From 35504323b60c6f90214a1e6a75873fa05643a320 Mon Sep 17 00:00:00 2001 From: "bbruns@gmail.com" Date: Sun, 30 Mar 2014 16:53:31 +0000 Subject: [PATCH] --- bin/srfirewall | 2 ++ etc/ipv4.conf | 4 ++++ etc/ipv6.conf | 13 ++++++++++++- lib/iptables.inc | 22 ++++++++++++++++++++++ 4 files changed, 40 insertions(+), 1 deletion(-) diff --git a/bin/srfirewall b/bin/srfirewall index 9c156ad..3bcee55 100755 --- a/bin/srfirewall +++ b/bin/srfirewall @@ -142,6 +142,7 @@ if [ "${EnableIPv4}" == "yes" ]; then setup_iptables_chains ipv4 if [ "${AllowAllv4Loopback}" == "yes" ]; then allow_all_loopback ipv4; fi + if [ "${EnableTrustedv4Hosts}" == "yes" ]; then allow_trusted_hosts ipv4; fi fi # Do IPv4 IPTables Rules @@ -154,5 +155,6 @@ if [ "${EnableIPv6}" == "yes" ]; then setup_iptables_chains ipv6 if [ "${AllowAllv6Loopback}" == "yes" ]; then allow_all_loopback ipv6; fi + if [ "${EnableTrustedv6Hosts}" == "yes" ]; then allow_trusted_hosts ipv6; fi fi diff --git a/etc/ipv4.conf b/etc/ipv4.conf index 51e01f1..7640139 100644 --- a/etc/ipv4.conf +++ b/etc/ipv4.conf @@ -10,6 +10,10 @@ AllowAllv4Loopback="yes" # Very early on rules to allow for trusted machines to access # this machine. Rather important and helps keep you from getting # locked out should the firewalling rules go bad. +# +# IMPORTANT: Hosts put in the trusted file will have complete +# and unfettered access to the host, ignoring all other rules. +# # Config file is located in ipv4/trusted.conf # Values: no | yes (default) EnableTrustedv4Hosts="yes" \ No newline at end of file diff --git a/etc/ipv6.conf b/etc/ipv6.conf index 94d6d51..9f54b6d 100644 --- a/etc/ipv6.conf +++ b/etc/ipv6.conf 
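Review bot: The new call discards the status of allow_trusted_hosts, so when ipv4/trusted.conf is missing the function only prints red text and the run continues into the rest of the rule loading with no lock-out safety net, although the config comment presents this option as exactly that safety net. With EnableTrustedv4Hosts shipped as "yes", a fresh install that has no trusted file will hit this silently on every run. I would make the failure observable here, `if [ "${EnableTrustedv4Hosts}" == "yes" ]; then allow_trusted_hosts ipv4 || exit 1; fi`, which also requires the missing-file branch of allow_trusted_hosts to `return 1` (as written it ends on a debug call and returns whatever that returns). Whether aborting or merely flagging the error is right depends on the table state setup_iptables_chains leaves behind, which is not visible in this diff; the same applies to the ipv6 call in the second hunk.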
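Review bot: The new IMPORTANT comment should also say what "trusted" keys on, because the rules added for these entries match source address alone with no interface restriction, so a packet forged with a trusted source address arriving on any interface is accepted by the INPUT pre-rules. Admins reading "complete and unfettered access" also need to know that one over-broad entry turns the firewall off. I would extend the warning with `# Trust is by source address only (no interface check), so list individual` / `# hosts or small networks only and never a catch-all such as 0.0.0.0/0.` The equivalent text belongs in the ipv6.conf comment too, with ::/0 as the example.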
@@ -5,4 +5,15 @@ # Good idea to keep this turned on, but if you so wish to, # you can disable it here. # Values: no | yes (default) -AllowAllv6Loopback="yes" \ No newline at end of file +AllowAllv6Loopback="yes" + +# Very early on rules to allow for trusted machines to access +# this machine. Rather important and helps keep you from getting +# locked out should the firewalling rules go bad. +# +# IMPORTANT: Hosts put in the trusted file will have complete +# and unfettered access to the host, ignoring all other rules. +# +# Config file is located in ipv6/trusted.conf +# Values: no | yes (default) +EnableTrustedv6Hosts="yes" \ No newline at end of file diff --git a/lib/iptables.inc b/lib/iptables.inc index b9cef0d..141d65d 100644 --- a/lib/iptables.inc +++ b/lib/iptables.inc @@ -131,4 +131,26 @@ function allow_all_loopback { ${debug} ${DebugColor} "allow_all_loopback: loaded" ${VER_IPTABLES} -A ${InPreRules} -i lo -j ACCEPT ${VER_IPTABLES} -A ${OutPreRules} -o lo -j ACCEPT +} + +function allow_trusted_hosts { + IP_VERSION=$1 + case $IP_VERSION in + ipv6) VER_IPTABLES=${IP6TABLES}; + IPVER="6" ;; + ipv4|*) VER_IPTABLES=${IPTABLES} + IPVER="4" ;; + esac + ${debug} ${DebugColor} "allow_trusted_hosts: loading" + if [ -e "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf" ]; then + for i in `grep -v "\#" "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"`; do + ${VER_IPTABLES} -A ${InPreRules} -s $i -j ACCEPT + ${VER_IPTABLES} -A ${OutPreRules} -d $i -j ACCEPT + done + ${debug} ${DebugColor} "allow_trusted_hosts: done" + else + ${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf" + ${display} RED "Error: can not load trusted hosts file." + ${debug} ${DebugColor} "allow_trusted_hosts: failed" + fi } \ No newline at end of file
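Review bot: Every entry read from trusted.conf is handed to iptables unvalidated, so a single line such as `0.0.0.0/0` (or `::/0` on the v6 side) silently disables the whole firewall, and the `grep -v "\#"` filter drops any line that contains a `#` anywhere, so a valid host followed by a trailing comment is lost without notice, which defeats the lock-out protection this option exists for. The loop also word-splits the file contents and passes `$i` unquoted, so a stray glob character in the file would be expanded against the current directory. I would read the file line by line, strip comments and whitespace, refuse catch-all networks and entries that do not look like an address for the selected IP version, quote the argument to iptables, test for a readable regular file rather than bare `-e`, and `return 1` on the missing-file branch so the caller can react. The shape check below is deliberately loose, iptables still does the real parsing; tighten it if strict validation is wanted.
```shell
function allow_trusted_hosts {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6"
          # loose shape check: hex digits, colons, dots (mapped v4), optional /prefix
          HOST_RE='^[0-9A-Fa-f:.]+(/[0-9]{1,3})?$' ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4"
          HOST_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' ;;
  esac
  TRUSTED_FILE="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
  # … unchanged: "allow_trusted_hosts: loading" debug message …
  if [ -f "${TRUSTED_FILE}" ] && [ -r "${TRUSTED_FILE}" ]; then
    # one host or network per line; '#' starts a comment, blank lines are ignored
    while IFS= read -r line || [ -n "${line}" ]; do
      host="${line%%#*}"
      host="${host//[[:space:]]/}"
      [ -z "${host}" ] && continue
      if ! [[ "${host}" =~ ${HOST_RE} ]]; then
        ${display} RED "Error: ignoring malformed trusted host '${host}' in ${TRUSTED_FILE}"
        continue
      fi
      case "${host}" in
        0.0.0.0|::|*/0)
          # a catch-all entry would accept everything and bypass every other rule
          ${display} RED "Error: refusing catch-all trusted host '${host}' in ${TRUSTED_FILE}"
          continue ;;
      esac
      ${VER_IPTABLES} -A ${InPreRules} -s "${host}" -j ACCEPT
      ${VER_IPTABLES} -A ${OutPreRules} -d "${host}" -j ACCEPT
    done < "${TRUSTED_FILE}"
    # … unchanged: "allow_trusted_hosts: done" debug message …
  else
    # … unchanged: "File Missing" / "can not load" error messages and failed debug message …
    return 1
  fi
}
```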