
More code to support ipv* allowed files

bbruns 7 years ago
parent
commit
026185195b
3 changed files with 63 additions and 0 deletions
  1. 51
    0
      bin/firewall-sosdg
  2. 7
    0
      conf/ipv6-allowed.default
  3. 5
    0
      options.default

+ 51
- 0
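--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -943,6 +943,57 @@ fi
 		display_c YELLOW "Loading custom IPv6 allowed port rules..."
 		. "$BASEDIR/include/ipv6_custom_allowedports"
 	fi
+	
+	if [ "$IPV6_ALLOWED" ]; then
+	display_c YELLOW "Adding allowed IPv6 IPs and ports... "
+	for i in `grep -v "\#" $IPV6_ALLOWED`; do
+		if [[ "$i" =~ "|" ]]; then
+			IFS_OLD=${IFS};IFS=\|
+			ADVALLOWIP=($i)
+			IFS=${IFS_OLD}
+			SRCIF=${ADVALLOWIP[0]}
+			SRCIP=${ADVALLOWIP[1]}
+			SRCPORT=${ADVALLOWIP[2]}
+			DSTIF=${ADVALLOWIP[3]}
+			DSTIP=${ADVALLOWIP[4]}
+			DSTPORT=${ADVALLOWIP[5]}
+			DIRECTION=${ADVALLOWIP[6]}
+			PROTO=${ADVALLOWIP[7]}
+			if [ "$SRCIF" ]; then
+				SRCIF="-i ${SRCIF} "
+			fi
+			if [ "$SRCIP" ]; then
+				SRCIP="-s ${SRCIP} "
+			fi
+			if [ "$SRCPORT" ]; then
+				SRCPORT="--sport ${SRCPORT/-/:} "
+			fi
+			if [ "$DSTIF" ]; then
+				DSTIF="-o ${DSTIF} "
+			fi
+			if [ "$DSTIP" ]; then
+				DSTIP="-d ${DSTIP} "
+			fi
+			if [ "$DSTPORT" ]; then
+				DSTPORT="--dport ${DSTPORT/-/:} "
+			fi
+			if [ "$PROTO" ]; then
+				case $PROTO in
+					TCP|tcp) PROTO="-p tcp";;
+					UDP|udp) PROTO="-p udp";;
+					*) PROTO="-p ${PROTO}";;
+				esac
+			fi
+			case $DIRECTION in
+				IN) DIRECTION="INPUT" ;;
+				OUT) DIRECTION="OUTPUT" ;;
+				FWD) DIRECTION="FORWARD" ;;
+				*) DIRECTION="INPUT" ;;
+			esac
+			${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
+		fi
+	done
+  fi
 	if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
 		display_c YELLOW "Adding allowed IPv6 port: " N
 		if [ "$IPV6_TCPPORTS" ]; then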

+ 7
- 0
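--- a/conf/ipv6-allowed.default
+++ b/conf/ipv6-allowed.default
@@ -0,0 +1,7 @@
+# List of IPs to allow
+# One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
+#		<SRC IF>|<SRC IP>|<SRC PORT RNG>|<DST IF>|<DST IP>|<DST PORT RNG>|<IN/OUT/FWD>|<PROTO>
+# One can leave out <SRC IF> <SRC IP> <SRC PORT RNG> <DST IF> <DST IP> <DST PORT RNG> 
+# if you want to apply to all ports/interfaces/etc
+# Example:
+#  eth1|::1|80|eth0|2001::1|20-21|IN|TCP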
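Review bot: The example on the last line combines a `<SRC IF>` and a `<DST IF>` with direction `IN`; by the loader in bin/firewall-sosdg that becomes `ip6tables -A INPUT … -i eth1 … -o eth0 … -j ACCEPT`, and ip6tables does not accept `-o` in the INPUT chain, so a user who copies the shipped example gets a rejected rule. A working example would be `#  eth1|2001:db8::1|||2001:db8::2|22|IN|TCP`, which also shows that omitted fields are left empty while their `|` separators are kept — the current "One can leave out …" wording does not make that explicit. It is also worth stating that lines containing no `|` are ignored, and that, judging from the `grep -v "\#"` filter in the loader, a `#` anywhere in a line disables the whole line, not just the text after it.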

+ 5
- 0
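--- a/options.default
+++ b/options.default
@@ -238,6 +238,11 @@ IPV6_PFORWARD=DROP
 #IPV6_TCPPORTS=$TCPPORTS
 #IPV6_UDPPORTS=$UDPPORTS
 
+# Allowed IPv6 IPs and ports
+# this is a more advanced form of IPV6_TCPPORTS and IPV6_UDPPORTS,
+# and will eventually replace it
+#IPV6_ALLOWED=$BASEDIR/conf/ipv6-allowed
+
 # IPv6 range to forward
 #IPV6_FORWARDRANGE=""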
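Review bot: The new `IPV6_ALLOWED` option says nothing about the format of the file it points to, so anyone enabling it has to read bin/firewall-sosdg to learn the pipe-delimited eight-field layout and the IN/OUT/FWD direction keywords. Add a pointer under the description such as `# One rule per line, fields separated by '|'; see conf/ipv6-allowed.default for the layout`. It would also help to say that every matching line produces an ACCEPT rule in the chosen chain, since this is the place a user decides whether to turn the feature on.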