From 8ed62f837702375d4bb376af58310447bd238756 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 20 May 2017 02:55:06 +0200
Subject: [PATCH] Support dhcp client on gateway on extern interfaces.

---
conf/main_ipv4.conf.sample | 9 +++++++++
conf/main_ipv6.conf.sample | 9 +++++++++
conf/post_decalrations.conf | 8 ++++++++
ip6t-firewall-gateway | 21 ++++++++++++++++++---
ipt-firewall-gateway | 18 ++++++++++++++++--
5 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index b4bbda7..7615f6d 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -371,6 +371,15 @@ vpn_local_net_ports="1194"
# - DHCP Service
# ======
+# - Ist this Gateway DHCP Client?
+# -
+# - local_dhcp_client_interfaces=" [ [.."
+# -
+# - Example:
+# - dhcp_client_interfaces="$ext_if_static_1"
+# -
+dhcp_client_interfaces=""
+
# - DHCP Server Gateway
# -
local_dhcp_service=true
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 46fa5c2..ec0b1cf 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -352,6 +352,15 @@ vpn_local_net_ports="1194"
# - DHCP Service
# ======
+# - Ist this Gateway DHCP Client?
+# -
+# - local_dhcp_client_interfaces=" [ [.."
+# -
+# - Example:
+# - dhcp_client_interfaces="$ext_if_static_1"
+# -
+dhcp_client_interfaces="$ext_if_static_1"
+
# - DHCP Server Gateway
# -
local_dhcp_service=true
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 16fe088..82b444f 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -207,6 +207,14 @@ for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
+# ---
+# - Network Devices local DHCP Client
+# ---
+declare -a dhcp_client_interfaces_arr
+for _dev in $dhcp_client_interfaces ; do
+ dhcp_client_interfaces_arr+=("$_dev")
+done
+
# ---
# - IP Addresses DHCP Failover Server
# ---
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 9c2ed26..5d0a2cc 100755
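Review bot: The usage line in the new comment names `local_dhcp_client_interfaces`, but the variable that is actually set here and consumed by post_decalrations.conf is `dhcp_client_interfaces`, so an admin who follows the comment sets a variable nothing reads and the DHCP client rules stay silently disabled. Change the usage line to `# - dhcp_client_interfaces="<dev> [<dev> [..]]"` (the placeholders appear to have been stripped from the `" [ [.."` text) and fix `Ist` to `Is`. It would also help to say in the comment that only external interfaces belong in this list, which is what the commit subject says the feature is for.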
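Review bot: This sample turns the feature on by default with `dhcp_client_interfaces="$ext_if_static_1"`, whereas the IPv4 sample ships it empty; a gateway installed from an unedited sample will then accept inbound UDP/546 on its external interface (per the ip6t-firewall-gateway hunk) without anyone having asked for a DHCPv6 client. Make it opt-in like the IPv4 sample, `dhcp_client_interfaces=""`, and keep the example in the comment. The comment carries the same `local_dhcp_client_interfaces` / `dhcp_client_interfaces` mismatch as the IPv4 sample.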
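Review bot: The new loop copies every word of `$dhcp_client_interfaces` into `dhcp_client_interfaces_arr` unchecked, and because iptables/ip6tables accept any string for `-i`/`-o`, a mistyped device name later produces rules that match nothing while the real external interface stays closed, with no diagnostic anywhere. A cheap guard inside the loop is `[[ -d "/sys/class/net/$_dev" ]] || { echo "WARN: dhcp_client_interfaces: unknown device '$_dev'" >&2 ; continue ; }`, or a membership check against `ext_if_arr` if that array is already built at this point in the file (it is not visible in the hunk). The unquoted `$dhcp_client_interfaces` in the `for` is intentional word-splitting and matches the `$log_ips` loop above.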
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -186,6 +186,7 @@ $ip6t -F -t raw
$ip6t -X
$ip6t -Z
+#$ip6t -t nat -A POSTROUTING -o $ext_if_static_1 -j MASQUERADE
$ip6t -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
echo_done
# Flushing firewall iptable (IPv6)..
@@ -1144,7 +1145,21 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# - DHCP
# ---
-echononl "\t\tDHCP"
+echononl "\t\tLocal DHCP Client"
+
+if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then
+ for _dev in ${dhcp_client_interfaces_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -p udp -m udp --dport 546 -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p udp -m udp --dport 547 -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+echononl "\t\tDHCP Service (local network only)"
if $local_dhcp_service ; then
for _dev in ${local_if_arr[@]} ; do
@@ -1190,13 +1205,13 @@ echononl "\t\tDNS out only"
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- #$ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
# - forward from virtual mashine(s)
$ip6t -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- #$ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
fi
done
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 566f541..8ea1923 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
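Review bot: A commented-out `#$ip6t -t nat -A POSTROUTING -o $ext_if_static_1 -j MASQUERADE` is being added to the flush/reset block, which has nothing to do with the DHCP client feature named in the subject. If IPv6 masquerading is planned it belongs in the services section behind its own config switch like the other features; if not, drop the line so it is not uncommented by accident and NAT applied to the whole IPv6 forward path. The block this sits in starts outside the hunk.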
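Review bot: `$ip6t -A INPUT -i $_dev -p udp -m udp --dport 546 -j ACCEPT` accepts UDP to port 546 from any source address and any source port on the external interface, which is wider than DHCPv6 replies need. Servers and relays answer clients from source port 547, so `$ip6t -A INPUT -i $_dev -p udp -m udp --sport 547 --dport 546 -j ACCEPT` (with the mirror `--sport 546 --dport 547` on the OUTPUT rule) keeps the same function with a narrower match, and since on-link DHCPv6 exchanges use link-local addresses, `-s fe80::/10` is a further narrowing worth considering. Whether the INPUT policy on external interfaces is DROP is not visible in the hunk, so how much this matters depends on that. `${dhcp_client_interfaces_arr[@]}` is unquoted, consistent with the `${local_if_arr[@]}` loop below, but `"${dhcp_client_interfaces_arr[@]}"` is the safe form.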
@@ -1618,6 +1618,20 @@ fi
# - DHCP
# ---
+echononl "\t\tLocal DHCP Client"
+
+if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then
+ for _dev in ${dhcp_client_interfaces_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p udp -m udp -d 255.255.255.255 --dport 67 -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
echononl "\t\tDHCP"
if $local_dhcp_service ; then
@@ -1662,13 +1676,13 @@ echononl "\t\tDNS out only"
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- #$ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
# - forward from virtual mashine(s)
$ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- #$ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
fi
done
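Review bot: The two new rules in ipt-firewall-gateway, the IPv4 script, are issued through `$ip6t` while every other rule in this hunk uses `$ipt`; ip6tables rejects `-d 255.255.255.255` as an IPv6 address, and if `$ip6t` is not defined in this script bash tries to run `-A` as a command, so in either case no IPv4 DHCP client rule is ever installed. Use `$ipt -A OUTPUT -o $_dev -p udp -m udp --sport 68 --dport 67 -j ACCEPT` and `$ipt -A INPUT -i $_dev -p udp -m udp --sport 67 --dport 68 -j ACCEPT`. Dropping `-d 255.255.255.255` is deliberate: a client renewing its lease unicasts DHCPREQUEST to the server's address, which the broadcast-only match would block, and `--sport 67` narrows the inbound match to traffic from a DHCP server port instead of any UDP to 68. Initial DISCOVER/OFFER exchanges from common clients go over raw sockets that bypass these chains, so the rules mostly govern renewals; a one-line comment saying so would spare the next reader a debugging session.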