#!/bin/sh /etc/rc.common
# LuCI firewall glue (OpenWrt rc.common init script).
# Installs the "portfw" and "rule" sections of the luci_fw UCI config into
# private luci_* iptables chains and hooks those chains into the
# input_rule / output_rule / forwarding_rule / prerouting_rule /
# postrouting_rule chains. Those parent chains are not created here, so
# they must already exist when start() runs -- TODO confirm which earlier
# init script provides them.
# rc.common start order; presumably chosen to run after the base firewall
# setup that creates the parent chains above -- confirm against that script.
START=46

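apply_portfw() {
	# Install one "portfw" UCI section: DNAT traffic arriving on $iface for
	# port $dport to $to, and ACCEPT the resulting forwarded flow.
	#   proto : tcp, udp or tcpudp (any other value installs nothing)
	#   dport : destination port (or iptables a:b range) to redirect
	#   iface : ingress interface the forward applies to
	#   to    : target as IP, IP:port or IP:port-port
	# Sections missing iface, dport or to are skipped with a message on
	# stderr instead of handing iptables an empty -i/--dport/--to.
	local cfg="$1"
	local proto dport iface to ip ports fwport p

	config_get proto "$cfg" proto
	config_get dport "$cfg" dport
	config_get iface "$cfg" iface
	config_get to    "$cfg" to

	if [ -z "$iface" ] || [ -z "$dport" ] || [ -z "$to" ]; then
		printf 'luci_fw: portfw "%s": iface, dport and to are required, skipping\n' "$cfg" >&2
		return 0
	fi

	# Target host is everything before the first colon.
	ip=${to%%:*}

	# Target port, if any, is the second colon-separated field of $to; a
	# "lo-hi" range is rewritten to the "lo:hi" form --dport expects.
	ports=
	case "$to" in
		*:*)
			ports=${to#*:}
			ports=${ports%%:*}
			case "$ports" in
				*-*) ports="${ports%%-*}:${ports#*-}" ;;
			esac
			;;
	esac

	# Port the ACCEPT rule must match. When $to carries no port, DNAT keeps
	# the original destination port, so matching $dport is exact -- there
	# is no reason to accept every port on $ip.
	if [ -n "$ports" ]; then
		fwport=$ports
	else
		fwport=$dport
	fi

	for p in tcp udp; do
		case "$proto" in
			"$p"|tcpudp)
				# Open the forward path only once the DNAT is actually in
				# place; an ACCEPT without its DNAT would be a stray hole.
				iptables -t nat -A luci_prerouting -i "$iface" -p "$p" --dport "$dport" -j DNAT --to "$to" \
				&& iptables -A luci_forward -i "$iface" -p "$p" -d "$ip" --dport "$fwport" -j ACCEPT
				;;
		esac
	done
}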

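apply_rule() {
	# Install one generic "rule" UCI section as a single iptables rule.
	#   chain : forward | input | output | prerouting | postrouting
	#           (selects the luci_* subchain and, for the last two, -t nat);
	#           empty sections and unknown chain names install nothing
	#   iface/oface/proto/source/destination/sport/dport : optional matches
	#   todest/tosrc : --to-destination / --to-source for DNAT/SNAT targets
	#   jump    : -j target
	#   command : raw extra iptables arguments appended last (word-split
	#             on purpose; it is trusted, admin-supplied config)
	# Arguments are accumulated as positional parameters rather than a
	# string, so a value containing whitespace or a glob character reaches
	# iptables as one argument instead of being split or expanded.
	local cfg="$1"
	local chain iface oface proto source destination sport dport
	local todest tosrc jump command

	config_get chain "$cfg" chain
	[ -n "$chain" ] || return 0

	case "$chain" in
		forward)     set -- -A luci_forward ;;
		input)       set -- -A luci_input ;;
		output)      set -- -A luci_output ;;
		prerouting)  set -- -t nat -A luci_prerouting ;;
		postrouting) set -- -t nat -A luci_postrouting ;;
		*)
			# Without a valid -A there is nothing sensible to run.
			printf 'luci_fw: rule "%s": unknown chain "%s", skipping\n' "$cfg" "$chain" >&2
			return 0
			;;
	esac

	config_get iface "$cfg" iface
	[ -n "$iface" ] && set -- "$@" -i "$iface"

	config_get oface "$cfg" oface
	[ -n "$oface" ] && set -- "$@" -o "$oface"

	config_get proto "$cfg" proto
	[ -n "$proto" ] && set -- "$@" -p "$proto"

	config_get source "$cfg" source
	[ -n "$source" ] && set -- "$@" -s "$source"

	config_get destination "$cfg" destination
	[ -n "$destination" ] && set -- "$@" -d "$destination"

	config_get sport "$cfg" sport
	[ -n "$sport" ] && set -- "$@" --sport "$sport"

	config_get dport "$cfg" dport
	[ -n "$dport" ] && set -- "$@" --dport "$dport"

	config_get todest "$cfg" todest
	[ -n "$todest" ] && set -- "$@" --to-destination "$todest"

	config_get tosrc "$cfg" tosrc
	[ -n "$tosrc" ] && set -- "$@" --to-source "$tosrc"

	config_get jump "$cfg" jump
	[ -n "$jump" ] && set -- "$@" -j "$jump"

	config_get command "$cfg" command
	# Intentionally unquoted: "command" is a free-form argument fragment
	# (e.g. "-m state --state NEW") and must split into separate words.
	# shellcheck disable=SC2086
	[ -n "$command" ] && set -- "$@" $command

	iptables "$@"
}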

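start() {
	# Create the private luci_* chains, fill them from the luci_fw config,
	# and only then hook them into the parent *_rule chains. Populating
	# before hooking means traffic never traverses a half-built subchain.
	# NOTE: nothing here checks whether the chains already exist; -N fails
	# on an existing chain and the hooks below would be appended a second
	# time, so run stop() before a repeated start().

	### Create subchains
	iptables -N luci_input
	iptables -N luci_output
	iptables -N luci_forward
	iptables -t nat -N luci_prerouting
	iptables -t nat -N luci_postrouting

	### Read chains from config (portfw first, then generic rules)
	config_load luci_fw
	config_foreach apply_portfw portfw
	config_foreach apply_rule rule

	### Hook in the chains now that they are fully populated
	iptables -A input_rule -j luci_input
	iptables -A output_rule -j luci_output
	iptables -A forwarding_rule -j luci_forward
	iptables -t nat -A prerouting_rule -j luci_prerouting
	iptables -t nat -A postrouting_rule -j luci_postrouting
}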

stop() {
	# Undo start(): unhook the luci_* chains from their parent *_rule
	# chains, flush them, then delete them. The three phases run in that
	# order because -X only succeeds on a chain that is empty and no longer
	# referenced. Each phase handles the filter table first, then nat.
	local entry

	### Hook out the chains
	for entry in input_rule:luci_input output_rule:luci_output forwarding_rule:luci_forward; do
		iptables -D "${entry%%:*}" -j "${entry#*:}"
	done
	for entry in prerouting_rule:luci_prerouting postrouting_rule:luci_postrouting; do
		iptables -t nat -D "${entry%%:*}" -j "${entry#*:}"
	done

	### Clear subchains
	for entry in luci_input luci_output luci_forward; do
		iptables -F "$entry"
	done
	for entry in luci_prerouting luci_postrouting; do
		iptables -t nat -F "$entry"
	done

	### Delete subchains
	for entry in luci_input luci_output luci_forward; do
		iptables -X "$entry"
	done
	for entry in luci_prerouting luci_postrouting; do
		iptables -t nat -X "$entry"
	done
}