diff --git a/conf/default_ports.conf b/conf/default_ports.conf index 24fcd65..0191f18 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf @@ -15,11 +15,14 @@ standard_https_port=443 standard_ftp_port=21 standard_tftp_udp_port=69 standard_ntp_port=123 +standard_snmp_port=161 +standard_snmp_trap_port=162 standard_timeserver_port=37 standard_pgp_keyserver_port=11371 standard_telnet_port=23 standard_whois_port=43 standard_cpan_wait_port=1404 +standard_xymon_port=1984 standard_hbci_port=3000 standard_mysql_port=3306 standard_ipp_port=631 diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 09679b3..1eba57d 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -81,11 +81,13 @@ allow_local_net_to_local_service="" # ============= -# - Allow local ip address from given local network +# - Allow all traffic from local network to local ip-address # ============= # - allow_local_net_to_local_ip # - +# - allow_local_net_to_local_ip=": [:] [..]" +# - # - All traffic from the given network to the given ip address is allowed # - # - Example: 
@@ -98,6 +100,50 @@ allow_local_net_to_local_ip="" +# ============= +# - Allow all traffic from local ip-address to local network +# ============= + +# - allow_local_ip_to_local_net +# - +# - allow_local_ip_to_local_net=": [:] [..]" +# - +# - All traffic from the given ip address to the given network is allowed +# - +# - Example: +# - allow_local_ip_to_local_net="192.168.10.9:10.10.10.0/24 +# - 192.168.10.16:10.10.10.0/24" +# - +# - Blank separated list +# - +allow_local_ip_to_local_net=" + 192.168.10.16:10.10.10.0/24" + + + +# ============= +# - Allow all traffic from (one) local network to (another) local network +# ============= + +# - allow_local_net_to_local_net +# - +# - allow_local_net_to_local_net=": [:] [..]" +# - +# - All traffic from the given first network to the given second network is allowed +# - +# - Notice: +# - If you want allow both directions, you have to make two entries - one for evry directions. +# - +# - Example: +# - allow_local_net_to_local_net="192.168.11.0/24:10.10.11.0/24 +# - 192.168.78.0/24:10.10.11.0/24" +# - +# - Blank separated list +# - +allow_local_net_to_local_net="" + + + # ============= # - Allow local ip address from given local interface # ============= diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index e833aba..84030a2 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -81,11 +81,13 @@ allow_local_net_to_local_service="" # ============= -# - Allow local ip address from given local network +# - Allow all traffic from local network to local ip-address # ============= # - allow_local_net_to_local_ip # - +# - allow_local_net_to_local_ip=": [:] [..]" +# - # - All traffic from the given network to the given ip address is allowed # - # - Example: 
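Review bot: The sample ships `allow_local_ip_to_local_net` with a live entry, `192.168.10.16:10.10.10.0/24`, while the IPv6 sample and every other option added in this hunk default to `""`; anyone who copies the sample unchanged gets a forwarding allow rule for an address pair they never chose. The default should be `allow_local_ip_to_local_net=""`, with the address kept only in the commented example above it. The Notice under `allow_local_net_to_local_net` reads "one for evry directions"; "one for every direction" is clearer, here and in the IPv6 sample's copy of the same text.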
@@ -98,6 +100,49 @@ allow_local_net_to_local_ip="" +# ============= +# - Allow all traffic from local ip-address to local network +# ============= + +# - allow_local_ip_to_local_net +# - +# - allow_local_ip_to_local_net=": [:] [..]" +# - +# - All traffic from the given ip address to the given network is allowed +# - +# - Example: +# - allow_local_ip_to_local_net="2001:6f8:107e:63::20,2001:6f8:107e:64::/64 +# - 2001:6f8:107e:63::10,2001:6f8:107e:64::/64" +# - +# - Blank separated list +# - +allow_local_ip_to_local_net="" + + + +# ============= +# - Allow all traffic from (one) local network to (another) local network +# ============= + +# - allow_local_net_to_local_net +# - +# - allow_local_net_to_local_net=": [:] [..]" +# - +# - All traffic from the given first network to the given second network is allowed +# - +# - Notice: +# - If you want allow both directions, you have to make two entries - one for evry directions. +# - +# - Example: +# - allow_local_net_to_local_net="2001:6f8:107e:64::/64,2001:6f8:107e:63::/64 +# - 2001:6f8:107e:63::/64,2001:6f8:107e:64::/64" +# - +# - Blank separated list +# - +allow_local_net_to_local_net="" + + + # ============= # - Allow local ip address from given local interface # ============= @@ -509,7 +554,9 @@ snmp_server_ips="" # - SNMP Port # - -snmp_port="161" +snmp_port="$standard_snmp_port" +snmp_trap_port="$standard_snmp_trap_port" + # ====== @@ -540,7 +587,7 @@ local_xymon_client="" # - XyMon Ports # - -xymon_port=1984 +xymon_port="$standard_xymon_port" # ====== diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 4774925..a90ea98 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf 
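Review bot: `snmp_port="$standard_snmp_port"` and `snmp_trap_port="$standard_snmp_trap_port"` now depend on `conf/default_ports.conf` being sourced before this file, whereas the literal `161` they replace had no ordering requirement; if the loader reads the main conf first (not visible here), both expand to empty and the `--dport $snmp_port` rules in ip6t-firewall-gateway are built with a missing argument. The same applies to `xymon_port="$standard_xymon_port"` in the next hunk. If the order is guaranteed, a comment above these lines such as `# - Values come from default_ports.conf, which must be sourced first` would record that assumption where the next editor will see it.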
@@ -83,13 +83,29 @@ for _val in $allow_local_net_to_local_service ; do done # --- -# - Allow local ip address from given local network +# - Allow all traffic from local network to local ip-address # --- declare -a allow_local_net_to_local_ip_arr for _val in $allow_local_net_to_local_ip ; do allow_local_net_to_local_ip_arr+=("$_val") done +# --- +# - Allow all traffic from local ip-address to local network +# --- +declare -a allow_local_ip_to_local_net_arr +for _val in $allow_local_ip_to_local_net ; do + allow_local_ip_to_local_net_arr+=("$_val") +done + +# --- +# - Allow all traffic from (one) local network to (another) local network +# --- +declare -a allow_local_net_to_local_net_arr +for _val in $allow_local_net_to_local_net ; do + allow_local_net_to_local_net_arr+=("$_val") +done + # --- # - Allow local ip address from given local interface # --- diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index d6bccbc..eae15b0 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -797,7 +797,10 @@ fi # --- echononl "\tAllow these local networks any access to the internet" -if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then +if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_local_net_to_inet ; then + for _net in ${any_access_to_inet_network_arr[@]}; do for _dev in ${ext_if_arr[@]} ; do $ip6t -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT 
@@ -815,7 +818,10 @@ fi # --- echononl "\tAllow local services from given local networks" -if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then +if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_local_net_to_inet ; then + for _val in "${allow_local_net_to_local_service_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT @@ -824,7 +830,7 @@ if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] && $kernel_forward_be # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then $ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT @@ -840,12 +846,16 @@ fi # --- -# - Allow local ip address from given local network +# - Allow all traffic from local network to local ip-address # --- -echononl "\tAllow local ip address from given local network" -if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then - for _val in ${allow_local_net_to_local_service_arr[@]} ; do +echononl "\tAllow all traffic from local network to local ip-address" + +if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then + + for _val in ${allow_local_net_to_local_ip_arr[@]} ; do IFS=',' read -a _val_arr <<< "${_val}" $ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT 
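Review bot: The new guard on the "Allow local services from given local networks" block is `! $permit_local_net_to_inet`, but the rules it protects are FORWARD rules between local networks, so the flag that makes them redundant is `permit_between_local_networks`; the matching hunk in ipt-firewall-gateway uses `&& ! $permit_between_local_networks` for this same block. As written, enabling local-to-internet access silently drops the IPv6 local-service rules, while enabling between-local-networks forwarding leaves them installed alongside the blanket permit. Change the third condition line to `&& ! $permit_between_local_networks ; then`.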
@@ -853,7 +863,67 @@ if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow all traffic from local ip-address to local network +# --- + +echononl "\tAllow all traffic from local ip-address to local network" + +if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then + + for _val in ${allow_local_ip_to_local_net_arr[@]} ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow all traffic from (one) local network to (another) local network +# --- + +echononl "\tAllow all traffic from local network to (another) local network" + +if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then + + for _val in ${allow_local_net_to_local_net_arr[@]} ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $local_alias_interfaces ; then $ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi @@ -870,7 +940,11 @@ fi # --- echononl "\tAllow local ip address from given local interface" -if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + +if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks ; then + for _val in ${allow_local_if_to_local_ip_arr[@]} ; do IFS=',' read -a _val_arr <<< "${_val}" $ip6t -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT @@ -879,7 +953,7 @@ if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_ # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $local_alias_interfaces ; then $ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi @@ -1038,7 +1112,7 @@ for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT #$ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT - # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) + # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then # - forward from virtual mashine(s) $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT 
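Review bot: In the two new blocks the alias-interface workaround accepts any TCP packet with ACK set toward or from `${_val_arr[1]}`, and in the "ip-address to local network" and "network to network" cases that field is a whole network rather than the single host it was in the block it was copied from; the rules carry no counterpart `-s`/`-d`, so every ACK-flagged forwarded packet from any source to that network, and from that network to anywhere, is accepted without regard to the configured peer. Scoping the pair keeps the workaround without the blanket accept: `$ip6t -A FORWARD -p tcp -s ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT` and `$ip6t -A FORWARD -p tcp -s ${_val_arr[1]} -d ${_val_arr[0]} --tcp-flag ACK ACK -j ACCEPT`. The same applies to the matching new blocks in ipt-firewall-gateway (hunk -1200,7 +1210,67) with `$ipt`. The three blocks differ only in array name and label, so a function taking those two arguments would remove the triple copy; the first `if` touched by this hunk begins outside it.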
@@ -1164,7 +1238,7 @@ if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT done @@ -1174,7 +1248,7 @@ if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT fi @@ -1224,7 +1298,7 @@ if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then # - Rule is needed if (local) interface aliases in use (like eth0:1) # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then for _port in ${ssh_port_arr[@]} ; do $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT 
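Review bot: The context line inside the renamed guard still reads `$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port ...` with a single-dash `-dport`; ip6tables most likely parses that as `-d port` followed by a stray argument, so the rule that forwards SSH from local interfaces to the local-only server never loads, and switching the flag name does not change that. It should be `--dport $_port`, as in the OUTPUT rule two lines above. The enclosing loop starts outside the hunk.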
@@ -2546,10 +2620,11 @@ echononl "\t\tSNMP Services local Networks" if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${snmp_server_ip_arr[@]} ; do - $ip6t -A OUTPUT -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -s $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT done fi done @@ -2658,7 +2733,7 @@ if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_ # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT if $provide_hotspot ; then diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index ca6dd78..50a7156 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -1144,7 +1144,10 @@ fi # --- echononl "\tAllow these local networks any access to the internet" -if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then +if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_local_net_to_inet ; then + for _net in ${any_access_to_inet_network_arr[@]}; do for _dev in ${ext_if_arr[@]} ; do $ipt -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT 
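Review bot: The new FORWARD rule `-i $_dev -p udp -s $_ip --dport $snmp_port` has no destination or output-interface restriction, so it lets the SNMP server reach UDP/161 on any host reachable through the gateway, including external ones, whereas the rule it replaces was limited to `-d $_ip`. If the intent is polling of local agents only, add an `-o` for the local interfaces or a `-d` for the local networks to that line; as written it is a general outbound permit for that host on port 161. The ipt-firewall-gateway hunk at -2965 adds the same rule with `$ipt`.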
@@ -1162,7 +1165,10 @@ fi # --- echononl "\tAllow local services from given local networks" -if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then +if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks ; then + for _val in "${allow_local_net_to_local_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT @@ -1171,7 +1177,7 @@ if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] && $kernel_activate_f # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT @@ -1187,12 +1193,16 @@ fi # --- -# - Allow local ip address from given local network +# - Allow all traffic from local network to local ip-address # --- -echononl "\tAllow local ip address from given local network" -if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then - for _val in ${allow_local_net_to_local_service_arr[@]} ; do +echononl "\tAllow all traffic from local network to local ip-address" + +if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks ; then + + for _val in ${allow_local_net_to_local_ip_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT 
@@ -1200,7 +1210,67 @@ if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwar # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow all traffic from local ip-address to local network +# --- + +echononl "\tAllow all traffic from local ip-address to local network" + +if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks ; then + + for _val in ${allow_local_ip_to_local_net_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow all traffic from (one) local network to (another) local network +# --- + +echononl "\tAllow all traffic from local network to (another) local network" + +if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks ; then + + for _val in ${allow_local_net_to_local_net_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi @@ -1217,7 +1287,10 @@ fi # --- echononl "\tAllow local ip address from given local interface" -if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + +if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks ; then for _val in ${allow_local_if_to_local_ip_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT @@ -1226,7 +1299,7 @@ if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forward # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi @@ -2947,7 +3020,7 @@ fi echononl "\t\tRsync Out from given local machines" -if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding $$ ! $permit_local_net_to_inet; then +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding && ! $permit_local_net_to_inet; then for _port in ${rsync_port_arr[@]} ; do for _ip in ${rsync_out_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT 
@@ -2965,12 +3038,13 @@ fi echononl "\t\tSNMP Services local Networks" -if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] ; then +if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then for _ip in ${snmp_server_ip_arr[@]} ; do - $ipt -A OUTPUT -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do - $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -s $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT done fi done
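Review bot: The outer condition now carries `&& ! $permit_between_local_networks`, which also gates the `$ipt -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port` rule for traps sent by the firewall host itself; that rule has nothing to do with forwarding between local networks, so enabling that flag silently drops the gateway's own trap traffic. The inner `if $kernel_activate_forwarding && ! $permit_between_local_networks` already guards the FORWARD rules, so the outer test should stay `if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] ; then`, as the ip6t script's hunk keeps it. Separately, `$snmp_trap_port` is introduced here for IPv4, but this diff adds `snmp_trap_port` only to main_ipv6.conf.sample; unless main_ipv4.conf.sample already defines it, the variable expands to empty and `--dport` is left without an argument.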