Add options 'restrict_local_service_to_net' and 'restrict_local_net_to_net'
parent
350f2dc487
commit
a3d0c9161a
@ -513,8 +513,8 @@ echo_done
|
||||
# - VPN
|
||||
# ---
|
||||
|
||||
echononl "\tPermit all traffic through VPN lines.."
|
||||
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
echononl "\tPermit all traffic through VPN lines.."
|
||||
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
for _ip in ${vpn_server_ip_arr[@]} ; do
|
||||
for _port in ${vpn_port_arr[@]} ; do
|
||||
@ -543,6 +543,53 @@ else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
echo
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
||||
# -------------
|
||||
|
||||
echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
|
||||
if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _val in "${restrict_local_service_to_net_arr[@]}" ; do
|
||||
IFS=',' read -a _val_arr <<< "${_val}"
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Network to given extern IP-Address/Network
|
||||
# -------------
|
||||
|
||||
echononl "\tRestrict local Address/Network to given extern Address/Network"
|
||||
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
|
||||
IFS=',' read -a _val_arr <<< "${_val}"
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services
|
||||
|
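Review bot: The catch-all `-j DROP` for the service restriction is appended inside the `for _dev in ${ext_if_arr[@]}` loop and carries no `-i`, so with two external interfaces the INPUT chain ends up as ACCEPT(dev1), DROP(all), ACCEPT(dev2), DROP(all) and the permitted source net is dropped on every interface but the first; the net-to-net block has the same shape across entries, because each entry's `-i $_dev -d ${_val_arr[1]} -j DROP` is installed before the ACCEPT of any later entry with the same destination, which is exactly the documented example where two source nets share one /128 target. Append the DROP rules only after every ACCEPT of the option has been added (a second pass over the array), so the allow-list is complete before the catch-all is in place; the same structure is repeated in the IPv4 hunk at `@ -733,6 +733,53 @@`. Note also that the service DROP without `-i` applies to traffic arriving on internal interfaces as well, which may not be what the option description means by natted interfaces being omitted — if internal access should stay open, bind it to the external interfaces too. Because `-A` appends, this whole block also depends on where the chain's ESTABLISHED,RELATED accept sits, which is outside the hunk.
```shell
for _val in "${restrict_local_service_to_net_arr[@]}" ; do
   IFS=',' read -a _val_arr <<< "${_val}"
   for _dev in ${ext_if_arr[@]} ; do
      $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
   done
done
# Catch-all DROPs only after all ACCEPT rules of this option are installed
for _val in "${restrict_local_service_to_net_arr[@]}" ; do
   IFS=',' read -a _val_arr <<< "${_val}"
   $ip6t -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
done
# … unchanged: echo_done / else / echo_skipped / fi …
# … apply the same two-pass split to the restrict_local_net_to_net_arr block …
```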
@ -179,6 +179,58 @@ local_2_ip=""
|
||||
local_2_ip=""
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
||||
# -------------
|
||||
|
||||
# - restrict_local_service_to_net
|
||||
# -
|
||||
# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
|
||||
# -
|
||||
# - Note:
|
||||
# - =====
|
||||
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
|
||||
# - - Traffic recieved on natted interfaces will be ommitted!
|
||||
# -
|
||||
# - Use this parameter to (only) give some extern netwoks access to special local
|
||||
# - services.
|
||||
# -
|
||||
# - Example:
|
||||
# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
|
||||
# - allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
|
||||
# -
|
||||
# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
|
||||
# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
|
||||
# -
|
||||
# - Blank separated list
|
||||
# -
|
||||
restrict_local_service_to_net=""
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Network to given extern IP-Address/Network
|
||||
# -------------
|
||||
|
||||
# - restrict_local_net_to_net
|
||||
# -
|
||||
# - restrict_local_net_to_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
|
||||
# -
|
||||
# - All traffic from the given first network to the given second network is allowed
|
||||
# -
|
||||
# - Note:
|
||||
# - =====
|
||||
# - - Traffic recieved on natted interfaces will be ommitted!
|
||||
# - - If you want allow both directions, you have to make two entries - one for evry directions.
|
||||
# -
|
||||
# - Example:
|
||||
# - allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
|
||||
# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
|
||||
# -
|
||||
# - Blank separated list
|
||||
# -
|
||||
restrict_local_net_to_net=""
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services local Network
|
||||
# -------------
|
||||
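Review bot: The example for the net-to-net option names a different variable, `allow_ext_net_to_local_net=`, while the option the script reads is `restrict_local_net_to_net`; a user who copies the example sets a variable nothing reads, the array stays empty and the section is skipped, i.e. no restriction is applied. Change the example to `restrict_local_net_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128`. The same mismatch is in the IPv4 config hunk at `@ -182,6 +182,58 @@`. The descriptions should also state the blocking effect, since that is what makes a typo in the network field lock out legitimate clients, e.g. `# - Every other source is DROPped for the given destination (and port).`; spelling while here: 'Servive', 'valuse', 'recieved', 'ommitted', 'netwoks', 'evry'.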
@ -422,6 +474,22 @@ for _dev in $unprotected_ifs ; do
|
||||
unprotected_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Restrict local Servive to given IP-Address/Network
|
||||
# ---
|
||||
declare -a restrict_local_service_to_net_arr
|
||||
for _val in $restrict_local_service_to_net ; do
|
||||
restrict_local_service_to_net_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Restrict local Network to given IP-Address/Network
|
||||
# ---
|
||||
declare -a restrict_local_net_to_net_arr
|
||||
for _val in $restrict_local_net_to_net ; do
|
||||
restrict_local_net_to_net_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Generally block ports
|
||||
# ---
|
||||
|
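Review bot: The entries are word-split into the arrays without any validation, although the option description says only 'tcp' and 'udp' are allowed and the rule code indexes fields 0–3 unconditionally; an entry with a missing field expands to an empty `-p`/`--dport` argument, so the ip6tables call fails or runs with shifted arguments, and a wrong protocol only surfaces when the rule is loaded. Validate here, where the array is built, by splitting each entry on ',' and rejecting it unless it has exactly four fields and the last one is tcp or udp, reporting the offending entry and aborting before any rule is installed (use the script's own error helper if it has one). The same check, with ':' as separator, belongs in the IPv4 hunk at `@ -506,6 +558,22 @@`; for the net-to-net option a two-field check is enough.
```shell
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
   IFS=',' read -a _val_arr <<< "${_val}"
   if [[ ${#_val_arr[@]} -ne 4 ]] || [[ ${_val_arr[3]} != tcp && ${_val_arr[3]} != udp ]] ; then
      echo "Invalid entry in restrict_local_service_to_net: '${_val}'" >&2
      exit 1
   fi
   restrict_local_service_to_net_arr+=("$_val")
done
# … unchanged: restrict_local_net_to_net_arr loop (add a two-field check there) …
```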
@ -703,8 +703,8 @@ echo_done
|
||||
# - VPN
|
||||
# ---
|
||||
|
||||
echononl "\tPermit all traffic through VPN lines.."
|
||||
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
echononl "\tPermit all traffic through VPN lines.."
|
||||
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
|
||||
for _ip in ${vpn_server_ip_arr[@]} ; do
|
||||
for _port in ${vpn_port_arr[@]} ; do
|
||||
@ -733,6 +733,53 @@ else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
echo
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
||||
# -------------
|
||||
|
||||
echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
|
||||
if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _val in "${restrict_local_service_to_net_arr[@]}" ; do
|
||||
IFS=':' read -a _val_arr <<< "${_val}"
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Network to given extern IP-Address/Network
|
||||
# -------------
|
||||
|
||||
echononl "\tRestrict local Address/Network to given extern Address/Network"
|
||||
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
|
||||
IFS=':' read -a _val_arr <<< "${_val}"
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services
|
||||
|
@ -182,6 +182,58 @@ local_2_ip=""
|
||||
broadcast_ips=""
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
||||
# -------------
|
||||
|
||||
# - restrict_local_service_to_net
|
||||
# -
|
||||
# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
|
||||
# -
|
||||
# - Note:
|
||||
# - =====
|
||||
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
|
||||
# - - Traffic recieved on natted interfaces will be ommitted!
|
||||
# -
|
||||
# - Use this parameter to (only) give some extern netwoks access to special local
|
||||
# - services.
|
||||
# -
|
||||
# - Example:
|
||||
# - allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
|
||||
# - allow access from 86.73.85.0/24 to https service at 83.223.86.98
|
||||
# -
|
||||
# - restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp
|
||||
# - 86.73.85.0/24:83.223.86.98:443:tcp"
|
||||
# -
|
||||
# - Blank separated list
|
||||
# -
|
||||
restrict_local_service_to_net=""
|
||||
|
||||
|
||||
# -------------
|
||||
# ---- Restrict local Network to given extern IP-Address/Network
|
||||
# -------------
|
||||
|
||||
# - restrict_local_net_to_net
|
||||
# -
|
||||
# - restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
|
||||
# -
|
||||
# - All traffic from the given first network to the given second network is allowed
|
||||
# -
|
||||
# - Note:
|
||||
# - =====
|
||||
# - - Traffic recieved on natted interfaces will be ommitted!
|
||||
# - - If you want allow both directions, you have to make two entries - one for evry directions.
|
||||
# -
|
||||
# - Example:
|
||||
# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
|
||||
# - 83.223.86.96/32:86.223.73.0/24"
|
||||
# -
|
||||
# - Blank separated list
|
||||
# -
|
||||
restrict_local_net_to_net=""
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Services local Network
|
||||
# -------------
|
||||
@ -506,6 +558,22 @@ for _dev in $unprotected_ifs ; do
|
||||
unprotected_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Restrict local Servive to given IP-Address/Network
|
||||
# ---
|
||||
declare -a restrict_local_service_to_net_arr
|
||||
for _val in $restrict_local_service_to_net ; do
|
||||
restrict_local_service_to_net_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Restrict local Network to given IP-Address/Network
|
||||
# ---
|
||||
declare -a restrict_local_net_to_net_arr
|
||||
for _val in $restrict_local_net_to_net ; do
|
||||
restrict_local_net_to_net_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Generally block ports
|
||||
# ---
|
||||
|