✨ allow blocking public addresses

2024-08-16 19:49:36 +02:00 · 2024-08-16 19:49:36 +02:00 · 2c09305ec3
commit 2c09305ec3
parent 3bee1ac760
1 changed files with 51 additions and 11 deletions
--- a/62
+++ b/62
@ -190,6 +190,11 @@ xynat_ruleset_update_fwi(){
 	# enforce correct vm address
 	iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 	
+	# reject packets for blocked address(es)
+	for a in ${arg_block[*]:-}; do
+		iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
+	done
+	
 	# accept allowed local addresses
 	for a in ${arg_allow[*]:-}; do
 		iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
@ -223,6 +228,11 @@ xynat_ruleset_update_fwo(){
 	# enforce correct vm address
 	iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 	
+	# reject packets for blocked address(es)
+	for a in ${arg_block[*]:-}; do
+		iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
+	done
+	
 	# accept allowed local addresses
 	for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
 		iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
@ -287,20 +297,22 @@ xynat_help(){
 	echo "Usage: $0 [OPTIONS]"
 	echo
 	echo "Options:"
-	echo "    -a, --add                 - Add new firewall                                          (default, fallback: MODE=start)"
-	echo "    -r, --remove              - Remove existing firewall                                  (fallback: MODE=stop)"
+	echo "    -a, --add                  - Add new firewall                                        (default, fallback: MODE=start)"
+	echo "    -r, --remove               - Remove existing firewall                                (fallback: MODE=stop)"
 	echo
-	echo "    -i, --iface=iface         - Interface name for virtual switch                         (required, fallback: IFACE)"
-	echo "    -s, --vm-address=ip       - IP address of virtual machine                             (required)"
-	echo "    -p, --public-ip=ip        - IP address to use for outgoing traffic and DNAT"
+	echo "    -i, --iface=iface          - Interface name for virtual switch                       (required, fallback: IFACE)"
+	echo "    -s, --vm-address=ip        - IP address of virtual machine                           (required)"
+	echo "    -p, --public-ip=ip         - IP address to use for outgoing traffic and DNAT"
 	echo
-	echo "    -w, --allow=ip-or-net     - Allow address(es) for incomming and outgoing connections  (multi-use allowed)"
-	echo "    -x, --allow-in=ip-or-net  - Allow address(es) for incomming connections only          (multi-use allowed)"
-	echo "    -y, --allow-host          - Allow local host for incomming and outgoing connections"
-	echo "    -z, --allow-host-in       - Allow local host for incomming connections only"
+	echo "    -b, --block=ip-or-net      - Block address(es) for all connections                   (multi-use allowed)"
 	echo
-	echo "    -h, --help                - Display this help message and exit"
-	echo "    -v, --version             - Display version information and exit"
+	echo "    -w, --allow=ip-or-net      - Allow local address(es) for all connections             (multi-use allowed)"
+	echo "    -x, --allow-in=ip-or-net   - Allow local address(es) for incomming connections only  (multi-use allowed)"
+	echo "    -y, --allow-host           - Allow local host for all connections"
+	echo "    -z, --allow-host-in        - Allow local host for incomming connections only"
+	echo
+	echo "    -h, --help                 - Display this help message and exit"
+	echo "    -v, --version              - Display version information and exit"
 }


@ -361,6 +373,20 @@ xynat_validate_public_ip(){



+#
+# VALIDATOR: `block`.
+#
+xynat_validate_block(){
+	for a in $1; do
+		## VALIDATE SYNTAX ##
+		if [[ ! "$a" =~ $regex_ip_or_net ]]; then
+			log_error "Malformed ip address or subnet in blocklist: '$a'"
+		fi
+	done
+}
+
+
+
 #
 # VALIDATOR: `allow`.
 #
@ -468,6 +494,17 @@ while [[ "$#" -gt 0 ]]; do
 			else log_error "Value expected for parameter 'public-ip'"; fi; shift
 		;;
 		
+		# block
+		-b|--block|-b=*|--block=*)
+			if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
+				arg_block=(${arg_block[@]:-""} "$(echo $1 | sed -E "s/^[a-z\-]+=(.*)$/\1/g")")
+			shift; continue; fi
+			
+			shift; if [[ $# -gt 0 ]]; then
+				arg_block=(${arg_block[@]:-""} "$1")
+			else log_error "Value expected for parameter 'block'"; fi; shift
+		;;
+		
 		# allow
 		-w|--allow|-w=*|--allow=*)
 			if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
@ -544,6 +581,9 @@ if [[ "${arg_public_ip:+x}" ]]; then
 	xynat_validate_public_ip "$arg_public_ip"
 fi

+# block
+xynat_validate_block "${arg_block[*]:-""}"
+
 # allow
 xynat_validate_allow "${arg_allow[*]:-""}"