bbruns@gmail.com 2014-03-30 19:36:55 +00:00
parent 9062c1a6c7
commit 8e9f9638ad
4 changed files with 30 additions and 3 deletions


@ -150,6 +150,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
[ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4 [ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4
[ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4 [ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4 [ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 ${DNSClientManualv4Servers}
fi fi
# Do IPv6 IPTables Rules # Do IPv6 IPTables Rules
@ -158,12 +159,13 @@ if [ "${EnableIPv6}" == "yes" ]; then
iptables_rules_flush ipv6 iptables_rules_flush ipv6
# Create the chain sets we'll need and the ones that can be # Create the chain sets we'll need and the ones that can be
# customized by users in their custom rules # customized by users in their custom rules
setup_iptables_chains ipv6 setup_iptables_chains ipv6
[ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6 [ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6
[ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6 [ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6
[ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6 [ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6 [ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
[ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 ${DNSClientManualv6Servers}
fi fi
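Review bot: The new `[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 ${DNSClientManualv4Servers}` line (and its IPv6 twin in the second hunk) only works because the variable is deliberately left unquoted so the space-separated list word-splits into separate arguments; a later "quote everything" cleanup would silently collapse it into one bogus address, so mark the intent with `# intentionally unquoted: splits the space-separated server list into arguments`. The guard itself depends on the name being defined, and the shipped config leaves it commented out, so if this script ever runs under `set -u` the test aborts on an unset variable; `[ -n "${DNSClientManualv4Servers:-}" ]` states the non-empty check explicitly and tolerates the unset case. Both enclosing `if` blocks begin before their hunks.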


@ -33,5 +33,7 @@ Enablev4MSSClamp="yes"
DNSClientUsev4ResolvConf="yes" DNSClientUsev4ResolvConf="yes"
ResolvConfv4File="/etc/resolv.conf" ResolvConfv4File="/etc/resolv.conf"
# Uncomment below if you set above to no. # Uncomment below if you set above to no. You can still manually define your servers
# here if you want. Useful at times.
# Values: space separated IP list of DNS servers
#DNSClientManualv4Servers="" #DNSClientManualv4Servers=""


@ -33,5 +33,7 @@ Enablev6MSSClamp="yes"
DNSClientUsev6ResolvConf="yes" DNSClientUsev6ResolvConf="yes"
ResolvConfv6File="/etc/resolv.conf" ResolvConfv6File="/etc/resolv.conf"
# Uncomment below if you set above to no. # Uncomment below if you set above to no. You can still manually define your servers
# here if you want. Useful at times.
# Values: space separated IP list of DNS servers
#DNSClientManualv6Servers="" #DNSClientManualv6Servers=""


@ -206,4 +206,25 @@ function allow_resolvconf_servers {
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT ${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT ${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
done < "${ResolvConfFile}" done < "${ResolvConfFile}"
${debug} ${DebugColor} "${FUNCNAME}: done"
}
function allow_dnsclient_manual {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
DNS_SERVERS="$2-"
${debug} ${DebugColor} "${FUNCNAME}: loading"
for i in ${DNS_SERVERS}; do
${debug} ${DebugColor} "${FUNCNAME}: Added ${i} to DNS client trusted list"
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
done
${debug} ${DebugColor} "${FUNCNAME}: done"
} }
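Review bot: `DNS_SERVERS="$2-"` in allow_dnsclient_manual keeps only the first positional server and appends a literal `-` to it, so a config of `8.8.8.8 8.8.4.4` produces a single loop iteration that runs iptables with `-s 8.8.8.8-`, which is not a valid address and leaves the second server without a rule; since the callers pass the word-split list as separate arguments, the function should consume everything after the version, e.g. `shift` followed by `DNS_SERVERS="$*"` (or `DNS_SERVERS="${*:2}"`). `IPVER` is assigned in the case statement but never read within the hunk. The rules also copy allow_resolvconf_servers in putting the server address in `-s` on the OutPreRules rule and `-d` on the InPreRules rule; if those chains hang off OUTPUT and INPUT as their names suggest, the direction looks inverted (the resolver is the destination of an outbound query and the source of the reply), but because the existing function does the same this may be intentional — worth confirming before the pattern is copied again.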