diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 207e773..2e6aa1f 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -266,6 +266,13 @@ dns_server_ips=""
 local_ssh_service=true
 
 
+# - SSH Services local Networks
+# -
+# - Blank separated list
+# -
+ssh_server_only_local_ips=""
+
+
 # - SSH Services DMZ (reachable also from WAN)
 # -
 # - ssh_server_dmz_arr[]=
@@ -568,6 +575,7 @@ munin_remote_port="4949"
 # - Munin Server local Networks (usually TCP port 4949)
 # -
 # - Blank separated list
+# -
 munin_local_server_ips=""
 
 
@@ -583,10 +591,18 @@ munin_local_server_ips=""
 # -
 # - munin_local_client_ip_arr[]=
 # -
+# - Multiple settins of this parameter is possible
+# -
 #munin_remote_server="83.223.86.163"
 munin_remote_server=""
+
+
+# - Munin - clients on local network (server is $munin_remote_server)
+# -
+# - Example:
+# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
+# -
 declare -A munin_local_client_ip_arr
-#munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
 
 # - Munin Port
 # -
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 453bc3b..ced81bc 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -260,6 +260,13 @@ dns_server_ips=""
 local_ssh_service=true
 
 
+# - SSH Services local Networks
+# -
+# - Blank separated list
+# -
+ssh_server_only_local_ips=""
+
+
 # - SSH Services DMZ (reachable also from WAN)
 # -
 # - ssh_server_dmz_arr[]=
@@ -572,8 +579,14 @@ munin_local_server_ips=""
 # -
 #munin_remote_server="2a01:30:1fff:a::163"
 munin_remote_server=""
+
+
+# - Munin - clients on local network (server is $munin_remote_server)
+# -
+# - Example:
+# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
+# -
 declare -A munin_local_client_ip_arr
-#munin_local_client_ip_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1
 
 # - Munin Port
 # -
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index c8dc0c3..f6f55d8 100644
--- a/conf/post_decalrations.conf
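Review bot: The new comment line `# - Multiple settins of this parameter is possible` in the third main_ipv4.conf.sample hunk has a typo and a number-agreement slip; suggest `# - Multiple settings of this parameter are possible`. Since the line documents a sample that users copy verbatim, the wording is what they will read, so it is worth fixing in the same commit.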
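Review bot: The example added to main_ipv6.conf.sample, `# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1`, uses an IPv4 key, while the line the same hunk removes (`#munin_local_client_ip_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1`) was the IPv6 form of that example, so the IPv6 sample now shows no IPv6 key at all. Suggest `# - munin_local_client_ip_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1` so the comment matches the address family of the file, mirroring how the IPv4 sample keeps its IPv4 example. The same IPv4 example text appears in the ipv4 sample's hunk, where it is correct.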
+++ b/conf/post_decalrations.conf
@@ -165,6 +165,14 @@ for _ip in $dns_server_ips ; do
    dns_server_ip_arr+=("$_ip")
 done
 
+# ---
+# - IP Adresses SSH Server only at ocal Networks
+# ---
+declare -a ssh_server_only_local_ip_arr
+for _ip in $ssh_server_only_local_ips ; do
+   ssh_server_only_local_ip_arr+=("$_ip")
+done
+
 # ---
 # - IP Adresses HTTP Server only local Networks
 # ---
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index cd08c92..1032700 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -1152,6 +1152,42 @@ else
 fi
 
 
+# ---
+# - SSH Services only local Network
+# ---
+
+echononl "\t\tSSH Services only local Network"
+
+if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+   for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
+      for _port in ${ssh_port_arr[@]} ; do
+
+         $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+         if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+            for _dev in ${local_if_arr[@]} ; do
+               $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
+            done
+         fi
+
+         # - Note:
+         # - If (local) alias interfaces like eth1:0 in use, youe need a further
+         # - special rule.
+         # -
+         if $kernel_activate_forwarding && $local_alias_interfaces ; then
+            $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+            $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+         fi
+
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - SSH Services DMZ
 # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index f66f5ad..9cf6416 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
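Review bot: The header comment of the new block in post_decalrations.conf, `# - IP Adresses SSH Server only at ocal Networks`, has `ocal` for `local` and does not follow the wording of the HTTP block right below it; suggest `# - IP Adresses SSH Server only local Networks` so the three array-building blocks read in parallel. The unquoted `$ssh_server_only_local_ips` in the for list is what splits the blank-separated setting into array elements, as in the dns_server_ip_arr loop above, so leaving it unquoted is intentional here and a short comment saying so would save the next reader a shellcheck detour.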
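Review bot: The FORWARD rule inside the `for _dev` loop is spelled `-dport $_port` with a single dash; ip6tables has no `-dport` option (it will most likely read it as `-d port`), so that call fails and the per-interface ACCEPT is never installed, while nothing in the hunk checks the exit status and echo_done is printed anyway. The line should be `$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT`; the ipt-firewall-gateway hunk has the identical typo in its `$ipt` rule. Separately, the two rules in the `$local_alias_interfaces` branch carry no `-i`/`-o` restriction, so they forward ACK-flagged segments to and from the SSH port arriving on any interface; whether that still honours the section's "only local Network" intent depends on no NEW state toward these hosts being accepted from the WAN side elsewhere in the script, which is worth confirming or, if not guaranteed, restricting those two rules to the local interfaces like the rule above them.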
@@ -1517,6 +1517,42 @@ else
 fi
 
 
+# ---
+# - SSH Services only local Network
+# ---
+
+echononl "\t\tSSH Services only local Network"
+
+if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+   for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
+      for _port in ${ssh_port_arr[@]} ; do
+
+         $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+         if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+            for _dev in ${local_if_arr[@]} ; do
+               $ipt -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
+            done
+         fi
+
+         # - Note:
+         # - If (local) alias interfaces like eth1:0 in use, youe need a further
+         # - special rule.
+         # -
+         if $kernel_activate_forwarding && $local_alias_interfaces ; then
+            $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+            $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+         fi
+
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - SSH Services DMZ
 # ---