_FILE}-${table} >> $IPTABLES_FILE
	decho "Dumping iptables output"
	# Numbered dump of the assembled file for debugging.
	# NOTE(review): the while loop runs in a pipeline subshell, so the
	# increments of counter are lost after the loop ("while ...; done < file"
	# keeps them). "read" without -r also strips backslashes from the displayed
	# lines; this only affects the dump, not what iptables-restore reads.
	cat $IPTABLES_FILE | while read LINE; do
		printf "%4d | %s\n" "$counter" "$LINE"
		counter=$(( $counter + 1 ))
	# Feed the assembled file to iptables-restore; -v is added only when the
	# debug helper reports debugging is on.
	# NOTE(review): the file is loaded verbatim — any rule text carrying an
	# unescaped quote or newline (e.g. a user-supplied log prefix) becomes
	# extra restore input rather than data, so such values must be sanitised
	# where they are accepted.
	iptables-restore $(debug && echo "-v") < $IPTABLES_FILE
#######################################
# Stage a chain declaration in iptables-restore syntax:
#   :<chain> <policy> [0:0]
# Arguments: [-t <table>] <chain> [<policy>]
#            The policy defaults to "-", the value iptables-restore expects for
#            user-defined chains, which carry no policy.
#######################################
function chain_create() {
	# An optional leading "-t <table>" selects the table (that handling, and
	# the fallback table used when -t is absent, are not among these lines).
	if [ "${1}" = "-t" ]; then
	# ${2--} expands to "-" when no policy argument was given; [0:0] resets
	# the packet/byte counters.
	iptables ${args} ":$1 ${2--} [0:0]"
#######################################
# Print the logging target options for a rule: LOG-style options when
# LOG_FACILITY is "syslog", NFLOG-style options otherwise.
# Globals:   LOG_FACILITY (read), prefix (read; where it is set is not among
#            these lines)
# Arguments: none
# Outputs:   the target options on stdout, no trailing newline
#######################################
function iptables_LOG() {
	if [ "$LOG_FACILITY" = "syslog" ]; then
		# NOTE(review): $prefix is spliced into the rule text between literal
		# double quotes. A prefix containing a double quote, backslash or newline
		# is not logged as-is but breaks the iptables-restore line, so the value
		# must be validated (or the quote characters rejected) before it gets
		# here. The kernel also limits --log-prefix to 29 characters.
		[ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
		# NFLOG branch (the else keyword sits between these lines): same quoting
		# caveat applies to --nflog-prefix.
		[ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
		echo -n " --nflog-threshold 30"
#######################################
# Protocol-specific handling for the current rule, keyed on PROTO.
# Globals:   PROTO (read)
# Arguments: none
#######################################
function iptables_protocol() {
	# Only tcp, udp, esp and ah are recognised; what is emitted on a match is
	# not among these lines (presumably a "-p" match — TODO confirm).
	for proto in tcp udp esp ah; do
		if [ "$PROTO" = "$proto" ]; then
# Predicate consulted by _iptables_port; when it succeeds the port argument is
# classified as IPTABLES_PORTRANGE. (Body not among these lines.)
function _iptables_port_range() {
# Predicate consulted by _iptables_port; when it succeeds the port argument is
# classified as IPTABLES_MULTIPORT. (Body not among these lines.)
function _iptables_port_multiport() {
#######################################
# Classify a port specification.
# Globals:   IPTABLES_PORTRANGE, IPTABLES_MULTIPORT (read)
# Arguments: the port specification, passed through to the predicates
# Outputs:   $IPTABLES_PORTRANGE if _iptables_port_range accepts the argument,
#            $IPTABLES_MULTIPORT if _iptables_port_multiport does; the
#            remaining branch is not among these lines
#######################################
function _iptables_port() {
	if _iptables_port_range "$@"; then
		echo $IPTABLES_PORTRANGE
	elif _iptables_port_multiport "$@"; then
		echo $IPTABLES_MULTIPORT
#######################################
# Print the source-port match for the given port specification; prints
# nothing when called without arguments.
# Globals:   IPTABLES_MULTIPORT (read)
# Arguments: the port specification
# Outputs:   "-m multiport --source-ports <spec>" for a multiport spec (the
#            other branch is not among these lines)
#######################################
function iptables_source_port() {
	# NOTE(review): [ -z "$@" ] makes test see one word per argument, so with
	# two or more arguments it fails with an error instead of testing;
	# [ $# -eq 0 ] is the robust form.
	[ -z "$@" ] && return
	# NOTE(review): $@ is unquoted here and inside the echoed match string, so
	# the port arguments are word-split and glob-expanded on their way into the
	# rule text; "$@" would preserve them as given.
	type=$(_iptables_port $@)
	if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
		echo "-m multiport --source-ports $@"
172 function iptables_destination_port() {
173 [ -z "$@
" ] && return
175 type=$(_iptables_port $@)
176 if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
177 echo "-m multiport
--destination-ports $@
"