From e7fd6ee87aefec9cf68ca05dfa563a448fccda8b Mon Sep 17 00:00:00 2001 From: Christoph Date: Mon, 25 Feb 2019 15:24:51 +0100 Subject: [PATCH] Add rules for extern services, extern networks and local (non-standard) services. --- ip6t-firewall-server | 60 +++++++++++++++++++++++ ip6t-firewall-server.conf.sample | 82 +++++++++++++++++++++++++++++++ ipt-firewall-server | 62 ++++++++++++++++++++++- ipt-firewall-server.conf.sample | 84 +++++++++++++++++++++++++++++++- 4 files changed, 286 insertions(+), 2 deletions(-) diff --git a/ip6t-firewall-server b/ip6t-firewall-server index b0a1f96..8769d2f 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server 
@@ -756,6 +756,66 @@ echo echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" +# ------------- +# ---- Allow extern Service +# ------------- + +echononl "\t\tAllow extern Service" + +if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_ext_service_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +echononl "\t\tAllow extern IP-Address/Network" + +if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _net in "${allow_ext_net_arr[@]}" ; do + $ip6t -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +echononl "\t\tAllow (non-standard) local Services" + +if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_local_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + # --- # - DHCP # --- diff --git a/ip6t-firewall-server.conf.sample b/ip6t-firewall-server.conf.sample index 4fc97af..43eb660 100644 --- a/ip6t-firewall-server.conf.sample +++ b/ip6t-firewall-server.conf.sample 
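Review bot: The `IFS=',' read -a _val_arr <<< "${_val}"` loops in the new "Allow extern Service" and "Allow (non-standard) local Services" sections build the ip6tables command from `${_val_arr[0]}`..`${_val_arr[2]}` without checking that the entry split into the expected number of fields, so a malformed conf entry produces a rule with an empty `-p` or `--dport` argument that ip6tables is likely to reject with an unhelpful message, and the conf sample's statement that only tcp and udp are accepted is not enforced anywhere. I would use `-r` and guard each rule, e.g. `IFS=',' read -r -a _val_arr <<< "${_val}"` followed by `[[ ${#_val_arr[@]} -eq 3 && ${_val_arr[2]} =~ ^(tcp|udp)$ ]] || { echo -e "\t\t\tskipping malformed allow_ext_service entry '${_val}'" >&2 ; continue ; }`, with the field count 2 and `${_val_arr[1]}` in the local-service loop. The same applies to the matching hunk in ipt-firewall-server (which splits the extern-service entries on ':' rather than ','). Quoting `"$_dev"` and `"$_net"` in the `$ip6t` invocations would also silence shellcheck.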
@@ -236,6 +236,64 @@ restrict_local_service_to_net="" restrict_local_net_to_net="" +# ------------- +# ---- Allow extern Service +# ------------- + +# - allow_ext_service +# - +# - allow_ext_service=",, [,, [ .. +# - +# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp' +# - are allowed +# - +# - Example: +# - allow_ext_service=" +# - 2a01:4f8:221:3b4e::247,8443,tcp +# - 2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp +# - " +# - +# - Blank separated list +# - +allow_ext_service="" + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +# - allow_ext_net +# - +# - allow_ext_net=" [ [ ..! +# - +# - Allow all traffic to the given extern network/ip-address. +# - +# - Example: +# - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c" +# - +# - Blank separated list +# - +allow_ext_net="" + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +# - allow_local_service +# - +# - allow_local_service=": [: [.." +# - +# - Allow all traffic to given local service +# - +# - Example: +# - allow_local_service="8443:tcp 8080:tcp" +# - +# - Blank separated list +# - +allow_local_service="" + + # ------------- # --- Services local Network # ------------- @@ -495,6 +553,30 @@ for _val in $restrict_local_net_to_net ; do restrict_local_net_to_net_arr+=("$_val") done +# --- +# - Allow extern Service +# --- +declare -a allow_ext_service_arr +for _val in $allow_ext_service ; do + allow_ext_service_arr+=("$_val") +done + +# --- +# - Allow extern IP-Address/Network +# --- +declare -a allow_ext_net_arr +for _net in $allow_ext_net ; do + allow_ext_net_arr+=("$_net") +done + +# --- +# - Allow (non-standard) local Services +# --- +declare -a allow_local_service_arr +for _val in $allow_local_service ; do + allow_local_service_arr+=("$_val") +done + # --- # - Generally block ports # --- diff --git a/ipt-firewall-server b/ipt-firewall-server index 13551be..3278bec 100755 --- a/ipt-firewall-server 
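Review bot: The format lines in the new conf-sample comments, `allow_ext_service=",, [,, [ ..`, `allow_ext_net=" [ [ ..!` and `allow_local_service=": [: [..`, carry no field placeholders, so the field order can only be inferred from the examples (if placeholders were present in the file and lost in rendering, disregard this); I would spell them out, e.g. `# - allow_ext_service="IPV6-ADDRESS,PORT,PROTO [IPV6-ADDRESS,PORT,PROTO [ .."`, fix "protcols" to "protocols" and drop the stray `!`. The description "Allow all traffic to the given extern network/ip-address" is also broader than what the script installs — an OUTPUT rule for NEW connections, i.e. outbound traffic only — so `# - Allow outbound connections to the given extern network/ip-address` would be more accurate, and likewise "outbound connections to the given extern service" for allow_ext_service. The same comments appear in the ipt-firewall-server.conf.sample hunk with ':' separators.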
+++ b/ipt-firewall-server @@ -967,7 +967,7 @@ echo # ---- Restrict local Servive to given (extern) IP-Address/Network # ------------- -echononl "\tRestrict local Servive to given (extern) IP-Address/Network" +echononl "\tRestrict local Service to given (extern) IP-Address/Network" if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then _deny_service_arr=() @@ -1038,6 +1038,66 @@ echo echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" +# ------------- +# ---- Allow extern Service +# ------------- + +echononl "\t\tAllow extern Service" + +if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_ext_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +echononl "\t\tAllow extern IP-Address/Network" + +if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _net in "${allow_ext_net_arr[@]}" ; do + $ipt -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +echononl "\t\tAllow (non-standard) local Services" + +if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_local_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + # --- # - DHCP # --- diff --git a/ipt-firewall-server.conf.sample b/ipt-firewall-server.conf.sample index 5e9d12b..5c2dd4f 100644 --- a/ipt-firewall-server.conf.sample +++ b/ipt-firewall-server.conf.sample 
@@ -35,7 +35,7 @@ log_blocked=false log_unprotected=false log_prohibited=false log_voip=false -log_rejected=true +log_rejected=false log_ssh=false @@ -239,6 +239,64 @@ restrict_local_service_to_net="" restrict_local_net_to_net="" +# ------------- +# ---- Allow extern Service +# ------------- + +# - allow_ext_service +# - +# - allow_ext_service=":: [:: [ .. +# - +# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp' +# - are allowed +# - +# - Example: +# - allow_ext_service=" +# - 80.152.216.128:9998:tcp +# - 80.152.216.128:8443:tcp +# - " +# - +# - Blank separated list +# - +allow_ext_service="" + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +# - allow_ext_net +# - +# - allow_ext_net=" [ [ ..! +# - +# - Allow all traffic to the given extern network/ip-address. +# - +# - Example: +# - allow_ext_net="80.152.216.128 84.140.157.102" +# - +# - Blank separated list +# - +allow_ext_net="" + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +# - allow_local_service +# - +# - allow_local_service=" [: [.." +# - +# - Allow all traffic to given local service +# - +# - Example: +# - allow_local_service="8443:tcp 8080:tcp" +# - +# - Blank separated list +# - +allow_local_service="" + + # ------------- # --- Services local Network # ------------- @@ -579,6 +637,30 @@ for _val in $restrict_local_net_to_net ; do restrict_local_net_to_net_arr+=("$_val") done +# --- +# - Allow extern Service +# --- +declare -a allow_ext_service_arr +for _val in $allow_ext_service ; do + allow_ext_service_arr+=("$_val") +done + +# --- +# - Allow extern IP-Address/Network +# --- +declare -a allow_ext_net_arr +for _net in $allow_ext_net ; do + allow_ext_net_arr+=("$_net") +done + +# --- +# - Allow (non-standard) local Services +# --- +declare -a allow_local_service_arr +for _val in $allow_local_service ; do + allow_local_service_arr+=("$_val") +done + # --- # - Generally block ports # ---
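Review bot: The first hunk flips the sample default `log_rejected=true` to `log_rejected=false`, which is unrelated to the rules this commit adds and is not mentioned in the commit message. Logging of rejected packets is typically the signal an operator relies on to notice scanning or misconfigured clients, so silently turning it off in the sample changes what a fresh install will record; if the change is intended it deserves a sentence in the commit message or a comment such as `# - set to true to log packets hit by REJECT rules (recommended while tuning the ruleset)` next to the option, otherwise it should be dropped from this commit.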