From e190e321d000c21e89f6a8fa9f101dac6926f246 Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Mon, 31 Mar 2014 23:37:38 +0000
Subject: [PATCH]
---
 ChangeLog | 1 +
 bin/srfirewall | 3 +++
 etc/ipv4.conf | 10 +++++++++-
 etc/ipv6.conf | 10 +++++++++-
 lib/iptables.inc | 39 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2366b48..1ed80f9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
 - Basic functionality implemented:
 - Trusted IP source (IPv4/IPv6) - 3/30/2014
 - MSS Clamping (IPv4/IPv6) - 3/30/2014
+ - Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
 =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
 1.1 - Brielle Bruns
diff --git a/bin/srfirewall b/bin/srfirewall
index 9c8888b..1ef6136 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -151,6 +151,8 @@ if [ "${EnableIPv4}" == "yes" ]; then
 [ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
 [ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
 [ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
+ [ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
+
 fi
 # Do IPv6 IPTables Rules
@@ -167,5 +169,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 [ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
 [ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
 [ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
+ [ "${Enablev6EasyBlock" == "yes" ] && enable_easyblock ipv6
 fi
diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index 6ebc894..1519b95 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
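Review bot: The IPv6 line added in the second srfirewall hunk, `[ "${Enablev6EasyBlock" == "yes" ] && enable_easyblock ipv6`, is missing the closing brace of the parameter expansion; bash reports `bad substitution` at that line and, in a non-interactive script, stops there, so the IPv6 EasyBlock rules (and anything the script does after them) are never applied while the IPv4 path quietly works. Change it to `[ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6`. The stray blank line added after the IPv4 call in the first hunk is noise and can be dropped. Both `if` blocks start outside their hunks.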
@@ -36,4 +36,12 @@ ResolvConfv4File="/etc/resolv.conf"
 # Uncomment below if you set above to no. You can still manually define your servers
 # here if you want. Useful at times.
 # Values: space separated IP list of DNS servers
-#DNSClientManualv4Servers=""
\ No newline at end of file
+#DNSClientManualv4Servers=""
+
+# Enable the EasyBlock access list
+# This is a simple/easy way to block traffic in or out,
+# no complex options. Use the Filter options for more
+# complex ACLs
+# Config file: ipv4/easyblock.conf
+# Values: no | yes (default)
+Enablev4EasyBlock="yes"
\ No newline at end of file
diff --git a/etc/ipv6.conf b/etc/ipv6.conf
index 4306ffa..c3066dd 100644
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -36,4 +36,12 @@ ResolvConfv6File="/etc/resolv.conf"
 # Uncomment below if you set above to no. You can still manually define your servers
 # here if you want. Useful at times.
 # Values: space separated IP list of DNS servers
-#DNSClientManualv6Servers=""
\ No newline at end of file
+#DNSClientManualv6Servers=""
+
+# Enable the EasyBlock access list
+# This is a simple/easy way to block traffic in or out,
+# no complex options. Use the Filter options for more
+# complex ACLs
+# Config file: ipv6/easyblock.conf
+# Values: no | yes (default)
+Enablev6EasyBlock="yes"
\ No newline at end of file
diff --git a/lib/iptables.inc b/lib/iptables.inc
index f8be683..e3c31f9 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
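Review bot: The new comment block names `ipv4/easyblock.conf` as the config file, but nothing in this commit says what a line in that file looks like, and the option defaults to `yes`, so the entry format is the first thing an operator needs here. Judging by the reader added in lib/iptables.inc (`read -r direction interface address port`, comment lines skipped), add after the `Config file:` line: `# Format: one rule per line: DIRECTION INTERFACE ADDRESS PORT` / `# DIRECTION is IN or OUT; use - for "any" in the other fields; lines starting with # are ignored`. It is also worth saying that a missing file is tolerated, since the loader checks `-e` before reading it.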
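Review bot: Same documentation gap as ipv4.conf: `ipv6/easyblock.conf` is named but its line format is described nowhere, and the option is on by default. The IPv6 loader reads the same four whitespace-separated fields, so add the same `# Format: DIRECTION INTERFACE ADDRESS PORT (- = any)` comment here and, because the address is passed straight to ip6tables, one IPv6 example such as `# e.g. IN - 2001:db8::/32 -` so nobody guesses at the notation.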
@@ -200,6 +200,7 @@ function allow_resolvconf_servers {
 [[ ${type} != "nameserver" ]] && continue
 # If we see a : in the server variable, we are most likely dealing with an ipv6 address
 ([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
+ ([[ ${server} !~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue
 ${debug} ${DebugColor} "${FUNCNAME}: Added ${server} to DNS client trusted list"
 ${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
 ${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
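Review bot: `!~` is not an operator inside `[[ ]]`, so the added line `([[ ${server} !~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue` is a syntax error ("conditional binary operator expected") that will stop this library file from being sourced at all, not just break the IPv6 skip. Write it as `[[ ${server} != *:* && ${IP_VERSION} = "ipv6" ]] && continue` (or `! [[ ${server} =~ ":" ]]`), which also avoids the needless subshell fork the parentheses cause. The enclosing allow_resolvconf_servers body starts and ends outside this hunk.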
@@ -227,4 +228,42 @@ function allow_dnsclient_manual {
 ${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
 done
 ${debug} ${DebugColor} "${FUNCNAME}: done"
+}
+
+function enable_easyblock {
+ IP_VERSION=$1
+ case $IP_VERSION in
+ ipv6) VER_IPTABLES=${IP6TABLES};
+ IPVER="6" ;;
+ ipv4|*) VER_IPTABLES=${IPTABLES}
+ IPVER="4" ;;
+ esac
+ ${debug} ${DebugColor} "${FUNCNAME}: loading"
+ if [ -e "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf" ]; then
+ ${debug} ${DebugColor} "${FUNCNAME}: read ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf successful"
+ while read -r direction interface address port; do
+ [[ ${direction} = \#* ]] && continue
+
+ # Do some creative work with variables to make building the iptables rules fairly painless
+ [[ ${port} != "-" ]] && port="--dport ${port}"
+ ([[ ${address} != "-" ]] && [[ ${direction} == "IN" ]] && address="-s ${address}"
+ ([[ ${address} != "-" ]] && [[ ${direction} == "OUT" ]] && address="-d ${address}"
+ ([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]] && interface="-i ${interface}"
+ ([[ ${interface} != "-" ]] && [[ ${direction} == "OUT" ]] && interface="-o ${interface}"
+ [[ ${direction} == "OUT" ]] && chain="${OutEasyBlock}"
+ [[ ${direction} == "IN" ]] && chain="${InEasyBlock}"
+
+ ${debug} ${DebugColor} "${FUNCNAME}: Read: ${direction} ${interface} ${address} ${port}"
+
+ # Blank variables that we're not going to use.
+ [[ ${interface} == "-" ]] && interface=""
+ [[ ${port} == "-" ]] && port=""
+ [[ ${address} == "-" ]] && address=""
+
+
+ ${VER_IPTABLES} -A ${chain} ${interface} ${address} ${port}
+ done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
+
+ ${debug} ${DebugColor} "${FUNCNAME}: done"
+ }
\ No newline at end of file
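Review bot: The rule built at the bottom of the loop, `${VER_IPTABLES} -A ${chain} ${interface} ${address} ${port}`, has no `-j DROP` (or REJECT) target, so an EasyBlock entry only counts matching packets and blocks nothing unless the `${InEasyBlock}`/`${OutEasyBlock}` chains (defined outside this hunk) end in a drop — the feature fails open. The four `([[ ${address} != "-" ]] && … && address="-s ${address}"` lines wrap the assignment in a subshell, so the `-s`/`-d`/`-i`/`-o` prefixes are lost to the parent shell, and as shown here the `(` is never closed; `--dport` is also used without `-p`, which iptables refuses, and the `if [ -e … ]; then` has no matching `fi`, so the file likely fails to parse before any of this runs. Blank lines are not skipped and `chain` carries over from the previous entry, so an empty line re-adds a match-all rule to whatever chain was used last. Rewrite the loop body as below: a `case` picks the chain and match options per direction, a port implies both tcp and udp since the file format has no protocol column, and every rule ends in `-j DROP`.
```shell
function enable_easyblock {
  # … unchanged: IP_VERSION/VER_IPTABLES/IPVER selection, "loading" message, -e check …
    while read -r direction interface address port; do
      # Skip blank lines and comments; "-" in any other field means "any".
      [[ -z ${direction} || ${direction} = \#* ]] && continue
      local chain=""
      local -a match=()
      case "${direction}" in
        IN)  chain="${InEasyBlock}"
             [[ ${interface} != "-" ]] && match+=(-i "${interface}")
             [[ ${address} != "-" ]] && match+=(-s "${address}") ;;
        OUT) chain="${OutEasyBlock}"
             [[ ${interface} != "-" ]] && match+=(-o "${interface}")
             [[ ${address} != "-" ]] && match+=(-d "${address}") ;;
        *)   ${debug} ${DebugColor} "${FUNCNAME}: bad direction '${direction}', skipping"
             continue ;;
      esac
      ${debug} ${DebugColor} "${FUNCNAME}: Read: ${direction} ${interface} ${address} ${port}"
      if [[ ${port} != "-" ]]; then
        # --dport is only valid with -p; the file has no protocol column, so block both.
        for proto in tcp udp; do
          ${VER_IPTABLES} -A "${chain}" "${match[@]}" -p "${proto}" --dport "${port}" -j DROP
        done
      else
        ${VER_IPTABLES} -A "${chain}" "${match[@]}" -j DROP
      fi
    done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
    ${debug} ${DebugColor} "${FUNCNAME}: done"
  fi
}
```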