Added services files
parent
6f02247422
commit
45101a1fb8
|
@ -47,6 +47,13 @@ ResolvConfv4File="/etc/resolv.conf"
|
||||||
# Values: space separated IP list of DNS servers
|
# Values: space separated IP list of DNS servers
|
||||||
#DNSClientManualv4Servers=""
|
#DNSClientManualv4Servers=""
|
||||||
|
|
||||||
|
# Enable the Services access list
|
||||||
|
# This allows you to define services on the local
|
||||||
|
# machine that you want to be accessible to the world.
|
||||||
|
# Config file: ipv4/services.conf
|
||||||
|
# Values: no | yes (default)
|
||||||
|
Enablev4Services="yes"
|
||||||
|
|
||||||
# Enable the EasyBlock access list
|
# Enable the EasyBlock access list
|
||||||
# This is a simple/easy way to block traffic in or out,
|
# This is a simple/easy way to block traffic in or out,
|
||||||
# no complex options. Use the Filter options for more
|
# no complex options. Use the Filter options for more
|
||||||
|
|
|
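Review bot: `Enablev4Services="yes"` ships enabled by default while the ipv4/services.conf added in this same commit contains an active `ssh,http,https tcp - - -` rule, so a fresh install accepts SSH, HTTP and HTTPS from any source on any interface the moment the firewall starts. A safer default is opt-in: either make this `Enablev4Services="no"` with the comment `# Values: no (default) | yes`, or keep it enabled but ship services.conf with that rule commented out so nothing is opened until the administrator lists a service. Whichever is chosen, the comment block above should say that a listed service is reachable from every source unless a srcaddress is given, since that is the property an operator needs to know before turning this on. The ipv6 counterpart in this commit has the same default.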
@ -0,0 +1,18 @@
|
||||||
|
# Allowed Service Rules
|
||||||
|
# Use this file to set up which services you wish for the world to have
|
||||||
|
# access to on your machine.
|
||||||
|
# Use tabs or single space to separate
|
||||||
|
#
|
||||||
|
# <service> <protocol> <interface> <address> <srcaddress>
|
||||||
|
#
|
||||||
|
# Service: Required ( single or list of comma separated ports/services )
|
||||||
|
# Protocol: Required ( tcp or udp )
|
||||||
|
# Interface: Optional ( interface of incoming connection )
|
||||||
|
# Address: Optional ( address of incoming connection )
|
||||||
|
# Source Address: Optional ( address to allow connections from )
|
||||||
|
# You can use '-' for optional fields
|
||||||
|
#============================================================
|
||||||
|
#<service> <protocol> <interface> <address> <srcaddress>
|
||||||
|
#http tcp eth0 192.168.1.1 192.168.1.0/24
|
||||||
|
ssh,http,https tcp - - -
|
||||||
|
|
|
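Review bot: The uncommented last line `ssh,http,https tcp - - -` is a live rule, not an example, and with `-` in the interface, address and srcaddress fields it opens ports 22, 80 and 443 to every source as soon as the services list is enabled. I would ship it as `#ssh,http,https tcp - - -` next to the existing `#http tcp eth0 192.168.1.1 192.168.1.0/24` example and let the administrator uncomment what the host actually runs. It is also worth stating in the header that `-` means "any", e.g. `# Source Address: Optional ( address to allow connections from; '-' = any )`, because an empty srcaddress is the difference between a host-restricted port and a world-open one.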
@ -47,6 +47,13 @@ ResolvConfv6File="/etc/resolv.conf"
|
||||||
# Values: space separated IP list of DNS servers
|
# Values: space separated IP list of DNS servers
|
||||||
#DNSClientManualv6Servers=""
|
#DNSClientManualv6Servers=""
|
||||||
|
|
||||||
|
# Enable the Services access list
|
||||||
|
# This allows you to define services on the local
|
||||||
|
# machine that you want to be accessible to the world.
|
||||||
|
# Config file: ipv6/services.conf
|
||||||
|
# Values: no | yes (default)
|
||||||
|
Enablev6Services="yes"
|
||||||
|
|
||||||
# Enable the EasyBlock access list
|
# Enable the EasyBlock access list
|
||||||
# This is a simple/easy way to block traffic in or out,
|
# This is a simple/easy way to block traffic in or out,
|
||||||
# no complex options. Use the Filter options for more
|
# no complex options. Use the Filter options for more
|
||||||
|
|
|
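Review bot: `Enablev6Services="yes"` makes the IPv6 services list active by default, and the ipv6/services.conf added in this commit ships with an uncommented `ssh,http,https tcp - - -` rule, so the same ports are opened to every IPv6 source on every interface without any administrator action. Defaulting this to `"no"` and documenting it as `# Values: no (default) | yes` keeps the firewall closed until a service is deliberately listed; if it stays `"yes"`, the shipped rule should be commented out instead.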
@ -0,0 +1,18 @@
|
||||||
|
# Allowed Service Rules
|
||||||
|
# Use this file to set up which services you wish for the world to have
|
||||||
|
# access to on your machine.
|
||||||
|
# Use tabs or single space to separate
|
||||||
|
#
|
||||||
|
# <service> <protocol> <interface> <address> <srcaddress>
|
||||||
|
#
|
||||||
|
# Service: Required ( single or list of comma separated ports/services )
|
||||||
|
# Protocol: Required ( tcp or udp )
|
||||||
|
# Interface: Optional ( interface of incoming connection )
|
||||||
|
# Address: Optional ( address of incoming connection )
|
||||||
|
# Source Address: Optional ( address to allow connections from )
|
||||||
|
# You can use '-' for optional fields
|
||||||
|
#============================================================
|
||||||
|
#<service> <protocol> <interface> <address> <srcaddress>
|
||||||
|
#http tcp eth0 fc00::1 fc00::/64
|
||||||
|
ssh,http,https tcp - - -
|
||||||
|
|
|
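Review bot: The header says `# You can use '-' for optional fields` but never says that the fields are positional and must all be present; the enable_services loop added further down in this commit reads each line with `read -r service protocol interface address srcaddress`, so a shorter rule such as `http tcp` leaves address and srcaddress empty rather than `-`, and the script's `!= "-"` tests then treat them as set. I would change the line to `# Every field must be present; write '-' for an optional field you do not want to restrict (interface, address, srcaddress)`. The same wording belongs in the ipv4 file.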
@ -309,8 +309,8 @@ function enable_filtering {
|
||||||
[[ ${direction} = "" ]] && continue
|
[[ ${direction} = "" ]] && continue
|
||||||
([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
|
([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
|
||||||
&& ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
|
&& ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
|
||||||
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]]) \
|
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]] && [[ ${action} != "REJECT" ]]) \
|
||||||
&& ${display} RED "acl.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
|
&& ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}" && continue
|
||||||
|
|
||||||
# Do some creative work with variables to make building the iptables rules fairly painless
|
# Do some creative work with variables to make building the iptables rules fairly painless
|
||||||
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||||
|
@ -322,6 +322,7 @@ function enable_filtering {
|
||||||
[[ ${direction} == "OUT" ]] && chain="${OutFilter}"
|
[[ ${direction} == "OUT" ]] && chain="${OutFilter}"
|
||||||
[[ ${direction} == "IN" ]] && chain="${InFilter}"
|
[[ ${direction} == "IN" ]] && chain="${InFilter}"
|
||||||
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
||||||
|
[[ ${action} == "REJECT" ]] && action="REJECT --reject-with tcp-reset"
|
||||||
|
|
||||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
|
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
|
||||||
|
|
||||||
|
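Review bot: `action="REJECT --reject-with tcp-reset"` is applied to every REJECT rule regardless of protocol, but iptables only accepts the tcp-reset reject type on a rule that matches `-p tcp`; a REJECT line for `udp` or with protocol `-` will make the iptables call fail, and because no exit status is checked here that rule is silently not installed. Since `${protocol}` has already been rewritten to `-p ${protocol}` on the line above, gate the reset type on it: `[[ ${action} == "REJECT" && ${protocol} == "-p tcp" ]] && action="REJECT --reject-with tcp-reset"`, leaving plain `REJECT` (the default ICMP/ICMPv6 port-unreachable) for everything else. enable_filtering starts and ends outside this hunk.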
@ -450,27 +451,31 @@ function enable_services {
|
||||||
use_conntrack="no"
|
use_conntrack="no"
|
||||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
|
||||||
while read -r service protocol interface srcaddress; do
|
while read -r service protocol interface address srcaddress; do
|
||||||
|
multiport="no"
|
||||||
[[ ${service} = \#* ]] && continue
|
[[ ${service} = \#* ]] && continue
|
||||||
[[ ${service} = "" ]] && continue
|
[[ ${service} = "" ]] && continue
|
||||||
[[ ${service} == "-" ]] \
|
[[ ${service} == "-" ]] \
|
||||||
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
|
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||||
[[ ${protocol} == "-" ]] \
|
[[ ${protocol} == "-" ]] \
|
||||||
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${srcaddress}" && continue
|
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||||
|
[[ ${service} =~ "," ]] && multiport="yes"
|
||||||
# Do some creative work with variables to make building the iptables rules fairly painless
|
# Do some creative work with variables to make building the iptables rules fairly painless
|
||||||
[[ ${service} != "-" ]] && service="--dport ${service}"
|
([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
|
||||||
|
([[ ${service != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
|
||||||
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
||||||
[[ ${interface} != "-" ]] && interface="-i ${interface}"
|
[[ ${interface} != "-" ]] && interface="-i ${interface}"
|
||||||
|
[[ ${address} != "-" ]] && srcaddress="-d ${address}"
|
||||||
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
|
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
|
||||||
|
|
||||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${srcaddress}"
|
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${interface} ${address} ${srcaddress}"
|
||||||
|
|
||||||
# Blank variables that we're not going to use.
|
# Blank variables that we're not going to use.
|
||||||
[[ ${interface} == "-" ]] && interface=""
|
[[ ${interface} == "-" ]] && interface=""
|
||||||
|
[[ ${address} == "-" ]] && address=""
|
||||||
[[ ${srcaddress} == "-" ]] && srcaddress=""
|
[[ ${srcaddress} == "-" ]] && srcaddress=""
|
||||||
|
|
||||||
${VER_IPTABLES} -A ${InFilter} ${interface} ${address} ${protocol} ${port} ${conntrack_state} -j ACCEPT
|
${VER_IPTABLES} -A ${InFilter} ${service} ${protocol} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
|
||||||
|
|
||||||
done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
|
done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
|
||||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||||
|
|
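Review bot: The multiport branch `([[ ${service != "-" ]] && [[ ${multiport} == "yes" ]])` is missing the closing brace on `${service}`, so bash reports a bad substitution for every comma-separated service line; the rewrite to `-m multiport --dports` never happens and the shipped default `ssh,http,https tcp - - -` reaches iptables as a bare token and is rejected. Two lines later `[[ ${address} != "-" ]] && srcaddress="-d ${address}"` writes the destination match into srcaddress instead of address, so a set address is passed to iptables as a bare IP while the real source filter is overwritten, or the `-d` is lost entirely when srcaddress is also given. The rebuilt iptables line additionally puts `${service}` (`--dport`/`--dports`) ahead of `${protocol}`, whereas iptables resolves `--dport` through the tcp/udp match extension that `-p` loads, so the old order `${protocol} ${port}` should be kept, and fields omitted from the end of a line arrive empty rather than `-`, which turns into `-s ` with no argument. The rewrite below fixes all four; the `${service} != "-"` guards are dropped because that value is already rejected above. enable_services opens before this hunk.
```shell
# … unchanged: skip comments/blank lines, reject '-' service and protocol …
[[ ${service} =~ "," ]] && multiport="yes"
# Fields left off the end of a line are read as empty, not "-"; treat them as omitted
interface=${interface:--}
address=${address:--}
srcaddress=${srcaddress:--}
# Do some creative work with variables to make building the iptables rules fairly painless
if [[ ${multiport} == "yes" ]]; then
    service="-m multiport --dports ${service}"
else
    service="--dport ${service}"
fi
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
[[ ${interface} != "-" ]] && interface="-i ${interface}"
[[ ${address} != "-" ]] && address="-d ${address}"
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
# … unchanged: debug output, blanking of "-" fields …
# -p must precede --dport/--dports so iptables can load the matching protocol extension
${VER_IPTABLES} -A ${InFilter} ${interface} ${protocol} ${service} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
```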