"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/bin/arno-iptables-firewall" (16 Sep 2020, 217482 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Bash source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "arno-iptables-firewall": 2.1.0_vs_2.1.1.

    1 #!/bin/sh
    2 
    3 MY_VERSION="2.1.1"
    4 
    5 # Location of the main configuration file for the firewall
    6 ##########################################################
    7 CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf
    8 
    9 # ------------------------------------------------------------------------------
   10 #                         -= Arno's Iptables Firewall(AIF) =-
   11 #               Single- & multi-homed firewall script with DSL/ADSL support
   12 #
   13 #                           ~ In memory of my dear father ~
   14 #
   15 # (C) Copyright 2001-2020 by Arno van Amersfoort & Lonnie Abelbeck
   16 # Homepage              : https://rocky.eld.leidenuniv.nl/
   17 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   18 #                         (note: you must remove all spaces and substitute the @ and the .
   19 #                         at the proper locations!)
   20 # ------------------------------------------------------------------------------
   21 # This program is free software; you can redistribute it and/or
   22 # modify it under the terms of the GNU General Public License
   23 # version 2 as published by the Free Software Foundation.
   24 
   25 # This program is distributed in the hope that it will be useful,
   26 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   27 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   28 # GNU General Public License for more details.
   29 
   30 # You should have received a copy of the GNU General Public License
   31 # along with this program; if not, write to the Free Software
   32 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   33 # ------------------------------------------------------------------------------
   34 
# Start-up banner (bold green on black, attributes reset afterwards)
printf "\033[40m\033[1;32mArno's Iptables Firewall(AIF) v%s\033[0m\n" "$MY_VERSION"
echo "-------------------------------------------------------------------------------"

# Load the main configuration file. It is sourced, i.e. executed as shell
# code by this (normally root) process, so it must only be writable by root.
# A missing file is fatal.
###########################################################################
if [ ! -f "$CONFIG_FILE" ]; then
  printf "\033[40m\033[1;31mERROR: Could not read configuration file %s!\033[0m\n" "$CONFIG_FILE" >&2
  printf "\033[40m\033[1;31m       Please, check the file's location and (root) rights.\033[0m\n\n" >&2
  exit 2
fi
. "$CONFIG_FILE"

# Locate the environment file in the standard paths: the first existing
# candidate wins. When none exists ENV_FILE is left at the last candidate
# and the error below fires.
########################################################################
for env_candidate in /usr/local/share/arno-iptables-firewall/environment \
                     /usr/share/arno-iptables-firewall/environment; do
  ENV_FILE="$env_candidate"
  [ -f "$ENV_FILE" ] && break
done

if [ ! -f "$ENV_FILE" ]; then
  printf "\033[40m\033[1;31mERROR: Unable to locate environment file in /usr/(local/)/share/arno-iptables-firewall/\033[0m\n" >&2
  printf "\033[40m\033[1;31m       Please, check the file's location and (root) rights.\033[0m\n\n" >&2
  exit 2
fi

# Source environment file (also executed as shell code, same ownership rules apply)
. "$ENV_FILE"
   64 
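#######################################
# Pre-flight checks: show platform and iptables versions, require root and
# make sure the external tools the firewall depends on are available.
# Globals:   IP4TABLES, IP6TABLES, IPV6_DETECTED, IPV6_SUPPORT (read)
# Outputs:   platform/version info to stdout, warnings and errors to stderr
# Returns:   0; exits with status 1 when not running as root.
#            check_command_error/check_command_warning are defined elsewhere
#            (environment file); presumably the *_error variant aborts the
#            script when a tool is missing — verify there.
#######################################
sanity_check()
{
  local ip4t_ver ip6t_ver

  # Show uname & iptables information
  echo "Platform: $(uname -s -r -m)"
  # "$IP4TABLES" is deliberately unquoted: it may carry extra arguments
  ip4t_ver="$($IP4TABLES --version)"
  ip4t_ver="${ip4t_ver#* v}"
  ip4t_ver="${ip4t_ver%% *}"
  echo "Netfilter iptables version: $ip4t_ver"

  # Only probe ip6tables when it was actually detected (same gate as the
  # binary check further down). Without the gate a missing ip6tables makes
  # the probe fail noisily and the empty version string then triggers a
  # bogus "mismatched versions" warning.
  if [ "$IPV6_DETECTED" = "1" ]; then
    ip6t_ver="$($IP6TABLES --version)"
    ip6t_ver="${ip6t_ver#* v}"
    ip6t_ver="${ip6t_ver%% *}"
    if [ "$ip4t_ver" != "$ip6t_ver" ]; then
      printf "\033[40m\033[1;31mWARNING: Mismatched iptables(%s) / ip6tables(%s) versions.\033[0m\n" "$ip4t_ver" "$ip6t_ver" >&2
    fi
  fi

  # root check
  if [ "$(id -u)" != "0" ]; then
    printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n\n" >&2
    exit 1
  fi

  # Check whether the required binaries exist and are executable
  ##############################################################
  check_command_error iptables
  if [ "$IPV6_DETECTED" = "1" ]; then
    check_command_error ip6tables
  fi
  check_command_error awk
  check_command_error tr
  check_command_error ip
  check_command_error cut
  check_command_error uname
  check_command_error sed
  check_command_error cat
  check_command_error date
  check_command_error modprobe
  check_command_error sysctl
  check_command_error head
  check_command_error tail
  check_command_error wc
  check_command_error logger

  # Optional tools: only warn when absent
  check_command_warning pgrep
  check_command_warning pkill
  check_command_warning dig nslookup

  if [ "$IPV6_SUPPORT" = "1" ]; then
    if ! kernel_ver_chk 2 6 24; then
      printf "\033[40m\033[1;31mWARNING: IPv6 support is enabled but your kernel is rather old (<2.6.24)! This *could* cause problems...\033[0m\n" >&2
    fi
  fi
}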
  119 
  120 
#######################################
# Decide whether ipset based rules can be used.
# Globals:   IPTABLES_IPSET (read)
# Returns:   0 when ipset is enabled in the configuration, the userspace
#            'ipset' tool is installed and the kernel accepts a simple ipset
#            command; 1 otherwise
#######################################
ipset_check()
{
  # Not enabled in the configuration?
  [ "$IPTABLES_IPSET" = "1" ] || return 1

  # Userspace 'ipset' command installed?
  check_command ipset || return 1

  # Kernel support present? (a plain listing fails without it)
  ipset list -n >/dev/null 2>&1 || return 1

  return 0
}
  139 
  140 
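#######################################
# Warn for every interface in a space/comma separated list that does not
# exist (yet). Helper for config_check().
# Globals:   IFS (set to ' ,'); interface (left set after the loop, exactly
#            like the former inline loops did — deliberately not 'local')
# Arguments: $1 - label used in the warning ("External", "Internal", ...)
#            $2 - interface list, e.g. "eth0 eth1" or "eth0,eth1"
# Outputs:   warnings to stderr
#######################################
config_check_warn_missing_ifs()
{
  IFS=' ,'
  for interface in $2; do
    if ! check_interface "$interface"; then
      # Data goes through %s, never into the printf format string
      printf "\033[40m\033[1;31mWARNING: %s interface %s does NOT exist (yet?)\033[0m\n\n" "$1" "$interface" >&2
    fi
  done
}


#######################################
# Validate the loaded configuration before any firewall state is touched.
# Globals:   EXT_IF, INT_IF, DMZ_IF, TRUSTED_IF, EXTERNAL_DHCP_SERVER,
#            EXTERNAL_NET, NAT, NAT_INTERNAL_NET, NMB_BROADCAST_FIX,
#            BROADCAST_TCP_NOLOG, BROADCAST_UDP_NOLOG, EXT_NET_BCAST_ADDRESS,
#            PLUGIN_BIN_PATH, PLUGIN_CONF_PATH (read);
#            IFS, interface, eif, iif (written)
# Outputs:   errors and warnings to stderr
# Returns:   0 when the configuration is usable; otherwise show_failed is
#            called and the script exits with status 1
#######################################
config_check()
{
  local retval=0

  # Make sure EXT_IF != ""
  ########################
  if [ -z "$EXT_IF" ]; then
    printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" >&2
    printf "\033[40m\033[1;31m       Please, check the configuration file.\033[0m\n\n" >&2
    retval=1
  fi

  # Interfaces that do not exist (yet) only get a warning: they may still
  # appear later, so this is not fatal
  #######################################################################
  config_check_warn_missing_ifs "External" "$EXT_IF"
  config_check_warn_missing_ifs "Internal" "$INT_IF"
  config_check_warn_missing_ifs "DMZ" "$DMZ_IF"
  config_check_warn_missing_ifs "Trusted" "$TRUSTED_IF"

  # Make sure INT_IF != EXT_IF
  ############################
  IFS=' ,'
  for eif in $EXT_IF; do
    for iif in $INT_IF; do
      if [ "$iif" = "$eif" ]; then
        printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" >&2
        printf "\033[40m\033[1;31m       INT_IF! Please, check the configuration file.\033[0m\n\n" >&2
        retval=1
        # Only leaves the inner loop; every EXT_IF entry is still checked
        break
      fi
    done
  done

  # Make sure EXT_IF != lo / 127.0.0.1
  ####################################
  IFS=' ,'
  for eif in $EXT_IF; do
    if [ "$eif" = "lo" ] || [ "$eif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" >&2
      printf "\033[40m\033[1;31m       local loopback device! Please, check the configuration file.\033[0m\n\n" >&2
      retval=1
      break
    fi
  done

  # Make sure INT_IF != lo / 127.0.0.1
  ####################################
  IFS=' ,'
  for iif in $INT_IF; do
    if [ "$iif" = "lo" ] || [ "$iif" = "127.0.0.1" ]; then
      printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" >&2
      printf "\033[40m\033[1;31m       name of the local loopback device! Please, check the configuration file.\033[0m\n\n" >&2
      retval=1
      break
    fi
  done

  # If support for an DHCP server serving an external net is enabled, we
  # also need to know what the external net is.
  ##########################################################################
  if [ "$EXTERNAL_DHCP_SERVER" = "1" ] && [ -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m       EXTERNAL_NET has NOT been defined!\033[0m\n\n" >&2
    retval=1
  fi

  # We can only perform NAT if NAT_INTERNAL_NET is defined
  if [ "$NAT" = "1" ] && [ -z "$NAT_INTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n\n" >&2
    retval=1
  fi

  # If support the nmb_broadcast_fix is enabled we need the EXTERNAL_NET set
  ##########################################################################
  if [ "$NMB_BROADCAST_FIX" = "1" ] && [ -z "$EXTERNAL_NET" ]; then
    printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" >&2
    printf "\033[40m\033[1;31m       EXTERNAL_NET has NOT been defined!\033[0m\n\n" >&2
    retval=1
  fi

  # Warn if no_broadcast variables are used and external net is NOT defined
  ##########################################################################
  if [ -n "$BROADCAST_TCP_NOLOG" ] || [ -n "$BROADCAST_UDP_NOLOG" ]; then
    if [ -z "$EXTERNAL_NET" ] && [ -z "$EXT_NET_BCAST_ADDRESS" ]; then
      printf "\033[40m\033[1;31mWARNING: You are using the BROADCAST_xxx_NOLOG variables but EXTERNAL_NET (or EXT_NET_BCAST_ADDRESS)\033[0m\n" >&2
      printf "\033[40m\033[1;31m         has NOT been defined!\033[0m\n\n" >&2
    fi
  fi

  # Check whether we know the plugin binary path
  ##############################################
  if [ ! -d "$PLUGIN_BIN_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_BIN_PATH (%s) does not exist!\033[0m\n" "$PLUGIN_BIN_PATH" >&2
    printf "\033[40m\033[1;31m       Please check your installation and/or configuration file.\033[0m\n\n" >&2
    retval=1
  fi

  # Check whether we know the plugin config path
  ##############################################
  if [ ! -d "$PLUGIN_CONF_PATH" ]; then
    printf "\033[40m\033[1;31mERROR: The PLUGIN_CONF_PATH (%s) does not exist!\033[0m\n" "$PLUGIN_CONF_PATH" >&2
    printf "\033[40m\033[1;31m       Please check your installation and/or configuration file.\033[0m\n\n" >&2
    retval=1
  fi

  # Any error above is fatal
  if [ "$retval" -ne 0 ]; then
    show_failed
    exit "$retval"
  fi
}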
  281 
  282 
#######################################
# Load an IPv4 netfilter module and, when IPv6 support is enabled, its
# IPv6 counterpart. Helper for load_modules().
# Globals:   IPV6_SUPPORT (read)
# Arguments: $1 - IPv4 module, $2 - IPv6 module
#######################################
load_modules_pair()
{
  modprobe "$1"
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe "$2"
  fi
}


#######################################
# Probe an xtables (xt_*) module via modprobe_multi with its legacy ipt_
# name, adding the legacy ip6t_ name only when IPv6 support is enabled.
# Helper for load_modules(); the alternative-name semantics live in
# modprobe_multi (defined elsewhere).
# Globals:   IPV6_SUPPORT (read)
# Arguments: $1 - xt_ module, $2 - legacy IPv4 module, $3 - legacy IPv6 module
#######################################
load_modules_xt()
{
  if [ "$IPV6_SUPPORT" = "1" ]; then
    modprobe_multi "$1" "$2,$3"
  else
    modprobe_multi "$1" "$2"
  fi
}


#######################################
# Probe/load the kernel modules the firewall needs, in dependency order.
# Globals:   IPV6_SUPPORT, SET_MSS, MANGLE_TOS, PACKET_TTL, TTL_INC, NAT,
#            NAT_FORWARD_TCP, NAT_FORWARD_UDP, NAT_FORWARD_IP,
#            NAT_STATIC_IP (read); IFS (unset), INDENT (written)
# Outputs:   progress to stdout
#######################################
load_modules()
{
  unset IFS
  # Set indent for functions
  INDENT=' '

  echo "Checking/probing Iptables modules:"

  # Required; all IPv4 modules depend on this one
  load_modules_pair ip_tables ip6_tables

  # Allows connection tracking state match, which allows you to
  # write rules matching the state of a connection
  modprobe_multi nf_conntrack ip_conntrack
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ## kernel >= 4.19 merged nf_conntrack_ipv{4,6} into nf_conntrack
    if ! kernel_ver_chk 4 19 0; then
      modprobe nf_conntrack_ipv6
    fi
  fi

  # conntrack match, log limits, packet state checking (SYN, SYN-ACK, ...)
  # and multiple-port specifications
  load_modules_xt xt_conntrack ipt_conntrack ip6t_conntrack
  load_modules_xt xt_limit ipt_limit ip6t_limit
  load_modules_xt xt_state ipt_state ip6t_state
  load_modules_xt xt_multiport ipt_multiport ip6t_multiport

  # The filter, mangle and raw tables
  load_modules_pair iptable_filter ip6table_filter
  load_modules_pair iptable_mangle ip6table_mangle
  load_modules_pair iptable_raw ip6table_raw

  # The REJECT and LOG targets
  load_modules_pair ipt_REJECT ip6t_REJECT
  load_modules_xt xt_LOG ipt_LOG ip6t_LOG

  # The TCPMSS target, unless MSS clamping is switched off
  if [ "$SET_MSS" != "0" ]; then
    load_modules_xt xt_TCPMSS ipt_TCPMSS ip6t_TCPMSS
  fi

  # The DSCP/TOS target, unless TOS mangling is switched off
  if [ "$MANGLE_TOS" != "0" ]; then
    if [ "$IPV6_SUPPORT" = "1" ]; then
      modprobe_multi xt_DSCP "ipt_DSCP,ip6t_DSCP" "ipt_TOS,ip6t_TOS"
    else
      modprobe_multi xt_DSCP ipt_DSCP ipt_TOS
    fi
  fi

  # The TTL target
  if [ "$PACKET_TTL" = "1" ] || [ "$TTL_INC" = "1" ]; then
    modprobe ipt_TTL
  fi

  # (Currently) unused modules:
  #    modprobe ipt_addrtype            # Allows matching src/dst address type (BROKEN!)
  #    modprobe ipt_pkttype             # Permits checking for packet type (BROADCAST, MULTICAST etc.) (BROKEN!)
  #    modprobe ip_queue                # Allows queuing packets to user space
  #    modprobe ipt_owner               # Permits user/group checking on OUTPUT packets
  #    modprobe ipt_mark                # Allows use of mark match
  #    modprobe ip_conntrack_egg

  # The NAT table
  modprobe iptable_nat

  # DNAT/SNAT/NAT support when NAT or any port/IP forwarding is configured
  if [ "$NAT" = "1" ] || [ -n "$NAT_FORWARD_TCP" ] || [ -n "$NAT_FORWARD_UDP" ] || [ -n "$NAT_FORWARD_IP" ]; then
    modprobe_multi nf_nat ip_nat
  fi

  # The MASQUERADE target: NAT without a static external IP
  if [ "$NAT" = "1" ] && [ -z "$NAT_STATIC_IP" ]; then
    modprobe ipt_MASQUERADE
  fi

  echo " Module check done..."
}
  414 
  415 
#######################################
# Housekeeping before the firewall is (re)built: remove stale state files
# from a previous run and optionally quieten the console.
# Globals:   PLUGIN_LOAD_FILE_RESTART, HOST_CACHE_FILE, DMESG_PANIC_ONLY (read)
#######################################
setup_misc()
{
  local stale_file

  # Stale plugin restart file and host-cache file from a previous run
  for stale_file in "$PLUGIN_LOAD_FILE_RESTART" "$HOST_CACHE_FILE"; do
    rm -f "$stale_file"
  done

  # Most people don't want to get any firewall logs being spit to the console.
  # With DMESG_PANIC_ONLY=1 the console only gets messages of level "panic"
  if [ "$DMESG_PANIC_ONLY" = "1" ]; then
    echo "Setting the kernel ring buffer to only log panic messages to the console"
#    dmesg -c    # Clear ring buffer
    dmesg -n 1  # Only show panic messages on the console
  fi
}
  432 
  433 
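#######################################
# Apply the kernel (sysctl) settings the firewall relies on: conntrack
# helper/sizing/timeouts, redirect and source-route handling, forwarding,
# the TCP hardening knobs and the other options chosen in the config file.
# Globals:   CONNTRACK, IPV6_SUPPORT, SOURCE_ROUTE_PROTECTION, IP_FORWARDING,
#            IPV6_AUTO_CONFIGURATION, REDUCE_DOS_ABILITY, SYN_PROT, RP_FILTER,
#            ECHO_IGNORE, LOG_MARTIANS, ICMP_REDIRECT, ECN, EXT_IF_DHCP_IP,
#            NO_PMTU_DISCOVERY, DEFAULT_TTL, TCP_BE_LIBERAL (read);
#            INDENT, NF_CONNTRACK_STATE, LOCAL_PORT_RANGE (written)
# Outputs:   progress to stdout, warnings to stderr
# Returns:   0
#######################################
setup_kernel_settings()
{
  local ttl_valid

  # Set INDENT value for functions
  INDENT='  '

  echo "Configuring general kernel parameters:"

  # Disable conntrack automatic helper assignment, if supported
  #############################################################
  if sysctl_key_match net.netfilter.nf_conntrack_helper; then
    sysctl -w net.netfilter.nf_conntrack_helper=0
  else
    echo " Conntrack legacy automatic helper assignment is ENABLED"
    # Fallback to an older conntrack match method
    NF_CONNTRACK_STATE="-m state --state"
  fi

  # Set the maximum number of connections to track.
  # The kernel "default" depends on the available amount of RAM, 128 MB of RAM -> 8192
  # possible entries, 256 MB of RAM --> 16376 possible entries, etc...
  #######################################################################################
  if [ -n "$CONNTRACK" ] && [ "$CONNTRACK" != "0" ]; then
    echo " Setting the max. amount of simultaneous connections to $CONNTRACK"
    sysctl_multi -w net.nf_conntrack_max="$CONNTRACK" \
                    net.ipv4.netfilter.ip_conntrack_max="$CONNTRACK" \
                    net.ipv4.ip_conntrack_max="$CONNTRACK"
  fi

  # Change some default timings to fix false logs generated by "lost connections"
  # Defaults:
  #          echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
  #          echo 180 > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
  #          echo 10 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
  #          echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
  #          echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
  #          echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
  #          echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
  #          echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
  #          echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
  #          echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
  #          echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
  #          echo 1200 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
  ###############################################################################
#  echo " Setting default conntrack timeouts"

  # This is to fix issues with DNS (nf_conntrack key first, legacy ip_conntrack key second):
  sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout=60 \
                  net.ipv4.netfilter.ip_conntrack_udp_timeout=60

#  sysctl_multi -w net.netfilter.nf_conntrack_udp_timeout_stream=180 \
#                  net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180

  # Enable Conntrack Accounting (kernel config CONFIG_NF_CT_ACCT)
  # CONFIG_NF_CT_ACCT is deprecated and will be removed sometime after kernel 2.6.27
  sysctl -w net.netfilter.nf_conntrack_acct=1 2>/dev/null

  # Always set IPv4 options for IPv4 or IPv4/IPv6
  ######################################################
  echo "Configuring kernel parameters:"

  # Disable ICMP send_redirect
  ############################
  echo " Disabling send redirects"
  sysctl_set_all "net.ipv4.conf" "send_redirects" 0
  if [ "$IPV6_SUPPORT" = "1" ]; then
    sysctl_set_all "net.ipv6.conf" "send_redirects" 0
  fi

  # Don't accept source routed packets.
  # Attackers can use source routing to generate
  # traffic pretending to be from inside your network, but which is routed back along
  # the path from which it came, namely outside, so attackers can compromise your
  # network. Source routing is rarely used for legitimate purposes.
  ###################################################################################
  if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then
    echo " DISABLING protection against source routed packets"
    sysctl_set_all "net.ipv4.conf" "accept_source_route" 1
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_source_route" 1
    fi
  else
    echo " Enabling protection against source routed packets"
    sysctl_set_all "net.ipv4.conf" "accept_source_route" 0
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_source_route" 0
    fi
  fi

  # ICMP Broadcasting protection (smurf amplifier protection)
  ###########################################################
  sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

  # ICMP Dead Error Messages protection
  #####################################
  sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

  # IP forwarding (need it to perform for example NAT)
  ####################################################
  if [ "$IP_FORWARDING" = "1" ]; then
    echo " Enabling packet forwarding"
    # Per-interface key first, the global ip_forward key as fallback
    sysctl_set_all "net.ipv4.conf" "forwarding" 1 || sysctl -w net.ipv4.ip_forward=1 ||
    {
      printf "\033[40m\033[1;31m WARNING: net.ipv4.conf.*.forwarding (or net.ipv4.ip_forward) could not be set! If you're using\033[0m\n" >&2
      printf "\033[40m\033[1;31m          NAT or any other type of forwarding this may be a problem.\033[0m\n" >&2
    }
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "forwarding" 1
      echo " Disabling Local IPv6 Auto-Configuration"
      sysctl_set_all "net.ipv6.conf" "autoconf" 0
      ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values
    fi
  elif [ "$IP_FORWARDING" = "0" ]; then
    echo " DISABLING packet forwarding"
    sysctl_set_all "net.ipv4.conf" "forwarding" 0 2>/dev/null || sysctl -w -e net.ipv4.ip_forward=0 2>/dev/null
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "forwarding" 0 2>/dev/null
      if [ "$IPV6_AUTO_CONFIGURATION" != "0" ]; then
        echo " Enabling IPv6 Auto-Configuration"
        sysctl_set_all "net.ipv6.conf" "autoconf" 1
        sysctl_set_all "net.ipv6.conf" "accept_ra" 1
      else
        echo " DISABLING IPv6 Auto-Configuration"
        sysctl_set_all "net.ipv6.conf" "autoconf" 0
        sysctl_set_all "net.ipv6.conf" "accept_ra" 0
      fi
    fi
  fi

  # Enable some general settings
  ##############################
  echo " Setting some kernel performance options"
  sysctl -w net.ipv4.tcp_window_scaling=1
  sysctl -w net.ipv4.tcp_timestamps=1
  sysctl -w net.ipv4.tcp_sack=1
  sysctl -w net.ipv4.tcp_dsack=1
  sysctl -w net.ipv4.tcp_fack=1
  sysctl -w net.ipv4.tcp_low_latency=0

  # Reduce DoS'ing ability by reducing timeouts
  #############################################################
  if [ "$REDUCE_DOS_ABILITY" = "1" ]; then
    echo " Enabling reduction of the DoS'ing ability"

    sysctl -w net.ipv4.tcp_fin_timeout=30
    sysctl -w net.ipv4.tcp_keepalive_time=1800

    # Set number of times to retry SYN in a new connection
    sysctl -w net.ipv4.tcp_syn_retries=3

    # Set number of times to retry a SYN-ACK in a half-open new connections
    sysctl -w net.ipv4.tcp_synack_retries=2

    # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
    sysctl -w net.ipv4.tcp_rfc1337=1
  elif [ "$REDUCE_DOS_ABILITY" = "0" ]; then
    echo " Disabling reduction of the DoS'ing ability"

    # Defaults:
    sysctl -w net.ipv4.tcp_fin_timeout=60
    sysctl -w net.ipv4.tcp_keepalive_time=7200
    sysctl -w net.ipv4.tcp_syn_retries=5
    sysctl -w net.ipv4.tcp_synack_retries=5
    sysctl -w net.ipv4.tcp_rfc1337=0
  fi

  # Set our local port range. Kernel default = "32768 60999"
  ##########################################################
  if [ -z "$LOCAL_PORT_RANGE" ]; then
    LOCAL_PORT_RANGE="32768 60999"
  fi
  sysctl -w net.ipv4.ip_local_port_range="$LOCAL_PORT_RANGE"

  # Now we change the LOCAL_PORT_RANGE for further use by iptables (replace space with :)
  LOCAL_PORT_RANGE="$(echo "$LOCAL_PORT_RANGE" |tr ' ' ':')"

  # Add synflood protection?
  ##########################
  if [ "$SYN_PROT" != "0" ]; then
    echo " Enabling SYN-flood protection via SYN-cookies"
    sysctl -w net.ipv4.tcp_syncookies=1
  else
    echo " Disabling SYN-flood protection via SYN-cookies"
    sysctl -w net.ipv4.tcp_syncookies=0
  fi

  # Use rp_filter to drop connections from non-routable IPs
  ######################################################################
  if [ "$RP_FILTER" = "2" ]; then
    echo " Enabling loose anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 2
  elif [ "$RP_FILTER" = "1" ]; then
    echo " Enabling strict anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 1
  elif [ "$RP_FILTER" = "0" ]; then
    echo " Disabling anti-spoof with rp_filter"
    sysctl_set_all "net.ipv4.conf" "rp_filter" 0
  fi

  # Block ALL ICMP echo requests?
  ###############################
  if [ "$ECHO_IGNORE" = "1" ]; then
    echo " Blocking all ICMP echo-requests"
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
  elif [ "$ECHO_IGNORE" = "0" ]; then
    sysctl -w net.ipv4.icmp_echo_ignore_all=0
  fi

  # Log martians?
  ###############
  if [ "$LOG_MARTIANS" = "1" ]; then
    echo " Enabling the logging of martians"
    sysctl_set_all "net.ipv4.conf" "log_martians" 1
  elif [ "$LOG_MARTIANS" = "0" ]; then
    echo " Disabling the logging of martians"
    sysctl_set_all "net.ipv4.conf" "log_martians" 0
  fi

  # Accept ICMP redirect messages?
  ################################
  if [ "$ICMP_REDIRECT" = "1" ]; then
    echo " Enabling the acception of ICMP-redirect messages"
    sysctl_set_all "net.ipv4.conf" "accept_redirects" 1
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_redirects" 1
    fi
  elif [ "$ICMP_REDIRECT" = "0" ]; then
    echo " Disabling the acception of ICMP-redirect messages"
    sysctl_set_all "net.ipv4.conf" "accept_redirects" 0
    if [ "$IPV6_SUPPORT" = "1" ]; then
      sysctl_set_all "net.ipv6.conf" "accept_redirects" 0
    fi
  fi

  # Enable ECN? (Explicit Congestion Notification)
  ################################################
  if [ "$ECN" = "1" ]; then
    echo " Enabling ECN (Explicit Congestion Notification)"
    sysctl -w net.ipv4.tcp_ecn=1
  elif [ "$ECN" = "0" ]; then
    echo " Disabling ECN (Explicit Congestion Notification)"
    sysctl -w net.ipv4.tcp_ecn=0
  fi

  # This enables dynamic-address hacking which makes the
  # life with Diald and similar programs much easier.
  ######################################################
  if [ "$EXT_IF_DHCP_IP" = "1" ]; then
    echo " Enabling kernel support for dynamic IPs"
    sysctl -w net.ipv4.ip_dynaddr=1
  elif [ "$EXT_IF_DHCP_IP" = "0" ]; then
    echo " Disabling kernel support for dynamic IPs"
    sysctl -w net.ipv4.ip_dynaddr=0
  fi

  # In most cases pmtu discovery is ok, but in some rare cases (when having problems)
  # you might want to disable it.
  if [ "$NO_PMTU_DISCOVERY" = "1" ]; then
    echo " Disabling PMTU discovery"
    sysctl -w net.ipv4.ip_no_pmtu_disc=1
  elif [ "$NO_PMTU_DISCOVERY" = "0" ]; then
    echo " Enabling PMTU discovery"
    sysctl -w net.ipv4.ip_no_pmtu_disc=0
  fi

  # Time To Live (TTL) is the term for a data field in the internet protocol.
  # TTL is today interpreted to indicate the maximum number of routers a packet may transit.
  # Each router that handles a packet will decrement the TTL field by 1.
  # Raise if you have a huge network.
  # Set the default ttl. (Kernel Default: 64)
  ###########################################################################################
  if [ -n "$DEFAULT_TTL" ]; then
    # Reject non-numeric values before the integer comparison: "[ x -gt 9 ]"
    # would otherwise print an "integer expression expected" error first
    ttl_valid=0
    case "$DEFAULT_TTL" in
      *[!0-9]*) ;;
      *)
        if [ "$DEFAULT_TTL" -gt 9 ] && [ "$DEFAULT_TTL" -lt 256 ]; then
          ttl_valid=1
        fi
        ;;
    esac
    if [ "$ttl_valid" = "1" ]; then
      echo " Setting default TTL=$DEFAULT_TTL"
      sysctl -w net.ipv4.ip_default_ttl="$DEFAULT_TTL"
    else
      printf "\033[40m\033[1;31m WARNING: Ignoring invalid value for DEFAULT_TTL (%s), it should be between 10 and 255!\033[0m\n" "$DEFAULT_TTL" >&2
    fi
  fi

  # Increase the default queuelength. (Kernel Default: 1024)
  ##########################################################
  # sysctl -w -e net.ipv4.ip_queue_maxlen=2048

  # With eg. open iscsi some systems may have problems under heavy load. Enable tcp_be_liberal to workaround this.
  # Same key pair style as the udp_timeout setting above: nf_conntrack key
  # first, the legacy net.ipv4.netfilter.ip_conntrack_* spelling second.
  if [ "$TCP_BE_LIBERAL" = "1" ]; then
    sysctl_multi -w net.netfilter.nf_conntrack_tcp_be_liberal=1 \
                    net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1
  fi

  echo " Flushing route table"
  sysctl -w net.ipv4.route.flush=1
  if [ "$IPV6_SUPPORT" = "1" ]; then
    sysctl -w net.ipv6.route.flush=1
  fi

  echo " Kernel setup done..."

  # Return "no error"
  return 0
}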
  733 
  734 
init_firewall_chains()
{
  local table chain

  echo "Initializing firewall chains"

  # Indentation prefix picked up by the functions that print progress after us
  INDENT='  '

  # Start from a clean IPv4 filter table: flush everything, delete all user
  # chains, then flush the builtin chains explicitly.
  ip4tables -F
  ip4tables -X
  for chain in INPUT OUTPUT FORWARD; do
    ip4tables -F "$chain"
  done

  # Same for the nat/mangle tables. The raw table goes through try_ip4tables,
  # presumably because it may be unavailable and a failure there is tolerable.
  for table in nat mangle; do
    ip4tables -t "$table" -F
    ip4tables -t "$table" -X
  done
  try_ip4tables -t raw -F
  try_ip4tables -t raw -X

  if [ "$IPV6_DETECTED" = "1" ]; then
    # Mirror of the IPv4 clean-up. IPv6 nat and raw are only attempted
    # (try_), mangle is mandatory.
    ip6tables -F
    ip6tables -X
    for chain in INPUT OUTPUT FORWARD; do
      ip6tables -F "$chain"
    done
    try_ip6tables -t nat -F
    try_ip6tables -t nat -X
    ip6tables -t mangle -F
    ip6tables -t mangle -X
    try_ip6tables -t raw -F
    try_ip6tables -t raw -X
  fi

  # Base chains, hooked into the builtin chains at the end of this function.
  # "iptables" (no 4/6 suffix) is the wrapper that presumably applies a rule
  # to every enabled address family.
  for chain in BASE_INPUT_CHAIN BASE_FORWARD_CHAIN BASE_OUTPUT_CHAIN; do
    iptables -N "$chain"
  done

  # Fast path for packets of connections conntrack already knows about
  for chain in BASE_INPUT_CHAIN BASE_FORWARD_CHAIN BASE_OUTPUT_CHAIN; do
    iptables -A "$chain" $NF_CONNTRACK_STATE ESTABLISHED -j ACCEPT
  done

  # ICMP messages related to a tracked connection (errors, unreachables)
  for chain in BASE_INPUT_CHAIN BASE_FORWARD_CHAIN; do
    iptables -A "$chain" $NF_CONNTRACK_STATE RELATED -p icmp -j ACCEPT
  done

  # Other RELATED traffic (helper-expected data connections). With automatic
  # helper assignment switched off (nf_conntrack_helper=0) it is sent to a
  # dedicated CONNTRACK_HELPER chain, presumably populated later; otherwise
  # RELATED tcp/udp is accepted directly, but only towards ports >= 1024,
  # which limits what a helper expectation can open.
  if [ "$(sysctl_get_value net.netfilter.nf_conntrack_helper)" = "0" ]; then
    iptables -N CONNTRACK_HELPER
    iptables -A BASE_INPUT_CHAIN -j CONNTRACK_HELPER
    iptables -A BASE_FORWARD_CHAIN -j CONNTRACK_HELPER
  else
    for chain in BASE_INPUT_CHAIN BASE_FORWARD_CHAIN; do
      iptables -A "$chain" $NF_CONNTRACK_STATE RELATED -p tcp --dport 1024: -j ACCEPT
      iptables -A "$chain" $NF_CONNTRACK_STATE RELATED -p udp --dport 1024: -j ACCEPT
    done
  fi

  # IPv6 Routing Header Type 0 (deprecated by RFC 5095 because of its traffic
  # amplification potential). The INPUT rule is tried first; when the rt match
  # is unavailable the other two are skipped and a warning is printed.
  if [ "$IPV6_SUPPORT" = "1" ] && [ "$IPV6_DROP_RH_ZERO" != "0" ]; then
    if try_ip6tables -A BASE_INPUT_CHAIN -m rt --rt-type 0 -j DROP; then
      ip6tables -A BASE_FORWARD_CHAIN -m rt --rt-type 0 -j DROP
      ip6tables -A BASE_OUTPUT_CHAIN -m rt --rt-type 0 -j DROP
    else
      echo " WARNING: IPv6 Routing Header Type 0 matching not supported"
    fi
  fi

  # Loopback is always trusted
  iptables -A BASE_INPUT_CHAIN -i lo -j ACCEPT
  iptables -A BASE_FORWARD_CHAIN -i lo -j ACCEPT
  iptables -A BASE_OUTPUT_CHAIN -o lo -j ACCEPT

  # Hook the base chains into the builtin ones (BASE_<builtin>_CHAIN)
  for chain in INPUT FORWARD OUTPUT; do
    iptables -A "$chain" -j "BASE_${chain}_CHAIN"
  done

  # Remaining user chains referenced by the rule setup functions
  create_user_chains
}
  841 
  842 
  843 # Check if the base chains are appropriate for the IPV6_SUPPORT setting
  844 #######################################################################
check_for_base_chains()
{
  local have_v4 have_v6

  # Probe for the IPv4 BASE_INPUT_CHAIN; a failed listing means it is absent
  if ip4tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1; then
    have_v4=1
  else
    have_v4=0
  fi

  # ip6tables is only consulted when IPv6 is available; without it the IPv6
  # chain simply counts as absent
  have_v6=0
  if [ "$IPV6_DETECTED" = "1" ] && ip6tables -nL BASE_INPUT_CHAIN >/dev/null 2>&1; then
    have_v6=1
  fi

  # Prints one word on stdout:
  #   yes   - chains exist exactly for the families IPV6_SUPPORT asks for
  #   other - chains exist, but for the other IPV6_SUPPORT setting
  #   no    - no IPv4 base chain at all
  if [ "$IPV6_SUPPORT" = "1" ]; then
    case "${have_v4}${have_v6}" in
      11) echo "yes" ;;
      1*) echo "other" ;;
      *)  echo "no" ;;
    esac
  else
    case "${have_v4}${have_v6}" in
      11) echo "other" ;;
      1*) echo "yes" ;;
      *)  echo "no" ;;
    esac
  fi
}
  879 
  880 
setup_default_policies()
{
  local chain policy

  # Builtin filter chains. While the rules are being (re)built everything is
  # DROPped unless DEFAULT_POLICY_DROP is explicitly 0 -- OUTPUT included, so
  # an interrupted setup fails closed in both directions.
  if [ "$DEFAULT_POLICY_DROP" != "0" ]; then
    policy=DROP
    echo " Setting all default policies to DROP while \"setting up firewall rules\""
  else
    policy=ACCEPT
    echo " WARNING: Setting all default policies to ACCEPT while \"setting up firewall rules\""
  fi
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" "$policy"
  done

  # IPv6 that is present (IPV6_DETECTED) but not managed here (IPV6_SUPPORT
  # off) is shut off completely: DROP policies plus explicit DROP rules,
  # leaving only loopback traffic.
  if [ "$IPV6_SUPPORT" = "1" ]; then
    echo "IPv4/IPv6 mixed mode selected"
  elif [ "$IPV6_DETECTED" = "1" ]; then
    echo "IPv4 mode selected but IPv6 available, DROP all IPv6 packets"
    for chain in INPUT FORWARD OUTPUT; do
      ip6tables -P "$chain" DROP
    done
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A FORWARD -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
      ip6tables -A "$chain" -j DROP
    done
  else
    echo "IPv4 mode selected, no IPv6 available"
  fi

  # POST_INPUT_DROP_CHAIN is a plain DROP for now; it is changed once the
  # rules are in place.
  iptables -A POST_INPUT_DROP_CHAIN -j DROP

  # The blocked-host chains always end in DROP. BLOCKED_HOST_LOG selects what
  # gets logged first (rate-limited to 1/min): 1 = both directions,
  # 2 = inbound only, 3 = outbound only.
  case "$BLOCKED_HOST_LOG" in
    1|2)
      iptables -A HOST_BLOCK_SRC_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Blocked inbound host: "
      ;;
  esac
  iptables -A HOST_BLOCK_SRC_DROP -j DROP

  case "$BLOCKED_HOST_LOG" in
    1|3)
      iptables -A HOST_BLOCK_DST_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Blocked outbound host: "
      ;;
  esac
  iptables -A HOST_BLOCK_DST_DROP -j DROP

  # LINK_LOCAL_DROP (IPv6 only) likewise always DROPs, optionally logging first
  [ "$IPV6_SUPPORT" = "1" ] || return 0
  if [ "$LINK_LOCAL_DROP_LOG" != "0" ]; then
    ip6tables -A LINK_LOCAL_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped Link-Local: "
  fi
  ip6tables -A LINK_LOCAL_DROP -j DROP
}
  947 
  948 
  949 ##################################################################################################################
  950 ## Chain VALID_CHK - Check packets for invalid flags etc.                                                       ##
  951 ##################################################################################################################
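setup_valid_chk_chain()
{
  # Optional LOG pass over the stealth-scan TCP flag signatures (rate-limited
  # so a scan cannot flood syslog). The DROP pass below is unconditional and
  # uses the same signature list, see _valid_chk_scan_rules.
  if [ "$SCAN_LOG" != "0" ]; then
    echo "Logging of stealth scans (nmap probes etc.) enabled"
    _valid_chk_scan_rules log
  else
    echo "Logging of stealth scans (nmap probes etc.) disabled"
  fi

  # Drop the scan packets themselves, regardless of SCAN_LOG
  _valid_chk_scan_rules drop

  # Packets with flag combinations typical of a "lost connection" (bare
  # ACK/FIN/RST etc.) tend to generate false alarms. Silently dropping them
  # here was left disabled upstream; kept for reference:
#  if [ "$LOST_CONNECTION_LOG" != "1" ]; then
#    iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -j POST_INPUT_DROP_CHAIN
#    iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j POST_INPUT_DROP_CHAIN
#    iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j POST_INPUT_DROP_CHAIN
#    iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,FIN -j POST_INPUT_DROP_CHAIN
#    iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,RST -j POST_INPUT_DROP_CHAIN
#    iptables -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j POST_INPUT_DROP_CHAIN
#  fi

  # Packets conntrack classifies as INVALID (belonging to no known
  # connection): optionally log them per protocol, then drop them all.
  if [ "$INVALID_TCP_LOG" = "1" ]; then
    echo "Logging of INVALID TCP packets enabled"
    iptables -A VALID_CHK -p tcp $NF_CONNTRACK_STATE INVALID \
      -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID TCP: "
  else
    echo "Logging of INVALID TCP packets disabled"
  fi

  if [ "$INVALID_UDP_LOG" = "1" ]; then
    echo "Logging of INVALID UDP packets enabled"
    iptables -A VALID_CHK -p udp $NF_CONNTRACK_STATE INVALID \
      -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID UDP: "
  else
    echo "Logging of INVALID UDP packets disabled"
  fi

  if [ "$INVALID_ICMP_LOG" = "1" ]; then
    echo "Logging of INVALID ICMP packets enabled"
    # INVALID echo-requests are only logged when ordinary echo-requests are
    # logged too; all other INVALID ICMP only when ICMP_OTHER_LOG asks for it
    if [ "$ICMP_REQUEST_LOG" != "0" ]; then
      iptables -A VALID_CHK -p icmp --icmp-type echo-request $NF_CONNTRACK_STATE INVALID \
        -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-request: "
    fi
    if [ "$ICMP_OTHER_LOG" != "0" ]; then
      iptables -A VALID_CHK -p icmp ! --icmp-type echo-request $NF_CONNTRACK_STATE INVALID \
        -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INVALID ICMP-other: "
    fi
  else
    echo "Logging of INVALID ICMP packets disabled"
  fi

  iptables -A VALID_CHK $NF_CONNTRACK_STATE INVALID -j POST_INPUT_DROP_CHAIN

  # IPv4 fragments: -f matches the second and later fragments of a datagram.
  # ip4tables only; IPv6 is not covered here (the upstream note is that
  # fragments are unlikely to reach this chain at all).
  if [ "$FRAG_DROP" = "1" ]; then
    echo "Dropping and logging of IPv4 fragmented packets enabled"
    # --log-level added so the configured LOGLEVEL applies to fragment
    # messages as it does to every other LOG rule in this script
    ip4tables -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Fragment packet: "
    ip4tables -A VALID_CHK -f -j DROP
  else
    echo "Dropping and logging of IPv4 fragmented packets disabled"
  fi
}

# Private helper for setup_valid_chk_chain: append one VALID_CHK rule per
# stealth-scan TCP flag signature, in the order listed.
#   $1 = "log"  - rate-limited LOG with the signature's prefix
#   $1 = "drop" - jump to POST_INPUT_DROP_CHAIN
# The list lives here, once, so the LOG and DROP passes always cover the
# same patterns. Each line: <flag mask> <flags that must be set> <log label>
_valid_chk_scan_rules()
{
  local mask flags label

  while IFS=' ' read -r mask flags label; do
    if [ "$1" = "log" ]; then
      iptables -A VALID_CHK -p tcp --tcp-flags "$mask" "$flags" \
        -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth $label: "
    else
      iptables -A VALID_CHK -p tcp --tcp-flags "$mask" "$flags" -j POST_INPUT_DROP_CHAIN
    fi
  done <<EOF
ALL FIN,URG,PSH XMAS scan
ALL SYN,RST,ACK,FIN,URG XMAS-PSH scan
ALL ALL XMAS-ALL scan
ALL FIN FIN scan
SYN,RST SYN,RST SYN/RST scan
SYN,FIN SYN,FIN SYN/FIN scan?
ALL NONE Null scan
EOF
}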
 1095 
 1096 
 1097 ################################################################################################################
 1098 ## Chain RESERVED_NET_CHK - Check if the source addresses of the packets are (in)valid                        ##
 1099 ################################################################################################################
setup_reserved_net_chk_chain()
{
  # Optionally log packets whose source lies in a reserved range (1/min)
  if [ "$RESERVED_NET_LOG" = "1" ]; then
    echo "Logging of access from reserved nets enabled"
    _reserved_net_v4_rules log
    if [ "$IPV6_SUPPORT" = "1" ]; then
      # Any IPv6 source outside 2000::/3 is not global unicast
      ip6tables -A RESERVED_NET_CHK ! -s 2000::/3 \
        -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv6 non-Global address: "
    fi
  else
    echo "Logging of access from reserved nets disabled"
  fi

  # Then drop them. rp_filter already catches some of these; this is the
  # belt-and-braces part.
  if [ "$RESERVED_NET_DROP" = "1" ]; then
    _reserved_net_v4_rules drop
    if [ "$IPV6_SUPPORT" = "1" ]; then
      ip6tables -A RESERVED_NET_CHK ! -s 2000::/3 -j POST_INPUT_DROP_CHAIN
    fi
  fi
}

# Private helper for setup_reserved_net_chk_chain: one RESERVED_NET_CHK rule
# per reserved IPv4 source range, in the order listed.
#   $1 = "log"  - rate-limited LOG, prefix "AIF:IPv4 <kind> address: "
#   $1 = "drop" - jump to POST_INPUT_DROP_CHAIN
# Entries are <cidr>:<kind>. NOTE(review): only 224.0.0.0/24 and 239.0.0.0/24
# are matched, not the whole 224.0.0.0/4 multicast range -- presumably
# deliberate, kept as-is.
_reserved_net_v4_rules()
{
  local entry net kind

  for entry in 10.0.0.0/8:Private 172.16.0.0/12:Private 192.168.0.0/16:Private \
               169.254.0.0/16:Link-local 224.0.0.0/24:Multicast 239.0.0.0/24:Multicast; do
    net=${entry%%:*}
    kind=${entry#*:}
    if [ "$1" = "log" ]; then
      ip4tables -A RESERVED_NET_CHK -s "$net" \
        -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IPv4 $kind address: "
    else
      ip4tables -A RESERVED_NET_CHK -s "$net" -j POST_INPUT_DROP_CHAIN
    fi
  done
}
 1150 
 1151 
 1152 ################################################################################################################
 1153 ## Chain SPOOF_CHK - Check if the source address is not spoofed                                               ##
 1154 ################################################################################################################
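setup_spoof_chk_chain()
{
  # INTERNAL net(s): a packet with an internal source address may only
  # arrive on one of the INT_IF interfaces
  if [ -n "$INT_IF" ] && [ -n "$INTERNAL_NET" ]; then
    if [ "$INTERNAL_NET_ANTISPOOF" != "0" ]; then
      _spoof_chk_rules "INTERNAL" "$INT_IF" "$INTERNAL_NET"
    else
      echo "Antispoof for INTERNAL net(s) DISABLED!"
    fi
  fi

  # DMZ net(s): same rule, for the DMZ_IF interfaces
  if [ -n "$DMZ_IF" ] && [ -n "$DMZ_NET" ]; then
    if [ "$DMZ_NET_ANTISPOOF" != "0" ]; then
      _spoof_chk_rules "DMZ" "$DMZ_IF" "$DMZ_NET"
    else
      echo "Antispoof for DMZ net(s) DISABLED!"
    fi
  fi

  # Every other source passes the check
  iptables -A SPOOF_CHK -j RETURN
}

# Private helper for setup_spoof_chk_chain.
#   $1 = label for the progress line ("INTERNAL" / "DMZ")
#   $2 = interface list, $3 = network list (space or comma separated)
# For each network: RETURN when it arrives on one of its own interfaces,
# otherwise LOG (rate-limited) and DROP -- an inside source address showing
# up on any other interface is spoofed.
_spoof_chk_rules()
{
  local label="$1" ifaces="$2" nets="$3"
  local net interface

  printf 'Setting up antispoof for %s net(s): ' "$label"
  # IFS is deliberately left modified afterwards, as the rest of this script does
  IFS=' ,'
  for net in $nets; do
    # Print via %s: a '%' or '\' in the configured value must not be
    # interpreted as a printf directive
    printf '%s ' "$net"
    for interface in $ifaces; do
      iptables -A SPOOF_CHK -i $interface -s $net -j RETURN
    done
    iptables -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed packet: "
    iptables -A SPOOF_CHK -s $net -j POST_INPUT_DROP_CHAIN
  done
  echo ""
}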
 1200 
 1201 
 1202 ################################################################
 1203 # Setup rules to forward INET IPv6 and non-NAT'ed IPv4 traffic #
 1204 ################################################################
setup_inet_forward_rules()
{
  # Non-NAT forwarding of INET traffic, one set of rules per protocol
  # family; see _inet_forward_rules for the per-rule expansion.
  _inet_forward_rules tcp INET_FORWARD_TCP "$INET_FORWARD_TCP"
  _inet_forward_rules udp INET_FORWARD_UDP "$INET_FORWARD_UDP"
  _inet_forward_rules ip  INET_FORWARD_IP  "$INET_FORWARD_IP"
}

# Private helper for setup_inet_forward_rules.
#   $1 = tcp | udp | ip
#   $2 = name of the config variable (handed to parse_rule)
#   $3 = its value, a whitespace separated list of rules
# parse_rule fills in the globals interfaces, shosts, dhosts and ports
# (tcp/udp) or protos (ip). Every shost/dhost/port-or-proto/interface
# combination becomes an ACCEPT in EXT_FORWARD_IN_CHAIN; "-i X ! -o X"
# keeps the traffic from being forwarded back out of the interface it
# came in on.
_inet_forward_rules()
{
  local kind="$1" var="$2" rules="$3"
  local spec proto_txt what rule shost dhost item interface

  case "$kind" in
    tcp) spec="interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; proto_txt="TCP port(s)" ;;
    udp) spec="interfaces:EXT_IF-shosts-dhosts-ports:ANYPORT"; proto_txt="UDP port(s)" ;;
    *)   spec="interfaces:EXT_IF-shosts-dhosts-protos";        proto_txt="IP protocol(s)" ;;
  esac

  unset IFS
  for rule in $rules; do
    parse_rule "$rule" "$var" "$spec" || continue

    if [ "$kind" = "ip" ]; then
      what="$protos"
    else
      what="$ports"
    fi
    echo "$(show_if_ip "$interfaces")Forwarding(non-NAT) $proto_txt: $what from $shosts(INET) to $dhosts"

    IFS=' ,'
    for shost in $(ip_range "$shosts"); do
      for dhost in $(ip_range "$dhosts"); do
        for item in $what; do
          for interface in $interfaces; do
            if [ "$kind" = "ip" ]; then
              iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p $item -j ACCEPT
            else
              iptables -A EXT_FORWARD_IN_CHAIN -i $interface ! -o $interface -s $shost -d $dhost -p $kind --dport $item -j ACCEPT
            fi
          done
        done
      done
    done
  done
}
 1270 
 1271 
 1272 ##################################################
 1273 # Setup chain for the DMZ input traffic          #
 1274 ##################################################
setup_dmz_input_chain()
{
  local icmpv6_type

  # Per-host allow rules ("hosts>ports" / "hosts>protos" entries)
  _dmz_input_host_rules tcp DMZ_HOST_OPEN_TCP "$DMZ_HOST_OPEN_TCP"
  _dmz_input_host_rules udp DMZ_HOST_OPEN_UDP "$DMZ_HOST_OPEN_UDP"
  _dmz_input_host_rules ip  DMZ_HOST_OPEN_IP  "$DMZ_HOST_OPEN_IP"

  # Ports / protocols open to any source
  _dmz_input_open_rules tcp "$DMZ_OPEN_TCP"
  _dmz_input_open_rules udp "$DMZ_OPEN_UDP"
  _dmz_input_open_rules ip  "$DMZ_OPEN_IP"

  # ICMP echo-request: accepted rate-limited when DMZ_OPEN_ICMP is on, plus
  # the ICMPv6 types listed in ICMPV6_SPECIAL_TYPES when they carry hop
  # limit 255 (presumably the neighbour-discovery related types)
  if [ "$DMZ_OPEN_ICMP" != "0" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
    if [ "$IPV6_SUPPORT" = "1" ]; then
      unset IFS
      for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do
        ip6tables -A DMZ_INPUT_CHAIN -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT
      done
    fi
  fi

  # Echo-requests reaching this point are either over the limit above or
  # not allowed at all: optionally log, then drop
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi
  iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Default deny for the chain, optionally logged
  if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
    iptables -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ-INPUT denied: "
  fi
  iptables -A DMZ_INPUT_CHAIN -j DROP
}

# Private helper for setup_dmz_input_chain: per-host allow rules.
#   $1 = tcp | udp | ip
#   $2 = name of the config variable (handed to parse_rule)
#   $3 = its value, a whitespace separated list of rules
# parse_rule fills in the globals hosts and ports (tcp/udp) or protos (ip).
_dmz_input_host_rules()
{
  local kind="$1" var="$2" rules="$3"
  local spec proto_txt what rule host item

  case "$kind" in
    tcp) spec="hosts-ports";  proto_txt="TCP port(s)" ;;
    udp) spec="hosts-ports";  proto_txt="UDP port(s)" ;;
    *)   spec="hosts-protos"; proto_txt="IP protocol(s)" ;;
  esac

  unset IFS
  for rule in $rules; do
    parse_rule "$rule" "$var" "$spec" || continue

    if [ "$kind" = "ip" ]; then
      what="$protos"
    else
      what="$ports"
    fi
    echo " Allowing $hosts(DMZ) for $proto_txt: $what"

    # NB: comma separated only, unlike the space-or-comma lists used elsewhere
    IFS=','
    for host in $(ip_range "$hosts"); do
      for item in $what; do
        if [ "$kind" = "ip" ]; then
          iptables -A DMZ_INPUT_CHAIN -s $host -p $item -j ACCEPT
        else
          iptables -A DMZ_INPUT_CHAIN -s $host -p $kind --dport $item -j ACCEPT
        fi
      done
    done
  done
}

# Private helper for setup_dmz_input_chain: ports/protocols open to any
# source. $1 = tcp | udp | ip, $2 = space or comma separated list (nothing is
# done for an empty list).
_dmz_input_open_rules()
{
  local kind="$1" list="$2"
  local item

  [ -n "$list" ] || return 0

  case "$kind" in
    tcp) echo " Allowing TCP port(s): $list" ;;
    udp) echo " Allowing UDP port(s): $list" ;;
    *)   echo " Allowing IP protocol(s): $list" ;;
  esac

  IFS=' ,'
  for item in $list; do
    if [ "$kind" = "ip" ]; then
      iptables -A DMZ_INPUT_CHAIN -p $item -j ACCEPT
    else
      iptables -A DMZ_INPUT_CHAIN -p $kind --dport $item -j ACCEPT
    fi
  done
}
 1389 
 1390 
 1391 ##################################################
 1392 # Setup chain for the DMZ-to-LAN forward traffic #
 1393 ##################################################
setup_dmz_lan_forward_chain()
{
  echo " Setting up DMZ->LAN policy"

  # Per-host allow rules ("shosts>dhosts>ports" / "shosts>dhosts>protos")
  _dmz_lan_forward_host_rules tcp DMZ_LAN_HOST_OPEN_TCP "$DMZ_LAN_HOST_OPEN_TCP"
  _dmz_lan_forward_host_rules udp DMZ_LAN_HOST_OPEN_UDP "$DMZ_LAN_HOST_OPEN_UDP"
  _dmz_lan_forward_host_rules ip  DMZ_LAN_HOST_OPEN_IP  "$DMZ_LAN_HOST_OPEN_IP"

  # Rate-limited echo-requests DMZ->LAN. NOTE(review): unlike DMZ_OPEN_ICMP
  # (tested != 0) only the literal value 1 enables this.
  if [ "$DMZ_LAN_OPEN_ICMP" = "1" ]; then
    echo "  Allowing ICMP-requests(ping)"
    iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # Echo-requests reaching this point are either over the limit above or
  # not allowed at all: optionally log, then drop
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi
  iptables -A DMZ_LAN_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Default deny for the chain, optionally logged
  if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
    iptables -A DMZ_LAN_FORWARD_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->LAN denied: "
  fi
  iptables -A DMZ_LAN_FORWARD_CHAIN -j DROP
}

# Private helper for setup_dmz_lan_forward_chain: per-host allow rules.
#   $1 = tcp | udp | ip
#   $2 = name of the config variable (handed to parse_rule)
#   $3 = its value, a whitespace separated list of rules
# parse_rule fills in the globals shosts, dhosts and ports (tcp/udp) or
# protos (ip).
_dmz_lan_forward_host_rules()
{
  local kind="$1" var="$2" rules="$3"
  local spec proto_txt what rule shost dhost item

  case "$kind" in
    tcp) spec="shosts:ANYHOST-dhosts-ports:ANYPORT"; proto_txt="TCP port(s)" ;;
    udp) spec="shosts:ANYHOST-dhosts-ports:ANYPORT"; proto_txt="UDP port(s)" ;;
    *)   spec="shosts:ANYHOST-dhosts-protos";        proto_txt="IP protocol(s)" ;;
  esac

  unset IFS
  for rule in $rules; do
    parse_rule "$rule" "$var" "$spec" || continue

    if [ "$kind" = "ip" ]; then
      what="$protos"
    else
      what="$ports"
    fi
    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for $proto_txt: $what"

    # NB: comma separated only, unlike the space-or-comma lists used elsewhere
    IFS=','
    for shost in $(ip_range "$shosts"); do
      for dhost in $(ip_range "$dhosts"); do
        for item in $what; do
          if [ "$kind" = "ip" ]; then
            iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $item -j ACCEPT
          else
            iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $kind --dport $item -j ACCEPT
          fi
        done
      done
    done
  done
}
 1481 
 1482 
 1483 ###################################################
 1484 # Setup chain for the INET-to-DMZ forward traffic #
 1485 ###################################################
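setup_inet_dmz_forward_chain()
{
  # Fills INET_DMZ_FORWARD_CHAIN with the INET->DMZ forwarding policy.  The
  # chain is presumably created and flushed elsewhere in this script before
  # this runs.  Every rule is appended (-A), so the section order below is the
  # match order: per-host ALLOW, per-host DENY, global ALLOW, ICMP allow,
  # global DENY, ICMP logging/drop, then an unconditional DROP.  Because the
  # chain ends in DROP, INET->DMZ traffic is denied unless explicitly allowed.
  #
  # Globals (read): INET_DMZ_HOST_OPEN_{TCP,UDP,IP}, INET_DMZ_HOST_DENY_{TCP,UDP,IP},
  #   INET_DMZ_OPEN_{TCP,UDP,IP}, INET_DMZ_DENY_{TCP,UDP,IP}, INET_DMZ_OPEN_ICMP,
  #   DMZ_INPUT_DENY_LOG, ICMP_REQUEST_LOG, LOGLEVEL
  # Globals (written): IFS (left as ',' or unset on return; callers must not
  #   rely on it), the loop variables, and the fields set by parse_rule
  #   (interfaces, shosts, dhosts, destips, ports, protos).
  # Outputs: progress lines on stdout.
  # Returns: the status of the last iptables call; failures are not checked.
  echo " Setting up INET->DMZ policy"

  # TCP ports to ALLOW for certain INET hosts
  #########################################
  # parse_rule (defined elsewhere in this file) splits "$rule" into the named
  # fields and returns non-zero for a rule it does not accept, which is then
  # skipped.  ANYHOST/ANYPORT presumably mark fields with a wildcard default.
  unset IFS
  for rule in $INET_DMZ_HOST_OPEN_TCP; do
    if parse_rule "$rule" INET_DMZ_HOST_OPEN_TCP "interfaces-shosts-dhosts-ports:ANYPORT"; then

      echo "  $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports"

      # Fields are comma-separated lists, hence IFS=','; ip_range expands host
      # ranges into individual entries.  The loop variables are single tokens
      # and stay unquoted as elsewhere in this file; $(ipt_if ...) is unquoted
      # so that an empty result contributes no argument.
      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain INET hosts
  #########################################
  unset IFS
  for rule in $INET_DMZ_HOST_OPEN_UDP; do
    if parse_rule "$rule" INET_DMZ_HOST_OPEN_UDP "interfaces-shosts-dhosts-ports:ANYPORT"; then

      echo "  $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to ALLOW for certain INET hosts
  ######################################################
  unset IFS
  for rule in $INET_DMZ_HOST_OPEN_IP; do
    if parse_rule "$rule" INET_DMZ_HOST_OPEN_IP "interfaces-shosts-dhosts-protos"; then

      echo "  $(show_if_ip "$interfaces")Allowing $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for proto in $protos; do
            for interface in $interfaces; do
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done


  # TCP ports to DENY for certain INET hosts
  #########################################
  # Per-host denials are logged at most once per hour (the global DENY
  # sections further down use 1/s).  LOG is a non-terminating target, so the
  # explicit DROP that follows it is what actually discards the packet.
  unset IFS
  for rule in $INET_DMZ_HOST_DENY_TCP; do
    if parse_rule "$rule" INET_DMZ_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

      echo "  $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for TCP port(s): $ports"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
                iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p tcp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
              fi
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p tcp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # UDP ports to DENY for certain INET hosts
  #########################################
  unset IFS
  for rule in $INET_DMZ_HOST_DENY_UDP; do
    if parse_rule "$rule" INET_DMZ_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

      echo "  $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for UDP port(s): $ports"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
                iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p udp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
              fi
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p udp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to DENY for certain INET hosts
  #####################################################
  unset IFS
  for rule in $INET_DMZ_HOST_DENY_IP; do
    if parse_rule "$rule" INET_DMZ_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then

      echo "  $(show_if_ip "$interfaces")Denying $shosts(INET) to $dhosts(DMZ) for IP protocol(s): $protos"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for proto in $protos; do
            for interface in $interfaces; do
              if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
                iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p $proto \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET->DMZ denied: "
              fi
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -s $shost -d $dhost -p $proto -j DROP
            done
          done
        done
      done
    fi
  done

  # Allow only certain TCP ports to be used from the INET->DMZ?
  #############################################################
  # Global ALLOW rules are keyed on destination IP only (any source host).
  unset IFS
  for rule in $INET_DMZ_OPEN_TCP; do
    if parse_rule "$rule" INET_DMZ_OPEN_TCP "interfaces-destips-ports"; then

      echo " $(show_if_ip "$interfaces" "$destips")Allowing TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow only certain UDP ports to be used from the INET->DMZ?
  #############################################################
  unset IFS
  for rule in $INET_DMZ_OPEN_UDP; do
    if parse_rule "$rule" INET_DMZ_OPEN_UDP "interfaces-destips-ports"; then

      echo " $(show_if_ip "$interfaces" "$destips")Allowing UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow only certain IP protocols to be used from the INET->DMZ?
  ################################################################
  unset IFS
  for rule in $INET_DMZ_OPEN_IP; do
    if parse_rule "$rule" INET_DMZ_OPEN_IP "interfaces-destips-protos"; then

      echo " $(show_if_ip "$interfaces" "$destips")Allowing IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -j ACCEPT
          done
        done
      done
    fi
  done

  # Allow ICMP-requests(ping) for INET->DMZ?
  ##########################################
  # Inbound ping is closed unless INET_DMZ_OPEN_ICMP is exactly "1" (the
  # DMZ->INET direction uses the opposite default); when open it is
  # rate-limited.  Echo-requests not accepted here are dropped near the end.
  if [ "$INET_DMZ_OPEN_ICMP" = "1" ]; then
    echo "  Allowing ICMP-requests(ping)"
    iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # TCP ports to DENY for INET->DMZ
  #################################
  unset IFS
  for rule in $INET_DMZ_DENY_TCP; do
    if parse_rule "$rule" INET_DMZ_DENY_TCP "interfaces-destips-ports"; then

      echo " $(show_if_ip "$interfaces" "$destips")Denying TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -m limit \
                --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
            fi
            iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j DROP
          done
        done
      done
    fi
  done

  # UDP ports to DENY for INET->DMZ
  #################################
  unset IFS
  for rule in $INET_DMZ_DENY_UDP; do
    if parse_rule "$rule" INET_DMZ_DENY_UDP "interfaces-destips-ports"; then

      echo " $(show_if_ip "$interfaces" "$destips")Denying UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -m limit \
                --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
            fi
            iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j DROP
          done
        done
      done
    fi
  done

  # IP protocols to DENY for INET->DMZ
  ####################################
  unset IFS
  for rule in $INET_DMZ_DENY_IP; do
    if parse_rule "$rule" INET_DMZ_DENY_IP "interfaces-destips-protos"; then

      echo " $(show_if_ip "$interfaces" "$destips")Denying IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces; do
            if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
              iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -m limit \
                --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
            fi
            iptables -A INET_DMZ_FORWARD_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -j DROP
          done
        done
      done
    fi
  done

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  echo "  Denying all other INET->DMZ packets"

  # Drop ICMP packets
  # Dropped explicitly before the catch-all LOG below so that unwanted pings
  # do not show up under the generic "INET->DMZ denied" prefix.
  iptables -A INET_DMZ_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Catch-all: log (rate-limited) and drop everything not matched above.
  if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then
    iptables -A INET_DMZ_FORWARD_CHAIN \
      -m limit --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET->DMZ denied: "
  fi
  iptables -A INET_DMZ_FORWARD_CHAIN -j DROP
}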
 1781 
 1782 
 1783 ###################################################
 1784 # Setup chain for the DMZ-to-INET forward traffic #
 1785 ###################################################
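setup_dmz_inet_forward_chain()
{
  # Fills DMZ_INET_FORWARD_CHAIN with the DMZ->INET forwarding policy.  The
  # chain is presumably created and flushed elsewhere in this script before
  # this runs.  Rules are appended (-A), so the section order below is the
  # match order: per-host ALLOW, per-host DENY, global ALLOW, ICMP allow,
  # global DENY, ICMP logging/drop, then the default policy.  Unlike the
  # INET->DMZ chain, the default is ACCEPT unless an *_OPEN_* variable is set
  # or DMZ_INET_DEFAULT_POLICY_DROP is set (see the last section).
  #
  # Globals (read): DMZ_INET_HOST_OPEN_{TCP,UDP,IP}, DMZ_INET_HOST_DENY_{TCP,UDP,IP},
  #   DMZ_INET_OPEN_{TCP,UDP,IP}, DMZ_INET_DENY_{TCP,UDP,IP}, DMZ_INET_OPEN_ICMP,
  #   DMZ_INET_DEFAULT_POLICY_DROP, DMZ_OUTPUT_DENY_LOG, ICMP_REQUEST_LOG, LOGLEVEL
  # Globals (written): IFS (left as ',' or unset on return; callers must not
  #   rely on it), the loop variables, and the fields set by parse_rule
  #   (interfaces, shosts, dhosts, ports, protos).
  # Outputs: progress lines on stdout.
  # Returns: the status of the last iptables call; failures are not checked.
  echo " Setting up DMZ->INET policy"

  # TCP ports to ALLOW for certain DMZ hosts
  #########################################
  # parse_rule (defined elsewhere in this file) splits "$rule" into the named
  # fields and returns non-zero for a rule it does not accept, which is then
  # skipped.  ANYHOST/ANYPORT presumably mark fields with a wildcard default.
  unset IFS
  for rule in $DMZ_INET_HOST_OPEN_TCP; do
    if parse_rule "$rule" DMZ_INET_HOST_OPEN_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

      # This rule type has no destips field; only the interfaces are shown,
      # matching the UDP and IP sections below (a stale $destips from an
      # earlier rule type must not leak into this message).
      echo "  $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for TCP port(s): $ports"

      # Fields are comma-separated lists, hence IFS=','; ip_range expands host
      # ranges into individual entries.  The loop variables are single tokens
      # and stay unquoted as elsewhere in this file; $(ipt_if ...) is unquoted
      # so that an empty result contributes no argument.  Note -o: this is
      # the outbound interface towards the Internet.
      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # UDP ports to ALLOW for certain DMZ hosts
  #########################################
  unset IFS
  for rule in $DMZ_INET_HOST_OPEN_UDP; do
    if parse_rule "$rule" DMZ_INET_HOST_OPEN_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

      echo "  $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for UDP port(s): $ports"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to ALLOW for certain DMZ hosts
  #####################################################
  unset IFS
  for rule in $DMZ_INET_HOST_OPEN_IP; do
    if parse_rule "$rule" DMZ_INET_HOST_OPEN_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then

      echo "  $(show_if_ip "$interfaces")Allowing $shosts(DMZ) to $dhosts(INET) for IP protocol(s): $protos"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for proto in $protos; do
            for interface in $interfaces; do
              iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done


  # TCP ports to DENY for certain DMZ hosts
  #########################################
  # Per-host denials are logged at most once per hour (the global DENY
  # sections further down use 1/s).  LOG is a non-terminating target, so the
  # explicit DROP that follows it is what actually discards the packet.
  unset IFS
  for rule in $DMZ_INET_HOST_DENY_TCP; do
    if parse_rule "$rule" DMZ_INET_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

      echo "  $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for TCP port(s): $ports"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: "
              fi
              iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # UDP ports to DENY for certain DMZ hosts
  #########################################
  unset IFS
  for rule in $DMZ_INET_HOST_DENY_UDP; do
    if parse_rule "$rule" DMZ_INET_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then

      echo "  $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for UDP port(s): $ports"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for port in $ports; do
            for interface in $interfaces; do
              if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: "
              fi
              iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j DROP
            done
          done
        done
      done
    fi
  done

  # (Other) IP protocols to DENY for certain DMZ hosts
  #####################################################
  unset IFS
  for rule in $DMZ_INET_HOST_DENY_IP; do
    if parse_rule "$rule" DMZ_INET_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then

      echo "  $(show_if_ip "$interfaces")Denying $shosts(DMZ) to $dhosts(INET) for IP protocol(s): $protos"

      IFS=','
      for shost in $(ip_range "$shosts"); do
        for dhost in $(ip_range "$dhosts"); do
          for proto in $protos; do
            for interface in $interfaces; do
              if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto \
                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host DMZ->INET denied: "
              fi
              iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j DROP
            done
          done
        done
      done
    fi
  done

  # Allow only certain TCP ports to be used from the DMZ->INET?
  #############################################################
  # Global ALLOW rules are keyed on interface and port only.  Setting any of
  # the DMZ_INET_OPEN_* / DMZ_INET_HOST_OPEN_* variables also switches the
  # default policy at the end of this chain to DROP.
  unset IFS
  for rule in $DMZ_INET_OPEN_TCP; do
    if parse_rule "$rule" DMZ_INET_OPEN_TCP "interfaces-ports"; then

      echo " $(show_if_ip "$interfaces")Allowing TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # Allow only certain UDP ports to be used from the DMZ->INET?
  #############################################################
  unset IFS
  for rule in $DMZ_INET_OPEN_UDP; do
    if parse_rule "$rule" DMZ_INET_OPEN_UDP "interfaces-ports"; then

      echo " $(show_if_ip "$interfaces")Allowing UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # Allow only certain IP protocols to be used from the DMZ->INET?
  ################################################################
  unset IFS
  for rule in $DMZ_INET_OPEN_IP; do
    if parse_rule "$rule" DMZ_INET_OPEN_IP "interfaces-protos"; then

      echo " $(show_if_ip "$interfaces")Allowing IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for interface in $interfaces; do
          iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j ACCEPT
        done
      done
    fi
  done

  # Allow ICMP-requests(ping) for DMZ->INET?
  ##########################################
  # Outbound ping is open by default: only DMZ_INET_OPEN_ICMP="0" closes it
  # (the INET->DMZ direction requires an explicit "1").  Rate-limited when open.
  if [ "$DMZ_INET_OPEN_ICMP" != "0" ]; then
    echo "  Allowing ICMP-requests(ping)"
    iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # TCP ports to DENY for DMZ->INET
  #################################
  unset IFS
  for rule in $DMZ_INET_DENY_TCP; do
    if parse_rule "$rule" DMZ_INET_DENY_TCP "interfaces-ports"; then

      echo " $(show_if_ip "$interfaces")Denying TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
            iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -m limit \
              --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
          fi
          iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j DROP
        done
      done
    fi
  done

  # UDP ports to DENY for DMZ->INET
  #################################
  unset IFS
  for rule in $DMZ_INET_DENY_UDP; do
    if parse_rule "$rule" DMZ_INET_DENY_UDP "interfaces-ports"; then

      echo " $(show_if_ip "$interfaces")Denying UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for interface in $interfaces; do
          if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
            iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -m limit \
              --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
          fi
          iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j DROP
        done
      done
    fi
  done

  # IP protocols to DENY for DMZ->INET
  ####################################
  unset IFS
  for rule in $DMZ_INET_DENY_IP; do
    if parse_rule "$rule" DMZ_INET_DENY_IP "interfaces-protos"; then

      echo " $(show_if_ip "$interfaces")Denying IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for interface in $interfaces; do
          if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
            iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -m limit \
              --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
          fi
          iptables -A DMZ_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j DROP
        done
      done
    fi
  done

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop ICMP packets
  # Echo-requests not accepted above are dropped here, before the default
  # policy, so they are never let through by a default ACCEPT.
  iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used)
  ###########################################################################################
  # ACCEPT when no OPEN variable is set and DMZ_INET_DEFAULT_POLICY_DROP is
  # empty, or when DMZ_INET_DEFAULT_POLICY_DROP is explicitly "0"; otherwise
  # log (optional) and DROP.  The tests are chained with && / || instead of
  # the deprecated -a operator; precedence is the same as in the original.
  if [ -z "$DMZ_INET_OPEN_TCP" ] && [ -z "$DMZ_INET_HOST_OPEN_TCP" ] && \
     [ -z "$DMZ_INET_OPEN_UDP" ] && [ -z "$DMZ_INET_HOST_OPEN_UDP" ] && \
     [ -z "$DMZ_INET_OPEN_IP" ]  && [ -z "$DMZ_INET_HOST_OPEN_IP" ]  && \
     [ -z "$DMZ_INET_DEFAULT_POLICY_DROP" ] \
     || [ "$DMZ_INET_DEFAULT_POLICY_DROP" = "0" ]; then
    echo "  Allowing all (other) ports/protocols"
    iptables -A DMZ_INET_FORWARD_CHAIN -j ACCEPT
  else
    if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then
      iptables -A DMZ_INET_FORWARD_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: "
    fi
    echo "  Denying all (other) ports/protocols"
    iptables -A DMZ_INET_FORWARD_CHAIN -j DROP
  fi
}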
 2078 
 2079 
 2080 #########################################
 2081 # Setup chain for the LAN input traffic #
 2082 #########################################
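setup_int_input_chain()
{
  # Fills INT_INPUT_CHAIN with the policy for traffic from the LAN to the
  # firewall host itself.  The chain is presumably created and flushed
  # elsewhere in this script before this runs.  Rules are appended (-A), so
  # the section order below is the match order: per-host ALLOW, per-host
  # DENY, global ALLOW, ICMP allow, global DENY, ICMP logging/drop, then the
  # default policy (ACCEPT unless an *_OPEN_* variable or
  # LAN_DEFAULT_POLICY_DROP is set; see the last section).
  #
  # Globals (read): LAN_HOST_OPEN_{TCP,UDP,IP}, LAN_HOST_DENY_{TCP,UDP,IP},
  #   LAN_OPEN_{TCP,UDP,IP}, LAN_DENY_{TCP,UDP,IP}, LAN_OPEN_ICMP,
  #   LAN_DEFAULT_POLICY_DROP, LAN_INPUT_DENY_LOG, ICMP_REQUEST_LOG, LOGLEVEL
  # Globals (written): IFS (left modified on return; callers must not rely on
  #   it), the loop variables, and the fields set by parse_rule (hosts, ports,
  #   protos).
  # Outputs: progress lines on stdout.
  # Returns: the status of the last iptables call; failures are not checked.

  # TCP ports to OPEN for certain LAN hosts
  #########################################
  # parse_rule (defined elsewhere in this file) splits "$rule" into the named
  # fields and returns non-zero for a rule it does not accept, which is then
  # skipped.  ANYHOST/ANYPORT presumably mark fields with a wildcard default.
  # Fields are comma-separated lists, hence IFS=','; ip_range expands host
  # ranges.  Loop variables are single tokens and stay unquoted as elsewhere
  # in this file.
  unset IFS
  for rule in $LAN_HOST_OPEN_TCP; do
    if parse_rule "$rule" LAN_HOST_OPEN_TCP "hosts-ports"; then

      echo " Allowing $hosts(LAN) for TCP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # UDP ports to OPEN for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_OPEN_UDP; do
    if parse_rule "$rule" LAN_HOST_OPEN_UDP "hosts-ports"; then

      echo " Allowing $hosts(LAN) for UDP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT
        done
      done
    fi
  done

  # IP protocols to OPEN for certain LAN hosts
  ############################################
  unset IFS
  for rule in $LAN_HOST_OPEN_IP; do
    if parse_rule "$rule" LAN_HOST_OPEN_IP "hosts-protos"; then

      echo " Allowing $hosts(LAN) for IP protocol(s): $protos"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          iptables -A INT_INPUT_CHAIN -s $host -p $proto -j ACCEPT
        done
      done
    fi
  done

  # TCP ports to DENY for certain LAN hosts
  #########################################
  # Per-host denials are logged at most once per hour (the global DENY
  # sections further down use 1/s).  LOG is a non-terminating target, so the
  # explicit DROP that follows it is what actually discards the packet.
  unset IFS
  for rule in $LAN_HOST_DENY_TCP; do
    if parse_rule "$rule" LAN_HOST_DENY_TCP "hosts:ANYHOST-ports:ANYPORT"; then

      echo " Denying $hosts(LAN) for TCP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
            iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port \
              -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: "
          fi
          iptables -A INT_INPUT_CHAIN -s $host -p tcp --dport $port -j DROP
        done
      done
    fi
  done

  # UDP ports to DENY for certain LAN hosts
  #########################################
  unset IFS
  for rule in $LAN_HOST_DENY_UDP; do
    if parse_rule "$rule" LAN_HOST_DENY_UDP "hosts:ANYHOST-ports:ANYPORT"; then

      echo " Denying $hosts(LAN) for UDP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
            iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port \
              -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: "
          fi
          iptables -A INT_INPUT_CHAIN -s $host -p udp --dport $port -j DROP
        done
      done
    fi
  done

  # IP protocols to DENY for certain LAN hosts
  ############################################
  unset IFS
  for rule in $LAN_HOST_DENY_IP; do
    if parse_rule "$rule" LAN_HOST_DENY_IP "hosts:ANYHOST-protos"; then

      echo " Denying $hosts(LAN) for IP protocol(s): $protos"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
            iptables -A INT_INPUT_CHAIN -s $host -p $proto \
              -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN denied: "
          fi
          iptables -A INT_INPUT_CHAIN -s $host -p $proto -j DROP
        done
      done
    fi
  done

  # Allow only certain TCP ports to be used from the LAN?
  #######################################################
  # LAN_OPEN_* / LAN_DENY_* are plain space- or comma-separated lists (no
  # interface or host part), so they are split directly with IFS=' ,' instead
  # of going through parse_rule.  Setting any LAN_OPEN_* / LAN_HOST_OPEN_*
  # variable also switches the default policy at the end of this chain to DROP.
  if [ -n "$LAN_OPEN_TCP" ]; then
    echo " Allowing TCP port(s): $LAN_OPEN_TCP"
    IFS=' ,'
    for port in $LAN_OPEN_TCP; do
      iptables -A INT_INPUT_CHAIN -p tcp --dport $port -j ACCEPT
    done
  fi

  # Allow only certain UDP ports to be used from the LAN?
  #######################################################
  if [ -n "$LAN_OPEN_UDP" ]; then
    echo " Allowing UDP port(s): $LAN_OPEN_UDP"
    IFS=' ,'
    for port in $LAN_OPEN_UDP; do
      iptables -A INT_INPUT_CHAIN -p udp --dport $port -j ACCEPT
    done
  fi

  # Allow only certain IP protocols to be used from the LAN?
  ##########################################################
  if [ -n "$LAN_OPEN_IP" ]; then
    echo " Allowing IP protocol(s): $LAN_OPEN_IP"
    IFS=' ,'
    for proto in $LAN_OPEN_IP; do
      iptables -A INT_INPUT_CHAIN -p $proto -j ACCEPT
    done
  fi

  # Allow world to send ICMP packets?
  ###################################
  # Ping from the LAN is open by default: only LAN_OPEN_ICMP="0" closes it.
  # Rate-limited when open.
  if [ "$LAN_OPEN_ICMP" != "0" ]; then
    echo " Allowing ICMP-requests(ping)"
    iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
  fi

  # TCP ports to DENY for LAN hosts
  #################################
  if [ -n "$LAN_DENY_TCP" ]; then
    echo " Denying TCP port(s): $LAN_DENY_TCP"
    IFS=' ,'
    for port in $LAN_DENY_TCP; do
      if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
        iptables -A INT_INPUT_CHAIN -p tcp --dport $port -m limit \
          --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
      fi
      iptables -A INT_INPUT_CHAIN -p tcp --dport $port -j DROP
    done
  fi

  # UDP ports to DENY for LAN hosts
  #################################
  if [ -n "$LAN_DENY_UDP" ]; then
    echo " Denying UDP port(s): $LAN_DENY_UDP"
    IFS=' ,'
    for port in $LAN_DENY_UDP; do
      if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
        iptables -A INT_INPUT_CHAIN -p udp --dport $port -m limit \
          --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
      fi
      iptables -A INT_INPUT_CHAIN -p udp --dport $port -j DROP
    done
  fi

  # IP protocols to DENY for LAN hosts
  ####################################
  if [ -n "$LAN_DENY_IP" ]; then
    echo " Denying IP protocol(s): $LAN_DENY_IP"
    IFS=' ,'
    for proto in $LAN_DENY_IP; do
      if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
        iptables -A INT_INPUT_CHAIN -p $proto -m limit \
          --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
      fi
      iptables -A INT_INPUT_CHAIN -p $proto -j DROP
    done
  fi

  # Log incoming ICMP-request packets?
  ####################################
  if [ "$ICMP_REQUEST_LOG" != "0" ]; then
    iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request \
      -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
  fi

  # Drop ICMP packets
  # Echo-requests not accepted above are dropped here, before the default
  # policy, so they are never let through by a default ACCEPT.
  iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP

  # Set the default policy
  ########################
  # ACCEPT when no OPEN variable is set and LAN_DEFAULT_POLICY_DROP is empty,
  # or when LAN_DEFAULT_POLICY_DROP is explicitly "0"; otherwise log
  # (optional) and DROP.  The tests are chained with && / || instead of the
  # deprecated -a operator; precedence is the same as in the original.
  if [ -z "$LAN_OPEN_TCP" ] && [ -z "$LAN_HOST_OPEN_TCP" ] && \
     [ -z "$LAN_OPEN_UDP" ] && [ -z "$LAN_HOST_OPEN_UDP" ] && \
     [ -z "$LAN_OPEN_IP" ]  && [ -z "$LAN_HOST_OPEN_IP" ]  && \
     [ -z "$LAN_DEFAULT_POLICY_DROP" ] \
     || [ "$LAN_DEFAULT_POLICY_DROP" = "0" ]; then
    echo " Allowing all (other) ports/protocols"
    iptables -A INT_INPUT_CHAIN -j ACCEPT
  else
    echo " Denying all (other) ports/protocols"
    if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then
      iptables -A INT_INPUT_CHAIN -m limit \
        --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN-INPUT denied: "
    fi
    iptables -A INT_INPUT_CHAIN -j DROP
  fi
}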
 2305 
 2306 
 2307 ##################################################
 2308 # Setup chain for the LAN-to-LAN forward traffic #
 2309 ##################################################
 2310 setup_lan_lan_forward_chain()
 2311 {
 2312   local rtn_val=1
 2313 
 2314   echo " Setting up LAN->LAN policy"
 2315 
 2316   # TCP ports to ALLOW for certain Inter-LAN hosts
 2317   ################################################
 2318   unset IFS
 2319   for rule in $LAN_LAN_HOST_OPEN_TCP; do
 2320     if parse_rule "$rule" LAN_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
 2321 
 2322       echo "  Allowing $shosts(LAN) to $dhosts(LAN) for TCP port(s): $ports"
 2323 
 2324       IFS=','
 2325       for shost in `ip_range "$shosts"`; do
 2326         for dhost in `ip_range "$dhosts"`; do
 2327           for port in $ports; do
 2328             iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
 2329             rtn_val=0
 2330           done
 2331         done
 2332       done
 2333     fi
 2334   done
 2335 
 2336   # UDP ports to ALLOW for certain Inter-LAN hosts
 2337   ################################################
 2338   unset IFS
 2339   for rule in $LAN_LAN_HOST_OPEN_UDP; do
 2340     if parse_rule "$rule" LAN_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
 2341 
 2342       echo "  Allowing $shosts(LAN) to $dhosts(LAN) for UDP port(s): $ports"
 2343 
 2344       IFS=','
 2345       for shost in `ip_range "$shosts"`; do
 2346         for dhost in `ip_range "$dhosts"`; do
 2347           for port in $ports; do
 2348             iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT
 2349             rtn_val=0
 2350           done
 2351         done
 2352       done
 2353     fi
 2354   done
 2355 
 2356   # IP protocol(s) to ALLOW for certain Inter-LAN hosts
 2357   #####################################################
 2358   unset IFS
 2359   for rule in $LAN_LAN_HOST_OPEN_IP; do
 2360     if parse_rule "$rule" LAN_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then
 2361 
 2362       echo "  Allowing $shosts(LAN) to $dhosts(LAN) for IP protocol(s): $protos"
 2363 
 2364       IFS=','
 2365       for shost in `ip_range "$shosts"`; do
 2366         for dhost in `ip_range "$dhosts"`; do
 2367           for proto in $protos; do
 2368             iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT
 2369             rtn_val=0
 2370           done
 2371         done
 2372       done
 2373     fi
 2374   done
 2375 
 2376   return $rtn_val
 2377 }
 2378 
 2379 
 2380 ###################################################
 2381 # Setup chain for the LAN-to-INET forward traffic #
 2382 ###################################################
 2383 setup_lan_inet_forward_chain()
 2384 {
 2385   echo " Setting up LAN->INET policy"
 2386 
 2387   # TCP ports to ALLOW for certain LAN hosts
 2388   #########################################
 2389   unset IFS
 2390   for rule in $LAN_INET_HOST_OPEN_TCP; do
 2391     if parse_rule "$rule" LAN_INET_HOST_OPEN_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
 2392 
 2393       echo "  $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for TCP port(s): $ports"
 2394 
 2395       IFS=','
 2396       for shost in `ip_range "$shosts"`; do
 2397         for dhost in `ip_range "$dhosts"`; do
 2398           for port in $ports; do
 2399             for interface in $interfaces; do
 2400               iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
 2401             done
 2402           done
 2403         done
 2404       done
 2405     fi
 2406   done
 2407 
 2408   # UDP ports to ALLOW for certain LAN hosts
 2409   #########################################
 2410   unset IFS
 2411   for rule in $LAN_INET_HOST_OPEN_UDP; do
 2412     if parse_rule "$rule" LAN_INET_HOST_OPEN_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
 2413 
 2414       echo "  $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for UDP port(s): $ports"
 2415 
 2416       IFS=','
 2417       for shost in `ip_range "$shosts"`; do
 2418         for dhost in `ip_range "$dhosts"`; do
 2419           for port in $ports; do
 2420             for interface in $interfaces; do
 2421               iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j ACCEPT
 2422             done
 2423           done
 2424         done
 2425       done
 2426     fi
 2427   done
 2428 
 2429   # (Other) IP protocols to ALLOW for certain LAN hosts
 2430   #####################################################
 2431   unset IFS
 2432   for rule in $LAN_INET_HOST_OPEN_IP; do
 2433     if parse_rule "$rule" LAN_INET_HOST_OPEN_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
 2434 
 2435       echo "  $(show_if_ip "$interfaces")Allowing $shosts(LAN) to $dhosts(INET) for IP protocol(s): $protos"
 2436 
 2437       IFS=','
 2438       for shost in `ip_range "$shosts"`; do
 2439         for dhost in `ip_range "$dhosts"`; do
 2440           for proto in $protos; do
 2441             for interface in $interfaces; do
 2442               iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j ACCEPT
 2443             done
 2444           done
 2445         done
 2446       done
 2447     fi
 2448   done
 2449 
 2450   # TCP ports to DENY for certain LAN hosts
 2451   #########################################
 2452   unset IFS
 2453   for rule in $LAN_INET_HOST_DENY_TCP; do
 2454     if parse_rule "$rule" LAN_INET_HOST_DENY_TCP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
 2455 
 2456       echo "  $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for TCP port(s): $ports"
 2457 
 2458       IFS=','
 2459       for shost in `ip_range "$shosts"`; do
 2460         for dhost in `ip_range "$dhosts"`; do
 2461           for port in $ports; do
 2462             for interface in $interfaces; do
 2463               if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
 2464                 iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port \
 2465                   -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
 2466               fi
 2467               iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p tcp --dport $port -j DROP
 2468             done
 2469           done
 2470         done
 2471       done
 2472     fi
 2473   done
 2474 
 2475   # UDP ports to DENY for certain LAN hosts
 2476   #########################################
 2477   unset IFS
 2478   for rule in $LAN_INET_HOST_DENY_UDP; do
 2479     if parse_rule "$rule" LAN_INET_HOST_DENY_UDP "interfaces-shosts:ANYHOST-dhosts-ports:ANYPORT"; then
 2480 
 2481       echo "  $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for UDP port(s): $ports"
 2482 
 2483       IFS=','
 2484       for shost in `ip_range "$shosts"`; do
 2485         for dhost in `ip_range "$dhosts"`; do
 2486           for port in $ports; do
 2487             for interface in $interfaces; do
 2488               if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
 2489                 iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port \
 2490                   -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
 2491               fi
 2492               iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p udp --dport $port -j DROP
 2493             done
 2494           done
 2495         done
 2496       done
 2497     fi
 2498   done
 2499 
 2500   # (Other) IP protocols to DENY for certain LAN hosts
 2501   #####################################################
 2502   unset IFS
 2503   for rule in $LAN_INET_HOST_DENY_IP; do
 2504     if parse_rule "$rule" LAN_INET_HOST_DENY_IP "interfaces-shosts:ANYHOST-dhosts-protos"; then
 2505 
 2506       echo "  $(show_if_ip "$interfaces")Denying $shosts(LAN) to $dhosts(INET) for IP protocol(s): $protos"
 2507 
 2508       IFS=','
 2509       for shost in `ip_range "$shosts"`; do
 2510         for dhost in `ip_range "$dhosts"`; do
 2511           for proto in $protos; do
 2512             for interface in $interfaces; do
 2513               if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
 2514                 iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto \
 2515                   -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host LAN->INET denied: "
 2516               fi
 2517               iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -s $shost -d $dhost -p $proto -j DROP
 2518             done
 2519           done
 2520         done
 2521       done
 2522     fi
 2523   done
 2524 
 2525   # Allow only certain udp ports to be used from the LAN->INET?
 2526   #############################################################
 2527   unset IFS
 2528   for rule in $LAN_INET_OPEN_TCP; do
 2529     if parse_rule "$rule" LAN_INET_OPEN_TCP "interfaces-ports"; then
 2530 
 2531       echo "  $(show_if_ip "$interfaces")Allowing TCP port(s): $ports"
 2532 
 2533       IFS=','
 2534       for port in $ports; do
 2535         for interface in $interfaces; do
 2536           iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j ACCEPT
 2537         done
 2538       done
 2539     fi
 2540   done
 2541 
 2542   # Allow only certain UDP ports to be used from the LAN->INET?
 2543   #############################################################
 2544   unset IFS
 2545   for rule in $LAN_INET_OPEN_UDP; do
 2546     if parse_rule "$rule" LAN_INET_OPEN_UDP "interfaces-ports"; then
 2547 
 2548       echo "  $(show_if_ip "$interfaces")Allowing UDP port(s): $ports"
 2549 
 2550       IFS=','
 2551       for port in $ports; do
 2552         for interface in $interfaces; do
 2553           iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j ACCEPT
 2554         done
 2555       done
 2556     fi
 2557   done
 2558 
 2559   # Allow only certain IP protocols to be used from the LAN->INET?
 2560   ################################################################
 2561   unset IFS
 2562   for rule in $LAN_INET_OPEN_IP; do
 2563     if parse_rule "$rule" LAN_INET_OPEN_IP "interfaces-protos"; then
 2564 
 2565       echo "  $(show_if_ip "$interfaces")Allowing IP protocol(s): $protos"
 2566 
 2567       IFS=','
 2568       for proto in $protos; do
 2569         for interface in $interfaces; do
 2570           iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j ACCEPT
 2571         done
 2572       done
 2573     fi
 2574   done
 2575 
 2576   # Allow ICMP-requests(ping) for LAN->INET?
 2577   ##########################################
 2578   if [ "$LAN_INET_OPEN_ICMP" != "0" ]; then
 2579     echo "  Allowing ICMP-requests(ping)"
 2580     iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
 2581       -m limit --limit 20/second --limit-burst 100 -j ACCEPT
 2582   fi
 2583 
 2584   # TCP ports to DENY for LAN->INET
 2585   #################################
 2586   unset IFS
 2587   for rule in $LAN_INET_DENY_TCP; do
 2588     if parse_rule "$rule" LAN_INET_DENY_TCP "interfaces-ports"; then
 2589 
 2590       echo "  $(show_if_ip "$interfaces")Denying TCP port(s): $ports"
 2591 
 2592       IFS=','
 2593       for port in $ports; do
 2594         for interface in $interfaces; do
 2595           if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
 2596             iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -m limit \
 2597               --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: "
 2598           fi
 2599           iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p tcp --dport $port -j DROP
 2600         done
 2601       done
 2602     fi
 2603   done
 2604 
 2605   # UDP ports to DENY for LAN->INET
 2606   #################################
 2607   unset IFS
 2608   for rule in $LAN_INET_DENY_UDP; do
 2609     if parse_rule "$rule" LAN_INET_DENY_UDP "interfaces-ports"; then
 2610 
 2611       echo "  $(show_if_ip "$interfaces")Denying UDP port(s): $ports"
 2612 
 2613       IFS=','
 2614       for port in $ports; do
 2615         for interface in $interfaces; do
 2616           if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
 2617             iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -m limit \
 2618               --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: "
 2619           fi
 2620           iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p udp --dport $port -j DROP
 2621         done
 2622       done
 2623     fi
 2624   done
 2625 
 2626   # IP protocols to DENY for LAN->INET
 2627   ####################################
 2628   unset IFS
 2629   for rule in $LAN_INET_DENY_IP; do
 2630     if parse_rule "$rule" LAN_INET_DENY_IP "interfaces-protos"; then
 2631 
 2632       echo "  $(show_if_ip "$interfaces")Denying IP protocol(s): $protos"
 2633 
 2634       IFS=','
 2635       for proto in $protos; do
 2636         for interface in $interfaces; do
 2637           if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
 2638             iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -m limit \
 2639               --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: "
 2640           fi
 2641           iptables -A LAN_INET_FORWARD_CHAIN $(ipt_if -o "$interface") -p $proto -j DROP
 2642         done
 2643       done
 2644     fi
 2645   done
 2646 
 2647   # Log incoming ICMP-request packets?
 2648   ####################################
 2649   if [ "$ICMP_REQUEST_LOG" != "0" ]; then
 2650     iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request \
 2651       -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
 2652   fi
 2653 
 2654   # Drop ICMP packets
 2655   iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP
 2656 
 2657   # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used)
 2658   ###########################################################################################
 2659   if [ -z "$LAN_INET_OPEN_TCP" -a -z "$LAN_INET_HOST_OPEN_TCP" -a \
 2660        -z "$LAN_INET_OPEN_UDP" -a -z "$LAN_INET_HOST_OPEN_UDP" -a \
 2661        -z "$LAN_INET_OPEN_IP"  -a -z "$LAN_INET_HOST_OPEN_IP"  -a -z "$LAN_INET_DEFAULT_POLICY_DROP" ] \
 2662      || [ "$LAN_INET_DEFAULT_POLICY_DROP" = "0" ]; then
 2663     echo "  Allowing all (other) ports/protocols"
 2664     iptables -A LAN_INET_FORWARD_CHAIN -j ACCEPT
 2665   else
 2666     if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then
 2667       iptables -A LAN_INET_FORWARD_CHAIN -m limit \
 2668         --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: "
 2669     fi
 2670     echo "  Denying all (other) ports/protocols"
 2671     iptables -A LAN_INET_FORWARD_CHAIN -j DROP
 2672   fi
 2673 }
 2674 
 2675 
 2676 ######################################################################################################################
 2677 ## Chain EXT_INPUT_CHAIN - Checks all incoming packets for the EXTERNAL interface(s)                                ##
 2678 ######################################################################################################################
 2679 setup_ext_input_chain()
 2680 {
 2681   ## Log scanning of port 0 fingerprinting
 2682   ########################################
 2683   if [ "$SCAN_LOG" != "0" ]; then
 2684     iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 \
 2685       -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Port 0 OS fingerprint: "
 2686     iptables -A EXT_INPUT_CHAIN -p udp --dport 0 \
 2687       -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Port 0 OS fingerprint: "
 2688   fi
 2689 
 2690   # Drop port 0 scan packets
 2691   ##########################
 2692   iptables -A EXT_INPUT_CHAIN -p tcp --dport 0 -j POST_INPUT_DROP_CHAIN
 2693   iptables -A EXT_INPUT_CHAIN -p udp --dport 0 -j POST_INPUT_DROP_CHAIN
 2694 
 2695   ## Log scanning of source port 0
 2696   ################################
 2697   if [ "$SCAN_LOG" != "0" ]; then
 2698     iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 \
 2699       -m limit --limit 6/h --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP source port 0: "
 2700     iptables -A EXT_INPUT_CHAIN -p udp --sport 0 \
 2701       -m limit --limit 6/h --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP source port 0: "
 2702   fi
 2703 
 2704   # Drop source port 0 packets
 2705   ############################
 2706   iptables -A EXT_INPUT_CHAIN -p tcp --sport 0 -j POST_INPUT_DROP_CHAIN
 2707   iptables -A EXT_INPUT_CHAIN -p udp --sport 0 -j POST_INPUT_DROP_CHAIN
 2708 
 2709   # Here we add support for DHCP assigned IP
 2710   ##########################################
 2711   if [ "$EXT_IF_DHCP_IP" = "1" ]; then
 2712     echo " Enabling support for DHCP-assigned-IP (DHCP client)"
 2713     # Allow this host to be an DHCP client:
 2714     ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT
 2715   fi
 2716   if [ "$EXT_IF_DHCP_IP" = "1" -o "$EXT_IF_DHCPV6_IPV6" = "1" ]; then
 2717     if [ "$IPV6_SUPPORT" = "1" ]; then
 2718       # Allow this host to be an DHCPv6 client:
 2719       ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT
 2720     fi
 2721   fi
 2722 
 2723   # Support for a DHCP/BootP service on the EXTERNAL interface
 2724   ############################################################
 2725   if [ "$EXTERNAL_DHCP_SERVER" = "1" ]; then
 2726     echo " Enabling support for DHCP/BOOTP (DHCP server) for subnet(s): $EXTERNAL_NET"
 2727     IFS=' ,'
 2728     for net in $EXTERNAL_NET; do
 2729       # Allow this host to be a DHCP/BOOTP-server:
 2730       ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -p udp --dport 67 -j ACCEPT
 2731       ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --dport 67 -j ACCEPT
 2732 #      ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT
 2733 #      ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --sport 68 --dport 67 -j ACCEPT
 2734 
 2735       # Extra rules to allow packets from other dhcp servers in the same segment
 2736       ip4tables -A EXT_INPUT_CHAIN -s $net -d 255.255.255.255 -p udp --sport 67 --dport 68 -j ACCEPT
 2737     done
 2738   fi
 2739 
 2740   # Support for a DHCPv6 service on the EXTERNAL interface
 2741   ########################################################
 2742   if [ "$IPV6_SUPPORT" = "1" -a "$EXTERNAL_DHCPV6_SERVER" = "1" ]; then
 2743     echo " Enabling support for DHCPv6 server on external interface(s)"
 2744     # Allow only Link-Local clients
 2745     ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --dport 547 -j ACCEPT
 2746   fi
 2747 
 2748   # This is the fix(hack) for nmb broadcast packets (nmblookup/Samba)
 2749   ###################################################################
 2750   if [ "$NMB_BROADCAST_FIX" = "1" ]; then
 2751     echo " Enabling support for NMB-broadcasts(Samba) for subnet(s): $EXTERNAL_NET"
 2752     IFS=' ,'
 2753     for net in $EXTERNAL_NET; do
 2754       ip4tables -A EXT_INPUT_CHAIN -s $net -p udp --sport 137 --dport "$LOCAL_PORT_RANGE" -j ACCEPT
 2755     done
 2756   fi
 2757 
 2758   # Enable logging of blocked hosts?
 2759   ##################################
 2760   if [ "$BLOCKED_HOST_LOG" = "1" ]; then
 2761     echo " Logging of explicitly blocked hosts inbound/outbound enabled"
 2762   elif [ "$BLOCKED_HOST_LOG" = "2" ]; then
 2763     echo " Logging of explicitly blocked hosts inbound enabled"
 2764   elif [ "$BLOCKED_HOST_LOG" = "3" ]; then
 2765     echo " Logging of explicitly blocked hosts outbound enabled"
 2766   else
 2767     echo " Logging of explicitly blocked hosts disabled"
 2768   fi
 2769 
 2770   # Enable logging of denied output connections?
 2771   ##############################################
 2772   if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
 2773     echo " Logging of denied local output connections enabled"
 2774   else
 2775     echo " Logging of denied local output connections disabled"
 2776   fi
 2777 
 2778   # Add TCP ports to allow for certain hosts
 2779   ##########################################
 2780   unset IFS
 2781   for rule in $HOST_OPEN_TCP; do
 2782     if parse_rule "$rule" HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
 2783 
 2784       echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports"
 2785 
 2786       IFS=','
 2787       for host in `ip_range "$hosts"`; do
 2788         for port in $ports; do
 2789           for destip in $destips; do
 2790             for interface in $interfaces; do
 2791               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j ACCEPT
 2792             done
 2793           done
 2794         done
 2795       done
 2796     fi
 2797   done
 2798 
 2799 
 2800   # Add UDP ports to allow for certain hosts
 2801   ##########################################
 2802   unset IFS
 2803   for rule in $HOST_OPEN_UDP; do
 2804     if parse_rule "$rule" HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
 2805 
 2806       echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports"
 2807 
 2808       IFS=','
 2809       for host in `ip_range "$hosts"`; do
 2810         for port in $ports; do
 2811           for destip in $destips; do
 2812             for interface in $interfaces; do
 2813               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j ACCEPT
 2814             done
 2815           done
 2816         done
 2817       done
 2818     fi
 2819   done
 2820 
 2821 
 2822   # Add IP protocols to allow for certain hosts
 2823   #############################################
 2824   unset IFS
 2825   for rule in $HOST_OPEN_IP; do
 2826     if parse_rule "$rule" HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
 2827 
 2828       echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos"
 2829 
 2830       IFS=','
 2831       for host in `ip_range "$hosts"`; do
 2832         for proto in $protos; do
 2833           for destip in $destips; do
 2834             for interface in $interfaces; do
 2835               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p $proto -j ACCEPT
 2836             done
 2837           done
 2838         done
 2839       done
 2840     fi
 2841   done
 2842 
 2843 
 2844   # Add ICMP to allow for certain hosts
 2845   #####################################
 2846   unset IFS
 2847   for rule in $HOST_OPEN_ICMP; do
 2848     if parse_rule "$rule" HOST_OPEN_ICMP "interfaces-destips-hosts"; then
 2849 
 2850       echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)"
 2851 
 2852       IFS=','
 2853       for host in `ip_range "$hosts"`; do
 2854         for destip in $destips; do
 2855           for interface in $interfaces; do
 2856             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p icmp --icmp-type echo-request -j ACCEPT
 2857           done
 2858         done
 2859       done
 2860     fi
 2861   done
 2862 
 2863 
 2864   # Add TCP ports to REJECT for certain hosts but NOT logged
 2865   ##########################################################
 2866   unset IFS
 2867   for rule in $HOST_REJECT_TCP_NOLOG; do
 2868     if parse_rule "$rule" HOST_REJECT_TCP_NOLOG "interfaces-destips-hosts-ports"; then
 2869 
 2870       echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for TCP port(s) (NO LOG): $ports"
 2871 
 2872       IFS=','
 2873       for host in `ip_range "$hosts"`; do
 2874         for port in $ports; do
 2875           for destip in $destips; do
 2876             for interface in $interfaces; do
 2877               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
 2878             done
 2879           done
 2880         done
 2881       done
 2882     fi
 2883   done
 2884 
 2885 
 2886   # Add UDP ports to REJECT for certain hosts NOT logged
 2887   ######################################################
 2888   unset IFS
 2889   for rule in $HOST_REJECT_UDP_NOLOG; do
 2890     if parse_rule "$rule" HOST_REJECT_UDP_NOLOG "interfaces-destips-hosts-ports"; then
 2891 
 2892       echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for UDP port(s) (NO LOG): $ports"
 2893 
 2894       IFS=','
 2895       for host in `ip_range "$hosts"`; do
 2896         for port in $ports; do
 2897           for destip in $destips; do
 2898             for interface in $interfaces; do
 2899               ip4tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
 2900               if [ "$IPV6_SUPPORT" = "1" ]; then
 2901                 ip6tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
 2902               fi
 2903             done
 2904           done
 2905         done
 2906       done
 2907     fi
 2908   done
 2909 
 2910 
 2911   # Add TCP ports to REJECT for certain hosts
 2912   ###########################################
 2913   unset IFS
 2914   for rule in $HOST_REJECT_TCP; do
 2915     if parse_rule "$rule" HOST_REJECT_TCP "interfaces-destips-hosts-ports"; then
 2916 
 2917       echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for TCP port(s): $ports"
 2918 
 2919       IFS=','
 2920       for host in `ip_range "$hosts"`; do
 2921         for port in $ports; do
 2922           for destip in $destips; do
 2923             for interface in $interfaces; do
 2924               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port \
 2925                 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise TCP rejected: "
 2926 
 2927               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
 2928             done
 2929           done
 2930         done
 2931       done
 2932     fi
 2933   done
 2934 
 2935 
 2936   # Add UDP ports to REJECT for certain hosts
 2937   ###########################################
 2938   unset IFS
 2939   for rule in $HOST_REJECT_UDP; do
 2940     if parse_rule "$rule" HOST_REJECT_UDP "interfaces-destips-hosts-ports"; then
 2941 
 2942       echo " $(show_if_ip "$interfaces" "$destips")Rejecting $hosts for UDP port(s): $ports"
 2943 
 2944       IFS=','
 2945       for host in `ip_range "$hosts"`; do
 2946         for port in $ports; do
 2947           for destip in $destips; do
 2948             for interface in $interfaces; do
 2949               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port \
 2950                 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise UDP rejected: "
 2951 
 2952               ip4tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
 2953               if [ "$IPV6_SUPPORT" = "1" ]; then
 2954                 ip6tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
 2955               fi
 2956             done
 2957           done
 2958         done
 2959       done
 2960     fi
 2961   done
 2962 
 2963 
 2964   # Add TCP ports to DENY for certain hosts but NOT logged
 2965   ########################################################
 2966   unset IFS
 2967   for rule in $HOST_DENY_TCP_NOLOG; do
 2968     if parse_rule "$rule" HOST_DENY_TCP_NOLOG "interfaces-destips-hosts-ports"; then
 2969 
 2970       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for TCP port(s) (NO LOG): $ports"
 2971 
 2972       IFS=','
 2973       for host in `ip_range "$hosts"`; do
 2974         for port in $ports; do
 2975           for destip in $destips; do
 2976             for interface in $interfaces; do
 2977               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
 2978             done
 2979           done
 2980         done
 2981       done
 2982     fi
 2983   done
 2984 
 2985 
 2986   # Add UDP ports to DENY for certain hosts but NOT logged
 2987   ########################################################
 2988   unset IFS
 2989   for rule in $HOST_DENY_UDP_NOLOG; do
 2990     if parse_rule "$rule" HOST_DENY_UDP_NOLOG "interfaces-destips-hosts-ports"; then
 2991 
 2992       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for UDP port(s) (NO LOG): $ports"
 2993 
 2994       IFS=','
 2995       for host in `ip_range "$hosts"`; do
 2996         for port in $ports; do
 2997           for destip in $destips; do
 2998             for interface in $interfaces; do
 2999               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
 3000             done
 3001           done
 3002         done
 3003       done
 3004     fi
 3005   done
 3006 
 3007   # Add IP protocols to DENY for certain hosts but NOT logged
 3008   ###########################################################
 3009   unset IFS
 3010   for rule in $HOST_DENY_IP_NOLOG; do
 3011     if parse_rule "$rule" HOST_DENY_IP_NOLOG "interfaces-destips-hosts-protos"; then
 3012 
 3013       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for IP protocol(s) (NO LOG): $protos"
 3014 
 3015       IFS=','
 3016       for host in `ip_range "$hosts"`; do
 3017         for proto in $protos; do
 3018           for destip in $destips; do
 3019             for interface in $interfaces; do
 3020               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p $proto -j POST_INPUT_DROP_CHAIN
 3021             done
 3022           done
 3023         done
 3024       done
 3025     fi
 3026   done
 3027 
 3028   # Add ICMP-request to DENY for certain hosts but NOT logged
 3029   ############################################################
 3030   unset IFS
 3031   for rule in $HOST_DENY_ICMP_NOLOG; do
 3032     if parse_rule "$rule" HOST_DENY_ICMP_NOLOG "interfaces-destips-hosts"; then
 3033 
 3034       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for ICMP-requests(ping)"
 3035 
 3036       IFS=','
 3037       for host in `ip_range "$hosts"`; do
 3038         for destip in $destips; do
 3039           for interface in $interfaces; do
 3040             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN
 3041           done
 3042         done
 3043       done
 3044     fi
 3045   done
 3046 
 3047 
 3048   # Add TCP ports to DENY for certain hosts
 3049   #########################################
 3050   unset IFS
 3051   for rule in $HOST_DENY_TCP; do
 3052     if parse_rule "$rule" HOST_DENY_TCP "interfaces-destips-hosts-ports"; then
 3053 
 3054       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for TCP port(s): $ports"
 3055 
 3056       IFS=','
 3057       for host in `ip_range "$hosts"`; do
 3058         for port in $ports; do
 3059           for destip in $destips; do
 3060             for interface in $interfaces; do
 3061               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port \
 3062                 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
 3063 
 3064               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
 3065             done
 3066           done
 3067         done
 3068       done
 3069     fi
 3070   done
 3071 
 3072 
 3073   # Add UDP ports to DENY for certain hosts
 3074   #########################################
 3075   unset IFS
 3076   for rule in $HOST_DENY_UDP; do
 3077     if parse_rule "$rule" HOST_DENY_UDP "interfaces-destips-hosts-ports"; then
 3078 
 3079       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for UDP port(s): $ports"
 3080 
 3081       IFS=','
 3082       for host in `ip_range "$hosts"`; do
 3083         for port in $ports; do
 3084           for destip in $destips; do
 3085             for interface in $interfaces; do
 3086               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port \
 3087                 -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
 3088 
 3089               iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
 3090             done
 3091           done
 3092         done
 3093       done
 3094     fi
 3095   done
 3096 
 3097 
  # Add IP protocols to DENY for certain hosts
  # NOTE(review): unlike the HOST_DENY_IP_NOLOG rules above, the LOG and drop
  # rules below omit the $(ipt_if -i "$interface") and -d $destip matches even
  # though they loop over $interfaces and $destips. Any interface/destip given
  # in a HOST_DENY_IP entry is therefore ignored (the host is denied on every
  # interface/address) and the same pair of rules is appended once per
  # interface/destip combination. Presumably an oversight - verify before
  # relying on interface-scoped HOST_DENY_IP entries.
  ############################################
 3100   unset IFS
 3101   for rule in $HOST_DENY_IP; do
 3102     if parse_rule "$rule" HOST_DENY_IP "interfaces-destips-hosts-protos"; then
 3103 
 3104       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for IP protocol(s): $protos"
 3105 
 3106       IFS=','
 3107       for host in `ip_range "$hosts"`; do
 3108         for proto in $protos; do
 3109           for destip in $destips; do
 3110             for interface in $interfaces; do
 3111               iptables -A EXT_INPUT_CHAIN -s $host -p $proto \
 3112                  -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
 3113 
 3114               iptables -A EXT_INPUT_CHAIN -s $host -p $proto -j POST_INPUT_DROP_CHAIN
 3115             done
 3116           done
 3117         done
 3118       done
 3119     fi
 3120   done
 3121 
 3122 
  # Add ICMP-request to DENY for certain hosts
  # NOTE(review): the HOST_DENY_ICMP_NOLOG rules above carry the
  # $(ipt_if -i "$interface") and -d $destip matches; the logged variant
  # below does not, so interface/destip qualifiers in a HOST_DENY_ICMP entry
  # are ignored and the rules are duplicated per interface/destip. Looks like
  # an inconsistency rather than intent - confirm.
  ############################################
 3125   unset IFS
 3126   for rule in $HOST_DENY_ICMP; do
 3127     if parse_rule "$rule" HOST_DENY_ICMP "interfaces-destips-hosts"; then
 3128 
 3129       echo " $(show_if_ip "$interfaces" "$destips")Denying $hosts for ICMP-requests(ping)"
 3130 
 3131       IFS=','
 3132       for host in `ip_range "$hosts"`; do
 3133         for destip in $destips; do
 3134           for interface in $interfaces; do
 3135             if [ "$ICMP_DROP_LOG" != "0" ]; then
 3136               iptables -A EXT_INPUT_CHAIN -s $host -p icmp --icmp-type echo-request -m limit --limit 1/h --limit-burst 1 \
 3137                 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host INET denied: "
 3138             fi
 3139             iptables -A EXT_INPUT_CHAIN -s $host -p icmp --icmp-type echo-request -j POST_INPUT_DROP_CHAIN
 3140           done
 3141         done
 3142       done
 3143     fi
 3144   done
 3145 
 3146   # Adding TCP ports to be denied for everyone
 3147   ############################################
 3148   unset IFS
 3149   for rule in $DENY_TCP; do
 3150     if parse_rule "$rule" DENY_TCP "interfaces-destips-ports"; then
 3151 
 3152       echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for TCP port(s): $ports"
 3153 
 3154       IFS=','
 3155       for port in $ports; do
 3156         for destip in $destips; do
 3157           for interface in $interfaces; do
 3158             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port \
 3159               -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-INPUT denied: "
 3160 
 3161             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
 3162           done
 3163         done
 3164       done
 3165     fi
 3166   done
 3167 
 3168   # Adding UDP ports to be denied for everyone
 3169   ############################################
 3170   unset IFS
 3171   for rule in $DENY_UDP; do
 3172     if parse_rule "$rule" DENY_UDP "interfaces-destips-ports"; then
 3173 
 3174       echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for UDP port(s): $ports"
 3175 
 3176       IFS=','
 3177       for port in $ports; do
 3178         for destip in $destips; do
 3179           for interface in $interfaces; do
 3180             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port \
 3181               -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:INET-INPUT denied: "
 3182 
 3183             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
 3184           done
 3185         done
 3186       done
 3187     fi
 3188   done
 3189 
 3190   # Adding TCP ports to be rejected for everyone
 3191   ##############################################
 3192   unset IFS
 3193   for rule in $REJECT_TCP; do
 3194     if parse_rule "$rule" REJECT_TCP "interfaces-destips-ports"; then
 3195 
 3196       echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for TCP port(s): $ports"
 3197 
 3198       IFS=','
 3199       for port in $ports; do
 3200         for destip in $destips; do
 3201           for interface in $interfaces; do
 3202             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port \
 3203               -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Rejected TCP port: "
 3204 
 3205             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
 3206           done
 3207         done
 3208       done
 3209     fi
 3210   done
 3211 
  # Adding UDP ports to be rejected for everyone
  # NOTE(review): the REJECT_TCP rules above and the REJECT_UDP_NOLOG rules
  # below restrict on $(ipt_if -i "$interface") and -d $destip; the LOG and
  # REJECT rules here do not, so a REJECT_UDP entry scoped to one interface or
  # destination address is applied to all of them (and repeated once per
  # interface/destip). More restrictive than configured, but worth confirming.
  ##############################################
 3214   unset IFS
 3215   for rule in $REJECT_UDP; do
 3216     if parse_rule "$rule" REJECT_UDP "interfaces-destips-ports"; then
 3217 
 3218       echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for UDP port(s): $ports"
 3219 
 3220       IFS=','
 3221       for port in $ports; do
 3222         for destip in $destips; do
 3223           for interface in $interfaces; do
 3224             iptables -A EXT_INPUT_CHAIN -p udp --dport $port \
 3225               -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Rejected UDP port: "
 3226 
 3227             ip4tables -A EXT_INPUT_CHAIN -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
 3228             if [ "$IPV6_SUPPORT" = "1" ]; then
 3229               ip6tables -A EXT_INPUT_CHAIN -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
 3230             fi
 3231           done
 3232         done
 3233       done
 3234     fi
 3235   done
 3236 
 3237   # Adding the "full access hosts"
 3238   ################################
 3239   unset IFS
 3240   for rule in $FULL_ACCESS_HOSTS; do
 3241     if parse_rule "$rule" FULL_ACCESS_HOSTS "interfaces-destips-hosts"; then
 3242 
 3243       echo " $(show_if_ip "$interfaces" "$destips")Allowing $hosts full (inbound) access"
 3244 
 3245       IFS=','
 3246       for host in `ip_range "$hosts"`; do
 3247         for destip in $destips; do
 3248           for interface in $interfaces; do
 3249             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -s $host -d $destip -j ACCEPT
 3250           done
 3251         done
 3252       done
 3253     fi
 3254   done
 3255 
 3256   # TCP ports to DENY but NOT to LOG
 3257   ##################################
 3258   unset IFS
 3259   for rule in $DENY_TCP_NOLOG; do
 3260     if parse_rule "$rule" DENY_TCP_NOLOG "interfaces-destips-ports"; then
 3261 
 3262       echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for TCP port(s) (NO LOG): $ports"
 3263 
 3264       IFS=','
 3265       for port in $ports; do
 3266         for destip in $destips; do
 3267           for interface in $interfaces; do
 3268             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j POST_INPUT_DROP_CHAIN
 3269           done
 3270         done
 3271       done
 3272     fi
 3273   done
 3274 
 3275   # UDP ports to DENY but NOT to LOG
 3276   ##################################
 3277   unset IFS
 3278   for rule in $DENY_UDP_NOLOG; do
 3279     if parse_rule "$rule" DENY_UDP_NOLOG "interfaces-destips-ports"; then
 3280 
 3281       echo " $(show_if_ip "$interfaces" "$destips")Denying ANYHOST for UDP port(s) (NO LOG): $ports"
 3282 
 3283       IFS=','
 3284       for port in $ports; do
 3285         for destip in $destips; do
 3286           for interface in $interfaces; do
 3287             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j POST_INPUT_DROP_CHAIN
 3288           done
 3289         done
 3290       done
 3291     fi
 3292   done
 3293 
 3294   # TCP ports to REJECT but NOT to LOG
 3295   ####################################
 3296   unset IFS
 3297   for rule in $REJECT_TCP_NOLOG; do
 3298     if parse_rule "$rule" REJECT_TCP_NOLOG "interfaces-destips-ports"; then
 3299 
 3300       echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for TCP port(s) (NO LOG): $ports"
 3301 
 3302       IFS=','
 3303       for port in $ports; do
 3304         for destip in $destips; do
 3305           for interface in $interfaces; do
 3306             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j REJECT --reject-with tcp-reset
 3307           done
 3308         done
 3309       done
 3310     fi
 3311   done
 3312 
 3313   # UDP ports to REJECT but NOT to LOG
 3314   ####################################
 3315   unset IFS
 3316   for rule in $REJECT_UDP_NOLOG; do
 3317     if parse_rule "$rule" REJECT_UDP_NOLOG "interfaces-destips-ports"; then
 3318 
 3319       echo " $(show_if_ip "$interfaces" "$destips")Rejecting ANYHOST for UDP port(s) (NO LOG): $ports"
 3320 
 3321       IFS=','
 3322       for port in $ports; do
 3323         for destip in $destips; do
 3324           for interface in $interfaces; do
 3325             ip4tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j REJECT --reject-with icmp-host-unreachable
 3326             if [ "$IPV6_SUPPORT" = "1" ]; then
 3327               ip6tables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j REJECT --reject-with icmp6-addr-unreachable
 3328             fi
 3329           done
 3330         done
 3331       done
 3332     fi
 3333   done
 3334 
 3335   # Check the packet source address
 3336   #################################
 3337   if [ "$RESERVED_NET_DROP" = "1" ]; then
 3338     echo " Packets will be checked for reserved source addresses"
 3339   else
 3340     echo " Packets will NOT be checked for reserved source addresses"
 3341   fi
 3342 
 3343   if [ "$RESERVED_NET_DROP" = "1" -o "$RESERVED_NET_LOG" = "1" ]; then
 3344     iptables -A EXT_INPUT_CHAIN -j RESERVED_NET_CHK
 3345   fi
 3346 
 3347   # Do NOT allow DRDOS abuse (Distributed Reflection Denial Of Service attack)
 3348   ############################################################################
 3349   if [ "$DRDOS_PROTECT" = "1" ]; then
 3350     echo " Enabling protection against DRDOS-abuse"
 3351 
 3352     iptables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 \
 3353       -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Possible DRDOS abuse: "
 3354     iptables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 \
 3355       -m limit --limit 6/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Possible DRDOS abuse: "
 3356 
 3357     iptables -A EXT_INPUT_CHAIN -p tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
 3358     iptables -A EXT_INPUT_CHAIN -p udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j POST_INPUT_DROP_CHAIN
 3359   fi
 3360 
 3361   # Adding TCP ports NOT to be firewalled
 3362   #######################################
 3363   unset IFS
 3364   for rule in $OPEN_TCP; do
 3365     if parse_rule "$rule" OPEN_TCP "interfaces-destips-ports"; then
 3366 
 3367       echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for TCP port(s): $ports"
 3368 
 3369       IFS=','
 3370       for port in $ports; do
 3371         for destip in $destips; do
 3372           for interface in $interfaces; do
 3373             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p tcp --dport $port -j ACCEPT
 3374           done
 3375         done
 3376       done
 3377     fi
 3378   done
 3379 
 3380 
 3381   # Adding UDP ports NOT to be firewalled
 3382   #######################################
 3383   unset IFS
 3384   for rule in $OPEN_UDP; do
 3385     if parse_rule "$rule" OPEN_UDP "interfaces-destips-ports"; then
 3386 
 3387       echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for UDP port(s): $ports"
 3388 
 3389       IFS=','
 3390       for port in $ports; do
 3391         for destip in $destips; do
 3392           for interface in $interfaces; do
 3393             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p udp --dport $port -j ACCEPT
 3394           done
 3395         done
 3396       done
 3397     fi
 3398   done
 3399 
 3400 
 3401   # Adding IP protocols NOT to be firewalled
 3402   ##########################################
 3403   unset IFS
 3404   for rule in $OPEN_IP; do
 3405     if parse_rule "$rule" OPEN_IP "interfaces-destips-protos"; then
 3406 
 3407       echo " $(show_if_ip "$interfaces" "$destips")Allowing ANYHOST for IP protocol(s): $protos"
 3408 
 3409       IFS=','
 3410       for proto in $protos; do
 3411         for destip in $destips; do
 3412           for interface in $interfaces; do
 3413             iptables -A EXT_INPUT_CHAIN $(ipt_if -i "$interface") -d $destip -p $proto -j ACCEPT
 3414           done
 3415         done
 3416       done
 3417     fi
 3418   done
 3419 
 3420   # Allow world to send IPv4 ICMP packets?
 3421   ########################################
 3422   if [ "$OPEN_ICMP" = "1" ]; then
 3423     echo " Allowing ANYHOST to send IPv4 ICMP-requests (ping)"
 3424     ip4tables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
 3425   else
 3426     echo " Denying ANYHOST to send IPv4 ICMP-requests (ping)"
 3427   fi
 3428 
 3429   # Allow world to send IPv6 ICMPv6 packets?
 3430   ##########################################
 3431   if [ "$IPV6_SUPPORT" = "1" ]; then
 3432     if [ "$OPEN_ICMPV6" != "0" ]; then
 3433       echo " Allowing ANYHOST to send IPv6 ICMPv6-requests"
 3434       ip6tables -A EXT_INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
 3435     else
 3436       echo " Denying ANYHOST to send IPv6 ICMPv6-requests"
 3437     fi
 3438   fi
 3439 
 3440   # Logging of possible stealth scans
 3441   ###################################
 3442   if [ "$POSSIBLE_SCAN_LOG" = "1" ]; then
 3443     echo " Logging of possible stealth scans enabled"
 3444     if [ "$UNPRIV_TCP_LOG" != "0" ]; then
 3445       iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport 1024: \
 3446         -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth scan? (UNPRIV): "
 3447     fi
 3448 
 3449     if [ "$PRIV_TCP_LOG" != "0" ]; then
 3450       iptables -A EXT_INPUT_CHAIN -p tcp ! --syn --dport :1023 \
 3451         -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Stealth scan? (PRIV): "
 3452     fi
 3453   else
 3454     echo " Logging of possible stealth scans disabled"
 3455   fi
 3456 
 3457   # General stealth scan drop
 3458   ###########################
 3459   iptables -A EXT_INPUT_CHAIN -p tcp ! --syn -j POST_INPUT_DROP_CHAIN
 3460 
 3461   # Setup IPv4 chain to handle broadcast traffic
 3462   ##############################################
 3463   ip4tables -A EXT_INPUT_CHAIN -d 255.255.255.255 -j EXT_BROADCAST_CHAIN
 3464 
 3465   # ip4tables -A EXT_INPUT_CHAIN -m pkttype --pkt-type broadcast -j EXT_BROADCAST_CHAIN
 3466   # ip4tables -A EXT_INPUT_CHAIN -m addrtype --dst-type BROADCAST -j EXT_BROADCAST_CHAIN
 3467   if [ -n "$EXT_NET_BCAST_ADDRESS" ]; then
 3468     IFS=' ,'
 3469     for address in $EXT_NET_BCAST_ADDRESS; do
 3470       ip4tables -A EXT_INPUT_CHAIN -d $address -j EXT_BROADCAST_CHAIN
 3471     done
 3472   fi
 3473 
 3474   # Handle multicast traffic
 3475   ##########################
 3476   ip4tables -A EXT_INPUT_CHAIN -d 224.0.0.0/4 -j EXT_MULTICAST_CHAIN
 3477   if [ "$IPV6_SUPPORT" = "1" ]; then
 3478     ip6tables -A EXT_INPUT_CHAIN -d ff00::/8 -j EXT_MULTICAST_CHAIN
 3479   fi
 3480 
 3481   # Allow all packets that have been locally redirected
 3482   #####################################################
 3483   if [ "$NAT_LOCAL_REDIRECT" = "1" ]; then
 3484     echo " Enabling support for NAT local redirect"
 3485     ip4tables -A EXT_INPUT_CHAIN -m conntrack --ctstate DNAT -j ACCEPT
 3486   fi
 3487 
 3488   # Log packets to privileged TCP ports?
 3489   ##################################################
 3490   if [ "$PRIV_TCP_LOG" != "0" ]; then
 3491     echo " Logging of (other) packets to PRIVILEGED TCP ports enabled"
 3492     iptables -A EXT_INPUT_CHAIN -p tcp --dport :1023 \
 3493       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP packet: "
 3494     iptables -A EXT_MULTICAST_CHAIN -p tcp --dport :1023 \
 3495       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP multicast: "
 3496     iptables -A EXT_BROADCAST_CHAIN -p tcp --dport :1023 \
 3497       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV TCP broadcast: "
 3498   else
 3499     echo " Logging of (other) packets to PRIVILEGED TCP ports disabled"
 3500   fi
 3501 
 3502   # Log packets to privileged UDP ports?
 3503   ##################################################
 3504   if [ "$PRIV_UDP_LOG" != "0" ]; then
 3505     echo " Logging of (other) packets to PRIVILEGED UDP ports enabled"
 3506     iptables -A EXT_INPUT_CHAIN -p udp --dport :1023 \
 3507       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP packet: "
 3508     iptables -A EXT_MULTICAST_CHAIN -p udp --dport :1023 \
 3509       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP multicast: "
 3510     iptables -A EXT_BROADCAST_CHAIN -p udp --dport :1023 \
 3511       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:PRIV UDP broadcast: "
 3512   else
 3513     echo " Logging of (other) packets to PRIVILEGED UDP ports disabled"
 3514   fi
 3515 
 3516   # Log packets to unprivileged TCP ports?
 3517   ####################################################
 3518   if [ "$UNPRIV_TCP_LOG" != "0" ]; then
 3519     echo " Logging of (other) packets to UNPRIVILEGED TCP ports enabled"
 3520     iptables -A EXT_INPUT_CHAIN -p tcp --dport 1024: \
 3521       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP packet: "
 3522     iptables -A EXT_MULTICAST_CHAIN -p tcp --dport 1024: \
 3523       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP multicast: "
 3524     iptables -A EXT_BROADCAST_CHAIN -p tcp --dport 1024: \
 3525       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV TCP broadcast: "
 3526   else
 3527     echo " Logging of (other) packets to UNPRIVILEGED TCP ports disabled"
 3528   fi
 3529 
  # Log packets to unprivileged UDP ports?
  # NOTE(review): the EXT_MULTICAST_CHAIN / EXT_BROADCAST_CHAIN rules below use
  # "--dport 1024" rather than the "--dport 1024:" range used for
  # EXT_INPUT_CHAIN (and for the TCP variants above), so only port 1024 itself
  # is logged for multicast/broadcast. Both chains still end in DROP, so this is
  # a logging/visibility gap, not a filtering one.
  ####################################################
 3532   if [ "$UNPRIV_UDP_LOG" != "0" ]; then
 3533     echo " Logging of (other) packets to UNPRIVILEGED UDP ports enabled"
 3534     iptables -A EXT_INPUT_CHAIN -p udp --dport 1024: \
 3535       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP packet: "
 3536     iptables -A EXT_MULTICAST_CHAIN -p udp --dport 1024 \
 3537       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP multicast: "
 3538     iptables -A EXT_BROADCAST_CHAIN -p udp --dport 1024 \
 3539       -m limit --limit 6/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UNPRIV UDP broadcast: "
 3540   else
 3541     echo "Logging of (other) packets to UNPRIVILEGED UDP ports disabled"
 3542   fi
 3543 
 3544   # Do we want to log igmp packets?
 3545   #############################################
 3546   if [ "$IGMP_LOG" != "0" ]; then
 3547     echo " Logging of IGMP packets enabled"
 3548     ip4tables -A EXT_INPUT_CHAIN -p 2 \
 3549       -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IGMP packet: "
 3550   else
 3551     echo " Logging of IPv4 IGMP packets disabled"
 3552   fi
 3553 
 3554   # Finally drop all in the broadcast chain
 3555   iptables -A EXT_BROADCAST_CHAIN -j DROP
 3556 
 3557   # Jump into the POST_INPUT_CHAIN before we start to DROP
 3558   iptables -A EXT_INPUT_CHAIN -j POST_INPUT_CHAIN
 3559 
 3560   if [ "$ICMP_REQUEST_LOG" != "0" ]; then
 3561     echo " Logging of dropped ICMP-request(ping) packets enabled"
 3562     iptables -A EXT_INPUT_CHAIN -p icmp --icmp-type echo-request \
 3563       -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-request: "
 3564     iptables -A EXT_MULTICAST_CHAIN -p icmp --icmp-type echo-request \
 3565       -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-multicast-request: "
 3566   else
 3567     echo " Logging of dropped ICMP-request(ping) packets disabled"
 3568   fi
 3569 
 3570   if [ "$ICMP_OTHER_LOG" != "0" ]; then
 3571     echo " Logging of dropped other ICMP packets enabled"
 3572     iptables -A EXT_INPUT_CHAIN -p icmp ! --icmp-type echo-request \
 3573       -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-other: "
 3574     iptables -A EXT_MULTICAST_CHAIN -p icmp ! --icmp-type echo-request \
 3575       -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-multicast-other: "
 3576   else
 3577     echo " Logging of dropped other ICMP packets disabled"
 3578   fi
 3579 
 3580   # Drop all in the multicast chain
 3581   iptables -A EXT_MULTICAST_CHAIN -j DROP
 3582 
 3583   # Drop all "standard" IP protocols
 3584   ##################################
 3585   iptables -A EXT_INPUT_CHAIN -p tcp -j POST_INPUT_DROP_CHAIN
 3586   iptables -A EXT_INPUT_CHAIN -p udp -j POST_INPUT_DROP_CHAIN
 3587   ip4tables -A EXT_INPUT_CHAIN -p 2 -j POST_INPUT_DROP_CHAIN
 3588   iptables -A EXT_INPUT_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
 3589 
 3590   # Do we want to log non udp/tcp/icmp packets?
 3591   #############################################
 3592   if [ "$OTHER_IP_LOG" != "0" ]; then
 3593     echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled"
 3594     iptables -A EXT_INPUT_CHAIN \
 3595       -m limit --limit 1/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Other connect: "
 3596   else
 3597     echo " Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets disabled"
 3598   fi
 3599 
 3600   # Drop all remaining packets
 3601   ############################
 3602   iptables -A EXT_INPUT_CHAIN -j POST_INPUT_DROP_CHAIN
 3603 }
 3604 
 3605 
 3606 ######################################################################################################################
 3607 ## Chain EXT_ICMP_FLOOD_CHAIN - Checks all ICMP (flooded) packets for the EXTERNAL interface(s)                     ##
 3608 ######################################################################################################################
setup_ext_icmp_flood_chain()
{
  # Populate EXT_ICMP_FLOOD_CHAIN. Every ICMP packet that reaches this chain
  # ends up in POST_INPUT_DROP_CHAIN; when ICMP_FLOOD_LOG is enabled, each of
  # the common types is first logged under its own prefix, rate-limited to
  # 12/hour (burst 1), and anything not matched by name gets a generic prefix.
  # Reads ICMP_FLOOD_LOG, IPV6_SUPPORT and LOGLEVEL. Rule order matters to
  # netfilter, so the append sequence below is kept fixed.
  if [ "$ICMP_FLOOD_LOG" = "0" ]; then
    echo " Logging of ICMP flooding disabled"
  else
    echo " Logging of ICMP flooding enabled"

    # Types that go through the generic iptables wrapper: a rate-limited LOG
    # rule immediately followed by the drop for that same type.
    for flood_type in destination-unreachable time-exceeded parameter-problem echo-request echo-reply; do
      case "$flood_type" in
        destination-unreachable) flood_prefix="AIF:ICMP-unreachable flood: " ;;
        time-exceeded)           flood_prefix="AIF:ICMP-time-exceeded fld: " ;;
        parameter-problem)       flood_prefix="AIF:ICMP-param-problem fld: " ;;
        echo-request)            flood_prefix="AIF:ICMP-request(ping) fld: " ;;
        echo-reply)              flood_prefix="AIF:ICMP-reply(pong) flood: " ;;
      esac
      iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type "$flood_type" \
        -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "$flood_prefix"
      iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type "$flood_type" -j POST_INPUT_DROP_CHAIN
    done

    # source-quench is IPv4-only, hence ip4tables
    ip4tables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-source-quench fld: "
    ip4tables -A EXT_ICMP_FLOOD_CHAIN -p icmp --icmp-type source-quench -j POST_INPUT_DROP_CHAIN

    # packet-too-big is ICMPv6-only, hence ip6tables (and only with IPv6 on)
    if [ "$IPV6_SUPPORT" = "1" ]; then
      ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big \
        -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP-packet-too-big fld: "
      ip6tables -A EXT_ICMP_FLOOD_CHAIN -p icmpv6 --icmpv6-type packet-too-big -j POST_INPUT_DROP_CHAIN
    fi

    # Any remaining ICMP type: generic log prefix (the drop follows below)
    iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp \
      -m limit --limit 12/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:ICMP(other) flood: "
  fi

  # Unconditional catch-all: whatever ICMP is still in this chain is dropped
  iptables -A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
}
 3656 
 3657 
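######################################################################################################################
## Chain EXT_OUTPUT_CHAIN - Checks all outgoing packets for the EXTERNAL interface(s)                               ##
######################################################################################################################
# Globals (read)   : HOST_DENY_TCP_OUTPUT HOST_DENY_UDP_OUTPUT HOST_DENY_IP_OUTPUT FULL_ACCESS_HOSTS
#                    DENY_TCP_OUTPUT DENY_UDP_OUTPUT DENY_IP_OUTPUT INET_OUTPUT_DENY_LOG LOGLEVEL
# Globals (written): IFS (left as ',' after the last matched rule) and the variables parse_rule fills in
#                    (interfaces, srcips, hosts, ports, protos)
# Outputs          : one status line per parsed rule on stdout
# Side effects     : appends rules to EXT_OUTPUT_CHAIN. Order matters: hostwise denies are appended first,
#                    then the FULL_ACCESS_HOSTS accepts, then the generic DENY_*_OUTPUT drops, so a
#                    full-access host bypasses only the generic denies, never a hostwise deny.
# NOTE(review): the LOG rate limits differ between sections (1/s burst 1 vs 3/m burst 5); kept as found.
setup_ext_output_chain()
{
  # This rule is for hostwise OUTPUT TCP blocking
  ###############################################
  unset IFS
  for rule in $HOST_DENY_TCP_OUTPUT; do
    if parse_rule "$rule" HOST_DENY_TCP_OUTPUT "interfaces-srcips-hosts-ports"; then

      echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for TCP port(s): $ports"

      # parse_rule hands back comma-separated lists; split on ',' from here on
      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              # Optional rate-limited LOG rule goes in front of the DROP
              if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -d "$host" -p tcp --dport "$port" \
                  -m limit --limit 1/s --limit-burst 1 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:INET-OUTPUT denied: "
              fi
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -d "$host" -p tcp --dport "$port" -j DROP
            done
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT UDP blocking
  ###############################################
  unset IFS
  for rule in $HOST_DENY_UDP_OUTPUT; do
    if parse_rule "$rule" HOST_DENY_UDP_OUTPUT "interfaces-srcips-hosts-ports"; then

      echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for UDP port(s): $ports"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -d "$host" -p udp --dport "$port" \
                  -m limit --limit 1/s --limit-burst 1 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:INET-OUTPUT denied: "
              fi
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -d "$host" -p udp --dport "$port" -j DROP
            done
          done
        done
      done
    fi
  done

  # This rule is for hostwise OUTPUT IP blocking
  ##############################################
  unset IFS
  for rule in $HOST_DENY_IP_OUTPUT; do
    if parse_rule "$rule" HOST_DENY_IP_OUTPUT "interfaces-srcips-hosts-protos"; then

      echo " $(show_if_ip "$interfaces" "$srcips")Denying $hosts for IP protocol(s): $protos"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
                iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -d "$host" -p "$proto" \
                  -m limit --limit 1/s --limit-burst 1 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:INET-OUTPUT denied: "
              fi
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -d "$host" -p "$proto" -j DROP
            done
          done
        done
      done
    fi
  done

  # Adding the "full access hosts"
  ################################
  # These ACCEPTs sit after the hostwise denies above and before the generic denies below.
  unset IFS
  for rule in $FULL_ACCESS_HOSTS; do
    if parse_rule "$rule" FULL_ACCESS_HOSTS "interfaces-srcips-hosts"; then

      # Show the source IPs too, like every other section does, so the printed line reflects the rule actually added
      echo " $(show_if_ip "$interfaces" "$srcips")Allowing $hosts full (outbound) access"

      IFS=','
      for host in $(ip_range "$hosts"); do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -d "$host" -j ACCEPT
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT TCP blocking
  ############################################
  unset IFS
  for rule in $DENY_TCP_OUTPUT; do
    if parse_rule "$rule" DENY_TCP_OUTPUT "interfaces-srcips-ports"; then

      echo " $(show_if_ip "$interfaces" "$srcips")Denying TCP port(s): $ports"

      IFS=','
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -p tcp --dport "$port" \
                -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:INET-OUTPUT denied: "
            fi
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -p tcp --dport "$port" -j DROP
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT UDP blocking
  ############################################
  unset IFS
  for rule in $DENY_UDP_OUTPUT; do
    if parse_rule "$rule" DENY_UDP_OUTPUT "interfaces-srcips-ports"; then

      echo " $(show_if_ip "$interfaces" "$srcips")Denying UDP port(s): $ports"

      IFS=','
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -p udp --dport "$port" \
                -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:INET-OUTPUT denied: "
            fi
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -p udp --dport "$port" -j DROP
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT IP blocking
  ############################################
  unset IFS
  for rule in $DENY_IP_OUTPUT; do
    if parse_rule "$rule" DENY_IP_OUTPUT "interfaces-srcips-protos"; then

      echo " $(show_if_ip "$interfaces" "$srcips")Denying IP protocol(s): $protos"

      IFS=','
      for proto in $protos; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            if [ "$INET_OUTPUT_DENY_LOG" != "0" ]; then
              iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -p "$proto" \
                -m limit --limit 1/s --limit-burst 1 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:INET-OUTPUT denied: "
            fi
            iptables -A EXT_OUTPUT_CHAIN $(ipt_if -o "$interface") -s "$srcip" -p "$proto" -j DROP
          done
        done
      done
    fi
  done
}

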
# Helper chain to catch broadcast traffic
# Globals (read)   : BROADCAST_TCP_NOLOG BROADCAST_UDP_NOLOG
# Globals (written): IFS (left as ' ,' after the last matched rule) and the variables parse_rule fills in
# Outputs          : one status line per parsed rule on stdout
# Side effects     : appends silent DROP rules to EXT_BROADCAST_CHAIN
# NOTE(review): $destips is parsed and printed but does not appear in the DROP rule, so the match is on
#               interface/port only — confirm this is intended.
setup_ext_broadcast_chain()
{
  # Disable logging of certain TCP broadcasts on the external interface
  #####################################################################
  unset IFS
  for rule in $BROADCAST_TCP_NOLOG; do
    parse_rule "$rule" BROADCAST_TCP_NOLOG "interfaces-destips-ports" || continue

    echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for TCP port(s): $ports"

    # Port and interface lists may be space- or comma-separated
    IFS=' ,'
    for port in $ports; do
      for interface in $interfaces; do
        iptables -A EXT_BROADCAST_CHAIN $(ipt_if -i "$interface") -p tcp --dport $port -j DROP
      done
    done
  done

  # Disable logging of certain UDP broadcasts on the external interface
  ##########################################################################################
  unset IFS
  for rule in $BROADCAST_UDP_NOLOG; do
    parse_rule "$rule" BROADCAST_UDP_NOLOG "interfaces-destips-ports" || continue

    echo " $(show_if_ip "$interfaces" "$destips")Logging of external subnet broadcasts disabled for UDP port(s): $ports"

    IFS=' ,'
    for port in $ports; do
      for interface in $interfaces; do
        iptables -A EXT_BROADCAST_CHAIN $(ipt_if -i "$interface") -p udp --dport $port -j DROP
      done
    done
  done
}


# This creates the input logging rules
##########################################################
# Globals (read)   : LOG_INPUT_TCP LOG_INPUT_UDP LOG_INPUT_IP LOG_HOST_INPUT LOG_HOST_INPUT_TCP
#                    LOG_HOST_INPUT_UDP LOG_HOST_INPUT_IP NF_CONNTRACK_STATE LOGLEVEL
# Globals (written): IFS (left as ' ,' after the last matched rule) and the variables parse_rule fills in
# Outputs          : one status line per parsed rule on stdout
# Side effects     : appends rate-limited LOG rules (NEW state only) to the INPUT chain; nothing is dropped here
setup_input_log()
{
  # This rule is for local INPUT TCP watching
  ############################################
  unset IFS
  for rule in $LOG_INPUT_TCP; do
    parse_rule "$rule" LOG_INPUT_TCP "interfaces-destips-ports" || continue

    echo "$(show_if_ip "$interfaces" "$destips")Logging incoming TCP port(s): $ports"

    # Lists may be space- or comma-separated
    IFS=' ,'
    for port in $ports; do
      for destip in $destips; do
        for interface in $interfaces; do
          iptables -A INPUT $(ipt_if -i "$interface") -d $destip -p tcp --dport $port $NF_CONNTRACK_STATE NEW \
            -m limit --limit 3/m --limit-burst 15 \
            -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP INPUT log: "
        done
      done
    done
  done


  # This rule is for local INPUT UDP watching
  ###########################################
  unset IFS
  for rule in $LOG_INPUT_UDP; do
    parse_rule "$rule" LOG_INPUT_UDP "interfaces-destips-ports" || continue

    echo "$(show_if_ip "$interfaces" "$destips")Logging incoming UDP port(s): $ports"

    IFS=' ,'
    for port in $ports; do
      for destip in $destips; do
        for interface in $interfaces; do
          iptables -A INPUT $(ipt_if -i "$interface") -d $destip -p udp --dport $port $NF_CONNTRACK_STATE NEW \
            -m limit --limit 3/m --limit-burst 15 \
            -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP INPUT log: "
        done
      done
    done
  done

  # This rule is for local INPUT IP watching
  ##########################################
  unset IFS
  for rule in $LOG_INPUT_IP; do
    parse_rule "$rule" LOG_INPUT_IP "interfaces-destips-protos" || continue

    echo "$(show_if_ip "$interfaces" "$destips")Logging incoming IP protocol(s): $protos"

    IFS=' ,'
    for proto in $protos; do
      for destip in $destips; do
        for interface in $interfaces; do
          iptables -A INPUT $(ipt_if -i "$interface") -d $destip -p $proto $NF_CONNTRACK_STATE NEW \
            -m limit --limit 3/m --limit-burst 15 \
            -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IP INPUT log: "
        done
      done
    done
  done


  # Hostwise logging of input connection attempts
  ###############################################
  unset IFS
  for rule in $LOG_HOST_INPUT; do
    parse_rule "$rule" LOG_HOST_INPUT "interfaces-destips-hosts" || continue

    echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of: $hosts"

    IFS=' ,'
    for host in $(ip_range "$hosts"); do
      for destip in $destips; do
        for interface in $interfaces; do
          # Per-host logging gets a higher limit/burst than the port-based rules above
          iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip $NF_CONNTRACK_STATE NEW \
            -m limit --limit 12/m --limit-burst 50 \
            -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise INPUT log: "
        done
      done
    done
  done

  # Hostwise logging of certain TCP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_INPUT_TCP; do
    parse_rule "$rule" LOG_HOST_INPUT_TCP "interfaces-destips-hosts-ports" || continue

    echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to TCP port(s): $ports"

    IFS=' ,'
    for host in $(ip_range "$hosts"); do
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip -p tcp --dport $port $NF_CONNTRACK_STATE NEW \
              -m limit --limit 12/m --limit-burst 5 \
              -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise TCP log (IN): "
          done
        done
      done
    done
  done


  # Hostwise logging of certain UDP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_INPUT_UDP; do
    parse_rule "$rule" LOG_HOST_INPUT_UDP "interfaces-destips-hosts-ports" || continue

    echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to UDP port(s): $ports"

    IFS=' ,'
    for host in $(ip_range "$hosts"); do
      for port in $ports; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip -p udp --dport $port $NF_CONNTRACK_STATE NEW \
              -m limit --limit 12/m --limit-burst 5 \
              -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise UDP INPUT log: "
          done
        done
      done
    done
  done

  # Hostwise logging of certain IP protocols connection attempts
  ##############################################################
  unset IFS
  for rule in $LOG_HOST_INPUT_IP; do
    parse_rule "$rule" LOG_HOST_INPUT_IP "interfaces-destips-hosts-protos" || continue

    echo "$(show_if_ip "$interfaces" "$destips")Logging incoming connections of $hosts to IP protocol(s): $protos"

    IFS=' ,'
    for host in $(ip_range "$hosts"); do
      for proto in $protos; do
        for destip in $destips; do
          for interface in $interfaces; do
            iptables -A INPUT $(ipt_if -i "$interface") -s $host -d $destip -p $proto $NF_CONNTRACK_STATE NEW \
              -m limit --limit 12/m --limit-burst 5 \
              -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise IP INPUT log: "
          done
        done
      done
    done
  done
}


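# This creates the output logging rules
##########################################################
# Globals (read)   : LOG_OUTPUT_TCP LOG_OUTPUT_UDP LOG_OUTPUT_IP LOG_HOST_OUTPUT LOG_HOST_OUTPUT_TCP
#                    LOG_HOST_OUTPUT_UDP LOG_HOST_OUTPUT_IP NF_CONNTRACK_STATE LOGLEVEL
# Globals (written): IFS (left as ' ,' after the last matched rule) and the variables parse_rule fills in
# Outputs          : one status line per parsed rule on stdout
# Side effects     : appends rate-limited LOG rules (NEW state only) to the OUTPUT chain; nothing is dropped here
setup_output_log()
{
  # This rule is for local OUTPUT TCP watching
  ############################################
  unset IFS
  for rule in $LOG_OUTPUT_TCP; do
    if parse_rule "$rule" LOG_OUTPUT_TCP "interfaces-srcips-ports"; then

      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing TCP port(s): $ports"

      # Lists may be space- or comma-separated
      IFS=' ,'
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -p tcp --dport $port $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:TCP OUTPUT log: "
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT UDP watching
  ############################################
  unset IFS
  for rule in $LOG_OUTPUT_UDP; do
    if parse_rule "$rule" LOG_OUTPUT_UDP "interfaces-srcips-ports"; then

      # Pass the source IPs to show_if_ip like the TCP and IP sections do, so the printed line matches the rule added
      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing UDP port(s): $ports"

      IFS=' ,'
      for port in $ports; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -p udp --dport $port $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:UDP OUTPUT log: "
          done
        done
      done
    fi
  done

  # This rule is for local OUTPUT IP watching
  ###########################################
  unset IFS
  for rule in $LOG_OUTPUT_IP; do
    if parse_rule "$rule" LOG_OUTPUT_IP "interfaces-srcips-protos"; then

      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing IP protocol(s): $protos"

      IFS=' ,'
      for proto in $protos; do
        for srcip in $srcips; do
          for interface in $interfaces; do
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -p $proto $NF_CONNTRACK_STATE NEW -m limit \
              --limit 3/m --limit-burst 15 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:IP OUTPUT log: "
          done
        done
      done
    fi
  done

  # Hostwise logging of output connection attempts
  ################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT; do
    if parse_rule "$rule" LOG_HOST_OUTPUT "interfaces-srcips-hosts"; then

      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections to: $hosts"

      IFS=' ,'
      for host in $(ip_range "$hosts"); do
        for srcip in $srcips; do
          for interface in $interfaces; do
            # Per-host logging gets a higher limit/burst than the port-based rules above
            iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host $NF_CONNTRACK_STATE NEW \
              -m limit --limit 12/m --limit-burst 50 \
              -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Hostwise OUTPUT log: "
          done
        done
      done
    fi
  done


  # Hostwise logging of certain TCP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT_TCP; do
    if parse_rule "$rule" LOG_HOST_OUTPUT_TCP "interfaces-srcips-hosts-ports"; then

      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to TCP port(s): $ports"

      IFS=' ,'
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host -p tcp --dport $port $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host TCP log (OUT): "
            done
          done
        done
      done
    fi
  done


  # Hostwise logging of certain UDP port connection attempts
  ##########################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT_UDP; do
    if parse_rule "$rule" LOG_HOST_OUTPUT_UDP "interfaces-srcips-hosts-ports"; then

      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to UDP port(s): $ports"

      IFS=' ,'
      for host in $(ip_range "$hosts"); do
        for port in $ports; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host -p udp --dport $port $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host UDP log (OUT): "
            done
          done
        done
      done
    fi
  done

  # Hostwise logging of certain IP protocols connection attempts
  ##############################################################
  unset IFS
  for rule in $LOG_HOST_OUTPUT_IP; do
    if parse_rule "$rule" LOG_HOST_OUTPUT_IP "interfaces-srcips-hosts-protos"; then

      echo "$(show_if_ip "$interfaces" "$srcips")Logging outgoing connections of $hosts to IP protocol(s): $protos"

      IFS=' ,'
      for host in $(ip_range "$hosts"); do
        for proto in $protos; do
          for srcip in $srcips; do
            for interface in $interfaces; do
              iptables -A OUTPUT $(ipt_if -o "$interface") -s $srcip -d $host -p $proto $NF_CONNTRACK_STATE NEW \
                -m limit --limit 12/m --limit-burst 5 \
                -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Host IP log (OUT): "
            done
          done
        done
      done
    fi
  done
}

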
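# Helper function for setup_hostblock_chain
###########################################
# Creates the ipsets backing the netset-based host block and hooks them into HOST_BLOCK_SRC/HOST_BLOCK_DST.
# Only the (empty) sets and the match rules are created here; the contents are loaded by apply_ipset_netset.
# Arguments: $1 - directory holding the *.netset files
#            $2 - ipset hashsize
#            $3 - ipset maxelem
# Globals (read): IPV6_SUPPORT BLOCK_HOSTS_BIDIRECTIONAL
# Side effects  : ipset create; ip4tables/ip6tables -A on HOST_BLOCK_SRC and HOST_BLOCK_DST
setup_ipset_netset()
{
  local dir="$1" hashsize="$2" maxelem="$3" family netset set_name IFS

  ## Setup Whitelist - RETURNs from the block chains, appended first so it is evaluated before any blocklist set
  ipset create -exist aif_whitelist hash:net family inet hashsize "$hashsize" maxelem "$maxelem"

  ip4tables -A HOST_BLOCK_SRC -m set --match-set aif_whitelist src -j RETURN
  if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
    ip4tables -A HOST_BLOCK_DST -m set --match-set aif_whitelist dst -j RETURN
  fi
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ipset create -exist aif_whitelistv6 hash:net family inet6 hashsize "$hashsize" maxelem "$maxelem"

    ip6tables -A HOST_BLOCK_SRC -m set --match-set aif_whitelistv6 src -j RETURN
    if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
      ip6tables -A HOST_BLOCK_DST -m set --match-set aif_whitelistv6 dst -j RETURN
    fi
  fi

  ## Setup *.netset files
  unset IFS
  for netset in "$dir"/*.netset; do
    ## An unmatched glob expands to the literal pattern; skip that, and anything that is not a regular file
    [ -f "$netset" ] || continue

    set_name="${netset##*/}"
    set_name="${set_name%.netset}"

    ## Kernel limits set names to 31 characters, subtract 4 for _tmp
    ## (skipped silently here; apply_ipset_netset reports the error for the same file)
    if [ ${#set_name} -gt 27 ]; then
      continue
    fi

    ## Naming convention, *v6.netset files for IPv6, all other *.netset files default to IPv4
    case $set_name in
      *v6|*V6) family="inet6" ;;
            *) family="inet" ;;
    esac

    if [ "$IPV6_SUPPORT" != "1" ] && [ "$family" = "inet6" ]; then
      continue
    fi

    ## Whitelist already setup above
    if [ "$set_name" = "whitelist" ] || [ "$set_name" = "whitelistv6" ]; then
      continue
    fi

    ipset create -exist "$set_name" hash:net family "$family" hashsize "$hashsize" maxelem "$maxelem"

    if [ "$family" = "inet" ]; then
      ip4tables -A HOST_BLOCK_SRC -m set --match-set "$set_name" src -j HOST_BLOCK_SRC_DROP
      if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
        ip4tables -A HOST_BLOCK_DST -m set --match-set "$set_name" dst -j HOST_BLOCK_DST_DROP
      fi
    else
      ip6tables -A HOST_BLOCK_SRC -m set --match-set "$set_name" src -j HOST_BLOCK_SRC_DROP
      if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
        ip6tables -A HOST_BLOCK_DST -m set --match-set "$set_name" dst -j HOST_BLOCK_DST_DROP
      fi
    fi
  done
}

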
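# Helper function for setup_hostblock_chain
###########################################
# Loads the contents of the netset-based ipsets created by setup_ipset_netset. Each set is filled in a
# <name>_tmp set first and then swapped in with 'ipset swap', so the live set is never half-loaded.
# Arguments: $1 - directory holding the *.netset files
#            $2 - ipset hashsize
#            $3 - ipset maxelem
# Globals (read)   : IPV6_SUPPORT DEFAULT_NETSET_WHITELIST DEFAULT_NETSET_WHITELISTV6
# Globals (written): RULE_WARNING (incremented for every failed ipset add/restore)
# Outputs          : progress on stdout, errors on stderr
apply_ipset_netset()
{
  local dir="$1" hashsize="$2" maxelem="$3" family netset set_name swap_err IFS
  local x default_whitelist default_whitelistv6

  # Built-in whitelist (overridable via DEFAULT_NETSET_WHITELIST*): loopback, private, link-local,
  # multicast and other reserved ranges are never blocked by a netset
  default_whitelist="127.0.0.0/8 0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/3"
  default_whitelistv6="::1 fe80::/10 ff00::/8"

  ## Apply Whitelist
  unset IFS
  for netset in "$dir/whitelist.netset" "$dir/whitelistv6.netset"; do
    set_name="${netset##*/}"
    set_name="aif_${set_name%.netset}"

    case $set_name in
      *v6|*V6) family="inet6" ;;
            *) family="inet" ;;
    esac

    if [ "$IPV6_SUPPORT" != "1" ] && [ "$family" = "inet6" ]; then
      continue
    fi

    ipset create -exist "${set_name}_tmp" hash:net family "$family" hashsize "$hashsize" maxelem "$maxelem"
    ipset flush "${set_name}_tmp"

    if [ "$family" = "inet" ]; then
      unset IFS
      for x in ${DEFAULT_NETSET_WHITELIST:-$default_whitelist}; do
        if ! ipset add -exist "${set_name}_tmp" "$x"; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
      done
      if [ -f "$netset" ]; then
        printf "Loading IPv4 Whitelist Set: whitelist.netset ... "
        # Keep only lines that start with an IPv4 address/prefix, ignore any trailing comment
        if ! sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
        echo "Done."
      fi
    else
      unset IFS
      for x in ${DEFAULT_NETSET_WHITELISTV6:-$default_whitelistv6}; do
        if ! ipset add -exist "${set_name}_tmp" "$x"; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
      done
      if [ -f "$netset" ]; then
        printf "Loading IPv6 Whitelist Set: whitelistv6.netset ... "
        if ! sed -n -r -e "s/^([0-9a-fA-F][0-9a-fA-F:/]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore; then
          RULE_WARNING=$((RULE_WARNING + 1))
        fi
        echo "Done."
      fi
    fi
    # NOTE(review): unlike the blocklist loop below, the whitelist is swapped in even when a restore failed,
    # so a partially loaded whitelist replaces the previous one - confirm this is intended.
    ipset swap "$set_name" "${set_name}_tmp"
    ipset destroy "${set_name}_tmp"
  done

  ## Apply *.netset files
  unset IFS
  for netset in "$dir"/*.netset; do
    ## An unmatched glob expands to the literal pattern; skip that, and anything that is not a regular file
    [ -f "$netset" ] || continue

    set_name="${netset##*/}"
    set_name="${set_name%.netset}"

    ## Kernel limits set names to 31 characters, subtract 4 for _tmp
    if [ ${#set_name} -gt 27 ]; then
      printf '\033[40m\033[1;31mERROR: The "%s.netset" name is too long, filenames are limited to <27-characters>.netset\033[0m\n' "$set_name" >&2
      RULE_WARNING=$((RULE_WARNING + 1))
      continue
    fi

    ## Naming convention, *v6.netset files for IPv6, all other *.netset files default to IPv4
    case $set_name in
      *v6|*V6) family="inet6" ;;
            *) family="inet" ;;
    esac

    if [ "$IPV6_SUPPORT" != "1" ] && [ "$family" = "inet6" ]; then
      continue
    fi

    ## Whitelist already applied above
    if [ "$set_name" = "whitelist" ] || [ "$set_name" = "whitelistv6" ]; then
      continue
    fi

    ## The pipe below only reports ipset's status: an unreadable file would make sed fail, feed ipset an
    ## empty stream and swap an EMPTY set into the live blocklist. Refuse up front instead.
    if [ ! -r "$netset" ]; then
      printf '\033[40m\033[1;31mERROR: Cannot read "%s", blocklist set not applied.\033[0m\n' "$netset" >&2
      RULE_WARNING=$((RULE_WARNING + 1))
      continue
    fi

    ipset create -exist "${set_name}_tmp" hash:net family "$family" hashsize "$hashsize" maxelem "$maxelem"
    ipset flush "${set_name}_tmp"

    swap_err=0

    if [ "$family" = "inet" ]; then
      # The set name comes from a filename, so it is passed as a printf argument, never as the format
      printf 'Loading IPv4 Blocklist Set: %s.netset ... ' "$set_name"
      if ! sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore; then
        swap_err=1
        RULE_WARNING=$((RULE_WARNING + 1))
      fi
    else
      printf 'Loading IPv6 Blocklist Set: %s.netset ... ' "$set_name"
      if ! sed -n -r -e "s/^([0-9a-fA-F][0-9a-fA-F:/]+)([[:space:]].*|)$/add -exist ${set_name}_tmp \1/p" "$netset" | ipset restore; then
        swap_err=1
        RULE_WARNING=$((RULE_WARNING + 1))
      fi
    fi

    # Only replace the live set when the whole file loaded; on error the previous contents stay active
    if [ $swap_err -eq 0 ]; then
      ipset swap "$set_name" "${set_name}_tmp"
      echo "Done."
    else
      echo ""
      printf '\033[40m\033[1;31mERROR: "ipset swap %s ..." not applied.\033[0m\n' "$set_name" >&2
    fi
    ipset destroy "${set_name}_tmp"
  done
}

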
 4375 # This creates the separate host block
 4376 ######################################
 4377 setup_hostblock_chain()
 4378 {
 4379   local hashsize maxelem swap4_err swap6_err
 4380 
 4381   if iptables -F HOST_BLOCK_SRC 2>&1 |grep -q "No chain" || \
 4382      iptables -F HOST_BLOCK_DST 2>&1 |grep -q "No chain"; then
 4383     printf "\033[40m\033[1;31mERROR: The firewall isn't running!\033[0m\n" >&2
 4384     printf "\033[40m\033[1;31m       You should first run this script with the \"start\" command.\033[0m\n" >&2
 4385     return 5
 4386   fi
 4387 
 4388   # Return if no Blocked Hosts are defined
 4389   if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" -a -z "$BLOCK_NETSET_DIR" ]; then
 4390     return
 4391   fi
 4392 
 4393   if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
 4394     echo "Blocking (blackhole) direction: Inbound and Outbound"
 4395   else
 4396     echo "Blocking (blackhole) direction: Inbound Only"
 4397   fi
 4398 
 4399 ## Use 'ipset' if enabled and available, else fallback to discrete iptables rules
 4400 ##
 4401 if ipset_check; then
 4402   hashsize="${IPTABLES_IPSET_HASHSIZE:-2048}"
 4403   maxelem="${IPTABLES_IPSET_MAXELEM:-131072}"
 4404 
 4405   if [ -n "$BLOCK_HOSTS" -o -n "$BLOCK_HOSTS_FILE" ]; then
 4406     ipset create -exist aif_blocklist hash:net family inet hashsize $hashsize maxelem $maxelem
 4407 
 4408     ip4tables -A HOST_BLOCK_SRC -m set --match-set aif_blocklist src -j HOST_BLOCK_SRC_DROP
 4409     if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
 4410       ip4tables -A HOST_BLOCK_DST -m set --match-set aif_blocklist dst -j HOST_BLOCK_DST_DROP
 4411     fi
 4412     if [ "$IPV6_SUPPORT" = "1" ]; then
 4413       ipset create -exist aif_blocklistv6 hash:net family inet6 hashsize $hashsize maxelem $maxelem
 4414 
 4415       ip6tables -A HOST_BLOCK_SRC -m set --match-set aif_blocklistv6 src -j HOST_BLOCK_SRC_DROP
 4416       if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
 4417         ip6tables -A HOST_BLOCK_DST -m set --match-set aif_blocklistv6 dst -j HOST_BLOCK_DST_DROP
 4418       fi
 4419     fi
 4420   fi
 4421 
 4422   if [ -d "$BLOCK_NETSET_DIR" ] && ls "$BLOCK_NETSET_DIR"/*.netset >/dev/null 2>&1; then
 4423     setup_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem
 4424 
 4425     ## Optimization, add ipsets to iptables (above) first, then apply ipset contents (below) which takes time
 4426 
 4427     apply_ipset_netset "$BLOCK_NETSET_DIR" $hashsize $maxelem
 4428   fi
 4429 
 4430   if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" ]; then
 4431     return
 4432   fi
 4433 
 4434   ipset create -exist aif_blocklist_tmp hash:net family inet hashsize $hashsize maxelem $maxelem
 4435   ipset flush aif_blocklist_tmp
 4436   if [ "$IPV6_SUPPORT" = "1" ]; then
 4437     ipset create -exist aif_blocklistv6_tmp hash:net family inet6 hashsize $hashsize maxelem $maxelem
 4438     ipset flush aif_blocklistv6_tmp
 4439   fi
 4440 
 4441   swap4_err=0
 4442   swap6_err=0
 4443 
 4444   if [ -n "$BLOCK_HOSTS" ]; then
 4445     printf "Blocking (blackhole) host(s): "
 4446 
 4447     IFS=' ,'
 4448     for hosts in $BLOCK_HOSTS; do
 4449       printf "$hosts "
 4450 
 4451       for host in `ip_range "$hosts"`; do
 4452         get_numeric_ip_version "$host"
 4453         case $? in
 4454         4)
 4455           ipset add -exist aif_blocklist_tmp $host
 4456           if [ $? -ne 0 ]; then
 4457             swap4_err=1
 4458             RULE_WARNING=$((RULE_WARNING + 1))
 4459           fi
 4460           ;;
 4461         6)
 4462           if [ "$IPV6_SUPPORT" = "1" ]; then
 4463             ipset add -exist aif_blocklistv6_tmp $host
 4464             if [ $? -ne 0 ]; then
 4465               swap6_err=1
 4466               RULE_WARNING=$((RULE_WARNING + 1))
 4467             fi
 4468           fi
 4469           ;;
 4470         esac
 4471       done
 4472     done
 4473     echo ""
 4474   fi
 4475 
 4476   # Setup the blocked hosts from our file
 4477   if [ -n "$BLOCK_HOSTS_FILE" ]; then
 4478     if [ -f "$BLOCK_HOSTS_FILE" ]; then
 4479       local cur_cnt=0 total_cnt
 4480       total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) ))
 4481 
 4482       : > "$IP4TABLES_BATCH_FILE"
 4483       if [ "$IPV6_SUPPORT" = "1" ]; then
 4484         : > "$IP6TABLES_BATCH_FILE"
 4485       fi
 4486 
 4487       echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..."
 4488       if [ $total_cnt -gt 0 ]; then
 4489         progress_bar $cur_cnt $total_cnt
 4490 
 4491         # Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FILE file
 4492         unset IFS
 4493         cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |while read hosts; do
 4494           cur_cnt=$((cur_cnt + 100))
 4495           progress_bar $cur_cnt $total_cnt
 4496 
 4497           if [ -n "$hosts" ]; then
 4498             IFS=','
 4499             for host in `ip_range "$hosts"`; do
 4500               get_numeric_ip_version "$host"
 4501               case $? in
 4502               4)
 4503                 echo "add -exist aif_blocklist_tmp $host" >> "$IP4TABLES_BATCH_FILE"
 4504                 ;;
 4505               6)
 4506                 if [ "$IPV6_SUPPORT" = "1" ]; then
 4507                   echo "add -exist aif_blocklistv6_tmp $host" >> "$IP6TABLES_BATCH_FILE"
 4508                 fi
 4509                 ;;
 4510               esac
 4511             done
 4512             unset IFS
 4513           fi
 4514         done
 4515         printf "........."
 4516       fi
 4517 
 4518       echo "$total_cnt host line(s) read"
 4519 
 4520       ipset restore < "$IP4TABLES_BATCH_FILE"
 4521       if [ $? -ne 0 ]; then
 4522         swap4_err=1
 4523         RULE_WARNING=$((RULE_WARNING + 1))
 4524       fi
 4525       rm -f "$IP4TABLES_BATCH_FILE"
 4526       if [ "$IPV6_SUPPORT" = "1" ]; then
 4527         ipset restore < "$IP6TABLES_BATCH_FILE"
 4528         if [ $? -ne 0 ]; then
 4529           swap6_err=1
 4530           RULE_WARNING=$((RULE_WARNING + 1))
 4531         fi
 4532         rm -f "$IP6TABLES_BATCH_FILE"
 4533       fi
 4534     else
 4535       printf "\033[40m\033[1;31mNOTE: Cannot read the blocked hosts file \"$BLOCK_HOSTS_FILE\".\033[0m\n"
 4536     fi
 4537   fi
 4538 
 4539   if [ $swap4_err -eq 0 ]; then
 4540     ipset swap aif_blocklist aif_blocklist_tmp
 4541   else
 4542     printf "\033[40m\033[1;31mERROR: IPv4 \"ipset swap ...\" not applied.\033[0m\n" >&2
 4543   fi
 4544   ipset destroy aif_blocklist_tmp
 4545   if [ "$IPV6_SUPPORT" = "1" ]; then
 4546     if [ $swap6_err -eq 0 ]; then
 4547       ipset swap aif_blocklistv6 aif_blocklistv6_tmp
 4548     else
 4549       printf "\033[40m\033[1;31mERROR: IPv6 \"ipset swap ...\" not applied.\033[0m\n" >&2
 4550     fi
 4551     ipset destroy aif_blocklistv6_tmp
 4552   fi
 4553 else
 4554   if [ -n "$BLOCK_NETSET_DIR" ]; then
 4555     printf "\033[40m\033[1;31mNOTE: Blocking using .netset files in BLOCK_NETSET_DIR requires IPTABLES_IPSET to be enabled.\033[0m\n"
 4556   fi
 4557 
 4558   if [ -z "$BLOCK_HOSTS" -a -z "$BLOCK_HOSTS_FILE" ]; then
 4559     return
 4560   fi
 4561 
 4562   # Set default to DROP all while rules are added
 4563   iptables -A HOST_BLOCK_SRC -j DROP
 4564   iptables -A HOST_BLOCK_DST -j DROP
 4565 
 4566   iptables_batch start
 4567   iptables_batch init HOST_BLOCK_SRC
 4568   iptables_batch init HOST_BLOCK_DST
 4569 
 4570   if [ -n "$BLOCK_HOSTS" ]; then
 4571     printf "Blocking (blackhole) host(s): "
 4572 
 4573     IFS=' ,'
 4574     for hosts in $BLOCK_HOSTS; do
 4575       printf "$hosts "
 4576 
 4577       for host in `ip_range "$hosts"`; do
 4578         get_numeric_ip_version "$host"
 4579         case $? in
 4580         4)
 4581           ip4tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
 4582           if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
 4583             ip4tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
 4584           fi
 4585           ;;
 4586         6)
 4587           if [ "$IPV6_SUPPORT" = "1" ]; then
 4588             ip6tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
 4589             if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
 4590               ip6tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
 4591             fi
 4592           fi
 4593           ;;
 4594         esac
 4595       done
 4596     done
 4597     echo ""
 4598   fi
 4599 
 4600 
 4601   # Setup the blocked hosts from our file
 4602   if [ -n "$BLOCK_HOSTS_FILE" ]; then
 4603     if [ -f "$BLOCK_HOSTS_FILE" ]; then
 4604       local cur_cnt=0 total_cnt
 4605       total_cnt=$(( $(cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |wc -l) ))
 4606 
 4607       echo "(Re)loading list of BLOCKED hosts from $BLOCK_HOSTS_FILE..."
 4608       if [ $total_cnt -gt 0 ]; then
 4609         progress_bar $cur_cnt $total_cnt
 4610 
 4611         # Support both a '#' and a ';' as a comment delimiter in BLOCK_HOSTS_FILE file
 4612         unset IFS
 4613         cat "$BLOCK_HOSTS_FILE" |sed -e 's|[#;].*||' -e 's| *$||' -e '/^$/d' |while read hosts; do
 4614           cur_cnt=$((cur_cnt + 100))
 4615           progress_bar $cur_cnt $total_cnt
 4616 
 4617           if [ -n "$hosts" ]; then
 4618             IFS=','
 4619             for host in `ip_range "$hosts"`; do
 4620               get_numeric_ip_version "$host"
 4621               case $? in
 4622               4)
 4623                 ip4tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
 4624                 if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
 4625                   ip4tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
 4626                 fi
 4627                 ;;
 4628               6)
 4629                 if [ "$IPV6_SUPPORT" = "1" ]; then
 4630                   ip6tables_batch -A HOST_BLOCK_SRC -s $host -j HOST_BLOCK_SRC_DROP
 4631                   if [ "$BLOCK_HOSTS_BIDIRECTIONAL" != "0" ]; then
 4632                     ip6tables_batch -A HOST_BLOCK_DST -d $host -j HOST_BLOCK_DST_DROP
 4633                   fi
 4634                 fi
 4635                 ;;
 4636               esac
 4637             done
 4638             unset IFS
 4639           fi
 4640         done
 4641         printf "........."
 4642       fi
 4643 
 4644       echo "$total_cnt host line(s) read"
 4645     else
 4646       printf "\033[40m\033[1;31mNOTE: Cannot read the blocked hosts file \"$BLOCK_HOSTS_FILE\".\033[0m\n"
 4647     fi
 4648   fi
 4649 
 4650   iptables_batch apply HOST_BLOCK_SRC
 4651   iptables_batch apply HOST_BLOCK_DST
 4652   iptables_batch stop
 4653 
 4654   # All Blocked Host rules are applied
 4655   # Remove default rule at the beginning of the HOST_BLOCK_SRC and HOST_BLOCK_DST chains
 4656   iptables -D HOST_BLOCK_SRC 1
 4657   iptables -D HOST_BLOCK_DST 1
 4658 fi
 4659 }
 4660 
 4661 
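setup_mangle_tables()
{
  # Populate the mangle table for the external interface(s) in EXT_IF:
  #  - TTL_INC=1    : bump the TTL of IPv4 packets entering on EXT_IF by one,
  #                   so the firewall itself does not show up as a traceroute hop
  #  - PACKET_TTL=N : force TTL N (10..255) on forwarded and locally generated
  #                   IPv4 packets leaving via EXT_IF
  #  - MANGLE_TOS=1 : set the TOS field for a fixed table of well-known ports
  #
  # Reads:  TTL_INC, PACKET_TTL, MANGLE_TOS, EXT_IF
  # Calls:  ip4tables for the TTL target (IPv4-only), iptables (both
  #         families) for the TOS target.  Leaves IFS=' ,' behind, like the
  #         other setup_* functions in this file.
  local ttl_ok

  # Hide the firewall during a traceroute (TTL target exists for IPv4 only)
  ##########################################################################
  if [ "$TTL_INC" = "1" ]; then
    echo "Enabling TTL-increase for the PREROUTING chain"
    IFS=' ,'
    for interface in $EXT_IF; do
      ip4tables -t mangle -A PREROUTING -i $interface -j TTL --ttl-inc 1
    done
  fi

  # Set TTL on outgoing & forwarded packets
  ##########################################
  if [ -n "$PACKET_TTL" ]; then
    # Make sure the value is all digits before the numeric comparison: a
    # non-numeric PACKET_TTL then produces our warning instead of a "["
    # error, and never ends up unquoted on an iptables command line.
    ttl_ok=0
    case "$PACKET_TTL" in
      *[!0-9]*) ;;
      *)
        if [ "$PACKET_TTL" -gt 9 ] && [ "$PACKET_TTL" -lt 256 ]; then
          ttl_ok=1
        fi
        ;;
    esac

    if [ $ttl_ok -eq 1 ]; then
      echo "Setting TTL=$PACKET_TTL for the FORWARD & OUTPUT chains"
      IFS=' ,'
      for interface in $EXT_IF; do
        ip4tables -t mangle -A FORWARD -o $interface -j TTL --ttl-set $PACKET_TTL
        ip4tables -t mangle -A OUTPUT -o $interface -j TTL --ttl-set $PACKET_TTL
      done
    else
      # The value goes through %s, not the format string, so '%' or '\' in a
      # bad config value cannot confuse printf.
      printf "\033[40m\033[1;31m WARNING: Ignoring invalid value for PACKET_TTL (%s), it should be between 10 and 255!\033[0m\n" "$PACKET_TTL" >&2
    fi
  fi

  # Mangles the TOS on standard ports so they get priority in routers
  ###################################################################
  # TOS table
  # Options:
  #               Normal-Service = 0 (0x00)
  #               Minimize-Cost = 2 (0x02)
  #               Maximize-Reliability = 4 (0x04)
  #               Maximize-Throughput = 8 (0x08)
  #               Minimize-Delay = 16 (0x10)
  #
  # NOTE(review): the two tables below are not identical -- udp/53 gets
  # Maximize-Throughput in OUTPUT but Minimize-Delay in PREROUTING -- and
  # ports 67 (DHCP) and 123 (NTP), which are UDP services, are matched with
  # "-p tcp" here.  Both are kept as-is; confirm intent before changing.
  if [ "$MANGLE_TOS" = "1" ]; then
    echo "Enabling mangling TOS"
    # ToS: Client Applications; data => tos_client
    # Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
    # To view mangle table, type: iptables -L -t mangle
    IFS=' ,'
    for interface in $EXT_IF; do
      # Mangle values of packets created locally.
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p udp --dport 53 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 67 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 123 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
      iptables -t mangle -A OUTPUT -o $interface -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
    done

    # Rules to mangle TOS values of packets routed through the firewall
    # (not restricted to EXT_IF: PREROUTING sees every interface)
    iptables -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
  fi
}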
 4745 
 4746 
setup_tcp_mss()
{
  # Clamp the MSS advertised in outgoing TCP SYNs to the path MTU on every
  # external interface (filter FORWARD and OUTPUT; nat POSTROUTING too when
  # NAT=1).  A clamped MSS tells the peer the largest segment it may send,
  # so oversized packets are avoided even where ICMP is filtered.  The
  # original note requires iptables >= 1.2.1a and Linux >= 2.4.3 for this.
  #
  # Reads:  SET_MSS, EXT_IF, NAT
  # Calls:  iptables (v4 and v6) and ip4tables (the nat table is IPv4-only)
  # Leaves IFS=' ,' set afterwards, like the other setup_* functions.
  if [ "$SET_MSS" != "1" ]; then
    return 0
  fi

  echo "Enabling setting the maximum packet size via MSS"
  IFS=' ,'
  for interface in $EXT_IF; do
    # Same clamp in both filter chains that see packets leaving via EXT_IF
    for mss_chain in FORWARD OUTPUT; do
      iptables -A $mss_chain -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    done

    # With NAT, masqueraded flows are clamped on the way out as well
    if [ "$NAT" = "1" ]; then
      ip4tables -t nat -A POSTROUTING -o $interface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    fi
  done
}
 4768 
 4769 
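plugins_start()
{
  # Source every "*.plugin" file in PLUGIN_BIN_PATH, in glob order (so the
  # numeric prefix of a plugin's filename decides the load order), with
  # PLUGIN_CMD=start -- or PLUGIN_CMD=restart when plugins_stop() recorded
  # the plugin in PLUGIN_LOAD_FILE_RESTART and it defines plugin_restart().
  # Plugins that set ENABLED=1 are recorded in PLUGIN_LOAD_FILE so that
  # plugins_stop()/plugins_status() can find them later.
  #
  # Plugin calling convention (globals): ENABLED, PLUGIN_CMD, PLUGIN_RET_VAL,
  # INDENT, RULE_WARNING, IFS.  Sets PLUGIN_ERRORS to the number of enabled
  # plugins that reported a non-zero PLUGIN_RET_VAL or raised RULE_WARNING.
  #
  # SECURITY NOTE: plugins are sourced, i.e. run with this script's full
  # (root) privileges.  Only files root controls belong in PLUGIN_BIN_PATH;
  # this function does not verify ownership or permissions of what it loads.
  local plugin_count=0

  # Truncate/create file
  : > "$PLUGIN_LOAD_FILE"

  printf "Checking for (user) plugins in %s..." "$PLUGIN_BIN_PATH"

  PLUGIN_ERRORS=0

  # Check for plugins in our plugins binary path:
  if ! ls "$PLUGIN_BIN_PATH"/*.plugin >/dev/null 2>&1; then
    echo "None found"
    return
  fi
  echo ""

  unset IFS
  for plugin in "$PLUGIN_BIN_PATH"/*.plugin; do
    # The glob also matches directories and other non-regular files named
    # *.plugin; sourcing those only yields shell errors, so skip them.
    if [ ! -f "$plugin" ]; then
      continue
    fi

    # Start, or restart when plugins_stop() recorded this plugin for a
    # restart and it actually defines plugin_restart().
    PLUGIN_CMD=start
    if [ -f "$PLUGIN_LOAD_FILE_RESTART" ]; then
      IFS=$EOL
      for plugin_restart in $(cat "$PLUGIN_LOAD_FILE_RESTART"); do
        if [ "$plugin_restart" = "$plugin" ]; then
          # BRE for the literal definition "plugin_restart()" (blanks before
          # the parentheses allowed).  The former "^plugin_restart\(\)" only
          # anchored on the name -- "\(\)" is an empty group in a BRE -- and
          # so also matched e.g. plugin_restart_helper().
          if grep -q '^plugin_restart[[:space:]]*()' "$plugin"; then
            PLUGIN_CMD=restart
          fi
          break
        fi
      done
    fi

    # Preset ENABLED=0 to make sure the plugin only
    # gets loaded if the config has an explicit ENABLED=1:
    ENABLED=0

    # Preinit to 0, just in case
    PLUGIN_RET_VAL=0

    # Store current amount of iptables rule warnings
    STORE_RULE_WARNING=$RULE_WARNING

    # Set indent
    INDENT=' '

    # Explicit unset IFS, just in case
    unset IFS

    # Source the plugin:
    . "$plugin"

    if [ "$ENABLED" = "1" ]; then
      # By checking the ENABLED variable, we know whether the plugin
      # was actually loaded. If so increase the plugin count:
      echo "$plugin" >> "$PLUGIN_LOAD_FILE"
      plugin_count=$((plugin_count + 1))

      # Check result: a non-zero PLUGIN_RET_VAL or any new rule warning
      # raised while the plugin ran counts as a plugin error
      if [ "$PLUGIN_RET_VAL" != "0" ] || [ $STORE_RULE_WARNING -ne $RULE_WARNING ]; then
        PLUGIN_ERRORS=$((PLUGIN_ERRORS + 1))
      fi
    fi
  done
  rm -f "$PLUGIN_LOAD_FILE_RESTART"

  echo " Loaded $plugin_count plugin(s)..."
}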
 4838 
 4839 
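plugins_stop()
{
  # Run plugin_stop() for every plugin recorded in PLUGIN_LOAD_FILE by
  # plugins_start(), in the recorded order.  With $1 = "restart", a plugin
  # that also defines plugin_restart() is sourced with PLUGIN_CMD=stop-restart
  # and its path is saved in PLUGIN_LOAD_FILE_RESTART so plugins_start() can
  # restart rather than cold-start it; otherwise PLUGIN_CMD=stop.
  # PLUGIN_LOAD_FILE is removed afterwards.
  #
  # Plugin calling convention (globals): ENABLED, PLUGIN_CMD, PLUGIN_RET_VAL,
  # INDENT, RULE_WARNING, IFS.  Sets PLUGIN_ERRORS to the number of plugins
  # that reported a non-zero PLUGIN_RET_VAL or raised RULE_WARNING.
  local restart="$1"
  local plugin_count=0
  local plugin_name plugin_file candidate

  # Remove any stale plugin restart file
  rm -f "$PLUGIN_LOAD_FILE_RESTART"

  PLUGIN_ERRORS=0

  if [ -f "$PLUGIN_LOAD_FILE" ]; then
    echo "Stopping (user) plugins..."

    IFS=$EOL
    for plugin in $(cat "$PLUGIN_LOAD_FILE"); do
      # Plugin filename without its numeric load-order prefix
      plugin_name="$(basename "$plugin" |sed 's/^[0-9]*//')"

      if [ -f "$plugin" ]; then
        plugin_file="$plugin"
      else
        # The recorded path is gone (e.g. the plugin was re-numbered after it
        # was started): fall back to the first *.plugin in PLUGIN_BIN_PATH
        # whose name ends in the prefix-less name.  A glob plus a literal
        # suffix match replaces the former "ls | grep NAME$", so a '.' in the
        # name can no longer act as a regex wildcard.
        plugin_file=""
        for candidate in "$PLUGIN_BIN_PATH"/*.plugin; do
          case "$candidate" in
            *"$plugin_name")
              plugin_file="$candidate"
              break
              ;;
          esac
        done
      fi

      if [ -f "$plugin_file" ]; then
        # Only issue the stop command for plugins that support it.  The BRE
        # matches the literal definition "plugin_stop()" (blanks before the
        # parentheses allowed); the former "^plugin_stop\(\)" only anchored
        # on the name and would also accept e.g. plugin_stop_helper().
        if grep -q '^plugin_stop[[:space:]]*()' "$plugin_file"; then
          # Preset ENABLED=0 to make sure the plugin only
          # gets loaded if the config has an explicit ENABLED=1:
          ENABLED=0

          # Preinit to 0, just in case
          PLUGIN_RET_VAL=0

          # Store current amount of iptables rule warnings
          STORE_RULE_WARNING=$RULE_WARNING

          # Set indent
          INDENT=' '

          PLUGIN_CMD=stop
          if [ "$restart" = "restart" ] && grep -q '^plugin_restart[[:space:]]*()' "$plugin_file"; then
            echo "$plugin" >> "$PLUGIN_LOAD_FILE_RESTART"
            PLUGIN_CMD=stop-restart
          fi

          # Explicit unset IFS, just in case
          unset IFS

          # Source the plugin (runs with this script's privileges):
          . "$plugin_file"

          # Check result
          if [ "$PLUGIN_RET_VAL" != "0" ] || [ $STORE_RULE_WARNING -ne $RULE_WARNING ]; then
            PLUGIN_ERRORS=$((PLUGIN_ERRORS + 1))
          fi

          plugin_count=$((plugin_count + 1))
        fi
      else
        printf "\033[40m\033[1;31mERROR: Could not stop plugin \"%s\" as it does not exist!\033[0m\n" "$plugin_name" >&2
      fi
    done

    echo " Unloaded $plugin_count plugin(s)..."

    rm -f "$PLUGIN_LOAD_FILE"
  fi
}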
 4909 
 4910 
plugins_status()
{
  # Source every loaded plugin (listed in PLUGIN_LOAD_FILE) with
  # PLUGIN_CMD=status so it can print its own state.  Only plugins that
  # define plugin_status() are sourced; when $1 is given, only the plugin
  # whose filename ends in "$1.plugin" is shown.  Does nothing without a
  # PLUGIN_LOAD_FILE (i.e. when the firewall is not started).
  #
  # Reads:  PLUGIN_LOAD_FILE, EOL
  # Writes: ENABLED, INDENT, PLUGIN_CMD, IFS (plugin calling convention)
  local match="$1"

  if [ ! -f "$PLUGIN_LOAD_FILE" ]; then
    return
  fi

  printf "\nShowing status of (user) plugins:${match:+ $match}\n"
  echo "---------------------------------"

  IFS=$EOL
  for plugin in $(cat "$PLUGIN_LOAD_FILE"); do
    # NOTE(review): in a BRE "\(\)" is an empty group, so this pattern only
    # anchors on the function name and also accepts e.g. plugin_status_x().
    if ! grep -q "^plugin_status\(\)" "$plugin"; then
      continue
    fi

    # "${plugin%$match.plugin}" strips the suffix only when it is present, so
    # an unchanged value means the filename does not end in "<match>.plugin"
    # (with an empty match, every *.plugin path qualifies).
    if [ "${plugin%$match.plugin}" = "${plugin}" ]; then
      continue
    fi

    # Preset ENABLED=0 so the plugin only acts on an explicit ENABLED=1
    # from its config
    ENABLED=0
    INDENT=' '
    PLUGIN_CMD=status

    printf "=>"
    . "$plugin"
    echo ""
  done
}
 4943 
 4944 
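# Remove (background) job
# $1 = Job name
job_remove()
{
  # Blank out the line of job "$1" in JOBS_FILE.  A job line has the form
  # "NAME REPEAT PASSED PATH" (see job_add()).  The line is replaced by an
  # empty one rather than deleted; the jobs processor that reads the file
  # is not visible here, so that behaviour is deliberately kept.
  #
  # Returns 0 always; a missing JOBS_FILE is not an error.
  local SCRIPT_NAME="$1"
  local name_re

  if [ -f "$JOBS_FILE" ]; then
    echo "${INDENT}Removing background job \"$SCRIPT_NAME\""

    # The name is spliced into a sed BRE, so escape everything that would
    # otherwise act as a metacharacter (or as our ',' delimiter): a job
    # named "a.b" must not also wipe the line of a job named "axb".
    name_re=$(printf '%s\n' "$SCRIPT_NAME" | sed 's/[][\.*^$,]/\\&/g')

    # Remove job from jobs file
    sed -i "s,^${name_re}[[:blank:]].*,," "$JOBS_FILE"
  fi

  return 0
}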
 4960 
 4961 
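# Add (background) job
# $1 = Job name
# $2 = Time in minutes between executes
# $3 = Path to script/binary
job_add()
{
  # Append a "NAME REPEAT PASSED PATH [ARGS...]" line to JOBS_FILE, after
  # removing any existing line for NAME via job_remove().  PASSED is set
  # equal to REPEAT so the job runs as soon as the jobs processor starts.
  #
  # Returns 1 (with a message on stderr) when JOBS_FILE is undefined, when
  # the name or path is missing, or when the repeat time is not all digits;
  # 0 otherwise.
  local SCRIPT_NAME SCRIPT_TIME SCRIPT_PATH word

  if [ -z "$JOBS_FILE" ]; then
    echo "** ERROR: Unable to add job since JOBS_FILE is not defined" >&2
    return 1
  fi

  SCRIPT_NAME="$1"
  SCRIPT_TIME="$2"

  # Refuse to write a line the jobs processor cannot use: a job needs a
  # name, an all-digit repeat time and a command.  (An empty name would
  # also make job_remove()'s "^NAME[[:blank:]]" pattern hit every indented
  # line of the file.)
  if [ -z "$SCRIPT_NAME" ] || [ $# -lt 3 ]; then
    echo "** ERROR: Unable to add job: expected job_add NAME MINUTES PATH [ARGS...]" >&2
    return 1
  fi
  case "$SCRIPT_TIME" in
    ''|*[!0-9]*)
      echo "** ERROR: Unable to add job \"$SCRIPT_NAME\" since repeat time \"$SCRIPT_TIME\" is not a number of minutes" >&2
      return 1
      ;;
  esac
  shift 2

  # Join the remaining words with single spaces regardless of the current
  # IFS ("$*" would use its first character; the setup_* functions in this
  # file set IFS to ' ,' or newline and do not restore it).
  SCRIPT_PATH="$1"
  shift
  for word; do
    SCRIPT_PATH="$SCRIPT_PATH $word"
  done

  # First remove job (if one exists)
  job_remove "$SCRIPT_NAME" >/dev/null

  echo "${INDENT}Adding background job \"$SCRIPT_NAME\""

  # Add new job to jobs file
  # NOTE: The 2nd and 3rd argument are the job repeat time and job passed time
  #       by setting the job passed time to the repeat time, the job will execute
  #       as soon as the job processor is executed
  printf '%s\n' "$SCRIPT_NAME $SCRIPT_TIME $SCRIPT_TIME $SCRIPT_PATH" >> "$JOBS_FILE"

  return 0
}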
 4994 
 4995 
# Run job once (in foreground)
# $1 = Path to job helper
job_run_once()
{
  # Execute job helper "$1" synchronously through JOB_EXECUTER, passing the
  # current INDENT plus one space so the helper's output lines up with ours.
  # The helper is executed (not sourced).
  #
  # Returns 1 when JOB_EXECUTER is unset/empty or the helper exits non-zero,
  # 0 otherwise.
  local SCRIPT_NAME="$1"

  if [ -z "$JOB_EXECUTER" ]; then
    echo "** ERROR: Unable to execute job \"$SCRIPT_NAME\" since JOB_EXECUTER is not defined" >&2
    return 1
  fi

  echo "${INDENT}Foreground running job helper script \"$SCRIPT_NAME\""

  # Any non-zero helper status is folded into our own 1
  "$JOB_EXECUTER" --indent="${INDENT} " "$SCRIPT_NAME" && return 0
  return 1
}
 5016 
 5017 
# Check if job process is running
job_process_is_running()
{
  # Returns 0 when a process whose command line matches JOB_PROCESSOR exists,
  # 1 when JOB_PROCESSOR is unset/empty or no such process is found.
  #
  # NOTE(review): "pgrep -f" treats JOB_PROCESSOR as an unanchored regex over
  # the full command line, so any process whose arguments merely contain the
  # path (an editor opened on it, a "cat" of it) also counts as "running";
  # jobs_process_terminate_check() later hands the same pattern to pkill -f.
  if [ -n "$JOB_PROCESSOR" ] && pgrep -f "$JOB_PROCESSOR" >/dev/null 2>&1; then
    return 0
  fi

  return 1
}
 5031 
 5032 
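# Check whether the jobs process is terminated, if not wait 10 seconds for it
# else (hard) pkill it. This function assumes jobs_process_stop() was previously called
jobs_process_terminate_check()
{
  # Poll job_process_is_running() once per second for up to wait_count
  # seconds, then pkill the processor and verify once more that it is gone.
  # Always returns 0; problems are reported on stderr only.
  local wait_count=10
  local cnt=0

  if ! job_process_is_running; then
    return # Nothing to do
  fi

  echo "Waiting for background job processor \"$JOB_PROCESSOR\" to terminate"

  # Give it wait_count seconds to exit on its own
  while [ $cnt -lt $wait_count ]; do
    sleep 1

    if ! job_process_is_running; then
      return # We're done
    fi

    cnt=$((cnt+1))
  done

  echo "** WARNING: Jobs processor \"$JOB_PROCESSOR\" is still running! Attempting to kill" >&2

  # pkill sends SIGTERM by default.  It uses the same unanchored pattern as
  # job_process_is_running(), so any other process whose command line
  # contains JOB_PROCESSOR is signalled as well.
  if ! pkill -f "$JOB_PROCESSOR"; then
    echo "** ERROR: Killing jobs processor \"$JOB_PROCESSOR\" failed!" >&2
    return
  fi

  # pkill only reports that the signal was delivered, not that the process
  # died.  Give it a moment and say so if it is still there, instead of
  # silently carrying on as if it had stopped.
  sleep 1
  if job_process_is_running; then
    echo "** ERROR: Jobs processor \"$JOB_PROCESSOR\" is still running after SIGTERM!" >&2
  fi

  # Remove possible leftover jobs file (unlikely)
  rm -f "$JOBS_FILE"

  return
}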
 5070 
 5071 
# Start jobs processor
jobs_process_start()
{
  # Launch JOB_PROCESSOR in the background when there is a JOBS_FILE to
  # process: via start-stop-daemon when available, else with a plain "&".
  # After a one second grace period an error is printed on stderr if
  # job_process_is_running() does not see it.  Without a JOBS_FILE nothing
  # happens.  Return status is not meaningful to callers.
  [ -f "$JOBS_FILE" ] || return 0

  if [ -z "$JOB_PROCESSOR" ]; then
    echo "** ERROR: Unable to start jobs processor since JOB_PROCESSOR is not defined" >&2
    return
  fi

  echo "Starting background jobs processor"

  # Run script for background process
  if check_command start-stop-daemon; then
    start-stop-daemon -S -b -x "$JOB_PROCESSOR"
  else
    # Fallback without the daemon helper: detach with a plain background job
    "$JOB_PROCESSOR" &
  fi

  # Give it a moment to come up before probing for it
  sleep 1

  job_process_is_running || echo "** ERROR: Starting jobs processor \"$JOB_PROCESSOR\" failed!" >&2
}
 5100 
 5101 
# Stop jobs processor
jobs_process_stop()
{
  # Stop the background jobs processor by deleting JOBS_FILE inside the jobs
  # lock (per the original note, removing the file is what makes the
  # processor exit), then let jobs_process_terminate_check() make sure the
  # process is really gone.  Lock acquisition/release failures are ignored
  # on purpose; the terminate check runs even when no JOBS_FILE exists.
  if [ -f "$JOBS_FILE" ]; then
    echo "Stopping background jobs processor"

    lock_enter "$JOBS_LOCK_NAME"   # best effort: result deliberately ignored
    rm -f "$JOBS_FILE"
    lock_leave "$JOBS_LOCK_NAME"   # best effort as well
  fi

  # Make sure process is properly terminated
  jobs_process_terminate_check
}
 5121 
 5122 
 5123 # Here the actual iptables rules are loaded
 5124 ###########################################
 5125 setup_firewall_rules()
 5126 {
 5127   # Set indent for functions
 5128   INDENT=' '
 5129 
 5130   echo "Using loglevel \"$LOGLEVEL\" for syslogd"
 5131   echo ""
 5132 
 5133   echo "Setting up firewall rules:"
 5134   echo "-------------------------------------------------------------------------------"
 5135 
 5136   # Assign conntrack helper modules
 5137   #################################
 5138   echo "Enabling assignment of selected conntrack helpers"
 5139   load_conntrack_helper_module ftp tcp 21
 5140   if [ "$USE_IRC" = "1" ]; then
 5141     load_conntrack_helper_module irc tcp 6667:7001
 5142   fi
 5143 
 5144   # Setup all TCP MSS stuff
 5145   #########################
 5146   setup_tcp_mss
 5147 
 5148   # Setup all mangle stuff
 5149   ########################
 5150   setup_mangle_tables
 5151 
 5152   # Setup basic input/forward/output/... chains
 5153   #############################################
 5154   iptables -A INPUT -j INPUT_CHAIN
 5155   iptables -A FORWARD -j FORWARD_CHAIN
 5156   iptables -A OUTPUT -j OUTPUT_CHAIN
 5157   ip4tables -t nat -A PREROUTING -j NAT_PREROUTING_CHAIN
 5158   ip4tables -t nat -A POSTROUTING -j NAT_POSTROUTING_CHAIN
 5159 
 5160   # Block all hosts in the custom blocked hosts file
 5161   ##################################################
 5162   iptables -A INPUT -j HOST_BLOCK_SRC
 5163   iptables -A FORWARD -j HOST_BLOCK_SRC
 5164   iptables -A FORWARD -j HOST_BLOCK_DST
 5165   iptables -A OUTPUT -j HOST_BLOCK_DST
 5166 
 5167   # Allow DNS out for plugins and iptables while setting up rules
 5168   ###############################################################
 5169   iptables -A OUTPUT_CHAIN -p udp --dport 53 -j ACCEPT
 5170   iptables -A OUTPUT_CHAIN -p tcp --dport 53 -j ACCEPT
 5171 
 5172   # Setup global helper chains
 5173   ############################
 5174   setup_valid_chk_chain
 5175   setup_reserved_net_chk_chain
 5176   setup_spoof_chk_chain
 5177 
 5178   # Check if source address is spoofed
 5179   ####################################
 5180   iptables -A INPUT -j SPOOF_CHK
 5181 
 5182   # Setup rules for input/output logging
 5183   ######################################
 5184   setup_input_log
 5185   setup_output_log
 5186 
 5187   # Explicit unset IFS, just in case
 5188   unset IFS
 5189 
 5190   # Insert the custom rules
 5191   #########################
 5192   if [ -f "$CUSTOM_RULES" ]; then
 5193     echo "Reading custom rules from $CUSTOM_RULES"
 5194     . $CUSTOM_RULES
 5195   fi
 5196 
 5197   # Start (user) plugins
 5198   ######################
 5199   plugins_start
 5200 
 5201   # Fragmented packets handling
 5202   # NOTE: Fragmentation cannot happen with IPv6 (and probably even not with iptables/IPv4)
 5203   ########################################################################################
 5204   if [ "$FRAG_DROP" = "1" ]; then
 5205     ip4tables -A OUTPUT -f \
 5206       -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Fragment packet: "
 5207     ip4tables -A OUTPUT -f -j DROP
 5208   fi
 5209 
 5210   # Setup helper chains for EXTERNAL input traffic:
 5211   echo "Setting up external(INET) INPUT policy"
 5212   setup_ext_broadcast_chain
 5213   setup_ext_icmp_flood_chain
 5214   setup_ext_input_chain
 5215 
 5216   # Setup helper chains for EXTERNAL output traffic:
 5217   echo "Setting up external(INET) OUTPUT policy"
 5218   setup_ext_output_chain
 5219 
 5220   # This is used for your external (untrusted) interfaces
 5221   #######################################################
 5222   IFS=' ,'
 5223   for interface in $EXT_IF; do
 5224     echo "Applying external(INET) policy to interface: $interface"
 5225 
 5226     # Apply external (internet) interface policy for the output chain:
 5227     ##################################################################
 5228     iptables -A OUTPUT -o $interface -j EXT_OUTPUT_CHAIN
 5229 
 5230     # We must allow special icmpv6 packets since CONNTRACK doesn't handle all icmpv6 types:
 5231     #######################################################################################
 5232     if [ "$IPV6_SUPPORT" = "1" -a "$OPEN_ICMPV6" != "0" ]; then
 5233       for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do
 5234         ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT
 5235       done
 5236       if [ "$OPEN_ICMPV6_MLD" = "1" ]; then
 5237         for icmpv6_type in $ICMPV6_MLD_TYPES; do
 5238           ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
 5239         done
 5240       fi
 5241     fi
 5242 
 5243     # Apply external (internet) interface policy for the input chain:
 5244     #################################################################
 5245     # Check packets for invalid flags:
 5246     iptables -A INPUT -i $interface -j VALID_CHK
 5247 
 5248     # Perform check:
 5249     ################
 5250     # Non-ICMP traffic:
 5251     iptables -A INPUT -i $interface ! -p icmp $NF_CONNTRACK_STATE NEW -j EXT_INPUT_CHAIN
 5252 
 5253     # ICMP traffic (rate limited):
 5254     iptables -A INPUT -i $interface -p icmp $NF_CONNTRACK_STATE NEW \
 5255       -m limit --limit 60/second --limit-burst 100 -j EXT_INPUT_CHAIN
 5256 
 5257     # ICMP traffic (flood)
 5258     iptables -A INPUT -i $interface -p icmp $NF_CONNTRACK_STATE NEW -j EXT_ICMP_FLOOD_CHAIN
 5259 
 5260     # Drop any remaining ICMPv6 traffic
 5261     if [ "$IPV6_SUPPORT" = "1" ]; then
 5262       ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN
 5263     fi
 5264   done
 5265 
 5266 
 5267   # Setup input rules for your internal net
 5268   #########################################
 5269   if [ -n "$INT_IF" ]; then
 5270     # Setup helper chain for the LAN:
 5271     echo "Setting up internal(LAN) INPUT policy"
 5272     setup_int_input_chain
 5273 
 5274     IFS=' ,'
 5275     for interface in $INT_IF; do
 5276       echo "Applying internal(LAN) policy to interface: $interface"
 5277       iptables -A INPUT -i $interface -j INT_INPUT_CHAIN
 5278       iptables -A OUTPUT -o $interface -j INT_OUTPUT_CHAIN
 5279     done
 5280   fi
 5281 
 5282   # Setup input rules for your DMZ net
 5283   ####################################
 5284   if [ -n "$DMZ_IF" ]; then