diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index cc4c5e7..f377888 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -553,16 +553,26 @@ echo
 echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
 if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+ _deny_service_arr=()
+
 for _val in "${restrict_local_service_to_net_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
 $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+
+ if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}")
+ fi
 done
 done
+ for _val in "${_deny_service_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped
@@ -575,16 +585,26 @@ fi
 echononl "\tRestrict local Address/Network to given extern Address/Network"
 if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_net_arr=()
 for _val in "${restrict_local_net_to_net_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
 $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
+
+ if ! containsElement "${_dev},${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev},${_val_arr[1]}")
+ fi
 done
 done
+ for _val in "${_deny_net_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped
diff --git a/ipt-firewall-server b/ipt-firewall-server
index eea8666..96890be 100755
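Review bot: The DROP emitted by the new second loop carries `-i ${_val_arr[0]}`, whereas the removed line dropped matches on `-d`/`--dport` on every interface, so a packet for that service arriving on an interface not listed in ext_if_arr is no longer dropped by this block; the same change is in the ipt-firewall-server hunk at @@ -743,16 +743,30 @@. That may be intended, since the section targets extern interfaces and the ACCEPT is already interface-scoped, but it is a behavioural change the commit does not mention and deserves a comment above the second loop such as `# DROP is scoped to the external interfaces; traffic on other interfaces is not covered by this block`. The reason for deferring the DROPs to a second pass is also undocumented; `# emit DROPs only after all ACCEPTs so an earlier entry's DROP cannot shadow a later entry's ACCEPT for the same service` captures it. Note too that `"${_deny_service_arr[@]}"` is expanded while the array is still empty on the first iteration, which is an unbound-variable error under `set -u` on bash older than 4.4 (whether `set -u` is in effect is not visible here); `${_deny_service_arr[@]+"${_deny_service_arr[@]}"}` is the portable form, and the same construct appears in the other three hunks of this diff. The `fi` closing this block lies past the end of the hunk.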
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -743,16 +743,30 @@ echo
 echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
 if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+ _deny_service_arr=()
+ echo ""
+
 for _val in "${restrict_local_service_to_net_arr[@]}" ; do
 IFS=':' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
+ echo "$ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT"
 $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+
+ if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}")
+ fi
+
 done
 done
+ for _val in "${_deny_service_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ echo "$ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP"
+ $ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped
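Review bot: The added `echo ""` after `then` and the two `echo "$ipt -A INPUT …"` lines print every generated rule to stdout, which the ip6t-firewall-server counterpart and the net-to-net hunk below (@@ -765,16 +779,27 @@) do not do, and they break the single-line `echononl … echo_done` status that the surrounding code produces; this reads as debugging output left in. Either drop the three echo lines or, if rule tracing is wanted, gate them on whatever verbosity setting the script already has and apply the same treatment to the ip6t script so both firewalls behave alike. The `fi` closing this block lies past the end of the hunk.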
@@ -765,16 +779,27 @@ fi
 echononl "\tRestrict local Address/Network to given extern Address/Network"
 if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_net_arr=()
 for _val in "${restrict_local_net_to_net_arr[@]}" ; do
 IFS=':' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
 $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
+
+ if ! containsElement "${_dev}:${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev}:${_val_arr[1]}")
+ fi
+
 done
 done
+ for _val in "${_deny_net_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped