Added acl/filtering functionality

2014-04-05 17:26:08 +00:00 · 2014-04-05 17:26:08 +00:00 · 861f2721f1
parent 8a2f231043
commit 861f2721f1
9 changed files with 83 additions and 8 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@
 		- MSS Clamping (IPv4/IPv6) - 3/30/2014
 		- Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
 		- Easy Block functionality (IPv4/IPv6) - 3/31/2014
+		- ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
 		
 =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
 1.1 - Brielle Bruns <bruns@2mbit.com>
--- a/bin/srfirewall
+++ b/bin/srfirewall
@ -171,6 +171,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
 	[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
 	[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
 	[ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
+	[ "${Enablev4Filtering}" == "yes" ] && enable_filtering ipv4
 	
 fi

@ -189,5 +190,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 	[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
 	[ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
 	[ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6
+	[ "${Enablev6Filtering}" == "yes" ] && enable_filtering ipv6
 fi

--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@ -45,3 +45,10 @@ ResolvConfv4File="/etc/resolv.conf"
 # Config file: ipv4/easyblock.conf
 # Values: no | yes (default)
 Enablev4EasyBlock="yes"
+
+# Enable IPv4 filtering rules
+# This allows you to define complex access control list /
+# filtering rules.
+# Config file: ipv4/acl.conf
+# Values: no | yes (default)
+Enablev4Filtering="yes"
--- a/etc/ipv4/acl.conf
+++ b/etc/ipv4/acl.conf
@ -0,0 +1,20 @@
+# Filters / Access Control List
+# Use this file to set up more complex access control lists.
+# Use tabs or single space to separate
+#
+# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#
+# Direction: Required ( IN | OUT )
+# Action: Required (ACCEPT | DROP)
+# Interface: Optional ( interface name, aka eth0 )
+# Src Address: Optional ( source of traffic )
+# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
+# Dst Address: Optional ( destination of traffic )
+# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
+# Protocol: Optional, Required if port is specified ( tcp | udp )
+# You can use '-' for optional fields
+#============================================================
+#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#IN ACCEPT eth0 10.0.0.1 22	- -	tcp
+#IN DROP - - - - 22 tcp
+
--- a/etc/ipv4/easyblock.conf
+++ b/etc/ipv4/easyblock.conf
@ -11,7 +11,7 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
-#<direction>	<interface>	<address>		<port> <protocol>
-#IN		eth0		10.0.0.1		22	tcp
-#IN		-		-			22	tcp
+#<dir> <interface> <address> <port> <protocol>
+#IN eth0 10.0.0.1 22 tcp
+#IN - - 22 tcp

--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@ -45,3 +45,10 @@ ResolvConfv6File="/etc/resolv.conf"
 # Config file: ipv6/easyblock.conf
 # Values: no | yes (default)
 Enablev6EasyBlock="yes"
+
+# Enable IPv6 filtering rules
+# This allows you to define complex access control list /
+# filtering rules.
+# Config file: ipv6/acl.conf
+# Values: no | yes (default)
+Enablev6Filtering="yes"
--- a/etc/ipv6/acl.conf
+++ b/etc/ipv6/acl.conf
@ -0,0 +1,20 @@
+# Filters / Access Control List
+# Use this file to set up more complex access control lists.
+# Use tabs or single space to separate
+#
+# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#
+# Direction: Required ( IN | OUT )
+# Action: Required (ACCEPT | DROP)
+# Interface: Optional ( interface name, aka eth0 )
+# Src Address: Optional ( source of traffic )
+# Src Port: Optional ( source port, 1 - 65535, Requires Protocol )
+# Dst Address: Optional ( destination of traffic )
+# Dst Port: Optional ( destination port, 1 - 65535, Requires Protocol )
+# Protocol: Optional, Required if port is specified ( tcp | udp )
+# You can use '-' for optional fields
+#============================================================
+#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol>
+#IN ACCEPT eth0 2002:dead:beef::/64 22	- -	tcp
+#IN DROP - - - - 22 tcp
+
--- a/etc/ipv6/easyblock.conf
+++ b/etc/ipv6/easyblock.conf
@ -11,6 +11,6 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # You can use '-' for optional fields
 #============================================================
-#<direction>	<interface>	<address>		<port> <protocol>
-#IN		eth0		2002:dead:beef::/64	22	tcp
-#IN		-		-			22	tcp
+#<direction> <interface> <address> <port> <protocol>
+#IN eth0 2002:dead:beef::/64 22 tcp
+#IN - - 22 tcp
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@ -273,3 +273,21 @@ function enable_easyblock {
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi
 }
+
+function enable_filtering {
+	IP_VERSION=$1
+		case $IP_VERSION in
+		ipv6) VER_IPTABLES=${IP6TABLES};
+				IPVER="6" ;;
+		ipv4|*) VER_IPTABLES=${IPTABLES}
+				IPVER="4" ;;
+	esac
+	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
+		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
+		while read -r direction interface address port protocol; do
+	
+		done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
+		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
+	fi
+}