From: mivirl <>
Date: Wed, 22 May 2024 14:38:59 +0000 (-0500)
Subject: Allow specifying a domain instead of an ip
X-Git-Url: http://mivirl.dev/git/?a=commitdiff_plain;h=9e805868b68156bc2ca18fa3b3a848247c31fed8;p=firewall-scripts.git

Allow specifying a domain instead of an ip
---

diff --git a/firewall.sh b/firewall.sh
index ddefdcb..91f4bcc 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -70,9 +70,9 @@ detect_firewall() {
 # Deactivate firewall frontends and ensure the firewall service is running
 deactivate_frontends() {
 printf "Disabling firewalld service\n"
- systemctl disable --now firewalld
+ systemctl disable --now firewalld 2>&1
 printf "Disabling ufw service\n"
- systemctl disable --now ufw
+ systemctl disable --now ufw 2>&1
 
 if [ "$FIREWALL" = "iptables" ]; then
 printf "Enabling iptables service\n"
@@ -150,7 +150,20 @@ persist_rules() {
 }
 
 
+hosts_v4() {
+ hostip=$(getent ahostsv4 "$1" | head -n1 | cut -d" " -f1)
+ if [ -n "$hostip" ]; then
+ printf "%s %s\n" "$hostip" "$1"
+ fi
+}
+
 set_rule() {
+ # Split input into variables on ","
+ oIFS="$IFS"
+ IFS=","
+ set $1
+ IFS="$oIFS"
+
 port="$1"
 action="$2"
 direction="$3"
@@ -161,6 +174,24 @@ set_rule() {
 protocol="tcp"
 fi
 
+ # Check if a domain was provided instead of an ip
+ iptype="ip"
+ domain=0
+ case "$other_ip" in
+ *[a-z]*)
+ domain=1
+ #iphost=$(getent hosts "$other_ip" | cut -d" " -f1)
+ iphost=$(hosts_v4 "$other_ip" | cut -d" " -f1)
+ ;;
+ *)
+ iphost="$other_ip"
+ esac
+ case "$iphost" in
+ *:*)
+ iptype="ip6";
+ ;;
+ esac
+
 port_1=""
 port_2=""
 other_match1=""
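Review bot: The `2>&1` added to both `systemctl disable --now` lines only merges stderr into stdout; it neither hides the "Unit ... not found" message on hosts that have no firewalld or ufw unit nor changes the (already ignored) exit status, so the purpose is not obvious from the code. If the aim is to quiet that noise, `2>/dev/null` is the redirect that does it; if the aim is to keep the message in the same stream as the surrounding `printf` lines, a short comment such as `# merge unit-not-found noise into stdout so it lands in the same log` would save the next reader the guess. deactivate_frontends continues past the end of the hunk.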
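Review bot: `set $1` in set_rule should be `set -- $1`: with an empty rule string, `set` without operands prints every shell variable to stdout instead of clearing the positional parameters, and a first field beginning with `-` would be parsed as shell options rather than data. Because only IFS is changed, each comma-separated field is still subject to pathname expansion after the split, so a field containing `*` or `?` would be globbed against the current directory; wrapping the split in `set -f` / `set +f` closes that. hosts_v4 keeps just the first A record (`head -n1`); as far as the later hunks show, the resolved address is only consulted for the address-family check while the rules themselves still carry `$other_ip`, and that intent deserves a header comment on the function so nobody later treats its output as the full address list.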
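Review bot: The `*[a-z]*` arm misclassifies IPv6 literals that contain hex letters (most do, e.g. `2001:db8::1`) as domain names: hosts_v4 is then asked to look up an address string, returns nothing, `iphost` ends up empty, the `*:*` check below never fires and the rule is built for the v4 family — a regression from the `*:*` test the nftables branch applied directly to `$other_ip` before this commit. Testing for a colon first, before the letter heuristic, keeps literals out of the resolver path; the heuristic should also accept upper-case letters, since domain names are case-insensitive. An unresolvable name currently leaves `iphost` empty without any message, which is worth at least a warning on stderr so a rule silently built from a failed lookup is noticed. set_rule continues on both sides of the hunk.
```shell
    case "$other_ip" in
        *:*)
            # IPv6 literal: its hex digits would otherwise match the domain heuristic
            iphost="$other_ip"
            ;;
        *[A-Za-z]*)
            domain=1
            iphost=$(hosts_v4 "$other_ip" | cut -d" " -f1)
            if [ -z "$iphost" ]; then
                printf "Warning: could not resolve %s\n" "$other_ip" >&2
            fi
            ;;
        *)
            iphost="$other_ip"
            ;;
    esac
    # … unchanged: iptype="ip6" detection on "$iphost" …
```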
@@ -195,10 +226,20 @@ set_rule() {
 fi
 fi
 
+ comment=""
+ if [ $domain -eq 1 ]; then
+ comment="-m comment --comment \"$other_ip\""
+ fi
+
+ iptables="iptables"
+ if [ $iptype = "ip6" ]; then
+ iptables="ip6tables"
+ fi
+
 ip_action=$(printf "%s" "$action" | tr "[:lower:]" "[:upper:]")
- iptables -A $direction_1 $port_1 $other_match1 -j $ip_action
+ $iptables -A $direction_1 $port_1 $other_match1 -j $ip_action $comment
 if [ "$ip_action" = "ACCEPT" ]; then
- iptables -A $direction_2 $port_2 --state ESTABLISHED,RELATED $other_match2 -j $ip_action
+ $iptables -A $direction_2 $port_2 --state ESTABLISHED,RELATED $other_match2 -j $ip_action $comment
 fi
 
 elif [ "$FIREWALL" = "nftables" ]; then
@@ -219,12 +260,6 @@ set_rule() {
 fi
 
 if [ -n "$other_ip" ] && [ "$other_ip" != "_" ]; then
- iptype="ip"
- case "$other_ip" in
- *:*)
- iptype="ip6"
- ;;
- esac
 if [ "$direction" = "in" ]; then
 other_match1="$iptype saddr $other_ip"
 other_match2="$iptype daddr $other_ip"
@@ -233,10 +268,16 @@ set_rule() {
 other_match2="$iptype saddr $other_ip"
 fi
 fi
+
+ comment=""
+ if [ $domain -eq 1 ]; then
+ comment="comment \"$other_ip\""
+ fi
+
 action=$(printf "%s" "$action" | tr "[:upper:]" "[:lower:]")
- nft add rule inet filter $direction_1 $port_1 $other_match1 $action
+ nft add rule inet filter $direction_1 $port_1 $other_match1 $action $comment
 if [ "$action" = "accept" ]; then
- nft add rule inet filter $direction_2 $port_2 ct state established,related $other_match2 $action
+ nft add rule inet filter $direction_2 $port_2 ct state established,related $other_match2 $action $comment
 fi
 fi
 }
@@ -245,9 +286,9 @@ allow_ssh() {
 other_ip="$1"
 
 if [ -n "$other_ip" ]; then
- set_rule "22" "accept" "in" "$other_ip"
+ set_rule "22,accept,in,$other_ip"
 else
- set_rule "22" "accept" "in"
+ set_rule "22,accept,in"
 fi
 }
 
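Review bot: Because `$comment` is expanded unquoted on the two `$iptables -A` lines, the backslash-escaped quotes in `comment="-m comment --comment \"$other_ip\""` are not shell quoting but literal characters, so the comment stored in the rule carries the quote marks (a constructed example: `"example.com"` rather than `example.com`); since rule fields come from the whitespace-split `$RULES` loop and cannot contain spaces, `comment="-m comment --comment $other_ip"` is enough for iptables (the nftables branch is a different case, its parser wants the quotes). Reusing `iptables` as a variable name that shadows the command makes `$iptables -A ...` easy to misread; a name such as `ipt_cmd` would be clearer. The `[ $iptype = "ip6" ]` test also deserves quotes around `$iptype`, matching the other tests in this function. set_rule continues on both sides of the hunk.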
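Review bot: The address that hosts_v4 resolved is never used in the nftables match: the `other_match1`/`other_match2` assignments in the context just above still insert `$other_ip`, so whether `nft add rule` accepts a domain rule depends entirely on nft resolving the name itself, and the `comment "$other_ip"` then records a name the rule is not necessarily pinned to. If the intent is to pin the rule to the looked-up address, those assignments should use `$iphost` (e.g. `other_match1="$iptype saddr $iphost"`); if nft is meant to resolve, the hosts_v4 lookup is redundant on this path and a comment should say so. Either way, because hosts_v4 only queries A records, `iptype` can never become `ip6` for a domain, so a name with only AAAA records gets an `ip saddr` (v4) rule that at best fails to load and at worst matches nothing — for a drop rule that means the traffic is not blocked. Resolving with `getent ahosts` and taking the family from the answer would cover both families. set_rule continues above the hunk.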
@@ -255,9 +296,9 @@ allow_dns() {
 other_ip="$1"
 
 if [ -n "$other_ip" ]; then
- set_rule "53" "accept" "out" "$other_ip" "udp"
+ set_rule "53,accept,out,$other_ip,udp"
 else
- set_rule "53" "accept" "out" "_" "udp"
+ set_rule "53,accept,out,_,udp"
 fi
 }
 
@@ -363,7 +404,6 @@ fi
 
 # Set all firewall rules
 for rule in $RULES; do
- rule=$(printf "%s" "$rule" | sed 's/,/ /g')
 # Split into arguments
 set_rule $rule
 done
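Review bot: With the comma split moved into set_rule, the unquoted `set_rule $rule` no longer relies on word-splitting and only exposes the rule to pathname expansion (a `*` or `?` in any field would be globbed against the current directory before set_rule sees it), so the call should be `set_rule "$rule"`. If `# Split into arguments` is a line of its own it now describes the removed sed step and should be dropped or reworded to say that set_rule does the splitting. The loop body is complete within the hunk; `RULES` is defined outside it.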