[Firewall] I modified arno-iptables-firewall

GG g-arnofw at greboca.org
Mon May 1 22:51:35 CEST 2017


Hi!

On version 2.0.1f, I made some modifications near line 4768:

# Forward traffic for LAN interface(s) that trust each other

My modifications work well, but my code is dirty, and I can't use
the variable to call the awk program.

In this part, originally, the code makes all combinations of the grouped
interfaces.

For example, with IF_TRUSTS="A B C | C D" we will obtain:

A B, A C, B A, C A, A C, B C, C B and C D, D C.

I added a sign to make another group:

With IF_TRUSTS="A = B C | C D"

we obtain: A B, A C, B A, C A and C D, D C.

The "=" sign is optional. I didn't test the case where there is more
than one per group.

I did it because I need to connect some interfaces with others, and
not all combinations.

So, here is the dirty code:

  # Forward traffic for LAN interface(s) that trust each other

  #######################################################################
  # Original code, kept commented out for reference:
  # IFS=$SEP3
  # for if_group in $IF_TRUSTS; do
  #   echo "Setting up trust FORWARD policy for interface(s): $if_group"
  #   IFS=' ,'
  #   for input_if in $if_group; do
  #     for output_if in $if_group; do
  #       if [ "$input_if" != "$output_if" ]; then
  #         iptables -A FORWARD -i $input_if -o $output_if -j ACCEPT
  #       fi
  #     done
  #   done
  # done

  # "=" splits a group into sides: each side is combined with every other
  # side, but interfaces on the same side are not combined with each other.
  SEPGRP="="
  IFS=$SEP3
  for if_group in $IF_TRUSTS; do
    echo "Setting up trust FORWARD policy for interface(s): $if_group"
    # First pass: groups containing "=", combined side by side
    IFS=$SEPGRP
    for input_if in $if_group; do
      for output_if in $if_group; do
        if [ "$input_if" != "$output_if" ]; then
          #echo " To combine: $input_if / $output_if"
          IFS=' ,'
          for inif in $input_if; do
            for outif in $output_if; do
              if [ "$inif" != "$outif" ]; then
                iptables -A FORWARD -i $inif -o $outif -j ACCEPT
                #echo "## Combination: $inif : $outif"
              fi
            done
          done
        fi
        # the inner loop re-splits $if_group, so restore the "=" separator
        IFS=$SEPGRP
      done
    done
    #echo " --------  $if_group "
    # Second pass: drop the group if it contains "=" (already handled
    # above); a group without "=" keeps the full combination as before.
    # AWK_BIN="/usr/bin/awk"
    # Choose one below:
    #if_group=$(echo "$if_group" | $AWK_BIN -v sep="$SEPGRP" '{ if (index($0, sep)) next; printf("%s", $0) }')
    #if_group=$(echo "$if_group" | $AWK_BIN -v sep="$SEPGRP" '$0 ~ sep { next }; { printf("%s", $0) }')
    if_group=$(echo "$if_group" | awk -v sep="$SEPGRP" '$0 !~ sep { printf("%s", $0) }')
    #echo "processing: $if_group"
    IFS=' ,'
    for input_if in $if_group; do
      for output_if in $if_group; do
        if [ "$input_if" != "$output_if" ]; then
          iptables -A FORWARD -i $input_if -o $output_if -j ACCEPT
          #echo "Combining: $input_if -o $output_if -j ACCEPT"
        fi
      done
    done
  done

This is my contribution to Arno-iptables-firewall, which I discovered so
many years ago.

Thanks
GG
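The following is an added example that is not part of the message above and not code from arno-iptables-firewall: a self-contained POSIX sh script that computes the FORWARD rule pairs an IF_TRUSTS value would produce, using the same "=" side convention, but prints them instead of calling iptables, so the resulting rules can be reviewed before the firewall applies them. It assumes "|" as the group separator (as in the "A B C | C D" example) and spaces or commas between interface names; all sample values are constructed. It also covers the case the message leaves untested, a group with more than one "=": every side is combined with every other side, which is what nested loops over the "=" split produce.

```sh
#!/bin/sh
# Added example, not arno-iptables-firewall code: compute the FORWARD
# rule pairs an IF_TRUSTS value would produce, without calling iptables.
# Assumptions (constructed for this example): groups are separated by "|",
# names inside a group by spaces or commas, and "=" splits a group into
# sides, each side trusting every other side but not itself.

# cross_pairs LEFT RIGHT: print "in out" for every ordered pair with
# in taken from LEFT, out from RIGHT, and in != out.
cross_pairs() {
    cp_saved_ifs=$IFS
    IFS=' ,'
    for inif in $1; do
        for outif in $2; do
            if [ "$inif" != "$outif" ]; then
                printf '%s %s\n' "$inif" "$outif"
            fi
        done
    done
    IFS=$cp_saved_ifs
}

# trust_pairs IF_TRUSTS: one "in out" line per FORWARD ACCEPT rule.
trust_pairs() {
    tp_saved_ifs=$IFS
    IFS='|'
    for if_group in $1; do
        IFS=$tp_saved_ifs
        case $if_group in
            *=*)
                # Sided group: combine every side with every other side,
                # never a side with itself (also handles several "=").
                IFS='='
                for side_in in $if_group; do
                    for side_out in $if_group; do
                        IFS=$tp_saved_ifs
                        if [ "$side_in" != "$side_out" ]; then
                            cross_pairs "$side_in" "$side_out"
                        fi
                        # the inner loop re-splits $if_group on "="
                        IFS='='
                    done
                done
                IFS=$tp_saved_ifs
                ;;
            *)
                # Plain group: every ordered pair inside the group.
                cross_pairs "$if_group" "$if_group"
                ;;
        esac
    done
    IFS=$tp_saved_ifs
}

# Dry run: print the iptables commands for a sample value so the
# resulting FORWARD rules can be reviewed before they are applied.
trust_pairs "A = B C | C D" | while read -r inif outif; do
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$inif" "$outif"
done
```

Running the script prints the four rules for "A = B C" (A to B, A to C, B to A, C to A) followed by the two for "C D"; the shell `case` test replaces the awk filter, so no external program is needed to decide whether a group carries an "=" sign.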

