Add rules for extern services, extern networks and local (non-standard) services.

2019-02-25 15:24:51 +01:00 · 2019-02-25 15:24:51 +01:00 · e7fd6ee87a
commit e7fd6ee87a
parent 7219691f1e
4 changed files with 286 additions and 2 deletions
--- a/60
+++ b/60
@ -756,6 +756,66 @@ echo
 echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"


+# -------------
+# ---- Allow extern Service 
+# -------------
+
+echononl "\t\tAllow extern Service"
+
+if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _val in "${allow_ext_service_arr[@]}" ; do
+         IFS=',' read -a _val_arr <<< "${_val}"
+         $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+echononl "\t\tAllow extern IP-Address/Network"
+
+if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _net in "${allow_ext_net_arr[@]}" ; do
+         $ip6t -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+echo
+
+
+# -------------
+# ---- Allow (non-standard) local Services 
+# -------------
+
+echononl "\t\tAllow (non-standard) local Services"
+
+if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _val in "${allow_local_service_arr[@]}" ; do
+         IFS=':' read -a _val_arr <<< "${_val}"
+         $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+echo
+
+
 # ---
 # - DHCP
 # ---
--- a/ip6t-firewall-server.conf.sample
+++ b/ip6t-firewall-server.conf.sample
@ -236,6 +236,64 @@ restrict_local_service_to_net=""
 restrict_local_net_to_net=""


+# -------------
+# ---- Allow extern Service 
+# -------------
+
+# - allow_ext_service
+# -
+# - allow_ext_service="<ext-ip>,<ext_port>,<protocol> [<ext-ip>,<ext_port>,<protocol> [ ..
+# -
+# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
+# - are allowed
+# -
+# - Example:
+# -    allow_ext_service="
+# -       2a01:4f8:221:3b4e::247,8443,tcp 
+# -       2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp
+# -    "
+# -
+# - Blank separated list
+# -
+allow_ext_service=""
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+# - allow_ext_net
+# -
+# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
+# -
+# - Allow all traffic to the given extern network/ip-address.
+# -
+# - Example:
+# -    allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c"
+# -
+# - Blank separated list
+# -
+allow_ext_net=""
+
+
+# -------------
+# ---- Allow (non-standard) local Services 
+# -------------
+
+# - allow_local_service
+# -
+# - allow_local_service="<port>:<protocol> [<port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service
+# -
+# - Example:
+# -    allow_local_service="8443:tcp 8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service=""
+
+
 # -------------
 # --- Services local Network
 # -------------
@ -495,6 +553,30 @@ for _val in $restrict_local_net_to_net ; do
   restrict_local_net_to_net_arr+=("$_val")
 done

+# ---
+# - Allow extern Service 
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+   allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+   allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services 
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+   allow_local_service_arr+=("$_val")
+done
+
 # ---
 # - Generally block ports
 # ---
--- a/62
+++ b/62
@ -967,7 +967,7 @@ echo
 # ---- Restrict local Servive to given (extern) IP-Address/Network
 # -------------

-echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
+echononl "\tRestrict local Service to given (extern) IP-Address/Network"
 if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then

   _deny_service_arr=()
@ -1038,6 +1038,66 @@ echo
 echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"


+# -------------
+# ---- Allow extern Service 
+# -------------
+
+echononl "\t\tAllow extern Service"
+
+if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _val in "${allow_ext_service_arr[@]}" ; do
+         IFS=':' read -a _val_arr <<< "${_val}"
+         $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+echononl "\t\tAllow extern IP-Address/Network"
+
+if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _net in "${allow_ext_net_arr[@]}" ; do
+         $ipt -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+echo
+
+
+# -------------
+# ---- Allow (non-standard) local Services 
+# -------------
+
+echononl "\t\tAllow (non-standard) local Services"
+
+if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
+   for _dev in "${ext_if_arr[@]}" ; do
+      for _val in "${allow_local_service_arr[@]}" ; do
+         IFS=':' read -a _val_arr <<< "${_val}"
+         $ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT
+      done
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+echo
+
+
 # ---
 # - DHCP
 # ---
--- a/ipt-firewall-server.conf.sample
+++ b/ipt-firewall-server.conf.sample
@ -35,7 +35,7 @@ log_blocked=false
 log_unprotected=false
 log_prohibited=false
 log_voip=false
-log_rejected=true
+log_rejected=false

 log_ssh=false

@ -239,6 +239,64 @@ restrict_local_service_to_net=""
 restrict_local_net_to_net=""


+# -------------
+# ---- Allow extern Service 
+# -------------
+
+# - allow_ext_service
+# -
+# - allow_ext_service="<ext-ip>:<ext_port>:<protocol> [<ext-ip>:<ext_port>:<protocol> [ ..
+# -
+# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
+# - are allowed
+# -
+# - Example:
+# -    allow_ext_service="
+# -       80.152.216.128:9998:tcp 
+# -       80.152.216.128:8443:tcp
+# -    "
+# -
+# - Blank separated list
+# -
+allow_ext_service=""
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+# - allow_ext_net
+# -
+# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
+# -
+# - Allow all traffic to the given extern network/ip-address.
+# -
+# - Example:
+# -    allow_ext_net="80.152.216.128 84.140.157.102"
+# -
+# - Blank separated list
+# -
+allow_ext_net=""
+
+
+# -------------
+# ---- Allow (non-standard) local Services 
+# -------------
+
+# - allow_local_service
+# -
+# - allow_local_service="<port:protocol> [<port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service
+# -
+# - Example:
+# -    allow_local_service="8443:tcp 8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service=""
+
+
 # -------------
 # --- Services local Network
 # -------------
@ -579,6 +637,30 @@ for _val in $restrict_local_net_to_net ; do
   restrict_local_net_to_net_arr+=("$_val")
 done

+# ---
+# - Allow extern Service 
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+   allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+   allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services 
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+   allow_local_service_arr+=("$_val")
+done
+
 # ---
 # - Generally block ports
 # ---