master
parent
d0ee1bcfbb
commit
8a72b5b9cd
|
@ -38,6 +38,12 @@ source "${FWCONFIGDIR}/chains.conf"
|
||||||
source "${FWCONFIGDIR}/ipv4.conf"
|
source "${FWCONFIGDIR}/ipv4.conf"
|
||||||
source "${FWCONFIGDIR}/ipv6.conf"
|
source "${FWCONFIGDIR}/ipv6.conf"
|
||||||
|
|
||||||
|
# The local.conf file can be used to override any of the above files without having to worry
|
||||||
|
# about changes being overwritten when upgrading. Mostly useful for people who use a package
|
||||||
|
# manager.
|
||||||
|
[[ -e "{FWCONFIGDIR}/local.conf" ]] && source "{FWCONFIGDIR}/local.conf"
|
||||||
|
|
||||||
|
|
||||||
# We require at least bash v3 or later at this point given some of the more complex
|
# We require at least bash v3 or later at this point given some of the more complex
|
||||||
# operations we do to make the firewall script work.
|
# operations we do to make the firewall script work.
|
||||||
if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
if (( ${BASH_VERSINFO[0]} <= "2" )); then
|
||||||
|
|
|
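Review bot: The new `local.conf` line is missing the `$` in both expansions — `"{FWCONFIGDIR}/local.conf"` is the literal relative path `{FWCONFIGDIR}/local.conf`, so the override file in the config directory is never sourced, and whatever file happens to sit at that relative path under the caller's working directory would be sourced instead. It should read `[[ -e "${FWCONFIGDIR}/local.conf" ]] && source "${FWCONFIGDIR}/local.conf"`, matching the `source "${FWCONFIGDIR}/ipv4.conf"` lines just above it. Since this is a short-circuit `&&` at top level, also worth a comment that a missing file is intentional and not an error, e.g. `# optional: silently skipped when absent`.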
@ -232,12 +232,21 @@ function allow_dnsclient_manual {
|
||||||
esac
|
esac
|
||||||
DNS_SERVERS="$2"
|
DNS_SERVERS="$2"
|
||||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
|
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
|
||||||
|
use_conntrack="no"
|
||||||
|
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
|
||||||
|
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
|
||||||
for i in ${DNS_SERVERS}; do
|
for i in ${DNS_SERVERS}; do
|
||||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
|
if [[ ${use_conntrack} == "yes" ]]; then
|
||||||
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
|
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
|
||||||
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
|
${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${i} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
|
||||||
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
|
${VER_IPTABLES} -A ${InPreRules} -p udp -s ${i} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
|
||||||
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
|
else
|
||||||
|
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to DNS client trusted list"
|
||||||
|
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
|
||||||
|
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
|
||||||
|
#${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${i} --sport 1024:65535 --dport 53 -j ACCEPT
|
||||||
|
#${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
|
||||||
}
|
}
|
||||||
|
|
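Review bot: In the conntrack branch the debug line references `${server}`, but the loop variable is `i`, so the message will print an empty name (or whatever `server` happens to hold from elsewhere); it should be `${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${i} to conntrack list for DNS traffic"`. Separately, the old side accepted DNS over TCP (`-p tcp ... --dport 53`) while the new side comments those rules out in the `else` branch and adds no TCP rule in the conntrack branch, so truncated or large responses that fall back to TCP will be dropped — if that is intended it deserves a comment, otherwise a matching `-p tcp --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED` rule is needed. As a style point, `([[ a ]] && [[ b ]]) && use_conntrack="yes"` forks a subshell for no reason; `[[ ${IP_VERSION} == "ipv4" && ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"` is equivalent and cheaper. The `allow_dnsclient_manual` function begins before this hunk.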