From 2d07d39a55c013dba24b54029cafee1d9345dbf9 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 26 Oct 2021 11:02:59 +0200
Subject: [PATCH] allow those ssh ports out, which are also allowed for incoming traffic.
---
 ip6t-firewall-server | 36 +++++++++++++++++++++++++++++++++---
 ipt-firewall-server | 37 ++++++++++++++++++++++++++++++++++---
 2 files changed, 67 insertions(+), 6 deletions(-)
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 2dc41fc..ca677a1 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -1268,11 +1268,41 @@ for _dev in ${ext_if_arr[@]} ; do
 if $kernel_forward_between_interfaces ; then
 $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
 fi
+
+ if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
+ for _port in ${ssh_port_arr[@]} ; do
+
+ [[ "$_port" = "$standard_ssh_port" ]] && continue
+
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ fi
+
+ done
+ fi
+
 done
-for _dev in ${local_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
-done
+if [[ ${#local_if_arr[@]} -gt 0 ]] ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
+
+ if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
+ for _port in ${ssh_port_arr[@]} ; do
+
+ [[ "$_port" = "$standard_ssh_port" ]] && continue
+
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ fi
+ done
+ fi
+ done
+fi
 echo_done
diff --git a/ipt-firewall-server b/ipt-firewall-server
index 616805b..dd0dfa7 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
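Review bot: The new `FORWARD -i $_dev` rule inside the local_if_arr loop is not the mirror of the ext_if_arr loop above it: the external loop matches on the outgoing interface (`-o $_dev`), while this one matches on the incoming local interface with no `-o` constraint, so NEW connections to each extra SSH port arriving from a LAN interface are accepted for forwarding to every other interface, other local segments included, and the standard port gets no FORWARD rule in this loop at all. If the intent is only to let the extra ports out, this rule should probably be dropped here (the ext loop's `-o` rule already covers egress on those ports) or be tied to the external interfaces with an `-o`, and a one-line comment stating which was meant would keep the next reader from having to guess; please confirm. Separately, `${ssh_port_arr[@]}` and `$_port` are unquoted and nothing checks that each entry is a port number, so a stray value in the config would only surface as an ip6tables error on that rule; `for _port in "${ssh_port_arr[@]}"` together with `[[ "$_port" =~ ^[0-9]+$ ]] || continue` would tighten that. The enclosing script continues outside the hunk.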
@@ -1436,11 +1436,42 @@ for _dev in ${ext_if_arr[@]} ; do
 if $kernel_activate_forwarding ; then
 $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
 fi
+
+ if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
+ for _port in ${ssh_port_arr[@]} ; do
+
+ [[ "$_port" = "$standard_ssh_port" ]] && continue
+
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ fi
+
+ done
+ fi
+
 done
-for _dev in ${local_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
-done
+if [[ ${#local_if_arr[@]} -gt 0 ]] ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
+
+ if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
+ for _port in ${ssh_port_arr[@]} ; do
+
+ [[ "$_port" = "$standard_ssh_port" ]] && continue
+
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ fi
+ done
+ fi
+
+ done
+fi
 echo_done
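Review bot: In the local_if_arr loop, `$ipt -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT` matches on the incoming LAN interface with no `-o`, whereas every other FORWARD rule in this hunk (the standard-port one in the context lines and the per-port one in the ext_if_arr loop) matches `-o $_dev`; the effect is that NEW connections to each extra SSH port can be forwarded from any local interface to any interface, LAN-to-LAN included, while nothing equivalent is granted for the standard port. If that widening is unintended, the `-o $_dev` form is the one to use, or the FORWARD rule can be omitted here because the ext_if_arr loop already permits egress on these ports; either way a short comment recording the decision would help. The iteration `for _port in ${ssh_port_arr[@]}` and `--dport $_port` are unquoted (ShellCheck SC2068/SC2086); `"${ssh_port_arr[@]}"` and `"$_port"` cost nothing and keep an accidental space or glob character in the config from becoming a second argument. The two nested blocks repeat the same OUTPUT-plus-conditional-FORWARD body, so a small helper taking the interface and port would remove the duplication and make the `-i`/`-o` choice a single visible decision. The enclosing script continues outside the hunk.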