From 45101a1fb8b46c900bf2b34fcf4d70f5125d71ca Mon Sep 17 00:00:00 2001
From: bbruns
Date: Sun, 6 Apr 2014 17:06:11 +0000
Subject: [PATCH] Added services files

---
 etc/ipv4.conf | 7 +++++++
 etc/ipv4/service.conf | 18 ++++++++++++++++++
 etc/ipv6.conf | 7 +++++++
 etc/ipv6/service.conf | 18 ++++++++++++++++++
 lib/iptables.inc | 23 ++++++++++++++---------
 5 files changed, 64 insertions(+), 9 deletions(-)
 create mode 100644 etc/ipv4/service.conf
 create mode 100644 etc/ipv6/service.conf

diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index 76559eb..e3c9733 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -47,6 +47,13 @@ ResolvConfv4File="/etc/resolv.conf"
 # Values: space separated IP list of DNS servers
 #DNSClientManualv4Servers=""

+# Enable the Services access list
+# This allows you to define services on the local
+# machine that you want to be accessible to the world.
+# Config file: ipv4/services.conf
+# Values: no | yes (default)
+Enablev4Services="yes"
+
 # Enable the EasyBlock access list
 # This is a simple/easy way to block traffic in or out,
 # no complex options. Use the Filter options for more
diff --git a/etc/ipv4/service.conf b/etc/ipv4/service.conf
new file mode 100644
index 0000000..28398fd
--- /dev/null
+++ b/etc/ipv4/service.conf
@@ -0,0 +1,18 @@
+# Allowed Service Rules
+# Use this file to set up which services you wish for the world to have
+# access to on your machine.
+# Use tabs or single space to separate
+#
+#
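Review bot: The comment added here names the config file `ipv4/services.conf`, but the file this commit creates is `etc/ipv4/service.conf` (singular), and the loop at the end of lib/iptables.inc in this same patch reads `${FWCONFIGDIR}/ipv${IPVER}/services.conf`, so the shipped file is never opened and the `done <` redirect fails, leaving no service rule installed. Either rename the new files to `services.conf` or change the comment and the `done <` path to `service.conf`; the ipv6.conf hunk has the same mismatch. Nothing in this patch consults `Enablev4Services`, so unless enable_services is gated on it elsewhere the new toggle is a no-op — worth confirming before relying on it.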
+#
+# Service: Required ( single or list of comma separated ports/services )
+# Protocol: Required ( tcp or udp )
+# Interface: Optional ( interface of incoming connection )
+# Address: Optional ( address of incoming connection )
+# Source Address: Optional ( address to allow connections from )
+# You can use '-' for optional fields
+#============================================================
+#
+#
+#http tcp eth0 192.168.1.1 192.168.1.0/24
+ssh,http,https tcp - - -
+
diff --git a/etc/ipv6.conf b/etc/ipv6.conf
index a9789ec..3ced607 100644
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -47,6 +47,13 @@ ResolvConfv6File="/etc/resolv.conf"
 # Values: space separated IP list of DNS servers
 #DNSClientManualv6Servers=""

+# Enable the Services access list
+# This allows you to define services on the local
+# machine that you want to be accessible to the world.
+# Config file: ipv6/services.conf
+# Values: no | yes (default)
+Enablev6Services="yes"
+
 # Enable the EasyBlock access list
 # This is a simple/easy way to block traffic in or out,
 # no complex options. Use the Filter options for more
diff --git a/etc/ipv6/service.conf b/etc/ipv6/service.conf
new file mode 100644
index 0000000..03af8e2
--- /dev/null
+++ b/etc/ipv6/service.conf
@@ -0,0 +1,18 @@
+# Allowed Service Rules
+# Use this file to set up which services you wish for the world to have
+# access to on your machine.
+# Use tabs or single space to separate
+#
+#
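Review bot: The `Address` column header ("address of incoming connection") does not say which end of the connection it names; in lib/iptables.inc it is intended to become a `-d` match (the local address the connection is sent to) while `Source Address` becomes `-s`, so the header should read `# Address: Optional ( local/destination address the connection arrives at, matched with -d )`. It would also help to state that `-` in the Source Address column matches any source, because the shipped default `ssh,http,https tcp - - -` opens all three services to every source on every interface — the documented intent, but easy to overlook when editing the file. The ipv6/service.conf hunk carries the same header and default and should get the same wording. The comma-separated service form depends on the multiport handling added to lib/iptables.inc in this patch, which is worth mentioning next to the example.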
+#
+# Service: Required ( single or list of comma separated ports/services )
+# Protocol: Required ( tcp or udp )
+# Interface: Optional ( interface of incoming connection )
+# Address: Optional ( address of incoming connection )
+# Source Address: Optional ( address to allow connections from )
+# You can use '-' for optional fields
+#============================================================
+#
+#
+#http tcp eth0 fc00::1 fc00::/64
+ssh,http,https tcp - - -
+
diff --git a/lib/iptables.inc b/lib/iptables.inc
index 3918404..efaa38b 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -309,8 +309,8 @@ function enable_filtering {
 [[ ${direction} = "" ]] && continue
 ([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
 && ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
- ([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]]) \
- && ${display} RED "acl.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
+ ([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]] && [[ ${action} != "REJECT" ]]) \
+ && ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
 # Do some creative work with variables to make building the iptables rules fairly painless
 [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
@@ -322,6 +322,7 @@ function enable_filtering {
 [[ ${direction} == "OUT" ]] && chain="${OutFilter}"
 [[ ${direction} == "IN" ]] && chain="${InFilter}"
 [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
+ [[ ${action} == "REJECT" ]] && action="REJECT --reject-with tcp-reset"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" 
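Review bot: Accepting `REJECT` in this validation is only sound if the reject type chosen in the `@@ -322` hunk of the same file matches the protocol: `--reject-with tcp-reset` is valid only together with `-p tcp`, so an acl.conf line using `REJECT` with `udp` or `-` as its protocol passes this check and is then refused by iptables when the rule is added, with no hint from the earlier validation. Because `protocol` has already been rewritten to `-p ${protocol}` on the preceding line, the added line in that hunk should be `[[ ${action} == "REJECT" && ${protocol} == "-p tcp" ]] && action="REJECT --reject-with tcp-reset"`, leaving the default reject type for everything else. enable_filtering starts before and continues after both hunks.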
@@ -450,27 +451,31 @@ function enable_services {
 use_conntrack="no"
 ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
 ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
- while read -r service protocol interface srcaddress; do
+ while read -r service protocol interface address srcaddress; do
+ multiport="no"
 [[ ${service} = \#* ]] && continue
 [[ ${service} = "" ]] && continue
 [[ ${service} == "-" ]] \
- && ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
+ && ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
 [[ ${protocol} == "-" ]] \
- && ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
-
+ && ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
+ [[ ${service} =~ "," ]] && multiport="yes"
 # Do some creative work with variables to make building the iptables rules fairly painless
- [[ ${service} != "-" ]] && service="--dport ${service}"
+ ([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
+ ([[ ${service != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
 [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
 [[ ${interface} != "-" ]] && interface="-i ${interface}"
+ [[ ${address} != "-" ]] && srcaddress="-d ${address}"
 [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
- ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${srcaddress}"
+ ${debug} ${DebugColor} 
"${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${address} ${srcaddress}"
 # Blank variables that we're not going to use.
 [[ ${interface} == "-" ]] && interface=""
+ [[ ${address} == "-" ]] && address=""
 [[ ${srcaddress} == "-" ]] && srcaddress=""
- ${VER_IPTABLES} -A ${InFilter} ${interface} ${address} ${protocol} ${port} ${conntrack_state} -j ACCEPT
+ ${VER_IPTABLES} -A ${InFilter} ${service} ${protocol} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
 done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"