Added services files
parent
6f02247422
commit
45101a1fb8
|
@ -47,6 +47,13 @@ ResolvConfv4File="/etc/resolv.conf"
|
|||
# Values: space separated IP list of DNS servers
|
||||
#DNSClientManualv4Servers=""
|
||||
|
||||
# Enable the Services access list
|
||||
# This allows you to define services on the local
|
||||
# machine that you want to be accessible to the world.
|
||||
# Config file: ipv4/services.conf
|
||||
# Values: no | yes (default)
|
||||
Enablev4Services="yes"
|
||||
|
||||
# Enable the EasyBlock access list
|
||||
# This is a simple/easy way to block traffic in or out,
|
||||
# no complex options. Use the Filter options for more
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
# Allowed Service Rules
|
||||
# Use this file to set up which services you wish for the world to have
|
||||
# access to on your machine.
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <service> <protocol> <interface> <address> <srcaddress>
|
||||
#
|
||||
# Service: Required ( single or list of comma separated ports/services )
|
||||
# Protocol: Required ( tcp or udp )
|
||||
# Interface: Optional ( interface of incoming connection )
|
||||
# Address: Optional ( address of incoming connection )
|
||||
# Source Address: Optional ( address to allow connections from )
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<service> <protocol> <interface> <address> <srcaddress>
|
||||
#http tcp eth0 192.168.1.1 192.168.1.0/24
|
||||
ssh,http,https tcp - - -
|
||||
|
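Review bot: The only uncommented line, `ssh,http,https tcp - - -`, opens those three services on every interface from any source address, and because the companion ipv4.conf change defaults `Enablev4Services="yes"` this rule is active on first run without the operator editing anything. For a world-facing allow list it would be safer to ship the line commented out like the `#http tcp eth0 192.168.1.1 192.168.1.0/24` example above it, or to add a comment such as `# '-' in the <srcaddress> column means connections are accepted from ANY source` so the exposure is explicit. The field description could also say that the comma-separated form is what triggers the multiport match in the firewall script, since that is the only reason the separator matters. The ipv6 services.conf further down ships the same unrestricted default rule and would benefit from the same treatment.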
|
@ -47,6 +47,13 @@ ResolvConfv6File="/etc/resolv.conf"
|
|||
# Values: space separated IP list of DNS servers
|
||||
#DNSClientManualv6Servers=""
|
||||
|
||||
# Enable the Services access list
|
||||
# This allows you to define services on the local
|
||||
# machine that you want to be accessible to the world.
|
||||
# Config file: ipv6/services.conf
|
||||
# Values: no | yes (default)
|
||||
Enablev6Services="yes"
|
||||
|
||||
# Enable the EasyBlock access list
|
||||
# This is a simple/easy way to block traffic in or out,
|
||||
# no complex options. Use the Filter options for more
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
# Allowed Service Rules
|
||||
# Use this file to set up which services you wish for the world to have
|
||||
# access to on your machine.
|
||||
# Use tabs or single space to separate
|
||||
#
|
||||
# <service> <protocol> <interface> <address> <srcaddress>
|
||||
#
|
||||
# Service: Required ( single or list of comma separated ports/services )
|
||||
# Protocol: Required ( tcp or udp )
|
||||
# Interface: Optional ( interface of incoming connection )
|
||||
# Address: Optional ( address of incoming connection )
|
||||
# Source Address: Optional ( address to allow connections from )
|
||||
# You can use '-' for optional fields
|
||||
#============================================================
|
||||
#<service> <protocol> <interface> <address> <srcaddress>
|
||||
#http tcp eth0 fc00::1 fc00::/64
|
||||
ssh,http,https tcp - - -
|
||||
|
|
@ -309,8 +309,8 @@ function enable_filtering {
|
|||
[[ ${direction} = "" ]] && continue
|
||||
([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
|
||||
&& ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
|
||||
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]]) \
|
||||
&& ${display} RED "acl.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
|
||||
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]] && [[ ${action} != "REJECT" ]]) \
|
||||
&& ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
|
||||
|
||||
# Do some creative work with variables to make building the iptables rules fairly painless
|
||||
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
|
@ -322,6 +322,7 @@ function enable_filtering {
|
|||
[[ ${direction} == "OUT" ]] && chain="${OutFilter}"
|
||||
[[ ${direction} == "IN" ]] && chain="${InFilter}"
|
||||
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
||||
[[ ${action} == "REJECT" ]] && action="REJECT --reject-with tcp-reset"
|
||||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
|
||||
|
||||
|
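Review bot: `[[ ${action} == "REJECT" ]] && action="REJECT --reject-with tcp-reset"` at the end of the second hunk is applied to every REJECT entry, but iptables only accepts `tcp-reset` together with `-p tcp`, so an acl.conf REJECT line whose protocol is udp or `-` makes the iptables call fail and the traffic it was meant to reject is not filtered at all. Since the line above has already rewritten the protocol to `-p ${protocol}`, the guard can key on that form: `[[ ${action} == "REJECT" && ${protocol} == "-p tcp" ]] && action="REJECT --reject-with tcp-reset"`, leaving other protocols on plain `REJECT` (iptables' default ICMP reject). The first hunk's validation message correctly lists ACCEPT, DROP, or REJECT, but the tcp-only behaviour deserves a comment next to the assignment, e.g. `# tcp-reset is only valid with -p tcp; other protocols use the default ICMP reject`. The enable_filtering function begins and ends outside these hunks.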
@ -450,27 +451,31 @@ function enable_services {
|
|||
use_conntrack="no"
|
||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||
while read -r service protocol interface srcaddress; do
|
||||
while read -r service protocol interface address srcaddress; do
|
||||
multiport="no"
|
||||
[[ ${service} = \#* ]] && continue
|
||||
[[ ${service} = "" ]] && continue
|
||||
[[ ${service} == "-" ]] \
|
||||
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
|
||||
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||
[[ ${protocol} == "-" ]] \
|
||||
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
|
||||
|
||||
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||
[[ ${service} =~ "," ]] && multiport="yes"
|
||||
# Do some creative work with variables to make building the iptables rules fairly painless
|
||||
[[ ${service} != "-" ]] && service="--dport ${service}"
|
||||
([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
|
||||
([[ ${service != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
|
||||
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
||||
[[ ${interface} != "-" ]] && interface="-i ${interface}"
|
||||
[[ ${address} != "-" ]] && srcaddress="-d ${address}"
|
||||
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
|
||||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${srcaddress}"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${address} ${srcaddress}"
|
||||
|
||||
# Blank variables that we're not going to use.
|
||||
[[ ${interface} == "-" ]] && interface=""
|
||||
[[ ${address} == "-" ]] && address=""
|
||||
[[ ${srcaddress} == "-" ]] && srcaddress=""
|
||||
|
||||
${VER_IPTABLES} -A ${InFilter} ${interface} ${address} ${protocol} ${port} ${conntrack_state} -j ACCEPT
|
||||
${VER_IPTABLES} -A ${InFilter} ${service} ${protocol} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
|
||||
|
||||
done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||
|
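Review bot: The multiport branch `([[ ${service != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"` is missing the closing brace of `${service}`, so bash does not parse it as the intended test and the comma-separated service form that the new services.conf documents and ships by default never produces a rule; it should be `([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"`. Two lines later the destination address is stored in the wrong variable, `[[ ${address} != "-" ]] && srcaddress="-d ${address}"`, which leaves `${address}` as a bare token in the final iptables call and then gets wrapped again by the `-s` line into `-s -d ...`, so any rule with an address set fails to load; it should read `[[ ${address} != "-" ]] && address="-d ${address}"`. The rebuilt rule also places `${service}` ahead of `${protocol}`, and iptables resolves `--dport`/`--dports` from the match selected by `-p`, so the old ordering with the protocol first is the safer form: `${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT`. Nothing in the hunk checks the exit status of that iptables call, so each of these failures silently leaves a configured service closed rather than reporting it; a `|| ${display} RED "service.conf: failed to add rule: ..."` on that line would surface them. The enable_services function starts before this hunk.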
|