brielle
/
SRFirewall
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

master
bbruns@gmail.com 2014-04-05 23:15:19 +00:00
parent a4640001b7
commit bde9efd92b
2 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -10,7 +10,8 @@
- ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014 - ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014
- NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014 - NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014
- IPv6 NAT/NETMAP is untested, have no internal use for it, let me know if works/doesnt - IPv6 NAT/NETMAP is untested, have no internal use for it, let me know if works/doesnt
- Forwarding functionality (IPv4/IPv6) - 4/5/2014
- Deps on Enablev(4|6)ConnectionTracking for NAT functionality
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-= =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
1.1 - Brielle Bruns <bruns@2mbit.com> 1.1 - Brielle Bruns <bruns@2mbit.com>

20
lib/iptables.inc
View File

@ -194,20 +194,30 @@ function allow_resolvconf_servers {
IPVER="4" ;; IPVER="4" ;;
esac esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
[[ ${IP_VERSION} = "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}" [[ ${IP_VERSION} == "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
[[ ${IP_VERSION} = "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}" [[ ${IP_VERSION} == "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
while read -r type server; do while read -r type server; do
[[ ${type} != "nameserver" ]] && continue [[ ${type} != "nameserver" ]] && continue
[[ ${type} = "" ]] && continue [[ ${type} = "" ]] && continue
# If we see a : in the server variable, we are most likely dealing with an ipv6 address
([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue ([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
([[ ! ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue ([[ ! ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue
use_conntrack="no"
(([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
(([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
# If we see a : in the server variable, we are most likely dealing with an ipv6 address
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
if [[ ${use_conntrack} == "yes"]]; then
${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${server} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -s ${server} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
else
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT ${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT ${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT #${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT #${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
fi
done < "${ResolvConfFile}" done < "${ResolvConfFile}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done" ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
} }