Added services files

bbruns 2014-04-06 17:06:11 +00:00
commit 45101a1fb8
5 arquivos alterados com 64 adições e 9 exclusões


@ -47,6 +47,13 @@ ResolvConfv4File="/etc/resolv.conf"
# Values: space separated IP list of DNS servers
#DNSClientManualv4Servers=""
# Enable the Services access list
# This allows you to define services on the local
# machine that you want to be accessible to the world.
# Config file: ipv4/services.conf
# Values: no | yes (default)
Enablev4Services="yes"
# Enable the EasyBlock access list
# This is a simple/easy way to block traffic in or out,
# no complex options. Use the Filter options for more
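Review bot: The path in the new comment, `# Config file: ipv4/services.conf`, does not match the file this commit adds, `etc/ipv4/service.conf`, and the read loop in the script (changed in this same commit) also opens `services.conf`. Because `Enablev4Services` defaults to `yes`, the `done <` redirect fails on a fresh install and the loop never runs, so none of the intended service rules is installed, while the loop's own error text says `service.conf:` and points the operator at the wrong name. Either rename the committed file to `services.conf`, or change this comment, the error strings and the `done <` path to the singular together, and keep ipv4 and ipv6 spelled the same. The option list this hunk sits in starts before the hunk.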

18
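--- /dev/null
+++ b/etc/ipv4/service.conf
@@ -0,0 +1,18 @@
+# Allowed Service Rules
+# Use this file to set up which services you wish for the world to have
+# access to on your machine.
+# Use tabs or single space to separate
+#
+# <service> <protocol> <interface> <address> <srcaddress>
+#
+# Service: Required ( single or list of comma separated ports/services )
+# Protocol: Required ( tcp or udp )
+# Interface: Optional ( interface of incoming connection )
+# Address: Optional ( address of incoming connection )
+# Source Address: Optional ( address to allow connections from )
+# You can use '-' for optional fields
+#============================================================
+#<service> <protocol> <interface> <address> <srcaddress>
+#http tcp eth0 192.168.1.1 192.168.1.0/24
+ssh,http,https tcp - - -
+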
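Review bot: The one active line, `ssh,http,https tcp - - -`, accepts 22, 80 and 443 on every interface from any source, and the matching `Enablev4Services` option defaults to `yes`, so a host that installs these files exposes ssh to the whole internet before anyone has edited anything. Ship the line commented out, `#ssh,http,https tcp - - -`, so that the world-reachable set is an explicit choice, or at least give ssh a source range the way the example line above it does. The header should also state that each address field takes a single address or CIDR (it becomes one `-d` / `-s` argument in the script) and that the comma list is rendered with `-m multiport --dports`, which accepts at most 15 entries, e.g. `# Service: Required ( one port/service, or up to 15 comma separated )`.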

@ -47,6 +47,13 @@ ResolvConfv6File="/etc/resolv.conf"
# Values: space separated IP list of DNS servers
#DNSClientManualv6Servers=""
# Enable the Services access list
# This allows you to define services on the local
# machine that you want to be accessible to the world.
# Config file: ipv6/services.conf
# Values: no | yes (default)
Enablev6Services="yes"
# Enable the EasyBlock access list
# This is a simple/easy way to block traffic in or out,
# no complex options. Use the Filter options for more
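Review bot: Same mismatch as on the ipv4 side: this comment names `ipv6/services.conf`, but the committed file is `etc/ipv6/service.conf`, and the script builds its path as `ipv${IPVER}/services.conf`, so with the default `Enablev6Services="yes"` the ipv6 rules file is never read and no v6 service rule is installed. Pick one spelling and apply it to the file name, this comment and the script's path and error messages at the same time. The option block continues outside this hunk.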

18
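--- /dev/null
+++ b/etc/ipv6/service.conf
@@ -0,0 +1,18 @@
+# Allowed Service Rules
+# Use this file to set up which services you wish for the world to have
+# access to on your machine.
+# Use tabs or single space to separate
+#
+# <service> <protocol> <interface> <address> <srcaddress>
+#
+# Service: Required ( single or list of comma separated ports/services )
+# Protocol: Required ( tcp or udp )
+# Interface: Optional ( interface of incoming connection )
+# Address: Optional ( address of incoming connection )
+# Source Address: Optional ( address to allow connections from )
+# You can use '-' for optional fields
+#============================================================
+#<service> <protocol> <interface> <address> <srcaddress>
+#http tcp eth0 fc00::1 fc00::/64
+ssh,http,https tcp - - -
+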
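Review bot: As on the ipv4 side, the shipped rule `ssh,http,https tcp - - -` opens 22, 80 and 443 on all interfaces to every IPv6 source, and `Enablev6Services` defaults to `yes`, so this is an open-by-default ruleset rather than a template. I would commit it as `#ssh,http,https tcp - - -` and let the operator uncomment it, or pin ssh to a prefix as the `fc00::/64` example line shows. The header also limits the protocol field to `tcp or udp`, so ICMPv6 cannot be expressed in this file; if the rest of the script does not allow it elsewhere (not visible in this commit), neighbour discovery and PMTU may break once the chain is populated, so a comment saying where ICMPv6 is handled would help the reader.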

@ -309,8 +309,8 @@ function enable_filtering {
[[ ${direction} = "" ]] && continue
([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
&& ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]]) \
&& ${display} RED "acl.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]] && [[ ${action} != "REJECT" ]]) \
&& ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
# Do some creative work with variables to make building the iptables rules fairly painless
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
@ -322,6 +322,7 @@ function enable_filtering {
[[ ${direction} == "OUT" ]] && chain="${OutFilter}"
[[ ${direction} == "IN" ]] && chain="${InFilter}"
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
[[ ${action} == "REJECT" ]] && action="REJECT --reject-with tcp-reset"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
@ -450,27 +451,31 @@ function enable_services {
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
while read -r service protocol interface srcaddress; do
while read -r service protocol interface address srcaddress; do
multiport="no"
[[ ${service} = \#* ]] && continue
[[ ${service} = "" ]] && continue
[[ ${service} == "-" ]] \
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
[[ ${protocol} == "-" ]] \
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
[[ ${service} =~ "," ]] && multiport="yes"
# Do some creative work with variables to make building the iptables rules fairly painless
[[ ${service} != "-" ]] && service="--dport ${service}"
([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
([[ ${service != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
[[ ${interface} != "-" ]] && interface="-i ${interface}"
[[ ${address} != "-" ]] && srcaddress="-d ${address}"
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${srcaddress}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${address} ${srcaddress}"
# Blank variables that we're not going to use.
[[ ${interface} == "-" ]] && interface=""
[[ ${address} == "-" ]] && address=""
[[ ${srcaddress} == "-" ]] && srcaddress=""
${VER_IPTABLES} -A ${InFilter} ${interface} ${address} ${protocol} ${port} ${conntrack_state} -j ACCEPT
${VER_IPTABLES} -A ${InFilter} ${service} ${protocol} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
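Review bot: The new multiport line in enable_services, `([[ ${service != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"`, is missing the closing brace after `service`, so bash cannot parse it (the open `${` swallows text until the next `}`), the damage is not confined to this one rule, and the `ssh,http,https` default shipped alongside is exactly the multiport case; it should read `[[ ${service} != "-" ]]`. Just below, the destination address is assigned to the wrong variable, `srcaddress="-d ${address}"`: the `-s` restriction read from the file is overwritten and `${address}` reaches ip(6)tables as a bare token, so a rule like the `192.168.1.1 192.168.1.0/24` example is refused and neither restriction takes effect; that line should be `address="-d ${address}"`. The loop also reads `services.conf` while the files added in this commit are named `service.conf`, so with the Enablev*Services defaults of `yes` nothing is installed until one side is renamed. In enable_filtering, `--reject-with tcp-reset` is appended for every REJECT, but ip(6)tables only accepts that option with `-p tcp`, so a udp or protocol-less REJECT line is refused and the traffic it was meant to block is left to the chain's default; guard it with `[[ ${action} == "REJECT" && ${protocol} == "-p tcp" ]] && action="REJECT --reject-with tcp-reset"`. Both functions start before their hunks, and the enable_services hunk appears to continue past the last visible line.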