
Corrected: ip_forward is left untouched if the variable is not set or is set to ''. Renamed the IP_TABLES variable to IPTABLES.

Laurent HUBERT 9 месяцев назад
Родитель
Сommit
e2d565490a
3 измененных файлов с 63 добавлено и 56 удалено
  1. 2 2
      etc/lfirewall.conf
  2. 39 33
      scripts/lfirewall
  3. 22 21
      scripts/setup

+ 2 - 2
etc/lfirewall.conf

@@ -26,9 +26,9 @@
 #################################
 # Set ALLOW_IP_FORWARDING to 1
 #     if IP forwarding is needed
-# Set ALLOW_IP_FORWARDING to 0
-#     will write 0 into /proc/sys/net/ipv4/ip_forward
 #ALLOW_IP_FORWARDING=0
+### WARNING: better solution is to use /etc/sysctl.conf
+
 
 # Set NETWORK_PROTECTION to 1
 #    to block additional network features from the kernel
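Review bot: The comment block above `#ALLOW_IP_FORWARDING=0` no longer states what the value 0 does, nor that leaving the variable unset or empty leaves /proc/sys/net/ipv4/ip_forward untouched, which is the behaviour this commit introduces in scripts/lfirewall. Since this file is the user-facing documentation of the setting, I would restore the 0 case and add the unset case: `# Set ALLOW_IP_FORWARDING to 0 to write 0 into /proc/sys/net/ipv4/ip_forward` and `# Leave it unset (or empty) to leave ip_forward unchanged`. The sysctl.conf remark can stay as a recommendation below those two lines.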

+ 39 - 33
scripts/lfirewall

@@ -128,18 +128,18 @@ do
 	shift
 done
 
-if ! [ -x $IP_TABLES ]; then
-	echo "$IP_TABLES is not executable or not present" >&2
+if ! [ -x $IPTABLES ]; then
+	echo "$IPTABLES is not executable or not present" >&2
 	exit 1
 fi
 
-if ! [ -x $IP_TABLES_RESTORE ]; then
-	echo "$IP_TABLES_RESTORE is not executable or not present" >&2
+if ! [ -x $IPTABLES_RESTORE ]; then
+	echo "$IPTABLES_RESTORE is not executable or not present" >&2
 	exit 3
 fi
 
-if ! [ -x $IP_TABLES_RESTORE_6 ]; then
-	echo "$IP_TABLES_RESTORE_6 is not executable or not present" >&2
+if ! [ -x $IPTABLES_RESTORE_6 ]; then
+	echo "$IPTABLES_RESTORE_6 is not executable or not present" >&2
 	exit 6
 fi
 
@@ -335,12 +335,12 @@ fw_blacklist(){
 			then
 				for ban_list in ${BANNED_LISTS}
 				do
-					if ipset list ${ban_list} > /dev/null
+					if $IPSET list ${ban_list} > /dev/null
 					then
-						if ! iptables -C INPUT -m set --match-set ${ban_list} src -j DROP > /dev/null 2>&1
+						if ! $IPTABLES -C INPUT -m set --match-set ${ban_list} src -j DROP > /dev/null 2>&1
 						then
 							echo "Enabling $ban_list"
-							iptables -I INPUT -m set --match-set ${ban_list} src -j DROP
+							$IPTABLES -I INPUT -m set --match-set ${ban_list} src -j DROP
 						fi
 					else
 						warn_user_missing_ban_list ${ban_list}
@@ -400,12 +400,18 @@ fw_network_protection(){
 	# Other network protections
 	# (some will only work with some kernel versions)
 	#**************************************************************************#
-	if [ "${ALLOW_IP_FORWARDING:-0}" = 0 ]
-	then
-		echo 0 > /proc/sys/net/ipv4/ip_forward
-	else
-		echo 1 > /proc/sys/net/ipv4/ip_forward
-	fi
+	$do_log "ALLOW_IP_FORWARDING='${ALLOW_IP_FORWARDING:-}'"
+	case "${ALLOW_IP_FORWARDING:-}" in
+		1)
+			echo 1 > /proc/sys/net/ipv4/ip_forward
+			;;
+		0)
+			echo 0 > /proc/sys/net/ipv4/ip_forward
+			;;
+		"")
+			:
+		;;
+	esac
 	if [ "${NETWORK_PROTECTION:-1}" = 1 ]
 	then
 		echo 1 > /proc/sys/net/ipv4/tcp_syncookies
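Review bot: The new `case "${ALLOW_IP_FORWARDING:-}"` has no default arm, so any value other than `1`, `0` or empty (a typo such as `yes` or `01`) is silently ignored and ip_forward is left at whatever the kernel currently has, which for a firewall script is a misconfiguration that should at least be reported. I would add `*) echo "ALLOW_IP_FORWARDING='${ALLOW_IP_FORWARDING}' is not 0, 1 or empty; ip_forward left unchanged" >&2 ;;` before `esac`, and align the `;;` of the `"")` arm with the other arms for consistency. The executable checks in the first hunk (`if ! [ -x $IPTABLES ]` and the two `_RESTORE` variants) share a weaker form of the same problem: with the variable empty, `[ -x ]` is a one-argument test that evaluates true, so the guard passes precisely when the path is missing; quoting the expansion, `[ -x "$IPTABLES" ]`, makes an empty value fail the check as intended. fw_network_protection continues past the end of this hunk.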
@@ -430,8 +436,8 @@ do_this(){
 # Backups user rules
 ##########################
 fw_backup_user(){
-	$IP_TABLES_SAVE > ${USER_RULES_IPTABLES}
-	$IP_TABLES_SAVE_6 > ${USER_RULES_IPTABLES_6}
+	$IPTABLES_SAVE > ${USER_RULES_IPTABLES}
+	$IPTABLES_SAVE_6 > ${USER_RULES_IPTABLES_6}
 }
 
 ##########################
@@ -439,10 +445,10 @@ fw_backup_user(){
 ##########################
 fw_restore_user(){
 	if [ -f $USER_RULES_IPTABLES ] ; then
-		$IP_TABLES_RESTORE < ${USER_RULES_IPTABLES}
+		$IPTABLES_RESTORE < ${USER_RULES_IPTABLES}
 	fi
 	if [ -f $USER_RULES_IPTABLES_6 ] ; then
-		$IP_TABLES_RESTORE_6 < ${USER_RULES_IPTABLES_6}
+		$IPTABLES_RESTORE_6 < ${USER_RULES_IPTABLES_6}
 	fi
 }
 
@@ -470,12 +476,12 @@ fw_stop () {
 ##########################
 
 fw_dropall(){
-	do_this $IP_TABLES -F
-	do_this $IP_TABLES -t nat -F
-	do_this $IP_TABLES -t mangle -F
+	do_this $IPTABLES -F
+	do_this $IPTABLES -t nat -F
+	do_this $IPTABLES -t mangle -F
 	fw_exec_basic_input_rules do_exec
-	do_this $IP_TABLES -P FORWARD ACCEPT
-	do_this $IP_TABLES -P OUTPUT ACCEPT
+	do_this $IPTABLES -P FORWARD ACCEPT
+	do_this $IPTABLES -P OUTPUT ACCEPT
 }
 
 ##########################
@@ -483,11 +489,11 @@ fw_dropall(){
 ##########################
 
 fw_clear () {
-	do_this $IP_TABLES -F
-	do_this $IP_TABLES -X
-	do_this $IP_TABLES -P INPUT ACCEPT
-	do_this $IP_TABLES -P FORWARD ACCEPT
-	do_this $IP_TABLES -P OUTPUT ACCEPT
+	do_this $IPTABLES -F
+	do_this $IPTABLES -X
+	do_this $IPTABLES -P INPUT ACCEPT
+	do_this $IPTABLES -P FORWARD ACCEPT
+	do_this $IPTABLES -P OUTPUT ACCEPT
 }
 
 ##########################
@@ -496,10 +502,10 @@ fw_clear () {
 
 fw_save () {
 	if [ ${verbose} -ge 1 ] ; then
-	    echo "$IP_TABLES_SAVE > /etc/lfirewall/iptables.backup"
+	    echo "$IPTABLES_SAVE > /etc/lfirewall/iptables.backup"
 	fi
 
-	$IP_TABLES_SAVE > /etc/lfirewall/iptables.backup
+	$IPTABLES_SAVE > /etc/lfirewall/iptables.backup
 }
 
 fw_restore () {
@@ -507,10 +513,10 @@ fw_restore () {
 	BACKUP_FILE=/etc/lfirewall/iptables.backup
 	if [ -e $BACKUP_FILE ]; then
 	  if [ ${verbose} -ge 1 ] ; then
-	    echo "IP_TABLES_RESTORE > $BACKUP_FILE"
+	    echo "IPTABLES_RESTORE > $BACKUP_FILE"
 	  fi
 
-		$IP_TABLES_RESTORE < $BACKUP_FILE
+		$IPTABLES_RESTORE < $BACKUP_FILE
 	fi
 }
 

+ 22 - 21
scripts/setup

@@ -26,13 +26,14 @@ REMOTE_UDP_SERVICES="53" # DNS
 SSH_PORT="22"
 
 ###############################################################
-# Default IP_TABLES command path
+# Default IPTABLES command path
 ###############################################################
-IP_TABLES="/sbin/iptables"
-IP_TABLES_RESTORE="/sbin/iptables-restore"
-IP_TABLES_RESTORE_6="/sbin/ip6tables-restore"
-IP_TABLES_SAVE="/sbin/iptables-save"
-IP_TABLES_SAVE_6="/sbin/ip6tables-save"
+IPTABLES="/sbin/iptables"
+IPTABLES_RESTORE="/sbin/iptables-restore"
+IPTABLES_RESTORE_6="/sbin/ip6tables-restore"
+IPTABLES_SAVE="/sbin/iptables-save"
+IPTABLES_SAVE_6="/sbin/ip6tables-save"
+IPSET=/usr/sbin/ipset
 
 ###############################################################
 # iptables action definition
@@ -47,7 +48,7 @@ export IPTABLES_INSERT=__iptable_insert_action
 # -P
 export IPTABLES_SET_POLICY=__iptable_set_policy_action
 
-export IP_TABLES
+export IPTABLESexport IPSET
 export NETWORK_IF
 
 
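Review bot: The replacement for `export IP_TABLES` reads `export IPTABLESexport IPSET`, which is two statements fused onto one line: as written it exports a variable named `IPTABLESexport` (unset) together with `IPSET`, and `IPTABLES` itself is never exported. The hunk header's new-side count of 7 lines matches a single fused line rather than two, so this looks like the committed text and not a rendering artifact, but that inference should be confirmed against the file. The fix is to split it: `export IPTABLES` followed by `export IPSET` on its own line. As a minor style point in the first hunk, `IPSET=/usr/sbin/ipset` is the only path assignment in that group without quotes; `IPSET="/usr/sbin/ipset"` would match its siblings.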
@@ -143,12 +144,12 @@ do_exec () {
 			echo "Nothing to be done for $1"
 		;;
 	esac
-	if ! $IP_TABLES $it_table -C $it_command > /dev/null 2>&1
+	if ! $IPTABLES $it_table -C $it_command > /dev/null 2>&1
 	then
 		if [ ${verbose} -ge 1 ] ; then
-			echo $IP_TABLES $it_table $it_option $it_command
+			echo $IPTABLES $it_table $it_option $it_command
 		fi
-		$IP_TABLES $it_table $it_option $it_command
+		$IPTABLES $it_table $it_option $it_command
 	fi
 }
 
@@ -180,11 +181,11 @@ do_check () {
 		echo "it_action=$it_action"
 		echo "it_table=$it_table"
 		echo "it_command=$it_command"
-		echo $do_log "$it_action:" $IP_TABLES $it_table -C $it_command
-		echo $IP_TABLES $it_table -C $it_command
+		echo $do_log "$it_action:" $IPTABLES $it_table -C $it_command
+		echo $IPTABLES $it_table -C $it_command
 	fi
-	$do_log "$it_action:" $IP_TABLES $it_table -C $it_command
-	$IP_TABLES $it_table -C $it_command
+	$do_log "$it_action:" $IPTABLES $it_table -C $it_command
+	$IPTABLES $it_table -C $it_command
 	global_status=$((global_status+$?))
 }
 
@@ -196,7 +197,7 @@ do_delete () {
     local it_option
 	if [ ${verbose} -gt 1 ] ; then
 		$do_log "Trying to delete:" \
-         $(translate_iptables_rule $IP_TABLES $it_table $it_action $it_command)
+         $(translate_iptables_rule $IPTABLES $it_table $it_action $it_command)
 	fi
 	case $it_action in
 		__iptable_add_action)
@@ -207,8 +208,8 @@ do_delete () {
 		;;
 		__iptable_set_policy_action)
 			CHAIN_NAME=`get_chain_information $*`
-			$do_log "DELETING: $IP_TABLES $it_table -P $CHAIN_NAME DROP"
-			$IP_TABLES $it_table -P $CHAIN_NAME ACCEPT
+			$do_log "DELETING: $IPTABLES $it_table -P $CHAIN_NAME DROP"
+			$IPTABLES $it_table -P $CHAIN_NAME ACCEPT
 			return 0
 		;;
 		*)
@@ -218,12 +219,12 @@ do_delete () {
 
 
 	# Checks the rule then delete it, if it exists
-	if $IP_TABLES $it_table -C $it_command > /dev/null 2>&1
+	if $IPTABLES $it_table -C $it_command > /dev/null 2>&1
 	then
-		$IP_TABLES $it_table $it_option $it_command || echo "DID NOT EXIST: "$IP_TABLES $it_option $it_command
-		$do_log "DELETING:" $IP_TABLES $it_table $it_option $it_command
+		$IPTABLES $it_table $it_option $it_command || echo "DID NOT EXIST: "$IPTABLES $it_option $it_command
+		$do_log "DELETING:" $IPTABLES $it_table $it_option $it_command
 	else
-		$do_log "NOT EXISTING:" $IP_TABLES $it_table $it_option $it_command
+		$do_log "NOT EXISTING:" $IPTABLES $it_table $it_option $it_command
 	fi
 	global_status=$((global_status+$?))
 }