diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 5479c0c..a48710c 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -183,6 +183,24 @@ allow_ext_net=""
 allow_local_service=""
+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+# - allow_local_service_from_networks
+# -
+# - allow_local_service_from_networks=" [: [.."
+# -
+# - Allow all traffic to given local service from given (extern) network
+# -
+# - Example:
+# - allow_local_service="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service_from_networks=""
+
+
 # -------------
 # --- Services local Network
 # -------------
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 768feb4..a5ae101 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -196,6 +196,24 @@ allow_ext_net=""
 allow_local_service=""
+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+# - allow_local_service_from_networks
+# -
+# - allow_local_service_from_networks=" [, [.."
+# -
+# - Allow all traffic to given local service from given (extern) network
+# -
+# - Example:
+# - allow_local_service="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service_from_networks=""
+
+
 # -------------
 # --- Services local Network
 # -------------
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index 2ebc4bc..49954c1 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
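Review bot: The example in the new `allow_local_service_from_networks` block of main_ipv4.conf.sample sets the wrong key — it reads `allow_local_service="192.68.11.64/27:8443:tcp ..."`, so anyone copying it configures the old port-only option (whose parser expects `port:proto`) instead of the new one; it should read `allow_local_service_from_networks="192.0.2.64/27:8443:tcp 192.0.2.64/27:8080:tcp"`. The format line `allow_local_service_from_networks=" [: [.."` has lost its placeholders (presumably `<network>:<port>:<protocol>`, which is the field order ipt-firewall-server indexes as `_val_arr[0]`, `[1]`, `[2]`); spell them out, since this line is the only statement of the field order. `192.68.11.64/27` also appears to be a routable prefix rather than a private or documentation one, so an RFC 5737 address such as `192.0.2.0/24` would be a safer sample value. The main_ipv6.conf.sample hunk has the same wrong key and the same lost placeholders.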
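Review bot: The IPv6 sample uses `,` as field separator where the IPv4 sample uses `:`, and nothing in the new block says why; a reader comparing the two files will take it for a typo. Add the reason next to the format line, e.g. `# - (comma separated, because IPv6 addresses themselves contain ':')`. The example prefix `2001:678:a40:3000::/64` looks like a real global allocation rather than the RFC 3849 documentation prefix; `2001:db8::/64` avoids publishing a live network in a sample that users copy verbatim. The wrong key name in the example is already raised on the IPv4 hunk.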
@@ -101,6 +101,14 @@ for _val in $allow_local_service ; do
 allow_local_service_arr+=("$_val")
 done
+# ---
+# - Allow (non-standard) local Services from specified network
+# ---
+declare -a allow_local_service_from_network_arr
+for _service in $allow_local_service_from_networks ; do
+ allow_local_service_from_network_arr+=("$_service")
+done
+
 # ---
 # - Generally block ports
 # ---
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 9461923..7505068 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -938,7 +938,7 @@ echononl "\t\tAllow (non-standard) local Services"
 if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
 for _dev in "${ext_if_arr[@]}" ; do
 for _val in "${allow_local_service_arr[@]}" ; do
- IFS=':' read -a _val_arr <<< "${_val}"
+ IFS=',' read -a _val_arr <<< "${_val}"
 $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT
 done
 done
@@ -947,6 +947,25 @@ else
 echo_skipped
 fi
+
+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+echononl "\t\tAllow local Services from given (extern) network"
+
+if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
+ for _dev in "${ext_if_arr[@]}" ; do
+ for _val in "${allow_local_service_from_network_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
 echo
diff --git a/ipt-firewall-server b/ipt-firewall-server
index eaed5bd..e75b345 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
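Review bot: The new `for _service in $allow_local_service_from_networks` loop in post_decalrations.conf relies on the unquoted expansion being word-split on blanks, which is what a blank-separated list needs, but it reads like a quoting oversight and also exposes each token to pathname expansion; say so in place, e.g. `# unquoted on purpose: blank-separated list, one array element per entry`. The sibling loop directly above uses `_val` as its loop variable while this one uses `_service`, and the array is the singular `allow_local_service_from_network_arr` for a plural config key; mirroring the existing loop would keep the declarations file uniform. Both firewall scripts already index the array under that singular name, so any rename has to touch them as well.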
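Review bot: Switching the separator of the pre-existing `allow_local_service` option from `:` to `,` in ip6t-firewall-server (the -938 hunk) breaks every IPv6 configuration that still uses the `port:proto` form: with `IFS=','` such an entry lands whole in `_val_arr[0]`, `_val_arr[1]` is empty, and the ip6tables call gets `-p` with no protocol, so the rule is never installed. Since the values of this option contain no address, both forms can be accepted with `IFS=',:' read -r -a _val_arr <<< "${_val}"` (the `-r` also stops backslashes in the entry from being interpreted). The description of `allow_local_service` in conf/main_ipv6.conf.sample sits just above this diff's hunk in that file and is not touched here; if it still documents `port:proto`, the sample and the parser now disagree, which is worth checking along with a changelog entry for the format change.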
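Review bot: The new loop in the -947 hunk passes the three fields straight to ip6tables without checking that an entry actually has three fields: a malformed entry such as `2001:db8::/32,8443` (constructed example) leaves `_val_arr[2]` empty, the command line degenerates to `-p -s 2001:db8::/32 --dport 8443`, ip6tables rejects it, and the section still ends with `echo_done` because nothing visible here looks at the exit status. Validate before building the rule: `IFS=',' read -r -a _val_arr <<< "${_val}"` followed by `[[ ${#_val_arr[@]} -eq 3 ]] || { echo "malformed allow_local_service_from_networks entry: ${_val}" >&2 ; continue ; }`. A bad entry is then reported and skipped instead of silently dropping a rule the operator believes is in place; the other two entries of the same line keep being installed. The ipt-firewall-server hunk has the same gap and takes the same two lines (with `IFS=':'`).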
@@ -1191,6 +1191,27 @@ else
 echo_skipped
 fi
+
+# -------------
+# ---- Allow local Services from given (extern) network
+# -------------
+
+echononl "\t\tAllow local Services from given (extern) network"
+
+if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
+ for _dev in "${ext_if_arr[@]}" ; do
+ for _val in "${allow_local_service_from_network_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+echo
+
 echo
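Review bot: This hunk adds its own `echo` right before the pre-existing `echo` at the end of the section, so ipt-firewall-server now prints two blank lines here while the matching section added to ip6t-firewall-server in the same commit prints one; drop the added `+echo` and the blank line after it to keep the two scripts' output in step. The missing field-count check raised on the ip6t-firewall-server hunk applies to this loop unchanged, with `IFS=':'` in place of `IFS=','`, and `read` should take `-r` here too.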