firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for ip-addresse, which have unlimited acces to inet but no access to (other) local networks - gaming devices..

Browse Source
This commit is contained in:
Christoph 2023-06-08 15:31:32 +02:00
parent 0decc57848
commit 92acbfce17
5 changed files with 128 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
conf/main_ipv4.conf.sample
View File

@ -1611,7 +1611,6 @@ allow_local_mac_src_addresses=""
allow_remote_mac_src_addresses=""
# =============
# - MAC Address Filtering Gaming Devices
# =============
@ -1623,6 +1622,17 @@ allow_remote_mac_src_addresses=""
gaming_device_mac_addresses=""
# =============
# - IP Address Filtering Gaming Devices
# =============
# - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
# -
# - Blank separated list
# -
gaming_device_ip_addresses=""
# =============
# --- Basic behavior - overwrites settings from 'default_basic_behavior.conf'

11
conf/main_ipv6.conf.sample
View File

@ -1535,6 +1535,17 @@ allow_remote_mac_src_addresses=""
gaming_device_mac_addresses=""
# =============
# - IP Address Filtering Gaming Devices
# =============
# - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
# -
# - Blank separated list
# -
gaming_device_ip_addresses=""
# =============
# --- Basic behavior

8
conf/post_decalrations.conf
View File

@ -1839,3 +1839,11 @@ declare -a gaming_device_mac_address_arr=()
for _mac in $gaming_device_mac_addresses ; do
gaming_device_mac_address_arr+=("$_mac")
done
# ---
# - IP Address Filtering Gaming Devices
# ---
declare -a gaming_device_ip_address_arr=()
for _ip in $gaming_device_ip_addresses ; do
gaming_device_ip_address_arr+=("$_ip")
done

53
ip6t-firewall-gateway
View File

@ -1112,10 +1112,10 @@ echo ""
# ---
# - Allow remote Traffic for Gaming devices
# - Allow remote Traffic for Gaming devices (MAC)
# ---
echononl "\tAllow remote Traffic OUT for Gaming devices"
echononl "\tAllow remote Traffic OUT for Gaming devices (MAC)"
if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
for _mac in ${gaming_device_mac_address_arr[@]} ; do
@ -1135,10 +1135,10 @@ fi
# ---
# - Deny Traffic to other local networks for Gaming devices
# - Deny Traffic to other local networks for Gaming devices (MAC)
# ---
echononl "\tDeny Traffic to other local networks for Gaming devices"
echononl "\tDeny Traffic to other local networks for Gaming devices (MAC)"
if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
for _mac in ${gaming_device_mac_address_arr[@]} ; do
@ -1153,6 +1153,51 @@ else
echo_skipped
fi
echo ""
# ---
# - Allow remote Traffic for Gaming IP addresses (IP-address)
# ---
echononl "\tAllow remote Traffic OUT for Gaming devices (IP-address)"
if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
for _ip in ${gaming_device_ip_address_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
if $kernel_forward_between_interfaces ; then
if ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -p ALL -o $_dev -s $_ip -j ACCEPT
fi
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Deny Traffic to other local networks for Gaming devices (IP-address)
# ---
echononl "\tDeny Traffic to other local networks for Gaming devices (IP-address)"
if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
for _ip in ${gaming_device_ip_address_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $_ip -j DROP
fi
done
done
echo_done
else
echo_skipped
fi
echo ""

54
ipt-firewall-gateway
View File

@ -1748,10 +1748,10 @@ echo ""
# ---
# - Allow remote Traffic for Gaming devices
# - Allow remote Traffic for Gaming devices (MAC)
# ---
echononl "\tAllow remote Traffic OUT for Gaming devices"
echononl "\tAllow remote Traffic OUT for Gaming devices (MAC)"
if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
for _mac in ${gaming_device_mac_address_arr[@]} ; do
@ -1769,12 +1769,11 @@ else
fi
# ---
# - Deny Traffic to other local networks for Gaming devices
# - Deny Traffic to other local networks for Gaming devices (MAC)
# ---
echononl "\tDeny Traffic to other local networks for Gaming devices"
echononl "\tDeny Traffic to other local networks for Gaming devices (MAC)"
if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
for _mac in ${gaming_device_mac_address_arr[@]} ; do
@ -1789,6 +1788,51 @@ else
echo_skipped
fi
echo ""
# ---
# - Allow remote Traffic for Gaming IP addresses (IP-address)
# ---
echononl "\tAllow remote Traffic OUT for Gaming devices (IP-address)"
if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
for _ip in ${gaming_device_ip_address_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
if $kernel_activate_forwarding ; then
if ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -p ALL -o $_dev -s $_ip -j ACCEPT
fi
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Deny Traffic to other local networks for Gaming devices (IP-address)
# ---
echononl "\tDeny Traffic to other local networks for Gaming devices (IP-address)"
if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
for _ip in ${gaming_device_ip_address_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $_ip -j DROP
fi
done
done
echo_done
else
echo_skipped
fi
echo ""