# Deactivate firewall frontends and ensure the firewall service is running
deactivate_frontends() {
printf "Disabling firewalld service\n"
- systemctl disable --now firewalld
+ systemctl disable --now firewalld 2>&1
printf "Disabling ufw service\n"
- systemctl disable --now ufw
+ systemctl disable --now ufw 2>&1
if [ "$FIREWALL" = "iptables" ]; then
printf "Enabling iptables service\n"
}
+hosts_v4() {
+ hostip=$(getent ahostsv4 "$1" | head -n1 | cut -d" " -f1)
+ if [ -n "$hostip" ]; then
+ printf "%s %s\n" "$hostip" "$1"
+ fi
+}
+
set_rule() {
+ # Split input into variables on ","
+ oIFS="$IFS"
+ IFS=","
+ set $1
+ IFS="$oIFS"
+
port="$1"
action="$2"
direction="$3"
protocol="tcp"
fi
+ # Check if a domain was provided instead of an ip
+ iptype="ip"
+ domain=0
+ case "$other_ip" in
+ *[a-z]*)
+ domain=1
+ #iphost=$(getent hosts "$other_ip" | cut -d" " -f1)
+ iphost=$(hosts_v4 "$other_ip" | cut -d" " -f1)
+ ;;
+ *)
+ iphost="$other_ip"
+ esac
+ case "$iphost" in
+ *:*)
+ iptype="ip6";
+ ;;
+ esac
+
port_1=""
port_2=""
other_match1=""
fi
fi
+ comment=""
+ if [ $domain -eq 1 ]; then
+ comment="-m comment --comment \"$other_ip\""
+ fi
+
+ iptables="iptables"
+ if [ $iptype = "ip6" ]; then
+ iptables="ip6tables"
+ fi
+
ip_action=$(printf "%s" "$action" | tr "[:lower:]" "[:upper:]")
- iptables -A $direction_1 $port_1 $other_match1 -j $ip_action
+ $iptables -A $direction_1 $port_1 $other_match1 -j $ip_action $comment
if [ "$ip_action" = "ACCEPT" ]; then
- iptables -A $direction_2 $port_2 --state ESTABLISHED,RELATED $other_match2 -j $ip_action
+ $iptables -A $direction_2 $port_2 --state ESTABLISHED,RELATED $other_match2 -j $ip_action $comment
fi
elif [ "$FIREWALL" = "nftables" ]; then
fi
if [ -n "$other_ip" ] && [ "$other_ip" != "_" ]; then
- iptype="ip"
- case "$other_ip" in
- *:*)
- iptype="ip6"
- ;;
- esac
if [ "$direction" = "in" ]; then
other_match1="$iptype saddr $other_ip"
other_match2="$iptype daddr $other_ip"
other_match2="$iptype saddr $other_ip"
fi
fi
+
+ comment=""
+ if [ $domain -eq 1 ]; then
+ comment="comment \"$other_ip\""
+ fi
+
action=$(printf "%s" "$action" | tr "[:upper:]" "[:lower:]")
- nft add rule inet filter $direction_1 $port_1 $other_match1 $action
+ nft add rule inet filter $direction_1 $port_1 $other_match1 $action $comment
if [ "$action" = "accept" ]; then
- nft add rule inet filter $direction_2 $port_2 ct state established,related $other_match2 $action
+ nft add rule inet filter $direction_2 $port_2 ct state established,related $other_match2 $action $comment
fi
fi
}
other_ip="$1"
if [ -n "$other_ip" ]; then
- set_rule "22" "accept" "in" "$other_ip"
+ set_rule "22,accept,in,$other_ip"
else
- set_rule "22" "accept" "in"
+ set_rule "22,accept,in"
fi
}
other_ip="$1"
if [ -n "$other_ip" ]; then
- set_rule "53" "accept" "out" "$other_ip" "udp"
+ set_rule "53,accept,out,$other_ip,udp"
else
- set_rule "53" "accept" "out" "_" "udp"
+ set_rule "53,accept,out,_,udp"
fi
}
# Set all firewall rules
for rule in $RULES; do
- rule=$(printf "%s" "$rule" | sed 's/,/ /g') # Split into arguments
set_rule $rule
done
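Review bot: The domain test `*[a-z]*` at L35 also matches IPv6 literals that contain hex digits a–f (for example `2001:db8::1`), so such an address takes the domain branch, is resolved with the IPv4-only `getent ahostsv4` in `hosts_v4`, and the `*:*` test at L44 then runs on the (empty) lookup result instead of on `$other_ip`; the removed L74–79 logic classified these as ip6 correctly, so this is a regression that would send an IPv6 rule to `iptables` with an empty address match, though the exact effect depends on how `$iphost` is used outside the hunk and should be confirmed. Testing for `*:*` on `$other_ip` before the domain pattern avoids the mis-classification, and an empty resolution result should stop the rule from being added rather than silently dropping the address restriction. `head -n1` in `hosts_v4` keeps only the first A record, so a name with several addresses is covered for one of them only; a comment such as `# only the first IPv4 address is used` would make that explicit. The `\"` in `comment=` at L56 survive expansion as literal quote characters in the iptables comment text, because quote removal is not applied to expansion results; for nft at L89 they are presumably consumed by its own parser, so the two branches likely need different quoting.
```shell
  # Check if a domain was provided instead of an ip.
  # Test for ':' first: IPv6 literals contain hex letters and must not be
  # treated as domain names.
  iptype="ip"
  domain=0
  case "$other_ip" in
    *:*)
      iptype="ip6"
      iphost="$other_ip"
      ;;
    *[a-z]*)
      domain=1
      iphost=$(hosts_v4 "$other_ip" | cut -d" " -f1)
      if [ -z "$iphost" ]; then
        printf "Could not resolve %s, skipping rule\n" "$other_ip" >&2
        return 1
      fi
      ;;
    *)
      iphost="$other_ip"
      ;;
  esac
  # … unchanged: comment construction and iptables/ip6tables selection …
```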