bbruns@gmail.com 2014-04-06 16:22:42 +00:00
parent d0ee1bcfbb
commit 8a72b5b9cd
2 changed files with 20 additions and 5 deletions

View File

@ -38,6 +38,12 @@ source "${FWCONFIGDIR}/chains.conf"
source "${FWCONFIGDIR}/ipv4.conf" source "${FWCONFIGDIR}/ipv4.conf"
source "${FWCONFIGDIR}/ipv6.conf" source "${FWCONFIGDIR}/ipv6.conf"
# The local.conf file can be used to override any of the above files without having to worry
# about changes being overwritten when upgrading. Mostly useful for people who use a package
# manager.
[[ -e "{FWCONFIGDIR}/local.conf" ]] && source "{FWCONFIGDIR}/local.conf"
# We require at least bash v3 or later at this point given some of the more complex # We require at least bash v3 or later at this point given some of the more complex
# operations we do to make the firewall script work. # operations we do to make the firewall script work.
if (( ${BASH_VERSINFO[0]} <= "2" )); then if (( ${BASH_VERSINFO[0]} <= "2" )); then

View File

@ -232,12 +232,21 @@ function allow_dnsclient_manual {
esac esac
DNS_SERVERS="$2" DNS_SERVERS="$2"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
use_conntrack="no"
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
for i in ${DNS_SERVERS}; do for i in ${DNS_SERVERS}; do
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list" if [[ ${use_conntrack} == "yes" ]]; then
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT ${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${i} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT ${VER_IPTABLES} -A ${InPreRules} -p udp -s ${i} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT else
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
#${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
#${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
fi
done done
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
} }