From 5a2c97702dda6cb3aa5e41d89318eea2db32ea8a Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Sat, 5 Apr 2014 17:40:00 +0000
Subject: [PATCH] Actually remember to add code for support. Also, fix easyblock rules to actually drop rather then nothing.

---
 etc/ipv4/acl.conf | 2 +-
 lib/iptables.inc | 32 +++++++++++++++++++++++++++++---
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/etc/ipv4/acl.conf b/etc/ipv4/acl.conf
index 775b6ba..4e5f65d 100644
--- a/etc/ipv4/acl.conf
+++ b/etc/ipv4/acl.conf
@@ -15,6 +15,6 @@
 # You can use '-' for optional fields
 #============================================================
 #
-#IN ACCEPT eth0 10.0.0.1 22 - - tcp
+#IN ACCEPT eth0 10.0.0.1 22 - - tcp
 #IN DROP - - - - 22 tcp
diff --git a/lib/iptables.inc b/lib/iptables.inc
index df8af76..63d4f17 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -267,7 +267,7 @@ function enable_easyblock {
 [[ ${address} == "-" ]] && address=""
 [[ ${protocol} == "-" ]] && protocol=""
- ${VER_IPTABLES} -A ${chain} ${interface} ${address} ${protocol} ${port}
+ ${VER_IPTABLES} -A ${chain} ${interface} ${address} ${protocol} ${port} -j DROP
 done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
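Review bot: The exit status of the new `${VER_IPTABLES} -A ... -j DROP` line is never checked, so a rule iptables rejects is dropped silently and the loop continues; for a block list that leaves the host less restrictive than its configuration says, with nothing in the output to show it. Appending `|| ${display} RED "easyblock.conf: Error - rule rejected: ${DEFAULT_COLOR}${interface} ${address} ${protocol} ${port}"` to that command would surface the failure. The `${VER_IPTABLES} -A ... -j ${action}` line in the enable_filtering hunk below has the same gap. enable_easyblock's body continues outside the hunk on both sides.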
@@ -285,8 +285,34 @@ function enable_filtering {
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
 if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
- while read -r direction interface address port protocol; do
-
+ while read -r direction action interface srcaddress srcport dstaddress dstport protocol; do
+ [[ ${direction} = \#* ]] && continue
+ [[ ${direction} = "" ]] && continue
+ ([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
+ && ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${dstaddress} ${dstport} ${srcaddress} ${srcport} ${protocol}" && continue
+
+ # Do some creative work with variables to make building the iptables rules fairly painless
+ [[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
+ [[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
+ [[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
+ [[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
+ ([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
+ ([[ ${interface} != "-" ]] && [[ ${direction} == "OUT" ]]) && interface="-o ${interface}"
+ [[ ${direction} == "OUT" ]] && chain="${OutFilter}"
+ [[ ${direction} == "IN" ]] && chain="${InFilter}"
+ [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
+
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
+
+ # Blank variables that we're not going to use.
+ [[ ${interface} == "-" ]] && interface=""
+ [[ ${dstport} == "-" ]] && dstport=""
+ [[ ${srcport} == "-" ]] && srcport=""
+ [[ ${dstaddress} == "-" ]] && dstaddress=""
+ [[ ${srcaddress} == "-" ]] && srcaddress=""
+ [[ ${protocol} == "-" ]] && protocol=""
+
+ ${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${dstaddress} ${dstport} -j ${action}
 done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 fi
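Review bot: The `action` column goes straight into `-j ${action}` without validation, while the new guard only checks `direction`, so a mistyped target makes iptables reject the rule and the loop silently moves on to the next line. Short lines behave the same way: `read` leaves missing trailing fields empty rather than `-`, so `[[ ${dstport} != "-" ]]` and the similar tests turn them into `--dport ` / `-p ` with no value. Validating `${action}` against the targets acl.conf is meant to accept and requiring a non-empty `${protocol}` (the last field) before building the rule rejects both at parse time, as in the excerpt below. Separately, the error message echoes `${dstaddress} ${dstport} ${srcaddress} ${srcport}` in the opposite order from the columns read, which makes the reported line hard to match against the file. enable_filtering starts and ends outside this hunk.
```shell
while read -r direction action interface srcaddress srcport dstaddress dstport protocol; do
    # … unchanged: skip comment and blank lines …
    if [[ ${direction} != "IN" && ${direction} != "OUT" ]] || [[ -z ${protocol} ]]; then
        ${display} RED "acl.conf: Error - expected 8 fields beginning with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
        continue
    fi
    case ${action} in
        ACCEPT|DROP) ;;   # extend with any other targets acl.conf is meant to allow
        *)
            ${display} RED "acl.conf: Error - unknown action: ${DEFAULT_COLOR}${action}"
            continue
            ;;
    esac
    # … unchanged: option prefixes, chain selection, debug output, blanking of '-' fields, iptables call …
```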