Add rules for local ssh services

2017-02-24 13:31:20 +01:00 · 2017-02-24 13:31:20 +01:00 · 47487219f1
commit 47487219f1
parent 1c5531ccaf
5 changed files with 111 additions and 2 deletions
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@ -266,6 +266,13 @@ dns_server_ips=""
 local_ssh_service=true


+# - SSH Services local Networks
+# -
+# - Blank separated list
+# -
+ssh_server_only_local_ips=""
+
+
 # - SSH Services DMZ (reachable also from WAN)
 # -
 # - ssh_server_dmz_arr[<ip-address>]=<extern-device>
@ -568,6 +575,7 @@ munin_remote_port="4949"
 # - Munin Server local Networks (usually TCP port 4949)
 # -
 # - Blank separated list
+# -
 munin_local_server_ips=""


@ -583,10 +591,18 @@ munin_local_server_ips=""
 # -
 # - munin_local_client_ip_arr[<ip-address>]=<dsl-device>
 # -
+# - Multiple settins of this parameter is possible
+# -
 #munin_remote_server="83.223.86.163"
 munin_remote_server=""
+
+
+# - Munin - clients on local network (server is $munin_remote_server)
+# -
+# - Example:
+# -    munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
+# -
 declare -A munin_local_client_ip_arr
-#munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1

 # - Munin Port
 # -
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@ -260,6 +260,13 @@ dns_server_ips=""
 local_ssh_service=true


+# - SSH Services local Networks
+# -
+# - Blank separated list
+# -
+ssh_server_only_local_ips=""
+
+
 # - SSH Services DMZ (reachable also from WAN)
 # -
 # - ssh_server_dmz_arr[<ip-address>]=<extern-device>
@ -572,8 +579,14 @@ munin_local_server_ips=""
 # -
 #munin_remote_server="2a01:30:1fff:a::163"
 munin_remote_server=""
+
+
+# - Munin - clients on local network (server is $munin_remote_server)
+# -
+# - Example:
+# -    munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
+# -
 declare -A munin_local_client_ip_arr
-#munin_local_client_ip_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1

 # - Munin Port
 # -
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@ -165,6 +165,14 @@ for _ip in $dns_server_ips ; do
   dns_server_ip_arr+=("$_ip")
 done

+# ---
+# - IP Adresses SSH Server only at ocal Networks
+# ---
+declare -a ssh_server_only_local_ip_arr
+for _ip in $ssh_server_only_local_ips ; do
+   ssh_server_only_local_ip_arr+=("$_ip")
+done
+
 # ---
 # - IP Adresses HTTP Server only local Networks
 # ---
--- a/36
+++ b/36
@ -1152,6 +1152,42 @@ else
 fi


+# ---
+# - SSH Services only local Network
+# ---
+
+echononl "\t\tSSH Services only local Network"
+
+if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+   for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
+      for _port in ${ssh_port_arr[@]} ; do
+
+         $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+         if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+            for _dev in ${local_if_arr[@]} ; do
+               $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
+            done
+         fi
+
+         # - Note:
+         # - If (local) alias interfaces like eth1:0 in use, youe need a further
+         # - special rule.
+         # -
+         if $kernel_activate_forwarding && $local_alias_interfaces ; then
+            $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+            $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+         fi
+
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - SSH Services DMZ
 # ---
--- a/36
+++ b/36
@ -1517,6 +1517,42 @@ else
 fi


+# ---
+# - SSH Services only local Network
+# ---
+
+echononl "\t\tSSH Services only local Network"
+
+if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+   for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
+      for _port in ${ssh_port_arr[@]} ; do
+
+         $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+         if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+            for _dev in ${local_if_arr[@]} ; do
+               $ipt -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
+            done
+         fi
+
+         # - Note:
+         # - If (local) alias interfaces like eth1:0 in use, youe need a further
+         # - special rule.
+         # -
+         if $kernel_activate_forwarding && $local_alias_interfaces ; then
+            $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+            $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+         fi
+
+      done
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - SSH Services DMZ
 # ---