
Source code changes of the file "share/arno-iptables-firewall/plugins/parasitic-net-helper" between
aif-2.1.0.tar.gz and aif-2.1.1.tar.gz

About: Arno’s iptables firewall is a stateful firewall script for both single and multi-homed machines with DSL/ADSL support.

parasitic-net-helper  (aif-2.1.0):parasitic-net-helper  (aif-2.1.1)
skipping to change at line 29 skipping to change at line 29
parasitic_net_helper_do_work() parasitic_net_helper_do_work()
{ {
local RETVAL=0 local RETVAL=0
# Flush the PARASITIC_NET_ACL # Flush the PARASITIC_NET_ACL
iptables -F PARASITIC_NET_ACL iptables -F PARASITIC_NET_ACL
unset IFS unset IFS
for rule in $PARASITIC_NET_HOST_DENY_TCP; do for rule in $PARASITIC_NET_HOST_DENY_TCP; do
if parse_rule "$rule" PARASITIC_NET_HOST_DENY_TCP "hosts-ports"; then if parse_rule "$rule" PARASITIC_NET_HOST_DENY_TCP "shosts:ANYHOST-dhosts-por
echo "${INDENT}Denying access to $hosts for TCP port(s): $ports" ts:ANYPORT"; then
echo "${INDENT}Denying access from $shosts to $dhosts for TCP port(s): $po
rts"
IFS=' ,' IFS=' ,'
for host in `ip_range "$hosts"`; do for dhost in `ip_range "$dhosts"`; do
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping TCP deny rule(s) for unresolvable host \"$h echo "** WARNING: Skipping TCP deny rule(s) for unresolvable host \"$d
ost\"! **" >&2 host\"! **" >&2
RETVAL=1 RETVAL=1
continue continue
fi fi
for host_ip2 in $host_ip; do for dhost_ip in $host_ip; do
for port in $ports; do for shost_ip in `ip_range "$shosts"`; do
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then for port in $ports; do
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p tcp --dport $port - if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
m limit --limit 1/m -j LOG \ ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: " --dport $port -m limit --limit 1/m -j LOG \
fi --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied:
"
fi
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p tcp --dport $port -j ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --
$PARASITIC_NET_DENY_POLICY dport $port -j $PARASITIC_NET_DENY_POLICY
done
done done
done done
done done
fi fi
done done
unset IFS unset IFS
for rule in $PARASITIC_NET_HOST_DENY_UDP; do for rule in $PARASITIC_NET_HOST_DENY_UDP; do
if parse_rule "$rule" PARASITIC_NET_HOST_DENY_UDP "hosts-ports"; then if parse_rule "$rule" PARASITIC_NET_HOST_DENY_UDP "shosts:ANYHOST-dhosts-por
echo "${INDENT}Denying access to $hosts for UDP port(s): $ports" ts:ANYPORT"; then
echo "${INDENT}Denying access from $shosts to $dhosts for UDP port(s): $po
rts"
IFS=' ,' IFS=' ,'
for host in `ip_range "$hosts"`; do for dhost in `ip_range "$dhosts"`; do
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping UDP deny rule(s) for unresolvable host \"$h echo "** WARNING: Skipping UDP deny rule(s) for unresolvable host \"$d
ost\"! **" >&2 host\"! **" >&2
RETVAL=1 RETVAL=1
continue continue
fi fi
for host_ip2 in $host_ip; do for dhost_ip in $host_ip; do
for port in $ports; do for shost_ip in `ip_range "$shosts"`; do
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then for port in $ports; do
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p udp --dport $port - if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
m limit --limit 1/m -j LOG \ ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: " --dport $port -m limit --limit 1/m -j LOG \
fi --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied:
"
fi
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p udp --dport $port -j ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --
$PARASITIC_NET_DENY_POLICY dport $port -j $PARASITIC_NET_DENY_POLICY
done
done done
done done
done done
fi fi
done done
IFS=' ,' unset IFS
for hosts in $PARASITIC_NET_HOST_DENY_ICMP; do for rule in $PARASITIC_NET_HOST_DENY_ICMP; do
echo "${INDENT}Denying access to $hosts for ICMP requests" if parse_rule "$rule" PARASITIC_NET_HOST_DENY_ICMP "shosts:ANYHOST-dhosts";
then
for host in `ip_range "$hosts"`; do echo "${INDENT}Denying access from $shosts to $dhosts for ICMP requests"
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping ICMP deny rule(s) for unresolvable host \"$ho IFS=' ,'
st\"! **" >&2 for dhost in `ip_range "$dhosts"`; do
RETVAL=1 if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
continue echo "** WARNING: Skipping ICMP deny rule(s) for unresolvable host \"$
fi dhost\"! **" >&2
RETVAL=1
for host_ip2 in $host_ip; do continue
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p icmp --icmp-type echo-r
equest -m limit --limit 1/m -j LOG \
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
fi fi
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p icmp --icmp-type echo-req for dhost_ip in $host_ip; do
uest -j $PARASITIC_NET_DENY_POLICY for shost_ip in `ip_range "$shosts"`; do
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp -
-icmp-type echo-request -m limit --limit 1/m -j LOG \
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
fi
ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --i
cmp-type echo-request -j $PARASITIC_NET_DENY_POLICY
done
done
done done
done fi
done done
unset IFS unset IFS
for rule in $PARASITIC_NET_HOST_DENY_IP; do for rule in $PARASITIC_NET_HOST_DENY_IP; do
if parse_rule "$rule" PARASITIC_NET_HOST_DENY_IP "hosts-protos"; then if parse_rule "$rule" PARASITIC_NET_HOST_DENY_IP "shosts:ANYHOST-dhosts-prot
echo "${INDENT}Denying access to $hosts for IP protocol(s): $protos" os"; then
echo "${INDENT}Denying access from $shosts to $dhosts for IP protocol(s):
$protos"
IFS=' ,' IFS=' ,'
for host in `ip_range "$hosts"`; do for dhost in `ip_range "$dhosts"`; do
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping IP deny rule(s) for unresolvable host \"$ho echo "** WARNING: Skipping IP deny rule(s) for unresolvable host \"$dh
st\"! **" >&2 ost\"! **" >&2
RETVAL=1 RETVAL=1
continue continue
fi fi
for host_ip2 in $host_ip; do for dhost_ip in $host_ip; do
for proto in $protos; do for shost_ip in `ip_range "$shosts"`; do
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then for proto in $protos; do
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p $proto -m limit --l if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
imit 1/m -j LOG \ ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $pro
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: " to -m limit --limit 1/m -j LOG \
fi --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied:
"
fi
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p $proto -j $PARASITIC_ ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto
NET_DENY_POLICY -j $PARASITIC_NET_DENY_POLICY
done
done done
done done
done done
fi fi
done done
unset IFS unset IFS
for rule in $PARASITIC_NET_HOST_OPEN_TCP; do for rule in $PARASITIC_NET_HOST_OPEN_TCP; do
if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_TCP "hosts-ports"; then if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-por
echo "${INDENT}Allowing access to $hosts for TCP port(s): $ports" ts"; then
echo "${INDENT}Allowing access from $shosts to $dhosts for TCP port(s): $p
orts"
IFS=' ,' IFS=' ,'
for host in `ip_range "$hosts"`; do for dhost in `ip_range "$dhosts"`; do
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping TCP allow rule(s) for unresolvable host \"$ echo "** WARNING: Skipping TCP allow rule(s) for unresolvable host \"$
host\"! **" >&2 dhost\"! **" >&2
RETVAL=1 RETVAL=1
continue continue
fi fi
for host_ip2 in $host_ip; do for dhost_ip in $host_ip; do
for port in $ports; do for shost_ip in `ip_range "$shosts"`; do
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p tcp --dport $port -j for port in $ports; do
ACCEPT ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --
dport $port -j ACCEPT
done
done done
done done
done done
fi fi
done done
unset IFS unset IFS
for rule in $PARASITIC_NET_HOST_OPEN_UDP; do for rule in $PARASITIC_NET_HOST_OPEN_UDP; do
if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_UDP "hosts-ports"; then if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-por
echo "${INDENT}Allowing access to $hosts for UDP port(s): $ports" ts"; then
echo "${INDENT}Allowing access from $shosts to $dhosts for UDP port(s): $p
orts"
IFS=' ,' IFS=' ,'
for host in `ip_range "$hosts"`; do for dhost in `ip_range "$dhosts"`; do
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping UDP allow rule(s) for unresolvable host \"$ echo "** WARNING: Skipping UDP allow rule(s) for unresolvable host \"$
host\"! **" >&2 dhost\"! **" >&2
RETVAL=1 RETVAL=1
continue continue
fi fi
for host_ip2 in $host_ip; do for dhost_ip in $host_ip; do
for port in $ports; do for shost_ip in `ip_range "$shosts"`; do
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p udp --dport $port -j for port in $ports; do
ACCEPT ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --
dport $port -j ACCEPT
done
done done
done done
done done
fi fi
done done
IFS=' ,' unset IFS
for hosts in $PARASITIC_NET_HOST_OPEN_ICMP; do
echo "${INDENT}Allowing access to $hosts for ICMP requests" for rule in $PARASITIC_NET_HOST_OPEN_ICMP; do
if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_ICMP "shosts:ANYHOST-dhosts";
for host in `ip_range "$hosts"`; do then
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then echo "${INDENT}Allowing access from $shosts to $dhosts for ICMP requests"
echo "** WARNING: Skipping ICMP allow rule(s) for unresolvable host \"$h
ost\"! **" >&2
RETVAL=1
continue
fi
for host_ip2 in $host_ip; do IFS=' ,'
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p icmp --icmp-type echo-req for dhost in `ip_range "$dhosts"`; do
uest -j ACCEPT if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping ICMP allow rule(s) for unresolvable host \"
$dhost\"! **" >&2
RETVAL=1
continue
fi
for dhost_ip in $host_ip; do
for shost_ip in $shosts; do
ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --i
cmp-type echo-request -j ACCEPT
done
done
done done
done fi
done done
unset IFS unset IFS
for rule in $PARASITIC_NET_HOST_OPEN_IP; do for rule in $PARASITIC_NET_HOST_OPEN_IP; do
if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_IP "hosts-protos"; then if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_IP "shosts:ANYHOST-dhosts-prot
echo "${INDENT}Allowing access to $hosts for IP protocol(s): $protos" os"; then
echo "${INDENT}Allowing access from $shosts to $dhosts for IP protocol(s):
$protos"
IFS=' ,' IFS=' ,'
for host in `ip_range "$hosts"`; do for dhost in `ip_range "$dhosts"`; do
if ! get_dynamic_host_cached $host || [ -z "$host_ip" ]; then if ! get_dynamic_host_cached $dhost || [ -z "$host_ip" ]; then
echo "** WARNING: Skipping IP allow rule(s) for unresolvable host \"$h echo "** WARNING: Skipping IP allow rule(s) for unresolvable host \"$d
ost\"! **" >&2 host\"! **" >&2
RETVAL=1 RETVAL=1
continue continue
fi fi
for host_ip2 in $host_ip; do for dhost_ip in $host_ip; do
for proto in $protos; do for shost_ip in $shosts; do
ip4tables -A PARASITIC_NET_ACL -d $host_ip2 -p $proto -j ACCEPT for proto in $protos; do
ip4tables -A PARASITIC_NET_ACL -d $dhost_ip -p $proto -j ACCEPT
done
done done
done done
done done
fi fi
done done
# Set default policy # Set default policy
if [ -z "$PARASITIC_NET_HOST_OPEN_TCP" ]; then if [ -z "$PARASITIC_NET_HOST_OPEN_TCP" ]; then
ip4tables -A PARASITIC_NET_ACL -p tcp -j ACCEPT ip4tables -A PARASITIC_NET_ACL -p tcp -j ACCEPT
else else
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
ip4tables -A PARASITIC_NET_ACL -p tcp -m limit --limit 1/m -j LOG \ ip4tables -A PARASITIC_NET_ACL -p tcp -m limit --limit 12/m -j LOG \
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: " --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
fi fi
ip4tables -A PARASITIC_NET_ACL -p tcp -j $PARASITIC_NET_DENY_POLICY ip4tables -A PARASITIC_NET_ACL -p tcp -j $PARASITIC_NET_DENY_POLICY
fi fi
if [ -z "$PARASITIC_NET_HOST_OPEN_UDP" ]; then if [ -z "$PARASITIC_NET_HOST_OPEN_UDP" ]; then
ip4tables -A PARASITIC_NET_ACL -p udp -j ACCEPT ip4tables -A PARASITIC_NET_ACL -p udp -j ACCEPT
else else
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
ip4tables -A PARASITIC_NET_ACL -p udp -m limit --limit 1/m -j LOG \ ip4tables -A PARASITIC_NET_ACL -p udp -m limit --limit 12/m -j LOG \
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: " --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
fi fi
ip4tables -A PARASITIC_NET_ACL -p udp -j $PARASITIC_NET_DENY_POLICY ip4tables -A PARASITIC_NET_ACL -p udp -j $PARASITIC_NET_DENY_POLICY
fi fi
if [ -z "$PARASITIC_NET_HOST_OPEN_ICMP" ]; then if [ -z "$PARASITIC_NET_HOST_OPEN_ICMP" ]; then
ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j ACCEPT ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j ACCEPT
else else
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -m limit - ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -m limit -
-limit 1/m -j LOG \ -limit 12/m -j LOG \
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: " --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
limit <span class="insert">12/m</span> -j LOG \
fi fi
ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j $PARASITI C_NET_DENY_POLICY ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j $PARASITI C_NET_DENY_POLICY
fi fi
# Drop the rest ("Other" IP protocols always need to be specified explicitly) # Drop the rest ("Other" IP protocols always need to be specified explicitly)
if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
ip4tables -A PARASITIC_NET_ACL -m limit --limit 1/m -j LOG \ ip4tables -A PARASITIC_NET_ACL -m limit --limit 12/m -j LOG \
--log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: " --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
fi fi
ip4tables -A PARASITIC_NET_ACL -j $PARASITIC_NET_DENY_POLICY ip4tables -A PARASITIC_NET_ACL -j $PARASITIC_NET_DENY_POLICY
return $RETVAL return $RETVAL
} }
############ ############
# Mainline # # Mainline #
############ ############
# Check where to find the config file # Check where to find the config file
CONF_FILE="" CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then if [ -n "$PLUGIN_CONF_PATH" ]; then
CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi fi
# Check if the config file exists # Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then if [ ! -f "$CONF_FILE" ]; then
echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2 echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
PLUGIN_RET_VAL=1 PLUGIN_RET_VAL=1
else else
# Source the plugin config file # Source the plugin config file
. "$CONF_FILE" . "$CONF_FILE"
# Only proceed if environment ok # Only proceed if environment ok
if ! parasitic_net_helper_sanity_check; then if ! parasitic_net_helper_sanity_check; then
PLUGIN_RET_VAL=1 PLUGIN_RET_VAL=1
else else
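Review bot: The rewritten OPEN_IP loop iterates `shost_ip` but the rule it appends drops the source match — `ip4tables -A PARASITIC_NET_ACL -d $dhost_ip -p $proto -j ACCEPT` — so a rule configured with specific source hosts accepts the protocol from any source, and the same rule is appended once per source host; it should read `ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto -j ACCEPT` like the TCP/UDP open rules. The OPEN_ICMP and OPEN_IP loops also iterate `$shosts` directly while every deny loop uses `ip_range "$shosts"`, so a source given as a range is presumably not expanded there. The per-rule logging tests still use `= "1"` while the default-policy tests were changed to `!= "0"`, so an unset PARASITIC_NET_DENY_LOG logs the catch-all denies but not the per-host ones; the two conditions should agree. The trailing mainline `else` branch continues past the end of the hunk.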
 End of changes. 33 change blocks. 
120 lines changed or deleted 159 lines changed or added
