firewall/ipt-vserver
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add some comments for DNS rules.

Browse Source
This commit is contained in:
Christoph 2017-06-02 11:41:27 +02:00
parent ba47baa356
commit 6d2a9d8d8d
3 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
.*.swp
ip6t-firewall-vserver.conf ip6t-firewall-vserver.conf
ipt-firewall-vserver.conf ipt-firewall-vserver.conf
BAK/* BAK/*

12
ip6t-firewall-vserver
View File

@ -583,17 +583,24 @@ done
# - Make nameservers rechable for all # - Make nameservers rechable for all
# - # -
for _ip in ${dns_server_ips[@]} ; do for _ip in ${dns_server_ips[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_forward_between_interfaces ; then if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
fi fi
if containsElement "$_ip" ${vserver_ips_arr[@]} ; then if containsElement "$_ip" ${vserver_ips_arr[@]} ; then
$ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
fi fi
done done
@ -601,6 +608,7 @@ done
if $local_dns_service ; then if $local_dns_service ; then
for _ip in ${host_ips_arr[@]} ; do for _ip in ${host_ips_arr[@]} ; do
$ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer # Zonetransfer
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT

13
ipt-firewall-vserver
View File

@ -760,17 +760,24 @@ done
# - Make nameservers rechable for all # - Make nameservers rechable for all
# - # -
for _ip in ${dns_server_ips[@]} ; do for _ip in ${dns_server_ips[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_activate_forwarding ; then if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_activate_forwarding ; then
$ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
fi fi
if containsElement "$_ip" ${vserver_ips_arr[@]} ; then if containsElement "$_ip" ${vserver_ips_arr[@]} ; then
$ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
fi fi
done done
@ -778,8 +785,8 @@ done
if $local_dns_service ; then if $local_dns_service ; then
for _ip in ${host_ips_arr[@]} ; do for _ip in ${host_ips_arr[@]} ; do
$ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done done
fi fi