diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 69c1a4e..5547713 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -907,6 +907,75 @@ $ip6t -A OUTPUT -o lo -j ACCEPT echo_done +echo + +# ------------- +# ---- Restrict local Servive to given (extern) IP-Address/Network +# ------------- + +echononl "\tRestrict local Servive to given (extern) IP-Address/Network" +if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then + + _deny_service_arr=() + + for _val in "${restrict_local_service_to_net_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j ACCEPT + + if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}" "${_deny_service_arr[@]}" ; then + _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}") + fi + done + + done + + for _val in "${_deny_service_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# ---- Restrict local Network to given extern IP-Address/Network +# ------------- + +echononl "\tRestrict local Address/Network to given extern Address/Network" +if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then + + _deny_net_arr=() + + for _val in "${restrict_local_net_to_net_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT + + if ! containsElement "${_dev},${_val_arr[1]}" "${_deny_net_arr[@]}" ; then + _deny_net_arr+=("${_dev},${_val_arr[1]}") + fi + done + + done + + for _val in "${_deny_net_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP + done + + echo_done +else + echo_skipped +fi + +echo + + # --- # - Already established connections # --- 
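Review bot: Both new blocks feed `IFS=',' read -a _val_arr` straight into the ip6tables arguments without checking the field count, so a malformed `restrict_local_service_to_net_arr` entry leaves `${_val_arr[3]}` or `${_val_arr[2]}` empty and the rule either fails to load or, with shifted fields, loads as something other than intended; nothing in the hunk checks the `$ip6t` exit status, so a failed DROP leaves the service open while a failed ACCEPT locks the permitted source out. A guard before the inner loop, `[[ ${#_val_arr[@]} -eq 4 ]] || { echo "bad restrict entry: ${_val}" >&2; continue; }`, together with `read -r -a` and quoting the array expansions (`"${ext_if_arr[@]}"`, `"${_val_arr[3]}"`), makes the entry format explicit and fails visibly; the ipt hunk at 1075 has the same pattern. Separately, the network block's `-d ${_val_arr[1]} -j DROP` carries no `-p`, so if the restricted destination is one of this host's own addresses and ICMPv6 is not already accepted earlier in INPUT, Neighbor Solicitations to that address are dropped too and the permitted sources lose reachability as well — worth confirming against the rules above this hunk now that the block sits ahead of the ESTABLISHED,RELATED accept.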
@@ -953,73 +1022,6 @@ for _vpn_if in ${vpn_if_arr[@]} ; do
 done
 echo_done
 
-echo
-
-
-# -------------
-# ---- Restrict local Servive to given (extern) IP-Address/Network
-# -------------
-
-echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
-if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
-
- _deny_service_arr=()
-
- for _val in "${restrict_local_service_to_net_arr[@]}" ; do
- IFS=',' read -a _val_arr <<< "${_val}"
-
- for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m state --state NEW -j ACCEPT
-
- if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
- _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}")
- fi
- done
-
- done
-
- for _val in "${_deny_service_arr[@]}" ; do
- IFS=',' read -a _val_arr <<< "${_val}"
- $ip6t -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# -------------
-# ---- Restrict local Network to given extern IP-Address/Network
-# -------------
-
-echononl "\tRestrict local Address/Network to given extern Address/Network"
-if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
-
- _deny_net_arr=()
-
- for _val in "${restrict_local_net_to_net_arr[@]}" ; do
- IFS=',' read -a _val_arr <<< "${_val}"
- for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m state --state NEW -j ACCEPT
-
- if ! containsElement "${_dev},${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
- _deny_net_arr+=("${_dev},${_val_arr[1]}")
- fi
- done
-
- done
-
- for _val in "${_deny_net_arr[@]}" ; do
- IFS=',' read -a _val_arr <<< "${_val}"
- $ip6t -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
- done
-
- echo_done
-else
- echo_skipped
-fi
-
 
 # -------------
 # --- Services
diff --git a/ipt-firewall-server b/ipt-firewall-server index 28ac1bf..4e6f402 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -1060,61 +1060,8 @@ $ipt -A OUTPUT -o lo -j ACCEPT echo_done -# --- -# - Already established connections -# --- - -echononl "\tAccept already established connections.." - -$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -if $kernel_activate_forwarding ; then - $ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT -fi - -echo_done - - -# ------------- -# --- Allow all outgoing traffic -# ------------- -echononl "\tAllow all outgoing traffic.." -if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then - for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT - fi - done - echo_done -else - echo_skipped -fi - -# - unprotected_ifs -# - -# - Posiible values are 'true' and 'false' -# - -allow_all_outgoing_traffic=false - - -# --- -# - Permit all traffic through VPN lines -# --- -echononl "\tPermit all traffic through VPN lines.." -for _vpn_if in ${vpn_if_arr[@]} ; do - $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT - $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT - fi -done -echo_done - echo - # ------------- # ---- Restrict local Servive to given (extern) IP-Address/Network # ------------- 
@@ -1128,7 +1075,7 @@ if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
 IFS=':' read -a _val_arr <<< "${_val}"
 
 for _dev in ${ext_if_arr[@]} ; do
- $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m state --state NEW -j ACCEPT
+ $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j ACCEPT
 
 if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
 _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}")
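Review bot: Dropping `-m state --state NEW` from this ACCEPT is what the new rule order requires — the block now runs ahead of the ESTABLISHED,RELATED accept that the following hunk moves below it, so a NEW-only ACCEPT would let the per-service DROP loop further down catch the reply and follow-up packets of the permitted source's own connections — but nothing in the file records that dependency. A comment above the rule, `# no --state NEW here: this block precedes the ESTABLISHED,RELATED accept, so the DROP loop below must never see the allowed source's later packets`, would stop the next maintainer from re-adding it. The enclosing `if` and `for` bodies start and end outside this hunk.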
@@ -1181,6 +1128,61 @@ else
 echo_skipped
 fi
 
+echo
+
+
+# ---
+# - Already established connections
+# ---
+
+echononl "\tAccept already established connections.."
+
+$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
+$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
+if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
+fi
+
+echo_done
+
+
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+echononl "\tAllow all outgoing traffic.."
+if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+# - unprotected_ifs
+# -
+# - Posiible values are 'true' and 'false'
+# -
+allow_all_outgoing_traffic=false
+
+
+# ---
+# - Permit all traffic through VPN lines
+# ---
+echononl "\tPermit all traffic through VPN lines.."
+for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
+ fi
+done
+echo_done
+
 
 # -------------
 # --- Services
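Review bot: `allow_all_outgoing_traffic=false`, under the `# - unprotected_ifs` comment, is assigned after the `if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic` test that is its only visible consumer, so in the moved block it is a dead assignment that reads like a configuration default but has no effect on the rules just loaded, and the comment above it names a different variable. If a default is intended it belongs ahead of the test, e.g. `: "${allow_all_outgoing_traffic:=false}"` in place of the `-n` check; otherwise the five lines should go rather than travel with the block. The `${ext_if_arr[@]}` and `${vpn_if_arr[@]}` loop headers are also unquoted; `"${ext_if_arr[@]}"` and `"${vpn_if_arr[@]}"` are behaviour-preserving for interface names and keep ShellCheck quiet.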