2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
27 # Check if the directory where we put our rules in is set and
29 assert isset IPTABLES_TMPDIR
30 assert
[ -d "${IPTABLES_TMPDIR}" ]
35 while [ $# -gt 0 ]; do
42 args
="${args} -A ${2^^}"
52 echo "${args:1:${#args}}" >> ${IPTABLES_TMPDIR}/${table}
55 function iptables_init() {
57 assert isoneof policy ACCEPT DROP
60 iptables_chain_create -t filter INPUT ${policy}
61 iptables_chain_create -t filter OUTPUT ${policy}
62 iptables_chain_create -t filter FORWARD ${policy}
64 iptables -t mangle "* mangle
"
65 iptables_chain_create -t mangle PREROUTING ACCEPT
66 iptables_chain_create -t mangle INPUT ACCEPT
67 iptables_chain_create -t mangle OUTPUT ACCEPT
68 iptables_chain_create -t mangle FORWARD ACCEPT
69 iptables_chain_create -t mangle POSTROUTING ACCEPT
71 iptables -t nat "* nat
"
72 iptables_chain_create -t nat PREROUTING ACCEPT
73 iptables_chain_create -t nat OUTPUT ACCEPT
74 iptables_chain_create -t nat POSTROUTING ACCEPT
77 function iptables_commit() {
80 # Check if the directory where we put our rules in is set and
82 assert isset IPTABLES_TMPDIR
83 assert [ -d "${IPTABLES_TMPDIR}" ]
85 log INFO "Committing firewall configuration...
"
86 iptables -t filter "COMMIT
"
87 iptables -t mangle "COMMIT
"
88 iptables -t nat "COMMIT
"
90 local iptables_ruleset="${IPTABLES_TMPDIR}/commit
"
91 : > ${iptables_ruleset}
93 # Concat the rules for every chain into one file.
95 for table in filter mangle nat; do
96 cat ${IPTABLES_TMPDIR}/${table} \
97 >> ${iptables_ruleset} 2>/dev/null
100 log DEBUG "Dumping iptables ruleset
"
104 line=$(printf "%4d |
%s
\n" "${counter}" "${line}")
107 counter=$(( $counter + 1 ))
108 done < ${iptables_ruleset}
110 iptables-restore < ${iptables_ruleset}
113 function iptables_chain_create() {
115 if [ "${1}" = "-t" ]; then
120 iptables ${args} ":$1 ${2--} [0:0]"
123 function iptables_LOG() {
126 if [ "${FIREWALL_LOG_FACILITY}" = "syslog
" ]; then
128 [ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
131 [ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
132 echo -n " --nflog-threshold 30"
137 function iptables_protocol() {
140 for proto in tcp udp esp ah; do
141 if [ "$PROTO" = "$proto" ]; then
152 function _iptables_port_range() {
156 function _iptables_port_multiport() {
160 function _iptables_port() {
161 if _iptables_port_range "$@
"; then
162 echo $IPTABLES_PORTRANGE
163 elif _iptables_port_multiport "$@
"; then
164 echo $IPTABLES_MULTIPORT
170 function iptables_source_port() {
171 [ -z "$@
" ] && return
173 type=$(_iptables_port $@)
174 if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
175 echo "-m multiport
--source-ports $@
"
181 function iptables_destination_port() {
182 [ -z "$@
" ] && return
184 type=$(_iptables_port $@)
185 if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
186 echo "-m multiport
--destination-ports $@
"