diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg index afda1ba..ab10b7b 100755 --- a/bin/firewall-sosdg +++ b/bin/firewall-sosdg @@ -135,7 +135,7 @@ if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then . "$BASEDIR/include/ipv4_custom_blockip" fi -if [ $BLOCKEDIP ]; then +if [ "$BLOCKEDIP" ]; then display_c YELLOW "Adding blocked IPs... " for i in `grep -v "\#" $BLOCKEDIP`; do #echo -n "$i " @@ -562,6 +562,65 @@ if [ $IPV6 ]; then $IP6TABLES -A OUTPUT -d $i -j ACCEPT done reset_color + + if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then + display_c YELLOW "Loading custom ip block rules..." + . "$BASEDIR/include/ipv4_custom_blockip" +fi + +if [ "$BLOCKEDIPV6" ]; then + display_c YELLOW "Adding blocked IPv6 addresses... " + for i in `grep -v "\#" $BLOCKEDIPV6`; do + if [[ "$i" =~ "|" ]]; then + IFS_OLD=${IFS};IFS=\| + ADVBLKIP=($i) + IFS=${IFS_OLD} + SRCIF=${ADVBLKIP[0]} + SRCIP=${ADVBLKIP[1]} + SRCPORT=${ADVBLKIP[2]} + DSTIF=${ADVBLKIP[3]} + DSTIP=${ADVBLKIP[4]} + DSTPORT=${ADVBLKIP[5]} + DIRECTION=${ADVBLKIP[6]} + PROTO=${ADVBLKIP[7]} + if [ "$SRCIF" ]; then + SRCIF="-i ${SRCIF} " + fi + if [ "$SRCIP" ]; then + SRCIP="-s ${SRCIP} " + fi + if [ "$SRCPORT" ]; then + SRCPORT="--sport ${SRCPORT/-/:} " + fi + if [ "$DSTIF" ]; then + DSTIF="-o ${DSTIF} " + fi + if [ "$DSTIP" ]; then + DSTIP="-d ${DSTIP} " + fi + if [ "$DSTPORT" ]; then + DSTPORT="--dport ${DSTPORT/-/:} " + fi + if [ "$PROTO" ]; then + case $PROTO in + TCP|tcp) PROTO="-p tcp";; + UDP|udp) PROTO="-p udp";; + *) PROTO="-p ${PROTO}";; + esac + fi + case $DIRECTION in + IN) DIRECTION="INPUT" ;; + OUT) DIRECTION="OUTPUT" ;; + FWD) DIRECTION="FORWARD" ;; + *) DIRECTION="INPUT" ;; + esac + ${IP6TABLES} -A ${DIRECTION} ${PROTO} ${SRCIF} ${SRCIP} ${SRCPORT} ${DSTIF} ${DSTIP} ${DSTPORT} -j DROP + else + $IP6TABLES -A INPUT -s $i -j DROP + $IP6TABLES -A OUTPUT -d $i -j DROP + fi + done +fi if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then display_c YELLOW "Loading custom IPv6 MSS Clamp rules..." diff --git a/ipv6-blocked.default b/ipv6-blocked.default new file mode 100644 index 0000000..42132f7 --- /dev/null +++ b/ipv6-blocked.default @@ -0,0 +1,12 @@ +# List of IPs to block outright +# Two formats: +# 1) One IP or range per line +# 2) One ip or range per line with added specific IN/OUT/FWD and TCP/UDP port (added in 0.9.8) +# ||||||| +# One can leave out +# if you want to apply to all ports/interfaces/etc +# Example: +# - Block SRC of eth1 192.168.0.5:80 from contacting DST eth0 192.168.1.10:20 through 21, TCP +# eth1|::1|80|eth0|2001::1|20-21|IN|TCP +# Useful ones that I use at home are| +#||6881-6999|||OUT|TCP diff --git a/options.default b/options.default index b2fdf21..17d0525 100755 --- a/options.default +++ b/options.default @@ -130,6 +130,9 @@ IPV6BLOCKINCOMING=1 # Useful if clients do not have proper ipv6 firewalls. #IPV6ROUTEDCLIENTBLOCK=1 +# IPv6 Ranges to block all traffic incoming/outgoing +#BLOCKEDIPV6=$BASEDIR/ipv6-blocked + # Clamp MSS, useful on DSL/VPN links # Space separated list of interfaces to apply this on # it may be used eventually.