From 358a81cce90840efef039aca3fbbaacffb8c9b81 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 7 Dec 2023 22:37:04 +0100
Subject: [PATCH] Add support for speedtest. fix error txp/udp ports out.
---
 conf/default_basic_behavior.conf | 4 +++
 conf/default_ports.conf | 4 +++
 conf/post_decalrations.conf | 47 ++++++++++++++++++--------------
 ip6t-firewall-gateway | 45 +++++++++++++++--------------
 ipt-firewall-gateway | 16 +++++------
 5 files changed, 64 insertions(+), 52 deletions(-)
diff --git a/conf/default_basic_behavior.conf b/conf/default_basic_behavior.conf
index a7b9674..de580e6 100644
--- a/conf/default_basic_behavior.conf
+++ b/conf/default_basic_behavior.conf
@@ -53,6 +53,10 @@ allow_wg_out=true
 allow_cisco_vpn_out=true
+# speedtest
+#
+allow_speedtest=true
+
 # Gaming
 #
diff --git a/conf/default_ports.conf b/conf/default_ports.conf
index 8a6d5cf..cd7663a 100644
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@@ -39,6 +39,10 @@ standard_wg_port=51820
 standard_whois_port=43
 standard_xymon_port=1984
+# - speedtest
+# -
+standard_speedtest_port=8080
+
 # - Brother (brscan)
 # -
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 703fe14..8f0bf2c 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -572,7 +572,7 @@ out_tcp_port_arr+=("$standard_dns_port")
 # - SSH out only
 # ---
 if $allow_ssh_request_out ; then
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_ssh_port")
 fi
 # ---
@@ -818,7 +818,7 @@ if $allow_ntp_request_out ; then
 continue
 fi
- out_udp_port_arr+=("$_port")
+ out_udp_port_arr+=("$standard_ntp_port")
 fi
@@ -832,7 +832,7 @@ if $allow_pgpserver_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_pgp_keyserver_port")
 fi
@@ -846,7 +846,7 @@ if $allow_telnet_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_telnet_port")
 fi
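Review bot: Shipping `allow_speedtest=true` as the default opens outbound TCP 8080 to any destination: post_decalrations.conf appends `standard_speedtest_port` to `out_tcp_port_arr` when the flag is set, and the collected-ports loops in both gateway scripts emit `OUTPUT` and (when forwarding is enabled) `FORWARD` ACCEPT rules with no destination restriction for every port in that array. 8080 is also a widely used alternate HTTP/proxy port, so the rule admits far more than speedtest traffic, from the gateway itself and from any forwarded traffic leaving the external interfaces. Consider shipping the flag as `false`, or at least saying what it really opens in the comment, e.g. `# speedtest (opens outbound TCP 8080 to any destination; 8080 is also a common alternate HTTP/proxy port)`.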
@@ -860,7 +860,7 @@ if $allow_whois_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_whois_port")
 fi
@@ -874,7 +874,7 @@ if $allow_cpan_wait_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_cpan_wait_port")
 fi
@@ -888,7 +888,7 @@ if $allow_hbci_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_hbci_port")
 fi
@@ -902,16 +902,7 @@ if $allow_jabber_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
-
-fi
-if $allow_jabber_request_out ; then
-
- if containsElement "${standard_jabber_port}" "${out_tcp_port_arr[@]}" ; then
- continue
- fi
-
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_jabber_port")
 fi
@@ -925,7 +916,7 @@ if $allow_silc_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_silc_port")
 fi
@@ -939,7 +930,7 @@ if $allow_irc_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_irc_port")
 fi
@@ -953,7 +944,7 @@ if $allow_mysql_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_mysql_port")
 fi
@@ -987,7 +978,21 @@ if $allow_remote_console_request_out ; then
 continue
 fi
- out_tcp_port_arr+=("$_port")
+ out_tcp_port_arr+=("$standard_remote_console_port")
+
+fi
+
+
+# ---
+# - Allow speedtest ?
+# ---
+if $allow_speedtest ; then
+
+ if containsElement "${standard_speedtest_port}" "${out_tcp_port_arr[@]}" ; then
+ continue
+ fi
+
+ out_tcp_port_arr+=("$standard_speedtest_port")
 fi
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 97d0396..8a5b76d 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -885,7 +885,6 @@ if [[ ${#restrict_vpn_net_to_local_service_arr[@]} -gt 0 ]] \
 # Allow also ICMP (ping)
 $ip6t -A INPUT -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT
-$ipt -A INPUT -s $_net
 else
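Review bot: The `continue` in the new speedtest block is not inside any loop visible in this file, so unless the file is sourced from within one it does not skip the append: bash (outside POSIX mode) only prints "continue: only meaningful in a `for', `while', or `until' loop" and falls through, and the port is pushed onto `out_tcp_port_arr` a second time. The guard in the copied pattern works in either context if written as `if ! containsElement "${standard_speedtest_port}" "${out_tcp_port_arr[@]}" ; then` / `out_tcp_port_arr+=("$standard_speedtest_port")` / `fi`. Separately, `if $allow_speedtest ; then` takes the true branch when the variable is unset or empty (an empty command succeeds), so a site conf that predates this key silently opens the port; `if [[ "${allow_speedtest:-false}" == true ]] ; then` fails closed instead.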
@@ -4282,21 +4281,21 @@ fi
 # ---
-# - Special TCP Ports OUT
+# - Collected TCP Ports OUT
 # ---
-echononl "\t\tSpecial TCP Ports OUT"
+echononl "\t\tCollected TCP Ports OUT"
-if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
+if [[ ${#out_tcp_port_arr[@]} -gt 0 ]] ; then
- for _dev in ${ext_if_arr[@]} ; do
- for _port in ${tcp_out_port_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
- if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
- fi
- done
- done
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${out_tcp_port_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ fi
+ done
+ done
 echo_done
 else
@@ -4305,21 +4304,21 @@ fi
 # ---
-# - Special UDP Ports OUT
+# - Collected UDP Ports OUT
 # ---
-echononl "\t\tSpecial UDP Ports OUT"
+echononl "\t\tCollected UDP Ports OUT"
-if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
+if [[ ${#out_udp_port_arr[@]} -gt 0 ]] ; then
- for _dev in ${ext_if_arr[@]} ; do
- for _port in ${udp_out_port_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
- if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
- fi
- done
- done
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${out_udp_port_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ fi
+ done
+ done
 echo_done
 else
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 15433ca..7c1d33a 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
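Review bot: The retyped loops still pass `$_dev` and `$_port` to ip6tables unquoted and unvalidated, and the same holds for the UDP hunk below and the two ipt-firewall-gateway hunks; the port array is filled from the conf files (post_decalrations.conf), so an entry containing whitespace is word-split into extra ip6tables arguments instead of being rejected. Since every line of the body was rewritten anyway, quoting is cheap: `for _dev in "${ext_if_arr[@]}" ; do`, `for _port in "${out_tcp_port_arr[@]}" ; do`, and `--dport "$_port"` in both rules. A check such as `[[ $_port =~ ^[0-9]+(:[0-9]+)?$ ]] || { echo "skipping invalid port: $_port" >&2; continue; }` before the rules would make a conf typo visible rather than silently opening something else. Re-indenting the whole block in the same change also hides the one functional edit (`tcp_out_port_arr` → `out_tcp_port_arr`) in the diff; the ipt hunks keep the original indentation and are much easier to review.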
@@ -5090,15 +5090,15 @@ fi
 # ---
-# - Special TCP Ports OUT
+# - Collected TCP Ports OUT
 # ---
-echononl "\t\tSpecial TCP Ports OUT"
+echononl "\t\tCollected TCP Ports OUT"
-if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
+if [[ ${#out_tcp_port_arr[@]} -gt 0 ]] ; then
 for _dev in ${ext_if_arr[@]} ; do
- for _port in ${tcp_out_port_arr[@]} ; do
+ for _port in ${out_tcp_port_arr[@]} ; do
 $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
 if $kernel_activate_forwarding ; then
 $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
@@ -5113,15 +5113,15 @@ fi
 # ---
-# - Special UDP Ports OUT
+# - Collected UDP Ports OUT
 # ---
-echononl "\t\tSpecial UDP Ports OUT"
+echononl "\t\tCollected UDP Ports OUT"
-if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
+if [[ ${#out_udp_port_arr[@]} -gt 0 ]] ; then
 for _dev in ${ext_if_arr[@]} ; do
- for _port in ${udp_out_port_arr[@]} ; do
+ for _port in ${out_udp_port_arr[@]} ; do
 $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
 if $kernel_activate_forwarding ; then
 $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT