2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 # This function initializes all kernel parameters that need to be adjusted
23 # to run this firewall properly.
24 firewall_kernel_init
() {
25 log INFO
"Configuring kernel parameters..."
28 # Enable conntrack accounting
29 conntrack_set_accounting
"true"
31 # Adjust max. amount of simultaneous connections
32 conntrack_set_max_connections
"${CONNTRACK_MAX_CONNECTIONS}"
34 # Increase UDP connection timeout (fixes DNS)
35 conntrack_set_udp_timeout
"${CONNTRACK_UDP_TIMEOUT}"
37 # Disable sending redirects
38 log INFO
"Disabling sending redirects"
39 sysctl_set_recursively
"net.ipv6.conf" "send_redirects" 0
40 sysctl_set_recursively
"net.ipv4.conf" "send_redirects" 0
42 # Enable source route protection
43 log INFO
"Enabling source route protection"
44 sysctl_set_recursively
"net.ipv6.conf" "accept_source_route" 0
45 sysctl_set_recursively
"net.ipv4.conf" "accept_source_route" 0
47 # ICMP broadcast protection (smurf amplifier protection)
48 log INFO
"Enabling ICMP broadcast protection (smurf amplifier protection)"
49 sysctl_set
"net.ipv4.icmp_echo_ignore_broadcasts" 1
51 # ICMP Dead Error Message protection
52 log INFO
"Enabling ICMP dead error message protection"
53 sysctl_set
"net.ipv4.icmp_ignore_bogus_error_responses" 0
55 # Enable packet forwarding
56 log INFO
"Enabling packet forwarding"
57 sysctl_set_recursively
"net.ipv6.conf" "forwarding" 1
58 sysctl_set_recursively
"net.ipv4.conf" "forwarding" 1
60 # Setting some kernel performance options
61 log INFO
"Setting some kernel performance options"
62 for option
in window_scaling timestamps sack dsack fack
; do
63 sysctl_set
"net.ipv4.tcp_${option}" 1
65 sysctl_set
"net.ipv4.tcp_low_latency" 0
67 # Reduce DoS ability by reducing timeouts
68 log INFO
"Reducing DoS ability"
69 sysctl_set
"net.ipv4.tcp_fin_timeout" 30
70 sysctl_set
"net.ipv4.tcp_keepalive_time" 1800
72 # Set number of times to retry SYN in a new connection
73 sysctl_set
"net.ipv4.tcp_syn_retries" 3
75 # Set number of times to retry a SYN-ACK in a half-open new connection
76 sysctl_set
"net.ipv4.tcp_synack_retries" 2
78 # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
79 sysctl_set
"net.ipv4.tcp_rfc1337" 1
81 # SYN-flood protection
82 if enabled FIREWALL_SYN_COOKIES
; then
83 log INFO
"Enabling SYN-flood protection via SYN-cookies"
84 sysctl_set_bool
"net.ipv4.tcp_syncookies" 1
86 log INFO
"Disabling SYN-flood protection via SYN-cookies"
87 sysctl_set_bool
"net.ipv4.tcp_syncookies" 0
91 if enabled FIREWALL_RP_FILTER
; then
92 log INFO
"Enabling anti-spoof from non-routable IP addresses"
93 sysctl_set_recursively
"net.ipv4.conf" "rp_filter" 1
95 log INFO
"Disabling anti-spoof from non-routable IP addresses"
96 sysctl_set_recursively
"net.ipv4.conf" "rp_filter" 0
100 if enabled FIREWALL_LOG_MARTIANS
; then
101 log INFO
"Enabling the logging of martians"
102 sysctl_set_recursively
"net.ipv4.conf" "log_martians" 1
104 log INFO
"Disabling the logging of martians"
105 sysctl_set_recursively
"net.ipv4.conf" "log_martians" 0
108 # ICMP redirect messages
109 if enabled FIREWALL_ACCEPT_ICMP_REDIRECTS
; then
110 log INFO
"Enabling accepting ICMP-redirect messages"
111 sysctl_set_recursively
"net.ipv6.conf" "accept_redirects" 1
112 sysctl_set_recursively
"net.ipv4.conf" "accept_redirects" 1
114 log INFO
"Disabling accepting ICMP-redirect messages"
115 sysctl_set_recursively
"net.ipv6.conf" "accept_redirects" 0
116 sysctl_set_recursively
"net.ipv4.conf" "accept_redirects" 0
119 # Explicit Congestion Notification
120 if enabled FIREWALL_USE_ECN
; then
121 log INFO
"Enabling ECN (Explicit Congestion Notification)"
122 sysctl_set
"net.ipv4.tcp_ecn" 1
123 sysctl_set
"net.ipv4.tcp_ecn_fallback" 1
125 log INFO
"Disabling ECN (Explicit Congestion Notification)"
126 sysctl_set
"net.ipv4.tcp_ecn" 2
129 # Dynamic IP address hacking
130 log INFO
"Enabling kernel support for dynamic IP addresses"
131 sysctl_set
"net.ipv4.ip_dynaddr" 1
133 if enabled FIREWALL_PMTU_DISCOVERY
; then
134 log INFO
"Enabling PMTU discovery"
135 sysctl_set
"net.ipv4.ip_no_pmtu_disc" 0
137 log INFO
"Disabling PMTU discovery"
138 sysctl_set
"net.ipv4.ip_no_pmtu_disc" 1
142 if ipv4_ttl_valid
"${FIREWALL_DEFAULT_TTL}"; then
143 log INFO
"Setting default TTL to ${FIREWALL_DEFAULT_TTL}"
144 sysctl_set
"net.ipv4.ip_default_ttl" "${FIREWALL_DEFAULT_TTL}"
146 log ERROR
"Invalid value for default TTL '${FIREWALL_DEFAULT_TTL}'"
147 log ERROR
" Must be between 10 and 255!"
153 # High-level function which will create a ruleset for the current firewall
154 # configuration and load it into the kernel.
156 local protocol
="${1}"
157 assert isset protocol
163 while [ $# -gt 0 ]; do
169 error
"Unrecognized argument: ${1}"
176 if enabled
test; then
177 log INFO
"Test mode enabled."
178 log INFO
"The firewall ruleset will not be loaded."
181 firewall_lock_acquire
183 # Initialize an empty iptables ruleset.
184 iptables_init
"${protocol}" "DROP"
186 # Add default chains.
187 firewall_filter_rh0_headers
"${protocol}"
188 firewall_filter_icmp
"${protocol}"
189 firewall_filter_invalid_packets
"${protocol}"
190 firewall_custom_chains
"${protocol}"
191 firewall_connection_tracking
"${protocol}"
192 firewall_tcp_clamp_mss
"${protocol}"
194 # Add policies for every zone.
195 firewall_localhost_create_chains
"${protocol}"
198 for zone
in $
(zones_get_all
); do
199 # Create all needed chains for the zone.
200 firewall_zone_create_chains
"${protocol}" "${zone}"
202 # After the chains that are always available have been
203 # created, we will add a custom policy to every single
206 policy_zone_add
"${protocol}" "${zone}"
209 # Load the new ruleset.
211 if enabled testmode
; then
212 list_append args
"--test"
214 iptables_commit
"${protocol}" ${args}
216 firewall_lock_release
220 local protocol
="${1}"
221 assert isset protocol
223 firewall_lock_acquire
225 # Initialize an empty firewall ruleset
226 # with default policy ACCEPT.
227 iptables_init
"${protocol}" ACCEPT
230 ipables_load
"${protocol}"
232 firewall_lock_release
236 local protocol
="${1}"
237 assert isset protocol
239 # Shows the ruleset that is currently loaded.
240 iptables_status
"${protocol}"
246 local protocol
="${1}"
247 assert isset protocol
250 local admin_hosts
="$@"
252 firewall_lock_acquire
"${protocol}"
254 # Drop all communications.
255 iptables_init
"${protocol}" DROP
257 # If an admin host is provided, some administrative
258 # things will be allowed from there.
260 for admin_host
in ${admin_hosts}; do
261 iptables
"${protocol}" -A INPUT
-s "${admin_host}" -j ACCEPT
262 iptables
"${protocol}" -A OUTPUT
-d "${admin_host}" -j ACCEPT
266 iptables_commit
"${protocol}"
268 firewall_lock_release
271 firewall_lock_acquire
() {
273 #lock_acquire ${RUN_DIR}/.firewall_lock
275 # Make sure the lock is released after the firewall
276 # script has crashed or exited early.
277 trap firewall_lock_release EXIT TERM KILL
279 # Create a directory where we can put our
280 # temporary data in the most secure way as possible.
281 IPTABLES_TMPDIR
=$
(mktemp
-d)
284 firewall_lock_release
() {
285 if isset IPTABLES_TMPDIR
; then
286 # Remove all temporary data.
287 rm -rf ${IPTABLES_TMPDIR}
289 # Reset the tempdir variable.
294 trap true EXIT TERM KILL
296 lock_release
${RUN_DIR}/.firewall_lock
299 firewall_custom_chains
() {
300 local protocol
="${1}"
301 assert isset protocol
303 log INFO
"Creating CUSTOM* chains..."
305 # These chains are intened to be filled with
306 # rules by the user. They are processed at the very
307 # beginning so it is possible to overwrite everything.
309 iptables_chain_create
"${protocol}" CUSTOMINPUT
310 iptables
"${protocol}" -A INPUT
-j CUSTOMINPUT
312 iptables_chain_create
"${protocol}" CUSTOMFORWARD
313 iptables
"${protocol}" -A FORWARD
-j CUSTOMFORWARD
315 iptables_chain_create
"${protocol}" CUSTOMOUTPUT
316 iptables
"${protocol}" -A OUTPUT
-j CUSTOMOUTPUT
318 iptables_chain_create
"${protocol}" -t nat CUSTOMPREROUTING
319 iptables
"${protocol}" -t nat
-A PREROUTING
-j CUSTOMPREROUTING
321 iptables_chain_create
"${protocol}" -t nat CUSTOMPOSTROUTING
322 iptables
"${protocol}" -t nat
-A POSTROUTING
-j CUSTOMPOSTROUTING
324 iptables_chain_create
"${protocol}" -t nat CUSTOMOUTPUT
325 iptables
"${protocol}" -t nat
-A OUTPUT
-j CUSTOMOUTPUT
328 firewall_filter_invalid_packets
() {
329 local protocol
="${1}"
330 assert isset protocol
332 local log_limit
="-m limit --limit 5/m --limit-burst 10"
335 iptables_chain_create
"${protocol}" FILTER_INVALID
336 iptables
"${protocol}" -A INPUT
-j FILTER_INVALID
337 iptables
"${protocol}" -A OUTPUT
-j FILTER_INVALID
338 iptables
"${protocol}" -A FORWARD
-j FILTER_INVALID
340 # Create a chain where only TCP packets go
341 iptables_chain_create
"${protocol}" FILTER_INVALID_TCP
342 iptables
"${protocol}" -A FILTER_INVALID
-p tcp
-j FILTER_INVALID_TCP
344 # Create a chain where only UDP packets go
345 iptables_chain_create
"${protocol}" FILTER_INVALID_UDP
346 iptables
"${protocol}" -A FILTER_INVALID
-p udp
-j FILTER_INVALID_UDP
348 # Create a chain where only ICMP packets go
349 iptables_chain_create
"${protocol}" FILTER_INVALID_ICMP
350 iptables
"${protocol}" -A FILTER_INVALID
-p icmp
-j FILTER_INVALID_ICMP
353 # Optionally log all port scans
355 if enabled FIREWALL_LOG_STEALTH_SCANS
; then
356 log INFO
"Logging of stealth scans enabled"
358 # NMAP FIN/URG/PSH - XMAS scan
359 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN
,URG
,PSH \
360 "${log_limit}" -j "$(iptables_LOG "Stealth XMAS scan
")"
362 # SYN/RST/ACK/FIN/URG
363 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL SYN
,RST
,ACK
,FIN
,URG \
364 "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-PSH scan
")"
367 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL ALL \
368 "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-ALL scan
")"
371 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN \
372 "${log_limit}" -j "$(iptables_LOG "Stealth FIN scan
")"
375 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,RST SYN
,RST \
376 "${log_limit}" -j "$(iptables_LOG "Stealth SYN
/RST scan
")"
379 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,FIN SYN
,FIN \
380 "${log_limit}" -j "$(iptables_LOG "Stealth SYN
/FIN scan
")"
383 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL NONE \
384 "${log_limit}" -j "$(iptables_LOG "Stealth NULL scan
")"
386 log INFO
"Logging of stealth scans disabled"
393 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN
,URG
,PSH
-j DROP
395 # SYN/RST/ACK/FIN/URG
396 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL SYN
,RST
,ACK
,FIN
,URG
-j DROP
399 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL ALL
-j DROP
402 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL FIN
-j DROP
405 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,RST SYN
,RST
-j DROP
408 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags SYN
,FIN SYN
,FIN
-j DROP
411 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-flags ALL NONE
-j DROP
414 # Log packets with bad flags
416 if enabled FIREWALL_LOG_BAD_TCP_FLAGS
; then
417 log INFO
"Logging of packets with bad TCP flags enabled"
420 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 64 \
421 "${log_limit}" -j "$(iptables_LOG "Bad TCP flag
(64)")"
424 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 128 \
425 "${log_limit}" -j "$(iptables_LOG "Bad TCP flag
(128)")"
427 log INFO
"Logging of packets with bad TCP flags disabled"
430 # Drop packets with bad flags
432 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 64 -j DROP
433 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
--tcp-option 128 -j DROP
436 # Log invalid packets
438 if enabled FIREWALL_LOG_INVALID_TCP
; then
439 log INFO
"Logging of INVALID TCP packets enabled"
441 iptables
"${protocol}" -A FILTER_INVALID_TCP
-p tcp
-m conntrack
--ctstate INVALID \
442 "${log_limit}" -j "$(iptables_LOG "INVALID TCP
")"
444 log INFO
"Logging of INVALID TCP packets disabled"
447 if enabled FIREWALL_LOG_INVALID_UDP
; then
448 log INFO
"Logging of INVALID UDP packets enabled"
450 iptables
"${protocol}" -A FILTER_INVALID_UDP
-p udp
-m conntrack
--ctstate INVALID \
451 "${log_limit}" -j "$(iptables_LOG "INVALID UDP
")"
453 log INFO
"Logging of INVALID UDP packets disabled"
456 if enabled FIREWALL_LOG_INVALID_ICMP
; then
457 log INFO
"Logging of INVALID ICMP packets enabled"
459 iptables
"${protocol}" -A FILTER_INVALID_ICMP
-p icmp
-m conntrack
--ctstate INVALID \
460 "${log_limit}" -j "$(iptables_LOG "INVALID ICMP
")"
462 log INFO
"Logging of INVALID ICMP packets disabled"
465 # Drop all INVALID packets
466 iptables
"${protocol}" -A FILTER_INVALID
-m conntrack
--ctstate INVALID
-j DROP
469 firewall_tcp_clamp_mss
() {
470 # Do nothing if this has been disabled.
471 enabled FIREWALL_CLAMP_PATH_MTU ||
return ${EXIT_OK}
473 local protocol
="${1}"
474 assert isset protocol
476 log DEBUG
"Adding rules to clamp MSS to path MTU..."
478 iptables
"${protocol}" -t mangle
-A FORWARD \
479 -p tcp
--tcp-flags SYN
,RST SYN
-j TCPMSS
--clamp-mss-to-pmtu
482 firewall_connection_tracking
() {
483 local protocol
="${1}"
484 assert isset protocol
486 log INFO
"Creating Connection Tracking chain..."
488 iptables_chain_create
"${protocol}" CONNTRACK
489 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate ESTABLISHED
,RELATED
-j ACCEPT
490 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate INVALID
-j "$(iptables_LOG "INVALID packet
: ")"
491 iptables
"${protocol}" -A CONNTRACK
-m conntrack
--ctstate INVALID
-j DROP
493 iptables
"${protocol}" -A INPUT
-j CONNTRACK
494 iptables
"${protocol}" -A OUTPUT
-j CONNTRACK
495 iptables
"${protocol}" -A FORWARD
-j CONNTRACK
498 firewall_localhost_create_chains
() {
499 local protocol
="${1}"
500 assert isset protocol
502 log DEBUG
"Creating firewall chains for localhost..."
504 # Accept everything on lo
505 iptables
"${protocol}" -A INPUT
-i lo
-j ACCEPT
506 iptables
"${protocol}" -A OUTPUT
-o lo
-j ACCEPT
509 firewall_filter_rh0_headers
() {
510 local protocol
="${1}"
511 assert isset protocol
514 [ "${protocol}" = "ipv6" ] ||
return ${EXIT_OK}
516 # Filter all packets that have RH0 headers
517 # http://www.ietf.org/rfc/rfc5095.txt
518 iptables_chain_create
"${protocol}" FILTER_RH0
519 iptables
"${protocol}" -A FILTER_RH0
-m rt
--rt-type 0 -j DROP
521 iptables
"${protocol}" -A INPUT
-j FILTER_RH0
522 iptables
"${protocol}" -A FORWARD
-j FILTER_RH0
523 iptables
"${protocol}" -A OUTPUT
-j FILTER_RH0
526 firewall_filter_icmp
() {
527 local protocol
="${1}"
528 assert isset protocol
531 [ "${protocol}" = "ipv6" ] ||
return ${EXIT_OK}
533 local chain
="FILTER_ICMPV6"
535 # Create an extra chain for handling ICMP packets.
536 iptables_chain_create
"${protocol}" "${chain}_COMMON"
539 for suffix
in INC FWD OUT
; do
540 iptables_chain_create
"${protocol}" "${chain}_${suffix}"
541 iptables
"${protocol}" -A "${chain}_${suffix}" -j "${chain}_COMMON"
543 iptables
"${protocol}" -A INPUT
-p icmpv6
-j "${chain}_INC"
544 iptables
"${protocol}" -A FORWARD
-p icmpv6
-j "${chain}_FWD"
545 iptables
"${protocol}" -A OUTPUT
-p icmpv6
-j "${chain}_OUT"
547 # Packets that must always pass the firewall.
548 # Type 4: Parameter Problem
550 for type in ttl-zero-during-reassembly bad-header
; do
551 iptables
"${protocol}" -A "${chain}_COMMON" \
552 -p icmpv6
--icmpv6-type "${type}" -j ACCEPT
555 # Packets that are accepted if they belong to an existing connection.
556 for type in echo-reply destination-unreachable packet-too-big \
557 unknown-header-type unknown-option
; do
558 iptables
"${protocol}" -A "${chain}_COMMON" \
559 -m conntrack
--ctstate ESTABLISHED
,RELATED \
560 -p icmpv6
--icmpv6-type "${type}" -j ACCEPT
563 # Packets that are always discarded.
564 # Type 100, 101, 200, 201: Private Experimentation
565 for type in 100 101 200 201; do
566 iptables
"${protocol}" -A "${chain}_COMMON" \
567 -p icmpv6
--icmpv6-type "${type}" -j DROP
570 # Discard packets from local networks with hop limit smaller than $hoplimit.
571 # Type 148: Path solicitation
572 # Type 149: Path advertisement
574 for type in {router
,neighbour
}-{advertisement
,solicitation
} 148 149; do
575 iptables
"${protocol}" -A "${chain}_INC" \
576 -p icmpv6
--icmpv6-type "${type}" \
577 -m hl
--hl-lt "${hoplimit}" -j DROP
580 # The firewall is always allowed to send ICMP echo requests.
581 iptables
"${protocol}" -A "${chain}_OUT" \
582 -p icmpv6
--icmpv6-type echo-request
-j ACCEPT
587 firewall_zone_create_chains
() {
588 local protocol
="${1}"
589 assert isset protocol
594 log DEBUG
"Creating firewall chains for zone '${zone}'."
596 local chain_prefix
="ZONE_${zone^^}"
598 # Create filter chains.
599 iptables_chain_create
"${protocol}" "${chain_prefix}_INPUT"
600 iptables
"${protocol}" -A INPUT -i ${zone} -j "${chain_prefix}_INPUT"
602 iptables_chain_create
"${protocol}" "${chain_prefix}_OUTPUT"
603 iptables
"${protocol}" -A OUTPUT -o ${zone} -j "${chain_prefix}_OUTPUT"
606 iptables_chain_create
"${protocol}" "${chain_prefix}_CUSTOM"
608 # Intrusion Prevention System.
609 iptables_chain_create
"${protocol}" "${chain_prefix}_IPS"
611 # Create a chain for each other zone.
612 # This leaves us with n^2 chains. Duh.
614 local other_zone other_chain_prefix
615 for other_zone
in $
(zones_get_all
); do
616 other_chain_prefix
="${chain_prefix}_${other_zone^^}"
617 iptables_chain_create
"${protocol}" "${other_chain_prefix}"
619 # Connect the chain with the FORWARD chain.
620 iptables
"${protocol}" -A FORWARD -i "${zone}" -o "${other_zone}" \
621 -j "${other_chain_prefix}"
623 # Handle custom rules.
624 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_CUSTOM"
627 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${chain_prefix}_IPS"
630 iptables_chain_create
"${protocol}" "${other_chain_prefix}_RULES"
631 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_RULES"
634 iptables_chain_create
"${protocol}" "${other_chain_prefix}_POLICY"
635 iptables
"${protocol}" -A "${other_chain_prefix}" -j "${other_chain_prefix}_POLICY"
638 ## Create mangle chain.
639 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}"
640 #iptables "${protocol}" -t mangle -A PREROUTING -i "${zone}" -j "${chain_prefix}"
641 #iptables "${protocol}" -t mangle -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
643 ## Quality of Service
644 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_INC"
645 #iptables "${protocol}" -t mangle -A "${chain_prefix}" -i "${zone}" -j "${chain_prefix}_QOS_INC"
646 #iptables_chain_create "${protocol}" -t mangle "${chain_prefix}_QOS_OUT"
647 #iptables "${protocol}" -t mangle -A "${chain_prefix}" -o "${zone}" -j "${chain_prefix}_QOS_OUT"
650 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}"
651 iptables
"${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}"
652 iptables
"${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}"
654 # Network Address Translation
655 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_DNAT"
656 iptables
"${protocol}" -t nat -A PREROUTING -i "${zone}" -j "${chain_prefix}_DNAT"
657 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_SNAT"
658 iptables
"${protocol}" -t nat -A POSTROUTING -o "${zone}" -j "${chain_prefix}_SNAT"
661 iptables_chain_create
"${protocol}" -t nat
"${chain_prefix}_UPNP"
662 iptables
"${protocol}" -t nat -A "${chain_prefix}" -j "${chain_prefix}_UPNP"
667 firewall_parse_rules
() {
672 # End if no rule file exists.
673 [ -r "${file}" ] ||
return ${EXIT_OK}
677 local ${FIREWALL_RULES_CONFIG_PARAMS}
679 while read -r line
; do
681 [ -n "${line}" ] ||
continue
683 # Skip commented lines.
684 [ "${line:0:1}" = "#" ] && continue
687 _firewall_parse_rule_line
${line}
688 if [ $?
-ne ${EXIT_OK} ]; then
689 log WARNING
"Skipping invalid line: ${line}"
695 # Source IP address/net.
697 list_append cmd
"-s ${src}"
700 # Destination IP address/net.
702 list_append cmd
"-d ${dst}"
707 list_append cmd
"-p ${proto}"
709 if list_match
${proto} ${FIREWALL_PROTOCOLS_SUPPORTING_PORTS}; then
711 list_append cmd
"--sport ${sport}"
715 list_append cmd
"--dport ${dport}"
720 # Always append the action.
721 list_append cmd
"-j ${action}"
728 _firewall_parse_rule_line
() {
732 for arg
in ${FIREWALL_RULES_CONFIG_PARAMS}; do
737 while read -r arg
; do
738 key
=$
(cli_get_key
${arg})
740 if ! list_match
"${key}" ${FIREWALL_RULES_CONFIG_PARAMS}; then
741 log WARNING
"Unrecognized argument: ${arg}"
745 val
=$
(cli_get_val
"${arg}")
746 assign
"${key}" "${val}"
747 done <<< "$(args "$@
")"
749 # action must always be set.
750 if ! isset action
; then
751 log WARNING
"'action' is not set: $@"
755 for arg
in src dst
; do
756 isset
${arg} ||
continue
758 # Check for valid IP addresses.
759 if ! ip_is_valid
${!arg}; then
760 log WARNING
"Invalid IP address for '${arg}=${!arg}': $@"
769 if ! list_match
"${proto}" ${FIREWALL_SUPPORTED_PROTOCOLS}; then
770 log WARNING
"Unsupported protocol type 'proto=${proto}': $@"
775 for arg
in sport dport
; do
776 isset
${arg} ||
continue
778 # Check if port is valid.
779 if ! isinteger
${arg}; then
780 log WARNING
"Invalid port '${arg}=${!arg}': $@"