From a3d0c9161a86bd3600c625c29e47f3615287f632 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 15 Jul 2017 14:10:06 +0200
Subject: [PATCH] Add options 'restrict_local_service_to_net' and 'restrict_local_net_to_net'
---
 ip6t-firewall-server | 49 ++++++++++++++++++++++-
 ip6t-firewall-server.conf.sample | 68 ++++++++++++++++++++++++++++++++
 ipt-firewall-server | 49 ++++++++++++++++++++++-
 ipt-firewall-server.conf.sample | 68 ++++++++++++++++++++++++++++++++
 4 files changed, 232 insertions(+), 2 deletions(-)
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 64c7387..cc4c5e7 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -513,8 +513,8 @@ echo_done
 # - VPN
 # ---
+echononl "\tPermit all traffic through VPN lines.."
 if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
- echononl "\tPermit all traffic through VPN lines.."
 if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${vpn_server_ip_arr[@]} ; do
 for _port in ${vpn_port_arr[@]} ; do
@@ -543,6 +543,53 @@ else
 echo_skipped
 fi
+echo
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
+if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+
+ for _val in "${restrict_local_service_to_net_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+
+ for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Address/Network to given extern Address/Network"
+if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ for _val in "${restrict_local_net_to_net_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
+ done
+
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
 # -------------
 # --- Services
diff --git a/ip6t-firewall-server.conf.sample b/ip6t-firewall-server.conf.sample
index 7cd3735..a225f38 100644
--- a/ip6t-firewall-server.conf.sample
+++ b/ip6t-firewall-server.conf.sample
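Review bot: In the `restrict_local_service_to_net` loop each entry appends its ACCEPT and then, right behind it, a DROP for the same `-d`/`--dport`, so a second entry admitting another source network to the same local service lands after the first entry's DROP and can never match — only the first network gets through, although the conf sample describes the option as admitting "some extern netwoks"; the `restrict_local_net_to_net` loop has the same shape and the same dead second entry. That service DROP also lacks `-i $_dev` (the net-to-net DROP right below has it), so it is appended once per external interface and, unless an earlier INPUT rule already accepted the traffic, drops the service on internal interfaces as well, which contradicts the conf note that natted interfaces are left alone. Appending all ACCEPTs first and the DROPs afterwards keeps every listed network reachable; the service section is shown below and the net-to-net section needs the same two-pass split. Whether the DROP should stay interface-bound or be global is a design decision to confirm — the fence binds it to `$_dev` like the net-to-net rule does, and a service named by several entries simply gets a harmless duplicate DROP.
```shell
# … unchanged: echononl and the "-gt 0" check …
    # Pass 1: every ACCEPT first, so several source nets can share one local service
    # without an earlier entry's DROP shadowing the later ones.
    for _val in "${restrict_local_service_to_net_arr[@]}" ; do
        IFS=',' read -a _val_arr <<< "${_val}"
        for _dev in ${ext_if_arr[@]} ; do
            $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
        done
    done
    # Pass 2: the DROPs, bound to the same external interfaces as the ACCEPTs so that
    # traffic arriving on other interfaces is left to the following rules.
    for _val in "${restrict_local_service_to_net_arr[@]}" ; do
        IFS=',' read -a _val_arr <<< "${_val}"
        for _dev in ${ext_if_arr[@]} ; do
            $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
        done
    done
# … unchanged: echo_done / else / echo_skipped / fi …
```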
@@ -179,6 +179,58 @@ local_2_ip=""
 local_2_ip=""
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# -
+# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# - - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local
+# - services.
+# -
+# - Example:
+# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
+# - allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
+# -
+# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
+# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# - restrict_local_net_to_net=", [,] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# - - Traffic recieved on natted interfaces will be ommitted!
+# - - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# - allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
+# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
+# -
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
+
 # -------------
 # --- Services local Network
 # -------------
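Review bot: The `restrict_local_net_to_net` example sets `allow_ext_net_to_local_net=`, which is not the option this hunk adds — whoever copies the example assigns a variable that nothing in this patch reads (the parsing loop later in this file only consumes `$restrict_local_net_to_net`), so the intended restriction is silently never installed; the example should start with `restrict_local_net_to_net="...`. The syntax line `restrict_local_net_to_net=", [,] [..]"` has lost its field names, apparently angle-bracket placeholders stripped on rendering; spell them out like the service option does, e.g. `# - restrict_local_net_to_net="ext-net,local-address [ext-net,local-address] [..]"`. The service example names `2a01:30:1fff:fd00::` in the prose but `2a01:30:1fff:fd00::/64` in the value, and `ext-netr` is a typo for `ext-net`. Since the script only appends these rules to the INPUT chain, it would help to say in both notes that "local address/network" means addresses this host itself holds, not a network it forwards for.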
@@ -422,6 +474,22 @@ for _dev in $unprotected_ifs ; do
 unprotected_if_arr+=("$_dev")
 done
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+ restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+ restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
 # - Generally block ports
 # ---
diff --git a/ipt-firewall-server b/ipt-firewall-server
index acf72e6..eea8666 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -703,8 +703,8 @@ echo_done
 # - VPN
 # ---
+echononl "\tPermit all traffic through VPN lines.."
 if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
- echononl "\tPermit all traffic through VPN lines.."
 if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${vpn_server_ip_arr[@]} ; do
 for _port in ${vpn_port_arr[@]} ; do
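Review bot: The loop that fills `restrict_local_service_to_net_arr` stores every blank-separated word unchecked, so an entry with fewer than four comma-separated fields, or a protocol other than the `tcp`/`udp` the sample text permits, only surfaces later when `$ip6t` is invoked with an empty `-p` or `--dport` argument — that entry's restriction is then missing while the rest of the script presumably carries on (I cannot see from here whether `$ip6t` exit codes are checked). Validating field count and protocol while the array is built lets the run stop before any rule is loaded, which is the safer failure mode for an allow-list. `exit 1` stands in for whatever fatal helper the script already has, if any; the same check with `:` as separator belongs in ipt-firewall-server.conf.sample.
```shell
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
    # Refuse malformed entries before any rule is loaded: an entry dropped at
    # rule time would leave that service unrestricted.
    IFS=',' read -a _fields <<< "${_val}"
    if [[ ${#_fields[@]} -ne 4 ]] || [[ "${_fields[3]}" != "tcp" && "${_fields[3]}" != "udp" ]] ; then
        echo "restrict_local_service_to_net: malformed entry '${_val}' (need ext-net,local-address,port,tcp|udp)" >&2
        exit 1
    fi
    restrict_local_service_to_net_arr+=("$_val")
done
# … unchanged: restrict_local_net_to_net_arr loop …
```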
@@ -733,6 +733,53 @@ else
 echo_skipped
 fi
+echo
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
+if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+
+ for _val in "${restrict_local_service_to_net_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Address/Network to given extern Address/Network"
+if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ for _val in "${restrict_local_net_to_net_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
+ done
+
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
 # -------------
 # --- Services
diff --git a/ipt-firewall-server.conf.sample b/ipt-firewall-server.conf.sample
index 4899eea..9bac5b8 100644
--- a/ipt-firewall-server.conf.sample
+++ b/ipt-firewall-server.conf.sample
@@ -182,6 +182,58 @@ local_2_ip=""
 broadcast_ips=""
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# -
+# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# - - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local
+# - services.
+# -
+# - Example:
+# - allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
+# - allow access from 86.73.85.0/24 to https service at 83.223.86.98
+# -
+# - restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp
+# - 86.73.85.0/24:83.223.86.98:443:tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# - restrict_local_net_to_net=": [:] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# - - Traffic recieved on natted interfaces will be ommitted!
+# - - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# - 83.223.86.96/32:86.223.73.0/24"
+# -
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
+
 # -------------
 # --- Services local Network
 # -------------
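Review bot: As in the IPv6 sample, the `restrict_local_net_to_net` example assigns `allow_ext_net_to_local_net=` instead of the option name it documents, so a copied example configures nothing and no restriction is applied — it should read `restrict_local_net_to_net="86.223.85.0/24:86.223.73.192/26 ...`. The syntax line `restrict_local_net_to_net=": [:] [..]"` is missing its field names (probably angle-bracket placeholders stripped on rendering) and should name them the way the service option's line does, e.g. `# - restrict_local_net_to_net="ext-net:local-address [ext-net:local-address] [..]"`. The two example destinations are a /26 and a /24, which reads as "a network behind this host", but the rules are appended to INPUT only, so they match solely traffic addressed to this host — worth one sentence in the note so nobody expects forwarded traffic to be restricted.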
@@ -506,6 +558,22 @@ for _dev in $unprotected_ifs ; do
 unprotected_if_arr+=("$_dev")
 done
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+ restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+ restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
 # - Generally block ports
 # ---
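Review bot: Same gap as in the IPv6 sample: the entries are copied into `restrict_local_service_to_net_arr` without any check, so a word with fewer than four `:`-separated fields, or a protocol outside the documented `tcp`/`udp`, is only discovered when `$ipt` is run with an empty `-p`/`--dport` and that entry's restriction is skipped — fail-open for an allow-list. Checking the field count and protocol here, before any rule is loaded, turns that into a hard stop; `exit 1` is a placeholder for the script's own fatal path if it has one (not visible here).
```shell
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
    # Reject malformed entries up front so a typo cannot leave a service open.
    IFS=':' read -a _fields <<< "${_val}"
    if [[ ${#_fields[@]} -ne 4 ]] || [[ "${_fields[3]}" != "tcp" && "${_fields[3]}" != "udp" ]] ; then
        echo "restrict_local_service_to_net: malformed entry '${_val}' (need ext-net:local-address:port:tcp|udp)" >&2
        exit 1
    fi
    restrict_local_service_to_net_arr+=("$_val")
done
# … unchanged: restrict_local_net_to_net_arr loop …
```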