firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add some comments for DNS rules.

Browse Source
This commit is contained in:
Christoph 2017-06-02 11:34:43 +02:00
parent 60dd071fc9
commit b5f8bc672b
3 changed files with 28 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
.*.swp
ip6t-firewall-server.conf ip6t-firewall-server.conf
ipt-firewall-server.conf ipt-firewall-server.conf
BAK/* BAK/*

15
ip6t-firewall-server
View File

@ -608,18 +608,29 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do for _ip in ${dns_server_ips[@]} ; do
# dns requests # dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done done
fi fi

17
ipt-firewall-server
View File

@ -797,19 +797,30 @@ echononl "\t\tDNS Service"
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do for _ip in ${dns_server_ips[@]} ; do
# dns requests # dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done done
fi fi