Added acl/filtering functionality

7 years ago · 861f2721f1
--- a/+ 1
+++ b/+ 1
@@ -7,6 +7,7 @@
 		- MSS Clamping (IPv4/IPv6) - 3/30/2014
 		- Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
 		- Easy Block functionality (IPv4/IPv6) - 3/31/2014
 		- ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
 		
 =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
 1.1 - Brielle Bruns <bruns@2mbit.com>
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -171,6 +171,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
 	[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
 	[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
 	[ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
 	[ "${Enablev4Filtering}" == "yes" ] && enable_filtering ipv4
 	
 fi

@@ -189,5 +190,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 	[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
 	[ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
 	[ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6
 	[ "${Enablev6Filtering}" == "yes" ] && enable_filtering ipv6
 fi

--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -44,4 +44,11 @@ ResolvConfv4File="/etc/resolv.conf"
 # complex ACLs
 # Config file: ipv4/easyblock.conf
 # Values: no | yes (default)
 Enablev4EasyBlock="yes"
 Enablev4EasyBlock="yes"

 # Enable IPv4 filtering rules
 # This allows you to define complex access control list /
 # filtering rules.
 # Config file: ipv4/acl.conf
 # Values: no | yes (default)
 Enablev4Filtering="yes"
--- a/etc/ipv4/acl.conf
+++ b/etc/ipv4/acl.conf
@@ -0,0 +1,20 @@
 # Filters / Access Control List
 # Use this file to set up more complex access control lists.
 # Use tabs or single space to separate
 #
 # <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
 #
 # Direction: Required ( IN | OUT )
 # Action: Required (ACCEPT | DROP)
 # Interface: Optional ( interface name, aka eth0 )
 # Src Address: Optional ( source of traffic )
 # Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
 # Dst Address: Optional ( destination of traffic )
 # Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
 #<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
 #IN ACCEPT eth0 10.0.0.1 22	- -	tcp
 #IN DROP - - - - 22 tcp

--- a/etc/ipv4/easyblock.conf
+++ b/etc/ipv4/easyblock.conf
@@ -11,7 +11,7 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
 #<direction>	<interface>	<address>		<port> <protocol>
 #IN		eth0		10.0.0.1		22	tcp
 #IN		-		-			22	tcp
 #<dir> <interface> <address> <port> <protocol>
 #IN eth0 10.0.0.1 22 tcp
 #IN - - 22 tcp

--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -44,4 +44,11 @@ ResolvConfv6File="/etc/resolv.conf"
 # complex ACLs
 # Config file: ipv6/easyblock.conf
 # Values: no | yes (default)
 Enablev6EasyBlock="yes"
 Enablev6EasyBlock="yes"

 # Enable IPv6 filtering rules
 # This allows you to define complex access control list /
 # filtering rules.
 # Config file: ipv6/acl.conf
 # Values: no | yes (default)
 Enablev6Filtering="yes"
--- a/etc/ipv6/acl.conf
+++ b/etc/ipv6/acl.conf
@@ -0,0 +1,20 @@
 # Filters / Access Control List
 # Use this file to set up more complex access control lists.
 # Use tabs or single space to separate
 #
 # <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
 #
 # Direction: Required ( IN | OUT )
 # Action: Required (ACCEPT | DROP)
 # Interface: Optional ( interface name, aka eth0 )
 # Src Address: Optional ( source of traffic )
 # Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
 # Dst Address: Optional ( destination of traffic )
 # Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
 #<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
 #IN ACCEPT eth0 2002:dead:beef::/64 22	- -	tcp
 #IN DROP - - - - 22 tcp

--- a/etc/ipv6/easyblock.conf
+++ b/etc/ipv6/easyblock.conf
@@ -11,6 +11,6 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
 #<direction>	<interface>	<address>		<port> <protocol>
 #IN		eth0		2002:dead:beef::/64	22	tcp
 #IN		-		-			22	tcp
 #<direction> <interface> <address> <port> <protocol>
 #IN eth0 2002:dead:beef::/64 22 tcp
 #IN - - 22 tcp
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -272,4 +272,22 @@ function enable_easyblock {
 		done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi
 }

 function enable_filtering {
 	IP_VERSION=$1
 		case $IP_VERSION in
 		ipv6) VER_IPTABLES=${IP6TABLES};
 				IPVER="6" ;;
 		ipv4|*) VER_IPTABLES=${IPTABLES}
 				IPVER="4" ;;
 	esac
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
 		while read -r direction interface address port protocol; do
 	
 		done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi
 }