More code to support ipv* allowed files

master
bbruns 12 years ago
parent 3056ae4d19
commit 026185195b
  1. 51
      bin/firewall-sosdg
  2. 7
      conf/ipv6-allowed.default
  3. 5
      options.default

@ -943,6 +943,57 @@ fi
display_c YELLOW "Loading custom IPv6 allowed port rules..."
. "$BASEDIR/include/ipv6_custom_allowedports"
fi
if [ "$IPV6_ALLOWED" ]; then
display_c YELLOW "Adding allowed IPv6 IPs and ports... "
for i in `grep -v "\#" $IPV6_ALLOWED`; do
if [[ "$i" =~ "|" ]]; then
IFS_OLD=${IFS};IFS=\|
ADVALLOWIP=($i)
IFS=${IFS_OLD}
SRCIF=${ADVALLOWIP[0]}
SRCIP=${ADVALLOWIP[1]}
SRCPORT=${ADVALLOWIP[2]}
DSTIF=${ADVALLOWIP[3]}
DSTIP=${ADVALLOWIP[4]}
DSTPORT=${ADVALLOWIP[5]}
DIRECTION=${ADVALLOWIP[6]}
PROTO=${ADVALLOWIP[7]}
if [ "$SRCIF" ]; then
SRCIF="-i ${SRCIF} "
fi
if [ "$SRCIP" ]; then
SRCIP="-s ${SRCIP} "
fi
if [ "$SRCPORT" ]; then
SRCPORT="--sport ${SRCPORT/-/:} "
fi
if [ "$DSTIF" ]; then
DSTIF="-o ${DSTIF} "
fi
if [ "$DSTIP" ]; then
DSTIP="-d ${DSTIP} "
fi
if [ "$DSTPORT" ]; then
DSTPORT="--dport ${DSTPORT/-/:} "
fi
if [ "$PROTO" ]; then
case $PROTO in
TCP|tcp) PROTO="-p tcp";;
UDP|udp) PROTO="-p udp";;
*) PROTO="-p ${PROTO}";;
esac
fi
case $DIRECTION in
IN) DIRECTION="INPUT" ;;
OUT) DIRECTION="OUTPUT" ;;
FWD) DIRECTION="FORWARD" ;;
*) DIRECTION="INPUT" ;;
esac
${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
fi
done
fi
if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
display_c YELLOW "Adding allowed IPv6 port: " N
if [ "$IPV6_TCPPORTS" ]; then

@ -0,0 +1,7 @@
# List of IPs to allow
# One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
# <SRC IF>|<SRC IP>|<SRC PORT RNG>|<DST IF>|<DST IP>|<DST PORT RNG>|<IN/OUT/FWD>|<PROTO>
# One can leave out <SRC IF> <SRC IP> <SRC PORT RNG> <DST IF> <DST IP> <DST PORT RNG>
# if you want to apply to all ports/interfaces/etc
# Example:
# eth1|::1|80|eth0|2001::1|20-21|IN|TCP

@ -238,6 +238,11 @@ IPV6_PFORWARD=DROP
#IPV6_TCPPORTS=$TCPPORTS
#IPV6_UDPPORTS=$UDPPORTS
# Allowed IPv6 IPs and ports
# this is a more advanced form of IPV6_TCPPORTS and IPV6_UDPPORTS,
# and will eventually replace it
#IPV6_ALLOWED=$BASEDIR/conf/ipv6-allowed
# IPv6 range to forward
#IPV6_FORWARDRANGE=""

Loading…
Cancel
Save