Advanced blocking added

ChangeLog

@@ -6,6 +6,9 @@
 	- Cleanups
 	- No longer display list of blocked IPs, considering if they are
 	  as long as my list is, they'll take 4 pages to display...
+	- New block file format, much more capable now, thanks to
+	  an hour or two of improving my bash scripting skills to the
+	  point where I can do more complex breakdowns of formats
 
 0.9.7 - Brielle Bruns <bruns@2mbit.com>
 	- Support for marking packets, uses new config file and

bin/firewall-sosdg

@@ -139,8 +139,54 @@ if [ $BLOCKEDIP ]; then
 	display_c YELLOW "Adding blocked IPs... "
 	for i in `grep -v "\#" $BLOCKEDIP`; do
 		#echo -n "$i "
-		$IPTABLES -A INPUT -s $i -j DROP
+		if [[ "$i" =~ ":" ]]; then
-		$IPTABLES -A OUTPUT -d $i -j DROP
+			IFS_OLD=${IFS};IFS=:
+			ADVBLKIP=($BLOCK)
+			IFS=${IFS_OLD}
+			SRCIF=${ADVBLKIP[0]}
+			SRCIP=${ADVBLKIP[1]}
+			SRCPORT=${ADVBLKIP[2]}
+			DSTIF=${ADVBLKIP[3]}
+			DSTIP=${ADVBLKIP[4]}
+			DSTPORT=${ADVBLKIP[5]}
+			DIRECTION=${ADVBLKIP[6]}
+			PROTO=${ADVBLKIP[7]}
+			if [ "$SRCIF" ]; then
+				SRCIF="-i ${SRCIF} "
+			fi
+			if [ "$SRCIP" ]; then
+				SRCIP="-s ${SRCIP} "
+			fi
+			if [ "$SRCPORT" ]; then
+				SRCPORT="--sport ${SRCPORT/-/:} "
+			fi
+			if [ "$DSTIF" ]; then
+				DSTIF="-o ${DSTIF} "
+			fi
+			if [ "$DSTIP" ]; then
+				DSTIP="-d ${DSTIP} "
+			fi
+			if [ "$DSTPORT" ]; then
+				DSTPORT="--dport ${DSTPORT/-/:} "
+			fi
+			if [ "$PROTO" ]; then
+				case $PROTO in
+					TCP|tcp) PROTO="-p tcp";;
+					UDP|udp) PROTO="-p udp";;
+					*) PROTO="-p ${PROTO}";;
+				esac
+			fi
+			case $DIRECTION in
+				IN) DIRECTION="INPUT" ;;
+				OUT) DIRECTION="OUTPUT" ;;
+				FWD) DIRECTION="FORWARD" ;;
+				*) DIRECTION="INPUT" ;;
+			esac
+			${IPTABLES} -A ${DIRECTION} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} ${PROTO} -j DROP"
+		else
+			$IPTABLES -A INPUT -s $i -j DROP
+			$IPTABLES -A OUTPUT -d $i -j DROP
+		fi
 	done
 fi
 
@@ -385,7 +431,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_portforward" ]; then
 	. "$BASEDIR/include/ipv4_custom_portforward"
 fi
 
-if [ $PORTFW ] && [ $NAT ]; then
+if [ "$PORTFW" ] && [ "$NAT" ]; then
 	display_c YELLOW "Adding port forward for:"
 	for i in `grep -v "\#" $PORTFW`; do
 		PORTADD=( ${i//:/ } )

blocked.default

@@ -1 +0,0 @@
-# List of IPs to block outright

ipv4-blocked.default

@@ -0,0 +1,10 @@
+# List of IPs to block outright
+# Two formats:
+# 1) One IP or range per line
+# 2) One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8)
+#		<SRC IF>:<SRC IP>:<SRC PORT RNG>:<DST IF>:<DST IP>:<DST PORT RNG>:<IN/OUT/FWD>:<PROTO>
+# One can leave out <SRC IF> <SRC IP> <SRC PORT RNG> <DST IF> <DST IP> <DST PORT RNG> 
+# if you want to apply to all ports/interfaces/etc
+# Example:
+# - Block SRC of eth1 192.168.0.5:80 from contacting DST eth0 192.168.1.10:20 through 21, TCP
+#  eth1:192.168.0.5:80:eth0:192.168.1.10:20-21:IN:TCP

options.default

@@ -89,9 +89,11 @@ HACK_IPV4="NS-IN-DDOS"
 #NAT_RANGE=
 
 # IP Ranges to block all traffic incoming/outgoing
-BLOCKEDIP=$BASEDIR/blocked
+# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
+BLOCKEDIP=$BASEDIR/ipv4-blocked
 
 # Block outgoing traffic on these TCP/UDP ports
+# Obsoleted: Use BLOCKEDIP above in new format.  Going away in 1.0
 #BLOCKTCPPORTS="6881"
 #BLOCKUDPPORTS="6881"