diff --git a/xynat b/xynat
index dbcfe60..ef90124 100755
--- a/xynat
+++ b/xynat
@@ -190,6 +190,11 @@ xynat_ruleset_update_fwi(){
 # enforce correct vm address
 iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 
+ # reject packets for blocked address(es)
+ for a in ${arg_block[*]:-}; do
+ iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
+ done
+
 # accept allowed local addresses
 for a in ${arg_allow[*]:-}; do
 iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
@@ -223,6 +228,11 @@ xynat_ruleset_update_fwo(){
 # enforce correct vm address
 iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
 
+ # reject packets for blocked address(es)
+ for a in ${arg_block[*]:-}; do
+ iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
+ done
+
 # accept allowed local addresses
 for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
 iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
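Review bot: The new block loop in `xynat_ruleset_update_fwi` is appended before the allow loop, so an address that appears in both `--block` and `--allow` is rejected, but neither the comment nor the help text states that block takes precedence; I would spell it out in the comment, `# reject packets for blocked address(es); evaluated before the allow rules, so a block entry overrides an overlapping allow entry`. The same applies to the `_FWO` hunk below. The existing REJECT in both chains uses `--reject-with icmp-admin-prohibited` while the two new ones use `icmp-net-unreachable`; if the different ICMP code is deliberate, a one-line comment saying why would save the next reader a question, otherwise I would align them with the existing rule. Both functions begin before their hunk and end after it.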
@@ -287,20 +297,22 @@ xynat_help(){
 echo "Usage: $0 [OPTIONS]"
 echo
 echo "Options:"
- echo " -a, --add - Add new firewall (default, fallback: MODE=start)"
- echo " -r, --remove - Remove existing firewall (fallback: MODE=stop)"
+ echo " -a, --add - Add new firewall (default, fallback: MODE=start)"
+ echo " -r, --remove - Remove existing firewall (fallback: MODE=stop)"
 echo
- echo " -i, --iface=iface - Interface name for virtual switch (required, fallback: IFACE)"
- echo " -s, --vm-address=ip - IP address of virtual machine (required)"
- echo " -p, --public-ip=ip - IP address to use for outgoing traffic and DNAT"
+ echo " -i, --iface=iface - Interface name for virtual switch (required, fallback: IFACE)"
+ echo " -s, --vm-address=ip - IP address of virtual machine (required)"
+ echo " -p, --public-ip=ip - IP address to use for outgoing traffic and DNAT"
 echo
- echo " -w, --allow=ip-or-net - Allow address(es) for incomming and outgoing connections (multi-use allowed)"
- echo " -x, --allow-in=ip-or-net - Allow address(es) for incomming connections only (multi-use allowed)"
- echo " -y, --allow-host - Allow local host for incomming and outgoing connections"
- echo " -z, --allow-host-in - Allow local host for incomming connections only"
+ echo " -b, --block=ip-or-net - Block address(es) for all connections (multi-use allowed)"
 echo
- echo " -h, --help - Display this help message and exit"
- echo " -v, --version - Display version information and exit"
+ echo " -w, --allow=ip-or-net - Allow local address(es) for all connections (multi-use allowed)"
+ echo " -x, --allow-in=ip-or-net - Allow local address(es) for incomming connections only (multi-use allowed)"
+ echo " -y, --allow-host - Allow local host for all connections"
+ echo " -z, --allow-host-in - Allow local host for incomming connections only"
+ echo
+ echo " -h, --help - Display this help message and exit"
+ echo " -v, --version - Display version information and exit"
 }
 
 
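Review bot: The rewritten `-x` and `-z` help lines keep the typo `incomming`; since these lines are being re-emitted anyway, correct it to `incoming`. The new `-b` description does not tell the user how `--block` interacts with `--allow`, although the ruleset hunks install the block rules ahead of the allow rules so a block entry wins; I would make the help say so, e.g. `Block address(es) for all connections, takes precedence over --allow (multi-use allowed)`.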
@@ -361,6 +373,20 @@ xynat_validate_public_ip(){
+#
+# VALIDATOR: `block`.
+#
+xynat_validate_block(){
+ for a in $1; do
+ ## VALIDATE SYNTAX ##
+ if [[ ! "$a" =~ $regex_ip_or_net ]]; then
+ log_error "Malformed ip address or subnet in blocklist: '$a'"
+ fi
+ done
+} + + + # + # VALIDATOR: `allow`. + #
@@ -468,6 +494,17 @@ while [[ "$#" -gt 0 ]]; do
 else log_error "Value expected for parameter 'public-ip'"; fi; shift
 ;;
+ # block
+ -b|--block|-b=*|--block=*)
+ if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
+ arg_block=(${arg_block[@]:-""} "$(echo $1 | sed -E "s/^[a-z\-]+=(.*)$/\1/g")")
+ shift; continue; fi
+
+ shift; if [[ $# -gt 0 ]]; then
+ arg_block=(${arg_block[@]:-""} "$1")
+ else log_error "Value expected for parameter 'block'"; fi; shift
+ ;;
+ # allow
 -w|--allow|-w=*|--allow=*)
 if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
@@ -544,6 +581,9 @@ if [[ "${arg_public_ip:+x}" ]]; then
 xynat_validate_public_ip "$arg_public_ip"
 fi
+# block
+xynat_validate_block "${arg_block[*]:-""}"
+ # allow
 xynat_validate_allow "${arg_allow[*]:-""}"
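Review bot: In the new `--block=VALUE` branch of the option loop the value is recovered with `"$(echo $1 | sed -E "s/^[a-z\-]+=(.*)$/\1/g")"`, where `$1` is unquoted and therefore subject to word splitting and pathname expansion, and `echo` may interpret a value that begins with `-`; the `[[ "$1" =~ ^[a-z\-]+=(.+)$ ]]` test on the preceding line has already captured the value, so `arg_block=(${arg_block[@]:-""} "${BASH_REMATCH[1]}")` gives the same result without the pipeline. The neighbouring `--allow` branch appears to use the same construction, so this is a pattern inherited from the existing code rather than something the commit introduces, but the new branch is the natural place to start. The `while` loop containing this case begins before the hunk and ends after it.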