Add 'mail_client_ips', 'restrict_local_service_to_net', 'restrict_local_net_to_net'.

2017-07-18 15:30:23 +02:00
parent 6d2a9d8d8d
commit 8bbc845adf
4 changed files with 511 additions and 40 deletions


@ -10,6 +10,8 @@
# Short-Description: IPv6 Firewall
### END INIT INFO
CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-vserver.conf
# ------------- Load Kernel Modules -------------
#
@ -30,8 +32,15 @@ echo
## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
source /etc/ipt-firewall/ip6t-firewall.conf
if [[ -f "$CONFIG_FILE" ]]; then
source $CONFIG_FILE
else
echo
echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
echo
exit 1
fi
# -------------
@ -512,6 +521,7 @@ echo_done
# - VPN
# ---
echononl "\tPermit all traffic through VPN lines.."
if $local_vpn_service ; then
echononl "\tPermit all traffic through VPN lines.."
for _port in ${local_vpn_port_arr[@]} ; do
@ -526,6 +536,97 @@ if $local_vpn_service ; then
fi
done
echo_done
else
echo_skipped
fi
echo
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------
echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
_deny_service_arr=()
for _val in "${restrict_local_service_to_net_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
$ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD" "${_deny_service_arr[@]}" ; then
_deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD")
fi
else
$ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT" "${_deny_service_arr[@]}" ; then
_deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT")
fi
fi
done
done
for _val in "${_deny_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A ${_val_arr[4]} -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
done
echo_done
else
echo_skipped
fi
# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
_deny_net_arr=()
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
$ip6t -A FORWARD -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev},${_val_arr[1]},FORWARD" "${_deny_net_arr[@]}" ; then
_deny_net_arr+=("${_dev},${_val_arr[1]},FORWARD")
fi
else
$ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev},${_val_arr[1]},INPUT" "${_deny_net_arr[@]}" ; then
_deny_net_arr+=("${_dev},${_val_arr[1]},INPUT")
fi
fi
done
done
for _val in "${_deny_net_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A ${_val_arr[2]} -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
done
echo_done
else
echo_skipped
fi
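Review bot: The four comma-separated fields read into `_val_arr` in the restrict_local_service_to_net loop (the `IFS=',' read -a _val_arr <<< "${_val}"` line, repeated in the restrict_local_net_to_net loop) are used without checking that every field is present, and the exit status of the `$ip6t` calls is never checked. A tuple with a missing or misspelled field makes both the ACCEPT rule and the matching DROP rule fail as malformed ip6tables invocations, yet the loop still reaches `echo_done`, so the service stays reachable under whatever generic accept rules follow — the restriction fails open. I would fail closed the way the config-file check at the top of the script does: `IFS=',' read -r -a _val_arr <<< "${_val}"` followed by `[[ ${#_val_arr[@]} -eq 4 ]] || { echo -e "\tMalformed restrict_local_service_to_net entry '${_val}'. Exiting now!" ; exit 1 ; }` (field count 2 for the net-to-net variant), plus `|| exit 1` after each `$ip6t -A ... -j DROP`. Note also that `containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]}` appears to match only an exact address, so a destination written as a prefix would land in INPUT rather than FORWARD even when the prefix covers container addresses — worth confirming against how the config documents that field.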
@ -610,7 +711,6 @@ if $local_dns_service ; then
$ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done
fi
@ -648,7 +748,6 @@ echononl "\t\tSSH Service"
if $local_ssh_service ; then
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A INPUT -p tcp --dport $_port -m state --state NEW -j ACCEPT
done
fi
@ -870,10 +969,10 @@ fi
# ---
# - Mail (POP/IMAP Server)
# - Mailservice (Submission/SMTPS/POP/IMAP Server)
# ---
echononl "\t\tMail (POP/IMAP Server)"
echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
@ -899,6 +998,33 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
$ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if $local_mail_service
echo_done
else
echo_skipped
fi
# ---
# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
# ---
echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
#
if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
else
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
fi
done
fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
echo_done
else
echo_skipped