✨ allow blocking public addresses
This commit is contained in:
parent
3bee1ac760
commit
2c09305ec3
62
xynat
62
xynat
@ -190,6 +190,11 @@ xynat_ruleset_update_fwi(){
|
||||
# enforce correct vm address
|
||||
iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# reject packets for blocked address(es)
|
||||
for a in ${arg_block[*]:-}; do
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||
done
|
||||
|
||||
# accept allowed local addresses
|
||||
for a in ${arg_allow[*]:-}; do
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
|
||||
@ -223,6 +228,11 @@ xynat_ruleset_update_fwo(){
|
||||
# enforce correct vm address
|
||||
iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# reject packets for blocked address(es)
|
||||
for a in ${arg_block[*]:-}; do
|
||||
iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||
done
|
||||
|
||||
# accept allowed local addresses
|
||||
for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
|
||||
iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
|
||||
@ -287,20 +297,22 @@ xynat_help(){
|
||||
echo "Usage: $0 [OPTIONS]"
|
||||
echo
|
||||
echo "Options:"
|
||||
echo " -a, --add - Add new firewall (default, fallback: MODE=start)"
|
||||
echo " -r, --remove - Remove existing firewall (fallback: MODE=stop)"
|
||||
echo " -a, --add - Add new firewall (default, fallback: MODE=start)"
|
||||
echo " -r, --remove - Remove existing firewall (fallback: MODE=stop)"
|
||||
echo
|
||||
echo " -i, --iface=iface - Interface name for virtual switch (required, fallback: IFACE)"
|
||||
echo " -s, --vm-address=ip - IP address of virtual machine (required)"
|
||||
echo " -p, --public-ip=ip - IP address to use for outgoing traffic and DNAT"
|
||||
echo " -i, --iface=iface - Interface name for virtual switch (required, fallback: IFACE)"
|
||||
echo " -s, --vm-address=ip - IP address of virtual machine (required)"
|
||||
echo " -p, --public-ip=ip - IP address to use for outgoing traffic and DNAT"
|
||||
echo
|
||||
echo " -w, --allow=ip-or-net - Allow address(es) for incomming and outgoing connections (multi-use allowed)"
|
||||
echo " -x, --allow-in=ip-or-net - Allow address(es) for incomming connections only (multi-use allowed)"
|
||||
echo " -y, --allow-host - Allow local host for incomming and outgoing connections"
|
||||
echo " -z, --allow-host-in - Allow local host for incomming connections only"
|
||||
echo " -b, --block=ip-or-net - Block address(es) for all connections (multi-use allowed)"
|
||||
echo
|
||||
echo " -h, --help - Display this help message and exit"
|
||||
echo " -v, --version - Display version information and exit"
|
||||
echo " -w, --allow=ip-or-net - Allow local address(es) for all connections (multi-use allowed)"
|
||||
echo " -x, --allow-in=ip-or-net - Allow local address(es) for incomming connections only (multi-use allowed)"
|
||||
echo " -y, --allow-host - Allow local host for all connections"
|
||||
echo " -z, --allow-host-in - Allow local host for incomming connections only"
|
||||
echo
|
||||
echo " -h, --help - Display this help message and exit"
|
||||
echo " -v, --version - Display version information and exit"
|
||||
}
|
||||
|
||||
|
||||
@ -361,6 +373,20 @@ xynat_validate_public_ip(){
|
||||
|
||||
|
||||
|
||||
#
|
||||
# VALIDATOR: `block`.
|
||||
#
|
||||
xynat_validate_block(){
|
||||
for a in $1; do
|
||||
## VALIDATE SYNTAX ##
|
||||
if [[ ! "$a" =~ $regex_ip_or_net ]]; then
|
||||
log_error "Malformed ip address or subnet in blocklist: '$a'"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
|
||||
#
|
||||
# VALIDATOR: `allow`.
|
||||
#
|
||||
@ -468,6 +494,17 @@ while [[ "$#" -gt 0 ]]; do
|
||||
else log_error "Value expected for parameter 'public-ip'"; fi; shift
|
||||
;;
|
||||
|
||||
# block
|
||||
-b|--block|-b=*|--block=*)
|
||||
if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
|
||||
arg_block=(${arg_block[@]:-""} "$(echo $1 | sed -E "s/^[a-z\-]+=(.*)$/\1/g")")
|
||||
shift; continue; fi
|
||||
|
||||
shift; if [[ $# -gt 0 ]]; then
|
||||
arg_block=(${arg_block[@]:-""} "$1")
|
||||
else log_error "Value expected for parameter 'block'"; fi; shift
|
||||
;;
|
||||
|
||||
# allow
|
||||
-w|--allow|-w=*|--allow=*)
|
||||
if [[ "$1" =~ ^[a-z\-]+=(.+)$ ]]; then
|
||||
@ -544,6 +581,9 @@ if [[ "${arg_public_ip:+x}" ]]; then
|
||||
xynat_validate_public_ip "$arg_public_ip"
|
||||
fi
|
||||
|
||||
# block
|
||||
xynat_validate_block "${arg_block[*]:-""}"
|
||||
|
||||
# allow
|
||||
xynat_validate_allow "${arg_allow[*]:-""}"
|
||||
|
||||
|
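Review bot: The new `--block` branch re-extracts the option value with `"$(echo $1 | sed -E "s/^[a-z\-]+=(.*)$/\1/g")"` even though the preceding `[[ "$1" =~ ^[a-z\-]+=(.+)$ ]]` test has already captured it, and the unquoted `echo $1` word-splits and globs the argument on the way; `arg_block+=("${BASH_REMATCH[1]}")` yields the same value with no pipeline (the `--allow` branch below it uses the same echo/sed idiom, so this is consistent with existing code rather than a regression, but the new branch is the place to start). The `${arg_block[@]:-""}` fallback also seeds the array with an empty first element, which the unquoted `for a in ${arg_block[*]:-}` loops in xynat_ruleset_update_fwi and xynat_ruleset_update_fwo silently drop; if a later cleanup quotes those loops as `"${arg_block[@]}"`, the empty element would presumably reach `iptables -d ""`, so a comment such as `# NOTE: array may start with "" — keep the loop expansion unquoted or build the array with +=` would record the dependency. In xynat_validate_block a malformed entry is reported via log_error but the loop carries on; if log_error does not terminate the script (its body is outside this hunk), the rejected entry is still handed to iptables later, so either confirm that behaviour or add an explicit `return 1` after the log call. The option-parsing hunk and the two rule loops belong to a while loop and functions whose boundaries lie outside the hunks shown.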