From aead4e0ba8ceae3762119f7157dd62497ead5949 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 13 Jun 2019 13:03:53 +0200 Subject: [PATCH] Add support or forwarding rsynd protokoll from local networks. --- conf/main_ipv4.conf.sample | 4 ++++ conf/main_ipv6.conf.sample | 4 ++++ ip6t-firewall-gateway | 36 ++++++++++++++++++++++++++++++++++-- ipt-firewall-gateway | 35 +++++++++++++++++++++++++++++++++-- 4 files changed, 75 insertions(+), 4 deletions(-) diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 5356f27..46caf3b 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -1005,6 +1005,10 @@ rsync_ports="873" # - local_rsync_out=false +# - forward rsync out for all machine's behind the firewall? +# - +forward_rsync_out=false + # ============= diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 4a0a6e5..47f5096 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -972,6 +972,10 @@ rsync_ports="873" # - local_rsync_out=false +# - forward rsync out for all machine's behind the firewall? +# - +forward_rsync_out=false + # ============= diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 94d3d32..f745bdf 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -3168,10 +3168,10 @@ fi # --- -# - Rsync only Out Gateway +# - Rsyncd (only Out) Gateway # --- -echononl "\t\tRsync (only OUT) Gateway" +echononl "\t\tRsyncd (only OUT) Gateway" if $local_rsync_out ; then for _dev in ${ext_if_arr[@]} ; do 
@@ -3186,6 +3186,38 @@ else fi +# --- +# - Rsyncd (only OUT) from all local networks" +# --- + +echononl "\t\tRsyncd (only OUT) from all local networks" + +if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + for _local_dev in ${local_if_arr[@]} ; do + for _ext_dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + + $ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + done + + echo_done +else + echo_skipped +fi + + + # --- # - Rsync only Out from given local machines # --- diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 24b80d2..3e138ef 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -3876,10 +3876,10 @@ fi # --- -# - Rsync only Out Gateway +# - Rsyncd (only Out) Gateway # --- -echononl "\t\tRsync (only OUT) Gateway" +echononl "\t\tRsyncd (only OUT) Gateway" if $local_rsync_out ; then for _dev in ${ext_if_arr[@]} ; do 
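Review bot: The new guard `if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then` opens the FORWARD rules when `forward_rsync_out` is unset, because an empty expansion yields no command and bash gives that a zero exit status; existing deployed configs will not carry the variable the sample files gain in this commit, so unless the script assigns a default elsewhere (not visible in this patch) an upgrade silently enables the forwarding. A default before the check, `forward_rsync_out=${forward_rsync_out:-false}`, or a test on the value, `if [[ "$forward_rsync_out" == true ]] && ...`, makes the opt-in explicit; the same applies to the IPv4 counterpart in ipt-firewall-gateway. The section comment `# - Rsyncd (only OUT) from all local networks"` carries a stray closing quote, and the note reads `youe` for `you`.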
@@ -3894,6 +3894,37 @@ else fi +# --- +# - Rsyncd (only OUT) from all local networks" +# --- + +echononl "\t\tRsyncd (only OUT) from all local networks" + +if $forward_rsync_out && $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + for _local_dev in ${local_if_arr[@]} ; do + for _ext_dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + + $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + done + + echo_done +else + echo_skipped +fi + + # --- # - Rsync only Out from given local machines # ---
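Review bot: The alias-interface return rule `$ipt -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT` accepts any ACK-flagged segment from any external address using source port 873 towards every local host, without regard to connection state, so it widens inbound reachability of the local networks well beyond replies to rsync sessions; the IPv6 version in ip6t-firewall-gateway has the same rule. If conntrack is in effect on the aliased interfaces, `-m conntrack --ctstate ESTABLISHED` in place of `--tcp-flag ACK ACK` keeps the rule to real return traffic; if the stateless form is required, the `# - Note:` comment should state why conntrack cannot be used there. The guard here reads `$kernel_activate_forwarding` while the IPv6 script checks `$kernel_forward_between_interfaces`; if that difference is not deliberate it is worth aligning.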