Mercurial > mbse-firewall / file comparison
comparison: sbin/mbse-firewall
sbin/mbse-firewall
- changeset 4
- 92045b0e8e17
- parent 3
- 6b45cf9df8cf
- child 5
- 2340826a516b
equal
deleted
inserted
replaced
| 3:6b45cf9df8cf | 4:92045b0e8e17 |
|---|---|
| 20 # You should have received a copy of the GNU General Public License | 20 # You should have received a copy of the GNU General Public License |
| 21 # along with this program; see the file COPYING. If not, write to the Free | 21 # along with this program; see the file COPYING. If not, write to the Free |
| 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
| 23 # --------------------------------------------------------------------------- | 23 # --------------------------------------------------------------------------- |
| 24 | 24 |
| 25 MBSEFW_VERSION="0.0.15" | 25 MBSEFW_VERSION="0.0.16" |
| 26 | 26 |
| 27 # Sanity checks | 27 # Sanity checks |
| 28 if [ "$(id -u)" != "0" ]; then | 28 if [ "$(id -u)" != "0" ]; then |
| 29 echo "** You must be root to run this program" | 29 echo "** You must be root to run this program" |
| 30 exit 1 | 30 exit 1 |
| 116 $IP6TABLES -P FORWARD $1 | 116 $IP6TABLES -P FORWARD $1 |
| 117 echo "Reset ip6tables default policy $1" | $LOGGER | 117 echo "Reset ip6tables default policy $1" | $LOGGER |
| 118 fi | 118 fi |
| 119 | 119 |
| 120 # Remove any ipset tables. | 120 # Remove any ipset tables. |
| 121 $IPSET flush | 121 HOST="$(hostname)" |
| 122 $IPSET destroy | 122 SETS="$(${IPSET} list -n | grep ${HOST})" |
| 123 for MySET in ${SETS}; do | |
| 124 $IPSET flush ${MySET} | |
| 125 $IPSET destroy ${MySET} | |
| 126 echo "Destroyed IPSET table ${MySET}" | $LOGGER | |
| 127 done | |
| 123 } | 128 } |
| 124 | 129 |
| 125 | 130 |
| 126 | 131 |
| 127 is_external_if4() { | 132 is_external_if4() { |
| 144 | 149 |
| 145 | 150 |
| 146 reload_blocklist4() { | 151 reload_blocklist4() { |
| 147 | 152 |
| 148 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" | 153 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
| 154 HOST="$(hostname)" | |
| 155 | |
| 149 if [ -f $BLOCKLIST ]; then | 156 if [ -f $BLOCKLIST ]; then |
| 150 echo "Reload $BLOCKLIST" | $LOGGER | 157 echo "Reload $BLOCKLIST" | $LOGGER |
| 151 $IPSET create new-mbsefw-blk4ip hash:ip counters -exist | 158 $IPSET create ${HOST}-new-mbsefw-blk4ip hash:ip counters -exist |
| 152 $IPSET create new-mbsefw-blk4net hash:net counters -exist | 159 $IPSET create ${HOST}new-mbsefw-blk4net hash:net counters -exist |
| 153 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | 160 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
| 154 set $L | 161 set $L |
| 155 if echo $1 | $GREP -q "/" ; then | 162 if echo $1 | $GREP -q "/" ; then |
| 156 $IPSET add new-mbsefw-blk4net $1 -exist | 163 $IPSET add ${HOST}-new-mbsefw-blk4net $1 -exist |
| 157 else | 164 else |
| 158 $IPSET add new-mbsefw-blk4ip $1 -exist | 165 $IPSET add ${HOST}-new-mbsefw-blk4ip $1 -exist |
| 159 fi | 166 fi |
| 160 done | 167 done |
| 161 $IPSET swap mbsefw-blk4net new-mbsefw-blk4net | 168 $IPSET swap ${HOST}-mbsefw-blk4net ${HOST}-new-mbsefw-blk4net |
| 162 $IPSET flush new-mbsefw-blk4net | 169 $IPSET flush ${HOST}-new-mbsefw-blk4net |
| 163 $IPSET destroy new-mbsefw-blk4net | 170 $IPSET destroy ${HOST}-new-mbsefw-blk4net |
| 164 $IPSET swap mbsefw-blk4ip new-mbsefw-blk4ip | 171 $IPSET swap ${HOST}-mbsefw-blk4ip ${HOST}-new-mbsefw-blk4ip |
| 165 $IPSET flush new-mbsefw-blk4ip | 172 $IPSET flush ${HOST}-new-mbsefw-blk4ip |
| 166 $IPSET destroy new-mbsefw-blk4ip | 173 $IPSET destroy ${HOST}-new-mbsefw-blk4ip |
| 167 fi | 174 fi |
| 168 } | 175 } |
| 169 | 176 |
| 170 | 177 |
| 171 | 178 |
| 172 reload_blocklist6() { | 179 reload_blocklist6() { |
| 173 | 180 |
| 174 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" | 181 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" |
| 182 HOST="$(hostname)" | |
| 183 | |
| 175 if [ -f $BLOCKLIST ]; then | 184 if [ -f $BLOCKLIST ]; then |
| 176 echo "Reload $BLOCKLIST" | $LOGGER | 185 echo "Reload $BLOCKLIST" | $LOGGER |
| 177 $IPSET create new-mbsefw-blk6 hash:net family inet6 counters -exist | 186 $IPSET create ${HOST}-new-mbsefw-blk6 hash:net family inet6 counters -exist |
| 178 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | 187 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
| 179 set $L ; $IPSET add new-mbsefw-blk6 $1 -exist | 188 set $L ; $IPSET add ${HOST}-new-mbsefw-blk6 $1 -exist |
| 180 done | 189 done |
| 181 $IPSET swap mbsefw-blk6 new-mbsefw-blk6 | 190 $IPSET swap ${HOST}-mbsefw-blk6 ${HOST}-new-mbsefw-blk6 |
| 182 $IPSET flush new-mbsefw-blk6 | 191 $IPSET flush ${HOST}-new-mbsefw-blk6 |
| 183 $IPSET destroy new-mbsefw-blk6 | 192 $IPSET destroy ${HOST}-new-mbsefw-blk6 |
| 184 fi | 193 fi |
| 185 } | 194 } |
| 186 | 195 |
| 187 | 196 |
| 188 | 197 |
| 222 fw_start_init() { | 231 fw_start_init() { |
| 223 | 232 |
| 224 echo "Init new firewall" | $LOGGER | 233 echo "Init new firewall" | $LOGGER |
| 225 | 234 |
| 226 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" | 235 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist4.conf" |
| 236 HOST="$(hostname)" | |
| 237 | |
| 227 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then | 238 if [ -f $BLOCKLIST -a -n "$IF_EXT" ]; then |
| 228 echo " Install $BLOCKLIST" | $LOGGER | 239 echo " Install $BLOCKLIST" | $LOGGER |
| 229 $IPSET create mbsefw-blk4ip hash:ip counters -exist | 240 $IPSET create ${HOST}-mbsefw-blk4ip hash:ip counters -exist |
| 230 $IPSET create mbsefw-blk4net hash:net counters -exist | 241 $IPSET create ${HOST}-mbsefw-blk4net hash:net counters -exist |
| 231 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP | 242 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
| 232 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP | 243 $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
| 233 if [ "$FW_FORWARD" = "1" ]; then | 244 if [ "$FW_FORWARD" = "1" ]; then |
| 234 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4ip src -j DROP | 245 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4ip src -j DROP |
| 235 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set mbsefw-blk4net src -j DROP | 246 $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk4net src -j DROP |
| 236 fi | 247 fi |
| 237 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | 248 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
| 238 set $L | 249 set $L |
| 239 if echo $1 | $GREP -q "/" ; then | 250 if echo $1 | $GREP -q "/" ; then |
| 240 $IPSET add mbsefw-blk4net $1 -exist | 251 $IPSET add ${HOST}-mbsefw-blk4net $1 -exist |
| 241 else | 252 else |
| 242 $IPSET add mbsefw-blk4ip $1 -exist | 253 $IPSET add ${HOST}-mbsefw-blk4ip $1 -exist |
| 243 fi | 254 fi |
| 244 done | 255 done |
| 245 echo -n "." | 256 echo -n "." |
| 246 fi | 257 fi |
| 247 | 258 |
| 248 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" | 259 BLOCKLIST="/etc/mbse-firewall/conf.d/blocklist6.conf" |
| 249 if [ -f $BLOCKLIST ]; then | 260 if [ -f $BLOCKLIST ]; then |
| 250 echo " Install $BLOCKLIST" | $LOGGER | 261 echo " Install $BLOCKLIST" | $LOGGER |
| 251 $IPSET create mbsefw-blk6 hash:net family inet6 counters -exist | 262 $IPSET create ${HOST}-mbsefw-blk6 hash:net family inet6 counters -exist |
| 252 if [ -n "$IF_EXT6" ]; then | 263 if [ -n "$IF_EXT6" ]; then |
| 253 IF6=$IF_EXT6 | 264 IF6=$IF_EXT6 |
| 254 else | 265 else |
| 255 IF6=$IF_EXT | 266 IF6=$IF_EXT |
| 256 fi | 267 fi |
| 257 $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP | 268 $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
| 258 if [ "$FW_FORWARD" = "1" ]; then | 269 if [ "$FW_FORWARD" = "1" ]; then |
| 259 $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set mbsefw-blk6 src -j DROP | 270 $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set ${HOST}-mbsefw-blk6 src -j DROP |
| 260 fi | 271 fi |
| 261 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do | 272 $GREP -Ev '^#|^;|^\s*$' $BLOCKLIST | while read L ; do |
| 262 set $L | 273 set $L |
| 263 $IPSET add mbsefw-blk6 $1 -exist | 274 $IPSET add ${HOST}-mbsefw-blk6 $1 -exist |
| 264 done | 275 done |
| 265 echo -n "." | 276 echo -n "." |
| 266 fi | 277 fi |
| 267 | 278 |
| 268 fw_init_nfacct | 279 fw_init_nfacct |
| 378 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT | 389 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT |
| 379 fi | 390 fi |
| 380 | 391 |
| 381 # rules to permit IPv6 Neighbor discovery | 392 # rules to permit IPv6 Neighbor discovery |
| 382 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | 393 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
| 394 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 | |
| 383 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | 395 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
| 384 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | 396 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT |
| 397 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j DROP # Silent drop HOPLIMIT <> 255 | |
| 385 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT | 398 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
| 386 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | 399 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
| 387 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | 400 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
| 388 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | 401 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT |
| 389 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT | 402 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT |
| 459 CONFFILE="/etc/mbse-firewall/conf.d/${INTF}-${FCHAIN}.conf" | 472 CONFFILE="/etc/mbse-firewall/conf.d/${INTF}-${FCHAIN}.conf" |
| 460 is_external_if4 $1 | 473 is_external_if4 $1 |
| 461 EXTERN4=$? | 474 EXTERN4=$? |
| 462 is_external_if6 $1 | 475 is_external_if6 $1 |
| 463 EXTERN6=$? | 476 EXTERN6=$? |
| 477 | |
| 478 HOST="$(hostname)" | |
| 464 | 479 |
| 465 # TODO: use subchains, but we need to do 2 passes on the config | 480 # TODO: use subchains, but we need to do 2 passes on the config |
| 466 # files to make it work. | 481 # files to make it work. |
| 467 | 482 |
| 468 # Are there rules for this chain? | 483 # Are there rules for this chain? |
| 475 # See the end of this function for the actual test. | 490 # See the end of this function for the actual test. |
| 476 if [ "$NCHAIN" = "INPUT" -o "$NCHAIN" = "FORWARD" ]; then | 491 if [ "$NCHAIN" = "INPUT" -o "$NCHAIN" = "FORWARD" ]; then |
| 477 if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then | 492 if [ "$IF_EXT_AUTO_BLOCK" = "1" ]; then |
| 478 if [ "$EXTERN4" = "1" ]; then | 493 if [ "$EXTERN4" = "1" ]; then |
| 479 echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER | 494 echo " Installing IPv4 auto blacklisting on interface ${INTF}" | $LOGGER |
| 480 $IPSET create mbsefw-auto4 hash:ip timeout $IF_EXT_AUTO_TO counters -exist | 495 $IPSET create ${HOST}-mbsefw-auto4 hash:ip timeout $IF_EXT_AUTO_TO counters -exist |
| 481 $IPTABLES -I $NCHAIN -m set --match-set mbsefw-auto4 src -j DROP | 496 $IPTABLES -I $NCHAIN -m set --match-set ${HOST}-mbsefw-auto4 src -j DROP |
| 482 fi | 497 fi |
| 483 if [ "$EXTERN6" = "1" ]; then | 498 if [ "$EXTERN6" = "1" ]; then |
| 484 echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER | 499 echo " Installing IPv6 auto blacklisting on interface ${INTF}" | $LOGGER |
| 485 $IPSET create mbsefw-auto6 hash:ip family inet6 timeout $IF_EXT_AUTO_TO counters -exist | 500 $IPSET create ${HOST}-mbsefw-auto6 hash:ip family inet6 timeout $IF_EXT_AUTO_TO counters -exist |
| 486 $IP6TABLES -I $NCHAIN -m set --match-set mbsefw-auto6 src -j DROP | 501 $IP6TABLES -I $NCHAIN -m set --match-set ${HOST}-mbsefw-auto6 src -j DROP |
| 487 fi | 502 fi |
| 488 fi | 503 fi |
| 489 fi | 504 fi |
| 490 | 505 |
| 491 # Adjust for the direction of the chain | 506 # Adjust for the direction of the chain |
| 597 # First, ignore these. Can happen after a temporary network problem. | 612 # First, ignore these. Can happen after a temporary network problem. |
| 598 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP | 613 $IPTABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
| 599 # Now the real rule. | 614 # Now the real rule. |
| 600 $IPTABLES -A $NCHAIN $iodir ${INTF} \ | 615 $IPTABLES -A $NCHAIN $iodir ${INTF} \ |
| 601 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ | 616 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto4 \ |
| 602 -j SET --add-set mbsefw-auto4 src | 617 -j SET --add-set ${HOST}-mbsefw-auto4 src |
| 603 fi | 618 fi |
| 604 if [ "${EXTERN6}" = "1" ]; then | 619 if [ "${EXTERN6}" = "1" ]; then |
| 605 # First, ignore these. Can happen after a temporary network problem. | 620 # First, ignore these. Can happen after a temporary network problem. |
| 606 $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP | 621 $IP6TABLES -A $NCHAIN $iodir ${INTF} -p tcp -m tcp --tcp-flags ALL ACK -j DROP |
| 607 # Now the real rule. | 622 # Now the real rule. |
| 608 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ | 623 $IP6TABLES -A $NCHAIN $iodir ${INTF} \ |
| 609 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ | 624 -m hashlimit --hashlimit-above ${IF_EXT_AUTO_LIMIT} --hashlimit-burst ${IF_EXT_AUTO_BURST} --hashlimit-mode srcip --hashlimit-name hash-auto6 \ |
| 610 -j SET --add-set mbsefw-auto6 src | 625 -j SET --add-set ${HOST}-mbsefw-auto6 src |
| 611 fi | 626 fi |
| 612 fi | 627 fi |
| 613 # deny and log the rest | 628 # deny and log the rest |
| 614 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " | 629 $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
| 615 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " | 630 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN " |
| 741 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data | 756 [ -n "$IP6TABLES_SAVE" ] && $IP6TABLES_SAVE > /etc/mbse-firewall/data/firewall-ipv6.data |
| 742 echo -n "." | 757 echo -n "." |
| 743 | 758 |
| 744 rm -f /etc/mbse-firewall/data/firewall-ipset.data | 759 rm -f /etc/mbse-firewall/data/firewall-ipset.data |
| 745 touch /etc/mbse-firewall/data/firewall-ipset.data | 760 touch /etc/mbse-firewall/data/firewall-ipset.data |
| 746 SETS="$($IPSET list -n)" | 761 HOST="$(hostname)" |
| 762 SETS="$($IPSET list -n | grep ${HOST})" | |
| 747 for set in $SETS ; do | 763 for set in $SETS ; do |
| 748 if [ "$set" = "mbsefw-auto4" -o "$set" = "mbsefw-auto6" ]; then | 764 if [ "$set" = "${HOST}-mbsefw-auto4" -o "$set" = "${HOST}-mbsefw-auto6" ]; then |
| 749 # Only save structure for auto blocklists | 765 # Only save structure for auto blocklists |
| 750 $IPSET save $set -t >> /etc/mbse-firewall/data/firewall-ipset.data | 766 $IPSET save $set -t >> /etc/mbse-firewall/data/firewall-ipset.data |
| 751 else | 767 else |
| 752 $IPSET save $set >> /etc/mbse-firewall/data/firewall-ipset.data | 768 $IPSET save $set >> /etc/mbse-firewall/data/firewall-ipset.data |
| 753 fi | 769 fi |
| 841 echo ' SECURITY TABLE IPv6' | 857 echo ' SECURITY TABLE IPv6' |
| 842 echo | 858 echo |
| 843 $IP6TABLES -t security -L -v -n --line-numbers | 859 $IP6TABLES -t security -L -v -n --line-numbers |
| 844 fi | 860 fi |
| 845 | 861 |
| 846 if [ -n "$IPSET" ] && [ ! -z "$($IPSET list)" ]; then | 862 HOST="$(hostname)" |
| 863 if [ -n "$IPSET" ] && [ ! -z "$($IPSET list -n | grep ${HOST})" ]; then | |
| 847 echo | 864 echo |
| 848 echo ' IPSET listing' | 865 echo ' IPSET listing' |
| 849 echo | 866 SETS="$(${IPSET} list -n | grep ${HOST})" |
| 850 $IPSET list | 867 for MySET in ${SETS}; do |
| 868 echo | |
| 869 ${IPSET} list ${MySET} | |
| 870 done | |
| 851 fi | 871 fi |
| 852 } | 872 } |
| 853 | 873 |
| 854 | 874 |
| 855 | 875 |
