From 5ec7c9bcea775e56271f72ef77bf09f08db3bcff Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 11 Jan 2021 19:59:08 +0100
Subject: [PATCH] Add support for dhclient.
---
 conf/main_ipv4.conf.sample | 9 ++++++++-
 conf/main_ipv6.conf.sample | 9 ++++++++-
 conf/post_decalrations.conf | 8 ++++++--
 ip6t-firewall-server | 24 +++++++++++++++++++-----
 ipt-firewall-server | 18 ++++++++++++++++--
 5 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 8084c5f..a1f45a1 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -241,10 +241,17 @@ ntp_allowed_net=""
 # DHCP Server
 #
-# Comma seperated Interface list for DHCP services
+# Comma seperated list of Interface supporting DHCP services
 #
 dhcp_server_ifs=""
+# DHCP Client
+#
+# Comma seperated list of Interface, which are dhcp clients
+#
+dhcp_client_ifs=""
+
+
 # - DNS Server
 # -
 # - Note:
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 0360e45..05e4f10 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -257,10 +257,17 @@ ntp_allowed_net=""
 # DHCP Server
 #
-# Comma seperated Interface list for DHCP services
+# Comma seperated list of Interface supporting DHCP services
 #
 dhcp_server_ifs=""
+# DHCP Client
+#
+# Comma seperated list of Interface, which are dhcp clients
+#
+dhcp_client_ifs=""
+
+
 # - DNS Server
 # -
 # - Note:
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 596d5da..e240585 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -133,9 +133,13 @@ done
 # ---
 # - Network Interfaces DHCP Service
 # ---
-declare -a dhcp_if_arr
+declare -a dhcp_server_if_arr
 for _dev in $dhcp_server_ifs ; do
- dhcp_if_arr+=($_dev)
+ dhcp_server_if_arr+=($_dev)
+done
+declare -a dhcp_client_if_arr
+for _dev in $dhcp_client_ifs ; do
+ dhcp_client_if_arr+=($_dev)
 done
 # ---
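Review bot: The comment added above `dhcp_client_ifs=""` misspells `seperated` (the rewritten `dhcp_server_ifs` comment carries the same typo) and `list of Interface, which are dhcp clients` reads awkwardly; suggest `# Comma separated list of interfaces that are DHCP clients`. The identical text is added in the conf/main_ipv6.conf.sample hunk, so both should be corrected together.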
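Review bot: The new `for _dev in $dhcp_client_ifs` loop splits the value on `$IFS` (whitespace by default), while the sample configs in this commit describe `dhcp_client_ifs` as comma separated, so a value such as `eth0,eth1` would land in `dhcp_client_if_arr` as a single element unless `IFS` is changed somewhere outside this view. The pre-existing `dhcp_server_ifs` loop has the same mismatch, so either the config comments or the splitting should be aligned — for example `for _dev in ${dhcp_client_ifs//,/ } ; do` accepts both forms. Since the expansion is unquoted it is also subject to pathname globbing, which only matters if an interface name contains glob characters.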
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 66c4f0c..69c1a4e 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -1112,14 +1112,28 @@ echo
 # - DHCP
 # ---
-echononl "\t\tDHCP"
+echononl "\t\tDHCP Clients"
-if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then
+if [[ ${#dhcp_client_if_arr[@]} -gt 0 ]] ; then
 for _dev in ${dhcp_if_arr[@]} ; do
- # - in
- $ip6t -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
 # - out
- $ip6t -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
+ $ip6t -A OUTPUT -p udp -o $_dev --dport 67 -d ::/0 --sport 1024:65535 -j ACCEPT
+ # - in $ipt -A INPUT -p udp -i $_dev --sport 67 -d ::/0 --dport 68 -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+echononl "\t\tDHCP Server"
+
+if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
+ for _dev in ${dhcp_server_if_arr[@]} ; do
+ # - in $ip6t -A INPUT -p udp -i $_dev -s ::/0 --sport 68 --dport 67 -j ACCEPT
+ # - out $ip6t -A OUTPUT -p udp -o $_dev --sport 67 -d ::/0 --dport 68 -j ACCEPT
 done
 echo_done
 else
diff --git a/ipt-firewall-server b/ipt-firewall-server
index f20d45e..28ac1bf 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1275,10 +1275,24 @@ echo
 # - DHCP
 # ---
-echononl "\t\tDHCP"
+echononl "\t\tDHCP Clients"
-if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then
+if [[ ${#dhcp_client_if_arr[@]} -gt 0 ]] ; then
 for _dev in ${dhcp_if_arr[@]} ; do
+ # - out $ipt -A OUTPUT -p udp -o $_dev --dport 67 -d 0/0 --sport 1024:65535 -j ACCEPT
+ # - in $ipt -A INPUT -p udp -i $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+echononl "\t\tDHCP Server"
+
+if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
+ for _dev in ${dhcp_server_if_arr[@]} ; do
 # - in
 $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
 # - out
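Review bot: The DHCP Clients loop still iterates `${dhcp_if_arr[@]}`, an array that conf/post_decalrations.conf no longer declares after this commit, so the new client rules are never installed even though the guard tests `dhcp_client_if_arr` and `echo_done` is printed; the loop should read `for _dev in ${dhcp_client_if_arr[@]} ; do`. The client INPUT rule in that block invokes `$ipt` with `-d ::/0`, which in this IPv6 script should be `$ip6t -A INPUT -p udp -i $_dev --sport 67 -d ::/0 --dport 68 -j ACCEPT`. Ports 67/68 are DHCPv4's; DHCPv6 (RFC 8415) uses UDP 546 on the client and 547 on the server, so if these ip6tables rules are meant to admit DHCPv6 they will not match that traffic. The ipt-firewall-server hunk carries the same `dhcp_if_arr` loop, and its client OUTPUT rule's `--sport 1024:65535` does not cover a DHCPv4 client sending from port 68; that hunk and the tail of this if/else block run past the end of the view.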