#!/bin/sh## Shorewall Packet Filtering Firewall Control Program - V4.2## This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]## (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008 - Tom Eastep (teastep@shorewall.net)## This file should be placed in /sbin/shorewall.## Shorewall documentation is available at http://www.shorewall.net## This program is free software; you can redistribute it and/or modify# it under the terms of Version 2 of the GNU General Public License# as published by the Free Software Foundation.## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the# GNU General Public License for more details.## You should have received a copy of the GNU General Public License# along with this program; if not, write to the Free Software# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.## If an error occurs while starting or restarting the firewall, the# firewall is automatically stopped.## The firewall uses configuration files in /etc/shorewall/ - skeleton# files are included with the firewall.## Commands are:## shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone# shorewall dump Dumps all Shorewall-related information# for problem analysis# shorewall start Starts the firewall# shorewall restart Restarts the firewall# shorewall stop Stops the firewall# shorewall status Displays firewall status# shorewall reset Resets iptables packet and# byte counts# shorewall clear Open the floodgates by# removing all iptables rules# and setting the three permanent# chain policies to ACCEPT# shorewall refresh Rebuild the common chain to# compensate for a change of# broadcast address on any "detect"# interface.# shorewall [re]load [ <directory> ] <system># Compile a script and install it on a# 
remote Shorewall Lite system.# shorewall show <chain> [ <chain> ... ] Display the rules in each <chain> listed# shorewall show actions Displays the available actions# shorewall show log Print the last 20 log messages# shorewall show connections Show the kernel's connection# tracking table# shorewall show nat Display the rules in the nat table# shorewall show {mangle|tos} Display the rules in the mangle table# shorewall show tc Display traffic control info# shorewall show classifiers Display classifiers# shorewall show capabilities Display iptables/kernel capabilities# shorewall show vardir Display the VARDIR setting.# shorewall version Display the installed version id# shorewall check [ -e ] [ <directory> ] Dry-run compilation.# shorewall try <directory> [ <timeout> ] Try a new configuration and if# it doesn't work, revert to the# standard one. If a timeout is supplied# the command reverts back to the# standard configuration after that many# seconds have elapsed after successfully# starting the new configuration.# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall# messages.# shorewall drop <address> ... Temporarily drop all packets from the# listed address(es)# shorewall reject <address> ... Temporarily reject all packets from the# listed address(es)# shorewall allow <address> ... 
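#                                         Reenable address(es) previously
#                                         disabled with "drop" or "reject"
#   shorewall save [ <file> ]             Save the list of "rejected" and
#                                         "dropped" addresses so that it will
#                                         be automatically reinstated the
#                                         next time that Shorewall starts.
#                                         Save the current state so that 'shorewall
#                                         restore' can be used.
#
#   shorewall forget [ <file> ]           Discard the data saved by 'shorewall save'
#
#   shorewall restore [ <file> ]          Restore the state of the firewall from
#                                         previously saved information.
#
#   shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
#
#                                         Displays information about the network
#                                         defined by the argument[s]
#
#   shorewall iprange <address>-<address> Decomposes a range of IP addresses into
#                                         a list of network/host addresses.
#
#   shorewall ipdecimal { <address> | <integer> }
#
#                                         Displays the decimal equivalent of an IP
#                                         address and vice versa.
#
#   shorewall safe-start [ <directory> ]  Starts the firewall and prompts for a
#                                         confirmation to accept or reject the new
#                                         configuration
#
#   shorewall safe-restart [ <directory> ] Restarts the firewall and prompts for a
#                                         confirmation to accept or reject the new
#                                         configuration
#
#   shorewall compile [ -e ] [ <directory> ] <filename>
#                                         Compile a firewall program file.
#
# Set the configuration variables from shorewall.conf
#
#   $1 = Yes: read the params file
#   $2 = Yes: check for STARTUP_ENABLED
#   $3 = Yes: Check for LOGFILE
#
# Both the params file and shorewall.conf are *sourced* ("."), so anyone who
# can write to a directory on CONFIG_PATH can run arbitrary shell with the
# privileges of whoever invokes this program. The validation block guarded by
# "$(id -u)" = 0 and an empty EXPORT is skipped for compile-for-export and for
# non-root compiles. Any invalid setting terminates the program (exit 1/2)
# instead of continuing with a half-validated configuration.
#
get_config() {
    ensure_config_path

    if [ "$1" = Yes ]; then
        params=$(find_file params)

        if [ -f "$params" ]; then
            . "$params"
        fi
    fi

    config=$(find_file shorewall.conf)

    if [ -f "$config" ]; then
        if [ -r "$config" ]; then
            . "$config"
        else
            echo "Cannot read $config! (Hint: Are you root?)" >&2
            exit 1
        fi
    else
        echo "$config does not exist!" >&2
        exit 2
    fi

    # shorewall.conf may have changed CONFIG_PATH, so recompute it.
    ensure_config_path

    if [ -z "$EXPORT" -a "$(id -u)" = 0 ]; then
        #
        # This block is avoided for compile for export and when the user isn't root
        #
        export CONFIG_PATH

        if [ "$3" = Yes ]; then
            [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

            if [ -n "$(syslog_circular_buffer)" ]; then
                LOGREAD="logread | tac"
            elif [ -f "$LOGFILE" ]; then
                LOGREAD="tac $LOGFILE"
            else
                echo "LOGFILE ($LOGFILE) does not exist!" >&2
                exit 2
            fi
        fi

        # IPTABLES either names an existing executable or is located via
        # mywhich; the result is exported so the compiled script and the
        # FAST restore path below use the same binary.
        if [ -n "$IPTABLES" ]; then
            if [ ! -x "$IPTABLES" ]; then
                echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
                exit 2
            fi
        else
            IPTABLES=$(mywhich iptables 2> /dev/null)

            if [ -z "$IPTABLES" ]; then
                echo " ERROR: Can't find iptables executable" >&2
                exit 2
            fi
        fi

        export IPTABLES
        #
        # Compile by non-root needs no restore file
        #
        [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
        validate_restorefile RESTOREFILE
        export RESTOREFILE

        if [ "$2" = Yes ]; then
            case $STARTUP_ENABLED in
                No|no|NO)
                    echo " ERROR: Shorewall startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/shorewall.conf" >&2
                    exit 2
                    ;;
                Yes|yes|YES)
                    ;;
                *)
                    # Message previously named the variable STARTUP_ENABLE.
                    if [ -n "$STARTUP_ENABLED" ]; then
                        echo " ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
                        exit 2
                    fi
                    ;;
            esac
        fi

        case ${TC_ENABLED:=Internal} in
            No|NO|no)
                TC_ENABLED=
                ;;
        esac

        # Strip everything from the first '%' on (the original test compared
        # the literal string "LOGFORMAT" because the '$' was missing).
        [ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
        [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
        export LOGFORMAT

        if [ -n "$STARTUP_LOG" ]; then
            if [ -n "$LOG_VERBOSITY" ]; then
                case $LOG_VERBOSITY in
                    -1|0|1|2)
                        ;;
                    *)
                        echo " ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
                        exit 2
                        ;;
                esac
            else
                LOG_VERBOSITY=2
            fi
        else
            LOG_VERBOSITY=-1
        fi
    else
        STARTUP_LOG=
        LOG_VERBOSITY=-1
    fi

    if [ -n "$SHOREWALL_SHELL" ]; then
        if [ ! -x "$SHOREWALL_SHELL" ]; then
            echo " WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
            SHOREWALL_SHELL=/bin/sh
        fi
    fi

    case $VERBOSITY in
        -1|0|1|2)
            ;;
        *)
            if [ -n "$VERBOSITY" ]; then
                echo " ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2
                exit 2
            else
                VERBOSITY=2
            fi
            ;;
    esac

    # USE_VERBOSITY overrides; otherwise VERBOSE is VERBOSITY shifted by the
    # command-line offset and clamped to [-1, 2].
    if [ -n "$USE_VERBOSITY" ]; then
        VERBOSE=$USE_VERBOSITY
    else
        VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
    fi

    if [ $VERBOSE -lt -1 ]; then
        VERBOSE=-1
    elif [ $VERBOSE -gt 2 ]; then
        VERBOSE=2
    fi

    export VERBOSE

    [ -n "${HOSTNAME:=$(hostname)}" ]

    # Templates for the remote load/reload commands; ${root}, ${system},
    # ${command}, ${files} and ${destination} are deliberately left
    # unexpanded here (single quotes) -- presumably substituted by the
    # load/reload code, which is outside this file section.
    [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}'
    [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

    case $MANGLE_ENABLED in
        Yes|yes)
            ;;
        No|no)
            MANGLE_ENABLED=
            ;;
        *)
            if [ -n "$MANGLE_ENABLED" ]; then
                echo " ERROR: Invalid MANGLE_ENABLED setting ($MANGLE_ENABLED)" >&2
                exit 2
            fi
            ;;
    esac

    case $FAST_STOP in
        Yes|yes)
            ;;
        No|no)
            FAST_STOP=
            ;;
        *)
            if [ -n "$FAST_STOP" ]; then
                echo " ERROR: Invalid FAST_STOP setting ($FAST_STOP)" >&2
                exit 2
            fi
            ;;
    esac
}

#
# Run the appropriate compiler
#
#   $1 = run | exec  -- "exec" replaces this process with the compiler;
#                       anything else runs it as a child and returns.
#   remaining args   -- passed to the compiler (the perl compiler receives
#                       only the output file, see below).
#
# Selects shell vs perl from SHOREWALL_COMPILER, falling back to whichever of
# the two is installed. Non-root callers are refused when SHOREWALL_DIR is
# empty or is exactly /etc/shorewall.
#
compiler() {
    local sc
    sc=${SHELLSHAREDIR}/compiler
    local pc
    pc=${PERLSHAREDIR}/compiler.pl

    startup_error() {
        echo " ERROR: $@" >&2
        exit 1
    }

    local command
    command=$1
    shift

    # NOTE(review): this is a plain string compare. Callers in this file
    # canonicalize SHOREWALL_DIR through resolve_file before getting here;
    # confirm every caller does so, otherwise an alternative spelling of the
    # same directory is not caught.
    if [ $(id -u) -ne 0 ]; then
        if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
            startup_error "Ordinary users may not compile the /etc/shorewall configuration"
        fi
    fi
    #
    # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH
    #
    ensure_config_path

    compiler=
    haveparams=

    if [ -n "$SHOREWALL_COMPILER" ]; then
        compiler="$SHOREWALL_COMPILER" #Compiler specified in /etc/shorewall/shorewall.conf or on the run-line
    elif [ -x "$sc" ]; then
        if [ ! -x "$pc" ]; then
            compiler=shell
        fi
    elif [ -x "$pc" ]; then
        compiler=perl
    else
        fatal_error "No shorewall compiler installed"
    fi

    if [ -z "$compiler" ]; then
        #
        # Both compilers installed. Read the appropriate shorewall.conf to
        # learn the setting of SHOREWALL_COMPILER
        #
        if [ -n "$SHOREWALL_DIR" ]; then
            # get_config may override SHOREWALL_SHELL; preserve the caller's value.
            shell=$SHOREWALL_SHELL
            [ -x "$pc" ] && set -a
            run_user_exit params
            set +a
            haveparams=Yes
            get_config No No No
            SHOREWALL_SHELL=$shell
        fi
        #
        # And initiate the appropriate compiler
        #
        if [ -n "$SHOREWALL_COMPILER" ]; then
            compiler="$SHOREWALL_COMPILER"
        elif [ -x "$sc" ]; then
            compiler=shell
        else
            compiler=perl
        fi
    fi

    # Only the starting commands keep a startup log.
    case $COMMAND in
        *start|try|refresh)
            ;;
        *)
            STARTUP_LOG=
            LOG_VERBOSITY=-1
            ;;
    esac

    [ "$command" = exec ] || command=

    case "$compiler" in
        perl)
            debugflags="-w"
            [ -n "$DEBUG" ] && debugflags='-wd'
            [ -n "$PROFILE" ] && debugflags='-wd:DProf'
            # Perl compiler only takes the output file as a argument
            [ "$1" = debug -o "$1" = trace ] && shift
            [ "$1" = nolock ] && shift
            shift
            options="--verbose=$VERBOSE"
            [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
            [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY"
            [ -n "$EXPORT" ] && options="$options --export"
            [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
            [ -n "$TIMESTAMP" ] && options="$options --timestamp"
            [ -n "$TEST" ] && options="$options --test"
            [ "$debugging" = trace ] && options="$options --debug"
            [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
            [ -x "$pc" ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
            #
            # Run the appropriate params file
            #
            if [ -z "$haveparams" ]; then
                set -a
                run_user_exit params
                set +a
            fi
            # $command and $options are intentionally unquoted: an empty
            # $command must vanish and $options is a word list.
            $command perl $debugflags "$pc" $options "$@"
            ;;
        shell)
            [ -x "$sc" ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed"
            [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains"
            $command $SHOREWALL_SHELL "$sc" "$@"
            ;;
        *)
            startup_error "Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER"
            ;;
    esac
}

#
# Start Command Executor
#
#   shorewall start [ -C compiler ] [ -d ] [ -f ] [ -p ] [ <directory> ]
#
# Options are parsed as bundled single-letter flags (-dfp); "-C" takes the
# next argument. With -f, if ${CONFDIR}/Makefile reports the compiled script
# is up to date, the saved restore script ${VARDIR}/$RESTOREFILE is executed
# instead of recompiling. Otherwise the configuration is compiled to
# ${VARDIR}/.start and that script is run with "start".
#
start_command() {
    local finished
    finished=0

    # Compile, then run the compiled script. The mutex is held around the
    # run unless the caller passed nolock. Never returns: exits with the
    # script's status.
    do_it() {
        local rc
        rc=0

        progress_message3 "Compiling..."

        if compiler run $debugging $nolock compile ${VARDIR}/.start; then
            [ -n "$nolock" ] || mutex_on
            ${VARDIR}/.start $debugging start
            rc=$?
            [ -n "$nolock" ] || mutex_off
        else
            rc=$?
            logger -p kern.err "ERROR:Shorewall start failed"
        fi

        exit $rc
    }

    if shorewall_is_started; then
        error_message "Shorewall is already running"
        exit 0
    fi

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    while [ $finished -eq 0 -a $# -gt 0 ]; do
        option=$1
        case $option in
            -*)
                option=${option#-}

                while [ -n "$option" ]; do
                    case $option in
                        -)
                            finished=1
                            option=
                            ;;
                        C)
                            [ $# -gt 1 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$2
                            option=
                            shift
                            ;;
                        d*)
                            DEBUG=Yes
                            option=${option#d}
                            ;;
                        f*)
                            FAST=Yes
                            option=${option#f}
                            ;;
                        p*)
                            # Same helper the -f path uses to look for make.
                            qt mywhich conntrack || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
                            PURGE=Yes
                            # Strip the leading 'p' like the other flags. The
                            # original used ${option%p}, which left a bundle
                            # such as "-pd" unchanged and looped forever.
                            option=${option#p}
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done

                shift
                ;;
            *)
                finished=1
                ;;
        esac
    done

    case $# in
        0)
            ;;
        1)
            [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2

            if [ ! -d "$1" ]; then
                if [ -e "$1" ]; then
                    echo "$1 is not a directory" >&2 && exit 2
                else
                    echo "Directory $1 does not exist" >&2 && exit 2
                fi
            fi

            SHOREWALL_DIR=$(resolve_file "$1")
            export SHOREWALL_DIR
            ;;
        *)
            usage 1
            ;;
    esac

    export NOROUTES
    export PURGE

    if [ -n "$FAST" ]; then
        if qt mywhich make; then
            #
            # RESTOREFILE is exported by get_config()
            #
            make -qf ${CONFDIR}/Makefile || FAST=
        fi

        if [ -n "$FAST" ]; then
            RESTOREPATH=${VARDIR}/$RESTOREFILE

            if [ -x "$RESTOREPATH" ]; then
                if [ -x "${RESTOREPATH}-ipsets" ]; then
                    echo "Restoring Ipsets..."
                    #
                    # We must purge iptables to be sure that there are no
                    # references to ipsets. Use the binary validated and
                    # exported by get_config() rather than a PATH lookup;
                    # fall back to the bare name only if it was never set.
                    #
                    ${IPTABLES:-iptables} -F
                    ${IPTABLES:-iptables} -X
                    $SHOREWALL_SHELL "${RESTOREPATH}-ipsets"
                fi

                echo "Restoring Shorewall..."
                $SHOREWALL_SHELL "$RESTOREPATH" restore
                date > ${VARDIR}/restarted
                progress_message3 Shorewall restored from $RESTOREPATH
            else
                do_it
            fi
        else
            do_it
        fi
    else
        do_it
    fi
}

#
# Compile Command Executor
#
#   shorewall compile [ -e ] [ -p ] [ -t ] [ -d ] [ -C compiler ] [ <directory> ] <filename>
#
# Note that here "-p" means PROFILE, unlike "start" where it means PURGE.
# The compiler is exec'd, so this function does not return.
#
compile_command() {
    local finished
    finished=0

    while [ $finished -eq 0 ]; do
        [ $# -eq 0 ] && usage 1
        option=$1
        case $option in
            -*)
                shift
                option=${option#-}
                [ -z "$option" ] && usage 1

                while [ -n "$option" ]; do
                    case $option in
                        e*)
                            EXPORT=Yes
                            option=${option#e}
                            ;;
                        p*)
                            PROFILE=Yes
                            option=${option#p}
                            ;;
                        C)
                            # The option word was already shifted off, so the
                            # compiler name is $1 here.
                            [ $# -gt 0 ] || fatal_error "-C must be followed by a compiler name"
                            SHOREWALL_COMPILER=$1
                            option=
                            shift
                            ;;
                        t*)
                            TEST=Yes
                            option=${option#t}
                            ;;
                        d*)
                            DEBUG=Yes
                            option=${option#d}
                            ;;
                        -)
                            finished=1
                            option=
                            ;;
                        *)
                            usage 1
                            ;;
                    esac
                done
                ;;
            *)
                finished=1
                ;;
        esac
    done

    file=

    case $# in
        1)
            file=$1
            [ -d "$file" ] && echo " ERROR: $file is a directory" >&2 && exit 2
            ;;
        2)
            [ -n "$SHOREWALL_DIR" ] && usage 2

            if [ ! -d "$1" ]; then
                if [ -e "$1" ]; then
                    echo "$1 is not a directory" >&2 && exit 2
                else
                    echo "Directory $1 does not exist" >&2 && exit 2
                fi
            fi

            SHOREWALL_DIR=$(resolve_file "$1")
            export SHOREWALL_DIR
            file=$2
            ;;
        *)
            usage 1
            ;;
    esac

    export EXPORT

    progress_message3 "Compiling..."

    compiler exec $debugging compile "$file"
}

#
# Check Command Executor
#
check_command() {
    local finished
    finished=0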