Default policy support, which I believe makes this release Alpha 1 quality
parent
6dfe77b118
commit
d71e8794c6
|
@ -175,6 +175,10 @@ if [ "${EnableIPv4}" == "yes" ]; then
|
||||||
|
|
||||||
[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
|
[[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
|
||||||
[[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4
|
[[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4
|
||||||
|
Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
|
||||||
|
Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
|
||||||
|
Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
|
||||||
|
default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
|
||||||
[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
|
[[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
|
||||||
([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
|
([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
|
||||||
&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
|
&& enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
|
||||||
|
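Review bot: The new `default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}` call passes the three policies unquoted and unvalidated, so an empty value silently shifts the remaining arguments onto the wrong chain and a mistyped one (the config comment only promises ACCEPT or DROP) makes the `--policy` call fail and leaves that chain at ACCEPT; for a setting whose purpose is DROP that is a fail-open. Quote the arguments, `default_policy_set ipv4 "${Defaultv4InPolicy}" "${Defaultv4OutPolicy}" "${Defaultv4FwdPolicy}"`, and reject anything other than ACCEPT or DROP before the call. The ipv6 call in the hunk at `@ -200,6 +204,10` has the same problem. The enclosing `if [ "${EnableIPv4}" == "yes" ]` block starts before this hunk.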
@ -200,6 +204,10 @@ if [ "${EnableIPv6}" == "yes" ]; then
|
||||||
|
|
||||||
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
|
[[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
|
||||||
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
|
[[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
|
||||||
|
Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
|
||||||
|
Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
|
||||||
|
Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
|
||||||
|
default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
|
||||||
[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
|
[[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
|
||||||
([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
|
([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
|
||||||
&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
|
&& enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
|
||||||
|
|
|
@ -95,4 +95,14 @@ Enablev4NAT="yes"
|
||||||
# external access to internal machines
|
# external access to internal machines
|
||||||
# Config file: ipv4/portfw.conf
|
# Config file: ipv4/portfw.conf
|
||||||
# Values: no | yes (default)
|
# Values: no | yes (default)
|
||||||
Enablev4PortForwarding="yes"
|
Enablev4PortForwarding="yes"
|
||||||
|
|
||||||
|
# Default policy for filtering rules
|
||||||
|
# netfilter/iptables has a default policy that can be set, such as
|
||||||
|
# DROP all unless it is explicitly allowed via rules.
|
||||||
|
# Values: ACCEPT (default) | DROP
|
||||||
|
# Please note if you do not specify policies, they will default to
|
||||||
|
# ACCEPT, which may not be what you want.
|
||||||
|
Defaultv4InPolicy="ACCEPT"
|
||||||
|
Defaultv4OutPolicy="ACCEPT"
|
||||||
|
Defaultv4FwdPolicy="ACCEPT"
|
|
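Review bot: The new comment block above `Defaultv4InPolicy="ACCEPT"` does not say which chain each of the three variables controls, nor that an OUTPUT policy of DROP blocks the host's own outbound traffic unless explicit egress rules exist, which is the setting most likely to lock an administrator out. Add `# Defaultv4InPolicy, Defaultv4OutPolicy and Defaultv4FwdPolicy set the INPUT, OUTPUT and FORWARD chain policies` and `# With DROP only traffic matched by an explicit rule passes; use DROP for OutPolicy only with egress rules in place`. The ipv6 block in the hunk at `@ -95,4 +95,14 @@ Enablev6NAT` needs the same two lines.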
@ -95,4 +95,14 @@ Enablev6NAT="yes"
|
||||||
# external access to internal machines
|
# external access to internal machines
|
||||||
# Config file: ipv6/portfw.conf
|
# Config file: ipv6/portfw.conf
|
||||||
# Values: no | yes (default)
|
# Values: no | yes (default)
|
||||||
Enablev6PortForwarding="yes"
|
Enablev6PortForwarding="yes"
|
||||||
|
|
||||||
|
# Default policy for filtering rules
|
||||||
|
# netfilter/iptables has a default policy that can be set, such as
|
||||||
|
# DROP all unless it is explicitly allowed via rules.
|
||||||
|
# Values: ACCEPT (default) | DROP
|
||||||
|
# Please note if you do not specify policies, they will default to
|
||||||
|
# ACCEPT, which may not be what you want.
|
||||||
|
Defaultv6InPolicy="ACCEPT"
|
||||||
|
Defaultv6OutPolicy="ACCEPT"
|
||||||
|
Defaultv6FwdPolicy="ACCEPT"
|
|
@ -30,6 +30,9 @@ function iptables_rules_flush {
|
||||||
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
|
||||||
esac
|
esac
|
||||||
${display} GREEN "Flushing ${IP_VERSION} rules..."
|
${display} GREEN "Flushing ${IP_VERSION} rules..."
|
||||||
|
${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
|
||||||
|
${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
|
||||||
|
${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
|
||||||
${VER_IPTABLES} -F &>/dev/null
|
${VER_IPTABLES} -F &>/dev/null
|
||||||
${VER_IPTABLES} -X &>/dev/null
|
${VER_IPTABLES} -X &>/dev/null
|
||||||
${VER_IPTABLES} -F INPUT &>/dev/null
|
${VER_IPTABLES} -F INPUT &>/dev/null
|
||||||
|
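Review bot: Moving the three `${VER_IPTABLES} -P ... ACCEPT` resets ahead of `-F` (their removals are in the next hunk at `@ -39,9 +42,6`) means that from the flush until `default_policy_set` runs later in the script every chain accepts all traffic, so a host configured with DROP policies is briefly wide open on each reload. If that is deliberate, record the trade-off next to the new lines, e.g. `# Reset policies to ACCEPT before flushing so the host stays reachable if the reload aborts; default_policy_set re-applies the configured policies afterwards`. If it is not, applying the configured policies before the flush keeps the reload fail-closed. `iptables_rules_flush` starts before this hunk.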
@ -39,9 +42,6 @@ function iptables_rules_flush {
|
||||||
${VER_IPTABLES} -t nat -X &>/dev/null
|
${VER_IPTABLES} -t nat -X &>/dev/null
|
||||||
${VER_IPTABLES} -t mangle -F &>/dev/null
|
${VER_IPTABLES} -t mangle -F &>/dev/null
|
||||||
${VER_IPTABLES} -t mangle -X &>/dev/null
|
${VER_IPTABLES} -t mangle -X &>/dev/null
|
||||||
${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
|
|
||||||
${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
|
|
||||||
${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
|
|
||||||
#for i in `cat $TABLE_NAMES`; do
|
#for i in `cat $TABLE_NAMES`; do
|
||||||
# ${VER_IPTABLES} -F -t $i &>/dev/null
|
# ${VER_IPTABLES} -F -t $i &>/dev/null
|
||||||
#done
|
#done
|
||||||
|
@ -51,17 +51,19 @@ function iptables_rules_flush {
|
||||||
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
|
# iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
|
||||||
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
|
# Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
|
||||||
# If no policy given, assume ACCEPT
|
# If no policy given, assume ACCEPT
|
||||||
function iptables_policy_reset {
|
function default_policy_set {
|
||||||
IP_VERSION=$1
|
IP_VERSION=$1
|
||||||
SET_POLICY=${2=ACCEPT}
|
INPOLICY=${2=ACCEPT}
|
||||||
|
OUTPOLICY=${3=ACCEPT}
|
||||||
|
FWDPOLICY=${4=ACCEPT}
|
||||||
case $IP_VERSION in
|
case $IP_VERSION in
|
||||||
ipv6) VER_IPTABLES=${IP6TABLES} ;;
|
ipv6) VER_IPTABLES=${IP6TABLES} ;;
|
||||||
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
|
ipv4|*) VER_IPTABLES=${IPTABLES} ;;
|
||||||
esac
|
esac
|
||||||
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
|
${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
|
||||||
${VER_IPTABLES} --policy INPUT ${SET_POLICY}
|
${VER_IPTABLES} --policy INPUT ${INPOLICY}
|
||||||
${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
|
${VER_IPTABLES} --policy OUTPUT ${OUTPOLICY}
|
||||||
${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
|
${VER_IPTABLES} --policy FORWARD ${FWDPOLICY}
|
||||||
}
|
}
|
||||||
|
|
||||||
# setup_iptables_chains (ipv4|ipv6)
|
# setup_iptables_chains (ipv4|ipv6)
|
||||||
|
|
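Review bot: The status line `${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."` still expands `SET_POLICY`, which this hunk stops assigning, so the message now prints an empty or stale value; change it to `${display_c} RED "Setting ${IP_VERSION} policies to INPUT=${INPOLICY} OUTPUT=${OUTPOLICY} FORWARD=${FWDPOLICY}..."`. The header comment is stale as well: it still names `iptables_policy_set` with a single `(ACCEPT|DROP)` argument and should read `# default_policy_set (ipv6|ipv4) [INPUT policy] [OUTPUT policy] [FORWARD policy]` with a note that each defaults to ACCEPT. The new defaults `INPOLICY=${2=ACCEPT}`, `OUTPOLICY=${3=ACCEPT}` and `FWDPOLICY=${4=ACCEPT}` use the assigning form on positional parameters, which bash refuses ("cannot assign in this way") precisely when the parameter is unset, i.e. the case the default is meant to cover; `${2:-ACCEPT}`, `${3:-ACCEPT}` and `${4:-ACCEPT}` give the intended fallback.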