From 92acbfce17915088637bd3f3f2da0001fec07cdf Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 8 Jun 2023 15:31:32 +0200
Subject: [PATCH] Add support for ip-addresse, which have unlimited acces to inet but no access to (other) local networks - gaming devices..
---
 conf/main_ipv4.conf.sample | 12 ++++++++-
 conf/main_ipv6.conf.sample | 11 ++++++++
 conf/post_decalrations.conf | 8 ++++++
 ip6t-firewall-gateway | 53 +++++++++++++++++++++++++++++++++---
 ipt-firewall-gateway | 54 +++++++++++++++++++++++++++++++++----
 5 files changed, 128 insertions(+), 10 deletions(-)
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index ae6dd0a..e65a7aa 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -1611,7 +1611,6 @@ allow_local_mac_src_addresses=""
 allow_remote_mac_src_addresses=""
-
 # =============
 # - MAC Address Filtering Gaming Devices
 # =============
@@ -1623,6 +1622,17 @@ allow_remote_mac_src_addresses=""
 gaming_device_mac_addresses=""
+# =============
+# - IP Address Filtering Gaming Devices
+# =============
+
+# - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
+# -
+# - Blank separated list
+# -
+gaming_device_ip_addresses=""
+
+
 # =============
 # --- Basic behavior - overwrites settings from 'default_basic_behavior.conf'
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 8ad1afa..836151f 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -1535,6 +1535,17 @@ allow_remote_mac_src_addresses=""
 gaming_device_mac_addresses=""
+# =============
+# - IP Address Filtering Gaming Devices
+# =============
+
+# - IP adresses here are only allowed connect to internet but NOT to loacl services and networks
+# -
+# - Blank separated list
+# -
+gaming_device_ip_addresses=""
+
+
 # =============
 # --- Basic behavior
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 1a3f69d..3b78d64 100644
--- a/conf/post_decalrations.conf
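Review bot: The comment added above `gaming_device_ip_addresses=""` in the second hunk has typos (`adresses`, `allowed connect`, `loacl`) and does not say what form an entry takes; the same block is added to conf/main_ipv6.conf.sample. Each entry ends up verbatim as an iptables/ip6tables `-s` argument in the gateway scripts, so I would replace the first comment line with `# - IP addresses listed here may only connect to the internet, NOT to local services and networks` and add `# - Each entry is used as a source match (-s), so a single address or a CIDR prefix is accepted`. The "Blank separated list" line can stay as it is.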
+++ b/conf/post_decalrations.conf
@@ -1839,3 +1839,11 @@ declare -a gaming_device_mac_address_arr=()
 for _mac in $gaming_device_mac_addresses ; do
 gaming_device_mac_address_arr+=("$_mac")
 done
+
+# ---
+# - IP Address Filtering Gaming Devices
+# ---
+declare -a gaming_device_ip_address_arr=()
+for _ip in $gaming_device_ip_addresses ; do
+ gaming_device_ip_address_arr+=("$_ip")
+done
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 09b24e4..6701769 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -1112,10 +1112,10 @@ echo ""
 # ---
-# - Allow remote Traffic for Gaming devices
+# - Allow remote Traffic for Gaming devices (MAC)
 # ---
-echononl "\tAllow remote Traffic OUT for Gaming devices"
+echononl "\tAllow remote Traffic OUT for Gaming devices (MAC)"
 if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
 for _mac in ${gaming_device_mac_address_arr[@]} ; do
@@ -1135,10 +1135,10 @@ fi
 # ---
-# - Deny Traffic to other local networks for Gaming devices
+# - Deny Traffic to other local networks for Gaming devices (MAC)
 # ---
-echononl "\tDeny Traffic to other local networks for Gaming devices"
+echononl "\tDeny Traffic to other local networks for Gaming devices (MAC)"
 if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
 for _mac in ${gaming_device_mac_address_arr[@]} ; do
@@ -1153,6 +1153,51 @@ else
 echo_skipped
 fi
+echo ""
+
+
+
+# ---
+# - Allow remote Traffic for Gaming IP addresses (IP-address)
+# ---
+
+echononl "\tAllow remote Traffic OUT for Gaming devices (IP-address)"
+
+if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
+ for _ip in ${gaming_device_ip_address_arr[@]} ; do
+ for _dev in ${ext_if_arr[@]} ; do
+ if $kernel_forward_between_interfaces ; then
+ if ! $permit_local_net_to_inet ; then
+ $ip6t -A FORWARD -p ALL -o $_dev -s $_ip -j ACCEPT
+ fi
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Deny Traffic to other local networks for Gaming devices (IP-address)
+# ---
+
+echononl "\tDeny Traffic to other local networks for Gaming devices (IP-address)"
+
+if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
+ for _ip in ${gaming_device_ip_address_arr[@]} ; do
+ for _dev in ${local_if_arr[@]} ; do
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -s $_ip -j DROP
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
 echo ""
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 789b539..a8a3021 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -1748,10 +1748,10 @@ echo ""
 # ---
-# - Allow remote Traffic for Gaming devices
+# - Allow remote Traffic for Gaming devices (MAC)
 # ---
-echononl "\tAllow remote Traffic OUT for Gaming devices"
+echononl "\tAllow remote Traffic OUT for Gaming devices (MAC)"
 if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
 for _mac in ${gaming_device_mac_address_arr[@]} ; do
@@ -1769,12 +1769,11 @@ else
 fi
-
 # ---
-# - Deny Traffic to other local networks for Gaming devices
+# - Deny Traffic to other local networks for Gaming devices (MAC)
 # ---
-echononl "\tDeny Traffic to other local networks for Gaming devices"
+echononl "\tDeny Traffic to other local networks for Gaming devices (MAC)"
 if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
 for _mac in ${gaming_device_mac_address_arr[@]} ; do
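Review bot: The new ACCEPT/DROP rules are only appended to the FORWARD chain, while the commit message and the sample-config comment promise no access to "local services": services running on the gateway itself are reached through INPUT, which this hunk does not touch, so either INPUT must already restrict these addresses elsewhere (not visible here) or the comment should be narrowed to "other local networks". The ipt-firewall-gateway hunk has the same gap. Specific to IPv6, a host normally holds several global addresses and temporary privacy addresses rotate, so a single `-s $_ip` match is likely to miss part of the device's traffic; the sample config should say that a prefix can be given, or the MAC-based block should be preferred for such devices. Also `echo_done` is printed regardless of the exit status of `$ip6t`, so a mistyped entry leaves the device unrestricted while the script reports success; checking the exit status before reporting would catch that.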
@@ -1789,6 +1788,51 @@ else
 echo_skipped
 fi
+echo ""
+
+
+
+# ---
+# - Allow remote Traffic for Gaming IP addresses (IP-address)
+# ---
+
+echononl "\tAllow remote Traffic OUT for Gaming devices (IP-address)"
+
+if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
+ for _ip in ${gaming_device_ip_address_arr[@]} ; do
+ for _dev in ${ext_if_arr[@]} ; do
+ if $kernel_activate_forwarding ; then
+ if ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -p ALL -o $_dev -s $_ip -j ACCEPT
+ fi
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Deny Traffic to other local networks for Gaming devices (IP-address)
+# ---
+
+echononl "\tDeny Traffic to other local networks for Gaming devices (IP-address)"
+
+if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
+ for _ip in ${gaming_device_ip_address_arr[@]} ; do
+ for _dev in ${local_if_arr[@]} ; do
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -s $_ip -j DROP
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
 echo ""
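Review bot: The DROP rules are added with `-A`, i.e. appended behind whatever the FORWARD chain already holds; if an earlier rule accepts traffic from the local networks towards the interfaces in `local_if_arr`, these DROPs are never reached — that part of the chain is outside the hunk, so please confirm the order (the existing MAC block has the same dependency). Because the match is on the source address only, the restriction follows the address rather than the device: after a new DHCP lease the gaming device is unrestricted and whatever host inherits the old address becomes restricted, which is worth stating next to `gaming_device_ip_addresses` in the sample config together with a recommendation for a static address or DHCP reservation. A minor style point: this script gates the rules on `$kernel_activate_forwarding` whereas the ip6t-firewall-gateway hunk uses `$kernel_forward_between_interfaces`; if that difference is intentional, a one-line comment would save the next reader a comparison.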