
Added acl/filtering functionality

tags/v2.01a1
bbruns@gmail.com 7 years ago
parent
commit
861f2721f1
9 changed files with 83 additions and 8 deletions
  1. +1
    -0
      ChangeLog
  2. +2
    -0
      bin/srfirewall
  3. +8
    -1
      etc/ipv4.conf
  4. +20
    -0
      etc/ipv4/acl.conf
  5. +3
    -3
      etc/ipv4/easyblock.conf
  6. +8
    -1
      etc/ipv6.conf
  7. +20
    -0
      etc/ipv6/acl.conf
  8. +3
    -3
      etc/ipv6/easyblock.conf
  9. +18
    -0
      lib/iptables.inc

+ 1
- 0
ChangeLog

@@ -7,6 +7,7 @@
- MSS Clamping (IPv4/IPv6) - 3/30/2014
- Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
- Easy Block functionality (IPv4/IPv6) - 3/31/2014
- ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
1.1 - Brielle Bruns <bruns@2mbit.com>


+ 2
- 0
bin/srfirewall

@@ -171,6 +171,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
[ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
[ "${Enablev4Filtering}" == "yes" ] && enable_filtering ipv4
fi

@@ -189,5 +190,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
[ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
[ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6
[ "${Enablev6Filtering}" == "yes" ] && enable_filtering ipv6
fi
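Review bot: At both call sites (this hunk and the IPv4 one at -171) enable_filtering runs after enable_easyblock, so if both helpers append their rules, an ACCEPT line in acl.conf can never override an easyblock DROP for the same traffic, because iptables stops at the first matching rule; whether the helpers append or insert is decided in lib/iptables.inc, outside this hunk. Either document the precedence next to the Enablev4Filtering/Enablev6Filtering settings, e.g. `# Note: easyblock rules are evaluated before acl.conf rules`, or order the two calls so the intended policy wins. As with the surrounding lines, a non-zero return from enable_filtering is swallowed by the `&&` chain; a trailing `|| echo "enable_filtering ipv6 failed" >&2` would at least surface a rejected ACL line.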


+ 8
- 1
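--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -44,4 +44,11 @@ ResolvConfv4File="/etc/resolv.conf"
 # complex ACLs
 # Config file: ipv4/easyblock.conf
 # Values: no | yes (default)
-Enablev4EasyBlock="yes"
+Enablev4EasyBlock="yes"
+
+# Enable IPv4 filtering rules
+# This allows you to define complex access control list /
+# filtering rules.
+# Config file: ipv4/acl.conf
+# Values: no | yes (default)
+Enablev4Filtering="yes"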

+ 20
- 0
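--- /dev/null
+++ b/etc/ipv4/acl.conf
@@ -0,0 +1,20 @@
+# Filters / Access Control List
+# Use this file to set up more complex access control lists.
+# Use tabs or single space to separate
+#
+# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#
+# Direction: Required ( IN | OUT )
+# Action: Required (ACCEPT | DROP)
+# Interface: Optional ( interface name, aka eth0 )
+# Src Address: Optional ( source of traffic )
+# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
+# Dst Address: Optional ( destination of traffic )
+# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
+# Protocol: Optional, Required if port is specified ( tcp | udp )
+# You can use '-' for optional fields
+#============================================================
+#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#IN ACCEPT eth0 10.0.0.1 22 - - tcp
+#IN DROP - - - - 22 tcp
+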
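Review bot: The header says '-' "can" be used for optional fields, but the loader reads the columns positionally, so all eight columns must be present on every rule line — a line that drops a trailing '-' shifts the remaining values into the wrong fields and changes the rule's meaning. Suggest rewording line 16 to `# Use '-' for every optional field you do not set; all eight columns are required on each line`. It would also help to state how rules are ordered (the file is read top to bottom, and if rules are appended the first matching rule wins) and whether the address columns accept CIDR notation, which the IPv6 example (`2002:dead:beef::/64`) shows but the IPv4 example does not, e.g. `#IN ACCEPT eth0 10.0.0.0/24 - - 22 tcp`; whether CIDR works depends on the loader passing the address through unchanged, which is outside this file. The same applies to etc/ipv6/acl.conf.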


+ 3
- 3
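--- a/etc/ipv4/easyblock.conf
+++ b/etc/ipv4/easyblock.conf
@@ -11,7 +11,7 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
-#<direction> <interface> <address> <port> <protocol>
-#IN eth0 10.0.0.1 22 tcp
-#IN - - 22 tcp
+#<dir> <interface> <address> <port> <protocol>
+#IN eth0 10.0.0.1 22 tcp
+#IN - - 22 tcp
 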


+ 8
- 1
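--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -44,4 +44,11 @@ ResolvConfv6File="/etc/resolv.conf"
 # complex ACLs
 # Config file: ipv6/easyblock.conf
 # Values: no | yes (default)
-Enablev6EasyBlock="yes"
+Enablev6EasyBlock="yes"
+
+# Enable IPv6 filtering rules
+# This allows you to define complex access control list /
+# filtering rules.
+# Config file: ipv6/acl.conf
+# Values: no | yes (default)
+Enablev6Filtering="yes"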

+ 20
- 0
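--- /dev/null
+++ b/etc/ipv6/acl.conf
@@ -0,0 +1,20 @@
+# Filters / Access Control List
+# Use this file to set up more complex access control lists.
+# Use tabs or single space to separate
+#
+# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#
+# Direction: Required ( IN | OUT )
+# Action: Required (ACCEPT | DROP)
+# Interface: Optional ( interface name, aka eth0 )
+# Src Address: Optional ( source of traffic )
+# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
+# Dst Address: Optional ( destination of traffic )
+# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
+# Protocol: Optional, Required if port is specified ( tcp | udp )
+# You can use '-' for optional fields
+#============================================================
+#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#IN ACCEPT eth0 2002:dead:beef::/64 22 - - tcp
+#IN DROP - - - - 22 tcp
+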


+ 3
- 3
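--- a/etc/ipv6/easyblock.conf
+++ b/etc/ipv6/easyblock.conf
@@ -11,6 +11,6 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
-#<direction> <interface> <address> <port> <protocol>
-#IN eth0 2002:dead:beef::/64 22 tcp
-#IN - - 22 tcp
+#<direction> <interface> <address> <port> <protocol>
+#IN eth0 2002:dead:beef::/64 22 tcp
+#IN - - 22 tcp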

+ 18
- 0
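--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -272,4 +272,22 @@ function enable_easyblock {
 done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 fi
 }
+
+function enable_filtering {
+IP_VERSION=$1
+case $IP_VERSION in
+ipv6) VER_IPTABLES=${IP6TABLES};
+IPVER="6" ;;
+ipv4|*) VER_IPTABLES=${IPTABLES}
+IPVER="4" ;;
+esac
+${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
+${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
+while read -r direction interface address port protocol; do
+done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
+${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
+fi
+}
+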
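Review bot: The `while read` loop at the end of enable_filtering has an empty body (`do` immediately followed by `done`), which bash rejects as a syntax error, so sourcing lib/iptables.inc fails once this function is present and, even if it parsed, no ACL rule would ever be applied — with Enablev4Filtering and Enablev6Filtering defaulting to "yes", a DROP line in acl.conf would silently give no protection. The `read` also names five fields (the easyblock layout) while acl.conf documents eight: direction, action, interface, src-address, src-port, dst-address, dst-port, protocol. The body below reads all eight columns, skips blank and comment lines, validates direction, action, protocol and the port range and port-requires-protocol rule before anything reaches `${VER_IPTABLES}`, builds the command as an array so addresses and ports are never re-split, and logs a rejected rule instead of dropping it silently; the chain names are a review guess and should follow whatever enable_easyblock targets, which is outside this hunk. Like the rest of the file, the function leaves IP_VERSION, VER_IPTABLES and IPVER global.
```shell
# … unchanged: IP_VERSION case, "loading" debug line and the -e check on acl.conf …
while read -r direction action interface src_addr src_port dst_addr dst_port protocol; do
  # blank lines and comments carry no rule; a line with fewer than eight columns leaves protocol empty
  case "${direction}" in ''|\#*) continue ;; esac
  [ -z "${protocol}" ] && { ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} skipping line with missing columns"; continue; }
  case "${direction}" in
    IN)  chain="INPUT";  ifopt="-i" ;;   # NOTE(review): align with the chains enable_easyblock uses
    OUT) chain="OUTPUT"; ifopt="-o" ;;
    *)   ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} skipping bad direction '${direction}'"; continue ;;
  esac
  case "${action}" in
    ACCEPT|DROP) ;;
    *) ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} skipping bad action '${action}'"; continue ;;
  esac
  case "${protocol}" in
    tcp|udp|-) ;;
    *) ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} skipping bad protocol '${protocol}'"; continue ;;
  esac
  # a port is an integer 1-65535 and only meaningful together with tcp or udp
  ok=1
  for p in "${src_port}" "${dst_port}"; do
    [ "${p}" = "-" ] && continue
    case "${p}" in ''|*[!0-9]*) ok=0 ;; *) [ "${p}" -ge 1 ] && [ "${p}" -le 65535 ] || ok=0 ;; esac
    [ "${protocol}" = "-" ] && ok=0
  done
  [ "${ok}" = 1 ] || { ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} skipping bad port/protocol combination"; continue; }
  rule=(-A "${chain}")
  [ "${interface}" != "-" ] && rule+=("${ifopt}" "${interface}")
  [ "${src_addr}" != "-" ]  && rule+=(-s "${src_addr}")
  [ "${dst_addr}" != "-" ]  && rule+=(-d "${dst_addr}")
  [ "${protocol}" != "-" ]  && rule+=(-p "${protocol}")
  [ "${src_port}" != "-" ]  && rule+=(--sport "${src_port}")
  [ "${dst_port}" != "-" ]  && rule+=(--dport "${dst_port}")
  rule+=(-j "${action}")
  ${VER_IPTABLES} "${rule[@]}" || ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} iptables rejected: ${rule[*]}"
done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
# … unchanged: "done" debug line, fi, closing brace …
```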
