✨ allow blocking public addresses
parent
3bee1ac760
commit
2c09305ec3
46
xynat
46
xynat
@ -190,6 +190,11 @@ xynat_ruleset_update_fwi(){
|
|||||||
# enforce correct vm address
|
# enforce correct vm address
|
||||||
iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
|
||||||
|
# reject packets for blocked address(es)
|
||||||
|
for a in ${arg_block[*]:-}; do
|
||||||
|
iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||||
|
done
|
||||||
|
|
||||||
# accept allowed local addresses
|
# accept allowed local addresses
|
||||||
for a in ${arg_allow[*]:-}; do
|
for a in ${arg_allow[*]:-}; do
|
||||||
iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
|
iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
|
||||||
@ -223,6 +228,11 @@ xynat_ruleset_update_fwo(){
|
|||||||
# enforce correct vm address
|
# enforce correct vm address
|
||||||
iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
|
||||||
|
# reject packets for blocked address(es)
|
||||||
|
for a in ${arg_block[*]:-}; do
|
||||||
|
iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||||
|
done
|
||||||
|
|
||||||
# accept allowed local addresses
|
# accept allowed local addresses
|
||||||
for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
|
for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
|
||||||
iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
|
iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
|
||||||
@ -294,9 +304,11 @@ xynat_help(){
|
|||||||
echo " -s, --vm-address=ip - IP address of virtual machine (required)"
|
echo " -s, --vm-address=ip - IP address of virtual machine (required)"
|
||||||
echo " -p, --public-ip=ip - IP address to use for outgoing traffic and DNAT"
|
echo " -p, --public-ip=ip - IP address to use for outgoing traffic and DNAT"
|
||||||
echo
|
echo
|
||||||
echo " -w, --allow=ip-or-net - Allow address(es) for incomming and outgoing connections (multi-use allowed)"
|
echo " -b, --block=ip-or-net - Block address(es) for all connections (multi-use allowed)"
|
||||||
echo " -x, --allow-in=ip-or-net - Allow address(es) for incomming connections only (multi-use allowed)"
|
echo
|
||||||
echo " -y, --allow-host - Allow local host for incomming and outgoing connections"
|
echo " -w, --allow=ip-or-net - Allow local address(es) for all connections (multi-use allowed)"
|
||||||
|
echo " -x, --allow-in=ip-or-net - Allow local address(es) for incomming connections only (multi-use allowed)"
|
||||||
|
echo " -y, --allow-host - Allow local host for all connections"
|
||||||
echo " -z, --allow-host-in - Allow local host for incomming connections only"
|
echo " -z, --allow-host-in - Allow local host for incomming connections only"
|
||||||
echo
|
echo
|
||||||
echo " -h, --help - Display this help message and exit"
|
echo " -h, --help - Display this help message and exit"
|
||||||
@ -361,6 +373,20 @@ xynat_validate_public_ip(){
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# VALIDATOR: `block`.
|
||||||
|
#
|
||||||
|
xynat_validate_block(){
|
||||||
|
for a in $1; do
|
||||||
|
## VALIDATE SYNTAX ##
|
||||||
|
if [[ ! "$a" =~ $regex_ip_or_net ]]; then
|
||||||
|
log_error "Malformed ip address or subnet in blocklist: '$a'"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# VALIDATOR: `allow`.
|
# VALIDATOR: `allow`.
|
||||||
#
|
#
|
||||||
@ -468,6 +494,17 @@ while [[ "$#" -gt 0 ]]; do
|
|||||||
else log_error "Value expected for parameter 'public-ip'"; fi; shift
|
else log_error "Value expected for parameter 'public-ip'"; fi; shift
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
# block
|
||||||
|
-b|--block|-b=*|--block=*)
|
||||||
|
if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
|
||||||
|
arg_block=(${arg_block[@]:-""} "$(echo $1 | sed -E "s/^[a-z\-]+=(.*)$/\1/g")")
|
||||||
|
shift; continue; fi
|
||||||
|
|
||||||
|
shift; if [[ $# -gt 0 ]]; then
|
||||||
|
arg_block=(${arg_block[@]:-""} "$1")
|
||||||
|
else log_error "Value expected for parameter 'block'"; fi; shift
|
||||||
|
;;
|
||||||
|
|
||||||
# allow
|
# allow
|
||||||
-w|--allow|-w=*|--allow=*)
|
-w|--allow|-w=*|--allow=*)
|
||||||
if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
|
if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
|
||||||
@ -544,6 +581,9 @@ if [[ "${arg_public_ip:+x}" ]]; then
|
|||||||
xynat_validate_public_ip "$arg_public_ip"
|
xynat_validate_public_ip "$arg_public_ip"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# block
|
||||||
|
xynat_validate_block "${arg_block[*]:-""}"
|
||||||
|
|
||||||
# allow
|
# allow
|
||||||
xynat_validate_allow "${arg_allow[*]:-""}"
|
xynat_validate_allow "${arg_allow[*]:-""}"
|
||||||
|
|
||||||
|
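Review bot: In the new `-b|--block` arm, `arg_block=(${arg_block[@]:-""} "$(echo $1 | sed -E ...)")` passes the user-supplied value through an unquoted `echo $1`, so a value containing glob characters or whitespace is expanded by the shell before it is stored, and the unquoted `${arg_block[@]:-""}` re-splits every previously stored entry on each append. The `[[ "$1" =~ ^[a-z\-]+=(.+)$ ]]` test on the line above already captures the value, so both appends can be written as `arg_block+=("${BASH_REMATCH[1]}")` and `arg_block+=("$1")`, which also removes the empty placeholder element that the `for a in ${arg_block[*]:-}` loops in the FWI and FWO hunks currently rely on word-splitting to drop. The existing `-w|--allow` arm that this code mirrors has the same shape, so the fix presumably belongs in both; the enclosing `while` loop starts and ends outside the hunk. In `xynat_validate_block`, whether `log_error` terminates the script is not visible here; if it only logs, a malformed entry still reaches the `iptables ... -d "$a"` call, so the validator should either exit explicitly after the loop or return a status the caller checks.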