From 3056ae4d19ba04887cbdb9ab83872ae204b71477 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Tue, 22 Feb 2011 18:43:58 +0000
Subject: [PATCH] Code for IPV4_ALLOWED
---
 ChangeLog | 2 ++
 bin/firewall-sosdg | 52 ++++++++++++++++++++++++++++++++++++++-
 conf/ipv4-allowed.default | 8 ++++++
 options.default | 5 ++++
 4 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 conf/ipv4-allowed.default
diff --git a/ChangeLog b/ChangeLog
index 85bf423..9779fe0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
 - Fix location of ipv6 fi statement, moved to end of ipv6 rules
 - Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
+ - Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
+ - IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS
 0.9.12 - Brielle Bruns
 - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 46afd7b..7ba97b6 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -393,7 +393,57 @@ if [ "$IPTABLES_MULTIPORT" ]; then
 *) IPTABLES_MULTIPORT="no"
 esac
 fi
-
+
+if [ "$IPV4_ALLOWED" ]; then
+ display_c YELLOW "Adding allowed IPs and ports... "
+ for i in `grep -v "\#" $IPV4_ALLOWED`; do
+ if [[ "$i" =~ "|" ]]; then
+ IFS_OLD=${IFS};IFS=\|
+ ADVALLOWIP=($i)
+ IFS=${IFS_OLD}
+ SRCIF=${ADVALLOWIP[0]}
+ SRCIP=${ADVALLOWIP[1]}
+ SRCPORT=${ADVALLOWIP[2]}
+ DSTIF=${ADVALLOWIP[3]}
+ DSTIP=${ADVALLOWIP[4]}
+ DSTPORT=${ADVALLOWIP[5]}
+ DIRECTION=${ADVALLOWIP[6]}
+ PROTO=${ADVALLOWIP[7]}
+ if [ "$SRCIF" ]; then
+ SRCIF="-i ${SRCIF} "
+ fi
+ if [ "$SRCIP" ]; then
+ SRCIP="-s ${SRCIP} "
+ fi
+ if [ "$SRCPORT" ]; then
+ SRCPORT="--sport ${SRCPORT/-/:} "
+ fi
+ if [ "$DSTIF" ]; then
+ DSTIF="-o ${DSTIF} "
+ fi
+ if [ "$DSTIP" ]; then
+ DSTIP="-d ${DSTIP} "
+ fi
+ if [ "$DSTPORT" ]; then
+ DSTPORT="--dport ${DSTPORT/-/:} "
+ fi
+ if [ "$PROTO" ]; then
+ case $PROTO in
+ TCP|tcp) PROTO="-p tcp";;
+ UDP|udp) PROTO="-p udp";;
+ *) PROTO="-p ${PROTO}";;
+ esac
+ fi
+ case $DIRECTION in
+ IN) DIRECTION="INPUT" ;;
+ OUT) DIRECTION="OUTPUT" ;;
+ FWD) DIRECTION="FORWARD" ;;
+ *) DIRECTION="INPUT" ;;
+ esac
+ ${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
+ fi
+ done
+fi
 if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
 display_c YELLOW "Adding allowed port: " N
diff --git a/conf/ipv4-allowed.default b/conf/ipv4-allowed.default
new file mode 100644
index 0000000..3477b75
--- /dev/null
+++ b/conf/ipv4-allowed.default
@@ -0,0 +1,8 @@
+# List of IPs to allow
+# One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
+# |||||||
+# One can leave out
+# if you want to apply to all ports/interfaces/etc
+# Example:
+# - Allow SRC of eth1 192.168.0.5:80 from contacting DST eth0 192.168.1.10:20 through 21, TCP
+# eth1|192.168.0.5|80|eth0|192.168.1.10|20-21|IN|TCP
diff --git a/options.default b/options.default
index b8f7ace..6156aba 100755
--- a/options.default
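Review bot: The `*) DIRECTION="INPUT" ;;` fallback in the DIRECTION case means a mistyped direction field (say `OUTPUT` instead of `OUT`) silently installs an ACCEPT rule on the INPUT chain, widening exposure instead of failing; the default arm should report and skip the entry, `*) display_c YELLOW "Unknown direction '${DIRECTION}' in ${IPV4_ALLOWED}, skipping"; continue ;;`. The exit status of the `${IPTABLES} -A ${DIRECTION} ... -j ACCEPT` call is also unchecked, so entries iptables rejects (a port with no protocol given, `-i` on OUTPUT or `-o` on INPUT) vanish without any message — appending `|| display_c YELLOW "Failed to add rule for entry: ${i}"` makes that visible. The command substitution `grep -v "\#" $IPV4_ALLOWED` feeding the for loop word-splits the file on whitespace, so an entry containing a space is broken into fragments that either fail the `|` test or are parsed as truncated rules; a `while IFS= read -r i` loop reading the file line by line avoids this. Since the conf template only shows the field order by example, a comment above `ADVALLOWIP=($i)` such as `# fields: SRCIF|SRCIP|SRCPORT|DSTIF|DSTIP|DSTPORT|DIRECTION|PROTO` would help the next reader.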
+++ b/options.default
@@ -119,6 +119,11 @@ TRUSTEDIP="127.0.0.1"
 # use otherwise.
 DONTTRACK="127.0.0.1"
+# Allowed IPs and ports
+# this is a more advanced form of TCPPORTS and UDPPORTS,
+# and will eventually replace it
+#IPV4_ALLOWED=$BASEDIR/conf/ipv4-allowed
+
 # Intercept IPv4 packets for use in a transparent proxy
 #IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept