Added acl/filtering functionality

master
bbruns@gmail.com 2014-04-05 17:26:08 +00:00
родитель 8a2f231043
Коммит 861f2721f1
9 изменённых файлов: 83 добавлений и 8 удалений


@ -7,6 +7,7 @@
- MSS Clamping (IPv4/IPv6) - 3/30/2014
- Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
- Easy Block functionality (IPv4/IPv6) - 3/31/2014
- ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
1.1 - Brielle Bruns <bruns@2mbit.com>


@ -171,6 +171,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
[ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
[ "${Enablev4Filtering}" == "yes" ] && enable_filtering ipv4
fi
@ -189,5 +190,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
[ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
[ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6
[ "${Enablev6Filtering}" == "yes" ] && enable_filtering ipv6
fi


@ -44,4 +44,11 @@ ResolvConfv4File="/etc/resolv.conf"
# complex ACLs
# Config file: ipv4/easyblock.conf
# Values: no | yes (default)
Enablev4EasyBlock="yes"
Enablev4EasyBlock="yes"
# Enable IPv4 filtering rules
# This allows you to define complex access control list /
# filtering rules.
# Config file: ipv4/acl.conf
# Values: no | yes (default)
Enablev4Filtering="yes"

etc/ipv4/acl.conf Normal file

@ -0,0 +1,20 @@
# Filters / Access Control List
# Use this file to set up more complex access control lists.
# Use tabs or single space to separate
#
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
#
# Direction: Required ( IN | OUT )
# Action: Required (ACCEPT | DROP)
# Interface: Optional ( interface name, aka eth0 )
# Src Address: Optional ( source of traffic )
# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
# Dst Address: Optional ( destination of traffic )
# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
# Protocol: Optional, Required if port is specified ( tcp | udp )
# You can use '-' for optional fields
#============================================================
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
#IN ACCEPT eth0 10.0.0.1 22 - - tcp
#IN DROP - - - - 22 tcp
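Review bot: The `Interface` field description does not say which side of the packet it matches, yet the file allows both `IN` and `OUT` rules; an interface on an `OUT` rule can only be the egress interface (iptables `-o`), while on an `IN` rule it is the ingress one (`-i`). A reader writing `OUT ACCEPT eth0 …` has no way to tell that from the header. Suggest `# Interface: Optional ( interface name, aka eth0; ingress interface for IN rules, egress interface for OUT rules )`. The ipv6/acl.conf header added in the same commit is identical and needs the same wording.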


@ -11,7 +11,7 @@
# Protocol: Optional, Required if port is specified ( tcp | udp )
# You can use '-' for optional fields
#============================================================
#<direction> <interface> <address> <port> <protocol>
#IN eth0 10.0.0.1 22 tcp
#IN - - 22 tcp
#<dir> <interface> <address> <port> <protocol>
#IN eth0 10.0.0.1 22 tcp
#IN - - 22 tcp


@ -44,4 +44,11 @@ ResolvConfv6File="/etc/resolv.conf"
# complex ACLs
# Config file: ipv6/easyblock.conf
# Values: no | yes (default)
Enablev6EasyBlock="yes"
Enablev6EasyBlock="yes"
# Enable IPv6 filtering rules
# This allows you to define complex access control list /
# filtering rules.
# Config file: ipv6/acl.conf
# Values: no | yes (default)
Enablev6Filtering="yes"

etc/ipv6/acl.conf Normal file

@ -0,0 +1,20 @@
# Filters / Access Control List
# Use this file to set up more complex access control lists.
# Use tabs or single space to separate
#
# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
#
# Direction: Required ( IN | OUT )
# Action: Required (ACCEPT | DROP)
# Interface: Optional ( interface name, aka eth0 )
# Src Address: Optional ( source of traffic )
# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
# Dst Address: Optional ( destination of traffic )
# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
# Protocol: Optional, Required if port is specified ( tcp | udp )
# You can use '-' for optional fields
#============================================================
#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
#IN ACCEPT eth0 2002:dead:beef::/64 22 - - tcp
#IN DROP - - - - 22 tcp


@ -11,6 +11,6 @@
# Protocol: Optional, Required if port is specified ( tcp | udp )
# You can use '-' for optional fields
#============================================================
#<direction> <interface> <address> <port> <protocol>
#IN eth0 2002:dead:beef::/64 22 tcp
#IN - - 22 tcp
#<direction> <interface> <address> <port> <protocol>
#IN eth0 2002:dead:beef::/64 22 tcp
#IN - - 22 tcp


@ -272,4 +272,22 @@ function enable_easyblock {
done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}
function enable_filtering {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
while read -r direction interface address port protocol; do
done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}
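Review bot: The `while read -r direction interface address port protocol; do` immediately followed by `done` has no loop body, and bash rejects an empty compound body as a syntax error, so the file that defines enable_filtering can no longer be sourced at all — which would presumably take enable_easyblock and the rest of the firewall library down with it, regardless of whether Enablev4Filtering is set. Even once a body exists, five read variables do not match the eight columns the acl.conf added in this commit documents (`<direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>`), so `interface` would receive the action and `protocol` the remainder of the line; comment and blank lines are also not skipped, and the shipped acl.conf consists only of comments. A loop that reads the documented eight fields, skips `#` lines, validates direction and action, treats an empty field like `-`, and only emits `--sport`/`--dport` together with `-p` (as the file format itself requires) is sketched below; the chain names and the way `${VER_IPTABLES}` is invoked should be checked against how enable_easyblock emits its rules, whose body lies outside the hunk.
```shell
while read -r direction action interface src_addr src_port dst_addr dst_port protocol; do
  # Skip blank lines and comments; the shipped acl.conf is entirely comments.
  case "${direction}" in ''|\#*) continue ;; esac
  case "${direction}" in
    IN)  chain="INPUT";  iface_opt="-i" ;;   # TODO(review): confirm chains used elsewhere in the script
    OUT) chain="OUTPUT"; iface_opt="-o" ;;
    *)   ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} bad direction '${direction}', skipping"; continue ;;
  esac
  case "${action}" in
    ACCEPT|DROP) ;;
    *) ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} bad action '${action}', skipping"; continue ;;
  esac
  rule=(-A "${chain}")
  # An empty optional field is treated the same as the documented '-' placeholder.
  [ "${interface:-"-"}" != "-" ] && rule+=("${iface_opt}" "${interface}")
  [ "${src_addr:-"-"}" != "-" ]  && rule+=(-s "${src_addr}")
  [ "${dst_addr:-"-"}" != "-" ]  && rule+=(-d "${dst_addr}")
  if [ "${protocol:-"-"}" != "-" ]; then
    rule+=(-p "${protocol}")
    [ "${src_port:-"-"}" != "-" ] && rule+=(--sport "${src_port}")
    [ "${dst_port:-"-"}" != "-" ] && rule+=(--dport "${dst_port}")
  elif [ "${src_port:-"-"}" != "-" ] || [ "${dst_port:-"-"}" != "-" ]; then
    # The file format says a port requires a protocol; refuse rather than emit a broken rule.
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} port without protocol, skipping"; continue
  fi
  ${VER_IPTABLES} "${rule[@]}" -j "${action}"
done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
```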