Support local service from given extern network

2019-09-04 01:11:31 +02:00 · 2019-09-04 01:11:31 +02:00 · e292be4141
commit e292be4141
parent 051e7da995
5 changed files with 85 additions and 1 deletions
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@ -183,6 +183,24 @@ allow_ext_net=""
 allow_local_service=""


+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+# - allow_local_service_from_networks
+# -
+# - allow_local_service_from_networks="<ext-net:local-port:protocol> [<ext-net:local-port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service from given (extern) network
+# -
+# - Example:
+# -    allow_local_service="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service_from_networks=""
+
+
 # -------------
 # --- Services local Network
 # -------------
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@ -196,6 +196,24 @@ allow_ext_net=""
 allow_local_service=""


+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+# - allow_local_service_from_networks
+# -
+# - allow_local_service_from_networks="<ext-net,local-port,protocol> [<ext-net,local-port>,<protocol> [.."
+# -
+# - Allow all traffic to given local service from given (extern) network
+# -
+# - Example:
+# -    allow_local_service="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service_from_networks=""
+
+
 # -------------
 # --- Services local Network
 # -------------
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@ -101,6 +101,14 @@ for _val in $allow_local_service ; do
   allow_local_service_arr+=("$_val")
 done

+# ---
+# - Allow (non-standard) local Services from specified network
+# ---
+declare -a allow_local_service_from_network_arr
+for _service in $allow_local_service_from_networks ; do
+   allow_local_service_from_network_arr+=("$_service")
+done
+
 # ---
 # - Generally block ports
 # ---
--- a/21
+++ b/21
@ -938,7 +938,7 @@ echononl "\t\tAllow (non-standard) local Services"
 if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
   for _dev in "${ext_if_arr[@]}" ; do
      for _val in "${allow_local_service_arr[@]}" ; do
-         IFS=':' read -a _val_arr <<< "${_val}"
+         IFS=',' read -a _val_arr <<< "${_val}"
         $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT
      done
   done
@ -947,6 +947,25 @@ else
   echo_skipped
 fi

+
+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+echononl "\t\tAllow local Services from given (extern) network"
+
+if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _val in "${allow_local_service_from_network_arr[@]}" ; do
+         IFS=',' read -a _val_arr <<< "${_val}"
+         $ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
 echo


--- a/21
+++ b/21
@ -1191,6 +1191,27 @@ else
   echo_skipped
 fi

+
+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+echononl "\t\tAllow local Services from given (extern) network"
+
+if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _val in "${allow_local_service_from_network_arr[@]}" ; do
+         IFS=':' read -a _val_arr <<< "${_val}"
+         $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+echo
+
 echo