master
bbruns@gmail.com
parent
4f6b6772bf
commit
4c8d5ab520
|
|
@ -1,9 +1,10 @@
|
|||
2.00 Alpha 1
|
||||
- Complete code rewrite and restructure to solve some long standing issues with v1
|
||||
- Separate out functions into support files for easier grouping of what they do
|
||||
- Make more compatible with debian filesystem layout, including separating out into
|
||||
/etc/firewall-sosdg for configs only, /usr/sbin for actual scripts, and
|
||||
/usr/lib/firewall-sosdg for include/functions/etc that don't belong in config
|
||||
- Make more compatible with multiple disto file layouts
|
||||
- Basic functionality implemented:
|
||||
- Trusted IP source (IPv4/IPv6) - 3/30/2014
|
||||
- MSS Clamping (IPv4/IPv6) - 3/30/2014
|
||||
|
||||
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
|
||||
1.1 - Brielle Bruns <bruns@2mbit.com>
|
||||
|
|
|
|||
|
|
@ -149,6 +149,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
|
|||
[ "${AllowAllv4Loopback}" == "yes" ] && allow_all_loopback ipv4
|
||||
[ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4
|
||||
[ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
|
||||
[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
|
||||
fi
|
||||
|
||||
# Do IPv6 IPTables Rules
|
||||
|
|
@ -163,5 +164,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
|
|||
[ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6
|
||||
[ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6
|
||||
[ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
|
||||
[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -21,4 +21,17 @@ EnableTrustedv4Hosts="yes"
|
|||
# Enable MSS clamping to work around MTU size issues
|
||||
# on network links such as PPPoE and wireless
|
||||
# Config file: ipv4/mss-clamp.conf
|
||||
Enablev4MSSClamp="yes"
|
||||
# Values: no | yes (default)
|
||||
Enablev4MSSClamp="yes"
|
||||
|
||||
# Use /etc/resolv.conf as source for DNS servers that we communicate
|
||||
# with as a client. If you turn this off (recommended if on static IP),
|
||||
# then you will need to manually define the DNS servers you use.
|
||||
# Without conntrack rules allowing established/related, DNS traffic may
|
||||
# be blocked and cause issues.
|
||||
# Values: no | yes (default)
|
||||
DNSClientUsev4ResolvConf="yes"
|
||||
ResolvConfv4File="/etc/resolv.conf"
|
||||
|
||||
# Uncomment below if you set above to no.
|
||||
#DNSClientManualv4Servers=""
|
||||
|
|
@ -21,4 +21,17 @@ EnableTrustedv6Hosts="yes"
|
|||
# Enable MSS clamping to work around MTU size issues
|
||||
# on network links such as PPPoE and wireless
|
||||
# Config file: ipv6/mss-clamp.conf
|
||||
Enablev6MSSClamp="yes"
|
||||
# Values: no | yes (default)
|
||||
Enablev6MSSClamp="yes"
|
||||
|
||||
# Use /etc/resolv.conf as source for DNS servers that we communicate
|
||||
# with as a client. If you turn this off (recommended if on static IP),
|
||||
# then you will need to manually define the DNS servers you use.
|
||||
# Without conntrack rules allowing established/related, DNS traffic may
|
||||
# be blocked and cause issues.
|
||||
# Values: no | yes (default)
|
||||
DNSClientUsev6ResolvConf="yes"
|
||||
ResolvConfv6File="/etc/resolv.conf"
|
||||
|
||||
# Uncomment below if you set above to no.
|
||||
#DNSClientManualv6Servers=""
|
||||
|
|
@ -182,4 +182,28 @@ function enable_mss_clamp {
|
|||
${display} RED "Error: can not load mss clamp file."
|
||||
${debug} ${DebugColor} "${FUNCNAME}: failed"
|
||||
fi
|
||||
}
|
||||
|
||||
function allow_resolvconf_servers {
|
||||
IP_VERSION=$1
|
||||
case $IP_VERSION in
|
||||
ipv6) VER_IPTABLES=${IP6TABLES};
|
||||
IPVER="6" ;;
|
||||
ipv4|*) VER_IPTABLES=${IPTABLES}
|
||||
IPVER="4" ;;
|
||||
esac
|
||||
${debug} ${DebugColor} "${FUNCNAME}: loading"
|
||||
[[ ${IP_VERSION} = "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
|
||||
[[ ${IP_VERSION} = "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
|
||||
${debug} ${DebugColor} "${FUNCNAME}: Using ${ResolvConfFile} as resolv.conf"
|
||||
while read -r type server; do
|
||||
[[ ${type} != "nameserver" ]] && continue
|
||||
# If we see a : in the server variable, we are most likely dealing with an ipv6 address
|
||||
([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
|
||||
${debug} ${DebugColor} "${FUNCNAME}: Added ${server} to DNS client trusted list"
|
||||
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
|
||||
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
|
||||
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
|
||||
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
|
||||
done < "${ResolvConfFile}"
|
||||
}
|
||||
Loading…
Reference in New Issue