From 8e9f9638ad9b129a6d7918042f9675888358b258 Mon Sep 17 00:00:00 2001 From: "bbruns@gmail.com" Date: Sun, 30 Mar 2014 19:36:55 +0000 Subject: [PATCH] --- bin/srfirewall | 4 +++- etc/ipv4.conf | 4 +++- etc/ipv6.conf | 4 +++- lib/iptables.inc | 21 +++++++++++++++++++++ 4 files changed, 30 insertions(+), 3 deletions(-) diff --git a/bin/srfirewall b/bin/srfirewall index 13e9963..591e6ad 100755 --- a/bin/srfirewall +++ b/bin/srfirewall @@ -150,6 +150,7 @@ if [ "${EnableIPv4}" == "yes" ]; then [ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4 [ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4 [ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4 + [ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 ${DNSClientManualv4Servers} fi # Do IPv6 IPTables Rules @@ -158,12 +159,13 @@ if [ "${EnableIPv6}" == "yes" ]; then iptables_rules_flush ipv6 # Create the chain sets we'll need and the ones that can be - # customized by users in their custom rules + # customized by users in their custom rules setup_iptables_chains ipv6 [ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6 [ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6 [ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6 [ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6 + [ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 ${DNSClientManualv6Servers} fi diff --git a/etc/ipv4.conf b/etc/ipv4.conf index e366490..6ebc894 100644 --- a/etc/ipv4.conf +++ b/etc/ipv4.conf @@ -33,5 +33,7 @@ Enablev4MSSClamp="yes" DNSClientUsev4ResolvConf="yes" ResolvConfv4File="/etc/resolv.conf" -# Uncomment below if you set above to no. +# Uncomment below if you set above to no. You can still manually define your servers +# here if you want. Useful at times. +# Values: space separated IP list of DNS servers #DNSClientManualv4Servers="" \ No newline at end of file 
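Review bot: The added line `[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 ${DNSClientManualv4Servers}` expands the server list unquoted, so the space-separated list that etc/ipv4.conf now documents is split into several positional parameters, while allow_dnsclient_manual as added in lib/iptables.inc by this same patch reads only `$2`; every server after the first would silently get no rules. Pass the list as a single argument, `[ -n "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"`, or make the function consume all remaining arguments. The ipv6 hunk of this file has the identical issue with DNSClientManualv6Servers, and its `-`/`+` pair on the "customized by users in their custom rules" comment appears to be a whitespace-only change. The enclosing `if [ "${EnableIPv4}" == "yes" ]` block starts before the hunk.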
diff --git a/etc/ipv6.conf b/etc/ipv6.conf index dc3f5c4..4306ffa 100644 --- a/etc/ipv6.conf +++ b/etc/ipv6.conf @@ -33,5 +33,7 @@ Enablev6MSSClamp="yes" DNSClientUsev6ResolvConf="yes" ResolvConfv6File="/etc/resolv.conf" -# Uncomment below if you set above to no. +# Uncomment below if you set above to no. You can still manually define your servers +# here if you want. Useful at times. +# Values: space separated IP list of DNS servers #DNSClientManualv6Servers="" \ No newline at end of file diff --git a/lib/iptables.inc b/lib/iptables.inc index 53b99d8..5c3c0e4 100644 --- a/lib/iptables.inc +++ b/lib/iptables.inc @@ -206,4 +206,25 @@ function allow_resolvconf_servers { ${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT ${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT done < "${ResolvConfFile}" + ${debug} ${DebugColor} "${FUNCNAME}: done" +} + +function allow_dnsclient_manual { + IP_VERSION=$1 + case $IP_VERSION in + ipv6) VER_IPTABLES=${IP6TABLES}; + IPVER="6" ;; + ipv4|*) VER_IPTABLES=${IPTABLES} + IPVER="4" ;; + esac + DNS_SERVERS="$2-" + ${debug} ${DebugColor} "${FUNCNAME}: loading" + for i in ${DNS_SERVERS}; do + ${debug} ${DebugColor} "${FUNCNAME}: Added ${i} to DNS client trusted list" + ${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT + ${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT + ${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT + ${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT + done + ${debug} ${DebugColor} "${FUNCNAME}: done" } \ No newline at end of file
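Review bot: `DNS_SERVERS="$2-"` in the new allow_dnsclient_manual appends a literal `-` to the configured value, so the address reaches the `-s`/`-d` arguments of iptables with a trailing hyphen and the rule insertion fails; the hyphen looks like a typo. Since both call sites in bin/srfirewall expand the list unquoted, only the first server arrives as `$2` anyway; `DNS_SERVERS="${*:2}"` (bash, which the file already relies on through `${FUNCNAME}`) takes every argument after the IP version and works for both quoted and unquoted callers. The four-rule loop body is a copy of the one in allow_resolvconf_servers just above, so a later change to the port or chain names has to be made twice; a small helper that takes one address would keep them in step. The hunk's first three lines belong to allow_resolvconf_servers, whose body starts outside the hunk.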