diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index a82d3fa..8be4cdc 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -256,6 +256,86 @@ allow_local_if_to_local_ip=""
+# =============
+# - Allow extern service from given local interface
+# =============
+
+# - allow_local_if_to_ext_service
+# -
+# - allow_local_if_to_ext_service="::: [.."
+# -
+# - All traffic from the given (local) network interface to the given (extern) service is allowed
+# -
+# - Example:
+# - allow_local_if_to_ext_service="${local_if_1}:83.223.86.98:3306:tcp
+# - ${local_if_2}:83.223.86.98:3306:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_ext_service=""
+
+
+
+# =============
+# - Allow extern network from given local interface
+# =============
+
+# - allow_local_if_to_ext_net
+# -
+# - allow_local_if_to_ext_net=":ext-network> [:ext-network> [.."
+# -
+# - All traffic from the given (local) network interface to the given (extern) network is allowed
+# -
+# - Example:
+# - allow_local_if_to_ext_net="${local_if_1}:83.223.86.98/32
+# - ${local_if_2}:83.223.86.98/32"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_ext_net=""
+
+
+
+# =============
+# - Allow extern service from given local network
+# =============
+
+# - allow_local_net_to_ext_service
+# -
+# - allow_local_net_to_ext_service=" [ [.."
+# -
+# - All traffic from the given (local) network to the given (extern) service is allowed
+# -
+# - Example:
+# - allow_local_net_to_ext_service="192.168.63.0/24:83.223.86.98:3306:tcp
+# - 192.168.64.0/24:83.223.86.98:3306:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_ext_service=""
+
+
+
+# =============
+# - Allow extern network from given local network
+# =============
+
+# - allow_local_net_to_ext_net
+# -
+# - allow_local_net_to_ext_net=" [ [.."
+# -
+# - All traffic from the given (local) network to the given (extern) network is allowed
+# -
+# - Example:
+# - allow_local_net_to_ext_net="192.168.63.0/24:83.223.86.98/32
+# - 192.168.63.0/24:83.223.86.98/32"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_ext_net=""
+
+
+
 # =============
 # --- Separate local Networks
 # =============
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 6754049..8eff9ba 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
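Review bot: The syntax lines of the four new settings are unreadable as committed — `allow_local_if_to_ext_service="::: [.."` and `allow_local_net_to_ext_net=" [ [.."` no longer name their fields (the surviving fragment `:ext-network> [` suggests angle-bracketed placeholders were dropped somewhere, but that is inferred). Because the ipt-firewall-gateway hunk in this commit splits each entry on `:` into four positional fields, the comment should spell the layout out in plain words, e.g. `# - allow_local_if_to_ext_service="LOCAL_IF:EXT_IP:PORT:PROTO [LOCAL_IF:EXT_IP:PORT:PROTO ..]"` (placeholder names constructed here). The `allow_local_net_to_ext_net` example repeats `192.168.63.0/24` for both entries where the sibling examples use a second network for the second entry. The examples also point at a public-looking address, `83.223.86.98`; a documentation range such as `203.0.113.0/24` keeps a shipped sample from naming a real host.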
@@ -241,6 +241,86 @@ allow_local_if_to_local_ip=""
+# =============
+# - Allow extern service from given local interface
+# =============
+
+# - allow_local_if_to_ext_service
+# -
+# - allow_local_if_to_ext_service=",:: [.."
+# -
+# - All traffic from the given (local) network interface to the given (extern) service is allowed
+# -
+# - Example:
+# - allow_local_if_to_ext_service="${local_if_1},2a01:30:0:13:211:84ff:feb7:7f9c,3306:tcp
+# - ${local_if_2},2a01:30:0:13:211:84ff:feb7:7f9c,3306:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_ext_service=""
+
+
+
+# =============
+# - Allow extern network from given local interface
+# =============
+
+# - allow_local_if_to_ext_net
+# -
+# - allow_local_if_to_ext_net=" [ [.."
+# -
+# - All traffic from the given (local) network interface to the given (extern) network is allowed
+# -
+# - Example:
+# - allow_local_if_to_ext_net="${local_if_1},2a01:30:0:13:211:84ff:feb7:7f9c/128
+# - ${local_if_2},2a01:30:0:13:211:84ff:feb7:7f9c/128"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_ext_net=""
+
+
+
+# =============
+# - Allow extern service from given local network
+# =============
+
+# - allow_local_net_to_ext_service
+# -
+# - allow_local_net_to_ext_service=" [ [.."
+# -
+# - All traffic from the given (local) network to the given (extern) service is allowed
+# -
+# - Example:
+# - allow_local_net_to_ext_service="2003:ec:df10:49fd:fd34:b41c:c667:fe79/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp
+# - 2003:ec:df10:49fe:ec4:7aff:feac:5ece/64,2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_ext_service=""
+
+
+
+# =============
+# - Allow extern network from given local network
+# =============
+
+# - allow_local_net_to_ext_net
+# -
+# - allow_local_net_to_ext_net=" [ [.."
+# -
+# - All traffic from the given (local) network to the given (extern) network is allowed
+# -
+# - Example:
+# - allow_local_net_to_ext_net="2003:ec:df10:49fd:fd34:b41c:c667:fe79/64,2a01:30:0:13:211:84ff:feb7:7f9c
+# - 2003:ec:df10:49fe:ec4:7aff:feac:5ece/64,2a01:30:0:13:211:84ff:feb7:7f9c"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_ext_net=""
+
+
+
 # =============
 # --- Separate local Networks
 # =============
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 7d0e9bf..7937499 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -149,6 +149,38 @@ for _val in $allow_local_if_to_local_ip ; do
 allow_local_if_to_local_ip_arr+=("$_val")
 done
+# ---
+# - Allow extern service from given local interface
+# ---
+declare -a allow_local_if_to_ext_service_arr
+for val in $allow_local_if_to_ext_service ; do
+ allow_local_if_to_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern network from given local interface
+# ---
+declare -a allow_local_if_to_ext_net_arr
+for val in $allow_local_if_to_ext_net ; do
+ allow_local_if_to_ext_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern service from given local network
+# ---
+declare -a allow_local_net_to_ext_service_arr
+for val in $allow_local_net_to_ext_service ; do
+ allow_local_net_to_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern network from given local network
+# ---
+declare -a allow_local_net_to_ext_net_arr
+for val in $allow_local_net_to_ext_net ; do
+ allow_local_net_to_ext_net_arr+=("$_val")
+done
+
 # ---
 # - Separate local Networks
 # ---
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index b30b1c0..c2b17f8 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
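Review bot: The `allow_local_if_to_ext_service` example mixes separators: `${local_if_1},2a01:30:0:13:211:84ff:feb7:7f9c,3306:tcp` puts a colon between port and protocol, whereas the `allow_local_net_to_ext_service` example further down uses `,3306,tcp`. The ip6t-firewall-gateway hunk in this commit splits these entries with `IFS=','` and reads the protocol from the fourth field, so the colon form would leave the protocol empty and the port field as `3306:tcp` (inferred from that hunk). The two example lines should read `${local_if_1},2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp` and `${local_if_2},2a01:30:0:13:211:84ff:feb7:7f9c,3306,tcp`. As in the IPv4 sample, the `" [ [.."` syntax lines no longer name their fields and should describe the comma-separated layout in words.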
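Review bot: All four new loops iterate with `val` but append `"$_val"`, so each array is filled with copies of whatever `_val` held after the preceding `allow_local_if_to_local_ip` loop (visible in the context lines) instead of the configured entries; the first loop should read `for _val in $allow_local_if_to_ext_service ; do`, and the three loops below it need the same one-word change. Because the gateway scripts build FORWARD rules from these arrays, the stale value would silently produce rules for the wrong interface or network rather than failing loudly. A small check that the array length equals the number of blank-separated words in the setting would catch this class of copy-paste error.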
@@ -1046,6 +1046,128 @@ fi
+# ---
+# - Allow extern service from given local interface
+# ---
+
+echononl "\tAllow extern service from given local interface"
+
+if [[ ${#allow_local_if_to_ext_service_arr[@]} -gt 0 ]] \
+ && $kernel_forward_between_interfaces ; then
+
+ for _val in "${#allow_local_if_to_ext_service_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A FORWARD -p ${_val_arr[3]} -i ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ if [[ "${_val_arr[3]}" = "tcp" ]]; then
+ $ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ fi
+ done
+
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow extern network from given local interface
+# ---
+
+echononl "\tAllow extern network from given local interface"
+
+if [[ ${#allow_local_if_to_ext_net_arr[@]} -gt 0 ]] \
+ && $kernel_forward_between_interfaces ; then
+
+ for _val in ${allow_local_if_to_ext_net_arr[@]} ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow extern service from given local network
+# ---
+
+echononl "\tAllow extern service from given local network"
+
+if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
+ && $kernel_forward_between_interfaces ; then
+
+ for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ if [[ "${_val_arr[3]}" = "tcp" ]]; then
+ $ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow extern network from given local network
+# ---
+
+echononl "\tAllow extern network from given local network"
+
+if [[ ${#allow_local_net_to_ext_net_arr[@]} -gt 0 ]] \
+ && $kernel_forward_between_interfaces ; then
+
+ for _val in ${allow_local_net_to_ext_net_arr[@]} ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -d ${_val_arr[1]} -s ${_val_arr[0]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
 # ---
 # - Separate local networks
 # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 699b89c..1e294f8 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -1644,6 +1644,7 @@ fi
+
 # ---
 # - Allow local ip address from given local interface
 # ---
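Review bot: In the "Allow extern service from given local interface" section, `for _val in "${#allow_local_if_to_ext_service_arr[@]}" ; do` iterates over the element count rather than the elements, so the loop runs once with `_val` set to a number and ip6tables is handed an empty protocol, destination and port; it should be `for _val in "${allow_local_if_to_ext_service_arr[@]}" ; do`. The ipt-firewall-gateway hunk in this commit contains the identical line and needs the same fix. The "extern network" loops expand their arrays unquoted (`${allow_local_if_to_ext_net_arr[@]}`), which only works because entries contain no blanks; quoting them as the third section does keeps the four loops consistent. The splits should also use `IFS=',' read -r -a _val_arr <<< "${_val}"` so that a backslash in a config value is not interpreted by `read`.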
@@ -1676,6 +1677,126 @@ fi
+# ---
+# - Allow extern service from given local interface
+# ---
+
+echononl "\tAllow extern service from given local interface"
+
+if [[ ${#allow_local_if_to_ext_service_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ for _val in "${#allow_local_if_to_ext_service_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A FORWARD -p ${_val_arr[3]} -i ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ if [[ "${_val_arr[3]}" = "tcp" ]]; then
+ $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ fi
+ done
+
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow extern network from given local interface
+# ---
+
+echononl "\tAllow extern network from given local interface"
+
+if [[ ${#allow_local_if_to_ext_net_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ for _val in ${allow_local_if_to_ext_net_arr[@]} ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow extern service from given local network
+# ---
+
+echononl "\tAllow extern service from given local network"
+if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ if [[ "${_val_arr[3]}" = "tcp" ]]; then
+ $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow extern network from given local network
+# ---
+
+echononl "\tAllow extern network from given local network"
+if [[ ${#allow_local_net_to_ext_net_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ for _val in ${allow_local_net_to_ext_net_arr[@]} ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d ${_val_arr[1]} -s ${_val_arr[0]} --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -d ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
 # ---
 # - Separate local networks
 # ---
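Review bot: In the "Allow extern service from given local network" section the alias-interface rules are anchored on the extern side only (`-d ${_val_arr[1]} --dport ${_val_arr[2]}` and `-s ${_val_arr[1]} --sport ${_val_arr[2]}`), so they forward ACK-flagged TCP to or from that service regardless of which network is on the other end, while the "extern network from given local network" section directly below restricts both ends with `-s`/`-d ${_val_arr[0]}`. Adding `-s ${_val_arr[0]}` to the first of those two rules and `-d ${_val_arr[0]}` to the second keeps the stateless exception as narrow as the conntrack rule above it; the ip6t-firewall-gateway hunk in this commit has the same two rules and should be changed the same way. That section also closes with `echo_done` whereas every sibling section uses `echo_ok`; if no `echo_done` helper is defined elsewhere this ends in a command-not-found at that point (cannot tell from this hunk).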