#!/bin/sh
#
# firewall.sh - Copyright (c) 2019-2021 - Olivier Poncet
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
#
|
|
|
# ----------------------------------------------------------------------------
# program options
# ----------------------------------------------------------------------------

opt_script="${0}"    # name the script was invoked as, shown in the usage text
opt_error='no'       # 'yes' once the parser meets an invalid argument
opt_usage='no'       # 'yes' when --help was given
opt_proto='all'      # 'all', or 'ipv4' / 'ipv6' to apply only one rule set
opt_list='no'        # 'yes' when --list was given: print the rules and exit
|
|
|
# ----------------------------------------------------------------------------
# the network interfaces : eth0, eno1, ens18, enp3s0, etc ...
# ----------------------------------------------------------------------------

# Taken from the environment (WAN0, LAN1, LAN2) and overridable on the
# command-line (--wan0=, --lan1=, --lan2=). The literal 'not-set' marks an
# interface that is not used: no chain and no rule is installed for it.
wan0="${WAN0:-not-set}"
lan1="${LAN1:-not-set}"
lan2="${LAN2:-not-set}"
|
|
|
# ----------------------------------------------------------------------------
# ip4tables & ip6tables
# ----------------------------------------------------------------------------

# Commands used for the IPv4 and IPv6 rules, from IP4TABLES / IP6TABLES.
# The literal 'not-found' makes the script search PATH later on and abort
# when the tool is still missing.
ip4tables="${IP4TABLES:-not-found}"
ip6tables="${IP6TABLES:-not-found}"
|
|
|
# ----------------------------------------------------------------------------
# IPv4 rules (ACCEPT, REJECT or DROP)
# ----------------------------------------------------------------------------

# Built-in chain policies, set with 'iptables -P' after the filter table is
# flushed. They are not settable from the command-line.
DFLT_IPV4_INPUT_____TARGET='ACCEPT'
DFLT_IPV4_FORWARD___TARGET='ACCEPT'
DFLT_IPV4_OUTPUT____TARGET='ACCEPT'

# Per-interface INPUT decisions, in the order the rules are appended to the
# interface chain; the DEFAULT entry is the catch-all for that interface.
# Each one can be overridden with the matching --wan0-*= option.
# Note that SSH is accepted from the WAN out of the box.
WAN0_IPV4_CONNTRACK_TARGET='ACCEPT'
WAN0_IPV4_ICMP______TARGET='ACCEPT'
WAN0_IPV4_SSH_______TARGET='ACCEPT'
WAN0_IPV4_SMTP______TARGET='REJECT'
WAN0_IPV4_HTTP______TARGET='REJECT'
WAN0_IPV4_HTTPS_____TARGET='REJECT'
WAN0_IPV4_DEFAULT___TARGET='DROP'

# Same scheme for lan1 (--lan1-*= options); no SMTP/HTTP/HTTPS rules here.
LAN1_IPV4_CONNTRACK_TARGET='ACCEPT'
LAN1_IPV4_ICMP______TARGET='ACCEPT'
LAN1_IPV4_SSH_______TARGET='ACCEPT'
LAN1_IPV4_DEFAULT___TARGET='DROP'

# Same scheme for lan2 (--lan2-*= options).
LAN2_IPV4_CONNTRACK_TARGET='ACCEPT'
LAN2_IPV4_ICMP______TARGET='ACCEPT'
LAN2_IPV4_SSH_______TARGET='ACCEPT'
LAN2_IPV4_DEFAULT___TARGET='DROP'
|
|
|
# ----------------------------------------------------------------------------
# IPv6 rules (ACCEPT, REJECT or DROP)
# ----------------------------------------------------------------------------

# Built-in chain policies, set with 'ip6tables -P' after the filter table is
# flushed. They are not settable from the command-line.
DFLT_IPV6_INPUT_____TARGET='ACCEPT'
DFLT_IPV6_FORWARD___TARGET='ACCEPT'
DFLT_IPV6_OUTPUT____TARGET='ACCEPT'

# Per-interface INPUT decisions, mirroring the IPv4 set: the --wan0-*=,
# --lan1-*= and --lan2-*= options set the IPv4 and IPv6 values together.
# Note that SSH is accepted from the WAN out of the box.
WAN0_IPV6_CONNTRACK_TARGET='ACCEPT'
WAN0_IPV6_ICMP______TARGET='ACCEPT'
WAN0_IPV6_SSH_______TARGET='ACCEPT'
WAN0_IPV6_SMTP______TARGET='REJECT'
WAN0_IPV6_HTTP______TARGET='REJECT'
WAN0_IPV6_HTTPS_____TARGET='REJECT'
WAN0_IPV6_DEFAULT___TARGET='DROP'

# lan1: no SMTP/HTTP/HTTPS rules, only conntrack, ICMP, SSH and the catch-all.
LAN1_IPV6_CONNTRACK_TARGET='ACCEPT'
LAN1_IPV6_ICMP______TARGET='ACCEPT'
LAN1_IPV6_SSH_______TARGET='ACCEPT'
LAN1_IPV6_DEFAULT___TARGET='DROP'

# lan2: same scheme as lan1.
LAN2_IPV6_CONNTRACK_TARGET='ACCEPT'
LAN2_IPV6_ICMP______TARGET='ACCEPT'
LAN2_IPV6_SSH_______TARGET='ACCEPT'
LAN2_IPV6_DEFAULT___TARGET='DROP'
|
|
|
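# ----------------------------------------------------------------------------
# parse the command-line
# ----------------------------------------------------------------------------

# is_target VALUE - succeeds when VALUE is one of the rule targets documented
# in the usage text (ACCEPT, REJECT or DROP). Checking here keeps a typo from
# reaching 'iptables -j', where a rule that fails to load would silently
# leave a chain without the rule the user asked for.
is_target()
{
    case "${1}" in
        ACCEPT|REJECT|DROP)
            return 0
            ;;
    esac
    return 1
}

# parse_args ARG... - fills the option, interface and target variables from
# the command-line. Parsing stops at the first invalid argument
# (opt_error='yes') or at --help (opt_usage='yes'). Diagnostics go to stderr.
parse_args()
{
    while [ "${#}" -gt '0' ] && [ "${opt_error}+${opt_usage}" = 'no+no' ]
    do
        # text after the first '=' (empty when the argument has none)
        case "${1}" in
            *=*) arg_value="${1#*=}" ;;
            *)   arg_value=''        ;;
        esac
        # every option carrying a rule target is validated before it is stored
        case "${1}" in
            --wan0-icmp=*|--wan0-ssh=*|--wan0-smtp=*|--wan0-http=*|--wan0-https=*|--wan0-default=*|\
            --lan1-icmp=*|--lan1-ssh=*|--lan1-default=*|\
            --lan2-icmp=*|--lan2-ssh=*|--lan2-default=*)
                if ! is_target "${arg_value}"
                then
                    opt_error='yes'
                    echo "Error: invalid target '${arg_value}' for ${1%%=*} (expected ACCEPT, REJECT or DROP)" >&2
                    shift
                    continue
                fi
                ;;
        esac
        case "${1}" in
            --wan0=*)
                wan0="${arg_value}"
                ;;
            --lan1=*)
                lan1="${arg_value}"
                ;;
            --lan2=*)
                lan2="${arg_value}"
                ;;
            --wan0-icmp=*)
                WAN0_IPV4_ICMP______TARGET="${arg_value}"
                WAN0_IPV6_ICMP______TARGET="${arg_value}"
                ;;
            --wan0-ssh=*)
                WAN0_IPV4_SSH_______TARGET="${arg_value}"
                WAN0_IPV6_SSH_______TARGET="${arg_value}"
                ;;
            --wan0-smtp=*)
                WAN0_IPV4_SMTP______TARGET="${arg_value}"
                WAN0_IPV6_SMTP______TARGET="${arg_value}"
                ;;
            --wan0-http=*)
                WAN0_IPV4_HTTP______TARGET="${arg_value}"
                WAN0_IPV6_HTTP______TARGET="${arg_value}"
                ;;
            --wan0-https=*)
                WAN0_IPV4_HTTPS_____TARGET="${arg_value}"
                WAN0_IPV6_HTTPS_____TARGET="${arg_value}"
                ;;
            --wan0-default=*)
                WAN0_IPV4_DEFAULT___TARGET="${arg_value}"
                WAN0_IPV6_DEFAULT___TARGET="${arg_value}"
                ;;
            --lan1-icmp=*)
                LAN1_IPV4_ICMP______TARGET="${arg_value}"
                LAN1_IPV6_ICMP______TARGET="${arg_value}"
                ;;
            --lan1-ssh=*)
                LAN1_IPV4_SSH_______TARGET="${arg_value}"
                LAN1_IPV6_SSH_______TARGET="${arg_value}"
                ;;
            --lan1-default=*)
                LAN1_IPV4_DEFAULT___TARGET="${arg_value}"
                LAN1_IPV6_DEFAULT___TARGET="${arg_value}"
                ;;
            --lan2-icmp=*)
                LAN2_IPV4_ICMP______TARGET="${arg_value}"
                LAN2_IPV6_ICMP______TARGET="${arg_value}"
                ;;
            --lan2-ssh=*)
                LAN2_IPV4_SSH_______TARGET="${arg_value}"
                LAN2_IPV6_SSH_______TARGET="${arg_value}"
                ;;
            --lan2-default=*)
                LAN2_IPV4_DEFAULT___TARGET="${arg_value}"
                LAN2_IPV6_DEFAULT___TARGET="${arg_value}"
                ;;
            --ipv4)
                opt_proto='ipv4'
                ;;
            --ipv6)
                opt_proto='ipv6'
                ;;
            --list)
                opt_list='yes'
                ;;
            --help)
                opt_usage='yes'
                ;;
            *)
                opt_error='yes'
                echo "Error: invalid argument ${1}" >&2
                ;;
        esac
        shift
    done
}

parse_args "$@"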
|
|
|
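# ----------------------------------------------------------------------------
# display usage if needed
# ----------------------------------------------------------------------------

# print_usage - writes the help text to stdout; the caller chooses the stream
# and the exit status.
print_usage()
{
    cat << EOF
Usage: ${opt_script##*/} [OPTIONS]

Options:

  --wan0={network-interface}    specifies the WAN0 network interface
  --lan1={network-interface}    specifies the LAN1 network interface
  --lan2={network-interface}    specifies the LAN2 network interface
  --wan0-icmp={target}          ACCEPT, REJECT or DROP
  --wan0-ssh={target}           ACCEPT, REJECT or DROP
  --wan0-smtp={target}          ACCEPT, REJECT or DROP
  --wan0-http={target}          ACCEPT, REJECT or DROP
  --wan0-https={target}         ACCEPT, REJECT or DROP
  --wan0-default={target}       ACCEPT, REJECT or DROP
  --lan1-icmp={target}          ACCEPT, REJECT or DROP
  --lan1-ssh={target}           ACCEPT, REJECT or DROP
  --lan1-default={target}       ACCEPT, REJECT or DROP
  --lan2-icmp={target}          ACCEPT, REJECT or DROP
  --lan2-ssh={target}           ACCEPT, REJECT or DROP
  --lan2-default={target}       ACCEPT, REJECT or DROP
  --ipv4                        apply only IPv4 rules
  --ipv6                        apply only IPv6 rules
  --list                        display the rules and exit
  --help                        display this help and exit

Environment variables:

  WAN0                          specifies the WAN0 interface
  LAN1                          specifies the LAN1 interface
  LAN2                          specifies the LAN2 interface

  IP4TABLES                     iptables for IPv4 rules (defaults to iptables)
  IP6TABLES                     iptables for IPv6 rules (defaults to ip6tables)

EOF
}

# An invalid command-line is a failure: usage on stderr, exit status 1.
# An explicit --help is a success: usage on stdout, exit status 0.
if [ "${opt_error:-no}" != 'no' ]
then
    print_usage >&2
    exit 1
fi
if [ "${opt_usage:-no}" != 'no' ]
then
    print_usage
    exit 0
fi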
|
|
|
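# ----------------------------------------------------------------------------
# display list if needed
# ----------------------------------------------------------------------------

# list_ipv4_rules - prints the IPv4 policies and, for every interface that is
# set, the targets of its chain, one 'NAME = TARGET' line each.
list_ipv4_rules()
{
    cat << EOF
DFLT_IPV4_INPUT     = ${DFLT_IPV4_INPUT_____TARGET}
DFLT_IPV4_FORWARD   = ${DFLT_IPV4_FORWARD___TARGET}
DFLT_IPV4_OUTPUT    = ${DFLT_IPV4_OUTPUT____TARGET}
EOF
    if [ "${wan0:-not-set}" != 'not-set' ]
    then
        cat << EOF
WAN0_IPV4_CONNTRACK = ${WAN0_IPV4_CONNTRACK_TARGET}
WAN0_IPV4_ICMP      = ${WAN0_IPV4_ICMP______TARGET}
WAN0_IPV4_SSH       = ${WAN0_IPV4_SSH_______TARGET}
WAN0_IPV4_SMTP      = ${WAN0_IPV4_SMTP______TARGET}
WAN0_IPV4_HTTP      = ${WAN0_IPV4_HTTP______TARGET}
WAN0_IPV4_HTTPS     = ${WAN0_IPV4_HTTPS_____TARGET}
WAN0_IPV4_DEFAULT   = ${WAN0_IPV4_DEFAULT___TARGET}
EOF
    fi
    if [ "${lan1:-not-set}" != 'not-set' ]
    then
        cat << EOF
LAN1_IPV4_CONNTRACK = ${LAN1_IPV4_CONNTRACK_TARGET}
LAN1_IPV4_ICMP      = ${LAN1_IPV4_ICMP______TARGET}
LAN1_IPV4_SSH       = ${LAN1_IPV4_SSH_______TARGET}
LAN1_IPV4_DEFAULT   = ${LAN1_IPV4_DEFAULT___TARGET}
EOF
    fi
    if [ "${lan2:-not-set}" != 'not-set' ]
    then
        cat << EOF
LAN2_IPV4_CONNTRACK = ${LAN2_IPV4_CONNTRACK_TARGET}
LAN2_IPV4_ICMP      = ${LAN2_IPV4_ICMP______TARGET}
LAN2_IPV4_SSH       = ${LAN2_IPV4_SSH_______TARGET}
LAN2_IPV4_DEFAULT   = ${LAN2_IPV4_DEFAULT___TARGET}
EOF
    fi
}

# list_ipv6_rules - IPv6 counterpart of list_ipv4_rules.
list_ipv6_rules()
{
    cat << EOF
DFLT_IPV6_INPUT     = ${DFLT_IPV6_INPUT_____TARGET}
DFLT_IPV6_FORWARD   = ${DFLT_IPV6_FORWARD___TARGET}
DFLT_IPV6_OUTPUT    = ${DFLT_IPV6_OUTPUT____TARGET}
EOF
    if [ "${wan0:-not-set}" != 'not-set' ]
    then
        cat << EOF
WAN0_IPV6_CONNTRACK = ${WAN0_IPV6_CONNTRACK_TARGET}
WAN0_IPV6_ICMP      = ${WAN0_IPV6_ICMP______TARGET}
WAN0_IPV6_SSH       = ${WAN0_IPV6_SSH_______TARGET}
WAN0_IPV6_SMTP      = ${WAN0_IPV6_SMTP______TARGET}
WAN0_IPV6_HTTP      = ${WAN0_IPV6_HTTP______TARGET}
WAN0_IPV6_HTTPS     = ${WAN0_IPV6_HTTPS_____TARGET}
WAN0_IPV6_DEFAULT   = ${WAN0_IPV6_DEFAULT___TARGET}
EOF
    fi
    if [ "${lan1:-not-set}" != 'not-set' ]
    then
        cat << EOF
LAN1_IPV6_CONNTRACK = ${LAN1_IPV6_CONNTRACK_TARGET}
LAN1_IPV6_ICMP      = ${LAN1_IPV6_ICMP______TARGET}
LAN1_IPV6_SSH       = ${LAN1_IPV6_SSH_______TARGET}
LAN1_IPV6_DEFAULT   = ${LAN1_IPV6_DEFAULT___TARGET}
EOF
    fi
    if [ "${lan2:-not-set}" != 'not-set' ]
    then
        cat << EOF
LAN2_IPV6_CONNTRACK = ${LAN2_IPV6_CONNTRACK_TARGET}
LAN2_IPV6_ICMP      = ${LAN2_IPV6_ICMP______TARGET}
LAN2_IPV6_SSH       = ${LAN2_IPV6_SSH_______TARGET}
LAN2_IPV6_DEFAULT   = ${LAN2_IPV6_DEFAULT___TARGET}
EOF
    fi
}

# --list only reports what would be applied; nothing is touched and the
# script exits right after. The protocol filter (--ipv4 / --ipv6) applies.
if [ "${opt_list:-no}" = 'yes' ]
then
    case "${opt_proto}" in
        all|ipv4) list_ipv4_rules ;;
    esac
    case "${opt_proto}" in
        all|ipv6) list_ipv6_rules ;;
    esac
    exit 0
fi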
|
|
|
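# ----------------------------------------------------------------------------
# looking for iptables and ip6tables if needed
# ----------------------------------------------------------------------------

# find_tool NAME - prints the command found on PATH for NAME, or 'not-found'.
# 'command -v' is POSIX, unlike 'which', and stays silent when NAME is missing.
find_tool()
{
    command -v "${1}" 2> /dev/null || echo 'not-found'
}

if [ "${ip4tables:-not-found}" = 'not-found' ]
then
    ip4tables="$(find_tool iptables)"
fi

if [ "${ip6tables:-not-found}" = 'not-found' ]
then
    ip6tables="$(find_tool ip6tables)"
fi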
|
|
|
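# ----------------------------------------------------------------------------
# sanity checks
# ----------------------------------------------------------------------------

# require_tool NAME PATH - fails with a message on stderr when the lookup for
# NAME ended up as 'not-found'; succeeds otherwise.
require_tool()
{
    if [ "${2}" = 'not-found' ]
    then
        echo "*** ${1} was not found ***" >&2
        return 1
    fi
    return 0
}

# both tools are required whatever --ipv4 / --ipv6 says, as in the original
# behaviour: the per-interface blocks below reference both of them
require_tool iptables  "${ip4tables}" || exit 1
require_tool ip6tables "${ip6tables}" || exit 1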
|
|
|
# ---------------------------------------------------------------------------- |
|
# interfaces checks |
|
# ---------------------------------------------------------------------------- |
|
|
|
if [ "${wan0:-not-set}" != 'not-set' ] && [ ! -d "/sys/class/net/${wan0}" ] |
|
then |
|
echo "*** ${wan0} does not exists ***" |
|
exit 1 |
|
fi |
|
|
|
if [ "${lan1:-not-set}" != 'not-set' ] && [ ! -d "/sys/class/net/${lan1}" ] |
|
then |
|
echo "*** ${lan1} does not exists ***" |
|
exit 1 |
|
fi |
|
|
|
if [ "${lan2:-not-set}" != 'not-set' ] && [ ! -d "/sys/class/net/${lan2}" ] |
|
then |
|
echo "*** ${lan2} does not exists ***" |
|
exit 1 |
|
fi |
|
|
|
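# ----------------------------------------------------------------------------
# IPv4 default policies
# ----------------------------------------------------------------------------

# Flush the whole filter table, then set the built-in chain policies. Each
# step must succeed (typically it does not when the script is not run as
# root); going on after a failed flush or policy would stack the interface
# rules on top of an unknown state, so the script stops at the first error.
# ${ip4tables} is left unquoted, as elsewhere in the script, so that
# IP4TABLES may carry a command together with its own arguments.
if [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv4' ]
then
    ${ip4tables} -t filter -F                                         || exit 1
    ${ip4tables} -t filter -P INPUT   "${DFLT_IPV4_INPUT_____TARGET}" || exit 1
    ${ip4tables} -t filter -P FORWARD "${DFLT_IPV4_FORWARD___TARGET}" || exit 1
    ${ip4tables} -t filter -P OUTPUT  "${DFLT_IPV4_OUTPUT____TARGET}" || exit 1
fi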
|
|
|
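# ----------------------------------------------------------------------------
# IPv6 default policies
# ----------------------------------------------------------------------------

# Flush the whole filter table, then set the built-in chain policies. Each
# step must succeed (typically it does not when the script is not run as
# root); going on after a failed flush or policy would stack the interface
# rules on top of an unknown state, so the script stops at the first error.
# ${ip6tables} is left unquoted, as elsewhere in the script, so that
# IP6TABLES may carry a command together with its own arguments.
if [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv6' ]
then
    ${ip6tables} -t filter -F                                         || exit 1
    ${ip6tables} -t filter -P INPUT   "${DFLT_IPV6_INPUT_____TARGET}" || exit 1
    ${ip6tables} -t filter -P FORWARD "${DFLT_IPV6_FORWARD___TARGET}" || exit 1
    ${ip6tables} -t filter -P OUTPUT  "${DFLT_IPV6_OUTPUT____TARGET}" || exit 1
fi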
|
|
|
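# ----------------------------------------------------------------------------
# IPv4 wan0 rules
# ----------------------------------------------------------------------------

# The IPv4 table is only touched when IPv4 rules are being applied, so
# --ipv6 leaves it alone; an unset or empty interface name means the
# interface is not used.
if [ "${wan0:-not-set}" != 'not-set' ] && { [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv4' ]; }
then
    # (re)create the per-interface chain: -X fails when the chain is absent
    # and -N when it already exists, so both statuses are ignored on purpose
    ${ip4tables} -t filter -X WAN0_INPUT > /dev/null 2>&1
    ${ip4tables} -t filter -N WAN0_INPUT > /dev/null 2>&1
    # rules are matched top to bottom; the last one is the catch-all for the
    # interface. A rule that fails to load would silently change what the
    # chain means (e.g. the catch-all without the SSH exception), so the
    # script stops at the first failure instead of carrying on.
    ${ip4tables} -t filter -A INPUT      -i "${wan0}" -j WAN0_INPUT                                                      || exit 1
    ${ip4tables} -t filter -A WAN0_INPUT -i "${wan0}" -p all -m state --state RELATED,ESTABLISHED -j "${WAN0_IPV4_CONNTRACK_TARGET}" || exit 1
    ${ip4tables} -t filter -A WAN0_INPUT -i "${wan0}" -p icmp               -j "${WAN0_IPV4_ICMP______TARGET}"           || exit 1
    ${ip4tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport ssh    -j "${WAN0_IPV4_SSH_______TARGET}"           || exit 1
    ${ip4tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport smtp   -j "${WAN0_IPV4_SMTP______TARGET}"           || exit 1
    ${ip4tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport http   -j "${WAN0_IPV4_HTTP______TARGET}"           || exit 1
    ${ip4tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport https  -j "${WAN0_IPV4_HTTPS_____TARGET}"           || exit 1
    ${ip4tables} -t filter -A WAN0_INPUT -i "${wan0}"                       -j "${WAN0_IPV4_DEFAULT___TARGET}"           || exit 1
fi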
|
|
|
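# ----------------------------------------------------------------------------
# IPv6 wan0 rules
# ----------------------------------------------------------------------------

# The IPv6 table is only touched when IPv6 rules are being applied, so
# --ipv4 leaves it alone; an unset or empty interface name means the
# interface is not used.
if [ "${wan0:-not-set}" != 'not-set' ] && { [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv6' ]; }
then
    # (re)create the per-interface chain: -X fails when the chain is absent
    # and -N when it already exists, so both statuses are ignored on purpose
    ${ip6tables} -t filter -X WAN0_INPUT > /dev/null 2>&1
    ${ip6tables} -t filter -N WAN0_INPUT > /dev/null 2>&1
    # rules are matched top to bottom; the last one is the catch-all for the
    # interface. A rule that fails to load would silently change what the
    # chain means, so the script stops at the first failure.
    ${ip6tables} -t filter -A INPUT      -i "${wan0}" -j WAN0_INPUT                                                      || exit 1
    ${ip6tables} -t filter -A WAN0_INPUT -i "${wan0}" -p all -m state --state RELATED,ESTABLISHED -j "${WAN0_IPV6_CONNTRACK_TARGET}" || exit 1
    ${ip6tables} -t filter -A WAN0_INPUT -i "${wan0}" -p icmp               -j "${WAN0_IPV6_ICMP______TARGET}"           || exit 1
    ${ip6tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport ssh    -j "${WAN0_IPV6_SSH_______TARGET}"           || exit 1
    ${ip6tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport smtp   -j "${WAN0_IPV6_SMTP______TARGET}"           || exit 1
    ${ip6tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport http   -j "${WAN0_IPV6_HTTP______TARGET}"           || exit 1
    ${ip6tables} -t filter -A WAN0_INPUT -i "${wan0}" -p tcp --dport https  -j "${WAN0_IPV6_HTTPS_____TARGET}"           || exit 1
    ${ip6tables} -t filter -A WAN0_INPUT -i "${wan0}"                       -j "${WAN0_IPV6_DEFAULT___TARGET}"           || exit 1
fi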
|
|
|
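# ----------------------------------------------------------------------------
# IPv4 lan1 rules
# ----------------------------------------------------------------------------

# The IPv4 table is only touched when IPv4 rules are being applied, so
# --ipv6 leaves it alone; an unset or empty interface name means the
# interface is not used.
if [ "${lan1:-not-set}" != 'not-set' ] && { [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv4' ]; }
then
    # (re)create the per-interface chain: -X fails when the chain is absent
    # and -N when it already exists, so both statuses are ignored on purpose
    ${ip4tables} -t filter -X LAN1_INPUT > /dev/null 2>&1
    ${ip4tables} -t filter -N LAN1_INPUT > /dev/null 2>&1
    # rules are matched top to bottom; the last one is the catch-all for the
    # interface. A rule that fails to load would silently change what the
    # chain means, so the script stops at the first failure.
    ${ip4tables} -t filter -A INPUT      -i "${lan1}" -j LAN1_INPUT                                                      || exit 1
    ${ip4tables} -t filter -A LAN1_INPUT -i "${lan1}" -p all -m state --state RELATED,ESTABLISHED -j "${LAN1_IPV4_CONNTRACK_TARGET}" || exit 1
    ${ip4tables} -t filter -A LAN1_INPUT -i "${lan1}" -p icmp               -j "${LAN1_IPV4_ICMP______TARGET}"           || exit 1
    ${ip4tables} -t filter -A LAN1_INPUT -i "${lan1}" -p tcp --dport ssh    -j "${LAN1_IPV4_SSH_______TARGET}"           || exit 1
    ${ip4tables} -t filter -A LAN1_INPUT -i "${lan1}"                       -j "${LAN1_IPV4_DEFAULT___TARGET}"           || exit 1
fi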
|
|
|
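# ----------------------------------------------------------------------------
# IPv6 lan1 rules
# ----------------------------------------------------------------------------

# The IPv6 table is only touched when IPv6 rules are being applied, so
# --ipv4 leaves it alone; an unset or empty interface name means the
# interface is not used.
if [ "${lan1:-not-set}" != 'not-set' ] && { [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv6' ]; }
then
    # (re)create the per-interface chain: -X fails when the chain is absent
    # and -N when it already exists, so both statuses are ignored on purpose
    ${ip6tables} -t filter -X LAN1_INPUT > /dev/null 2>&1
    ${ip6tables} -t filter -N LAN1_INPUT > /dev/null 2>&1
    # rules are matched top to bottom; the last one is the catch-all for the
    # interface. A rule that fails to load would silently change what the
    # chain means, so the script stops at the first failure.
    ${ip6tables} -t filter -A INPUT      -i "${lan1}" -j LAN1_INPUT                                                      || exit 1
    ${ip6tables} -t filter -A LAN1_INPUT -i "${lan1}" -p all -m state --state RELATED,ESTABLISHED -j "${LAN1_IPV6_CONNTRACK_TARGET}" || exit 1
    ${ip6tables} -t filter -A LAN1_INPUT -i "${lan1}" -p icmp               -j "${LAN1_IPV6_ICMP______TARGET}"           || exit 1
    ${ip6tables} -t filter -A LAN1_INPUT -i "${lan1}" -p tcp --dport ssh    -j "${LAN1_IPV6_SSH_______TARGET}"           || exit 1
    ${ip6tables} -t filter -A LAN1_INPUT -i "${lan1}"                       -j "${LAN1_IPV6_DEFAULT___TARGET}"           || exit 1
fi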
|
|
|
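# ----------------------------------------------------------------------------
# IPv4 lan2 rules
# ----------------------------------------------------------------------------

# The IPv4 table is only touched when IPv4 rules are being applied, so
# --ipv6 leaves it alone; an unset or empty interface name means the
# interface is not used.
if [ "${lan2:-not-set}" != 'not-set' ] && { [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv4' ]; }
then
    # (re)create the per-interface chain: -X fails when the chain is absent
    # and -N when it already exists, so both statuses are ignored on purpose
    ${ip4tables} -t filter -X LAN2_INPUT > /dev/null 2>&1
    ${ip4tables} -t filter -N LAN2_INPUT > /dev/null 2>&1
    # rules are matched top to bottom; the last one is the catch-all for the
    # interface. A rule that fails to load would silently change what the
    # chain means, so the script stops at the first failure.
    ${ip4tables} -t filter -A INPUT      -i "${lan2}" -j LAN2_INPUT                                                      || exit 1
    ${ip4tables} -t filter -A LAN2_INPUT -i "${lan2}" -p all -m state --state RELATED,ESTABLISHED -j "${LAN2_IPV4_CONNTRACK_TARGET}" || exit 1
    ${ip4tables} -t filter -A LAN2_INPUT -i "${lan2}" -p icmp               -j "${LAN2_IPV4_ICMP______TARGET}"           || exit 1
    ${ip4tables} -t filter -A LAN2_INPUT -i "${lan2}" -p tcp --dport ssh    -j "${LAN2_IPV4_SSH_______TARGET}"           || exit 1
    ${ip4tables} -t filter -A LAN2_INPUT -i "${lan2}"                       -j "${LAN2_IPV4_DEFAULT___TARGET}"           || exit 1
fi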
|
|
|
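# ----------------------------------------------------------------------------
# IPv6 lan2 rules
# ----------------------------------------------------------------------------

# The IPv6 table is only touched when IPv6 rules are being applied, so
# --ipv4 leaves it alone; an unset or empty interface name means the
# interface is not used.
if [ "${lan2:-not-set}" != 'not-set' ] && { [ "${opt_proto}" = 'all' ] || [ "${opt_proto}" = 'ipv6' ]; }
then
    # (re)create the per-interface chain: -X fails when the chain is absent
    # and -N when it already exists, so both statuses are ignored on purpose
    ${ip6tables} -t filter -X LAN2_INPUT > /dev/null 2>&1
    ${ip6tables} -t filter -N LAN2_INPUT > /dev/null 2>&1
    # rules are matched top to bottom; the last one is the catch-all for the
    # interface. A rule that fails to load would silently change what the
    # chain means, so the script stops at the first failure.
    ${ip6tables} -t filter -A INPUT      -i "${lan2}" -j LAN2_INPUT                                                      || exit 1
    ${ip6tables} -t filter -A LAN2_INPUT -i "${lan2}" -p all -m state --state RELATED,ESTABLISHED -j "${LAN2_IPV6_CONNTRACK_TARGET}" || exit 1
    ${ip6tables} -t filter -A LAN2_INPUT -i "${lan2}" -p icmp               -j "${LAN2_IPV6_ICMP______TARGET}"           || exit 1
    ${ip6tables} -t filter -A LAN2_INPUT -i "${lan2}" -p tcp --dport ssh    -j "${LAN2_IPV6_SSH_______TARGET}"           || exit 1
    ${ip6tables} -t filter -A LAN2_INPUT -i "${lan2}"                       -j "${LAN2_IPV6_DEFAULT___TARGET}"           || exit 1
fi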
|
|
|
# ----------------------------------------------------------------------------
# End-Of-File
# ----------------------------------------------------------------------------