brielle
/
Firewall-SOSDG
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Code for IPV4_ALLOWED

master
bbruns 2011-02-22 18:43:58 +00:00
parent b5d3a8cc26
commit 3056ae4d19
4 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -2,6 +2,8 @@
- Fix location of ipv6 fi statement, moved to end of ipv6 rules - Fix location of ipv6 fi statement, moved to end of ipv6 rules
- Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options - Add default policy rules and IPV{4|6}_P{INPUT|OUTPUT|FORWARD} options
to control them. Note the difference between BLOCKINCOMING and the PINPUT variable to control them. Note the difference between BLOCKINCOMING and the PINPUT variable
- Oops, looks like my state match of allowing NEW was undoing the incoming blocks. Fixed.
- IPV4_ALLOWED and IPV6_ALLOWED which will eventually replace TCPPORTS and UDPPORTS
0.9.12 - Brielle Bruns <bruns@2mbit.com> 0.9.12 - Brielle Bruns <bruns@2mbit.com>
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to

52
bin/firewall-sosdg
View File

@ -393,7 +393,57 @@ if [ "$IPTABLES_MULTIPORT" ]; then
*) IPTABLES_MULTIPORT="no" *) IPTABLES_MULTIPORT="no"
esac esac
fi fi
if [ "$IPV4_ALLOWED" ]; then
display_c YELLOW "Adding allowed IPs and ports... "
for i in `grep -v "\#" $IPV4_ALLOWED`; do
if [[ "$i" =~ "|" ]]; then
IFS_OLD=${IFS};IFS=\|
ADVALLOWIP=($i)
IFS=${IFS_OLD}
SRCIF=${ADVALLOWIP[0]}
SRCIP=${ADVALLOWIP[1]}
SRCPORT=${ADVALLOWIP[2]}
DSTIF=${ADVALLOWIP[3]}
DSTIP=${ADVALLOWIP[4]}
DSTPORT=${ADVALLOWIP[5]}
DIRECTION=${ADVALLOWIP[6]}
PROTO=${ADVALLOWIP[7]}
if [ "$SRCIF" ]; then
SRCIF="-i ${SRCIF} "
fi
if [ "$SRCIP" ]; then
SRCIP="-s ${SRCIP} "
fi
if [ "$SRCPORT" ]; then
SRCPORT="--sport ${SRCPORT/-/:} "
fi
if [ "$DSTIF" ]; then
DSTIF="-o ${DSTIF} "
fi
if [ "$DSTIP" ]; then
DSTIP="-d ${DSTIP} "
fi
if [ "$DSTPORT" ]; then
DSTPORT="--dport ${DSTPORT/-/:} "
fi
if [ "$PROTO" ]; then
case $PROTO in
TCP|tcp) PROTO="-p tcp";;
UDP|udp) PROTO="-p udp";;
*) PROTO="-p ${PROTO}";;
esac
fi
case $DIRECTION in
IN) DIRECTION="INPUT" ;;
OUT) DIRECTION="OUTPUT" ;;
FWD) DIRECTION="FORWARD" ;;
*) DIRECTION="INPUT" ;;
esac
${IPTABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j ACCEPT
fi
done
fi
if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then if [ "$TCPPORTS" ] || [ "$UDPPORTS" ]; then
display_c YELLOW "Adding allowed port: " N display_c YELLOW "Adding allowed port: " N

8
conf/ipv4-allowed.default Normal file
View File

@ -0,0 +1,8 @@
# List of IPs to allow
# One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
# <SRC IF>|<SRC IP>|<SRC PORT RNG>|<DST IF>|<DST IP>|<DST PORT RNG>|<IN/OUT/FWD>|<PROTO>
# One can leave out <SRC IF> <SRC IP> <SRC PORT RNG> <DST IF> <DST IP> <DST PORT RNG>
# if you want to apply to all ports/interfaces/etc
# Example:
# - Allow SRC of eth1 192.168.0.5:80 from contacting DST eth0 192.168.1.10:20 through 21, TCP
# eth1|192.168.0.5|80|eth0|192.168.1.10|20-21|IN|TCP

5
options.default
View File

@ -119,6 +119,11 @@ TRUSTEDIP="127.0.0.1"
# use otherwise. # use otherwise.
DONTTRACK="127.0.0.1" DONTTRACK="127.0.0.1"
# Allowed IPs and ports
# this is a more advanced form of TCPPORTS and UDPPORTS,
# and will eventually replace it
#IPV4_ALLOWED=$BASEDIR/conf/ipv4-allowed
# Intercept IPv4 packets for use in a transparent proxy # Intercept IPv4 packets for use in a transparent proxy
#IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept #IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept