✨ implement missing features
This commit is contained in:
parent
977c758950
commit
a045181710
79
xynat
79
xynat
@ -136,6 +136,16 @@ xynat_ruleset_update_in(){
|
||||
|
||||
|
||||
## ADD RULES ##
|
||||
# enforce correct vm address
|
||||
iptables -A "${chain_id}_IN" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# maybe allow host access
|
||||
if [[ "${arg_allow_host_mode:-}" == "in_out" ]]; then
|
||||
iptables -A "${chain_id}_IN" -j RETURN
|
||||
elif [[ "${arg_allow_host_mode:-}" == "in" ]]; then
|
||||
iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
|
||||
fi
|
||||
|
||||
# reject all packets
|
||||
iptables -A "${chain_id}_IN" -j REJECT --reject-with icmp-host-unreachable
|
||||
|
||||
@ -154,8 +164,16 @@ xynat_ruleset_update_out(){
|
||||
|
||||
|
||||
## ADD RULES ##
|
||||
# allow icmp messages
|
||||
iptables -A "${chain_id}_OUT" -p icmp -j RETURN
|
||||
# allow related icmp messages
|
||||
iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j RETURN
|
||||
|
||||
# enforce correct vm address
|
||||
iptables -A "${chain_id}_OUT" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# maybe allow host access
|
||||
if [[ "${arg_allow_host_mode:-}" == "in_out" || "${arg_allow_host_mode:-}" == "in" ]]; then
|
||||
iptables -A "${chain_id}_OUT" -j RETURN
|
||||
fi
|
||||
|
||||
# reject all other packets
|
||||
iptables -A "${chain_id}_OUT" -j REJECT --reject-with icmp-host-unreachable
|
||||
@ -179,12 +197,12 @@ xynat_ruleset_update_fwi(){
|
||||
iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# ignore allowed local addresses
|
||||
for a in ${arg_allow:-""}; do
|
||||
for a in ${arg_allow[*]:-}; do
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -j RETURN
|
||||
done
|
||||
|
||||
# ignore allowed incomming local addresses
|
||||
for a in ${arg_allow_in:-""}; do
|
||||
for a in ${arg_allow_in[*]:-}; do
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
|
||||
done
|
||||
|
||||
@ -212,7 +230,7 @@ xynat_ruleset_update_fwo(){
|
||||
iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# ignore allowed local addresses
|
||||
for a in ${arg_allow:-""} ${arg_allow_in:-""}; do
|
||||
for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
|
||||
iptables -A "${chain_id}_FWO" -s "$a" -j RETURN
|
||||
done
|
||||
|
||||
@ -236,11 +254,10 @@ xynat_ruleset_update_ni(){
|
||||
|
||||
|
||||
## ADD RULES ##
|
||||
# filter for vm public ip
|
||||
iptables -t nat -A "${chain_id}_NI" ! -d "$arg_public_ip" -j RETURN # TODO
|
||||
|
||||
# translate destination address (forward to vm)
|
||||
iptables -t nat -A "${chain_id}_NI" -j DNAT --to-destination "$arg_vm_address"
|
||||
if [[ "${arg_public_ip:+x}" ]]; then
|
||||
iptables -t nat -A "${chain_id}_NI" -d "$arg_public_ip" -j DNAT --to-destination "$arg_vm_address"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@ -257,8 +274,12 @@ xynat_ruleset_update_no(){
|
||||
# filter for vm ip address
|
||||
iptables -t nat -A "${chain_id}_NO" ! -s "$arg_vm_address" -j RETURN
|
||||
|
||||
# translate source address (forward to internet)
|
||||
iptables -t nat -A "${chain_id}_NO" -j SNAT --to-source "$arg_public_ip" # TODO
|
||||
# translate source address/port (forward to internet)
|
||||
if [[ "${arg_public_ip:+x}" ]]; then
|
||||
iptables -t nat -A "${chain_id}_NO" -j SNAT --to-source "$arg_public_ip"
|
||||
else
|
||||
iptables -t nat -A "${chain_id}_NO" -j MASQUERADE
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@ -300,25 +321,6 @@ xynat_version(){
|
||||
|
||||
|
||||
|
||||
#
|
||||
# VALIDATOR: `iface`.
|
||||
#
|
||||
xynat_validate_iface(){
|
||||
## CHECK IF VALID NAME ##
|
||||
local iface_list="$(xynat_iface_list)"
|
||||
local found="no"
|
||||
for i in $iface_list; do
|
||||
if [[ "$i" == "$1" ]]; then
|
||||
found="yes"
|
||||
fi
|
||||
done
|
||||
if [[ "$found" != "yes" ]]; then
|
||||
log_warn "Unknown iface name '$1'"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
||||
#
|
||||
# VALIDATOR: `vm-address`.
|
||||
#
|
||||
@ -539,13 +541,14 @@ if [[ -z "${arg_iface:+x}" ]]; then
|
||||
if [[ -z "${IFACE:+x}" ]]; then log_error "Missing required argument 'iface'; See '$0 --help' for usage information"; fi
|
||||
arg_iface="$IFACE"
|
||||
fi
|
||||
xynat_validate_iface "$arg_iface"
|
||||
|
||||
# vm-address
|
||||
if [[ -z "${arg_vm_address:+x}" ]]; then
|
||||
log_error "Missing required argument 'vm-address'; See '$0 --help' for usage information"
|
||||
if [[ "$arg_mode" != "remove" ]]; then
|
||||
if [[ -z "${arg_vm_address:+x}" ]]; then
|
||||
log_error "Missing required argument 'vm-address'; See '$0 --help' for usage information"
|
||||
fi
|
||||
xynat_validate_vm_address "$arg_vm_address"
|
||||
fi
|
||||
xynat_validate_vm_address "$arg_vm_address"
|
||||
|
||||
# public-ip
|
||||
if [[ "${arg_public_ip:+x}" ]]; then
|
||||
@ -582,11 +585,3 @@ case "$arg_mode" in
|
||||
log_error "Invalid mode '$arg_mode'"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# TODO: Refine icmp filter to only allow related packets
|
||||
# TODO: Wire up public-ip being empty (SNAT/DNAT)
|
||||
# TODO: Wire up allow-host and allow-host-in
|
||||
|
||||
Loading…
Reference in New Issue
Block a user