WIP - IPv6 Handleing for output authorisation
This commit is contained in:
parent
c31288f318
commit
79c1790564
95
minifirewall
Normal file → Executable file
95
minifirewall
Normal file → Executable file
|
@ -369,52 +369,111 @@ start() {
|
|||
|
||||
# DNS authorizations
|
||||
for src in ${DNSSERVEURS}; do
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${src} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${src} --dport 53 --match state --state NEW -j ACCEPT
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
${IPT6} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${src} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
${IPT6} -A OUTPUT -o ${INT} -p udp -d ${src} --dport 53 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${src} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${src} --dport 53 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# HTTP (TCP/80) authorizations
|
||||
for src in ${HTTPSITES}; do
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# HTTPS (TCP/443) authorizations
|
||||
for src in ${HTTPSSITES}; do
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# FTP (so complex protocol...) authorizations
|
||||
for src in ${FTPSITES}; do
|
||||
# requests on Control connection
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
# FTP port-mode on Data Connection
|
||||
${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
# FTP passive-mode on Data Connection
|
||||
# WARNING, this allow all connections on TCP ports > 1024
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
# requests on Control connection
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
# FTP port-mode on Data Connection
|
||||
${IPT6} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
# FTP passive-mode on Data Connection
|
||||
# WARNING, this allow all connections on TCP ports > 1024
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
# requests on Control connection
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
# FTP port-mode on Data Connection
|
||||
${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
# FTP passive-mode on Data Connection
|
||||
# WARNING, this allow all connections on TCP ports > 1024
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# SSH authorizations
|
||||
for src in ${SSHOK}; do
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 22 -s ${src} -j ACCEPT
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 22 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 22 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# SMTP authorizations
|
||||
for src in ${SMTPOK}; do
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# secure SMTP (TCP/465 et TCP/587) authorizations
|
||||
for src in ${SMTPSECUREOK}; do
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
${IPT6} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${src} -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# NTP authorizations
|
||||
for src in ${NTPOK}; do
|
||||
${IPT} -A INPUT -p udp --sport 123 -s ${src} -j ACCEPT
|
||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${src} --dport 123 --match state --state NEW -j ACCEPT
|
||||
|
||||
if is_ipv6 ${src}; then
|
||||
if is_ipv6_enabled; then
|
||||
${IPT6} -A INPUT -p udp --sport 123 -s ${src} -j ACCEPT
|
||||
${IPT6} -A OUTPUT -o ${INT} -p udp -d ${src} --dport 123 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
else
|
||||
${IPT} -A INPUT -p udp --sport 123 -s ${src} -j ACCEPT
|
||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${src} --dport 123 --match state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
# Proxy (Squid)
|
||||
|
|
|
@ -47,35 +47,35 @@ SERVICESTCP3='5666'
|
|||
SERVICESUDP3=''
|
||||
|
||||
|
||||
# Standard output IPv4 access restrictions
|
||||
# Standard output IPv4/IPv6 access restrictions
|
||||
##########################################
|
||||
|
||||
# DNS authorizations
|
||||
# (if you have local DNS server, set 0.0.0.0/0)
|
||||
DNSSERVEURS='0.0.0.0/0'
|
||||
DNSSERVEURS='0.0.0.0/0 ::/0'
|
||||
|
||||
# HTTP authorizations
|
||||
# (you can use DNS names but set cron to reload minifirewall regularly)
|
||||
# (if you have HTTP proxy, set 0.0.0.0/0)
|
||||
HTTPSITES='0.0.0.0/0'
|
||||
HTTPSITES='0.0.0.0/0 ::/0'
|
||||
|
||||
# HTTPS authorizations
|
||||
HTTPSSITES='0.0.0.0/0'
|
||||
HTTPSSITES='0.0.0.0/0 ::/0'
|
||||
|
||||
# FTP authorizations
|
||||
FTPSITES=''
|
||||
|
||||
# SSH authorizations
|
||||
SSHOK='0.0.0.0/0'
|
||||
SSHOK='0.0.0.0/0 ::/0'
|
||||
|
||||
# SMTP authorizations
|
||||
SMTPOK='0.0.0.0/0'
|
||||
SMTPOK='0.0.0.0/0 ::/0'
|
||||
|
||||
# SMTP secure authorizations (ports TCP/465 and TCP/587)
|
||||
SMTPSECUREOK=''
|
||||
|
||||
# NTP authorizations
|
||||
NTPOK='0.0.0.0/0'
|
||||
NTPOK='0.0.0.0/0 ::/0'
|
||||
|
||||
# Proxy (Squid)
|
||||
PROXY='off'
|
||||
|
|
Loading…
Reference in a new issue