diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 60582ec..5a7593a 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -245,13 +245,15 @@ if [ "$IPTABLES_MULTIPORT" ]; then
 auto|AUTO|Auto)
 if `${MODPROBE} ${NF_MULTIPORT} &>/dev/null`; then
 display_c YELLOW "Multiport successfully loaded."
+ IPTABLES_MULTIPORT="yes"
 else
 display_c RED "Multiport was not loaded successfully. Disabling."
 IPTABLES_MULTIPORT="no"
 fi ;;
 yes|YES|Yes)
 ${MODPROBE} ${NF_MULTIPORT}
- display_c PURPLE "Multiport loading forced, not error checking." ;;
+ display_c PURPLE "Multiport loading forced, not error checking."
+ IPTABLES_MULTIPORT="yes" ;;
 *) IPTABLES_MULTIPORT="no"
 esac
 fi
@@ -259,12 +261,29 @@ fi
 if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
 display_c YELLOW "Adding allowed port: " N
-
 if [ "$TCPPORTS" ]; then
- for i in $TCPPORTS; do
- echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
- $IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT
- done
+ if [ $IPTABLES_MULTIPORT == "yes" ]; then
+ TCPPORTS=($TCPPORTS)
+ PORTS_COUNT=${#TCPPORTS[@]}
+ PORTS_COUNT_CURR=0
+ while [ $PORTS_COUNT_CURR -lt $PORTS_COUNT ]; do
+ for ((y=$PORTS_COUNT_CURR; y <=(($PORTS_COUNT_CURR+((MULTI_MAX_PORTS-1)))); y++)); do
+ if [ ${TCPPORTS[$y]} ]; then
+ PORTS="$PORTS,${TCPPORTS[$y]}"
+ fi
+ done
+ echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,}"
+ ${IPTABLES} -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT"
+ unset PORTS
+ PORTS_COUNT_CURR=$y
+ done
+ unset y PORTS PORTS_COUNT_CURR PORTS_COUNT
+ else
+ for i in $TCPPORTS; do
+ echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
+ $IPTABLES -A INPUT -p tcp --dport $i -j ACCEPT
+ done
+ fi
 fi
 if [ "$UDPPORTS" ]; then
 for i in $UDPPORTS; do
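Review bot: The multiport rule line `${IPTABLES} -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT"` ends with an unbalanced double quote, so bash pairs it with the next `"` several lines further down and the whole `if [ "$TCPPORTS" ]` block fails to parse; the IPv6 hunk at L2 carries the same line. The chunking loop also reads `MULTI_MAX_PORTS`, which nothing in this diff defines — the include/static and options.default hunks add `NF_MULTIPORT_MAX_PORTS` instead — so unless it is set somewhere outside the diff the inner `for` bound evaluates to `PORTS_COUNT_CURR-1`, `y` never advances, and the `while` spins forever invoking iptables with an empty `--dports`. Because the `auto` and `yes` arms in the first hunk are the only places that assign a value, an unset or empty `IPTABLES_MULTIPORT` makes the unquoted `[ $IPTABLES_MULTIPORT == "yes" ]` expand to `[ == "yes" ]`, which prints a unary-operator error before falling into the `else` branch. I would write `if [ "$IPTABLES_MULTIPORT" = "yes" ]; then`, `for ((y=PORTS_COUNT_CURR; y <= PORTS_COUNT_CURR + NF_MULTIPORT_MAX_PORTS - 1; y++)); do` and `${IPTABLES} -A INPUT -p tcp -m multiport --dports "${PORTS#,}" -j ACCEPT`, and test the array element with `[ -n "${TCPPORTS[$y]}" ]` so a port containing no characters is the only thing that skips it.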
@@ -545,14 +564,29 @@ if [ $IPV6 ]; then
 fi
 if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then
 display_c YELLOW "Adding allowed IPv6 port: " N
- if [ "$IPV6TCP" ]; then
- for i in $IPV6TCP; do
- echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
- $IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
+ if [ $IPTABLES_MULTIPORT == "yes" ]; then
+ IPV6TCP=($IPV6TCP)
+ PORTS_COUNT=${#IPV6TCP[@]}
+ PORTS_COUNT_CURR=0
+ while [ $PORTS_COUNT_CURR -lt $PORTS_COUNT ]; do
+ for ((y=$PORTS_COUNT_CURR; y <=(($PORTS_COUNT_CURR+((MULTI_MAX_PORTS-1)))); y++)); do
+ if [ ${IPV6TCP[$y]} ]; then
+ PORTS="$PORTS,${IPV6TCP[$y]}"
+ fi
+ done
+ echo -en "${PURPLE}Multiport-TCP${DEFAULT_COLOR}/${GREEN}${PORTS#,}"
+ ${IPTABLES} -A INPUT -p tcp -m multiport --dports ${PORTS#,} -j ACCEPT"
+ unset PORTS
+ PORTS_COUNT_CURR=$y
 done
+ unset y PORTS PORTS_COUNT_CURR PORTS_COUNT
+ else
+ for i in $IPV6TCP; do
+ echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
+ $IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
+ done
 fi
-
 if [ "$IPV6UDP" ]; then
 for i in $IPV6UDP; do
 echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
diff --git a/include/static b/include/static
index 43bb34f..7e23681 100644
--- a/include/static
+++ b/include/static
@@ -49,5 +49,6 @@ MOD_U32="xt_u32"
 # Location of the ipv4 network conf in proc
 PROC_NET_IPV4="/proc/sys/net/ipv4/conf"
-# Multiport module name for kernel - override in options
-NF_MULTIPORT="xt_multiport"
\ No newline at end of file
+# Multiport options - override in options
+NF_MULTIPORT="xt_multiport"
+NF_MULTIPORT_MAX_PORTS="7"
\ No newline at end of file
diff --git a/options.default b/options.default
index 01621f1..8d8bd96 100755
--- a/options.default
+++ b/options.default
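Review bot: The multiport branch of the IPv6 section hands the `IPV6TCP` list to `${IPTABLES}`, while the removed loop and the new `else` branch right below it use `$IP6TABLES`; presumably those are the IPv4 and IPv6 binaries, in which case enabling multiport leaves the IPv6 ports never opened in the IPv6 table and instead appends ACCEPT rules for every `IPV6TCP` port to the IPv4 INPUT chain, widening IPv4 exposure beyond what `TCPPORTS` was meant to allow. The line should read `${IP6TABLES} -A INPUT -p tcp -m multiport --dports "${PORTS#,}" -j ACCEPT`, which also drops the stray trailing quote this hunk shares with the IPv4 hunk at L1. The `if [ "$IPV6TCP" ]` guard removed here has no replacement; an empty list gives `PORTS_COUNT` of 0 so the `while` does not run, but that reliance is worth a one-line comment such as `# empty IPV6TCP yields PORTS_COUNT=0, so the chunk loop is skipped`. The enclosing `if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]` block continues past the end of the hunk.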
@@ -42,11 +42,13 @@ MODPROBE=/sbin/modprobe
 # Multiport support?
-# yes/no/auto (auto will try to detect if we support multiport or not, may not always work)
+# yes/no/auto (auto will try to detect if we support multiport or not,
+# may not always work but is recommended unless you have a reason otherwise)
 IPTABLES_MULTIPORT=auto
-# Multiport module name for kernel - use to override defaults
+# Multiport options - use to override defaults
 #NF_MULTIPORT="xt_multiport"
+#NF_MULTIPORT_MAX_PORTS="7"
 # TCP/UDP/Protocol to allow
 TCPPORTS="20 21 22 53 80 113 123 443"