2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 # This function initializes all kernel parameters that need to be adjusted
23 # to run this firewall properly.
24 firewall_kernel_init
() {
25 log INFO
"Configuring kernel parameters..."
28 # Enable conntrack accounting
29 conntrack_set_accounting
"true"
31 # Adjust max. amount of simultaneous connections
32 conntrack_set_max_connections
"${CONNTRACK_MAX_CONNECTIONS}"
34 # Increase UDP connection timeout (fixes DNS)
35 conntrack_set_udp_timeout
"${CONNTRACK_UDP_TIMEOUT}"
37 # Disable sending redirects
38 log INFO
"Disabling sending redirects"
39 sysctl_set_recursively
"net.ipv6.conf" "send_redirects" 0
40 sysctl_set_recursively
"net.ipv4.conf" "send_redirects" 0
42 # Enable source route protection
43 log INFO
"Enabling source route protection"
44 sysctl_set_recursively
"net.ipv6.conf" "accept_source_route" 0
45 sysctl_set_recursively
"net.ipv4.conf" "accept_source_route" 0
47 # ICMP broadcast protection (smurf amplifier protection)
48 log INFO
"Enabling ICMP broadcast protection (smurf amplifier protection)"
49 sysctl_set
"net.ipv4.icmp_echo_ignore_broadcasts" 1
51 # ICMP Dead Error Message protection
52 log INFO
"Enabling ICMP dead error message protection"
53 sysctl_set
"net.ipv4.icmp_ignore_bogus_error_responses" 0
55 # Enable packet forwarding
56 log INFO
"Enabling packet forwarding"
57 sysctl_set_recursively
"net.ipv6.conf" "forwarding" 1
58 sysctl_set_recursively
"net.ipv4.conf" "forwarding" 1
60 # Setting some kernel performance options
61 log INFO
"Setting some kernel performance options"
62 for option
in window_scaling timestamps sack dsack fack
; do
63 sysctl_set
"net.ipv4.tcp_${option}" 1
65 sysctl_set
"net.ipv4.tcp_low_latency" 0
67 # Reduce DoS ability by reducing timeouts
68 log INFO
"Reducing DoS ability"
69 sysctl_set
"net.ipv4.tcp_fin_timeout" 30
70 sysctl_set
"net.ipv4.tcp_keepalive_time" 1800
72 # Set number of times to retry SYN in a new connection
73 sysctl_set
"net.ipv4.tcp_syn_retries" 3
75 # Set number of times to retry a SYN-ACK in a half-open new connection
76 sysctl_set
"net.ipv4.tcp_synack_retries" 2
78 # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
79 sysctl_set
"net.ipv4.tcp_rfc1337" 1
81 # SYN-flood protection
82 if enabled FIREWALL_SYN_COOKIES
; then
83 log INFO
"Enabling SYN-flood protection via SYN-cookies"
84 sysctl_set_bool
"net.ipv4.tcp_syncookies" 1
86 log INFO
"Disabling SYN-flood protection via SYN-cookies"
87 sysctl_set_bool
"net.ipv4.tcp_syncookies" 0
91 if enabled FIREWALL_RP_FILTER
; then
92 log INFO
"Enabling anti-spoof from non-routable IP addresses"
93 sysctl_set_recursively
"net.ipv4.conf" "rp_filter" 1
95 log INFO
"Disabling anti-spoof from non-routable IP addresses"
96 sysctl_set_recursively
"net.ipv4.conf" "rp_filter" 0
100 if enabled FIREWALL_LOG_MARTIANS
; then
101 log INFO
"Enabling the logging of martians"
102 sysctl_set_recursively
"net.ipv4.conf" "log_martians" 1
104 log INFO
"Disabling the logging of martians"
105 sysctl_set_recursively
"net.ipv4.conf" "log_martians" 0
108 # ICMP redirect messages
109 if enabled FIREWALL_ACCEPT_ICMP_REDIRECTS
; then
110 log INFO
"Enabling accepting ICMP-redirect messages"
111 sysctl_set_recursively
"net.ipv6.conf" "accept_redirects" 1
112 sysctl_set_recursively
"net.ipv4.conf" "accept_redirects" 1
114 log INFO
"Disabling accepting ICMP-redirect messages"
115 sysctl_set_recursively
"net.ipv6.conf" "accept_redirects" 0
116 sysctl_set_recursively
"net.ipv4.conf" "accept_redirects" 0
119 # Explicit Congestion Notification
120 if enabled FIREWALL_USE_ECN
; then
121 log INFO
"Enabling ECN (Explicit Congestion Notification)"
122 sysctl_set
"net.ipv4.tcp_ecn" 1
124 log INFO
"Disabling ECN (Explicit Congestion Notification)"
125 sysctl_set
"net.ipv4.tcp_ecn" 2
128 # Dynamic IP address hacking
129 log INFO
"Enabling kernel support for dynamic IP addresses"
130 sysctl_set
"net.ipv4.ip_dynaddr" 1
132 if enabled FIREWALL_PMTU_DISCOVERY
; then
133 log INFO
"Enabling PMTU discovery"
134 sysctl_set
"net.ipv4.ip_no_pmtu_disc" 0
136 log INFO
"Disabling PMTU discovery"
137 sysctl_set
"net.ipv4.ip_no_pmtu_disc" 1
141 if ipv4_ttl_valid
"${FIREWALL_DEFAULT_TTL}"; then
142 log INFO
"Setting default TTL to ${FIREWALL_DEFAULT_TTL}"
143 sysctl_set
"net.ipv4.ip_default_ttl" "${FIREWALL_DEFAULT_TTL}"
145 log ERROR
"Invalid value for default TTL '${FIREWALL_DEFAULT_TTL}'"
146 log ERROR
" Must be between 10 and 255!"
152 # High-level function which will create a ruleset for the current firewall
153 # configuration and load it into the kernel.
155 local protocol
="${1}"
156 assert isset protocol
162 while [ $# -gt 0 ]; do
168 error
"Unrecognized argument: ${1}"
175 if enabled
test; then
176 log INFO
"Test mode enabled."
177 log INFO
"The firewall ruleset will not be loaded."
180 firewall_lock_acquire
182 # Initialize an empty iptables ruleset.
183 iptables_init
"${protocol}" "DROP"
185 # Add default chains.
186 firewall_filter_rh0_headers
"${protocol}"
187 firewall_filter_icmp
"${protocol}"
188 firewall_filter_invalid_packets
"${protocol}"
189 firewall_custom_chains
"${protocol}"
190 firewall_connection_tracking
"${protocol}"
191 firewall_tcp_clamp_mss
"${protocol}"
193 # Add policies for every zone.
194 firewall_localhost_create_chains
"${protocol}"
197 for zone
in $
(zones_get_all
); do
198 # Create all needed chains for the zone.
199 firewall_zone_create_chains
"${protocol}" "${zone}"
201 # After the chains that are always available have been
202 # created, we will add a custom policy to every single
205 policy_zone_add
"${protocol}" "${zone}"
208 # Load the new ruleset.
210 if enabled testmode
; then
211 list_append args
"--test"
213 iptables_commit
"${protocol}" ${args}
215 firewall_lock_release
219 local protocol
="${1}"
220 assert isset protocol
222 firewall_lock_acquire
224 # Initialize an empty firewall ruleset
225 # with default policy ACCEPT.
226 iptables_init
"${protocol}" ACCEPT
229 ipables_load
"${protocol}"
231 firewall_lock_release
235 local protocol
="${1}"
236 assert isset protocol
238 # Shows the ruleset that is currently loaded.
239 iptables_status
"${protocol}"
245 local protocol
="${1}"
246 assert isset protocol
249 local admin_hosts
="$@"
251 firewall_lock_acquire
"${protocol}"
253 # Drop all communications.
254 iptables_init
"${protocol}" DROP
256 # If an admin host is provided, some administrative
257 # things will be allowed from there.
259 for admin_host
in ${admin_hosts}; do
260 iptables
"${protocol}" -A INPUT
-s "${admin_host}" -j ACCEPT
261 iptables
"${protocol}" -A OUTPUT
-d "${admin_host}" -j ACCEPT
265 iptables_commit
"${protocol}"
267 firewall_lock_release
270 firewall_lock_acquire
() {
271 lock_acquire
${RUN_DIR}/.firewall_lock
273 # Make sure the lock is released after the firewall
274 # script has crashed or exited early.
275 trap firewall_lock_release EXIT TERM KILL
277 # Create a directory where we can put our
278 # temporary data in the most secure way as possible.
279 IPTABLES_TMPDIR
=$
(mktemp
-d)
282 firewall_lock_release
() {
283 if isset IPTABLES_TMPDIR
; then
284 # Remove all temporary data.
285 rm -rf ${IPTABLES_TMPDIR}
287 # Reset the tempdir variable.
292 trap true EXIT TERM KILL
294 lock_release
${RUN_DIR}/.firewall_lock
297 firewall_custom_chains
() {
298 local protocol
="${1}"
299 assert isset protocol
301 log INFO
"Creating CUSTOM* chains..."
303 # These chains are intened to be filled with
304 # rules by the user. They are processed at the very
305 # beginning so it is possible to overwrite everything.
307 iptables_chain_create
"${protocol}" CUSTOMINPUT
308 iptables
"${protocol}" -A INPUT
-j CUSTOMINPUT
310 iptables_chain_create
"${protocol}" CUSTOMFORWARD
311 iptables
"${protocol}" -A FORWARD
-j CUSTOMFORWARD
313 iptables_chain_create
"${protocol}" CUSTOMOUTPUT
314 iptables
"${protocol}" -A OUTPUT
-j CUSTOMOUTPUT
316 iptables_chain_create
"${protocol}" -t nat CUSTOMPREROUTING
317 iptables
"${protocol}" -t nat
-A PREROUTING
-j CUSTOMPREROUTING
319 iptables_chain_create
"${protocol}" -t nat CUSTOMPOSTROUTING
320 iptables
"${protocol}" -t nat
-A POSTROUTING
-j CUSTOMPOSTROUTING
322 iptables_chain_create
"${protocol}" -t nat CUSTOMOUTPUT
323 iptables
"${protocol}" -t nat
-A OUTPUT
-j CUSTOMOUTPUT
326 firewall_filter_invalid_packets
() {
327 local protocol
="${1}"
328 assert isset protocol
330 local log_limit
="-m limit --limit 5/m --limit-burst 10"
333 iptables_chain_create
"${protocol}" FILTER_INVALID
334 iptables
"${protocol}" -A INPUT
-j FILTER_INVALID
335 iptables
"${protocol}" -A OUTPUT
-j FILTER_INVALID
336 iptables
"${protocol}" -A FORWARD
-j FILTER_INVALID
338 # Create a chain where only TCP packets go
339 iptables_chain_create
"${protocol}" FILTER_INVALID_TCP
340 iptables
"${protocol}" -A FILTER_INVALID
-p tcp
-j FILTER_INVALID_TCP
342 # Create a chain where only UDP packets go
343 iptables_chain_create
"${protocol}" FILTER_INVALID_UDP
344 iptables
"${protocol}" -A FILTER_INVALID
-p udp
-j FILTER_INVALID_UDP
346 # Create a chain where only ICMP packets go
347 iptables_chain_create
"${protocol}" FILTER_INVALID_ICMP
348 iptables
"${protocol}" -A FILTER_INVALID
-p icmp
-j FILTER_INVALID_ICMP
351 # Optionally log all port scans
353 if enabled FIREWALL_LOG_STEALTH_SCANS
; then
354 log INFO
"Logging of stealth scans enabled"
356 # NMAP FIN/URG/PSH - XMAS scan
357 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN
,URG
,PSH \
358 "${log_limit}" -j "$(iptables_LOG "Stealth XMAS scan
")"
360 # SYN/RST/ACK/FIN/URG
361 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL SYN
,RST
,ACK
,FIN
,URG \
362 "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-PSH scan
")"
365 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL ALL \
366 "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-ALL scan
")"
369 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN \
370 "${log_limit}" -j "$(iptables_LOG "Stealth FIN scan
")"
373 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,RST SYN
,RST \
374 "${log_limit}" -j "$(iptables_LOG "Stealth SYN
/RST scan
")"
377 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,FIN SYN
,FIN \
378 "${log_limit}" -j "$(iptables_LOG "Stealth SYN
/FIN scan
")"
381 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL NONE \
382 "${log_limit}" -j "$(iptables_LOG "Stealth NULL scan
")"
384 log INFO
"Logging of stealth scans disabled"
391 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN
,URG
,PSH
-j DROP
393 # SYN/RST/ACK/FIN/URG
394 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL SYN
,RST
,ACK
,FIN
,URG
-j DROP
397 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL ALL
-j DROP
400 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN
-j DROP
403 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,RST SYN
,RST
-j DROP
406 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,FIN SYN
,FIN
-j DROP
409 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL NONE
-j DROP
412 # Log packets with bad flags
414 if enabled FIREWALL_LOG_BAD_TCP_FLAGS
; then
415 log INFO
"Logging of packets with bad TCP flags enabled"
418 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 64 \
419 "${log_limit}" -j "$(iptables_LOG "Bad TCP flag
(64)")"
422 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 128 \
423 "${log_limit}" -j "$(iptables_LOG "Bad TCP flag
(128)")"
425 log INFO
"Logging of packets with bad TCP flags disabled"
428 # Drop packets with bad flags
430 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 64 -j DROP
431 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 128 -j DROP
434 # Log invalid packets
436 if enabled FIREWALL_LOG_INVALID_TCP
; then
437 log INFO
"Logging of INVALID TCP packets enabled"
439 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
-m conntrack
--ctstate INVALID \
440 "${log_limit}" -j "$(iptables_LOG "INVALID TCP
")"
442 log INFO
"Logging of INVALID TCP packets disabled"
445 if enabled FIREWALL_LOG_INVALID_UDP
; then
446 log INFO
"Logging of INVALID UDP packets enabled"
448 iptables
"${protocol}" -A FILTER_INVALID_UDP
-p udp
-m conntrack
--ctstate INVALID \
449 "${log_limit}" -j "$(iptables_LOG "INVALID UDP
")"
451 log INFO
"Logging of INVALID UDP packets disabled"
454 if enabled FIREWALL_LOG_INVALID_ICMP
; then
455 log INFO
"Logging of INVALID ICMP packets enabled"
457 iptables
"${protocol}" -A FILTER_INVALID_ICMP
-p icmp
-m conntrack
--ctstate INVALID \
458 "${log_limit}" -j "$(iptables_LOG "INVALID ICMP
")"
460 log INFO
"Logging of INVALID ICMP packets disabled"
463 # Drop all INVALID packets
464 iptables
"${protocol}" -A FILTER_INVALID
-m conntrack
--ctstate INVALID
-j DROP
467 firewall_tcp_clamp_mss
() {
468 # Do nothing if this has been disabled.
469 enabled FIREWALL_CLAMP_PATH_MTU ||
return ${EXIT_OK}
471 local protocol
="${1}"
472 assert isset protocol
474 log DEBUG
"Adding rules to clamp MSS to path MTU..."
476 iptables
"${protocol}" -t mangle
-A FORWARD \
477 -p tcp
--tcp-flags SYN
,RST SYN
-j TCPMSS
--clamp-mss-to-pmtu
480 firewall_connection_tracking
() {
481 local protocol
="${1}"
482 assert isset protocol
484 log INFO
"Creating Connection Tracking chain..."
486 iptables_chain_create
"${protocol}" CONNTRACK
487 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate ESTABLISHED
,RELATED
-j ACCEPT
488 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate INVALID
-j "$(iptables_LOG "INVALID packet
: ")"
489 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate INVALID
-j DROP
491 iptables
"${protocol}" -A INPUT
-j CONNTRACK
492 iptables
"${protocol}" -A OUTPUT
-j CONNTRACK
493 iptables
"${protocol}" -A FORWARD
-j CONNTRACK
496 firewall_localhost_create_chains
() {
497 local protocol
="${1}"
498 assert isset protocol
500 log DEBUG
"Creating firewall chains for localhost..."
502 # Accept everything on lo
503 iptables
"${protocol}" -A INPUT
-i lo
-j ACCEPT
504 iptables
"${protocol}" -A OUTPUT
-o lo
-j ACCEPT
507 firewall_filter_rh0_headers
() {
508 local protocol
="${1}"
509 assert isset protocol
512 [ "${protocol}" = "ipv6" ] ||
return ${EXIT_OK}
514 # Filter all packets that have RH0 headers
515 # http://www.ietf.org/rfc/rfc5095.txt
516 iptables_chain_create
"${protocol}" FILTER_RH0
517 iptables
"${protocol}" -A FILTER_RH0
-m rt
--rt-type 0 -j DROP
519 iptables
"${protocol}" -A INPUT
-j FILTER_RH0
520 iptables
"${protocol}" -A FORWARD
-j FILTER_RH0
521 iptables
"${protocol}" -A OUTPUT
-j FILTER_RH0
524 firewall_filter_icmp
() {
525 local protocol
="${1}"
526 assert isset protocol
529 [ "${protocol}" = "ipv6" ] ||
return ${EXIT_OK}
531 local chain
="FILTER_ICMPV6"
533 # Create an extra chain for handling ICMP packets.
534 iptables_chain_create
"${protocol}" "${chain}_COMMON"
537 for suffix
in INC FWD OUT
; do
538 iptables_chain_create
"${protocol}" "${chain}_${suffix}"
539 iptables
"${protocol}" -A "${chain}_${suffix}" -j "${chain}_COMMON"
541 iptables
"${protocol}" -A INPUT
-p icmpv6
-j "${chain}_INC"
542 iptables
"${protocol}" -A FORWARD
-p icmpv6
-j "${chain}_FWD"
543 iptables
"${protocol}" -A OUTPUT
-p icmpv6
-j "${chain}_OUT"
545 # Packets that must always pass the firewall.
546 # Type 4: Parameter Problem
548 for type in ttl-zero-during-reassembly bad-header
; do
549 iptables
"${protocol}" -A "${chain}_COMMON" \
550 -p icmpv6
--icmpv6-type "${type}" -j ACCEPT
553 # Packets that are accepted if they belong to an existing connection.
554 for type in echo-reply destination-unreachable packet-too-big \
555 unknown-header-type unknown-option
; do
556 iptables
"${protocol}" -A "${chain}_COMMON" \
557 -m conntrack
--ctstate ESTABLISHED
,RELATED \
558 -p icmpv6
--icmpv6-type "${type}" -j ACCEPT
561 # Packets that are always discarded.
562 # Type 100, 101, 200, 201: Private Experimentation
563 for type in 100 101 200 201; do
564 iptables
"${protocol}" -A "${chain}_COMMON" \
565 -p icmpv6
--icmpv6-type "${type}" -j DROP
568 # Discard packets from local networks with hop limit smaller than $hoplimit.
569 # Type 148: Path solicitation
570 # Type 149: Path advertisement
572 for type in {router
,neighbour
}-{advertisement
,solicitation
} 148 149; do
573 iptables
"${protocol}" -A "${chain}_INC" \
574 -p icmpv6
--icmpv6-type "${type}" \
575 -m hl
--hl-lt "${hoplimit}" -j DROP
578 # The firewall is always allowed to send ICMP echo requests.
579 iptables
"${protocol}" -A "${chain}_OUT" \
580 -p icmpv6
--icmpv6-type echo-request
-j ACCEPT
585 firewall_zone_create_chains
() {
586 local protocol
="${1}"
587 assert isset protocol
592 log DEBUG
"Creating firewall chains for zone '${zone}'."
594 local chain_prefix
="ZONE_${zone^^}"
596 # Create filter chains.
597 iptables_chain_create
"${protocol}" "${chain_prefix}_INPUT"
598 iptables
"${protocol}" -A INPUT -i ${zone} -j "${chain_prefix}_INPUT"
600 iptables_chain_create
"${protocol}" "${chain_prefix}_OUTPUT"
601 iptables
"${protocol}" -A OUTPUT -o ${zone} -j "${chain_prefix}_OUTPUT"
604 iptables_chain_create
"${protocol}" "${chain_prefix}_CUSTOM"
606 # Intrusion Prevention System.
607 iptables_chain_create
"${protocol}" "${chain_prefix}_IPS"
609 # Create a chain for each other zone.
610 # This leaves us with n^2 chains. Duh.
612 local other_zone other_chain_prefix
613 for other_zone
in $
(zones_get_all
); do
614 other_chain_prefix
="${chain_prefix}_${other_zone^^}"
615 iptables_chain_create
"${protocol}" "${other_chain_prefix}"
617 # Connect the chain with the FORWARD chain.
618 iptables
"${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \
619 -j "${other_chain_prefix}"
621 # Handle custom rules.
622 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM"
625 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS"
628 iptables_chain_create
"${protocol}" "${other_chain_prefix}_RULES"
629 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES"
632 iptables_chain_create
"${protocol}" "${other_chain_prefix}_POLICY"
633 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY"
636 ## Create mangle chain.
637 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}"
638 #iptables "${protocol}" -t mangle -A PREROUTING -i "${zone}" -j "${chain_prefix}"
639 #iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
641 ## Quality of Service
642 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC"
643 #iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC"
644 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT"
645 #iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT"
648 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}"
649 iptables
"${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}"
650 iptables
"${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
652 # Network Address Translation
653 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_DNAT"
654 iptables
"${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}_DNAT"
655 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_SNAT"
656 iptables
"${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT"
659 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_UPNP"
660 iptables
"${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP"
665 firewall_parse_rules
() {
670 # End if no rule file exists.
671 [ -r "${file}" ] ||
return ${EXIT_OK}
675 local ${FIREWALL_RULES_CONFIG_PARAMS}
677 while read -r line
; do
679 [ -n "${line}" ] ||
continue
681 # Skip commented lines.
682 [ "${line:0:1}" = "#" ] && continue
685 _firewall_parse_rule_line
${line}
686 if [ $?
-ne ${EXIT_OK} ]; then
687 log WARNING
"Skipping invalid line: ${line}"
693 # Source IP address/net.
695 list_append cmd
"-s ${src}"
698 # Destination IP address/net.
700 list_append cmd
"-d ${dst}"
705 list_append cmd
"-p ${proto}"
707 if list_match
${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then
709 list_append cmd
"--sport ${sport}"
713 list_append cmd
"--dport ${dport}"
718 # Always append the action.
719 list_append cmd
"-j ${action}"
726 _firewall_parse_rule_line
() {
730 for arg
in ${FIREWALL_RULES_CONFIG_PARAMS}; do
735 while read -r arg
; do
736 key
=$
(cli_get_key
${arg})
738 if ! list_match
"${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then
739 log WARNING
"Unrecognized argument: ${arg}"
743 val
=$
(cli_get_val
${arg})
744 assign
"${key}" "${val}"
745 done <<< "$(args $@)"
747 # action must always be set.
748 if ! isset action
; then
749 log WARNING
"'action' is not set: $@"
753 for arg
in src dst
; do
754 isset
${arg} ||
continue
756 # Check for valid IP addresses.
757 if ! ip_is_valid
${!arg}; then
758 log WARNING
"Invalid IP address for '${arg}=${!arg}': $@"
767 if ! list_match
"${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then
768 log WARNING
"Unsupported protocol type 'proto=${proto}': $@"
773 for arg
in sport dport
; do
774 isset
${arg} ||
continue
776 # Check if port is valid.
777 if ! isinteger
${arg}; then
778 log WARNING
"Invalid port '${arg}=${!arg}': $@"