From 1f5c01d8c98c114240cc1dcc4ccebeefc32160af Mon Sep 17 00:00:00 2001
From: chris
Date: Tue, 3 Mar 2026 15:50:51 +0100
Subject: [PATCH] Its now possible to define port range at 'Allow extern service from given local network' instead of a single port.

---
 conf/main_ipv4.conf.sample | 4 +++-
 conf/main_ipv6.conf.sample | 7 +++++--
 ip6t-firewall-gateway | 18 +++++++++++++++---
 ipt-firewall-gateway | 16 +++++++++++++---
 4 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 437bf02..e381cba 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -378,9 +378,11 @@ allow_local_if_to_ext_net=""
 # -
 # - All traffic from the given (local) network to the given (extern) service is allowed
 # -
+# - It's possible to give a port range. use the hyphen as the connecting character, like '3306-3308'
+# -
 # - Example:
 # - allow_local_net_to_ext_service="192.168.63.0/24:83.223.86.98:3306:tcp
-# - 192.168.64.0/24:83.223.86.98:3306:tcp"
+# - 192.168.64.0/24:83.223.86.98:3306-3308:tcp"
 # -
 # - Blank separated list
 # -
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 1b66447..a178e17 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -363,9 +363,12 @@ allow_local_if_to_ext_net=""
 # -
 # - All traffic from the given (local) network to the given (extern) service is allowed
 # -
+# - It's possible to givbe a port range like '3306:3308"
+# -
 # - Example:
-# - allow_local_net_to_ext_service="2003:ec:df10:49fd:fd34:b41c:c667:fe79/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
-# - 2003:ec:df10:49fe:ec4:7aff:feac:5ece/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp"
+# - allow_local_net_to_ext_service="
+# - 2003:ec:df10:49fd:fd34:b41c:c667:fe79/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
+# - 2003:ec:df10:49fe:ec4:7aff:feac:5ece/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306:3308,tcp"
 # -
 # - Blank separated list
 # -
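Review bot: The added line `+# - It's possible to givbe a port range like '3306:3308"` in main_ipv6.conf.sample has a typo and mismatched quotes, and it documents only the colon form although the ip6t-firewall-gateway change in this same patch also rewrites a hyphen range to a colon before handing it to multiport. I'd write it as `# - It's possible to give a port range, like '3306:3308' (the hyphen form '3306-3308' is accepted as well)`. It may also be worth saying that the colon is safe for IPv6 because the fields here are comma-separated, whereas the IPv4 sample has to use the hyphen because its fields are colon-separated.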
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 56b5175..688e78b 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -1823,7 +1823,17 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" - $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # if the port range is specified with a hyphen instead of a colon + # + if [[ "${_val_arr[2]}" =~ ^[^-]*-[^-]*$ ]]; then + _ports="${_val_arr[2]/-/:}" + else + _ports="${_val_arr[2]}" + fi + + $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} \ + -m multiport --dports ${_ports} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further @@ -1831,8 +1841,10 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ # - if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then - $ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} \ + -m multiport --dports ${_ports} --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} \ + -m multiport --sports ${_ports} --tcp-flag ACK ACK -j ACCEPT fi fi done diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 77b3ed1..3521efc 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
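Review bot: The range test `[[ "${_val_arr[2]}" =~ ^[^-]*-[^-]*$ ]]` on the new `if` line only checks for a single hyphen, so entries such as `-3308`, `3306-` or a non-numeric string pass the test, get the hyphen swapped for a colon and reach `-m multiport --dports` unquoted; whether ip6tables rejects those or treats an open side as 0 or 65535 depends on its multiport parsing, and in neither case does a configuration typo fail in a way the operator would clearly notice. I'd tighten it to `if [[ "${_val_arr[2]}" =~ ^[0-9]+-[0-9]+$ ]]; then` and add `elif ! [[ "${_val_arr[2]}" =~ ^[0-9]+$ ]]; then` that reports the offending entry (with whatever the script uses for diagnostics) and `continue`s, so a malformed entry is skipped rather than turned into a rule. The `for` body continues past the hunk (the alias-interface rules and `done` follow), and the enclosing `if` starts before it.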
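Review bot: The rewritten alias-interface rules, `-m multiport --dports ${_ports} --tcp-flag ACK ACK -j ACCEPT` and the matching `--sports` line, are stateless and carry no `-s`/`-d` for the local network, so going from one port to a range widens an accept that already lets any ACK-bearing segment to or from `${_val_arr[1]}` cross FORWARD whatever local host is on the other end. I can't tell from the hunk why the local side is left open; if the alias-interface case permits it, I'd pin the rules to the configured network, `-s ${_val_arr[0]} -d ${_val_arr[1]}` on the outbound rule and `-s ${_val_arr[1]} -d ${_val_arr[0]}` on the return rule, and otherwise record in the `# - Note:` block above why it must stay open. `_ports` is assigned earlier in the same loop body, outside this hunk.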
@@ -2564,7 +2564,17 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" - $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # Is a port range given? + # + if [[ "${_val_arr[2]}" =~ ^[^-]*-[^-]*$ ]]; then + _ports="${_val_arr[2]/-/:}" + else + _ports="${_val_arr[2]}" + fi + + $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} \ + -m multiport --dports ${_ports} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further @@ -2572,8 +2582,8 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ # - if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then - $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} -m multiport --dports ${_ports} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} -m multiport --sports ${_ports} --tcp-flag ACK ACK -j ACCEPT fi fi done
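Review bot: The IPv4 script splits the entry with `IFS=':'`, so an operator who copies the IPv6 sample's colon range (`3306:3308`) into allow_local_net_to_ext_service gets five fields here: `${_val_arr[2]}` is `3306`, `${_val_arr[3]}` is `3308` and the protocol lands in `${_val_arr[4]}`; the new range check then sees no hyphen and `-p 3308` is passed to iptables, which should be rejected, but the cause is not obvious from the error. A field-count guard ahead of the range check, `if [[ ${#_val_arr[@]} -ne 4 ]]; then` report the entry and `continue`, would make the mismatch explicit, and a numeric check on field 2 (`^[0-9]+(-[0-9]+)?$`) would keep a typo from reaching `-m multiport --dports` unquoted. The loop body continues past the hunk.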
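Review bot: The two rewritten rules, `-p tcp -d ${_val_arr[1]} -m multiport --dports ${_ports} --tcp-flag ACK ACK -j ACCEPT` and its `--sports` twin, differ from the IPv6 script's version of the same lines only in hard-coding `tcp` and in staying on one long line; both sit inside the `= "tcp"` guard so behaviour is identical, but keeping the two scripts textually parallel (`-p ${_val_arr[3]}` plus the backslash continuation) makes them easier to diff against each other. A one-line comment above them would also help the next reader, e.g. `# _ports is the multiport form (single port or low:high) built from field 2 above`. As in the IPv6 script, these rules accept ACK-flagged segments for the whole range with no local-network or conntrack restriction, which this commit widens from a single port. `_ports` is set earlier in the loop body, outside this hunk.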