From 01db31c39ca72a3607c7e7a78633345443449f78 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 23 May 2025 12:44:02 +0200
Subject: [PATCH] Support IP range for 'Allow extern service'.
---
 ip6t-firewall-gateway | 15 +++++++++++----
 ipt-firewall-gateway | 15 +++++++++++----
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index fda33de..dafa834 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -1885,18 +1885,25 @@ if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then
 IFS=',' read -a _val_arr <<< "${_val}"
+ if [[ "${_val_arr[1]}" == *"-"* ]]; then
+ _tmp_port=${_val_arr[1]}
+ _port="${_tmp_port//-/:}"
+ else
+ _port=${_val_arr[1]}
+ fi
+
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_port} -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
- $ip6t -A FORWARD -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_port} -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
 if $local_alias_interfaces && $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
 if [[ "${_val_arr[2]}" = "tcp" ]]; then
- $ip6t -A FORWARD -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
- $ip6t -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d ${_val_arr[0]} --dport ${_port} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_port} --tcp-flag ACK ACK -j ACCEPT
 fi
 fi
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 35075ff..7e1d994 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
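Review bot: The six added lines before the `for` loop reduce to one expansion, because `${var//-/:}` leaves a value without `-` untouched, so the `if`/`else` and the `_tmp_port` temporary are redundant: `_port=${_val_arr[1]//-/:}`. The same applies to the ipt-firewall-gateway hunk. Nothing checks that the field is a port or a `low-high` pair of ports, so a value such as `80-` or `a-b` becomes `80:` or `a:b` and is only rejected by ip6tables when the rule is inserted, and from this hunk it is not visible whether that failure stops the script or leaves the ruleset partially loaded — a guard before the loop such as `[[ ${_port} =~ ^[0-9]+(:[0-9]+)?$ ]] || { echo "bad port spec: ${_val_arr[1]}" >&2; continue; }` would fail the entry early. Note also that the stateless `--sport ${_port} --tcp-flag ACK ACK` FORWARD accept now matches every port in the range rather than a single one, which widens what that non-conntrack rule lets through; a comment saying this is intended would help. The loop that sets `_val` starts before the hunk and closes after it.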
@@ -2599,18 +2599,25 @@ if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then
 IFS=':' read -a _val_arr <<< "${_val}"
+ if [[ "${_val_arr[1]}" == *"-"* ]]; then
+ _tmp_port=${_val_arr[1]}
+ _port="${_tmp_port//-/:}"
+ else
+ _port=${_val_arr[1]}
+ fi
+
 for _dev in ${ext_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_port} -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
- $ipt -A FORWARD -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_port} -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
 if $local_alias_interfaces ; then
 if [[ "${_val_arr[2]}" = "tcp" ]]; then
- $ipt -A FORWARD -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -d ${_val_arr[0]} --dport ${_port} --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_port} --tcp-flag ACK ACK -j ACCEPT
 fi
 fi
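Review bot: In this file the entry is split with `IFS=':'`, so the iptables-native range form `low:high` cannot be written in the configuration value — its second half would land in `_val_arr[2]` and displace the protocol — which is why the `-` spelling is converted here, but nothing in the hunk says so. A short comment above the new `if` would keep the next reader from "fixing" it: `# port ranges are written low-high in the config because ':' is the field separator; iptables wants low:high`. The ip6t-firewall-gateway hunk splits on `,` instead, so there the comment should say the `-` form is kept for a uniform config syntax. The patch subject speaks of an IP range, while both hunks only rewrite the port field; the commit message should say port range. The loop that sets `_val` starts before the hunk and closes after it.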