From b071e7b606f91278b825218dd6ba86499107cb89 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 16 Jul 2017 00:50:00 +0200
Subject: [PATCH] Fix Error for handling 'restrict_local_service_to_net' and 'restrict_local_net_to_net'
---
 ip6t-firewall-server | 24 ++++++++++++++++++++++--
 ipt-firewall-server | 29 +++++++++++++++++++++++++++--
 2 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index cc4c5e7..f377888 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -553,16 +553,26 @@ echo
 echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
 if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+ _deny_service_arr=()
+
 for _val in "${restrict_local_service_to_net_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
 $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+
+ if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}")
+ fi
 done
 done
+ for _val in "${_deny_service_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped
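Review bot: The DROP rule emitted by the new `for _val in "${_deny_service_arr[@]}"` loop is bound to an interface (`-i ${_val_arr[0]}`), whereas the removed rule matched only `-p`/`-d`/`--dport` and so applied on every interface; after this change the service remains reachable on that destination/port from any interface not listed in `ext_if_arr`, which the commit message (a rule-ordering fix) does not mention. If restricting only the external path is the intent, state it above the loop, e.g. `# DROP is appended per external interface only; traffic arriving on other interfaces is left to the later chain policy`; otherwise drop the `-i` match and build the dedup key without `${_dev}`. The same narrowing appears in the ipt-firewall-server hunk at @@ -743. The `if` block's closing `fi` lies outside the hunk.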
@@ -575,16 +585,26 @@ fi
 echononl "\tRestrict local Address/Network to given extern Address/Network"
 if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_net_arr=()
 for _val in "${restrict_local_net_to_net_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
 $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
- $ip6t -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
+
+ if ! containsElement "${_dev},${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev},${_val_arr[1]}")
+ fi
 done
 done
+ for _val in "${_deny_net_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped
diff --git a/ipt-firewall-server b/ipt-firewall-server
index eea8666..96890be 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
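Review bot: The new DROP loop never checks the exit status of `$ip6t`, so when appending a DROP fails the ACCEPT rules already added for that destination stay in force and `echo_done` is still printed — the restriction fails open. Such a failure is easy to trigger because `${_val_arr[0]}` and `${_val_arr[1]}` are unquoted: an entry with an empty field makes the argument vanish and `-d` swallows `-j`. Quote the expansions and record the failure, e.g. `$ip6t -A INPUT -i "${_val_arr[0]}" -d "${_val_arr[1]}" -j DROP || _deny_failed=1`, and report the failure instead of `echo_done` when `_deny_failed` is set (the script's failure reporter is not visible in this hunk). The same applies to the DROP loops in the other three hunks. The `if` block's closing `fi` lies outside the hunk.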
@@ -743,16 +743,30 @@ echo
 echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
 if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+ _deny_service_arr=()
+ echo ""
+
 for _val in "${restrict_local_service_to_net_arr[@]}" ; do
 IFS=':' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
+ echo "$ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT"
 $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A INPUT -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+
+ if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}")
+ fi
+
 done
 done
+ for _val in "${_deny_service_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ echo "$ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP"
+ $ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped
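Review bot: The added `echo ""` and the two `echo "$ipt -A INPUT …"` lines print every generated rule to stdout, which the ip6t-firewall-server counterpart at @@ -553 does not do and which interleaves rule text into the `echononl … echo_done` status line. They read as debugging output left in; remove them, or gate them on a verbosity flag if the script has one (none is visible in the hunk). Separately, the IPv4 entries are split on `:` where the IPv6 script splits on `,` — presumably because IPv6 addresses contain colons — and a one-line comment above `IFS=':' read -a _val_arr` saying so would spare the next reader the comparison. The `if` block's closing `fi` lies outside the hunk.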
@@ -765,16 +779,27 @@ fi
 echononl "\tRestrict local Address/Network to given extern Address/Network"
 if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_net_arr=()
 for _val in "${restrict_local_net_to_net_arr[@]}" ; do
 IFS=':' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
 $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A INPUT -i $_dev -d ${_val_arr[1]} -j DROP
+
+ if ! containsElement "${_dev}:${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev}:${_val_arr[1]}")
+ fi
+
 done
 done
+ for _val in "${_deny_net_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+ done
+
 echo_done
 else
 echo_skipped
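Review bot: The deferred DROP loop carries no comment explaining why the DROPs are no longer appended inside the inner loop, and the same is true of the other three hunks; the next reader sees ACCEPT and DROP for the same interface/destination split across two loops with nothing tying them together. Suggested comment above `for _val in "${_deny_net_arr[@]}"`: `# Append the DROP rules only after every ACCEPT of this section has been added; a DROP appended right after its own ACCEPT would shadow the ACCEPTs of later entries that share the same interface and destination.` Separately, `containsElement … "${_deny_net_arr[@]}"` is first evaluated while the array is still empty; if the script runs under `set -u` on bash older than 4.4 that expansion aborts with an unbound-variable error — neither `set -u` nor `containsElement` is visible here, so worth confirming. The `if` block's closing `fi` lies outside the hunk.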