From f535a29ca60734672317a1f460b748212077fbaa Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 9 Jul 2019 15:47:48 +0200
Subject: [PATCH] Add: Allow all traffic from local ip to the internet

---
 conf/main_ipv4.conf.sample | 12 ++++++++++++
 conf/main_ipv6.conf.sample | 15 +++++++++++++++
 conf/post_decalrations.conf | 8 ++++++++
 ip6t-firewall-gateway | 28 ++++++++++++++++++++++++++++
 ipt-firewall-gateway | 32 ++++++++++++++++++++++++++++++--
 5 files changed, 93 insertions(+), 2 deletions(-)

diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 739f1a5..1be7990 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -146,6 +146,18 @@ block_all_ext_to_local_net=""
 
 
 
+# =============
+# - Allow all traffic from local ip to the internet
+# =============
+
+# - allow_local_ip_to_inet
+# -
+# - Blank separated list of ip-adresses
+# -
+allow_local_ip_to_inet=""
+
+
+
 # =============
 # - Allow local services from given local networks
 # =============
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index c672646..f67565b 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -130,6 +130,21 @@ block_all_ext_to_local_net=""
 
 
 
+# =============
+# - Allow all traffic from local ip to the internet
+# =============
+
+# - allow_local_ip_to_inet
+# -
+# - Example:
+# - allow_local_ip_to_inet="2a01:30:1fff:fd01::1/64 2a01:505:1fff:fd04::1"
+# -
+# - Blank separated list of ip-adresses
+# -
+allow_local_ip_to_inet=""
+
+
+
 # =============
 # - Allow local services from given local networks
 # =============
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index d6ddb34..0f273f0 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
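Review bot: The comment block above `allow_local_ip_to_inet=""` describes the setting only as a list of addresses, while the scripts consuming it in this patch (ipt-firewall-gateway, ip6t-firewall-gateway) append a FORWARD ACCEPT per entry that is limited only by source, i.e. all protocols and, as far as those hunks show, every destination; the sample should state that, because the list itself is the only thing bounding the exposure. Suggest adding `# - Each entry gets a FORWARD ACCEPT for all protocols and all destinations; list only hosts or networks that really need it.` below the variable description. The ipv6 sample's example shows that CIDR networks are accepted as entries, but the ipv4 sample gives no example at all, and both spell `ip-adresses` where `ip-addresses` is meant; the same points apply to the conf/main_ipv6.conf.sample hunk.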
@@ -109,6 +109,14 @@ for _net in $block_all_ext_to_local_net ; do
 block_all_ext_to_local_net_arr+=("$_net")
 done
 
+# ---
+# - Allow all traffic from local ip to the internet
+# ---
+declare -a allow_local_ip_to_inet_arr
+for _ip in $allow_local_ip_to_inet ; do
+ allow_local_ip_to_inet_arr+=("$_ip")
+done
+
 # ---
 # - Allow local services from given local networks
 # ---
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 895d3ed..d97575b 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -916,6 +916,34 @@ fi
 
 
 
+# ---
+# - Allow all traffic from local ip to the internet
+# ---
+
+echononl "\tAllow all traffic from local ip to the internet"
+
+if [[ ${#allow_local_ip_to_inet_arr[@]} -gt 0 ]] \
+ && $kernel_forward_between_interfaces ; then
+
+ for _ip in ${allow_local_ip_to_inet_arr[@]} ; do
+ $ip6t -A FORWARD -p ALL -s $_ip -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -d $_ip --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
 # ---
 # - Allow local services from given local networks
 # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 505523f..08b9657 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
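Review bot: The rule `$ip6t -A FORWARD -p ALL -s $_ip -m conntrack --ctstate NEW -j ACCEPT` qualifies only the source, so a listed address can open new forwarded connections to every destination the FORWARD chain carries, which would include other local networks behind this gateway if there are any, not just the internet the section header promises; an outgoing-interface or destination qualifier is needed to match the intent, e.g. `$ip6t -A FORWARD -o <external interface variable> -p ALL -s $_ip -m conntrack --ctstate NEW -j ACCEPT`, and the same applies to the ipt-firewall-gateway hunk at -1532. Whether earlier rules already fence off local-to-local traffic before this ACCEPT depends on rule order outside this hunk and is worth confirming. The expansions `${allow_local_ip_to_inet_arr[@]}` and `-s $_ip` are unquoted, so an entry containing a glob character would be expanded against the working directory before it reaches ip6tables; `"${allow_local_ip_to_inet_arr[@]}"` and `"$_ip"` avoid that. The inline note also has a typo: `youe need` should read `you need`.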
@@ -1532,6 +1532,34 @@ fi
 
 
 
+# ---
+# - Allow all traffic from local ip to the internet
+# ---
+
+echononl "\tAllow all traffic from local ip to the internet"
+
+if [[ ${#allow_local_ip_to_inet_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ for _ip in ${allow_local_ip_to_inet_arr[@]} ; do
+ $ipt -A FORWARD -p ALL -s $_ip -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
 # ---
 # - Allow local services from given local networks
 # ---
@@ -1623,7 +1651,7 @@ if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \
 $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
 fi
 done
- echo_ok
+ echo_done
 else
 echo_skipped
 fi
@@ -1688,7 +1716,7 @@ if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \
 $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
 fi
 done
- echo_ok
+ echo_done
 else
 echo_skipped
 fi