diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index b745312..c9ef417 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -73,6 +73,32 @@ any_access_to_inet_networks=""
 any_access_from_inet_networks=""
+# =============
+# - Allow local services from ALL extern netwoks
+# =============
+
+# - allow_all_ext_traffic_to_local_service
+# -
+# - allow_all_ext_traffic_to_local_service="local-address:port:protocol [local-address:port:protocol] .."
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -
+# - Example:
+# - allow extern traffic to service at 83.223.73.210 on port 1036
+# - allow extern traffic to https service at 83.223.73.204
+# -
+# - allow_ext_net_to_local_service="
+# - 83.223.73.210:1036:tcp
+# - 83.223.73.204:$standard_https_port:tcp
+# - "
+# -
+# - Blank separated list
+# -
+allow_all_ext_traffic_to_local_service=""
+
+
 # =============
 # - Allow local services from given extern networks
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 6c091a8..c695b9d 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -70,6 +70,33 @@ any_access_from_inet_networks=""
+# =============
+# - Allow local services from ALL extern netwoks
+# =============
+
+# - allow_all_ext_traffic_to_local_service
+# -
+# - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .."
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -
+# - Example:
+# - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036
+# - allow extern traffic to https service at 2a01:30:1fff:fd00::204
+# -
+# - allow_ext_net_to_local_service="
+# - 83.223.73.210,1036,tcp
+# - 83.223.73.204,$standard_https_port,tcp
+# - "
+# -
+# - Blank separated list
+# -
+allow_all_ext_traffic_to_local_service=""
+
+
+
 # =============
 # - Allow local services from given extern networks
 # =============
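Review bot: The example block in main_ipv4.conf.sample assigns `allow_ext_net_to_local_service="` while the variable actually declared here and read by conf/post_decalrations.conf is `allow_all_ext_traffic_to_local_service`, so a user who copies the example sets a name nothing consumes and the feature silently stays off; the same mismatch is in the main_ipv6.conf.sample hunk. In the IPv6 sample the prose names IPv6 hosts but the quoted entries are the IPv4 addresses `83.223.73.210,1036,tcp` and `83.223.73.204,$standard_https_port,tcp`; the example should use the `2a01:30:1fff:fd00::210` and `2a01:30:1fff:fd00::204` addresses mentioned two lines above, and a short sentence that the separator is `,` here (versus `:` in the IPv4 sample) because an IPv6 address itself contains colons would save the next reader a guess. Since this option exposes a local service to every external network with no source restriction, the header comment would benefit from one sentence saying exactly that, and pointing to the per-network section that follows as the narrower choice.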
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index ce23112..3169879 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -85,6 +85,14 @@ for _net in $any_access_from_inet_networks ; do
 any_access_from_inet_network_arr+=("$_net")
 done
+# ---
+# - Allow local services from ALL extern netwoks
+# ---
+declare -a allow_all_ext_traffic_to_local_service_arr
+for _val in $allow_all_ext_traffic_to_local_service ; do
+ allow_all_ext_traffic_to_local_service_arr+=("$_val")
+done
+
 # ---
 # - Allow local services from given extern networks
 # ---
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index c46b3c5..dd1fcdb 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
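Review bot: The new loop copies each blank-separated entry into `allow_all_ext_traffic_to_local_service_arr` without checking its shape, although the sample config states that only `tcp` and `udp` are valid protocols and the gateway scripts later splice the three fields straight into `-p`, `-d`/`--dport` and a DNAT target; a malformed entry is therefore only noticed when iptables rejects the rule mid-run, after earlier rules have already been loaded. A check at this point, e.g. `case "$_val" in *:tcp|*:udp|*,tcp|*,udp) ;; *) printf 'ignoring malformed entry: %s\n' "$_val" >&2 ; continue ;; esac` placed before the `+=`, would drop bad entries before any rule is built. The two sample files use different field separators (`:` for IPv4, `,` for IPv6), so the pattern has to accept both unless this file is only sourced by one of the scripts — I cannot tell from the hunk.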
@@ -903,6 +903,56 @@ fi
+# ---
+# - Allow local services from ALL extern netwoks
+# ---
+
+echononl "\tAllow local services from ALL extern netwoks"
+
+if [[ ${#allow_all_ext_traffic_to_local_service_arr[@]} -gt 0 ]] \
+ && $kernel_forward_between_interfaces ; then
+
+ for _val in "${allow_all_ext_traffic_to_local_service_arr[@]}" ; do
+
+ IFS=',' read -a _val_arr <<< "${_val}"
+
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[0]}" "${gateway_ipv4_address_arr[@]}" ; then
+ $ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ continue
+ fi
+
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${_val_arr[0]}" "${nat_device_arr[@]}" ; then
+ $ip6t -t nat -A PREROUTING -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -j DNAT --to ${_val_arr[0]}:${_val_arr[1]}
+ fi
+ $ip6t -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ fi
+
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p ${_val_arr[2]} -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+
+ echo_done
+
+else
+ echo_skipped
+fi
+
+
+
 # ---
 # - Allow local services from given extern networks
 # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index b9fa1d7..5d86521 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
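Review bot: The INPUT branch tests the configured service address against `gateway_ipv4_address_arr`, but this is the IPv6 script and the entries in `allow_all_ext_traffic_to_local_service_arr` are IPv6 addresses, so `containsElement` can never match, the INPUT ACCEPT is never installed and every entry falls through to the FORWARD/DNAT path; presumably the IPv6 gateway address array used elsewhere in this script is what was meant. The DNAT target `--to ${_val_arr[0]}:${_val_arr[1]}` is ambiguous for an IPv6 address because the address itself contains colons; ip6tables expects the form `[addr]:port`. The alias rules pass `--tcp-flag ACK ACK` together with `-p ${_val_arr[2]}`, which makes ip6tables reject the rule for a `udp` entry even though the sample config explicitly allows `udp`, so that pair needs a `tcp` guard; this point and the next one apply unchanged to the ipt-firewall-gateway hunk. The DNAT guard compares the service address `${_val_arr[0]}` with `nat_device_arr`, while the comment ("if interface is on a dsl line") and the loop variable suggest `$_dev` is what should be looked up there — worth confirming against how `nat_device_arr` is filled. The outer guard is `$kernel_forward_between_interfaces` here but `$kernel_activate_forwarding` in the IPv4 script, and the inner checks use `$kernel_activate_forwarding` in both; if that difference is not intentional the two scripts should agree.
```shell
      # placeholder: the script's IPv6 gateway address array, not gateway_ipv4_address_arr
      if containsElement "${_val_arr[0]}" "${GATEWAY_IPV6_ADDRESS_ARR_PLACEHOLDER[@]}" ; then
      # … unchanged: INPUT ACCEPT rule, continue, fi …
         # - Nat if interface is on a dsl line; an IPv6 DNAT target must bracket the address
         # -
         if containsElement "${_val_arr[0]}" "${nat_device_arr[@]}" ; then
            $ip6t -t nat -A PREROUTING -i "$_dev" -p "${_val_arr[2]}" -d "${_val_arr[0]}" --dport "${_val_arr[1]}" -j DNAT --to "[${_val_arr[0]}]:${_val_arr[1]}"
         fi
      # … unchanged: FORWARD ACCEPT rule, inner loop end …
   # - Rule is needed if (local) interface aliases in use (like eth0:1); --tcp-flags only exists for tcp
   # -
   if $kernel_activate_forwarding && $local_alias_interfaces && [[ "${_val_arr[2]}" == "tcp" ]] ; then
   # … unchanged: the two --tcp-flag FORWARD rules, fi …
```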
@@ -1465,6 +1465,56 @@ fi
+# ---
+# - Allow local services from ALL extern netwoks
+# ---
+
+echononl "\tAllow local services from ALL extern netwoks"
+
+if [[ ${#allow_all_ext_traffic_to_local_service_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ for _val in "${allow_all_ext_traffic_to_local_service_arr[@]}" ; do
+
+ IFS=':' read -a _val_arr <<< "${_val}"
+
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[0]}" "${gateway_ipv4_address_arr[@]}" ; then
+ $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ continue
+ fi
+
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${_val_arr[0]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -j DNAT --to ${_val_arr[0]}:${_val_arr[1]}
+ fi
+ $ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ fi
+
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p ${_val_arr[2]} -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+
+ echo_done
+
+else
+ echo_skipped
+fi
+
+
+
 # ---
 # - Allow local services from given extern networks
 # ---
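Review bot: The inner `if $kernel_activate_forwarding ; then` inside the `_dev` loop can never be false here, because the outer guard `[[ ... -gt 0 ]] && $kernel_activate_forwarding` already required it, so the nested check and its `fi` only add a level of indentation; the `--tcp-flag`-with-`udp` and `nat_device_arr` points raised on the ip6t-firewall-gateway hunk apply to this hunk unchanged. Style: `${ext_if_arr[@]}`, `$_dev` and the `${_val_arr[...]}` expansions are unquoted on every iptables line while the same new code quotes `"${_val}"` and `"${_val_arr[0]}"`; quoting them consistently, e.g. `-i "$_dev" -p "${_val_arr[2]}" -d "${_val_arr[0]}" --dport "${_val_arr[1]}"`, costs nothing and keeps a config entry containing a stray space or glob character from being split into extra iptables arguments. `IFS=':' read -a _val_arr` without `-r` follows the file's existing pattern; `read -r` is the safer default even if backslashes are unlikely in an address.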