Commit caf9aa22 authored by Branko Mikić's avatar Branko Mikić

~ some helpers added for checking numbers like isNaturalNumber(), isInteger(),...

~ some helpers added for checking numbers like isNaturalNumber(), isInteger(), isFloat() and isNumber() functions.
~ ALLOW_DHCPV6_CLIENT revised to work with both IPv(4|6) therefore the function was renamed to ALLOW_DHCP_CLIENT.
~ obtainRouteToIP() renamed to obtainNetPrefix() and revised to work with both IPv(4|6)
~ obtainNetPrefix() renamed to checkSubnetArgFormat()
~ NEW! checkMACArgFormat(), checkIPArgFormat() and checkSubnetArgFormat() implemented to check passed arguments.
~ deleteRules() revised to return the number of rules deleted. Useful when giving a feedback to the usser about deletions.
~ The LOG target now includes the ENVID to distinguish between logs from iptables and ip6tables. Instead of [IN|OUT|FWD-DROP] prefix the logs are now prefixed like [IN4-DROP], [OU6-DROP] or [FW4-DROP], ...
~ When creating chain names usually formatSubnetAsHexID() function was used but for IPv6 subnets this can lead to chain names longer than 28 chars which iptables will not accept therefore chain names now use the shorter ID created from cksum with '-IN' or '-OUT' suffixes (eg: A273DBBD-OUT or A0C182C8-IN)
~ FORWARD_MAC_FILTER renamed to MAC_FILTER and revised to accept a chain name on which the mac filter is placed.
~ FORWARD_PORT|FORWARD_ROUTING implemented to allow pre- & postrouting forwards in the nat table. This function can forward through a WAN into a private subnet but can be used to forward between hosts inside a private subnet.
~ REMOVE_RULES revised to show only chains on which entries were deleted instead of chains processed regardless of deletions. This way the user gets a better feedback about deletions when removing rules by regex expression.
~ ALLOW_TUNNEL implemented. Allows a router to receive ipip, gre or sit tunnels on the given node from a specified address. At the moment sit tunnels are working, ipip and grep still needs some work to do. A hacky script added to includes/sit_tunnel.sh which is not exactly a part of ipturntables but may be useful anyway.
parent 1833d749
#
# $1: tunne interface node name
#
removeSITtunnel() {
ip link show $1 >/dev/null 2>&1
if [ ${?} -eq 0 ]; then
printf "Removing tunnel '$1': "
ip link set dev $1 down >/dev/null 2>&1
ip tunnel del $1 >/dev/null 2>&1
[ ${?} -eq 0 ] && printf "done\n" || printf "failed\n"
fi
}
#
# $1: tunnel device node name
# $2: local IPv4
# $3; remote IPv4 peer
# $4: interface device node
# [$5]: P2P IPv6 address (optional)
#
addSITtunnel() {
modprobe sit
[ ${?} -ne 0 ] && "Kernel module 'sit' is required in order to create a tunnel."
removeSITtunnel $1
ip link show $1 >/dev/null 2>&1
[ ${?} -eq 0 ] && printf "Tunnel creation aborted." && exit 1
sleep 1
printf "sit tunnel '$1' from $2 to $3 on interface $4: "
ip tunnel add $1 mode sit local $2 remote $3 ttl 64 dev $4 >/dev/null 2>&1
[ ${?} -ne 0 ] && printf "failed\nTunnel creation aborted." && exit 2
printf "created\n"
if [ ! -z $5 ]; then
sleep 1
printf "sit tunnel '$1' has $5 as local IPv6 peer address: "
ip address add dev $1 $5 >/dev/null 2>&1
[ ${?} -ne 0 ] && printf "failed\nTunnel creation aborted." && exit 4
printf "created\n"
fi
sleep 1
printf "Bringing tunnel '$1' up: "
ip link set dev $1 up >/dev/null 2>&1
[ ${?} -ne 0 ] && printf "failed\nTunnel creation aborted." && exit 6
printf "online\n"
ip link show $1 >/dev/null 2>&1
}
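Review bot: The modprobe failure path at the top of addSITtunnel() never reports or aborts — `[ ${?} -ne 0 ] && "Kernel module 'sit' is required in order to create a tunnel."` tries to execute the message as a command name, so the script carries on to `ip tunnel add` without the module loaded. Replace it with `[ ${?} -ne 0 ] && { printf '%s\n' "Kernel module 'sit' is required in order to create a tunnel." >&2; exit 1; }`. The positional arguments are also expanded unquoted into every ip invocation (`ip tunnel add $1 mode sit local $2 remote $3 ttl 64 dev $4`, and `[ ! -z $5 ]`); quoting them, or checking them against an address/ifname pattern before use, keeps an empty or space-containing argument from being split into extra ip options. The header comment above removeSITtunnel() reads "tunne interface node name" — "tunnel".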
......@@ -10,11 +10,18 @@ printAbout()
[PROBE_KERNEL_MODS mod1,mod2,...,modN]
[RESET [default_policy]]
[BASE_RULE_SET]
[ALLOW_SUBNETS link]
[ALLOW_SERVICE_DISCOVERY link]
[FORWARD_SUBNET subnet/mask destination_link]
[POSTROUTING_MASQUERADE subnet/mask destination_link]
[ALLOW_DHCPV6_CLIENT link]
[ALLOW_DHCP_CLIENT on_link]
[ALLOW_SUBNETS on_link]
[ALLOW_LINK_LOCAL on_link]
[ALLOW_SERVICE_DISCOVERY on_link]
[ALLOW_TUNNEL mode on_link from_address]
[FORWARD_SUBNET subnet/mask to_link]
[FORWARD_SUBNET_PROTECTIVE subnet/mask to_link]
[FORWARD_PORT|FORWARD_ROUTING ip|link port(s) to_address[:to_port]]
[MAC_FILTER chain mac_address]
[POSTROUTING_MASQUERADE subnet/mask to_link]
[DEBUG_CHAIN chain_name]
[REMOVE_RULES pattern]
Written by Branko Mikic in Nov 2ol4
All copyrights reserved. Free use of this software is granted under the terms of the GNU General Public License (GPLv3).
......@@ -38,6 +45,13 @@ error()
exit $1
}
# some helpers
function isNaturalNumber() { [[ ${1} =~ ^[0-9]+$ ]]; }
function isInteger() { [[ ${1} == ?(-)+([0-9]) ]]; }
function isFloat() { [[ ${1} == ?(-)@(+([0-9]).*([0-9])|*([0-9]).+([0-9]))?(E?(-|+)+([0-9])) ]]; }
function isNumber() { [[ ${1} == *[[:digit:]]* ]]; }
###
### Command environment setup for either IPv(4|6)
###
......@@ -56,6 +70,7 @@ setupEnv()
IP=$(which ip)
(( $? != 0 )) && error 3 "Can't use ip command. Please install missing command."
if [ $1 -eq 4 ]; then
IPTABLES=$(which iptables)
(( $? != 0 )) && error 1 "Can't use iptables command. Please install missing command."
......@@ -148,7 +163,7 @@ checkLink()
}
###
### $1: A network device (eg: eth0 or eth1, ...)
### $1: an interface node (eg: eth0 or eth1, ...)
###
### Returns an unique hex ID derived from the MAC address.
### Virtual network devices return a special hash value since
......@@ -171,7 +186,7 @@ getLinkID()
}
###
### $1: A network device (eg: eth0 or eth1, ...)
### $1: an interface node (eg: eth0 or eth1, ...)
###
### Returns the MAC address of the desired network interface
###
......@@ -208,31 +223,34 @@ obtainIPs()
}
###
### $1: Desired IP address to obtain corresponding net prefix
### $2: A link the IP address is configured on
###
### Returns list of net prefix addresses
### $1: Some IP of a local net
###
obtainNetPrefix()
obtainRouteToIP()
{
[ $ENVID -eq 4 ] && printf "%s" $($IP -o route list | grep -P -o "(\d+\.){3}+0+\/\d+(?=.* src $1)")
[ $ENVID -eq 6 ] && printf "%s" $($IP -o route list | grep -P -o "${1%::*}::\/\d* (?=dev $2)")
printf "%s" $($IP -o route get $1 | grep -o -P "(?<=src\s)(\d+\.){3}\d+")
}
###
### $1: A subnet/mask argument
### $1: Desired IP address to obtain corresponding net prefix
### $2: A link the IP address is configured on
### (Optional for IPv4 | Mandatory for IPv6 !!!)
###
### Returns 0 if argument has a subnet/mask format otherwise 1
### Returns a subnet prefix
###
checkSubnetArgFormat()
obtainNetPrefix()
{
local sz;
[ $ENVID -eq 4 ] && sz="(\d+\.){3}+0+\/\d+"
[ $ENVID -eq 6 ] && sz="^((\d|[a-fA-F])+:)+:+\/+\d+$"
local i;
echo "$1" | grep -q -P "$sz" 1>/dev/nul 2>/dev/nul
return $?
if [ $ENVID -eq 4 ]; then
# obtain ip of this host from given ip
if ! $IP addr show $1 &> /dev/null ; then
i=$(obtainRouteToIP $1)
else
i=$1
fi
printf "%s" $($IP -o route list | grep -oP "(\d+\.){3}+\d+\/\d+(?=.* src $i)")
fi
[ $ENVID -eq 6 ] && printf "%s" $($IP -o route list | grep -oP "${1%::*}::\/\d* (?=dev $2)")
}
###
......@@ -250,6 +268,50 @@ obtainLinkFromSubnetPrefix()
return 1
}
###
### $1: a MAC address (eg; 06:00:17:d3:97:b4)
###
### Return code == 0: Argument has MAC format
### != 0: Argument is not in MAC format
###
checkMACArgFormat()
{
echo "$1" | grep -q -oE "^(\w+{2}:){5}\w{2}$"
}
###
### $1: IP address with optional port assignment (eg: 192.168.1.1:80) or a device node
###
### Returns TRUE if $1 is an IPv4 or IPv6 address otherwise FALSE
###
checkIPArgFormat()
{
local sz;
[ $ENVID -eq 4 ] && sz="(\d+\.){3}\d+((\:)+(\d)+)*$"
# TODO: check for IPv6 address! Format is untested and likely to fail
[ $ENVID -eq 6 ] && sz="^([\da-fA-F]+:)+:*[\da-fA-F]+$"
echo "$1" | grep -q -P "$sz" 1>/dev/nul 2>/dev/nul
return $?
}
###
### $1: A subnet/mask argument
###
### Returns 0 if argument has a subnet/mask format otherwise 1
###
checkSubnetArgFormat()
{
local sz;
[ $ENVID -eq 4 ] && sz="(\d+\.){3}+\d+\/\d+"
[ $ENVID -eq 6 ] && sz="^([\da-fA-F]+:)+:*\/+\d+$"
echo "$1" | grep -q -P "$sz" 1>/dev/nul 2>/dev/nul
return $?
}
###
### $1: chain to search for device occurence in any rule
###
......@@ -310,12 +372,13 @@ obtainRuleIndices()
### $1: chain to delete rules by pattern in (eg: INPUT or -t nat POSTROUTING)
### $2: string pattern to look for
###
### Returns a list of rule indices in which the device occurs
### Deletes any rule in chain $1 containing the pattern $2
### Return code == Number of successfully removed rules
###
deleteRules()
{
local i; local ia;
local sz; local tgt;
local sz; local n;
if [[ $1 =~ -t ]]; then
[ -z $2 ] && error 70 "deleteRules() expects a tablename after optional -t argument."
......@@ -324,10 +387,13 @@ deleteRules()
fi
# putting it in brackets returns it as an array
ia=($(obtainRuleIndices $sz $1 "$2"))
(( n=0 ))
for (( i=${#ia[@]}-1; i>=0; i-- )); do
# delete rule
$IPTABLES $sz -D $1 ${ia[$i]}
(( $? == 0 )) && (( n++ ))
done
return $n
}
###
......@@ -561,7 +627,6 @@ formatSubnetAsHexID() {
# intercept all the TCP handshakes and correct on-the-fly the wrong MSS value requested by internal hosts
$IPTABLES -A FORWARD -t mangle -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IPv6
......@@ -633,10 +698,9 @@ formatSubnetAsHexID() {
# default log rules
# any of the default chains should end with this!
$IPTABLES -A INPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[IN-DROP] "
$IPTABLES -A OUTPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[OUT-DROP] "
$IPTABLES -A FORWARD -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[FWD-DROP] "
$IPTABLES -A INPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[IN$ENVID-DROP] "
$IPTABLES -A OUTPUT -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[OU$ENVID-DROP] "
$IPTABLES -A FORWARD -m limit --limit 8/min --limit-burst 16 -j LOG --log-prefix "[FW$ENVID-DROP] "
;;
ALLOW_DHCP_CLIENT)
......@@ -663,7 +727,7 @@ formatSubnetAsHexID() {
ALLOW_SUBNETS)
checkLink $1
(( $? != 0 )) && error 41 "ALLOW_SUBNETS expects a network device argument (eg: eth0)"
(( $? != 0 )) && error 41 "ALLOW_SUBNETS expects an interface node argument (eg: eth0)"
probeChains USER-IN USER-OUT
(( $? != 0 )) && error 42 "The 'USER-IN' or 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
......@@ -709,7 +773,7 @@ formatSubnetAsHexID() {
ALLOW_LINK_LOCAL)
checkLink $1
(( $? != 0 )) && error 41 "ALLOW_LINK_LOCAL expects a network device argument (eg: eth0)"
(( $? != 0 )) && error 41 "ALLOW_LINK_LOCAL expects an interface node argument (eg: eth0)"
probeChains USER-IN USER-OUT
(( $? != 0 )) && error 42 "The 'USER-IN' or 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
......@@ -732,7 +796,7 @@ formatSubnetAsHexID() {
ALLOW_SERVICE_DISCOVERY)
checkLink $1
(( $? != 0 )) && error 36 "ALLOW_SERVICE_DISCOVERY expects a network device argument (eg: eth0)"
(( $? != 0 )) && error 36 "ALLOW_SERVICE_DISCOVERY expects an interface node argument (eg: eth0)"
probeChains USER-IN
(( $? != 0 )) && error 37 "The 'USER-IN' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
......@@ -754,6 +818,38 @@ formatSubnetAsHexID() {
shift;
;;
ALLOW_TUNNEL)
probeChains USER-IN
(( $? != 0 )) && error 37 "The 'USER-IN' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
probeChains USER-OUT
(( $? != 0 )) && error 37 "The 'USER-OUT' chain is missing. Setup a new base firewall with BASE_RULE_SET first."
# convert mode to lower case
sz=${1,,}
[ $sz == "ipip" ] && sz=94
[ $sz == "gre" ] && sz=47
[ $sz == "sit" ] && sz=41
isNaturalNumber $sz
(( $? != 0 )) && error 37 "ALLOW_TUNNEL expects a tunnel mode (eg: ipip, gre or sit)"
checkLink $2
(( $? != 0 )) && error 38 "ALLOW_TUNNEL expects an incoming interface to allow tunnel traffic from (eg: eth0)"
checkIPArgFormat $3
(( $? != 0 )) && error 39 "ALLOW_TUNNEL expects a source IP address to allow tunnel traffic from (eg: 192.168.1.1)"
printf "# allowing '%s' tunnel on %s link from %s.\n" ${1^^} $2 $3
ID="ALLOW_TUNNEL_${1^^}_$(getLinkID $2)_$3"
deleteRules USER-IN "$ID"
deleteRules USER-OUT "$ID"
$IPTABLES -A USER-IN -i $2 -p $sz -s $3 -j ACCEPT -m comment --comment "$ID"
$IPTABLES -A USER-OUT -o $2 -p $sz -d $3 -j ACCEPT -m comment --comment "$ID"
shift; shift; shift;
;;
FORWARD_SUBNET)
sz=""
[ $ENVID -eq 4 ] && sz=" (eg: 192.168.0.0/16)"
......@@ -788,6 +884,7 @@ formatSubnetAsHexID() {
sz=""
[ $ENVID -eq 4 ] && sz=" (eg: 192.168.0.0/16)"
[ $ENVID -eq 6 ] && sz=" (eg: 2001:DB8::/32)"
checkSubnetArgFormat $1
(( $? != 0 )) && error 51 "FORWARD_SUBNET_PROTECTIVE expects a subnet/mask argument$sz and a WAN device (eg: ppp0)"
......@@ -799,16 +896,19 @@ formatSubnetAsHexID() {
sz=""
checkLink $2
(( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)"
printf "# forwarding protectively %s (%s) to %s.%s\n" $1 $DEV $2 $sz
(( $? != 0 )) && sz=" (WARNING! '$2' currently not available. Maybe invoked later?)"
printf "# forwarding protectively %s (%s) to %s.%s\n" $1 $DEV $2 "$sz"
ID=$(printf "FORWARD_SUBNET_PROTECTIVE %s_%s_%s" $DEV $(formatSubnetAsHexID "$1") $2)
ID=$(printf "FORWARD_SUBNET_PROTECTIVE_%s_%s_%s" $DEV $(formatSubnetAsHexID "$1") $2)
deleteRules FORWARD "$ID"
CHAIN=$(printf "%s-%s-%s" $(formatSubnetAsHexID "$1") $2 $DEV)
# for IPv6 subnets the max chain name length can
# be easily exceeded so we need a shorter name
#CHAIN=$(printf "%s-%s-%s" $(formatSubnetAsHexID "$1") $2 $DEV)
CHAIN=$(printf "%X-IN" $(cksum <<<"$ID" | grep -oP "^\d*"))
allocChain $CHAIN
# forward to the inside when a related or established connection exists
# forward to the inside for related or established traffic only!
$IPTABLES -A $CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT
# get index position for placing subchains in FORWARD chain
......@@ -830,14 +930,17 @@ formatSubnetAsHexID() {
$IPTABLES -A $CHAIN -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ANTI-FLOOD
# allow safe ports for inbound traffic
#$IPTABLES -A $CHAIN -p tcp -m tcp -m multiport --sports 80,443 -j ACCEPT
#$IPTABLES -A $CHAIN -p tcp -m tcp --sports 80,443 -j ACCEPT
$IPTABLES -I FORWARD $n -i $2 -o $DEV -d $1 -j $CHAIN -m comment --comment "$ID"
CHAIN=$(printf "%s-%s-%s" $(formatSubnetAsHexID "$1") $DEV $2)
# for IPv6 subnets the max chain name length can
# be easily exceeded so we need a shorter name
#CHAIN=$(printf "%s-%s-%s" $(formatSubnetAsHexID "$1") $DEV $2)
CHAIN=$(printf "%X-OUT" $(cksum <<<"$ID" | grep -oP "^\d*"))
allocChain $CHAIN
# forward new, related & established traffic outside
$IPTABLES -A $CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A $CHAIN -m state --state NEW -j ACCEPT
......@@ -850,23 +953,87 @@ formatSubnetAsHexID() {
shift; shift
;;
FORWARD_MAC_FILTER)
printf "# filtering '%s' MAC address in FORWARD chain.\n" $1 $DEV $2 $sz
FORWARD_PORT|FORWARD_ROUTING)
ay=${2//,/} # check given port list
for sz in $ay; do
isNaturalNumber $sz
(( $? != 0 )) && error 70 "FORWARD_ROUTING expects a destination port argument (eg: 80,443)"
done
checkIPArgFormat "$3"
(( $? != 0 )) && error 71 "FORWARD_ROUTING expects a destination IP to your internal host and an optional destination port (eg: 192.168.1.1[:80])"
# $1 == device node or IP address?
checkIPArgFormat "$1"
if (( $? != 0 )); then
[[ ! $1 =~ [A-Za-z]{3}[0-9]+ ]] && error 72 "FORWARD_ROUTING expects '$1' to be a device node or an IP address."
checkLink $1
(( $? != 0 )) && sz=" (WARNING! '$1' currently not available. Maybe invoked later?)"
ID=$(printf "FORWARD_MAC_FILTER %s" ${1//:/})
FILTER_BY="-i $1"
else
sz=$(obtainNetPrefix $1)
[ -z $sz ] && error 73 "FORWARD_ROUTING has no route to '$1' or a malformed IP format (eg: 192.168.1.1)"
FILTER_BY="-i $(obtainLinkFromSubnetPrefix $sz) -d $1"
fi
# create a mark ID (cksum)
MARK_ID=$(printf "0x%x" $(cksum <<<"$1$2$3" | grep -oP "^\d*"))
printf "# prerouting port fowarding from %s:%s to %s (MARK_ID: %s)\n" $1 $2 $3 $MARK_ID
ID="FORWARD_ROUTING $MARK_ID"
deleteRules FORWARD "$ID"
deleteRules -t nat PREROUTING "$ID"
deleteRules -t nat POSTROUTING "$ID"
$IPTABLES -I FORWARD 1 -m mac --mac-source $1 -j DROP -m comment --comment "$ID"
shift
# We mark traffic originating from someone to our receiver IP|device on the
# specified port only.
# This may look complicated but makes absolutely sense since our POSTROUTING
# needs to distinguish from traffic carrying our MARK_ID _and_ traffic on the
# corresponding port returned from the forwarded host.
$IPTABLES -t nat -A PREROUTING $FILTER_BY -p tcp -m multiport --dports $2 -j MARK --set-mark $MARK_ID -m comment --comment "$ID"
$IPTABLES -t nat -A PREROUTING -m mark --mark $MARK_ID -p tcp -j DNAT --to $3 -m comment --comment "$ID"
# prerouting rewrites destination address for marked packets therefore these
# go through the FORWARD chain instead of INPUT, to avoid having other rules
# (eg: FORWARD_SUBNET_PROTECTIVE) blocking our marked packets accidentially
# we allow them to be forwarded explicitly
$IPTABLES -I FORWARD 1 -m mark --mark $MARK_ID -j ACCEPT -m comment --comment "$ID"
# allow packets back & forth from the forwarded host
# Attention! >> These response packets are _not_ carrying our MARK_ID
# therefore these rules are all inserted at index 1 so order matters!
sz=${3#*:}
[ -z $sz ] && sz=$2
$IPTABLES -I FORWARD 1 -p tcp -s ${3%:*}/32 -m multiport --sports $sz -j ACCEPT -m comment --comment "$ID"
$IPTABLES -I FORWARD 1 -p tcp -d ${3%:*}/32 -m multiport --dports $sz -j ACCEPT -m comment --comment "$ID"
# Masquerade only those carrying our MARK_ID!
$IPTABLES -t nat -I POSTROUTING 1 -m mark --mark $MARK_ID -d ${3%:*}/32 -j MASQUERADE -m comment --comment "$ID"
shift; shift; shift;
unset FILTER_BY; unset MARK_ID;
unset ID;
;;
FORWARD_PORT_FORWARDING)
#$IPTABLES -A FORWARD -i eth0 -p tcp --dport 80 -d YOUR_INTERNAL_HOST -j ACCEPT
;;
MAC_FILTER)
sz=$($IPTABLES -nvL | grep -oP "(?<=Chain\s)\S+" | grep ${1^^})
[ -z $sz ] && error 90 "MAC_FILTER expects a chain name to place filter in (eg: INPUT, FORWARD, ...)"
checkMACArgFormat "$2"
(( $? != 0 )) && error 91 "MAC_FILTER expects an ether address (MAC) (eg: 06:00:17:d3:97:b4)"
printf "# filtering '%s' MAC address in %s chain.\n" $2 $sz
ID=$(printf "MAC_FILTER_%s_%s" $sz ${2//:/})
deleteRules $sz "$ID"
PREROUTING_PORT_FORWARDING)
# these rules for a port forwarding example
#$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to YOUR_INTERNAL_HOST:PORT
$IPTABLES -I $sz 1 -m mac --mac-source $2 -j DROP -m comment --comment "$ID"
unset sz;
shift; shift
;;
TRANSPARENT_PROXY)
......@@ -882,8 +1049,8 @@ formatSubnetAsHexID() {
sz=""
checkLink $2
(( $? != 0 )) && sz=" (WARNING! '$2' is currently not available. Maybe invoked later?)"
printf "# masquerading %s when leaving through %s.%s\n" $1 $2 $sz
(( $? != 0 )) && sz=" (WARNING! '$2' currently not available. Maybe invoked later?)"
printf "# masquerading %s when leaving through %s.%s\n" $1 $2 "$sz"
ID=$(printf "POSTROUTING_MASQUERADE %s_%s_%s" $(obtainLinkFromSubnetPrefix $1) $(formatSubnetAsHexID "$1") $2)
deleteRules -t nat POSTROUTING "$ID"
......@@ -894,6 +1061,9 @@ formatSubnetAsHexID() {
unset ID;
;;
PORT_KNOCKING)
# http://stackoverflow.com/questions/15451009/port-knocking-using-iptables
;;
DEBUG_CHAIN)
$IPTABLES -nvL $1 1>/dev/nul 2>/dev/nul
......@@ -912,15 +1082,15 @@ formatSubnetAsHexID() {
for sz in $($IPTABLES -nvL | grep -o -P "(?<=Chain\s)\S+"); do
$IPTABLES -nvL $sz | grep "$1" 1>/dev/nul 2>/dev/nul
if (( $? == 0 )); then
printf " $sz"
deleteRules $sz "$1"
(( $? != 0 )) && printf " $sz"
fi
done
for sz in $($IPTABLES -t nat -nvL | grep -o -P "(?<=Chain\s)\S+"); do
$IPTABLES -t nat -nvL $sz | grep "$1" 1>/dev/nul 2>/dev/nul
if (( $? == 0 )); then
printf " $sz"
deleteRules -t nat $sz "$1"
(( $? != 0 )) && printf " $sz"
fi
done
echo " ... done"
......@@ -957,3 +1127,4 @@ formatSubnetAsHexID() {
done
echo "#~~~ created by ${0##*/}"
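Review bot: In the new FORWARD_PORT|FORWARD_ROUTING case, `sz=${3#*:}` followed by `[ -z $sz ] && sz=$2` does not handle the documented optional to_port: when $3 has no colon, `${3#*:}` yields the whole address, so `sz` becomes the IP and the two `--sports $sz`/`--dports $sz` ACCEPT rules for the return traffic fail after the PREROUTING MARK/DNAT rules above them have already been installed. Use `if [[ $3 == *:* ]]; then sz=${3#*:}; else sz=$2; fi` instead. Separately, the added checkIPArgFormat() and checkSubnetArgFormat() carry over the `1>/dev/nul 2>/dev/nul` spelling from the older helpers; since this script runs as root, that redirect creates a regular file named /dev/nul instead of discarding output, and with `grep -q` the stdout redirect is unnecessary anyway (`2>/dev/null` is all that is needed). The IPv4 pattern in checkIPArgFormat() is also unanchored at the start and accepts octets above 255, so a malformed argument can still reach the `$IPTABLES -s/-d` and `grep -P` calls that interpolate it.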