From 861f2721f1486e237d39170a85233a9edf909023 Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Sat, 5 Apr 2014 17:26:08 +0000
Subject: [PATCH] Added acl/filtering functionality
---
 ChangeLog | 1 +
 bin/srfirewall | 2 ++
 etc/ipv4.conf | 9 ++++++++-
 etc/ipv4/acl.conf | 20 ++++++++++++++++++++
 etc/ipv4/easyblock.conf | 6 +++---
 etc/ipv6.conf | 9 ++++++++-
 etc/ipv6/acl.conf | 20 ++++++++++++++++++++
 etc/ipv6/easyblock.conf | 6 +++---
 lib/iptables.inc | 18 ++++++++++++++++++
 9 files changed, 83 insertions(+), 8 deletions(-)
 create mode 100644 etc/ipv4/acl.conf
 create mode 100644 etc/ipv6/acl.conf
diff --git a/ChangeLog b/ChangeLog
index 8772c2d..23ccc54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,7 @@
 - MSS Clamping (IPv4/IPv6) - 3/30/2014
 - Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
 - Easy Block functionality (IPv4/IPv6) - 3/31/2014
+ - ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
 =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
 1.1 - Brielle Bruns
diff --git a/bin/srfirewall b/bin/srfirewall
index d32d3dc..5033c39 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -171,6 +171,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
 [ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
 [ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
 [ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
+ [ "${Enablev4Filtering}" == "yes" ] && enable_filtering ipv4
 fi
@@ -189,5 +190,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 [ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
 [ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
 [ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6
+ [ "${Enablev6Filtering}" == "yes" ] && enable_filtering ipv6
 fi
diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index 1519b95..2578dde 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -44,4 +44,11 @@ ResolvConfv4File="/etc/resolv.conf"
 # complex ACLs
 # Config file: ipv4/easyblock.conf
 # Values: no | yes (default)
-Enablev4EasyBlock="yes"
\ No newline at end of file
+Enablev4EasyBlock="yes"
+
+# Enable IPv4 filtering rules
+# This allows you to define complex access control list /
+# filtering rules.
+# Config file: ipv4/acl.conf
+# Values: no | yes (default)
+Enablev4Filtering="yes"
\ No newline at end of file
diff --git a/etc/ipv4/acl.conf b/etc/ipv4/acl.conf
new file mode 100644
index 0000000..775b6ba
--- /dev/null
+++ b/etc/ipv4/acl.conf
@@ -0,0 +1,20 @@
+# Filters / Access Control List
+# Use this file to set up more complex access control lists.
+# Use tabs or single space to separate
+#
+#
+#
+# Direction: Required ( IN | OUT )
+# Action: Required (ACCEPT | DROP)
+# Interface: Optional ( interface name, aka eth0 )
+# Src Address: Optional ( source of traffic )
+# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
+# Dst Address: Optional ( destination of traffic )
+# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
+# Protocol: Optional, Required if port is specified ( tcp | udp )
+# You can use '-' for optional fields
+#============================================================
+#
+#IN ACCEPT eth0 10.0.0.1 22 - - tcp
+#IN DROP - - - - 22 tcp
+
diff --git a/etc/ipv4/easyblock.conf b/etc/ipv4/easyblock.conf
index 781ea39..dd2dfa1 100644
--- a/etc/ipv4/easyblock.conf
+++ b/etc/ipv4/easyblock.conf
@@ -11,7 +11,7 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
-#
-#IN eth0 10.0.0.1 22 tcp
-#IN - - 22 tcp
+#
+#IN eth0 10.0.0.1 22 tcp
+#IN - - 22 tcp
diff --git a/etc/ipv6.conf b/etc/ipv6.conf
index c3066dd..bc9ad6c 100644
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -44,4 +44,11 @@ ResolvConfv6File="/etc/resolv.conf"
 # complex ACLs
 # Config file: ipv6/easyblock.conf
 # Values: no | yes (default)
-Enablev6EasyBlock="yes"
\ No newline at end of file
+Enablev6EasyBlock="yes"
+
+# Enable IPv6 filtering rules
+# This allows you to define complex access control list /
+# filtering rules.
+# Config file: ipv6/acl.conf
+# Values: no | yes (default)
+Enablev6Filtering="yes"
\ No newline at end of file
diff --git a/etc/ipv6/acl.conf b/etc/ipv6/acl.conf
new file mode 100644
index 0000000..5c3734c
--- /dev/null
+++ b/etc/ipv6/acl.conf
@@ -0,0 +1,20 @@
+# Filters / Access Control List
+# Use this file to set up more complex access control lists.
+# Use tabs or single space to separate
+#
+#
+#
+# Direction: Required ( IN | OUT )
+# Action: Required (ACCEPT | DROP)
+# Interface: Optional ( interface name, aka eth0 )
+# Src Address: Optional ( source of traffic )
+# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
+# Dst Address: Optional ( destination of traffic )
+# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
+# Protocol: Optional, Required if port is specified ( tcp | udp )
+# You can use '-' for optional fields
+#============================================================
+#
+#IN ACCEPT eth0 2002:dead:beef::/64 22 - - tcp
+#IN DROP - - - - 22 tcp
+
diff --git a/etc/ipv6/easyblock.conf b/etc/ipv6/easyblock.conf
index f6867ef..d22309b 100644
--- a/etc/ipv6/easyblock.conf
+++ b/etc/ipv6/easyblock.conf
@@ -11,6 +11,6 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
-#
-#IN eth0 2002:dead:beef::/64 22 tcp
-#IN - - 22 tcp
+#
+#IN eth0 2002:dead:beef::/64 22 tcp
+#IN - - 22 tcp
diff --git a/lib/iptables.inc b/lib/iptables.inc
index 4526ac4..df8af76 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -272,4 +272,22 @@ function enable_easyblock {
 done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 fi
+}
+
+function enable_filtering {
+ IP_VERSION=$1
+ case $IP_VERSION in
+ ipv6) VER_IPTABLES=${IP6TABLES};
+ IPVER="6" ;;
+ ipv4|*) VER_IPTABLES=${IPTABLES}
+ IPVER="4" ;;
+ esac
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+ if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
+ while read -r direction interface address port protocol; do
+
+ done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
+ fi
 }
\ No newline at end of file