From a2fe7ce5ff3d1eeadeea5ab4f873ef986df517ff Mon Sep 17 00:00:00 2001
From: Christoph <ckubu@oopen.de>
Date: Thu, 4 May 2017 01:22:52 +0200
Subject: [PATCH] - Add 'any_access_from_inet_networks' - Add
 'allow_ext_net_to_local_service' - Add 'allow_ext_net_to_local_net' - Add
 'block_all_ext_to_local_net'

---
 conf/main_ipv4.conf.sample  |  91 ++++++++++++++++++++++
 conf/main_ipv6.conf.sample  |  76 ++++++++++++++++++
 conf/post_decalrations.conf |  29 +++++++
 ip6t-firewall-gateway       |  95 ++++++++++++++++++++---
 ipt-firewall-gateway        | 150 +++++++++++++++++++++++++++++++++++-
 5 files changed, 430 insertions(+), 11 deletions(-)

diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 63989a3..be174aa 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -50,6 +50,97 @@ unprotected_ifs=""
 any_access_to_inet_networks=""
 
 
+# - Allow these networks getting any access from the internet.
+# -
+# - Note:
+# - =====
+# -    Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Blank separated list of networks
+# -
+any_access_from_inet_networks=""
+
+
+
+# =============
+# - Allow local services from given extern networks
+# =============
+
+# - allow_ext_net_to_local_service
+# - 
+# - allow_ext_net_to_local_service="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some local netwoks access to special local 
+# - services (but not for all local networks as you can configure later).
+# -
+# - If you plan to separate networks (see parameter 'separate_local_networks'), but 
+# - to allow these networks some special local services, you can also use this parameter.
+# -
+# - Example:
+# -    allow access from 194.150.169.139 to ssh service at 83.223.73.210 on port 1036
+# -    allow access from 86.73.85.0/24 to https service at 83.223.73.204
+# -
+# -    allow_ext_net_to_local_service="194.150.169.139/32:83.223.73.210:1036:tcp 
+# -                                      86.73.85.0/24:83.223.73.204:$standard_https_port:tcp"
+# -
+# - Blank separated list
+# -    
+allow_ext_net_to_local_service=""
+
+
+
+# =============
+# - Allow all traffic from extern address/network to local address/network
+# =============
+
+# - allow_ext_net_to_local_net
+# -
+# -    allow_ext_net_to_local_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# -                               83.223.86.96/32:86.223.73.0/24"
+# - 
+# - Blank separated list
+# -
+allow_ext_net_to_local_net=""
+
+
+
+# =============
+# - Block all extern traffic to (given) local network
+# =============
+
+# - block_all_ext_to_local_net
+# -
+# -    block_all_ext_to_local_net="<local-net> [<local-net [<local-net .."
+# -
+# - Blocks all extern traffic to given local network(s)
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Example:
+# -    block_all_ext_to_local_net="83.223.73.32/29 83.223.73.48/29"
+# - 
+# - Blank separated list
+# -
+block_all_ext_to_local_net=""
+
+
 
 # =============
 # - Allow local services from given local networks
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index edde3b6..c92659c 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -50,6 +50,82 @@ unprotected_ifs=""
 any_access_to_inet_networks=""
 
 
+# - Allow these networks getting any access from the internet.
+# -
+# - Blank separated list of networks
+# -
+any_access_from_inet_networks=""
+
+
+
+# =============
+# - Allow local services from given extern networks
+# =============
+
+# - allow_ext_net_to_local_service
+# - 
+# - allow_ext_net_to_local_service="ext-net,local-address,port,protocol"
+# -
+# - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -
+# - Use this parameter to (only) give some local netwoks access to special local 
+# - services (but not for all local networks as you can configure later).
+# -
+# - If you plan to separate networks (see parameter 'separate_local_networks'), but 
+# - to allow these networks some special local services, you can also use this parameter.
+# -
+# - Example:
+# -    allow access from 2001:6f8:107e:63::20/128 to ssh service at 2a01:30:1fff:fd00::210 on port 1036
+# -    allow access from 2a01:30:0:13:5054:ff:fe09:2318/64 to https service at 2a01:30:1fff:fd00::204
+# -
+# -    allow_ext_net_to_local_service="2001:6f8:107e:63::20/128,2a01:30:1fff:fd00::210,1036,tcp 
+# -                                    2a01:30:0:13:5054:ff:fe09:2318/64,2a01:30:1fff:fd00::204,$standard_https_port,tcp"
+# -
+# - Blank separated list
+# -    
+allow_ext_net_to_local_service=""
+
+
+
+# =============
+# - Allow all traffic from extern address/network to local address/network
+# =============
+
+# - allow_ext_net_to_local_net
+# -
+# -    allow_ext_net_to_local_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="2a01:30:0:13:5054:ff:fe09:2318/64,2a01:30:1fff:fd00::0/64
+# -                               2001:6f8:107e:63::/64,2a01:30:ff:fd00::204/128"
+# - 
+# - Blank separated list
+# -
+allow_ext_net_to_local_net="2a01:30:0:13:5054:ff:fe09:2318/64,2001:6f8:107e:63::/64
+                            2a01:30:1fff:fd00::0/64,2001:6f8:107e:63::20"
+
+
+
+# =============
+# - Block all extern traffic to (given) local network
+# =============
+
+# - block_all_ext_to_local_net
+# -
+# -    block_all_ext_to_local_net="<local-net> [<local-net [<local-net .."
+# -
+# - Blocks all extern traffic to given local network(s)
+# -
+# - Example:
+# -    block_all_ext_to_local_net="2a01:30:1fff:fd01::1/64 2a01:30:1fff:fd04::1/64"
+# - 
+# - Blank separated list
+# -
+block_all_ext_to_local_net=""
+
+
 
 # =============
 # - Allow local services from given local networks
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 5d647bd..16fe088 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -80,6 +80,35 @@ for _net in $any_access_to_inet_networks ; do
    any_access_to_inet_network_arr+=("$_net")
 done
 
+declare -a any_access_from_inet_network_arr
+for _net in $any_access_from_inet_networks ; do
+   any_access_from_inet_network_arr+=("$_net")
+done
+
+# ---
+# - Allow local services from given extern networks
+# ---
+declare -a allow_ext_net_to_local_service_arr 
+for _val in $allow_ext_net_to_local_service ; do
+   allow_ext_net_to_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow all traffic from extern address/network to local address/network
+# ---
+declare -a allow_ext_net_to_local_net_arr
+for _val in $allow_ext_net_to_local_net ; do
+   allow_ext_net_to_local_net_arr+=("$_val")
+done
+
+# ---
+# - Block all extern traffic to (given) local network
+# ---
+declare -a block_all_ext_to_local_net_arr
+for _net in $block_all_ext_to_local_net ; do
+   block_all_ext_to_local_net_arr+=("$_net")
+done
+
 # ---
 # - Allow local services from given local networks
 # ---
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 8a4f795..d33dfaf 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -812,6 +812,86 @@ else
 fi
 
 
+echononl "\tAllow these local networks any access from the internet"
+if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \
+      && $kernel_forward_between_interfaces ; then
+
+   for _net in ${any_access_from_inet_network_arr[@]}; do
+      for _dev in ${ext_if_arr[@]} ; do
+         $ip6t -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+
+# ---
+# - Allow local services from given extern networks
+# ---
+
+echononl "\tAllow local services from given extern networks"
+if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
+      && $kernel_forward_between_interfaces ; then
+
+   for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
+      IFS=',' read -a _val_arr <<< "${_val}"
+      for _dev in ${ext_if_arr[@]} ; do
+         $ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+      done
+
+   done
+   
+   echo_done
+else
+   echo_skipped
+fi
+
+
+
+# ---
+# - Allow all traffic from extern address/network to local address/network
+# ---
+
+echononl "\tAllow all traffic from extern to local network/address"
+
+if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \
+      && $kernel_forward_between_interfaces ; then
+
+   for _val in ${allow_ext_net_to_local_net_arr[@]} ; do
+      IFS=',' read -a _val_arr <<< "${_val}"
+      for _dev in ${ext_if_arr[@]} ; do
+         $ip6t -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+
+# ---
+# - Block all extern traffic to (given) local network
+# ---
+
+echononl "\tBlock all extern traffic to (given) local network"
+if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \
+      && $kernel_forward_between_interfaces ; then
+
+   for _net in ${block_all_ext_to_local_net_arr[@]} ; do
+      for _dev in ${ext_if_arr[@]} ; do
+         $ip6t -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 
 # ---
 # - Allow local services from given local networks
@@ -819,8 +899,7 @@ fi
 
 echononl "\tAllow local services from given local networks"
 if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \
-      && $kernel_forward_between_interfaces \
-      && ! $permit_local_net_to_inet ; then
+      && $kernel_forward_between_interfaces ; then
 
    for _val in "${allow_local_net_to_local_service_arr[@]}" ; do
       IFS=',' read -a _val_arr <<< "${_val}"
@@ -852,8 +931,7 @@ fi
 echononl "\tAllow all traffic from local network to local ip-address"
 
 if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \
-      && $kernel_forward_between_interfaces \
-      && ! $permit_between_local_networks ; then
+      && $kernel_forward_between_interfaces ; then
 
    for _val in ${allow_local_net_to_local_ip_arr[@]} ; do
       IFS=',' read -a _val_arr <<< "${_val}"
@@ -882,8 +960,7 @@ fi
 echononl "\tAllow all traffic from local ip-address to local network"
 
 if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \
-      && $kernel_forward_between_interfaces \
-      && ! $permit_between_local_networks ; then
+      && $kernel_forward_between_interfaces ; then
 
    for _val in ${allow_local_ip_to_local_net_arr[@]} ; do
       IFS=',' read -a _val_arr <<< "${_val}"
@@ -912,8 +989,7 @@ fi
 echononl "\tAllow all traffic from local network to (another) local network"
 
 if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \
-      && $kernel_forward_between_interfaces \
-      && ! $permit_between_local_networks ; then
+      && $kernel_forward_between_interfaces ; then
 
    for _val in ${allow_local_net_to_local_net_arr[@]} ; do
       IFS=',' read -a _val_arr <<< "${_val}"
@@ -942,8 +1018,7 @@ fi
 echononl "\tAllow local ip address from given local interface"
 
 if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \
-      && $kernel_forward_between_interfaces \
-      && ! $permit_between_local_networks ; then
+      && $kernel_forward_between_interfaces ; then
 
    for _val in ${allow_local_if_to_local_ip_arr[@]} ; do
       IFS=',' read -a _val_arr <<< "${_val}"
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index dd99dab..f009171 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -1163,7 +1163,8 @@ fi
 
 echononl "\tAllow these local networks any access to the internet"
 if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \
-      && $kernel_activate_forwarding ; then
+      && $kernel_activate_forwarding \
+      && ! $permit_local_net_to_inet ; then
 
    for _net in ${any_access_to_inet_network_arr[@]}; do
       for _dev in ${ext_if_arr[@]} ; do
@@ -1176,6 +1177,153 @@ else
 fi
 
 
+echononl "\tAllow these local networks any access from the internet"
+if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \
+      && $kernel_activate_forwarding ; then
+
+   _found=false
+   for _net in ${any_access_from_inet_network_arr[@]}; do
+      for _dev in ${ext_if_arr[@]} ; do
+
+         # - Traffic recieved on natted interfaces will be ommitted!
+         # -
+         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+            continue
+         else
+            _found=true
+         fi
+
+         $ipt -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT
+      done
+   done
+   if $_found ; then
+      echo_done
+   else
+      echo_skipped
+   fi
+else
+   echo_skipped
+fi
+
+
+
+# ---
+# - Allow local services from given extern networks
+# ---
+
+echononl "\tAllow local services from given extern networks"
+if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
+      && $kernel_activate_forwarding ; then
+
+   _found=false
+   for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
+      IFS=':' read -a _val_arr <<< "${_val}"
+      for _dev in ${ext_if_arr[@]} ; do
+
+         # - Traffic recieved on natted interfaces will be ommitted!
+         # -
+         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+            continue
+         else
+            _found=true
+         fi
+
+         $ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+      done
+
+   done
+
+   if $_found ; then
+      echo_done
+   else
+      echo_skipped
+   fi
+   
+else
+   echo_skipped
+fi
+
+
+
+# ---
+# - Allow all traffic from extern address/network to local address/network
+# ---
+
+# - !! Note:
+# -    does NOT depend on settings 'permit_between_local_networks' !!
+# -
+echononl "\tAllow all traffic from extern to local network/address"
+
+if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \
+      && $kernel_activate_forwarding ; then
+
+   _found=false
+   for _val in ${allow_ext_net_to_local_net_arr[@]} ; do
+      IFS=':' read -a _val_arr <<< "${_val}"
+      for _dev in ${ext_if_arr[@]} ; do
+
+         # - Traffic recieved on natted interfaces will be ommitted!
+         # -
+         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+            continue
+         else
+            _found=true
+         fi
+
+         $ipt -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+      done
+   done
+
+   if $_found ; then
+      echo_done
+   else
+      echo_skipped
+   fi
+
+else
+   echo_skipped
+fi
+
+
+
+# ---
+# - Block all extern traffic to (given) local network
+# ---
+
+echononl "\tBlock all extern traffic to (given) local network"
+if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \
+      && $kernel_activate_forwarding ; then
+
+   _found=false
+   for _net in ${block_all_ext_to_local_net_arr[@]} ; do
+      for _dev in ${ext_if_arr[@]} ; do
+
+         # - Traffic recieved on natted interfaces will be ommitted!
+         # -
+         if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+            continue
+         else
+            _found=true
+         fi
+
+         $ipt -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP
+
+      done
+   done
+
+   if $_found ; then
+      echo_done
+   else
+      echo_skipped
+   fi
+
+else
+   echo_skipped
+fi
+
+
 
 # ---
 # - Allow local services from given local networks