firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add rules for local ssh services

Browse Source
This commit is contained in:
Christoph 2017-02-24 13:31:20 +01:00
parent 1c5531ccaf
commit 47487219f1
5 changed files with 111 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
conf/main_ipv4.conf.sample
View File

@ -266,6 +266,13 @@ dns_server_ips=""
local_ssh_service=true local_ssh_service=true
# - SSH Services local Networks
# -
# - Blank separated list
# -
ssh_server_only_local_ips=""
# - SSH Services DMZ (reachable also from WAN) # - SSH Services DMZ (reachable also from WAN)
# - # -
# - ssh_server_dmz_arr[<ip-address>]=<extern-device> # - ssh_server_dmz_arr[<ip-address>]=<extern-device>
@ -568,6 +575,7 @@ munin_remote_port="4949"
# - Munin Server local Networks (usually TCP port 4949) # - Munin Server local Networks (usually TCP port 4949)
# - # -
# - Blank separated list # - Blank separated list
# -
munin_local_server_ips="" munin_local_server_ips=""
@ -583,10 +591,18 @@ munin_local_server_ips=""
# - # -
# - munin_local_client_ip_arr[<ip-address>]=<dsl-device> # - munin_local_client_ip_arr[<ip-address>]=<dsl-device>
# - # -
# - Multiple settins of this parameter is possible
# -
#munin_remote_server="83.223.86.163" #munin_remote_server="83.223.86.163"
munin_remote_server="" munin_remote_server=""
# - Munin - clients on local network (server is $munin_remote_server)
# -
# - Example:
# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# -
declare -A munin_local_client_ip_arr declare -A munin_local_client_ip_arr
#munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# - Munin Port # - Munin Port
# - # -

15
conf/main_ipv6.conf.sample
View File

@ -260,6 +260,13 @@ dns_server_ips=""
local_ssh_service=true local_ssh_service=true
# - SSH Services local Networks
# -
# - Blank separated list
# -
ssh_server_only_local_ips=""
# - SSH Services DMZ (reachable also from WAN) # - SSH Services DMZ (reachable also from WAN)
# - # -
# - ssh_server_dmz_arr[<ip-address>]=<extern-device> # - ssh_server_dmz_arr[<ip-address>]=<extern-device>
@ -572,8 +579,14 @@ munin_local_server_ips=""
# - # -
#munin_remote_server="2a01:30:1fff:a::163" #munin_remote_server="2a01:30:1fff:a::163"
munin_remote_server="" munin_remote_server=""
# - Munin - clients on local network (server is $munin_remote_server)
# -
# - Example:
# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# -
declare -A munin_local_client_ip_arr declare -A munin_local_client_ip_arr
#munin_local_client_ip_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1
# - Munin Port # - Munin Port
# - # -

8
conf/post_decalrations.conf
View File

@ -165,6 +165,14 @@ for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip") dns_server_ip_arr+=("$_ip")
done done
# ---
# - IP Adresses SSH Server only at ocal Networks
# ---
declare -a ssh_server_only_local_ip_arr
for _ip in $ssh_server_only_local_ips ; do
ssh_server_only_local_ip_arr+=("$_ip")
done
# --- # ---
# - IP Adresses HTTP Server only local Networks # - IP Adresses HTTP Server only local Networks
# --- # ---

36
ip6t-firewall-gateway
View File

@ -1152,6 +1152,42 @@ else
fi fi
# ---
# - SSH Services only local Network
# ---
echononl "\t\tSSH Services only local Network"
if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_activate_forwarding && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# --- # ---
# - SSH Services DMZ # - SSH Services DMZ
# --- # ---

36
ipt-firewall-gateway
View File

@ -1517,6 +1517,42 @@ else
fi fi
# ---
# - SSH Services only local Network
# ---
echononl "\t\tSSH Services only local Network"
if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_activate_forwarding && $local_alias_interfaces ; then
$ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# --- # ---
# - SSH Services DMZ # - SSH Services DMZ
# --- # ---