Add ipt-server role with firewall configuration and management
- Created handlers for reloading systemd and restarting firewall services. - Implemented tasks to ensure the existence of configuration directories and files. - Deployed host-specific and shared configuration files using templates. - Added scripts for managing IPv4 and IPv6 firewalls. - Configured systemd service units for ipt-firewall and ip6t-firewall. - Enabled and started firewall services on system boot.
This commit is contained in:
@@ -0,0 +1,36 @@
|
||||
# - IPv4 addresses listet here will be completly banned by the firewall
|
||||
# -
|
||||
# - - Line beginning with '#' will be ignored.
|
||||
# - - Blank lines will be ignored
|
||||
# - - Only the first entry (until space sign or end of line) of each line will be considered.
|
||||
# -
|
||||
# - Valid values are:
|
||||
# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
|
||||
# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
|
||||
# - network/nn CIDR notation like 1.2.3.0/27
|
||||
# - network/netmask notaions like 1.2.3.0/255.255.255.0
|
||||
# - network/partial_netmask like 1.2.3.4/255
|
||||
# -
|
||||
# - Note:
|
||||
# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
|
||||
# -
|
||||
# - Example:
|
||||
# - 79.171.81.0/24
|
||||
# - 79.171.81.0/255.255.255.0
|
||||
# - 79.171.81.0/255.255.255
|
||||
# - 79.171.81
|
||||
|
||||
# CHINANET-JS
|
||||
222.184.0.0/13
|
||||
61.160.0.0/16
|
||||
|
||||
# CHINANET-GX
|
||||
116.8.0.0/14
|
||||
|
||||
# BAIDU-HK - Hong Kong
|
||||
103.235.44.0/22
|
||||
# UNICOM-HE - China Unicom Hebei province network
|
||||
110.240.0.0/12
|
||||
# CMNET - China Mobile Communications Corporation
|
||||
39.128.0.0/10
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
# - IPv6 addresses listet here will be completly banned by the firewall
|
||||
# -
|
||||
# - - Line beginning with '#' will be ignored.
|
||||
# - - Blank lines will be ignored
|
||||
# - - Only the first entry (until space sign or end of line) of each line will be considered.
|
||||
# -
|
||||
# - Valid values are:
|
||||
# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
|
||||
# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
|
||||
# -
|
||||
# -
|
||||
# - Note:
|
||||
# - - If no mask is given mask will be set to '64'
|
||||
# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
|
||||
# -
|
||||
# - Example:
|
||||
# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
|
||||
# - 2a01:30:0:13:5054:ff::1
|
||||
# - 2a01:30:0:13:5054:ff::1/56
|
||||
|
||||
@@ -0,0 +1,157 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# -------------
|
||||
# --- Default Parameter / Options
|
||||
# -------------
|
||||
|
||||
default_per_IP_connection_limit=111
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Default Ports for Services out
|
||||
# -------------
|
||||
|
||||
standard_checkmk_port=6556
|
||||
standard_cpan_wait_port=1404
|
||||
standard_dns_port=53
|
||||
standard_ftp_port=21
|
||||
standard_ftp_data_port=20
|
||||
standard_git_port=9418
|
||||
standard_hbci_port=3000
|
||||
standard_http_port=80
|
||||
standard_https_port=443
|
||||
standard_ident_port=113
|
||||
standard_ipp_port=631
|
||||
standard_cups_port=$standard_ipp_port
|
||||
standard_irc_port=6667
|
||||
standard_jabber_port=5222
|
||||
standard_ldap_port=389
|
||||
standard_ldaps_port=636
|
||||
standard_mdns_port=5353
|
||||
standard_mndp_port=5678
|
||||
standard_mumble_port=64738
|
||||
standard_munin_port=4949
|
||||
standard_mysql_port=3306
|
||||
standard_ntp_port=123
|
||||
standard_pgp_keyserver_port=11371
|
||||
standard_print_port=9100
|
||||
standard_print_raw_port=515
|
||||
standard_remote_console_port=5900
|
||||
standard_silc_port=706
|
||||
standard_smtp_port=25
|
||||
standard_snmp_port=161
|
||||
standard_snmp_trap_port=162
|
||||
standard_ssh_port=22
|
||||
standard_telnet_port=23
|
||||
standard_tftp_udp_port=69
|
||||
standard_timeserver_port=37
|
||||
standard_vpn_port=1194
|
||||
standard_wireguard_port=51820
|
||||
standard_whois_port=43
|
||||
standard_xymon_port=1984
|
||||
|
||||
# - Prometheus services
|
||||
# -
|
||||
standard_prometheus_ports="9100,9256"
|
||||
|
||||
# - Mattermost (MM) Service
|
||||
# -
|
||||
stansard_mattermost_udp_ports_in="8443"
|
||||
stansard_mattermost_udp_ports_out="3478"
|
||||
|
||||
# - IPsec - Internet Security Association and
|
||||
# - Key Management Protocol
|
||||
standard_isakmp_port=500
|
||||
standard_ipsec_nat_t=4500
|
||||
|
||||
|
||||
# - Comma separated lists
|
||||
# -
|
||||
standard_http_ports="80,443"
|
||||
standard_mailuser_ports="587,465,110,995,143,993"
|
||||
|
||||
# - Dovecot Service
|
||||
# -
|
||||
dovecot_external_auth_port="44444"
|
||||
|
||||
# - Jitsi Video Conference Service
|
||||
# -
|
||||
standard_jitsi_tcp_ports="$standard_http_ports"
|
||||
standard_jitsi_udp_port_range="10000:20000"
|
||||
default_jitsi_dovecout_auth_port="$dovecot_external_auth_port"
|
||||
|
||||
# - Jibri Service
|
||||
# -
|
||||
default_jibri_out_port=5222
|
||||
# default_outbound_streaming_tcp_ports
|
||||
#
|
||||
# - outbound port 1935/TCP : outbound streaming over RTMP to most
|
||||
# streaming providers such as YouTube Live, Vimeo or Twitch
|
||||
#
|
||||
# - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn
|
||||
# Live (port 1935 is also used for RTMP streaming to LinkedIn)
|
||||
#
|
||||
# - outbound ports 2935/TCP and 2396/TCP : outbound streaming over
|
||||
# RTMPS to LinkedIn Live
|
||||
#
|
||||
# - outbound port 443/TCP (HTTPS) : used for authentication with the
|
||||
# built-in providers such as YouTube Live, Facebook Live, Ustream,
|
||||
# Livestream, and Twitch
|
||||
#
|
||||
# - outbound port 53/UDP (DNS) used for DNS lookups converting
|
||||
# hostnames to IP addresses
|
||||
#
|
||||
default_outbound_streaming_tcp_ports="1935,1936,2935,2396"
|
||||
|
||||
|
||||
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
|
||||
# -
|
||||
standard_turn_service_ports="3478:3479,5349:5350"
|
||||
standard_turn_service_udp_ports="49152:65535"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Predefined Ports
|
||||
# -------------
|
||||
|
||||
# - unpriviligierte Ports
|
||||
# -
|
||||
unprivports="1024:65535"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Some IPv4-Address Configuration
|
||||
# -------------
|
||||
|
||||
# - Loopback
|
||||
loopback_ipv4="127.0.0.0/8"
|
||||
|
||||
# - Private Networks
|
||||
priv_class_a="10.0.0.0/8"
|
||||
priv_class_b="172.16.0.0/12"
|
||||
priv_class_c="192.168.0.0/16"
|
||||
|
||||
link_local_rfc_5735="169.254.0.0/16"
|
||||
|
||||
test_net_1_rfc_5735="192.0.2.0/24"
|
||||
this_net_rfc_5735="0.0.0.0/8"
|
||||
|
||||
# - Multicast Addresse
|
||||
class_d_multicast="224.0.0.0/3"
|
||||
|
||||
# Reserved Addresse
|
||||
class_e_reserved="240.0.0.0/5"
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Some IPv6-Address Configuration
|
||||
# -------------
|
||||
|
||||
# unique local address (ULA) - private address block
|
||||
ula_block="fc00::/7"
|
||||
link_local_unicast_block="fe80::/10"
|
||||
multicast_ipv6="ff00::/8"
|
||||
|
||||
# - Loopback
|
||||
loopback_ipv6="::1/128"
|
||||
|
||||
@@ -0,0 +1,268 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# - Set firewall command (either iptables or ip6tables)
|
||||
#
|
||||
if [[ -x "${ip6t}" ]] ; then
|
||||
fw_command="${ip6t}"
|
||||
elif [[ -x "${ipt}" ]] ; then
|
||||
fw_command="${ipt}"
|
||||
fi
|
||||
|
||||
# -------------
|
||||
# --- Some functions
|
||||
# -------------
|
||||
|
||||
echononl(){
|
||||
echo X\\c > /tmp/shprompt$$
|
||||
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
|
||||
echo -e -n "$*\\c" 1>&2
|
||||
else
|
||||
echo -e -n "$*" 1>&2
|
||||
fi
|
||||
rm /tmp/shprompt$$
|
||||
}
|
||||
echo_done() {
|
||||
echo -e "\033[75G[ \033[32mdone\033[m ]"
|
||||
}
|
||||
echo_ok() {
|
||||
echo -e "\033[75G[ \033[32mok\033[m ]"
|
||||
}
|
||||
echo_warning() {
|
||||
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
|
||||
}
|
||||
echo_failed(){
|
||||
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
|
||||
}
|
||||
echo_skipped() {
|
||||
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
|
||||
}
|
||||
|
||||
|
||||
fatal (){
|
||||
echo ""
|
||||
echo -e "fatal Error: $*"
|
||||
echo ""
|
||||
echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
|
||||
echo ""
|
||||
exit 1
|
||||
}
|
||||
|
||||
error(){
|
||||
echo ""
|
||||
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
|
||||
echo ""
|
||||
}
|
||||
|
||||
warn (){
|
||||
echo ""
|
||||
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
|
||||
echo ""
|
||||
}
|
||||
|
||||
info (){
|
||||
echo ""
|
||||
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
|
||||
echo ""
|
||||
}
|
||||
|
||||
## - Check if a given array (parameter 2) contains a given string (parameter 1)
|
||||
## -
|
||||
containsElement () {
|
||||
local e
|
||||
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
|
||||
return 1
|
||||
}
|
||||
|
||||
is_number() {
|
||||
|
||||
return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
|
||||
|
||||
# - also possible
|
||||
# -
|
||||
#[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
|
||||
#return $([[ ! -z "${1##*[!0-9]*}" ]])
|
||||
}
|
||||
|
||||
trim() {
|
||||
local var="$*"
|
||||
var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
|
||||
var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
|
||||
echo -n "$var"
|
||||
}
|
||||
|
||||
|
||||
is_container() {
|
||||
command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
# -------------
|
||||
# - IPv6 handling
|
||||
# -------------
|
||||
|
||||
ENABLE_IPV6="auto" # auto | yes | no
|
||||
IPV6_ACTIVE=0
|
||||
|
||||
ipv6_sysctl_enabled() {
|
||||
sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
|
||||
}
|
||||
|
||||
has_ipv6_addr() {
|
||||
ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
|
||||
}
|
||||
|
||||
detect_ipv6() {
|
||||
case "$ENABLE_IPV6" in
|
||||
yes) return 0 ;;
|
||||
no) return 1 ;;
|
||||
auto) ipv6_sysctl_enabled ;;
|
||||
*) return 1 ;;
|
||||
esac
|
||||
}
|
||||
|
||||
|
||||
# -------------
|
||||
# - Network Device Stuff
|
||||
# -------------
|
||||
|
||||
# get virtual ethernet interfaces and the master of the given bridge
|
||||
#
|
||||
get_vth_ports() {
|
||||
local br="$1"
|
||||
# lists virtual interfaces (veth*)) and the master interface of the given bridge
|
||||
ip -o link show master "$br" 2>/dev/null | awk -F': ' '{print $2}'
|
||||
}
|
||||
|
||||
# -------------
|
||||
# - Fail2ban
|
||||
# -------------
|
||||
|
||||
FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
|
||||
FAIL2BAN_WAS_RUNNING=false
|
||||
fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
|
||||
has_fail2ban() {
|
||||
command -v fail2ban-client >/dev/null 2>&1
|
||||
}
|
||||
|
||||
fail2ban_running() {
|
||||
systemctl is-active --quiet fail2ban >/dev/null 2>&1
|
||||
}
|
||||
|
||||
# -------------
|
||||
# - Debian 12/13 compatibility helpers (best effort)
|
||||
# -------------
|
||||
ensure_mod() {
|
||||
|
||||
# ---
|
||||
# Load a kernel module if possible (no hard failure).
|
||||
# NOTE: In containers module loading is not possible; modules must be loaded on the host.
|
||||
# ---
|
||||
|
||||
local m="$1"
|
||||
|
||||
# Already loaded?
|
||||
if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
# Skip in containers/guests without module loading capability
|
||||
#
|
||||
is_container && return 0
|
||||
|
||||
# Best effort modprobe
|
||||
/sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
|
||||
}
|
||||
|
||||
# --- Feature detection helpers (Debian 12/13 + containers)
|
||||
module_loaded() {
|
||||
lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
|
||||
}
|
||||
|
||||
can_use_recent() {
|
||||
# xt_recent is the kernel module behind "-m recent"
|
||||
# In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
|
||||
module_loaded xt_recent && return 0
|
||||
[ -d /proc/net/xt_recent ] && return 0
|
||||
# As a last resort, ask iptables to parse the match (works if userspace has it)
|
||||
"$ipt" -m recent -h >/dev/null 2>&1 && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
can_use_hashlimit() {
|
||||
# xt_hashlimit is the kernel module behind "-m hashlimit"
|
||||
module_loaded xt_hashlimit && return 0
|
||||
[ -d /proc/net/xt_hashlimit ] && return 0
|
||||
"${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
can_use_connlimit() {
|
||||
# xt_connlimit is the kernel module behind "-m connlimit"
|
||||
module_loaded xt_connlimit && return 0
|
||||
"${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
can_use_owner() {
|
||||
# xt_owner is the kernel module behind "-m owner"
|
||||
module_loaded xt_owner && return 0
|
||||
"${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
can_use_ct_target() {
|
||||
# Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
|
||||
"${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
can_use_helper_match() {
|
||||
# Check if helper match exists
|
||||
"${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
can_use_nft() {
|
||||
command -v nft >/dev/null 2>&1 && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
setup_ftp_conntrack_helper_output() {
|
||||
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
|
||||
if can_use_ct_target ; then
|
||||
"${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
|
||||
return 0
|
||||
fi
|
||||
|
||||
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
|
||||
if can_use_nft ; then
|
||||
# Best-effort; may fail in containers without CAP_NET_ADMIN
|
||||
nft add table ip fwhelper >/dev/null 2>&1 || true
|
||||
nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
|
||||
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
|
||||
nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
|
||||
fi
|
||||
|
||||
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
|
||||
return 1
|
||||
}
|
||||
|
||||
setup_ftp_conntrack_helper_prerouting() {
|
||||
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
|
||||
if can_use_ct_target ; then
|
||||
"$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
|
||||
return 0
|
||||
fi
|
||||
|
||||
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
|
||||
if can_use_nft ; then
|
||||
nft add table ip fwhelper >/dev/null 2>&1 || true
|
||||
nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
|
||||
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
|
||||
nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
|
||||
fi
|
||||
|
||||
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
|
||||
return 1
|
||||
}
|
||||
|
||||
@@ -0,0 +1,62 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Logging
|
||||
# -------------
|
||||
|
||||
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
|
||||
tag_log_prefix="--nflog-prefix"
|
||||
LOG_TARGET="NFLOG --nflog-group 11"
|
||||
else
|
||||
# - Log using the specified syslog level. 7 (debug) is a good choice
|
||||
# - unless you specifically need something else.
|
||||
# -
|
||||
log_level=debug
|
||||
LOG_TARGET="LOG --log-level $log_level"
|
||||
tag_log_prefix="--log-prefix"
|
||||
fi
|
||||
|
||||
log_all=false
|
||||
|
||||
log_syn_flood=false
|
||||
log_port_scanning=false
|
||||
log_ssh_brute_force=false
|
||||
log_fragments=false
|
||||
log_mdns=false
|
||||
log_mndp=false
|
||||
log_new_not_sync=false
|
||||
log_syn_with_suspicious_mss=false
|
||||
log_invalid_packets=false
|
||||
log_invalid_state=false
|
||||
log_invalid_flags=false
|
||||
log_spoofed=false
|
||||
log_spoofed_out=false
|
||||
log_private_network_out=false
|
||||
log_to_lo=false
|
||||
log_not_wanted=false
|
||||
log_blocked=false
|
||||
log_unprotected=false
|
||||
log_forwarding_priv_ip=false
|
||||
log_prohibited=false
|
||||
log_voip=false
|
||||
log_rejected=true
|
||||
|
||||
log_blocked_ip=false
|
||||
|
||||
log_ssh=false
|
||||
|
||||
# - logging messages
|
||||
# -
|
||||
log_prefix="[ IPv4 ]"
|
||||
|
||||
|
||||
# ---
|
||||
# - Log all traffic for givven ip address
|
||||
# ---
|
||||
|
||||
# - You can also give hostname(s)
|
||||
# -
|
||||
# - Blank seoarated list of ips/hostnames
|
||||
# -
|
||||
log_ips=""
|
||||
@@ -0,0 +1,63 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Logging
|
||||
# -------------
|
||||
|
||||
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
|
||||
tag_log_prefix="--nflog-prefix"
|
||||
LOG_TARGET="NFLOG --nflog-group 12"
|
||||
else
|
||||
# - Log using the specified syslog level. 7 (debug) is a good choice
|
||||
# - unless you specifically need something else.
|
||||
# -
|
||||
log_level=debug
|
||||
LOG_TARGET="LOG --log-level $log_level"
|
||||
tag_log_prefix="--log-prefix"
|
||||
fi
|
||||
|
||||
log_all=false
|
||||
|
||||
log_syn_flood=false
|
||||
log_port_scanning=false
|
||||
log_ssh_brute_force=false
|
||||
log_fragments=false
|
||||
log_mdns=false
|
||||
log_mndp=false
|
||||
log_new_not_sync=false
|
||||
log_syn_with_suspicious_mss=false
|
||||
log_invalid_packets=false
|
||||
log_invalid_state=false
|
||||
log_invalid_flags=false
|
||||
log_spoofed=false
|
||||
log_spoofed_out=false
|
||||
log_private_network_out=false
|
||||
log_to_lo=false
|
||||
log_not_wanted=false
|
||||
log_blocked=false
|
||||
log_unprotected=false
|
||||
log_forwarding_priv_ip=false
|
||||
log_prohibited=false
|
||||
log_voip=false
|
||||
log_rejected=true
|
||||
|
||||
log_blocked_ip=false
|
||||
|
||||
log_ssh=false
|
||||
|
||||
# - logging messages
|
||||
# -
|
||||
log_prefix="[ IPv6 ]"
|
||||
|
||||
|
||||
# ---
|
||||
# - Log all traffic for givven ip address
|
||||
# ---
|
||||
|
||||
# - You can also give hostname(s)
|
||||
# -
|
||||
# - Blank seoarated list of ips/hostnames
|
||||
# -
|
||||
log_ips=""
|
||||
|
||||
@@ -0,0 +1,621 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
|
||||
# -----------
|
||||
# --- Define Arrays
|
||||
# -----------
|
||||
|
||||
# ---
|
||||
# NAT (Masquerade) Network interfaces
|
||||
# ---
|
||||
|
||||
declare -a nat_device_arr=()
|
||||
for _dev in $nat_devices ; do
|
||||
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
|
||||
nat_device_arr+=("$_dev")
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# IP Addresses LX Guest System
|
||||
# ---
|
||||
|
||||
declare -a lxc_guest_ip_arr=()
|
||||
for _ip in $lxc_guest_ips ; do
|
||||
lxc_guest_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# local Interfaces
|
||||
# ---
|
||||
|
||||
declare -a local_ip_arr=()
|
||||
for _ip in $local_ips ; do
|
||||
local_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - IP Addresses to log
|
||||
# ---
|
||||
declare -a log_ip_arr
|
||||
for _ip in $log_ips ; do
|
||||
log_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - LOG CGI script Traffic out
|
||||
# ---
|
||||
declare -a cgi_script_user_arr=()
|
||||
for _user in $cgi_script_users ; do
|
||||
cgi_script_user_arr+=($_user)
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - IP-Addresses (Host, Guests (VServer, LX_Container)
|
||||
# ---
|
||||
declare -a ext_ip_arr
|
||||
for _ip in $ext_ips ; do
|
||||
host_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Extern Interfaces
|
||||
# ---
|
||||
declare -a ext_if_arr
|
||||
for _dev in $ext_ifs ; do
|
||||
ext_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - VPN Interfaces
|
||||
# ---
|
||||
declare -a vpn_if_arr
|
||||
for _dev in $vpn_ifs ; do
|
||||
vpn_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - WireGuard Interfaces
|
||||
# ---
|
||||
declare -a wg_if_arr
|
||||
for _dev in $wg_ifs ; do
|
||||
wg_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Local Network Interfaces
|
||||
# ---
|
||||
declare -a local_if_arr
|
||||
for _dev in $local_ifs ; do
|
||||
local_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Network Interfaces completly blocked
|
||||
# ---
|
||||
declare -a blocked_if_arr
|
||||
for _dev in $blocked_ifs ; do
|
||||
blocked_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Network Interfaces not firewalled
|
||||
# ---
|
||||
declare -a unprotected_if_arr
|
||||
for _dev in $unprotected_ifs ; do
|
||||
unprotected_if_arr+=("$_dev")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Restrict local Servive to given IP-Address/Network
|
||||
# ---
|
||||
declare -a restrict_local_service_to_net_arr
|
||||
for _val in $restrict_local_service_to_net ; do
|
||||
restrict_local_service_to_net_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Restrict local Network to given IP-Address/Network
|
||||
# ---
|
||||
declare -a restrict_local_net_to_net_arr
|
||||
for _val in $restrict_local_net_to_net ; do
|
||||
restrict_local_net_to_net_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Allow extern Service
|
||||
# ---
|
||||
declare -a allow_ext_service_arr
|
||||
for _val in $allow_ext_service ; do
|
||||
allow_ext_service_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Allow extern IP-Address/Network
|
||||
# ---
|
||||
declare -a allow_ext_net_arr
|
||||
for _net in $allow_ext_net ; do
|
||||
allow_ext_net_arr+=("$_net")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Allow (non-standard) local Services
|
||||
# ---
|
||||
declare -a allow_local_service_arr
|
||||
for _val in $allow_local_service ; do
|
||||
allow_local_service_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Allow (non-standard) local Services from specified network
|
||||
# ---
|
||||
declare -a allow_local_service_from_network_arr
|
||||
for _service in $allow_local_service_from_networks ; do
|
||||
allow_local_service_from_network_arr+=("$_service")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Generally block ports
|
||||
# ---
|
||||
declare -a block_tcp_port_arr
|
||||
for _port in $block_tcp_ports ; do
|
||||
block_tcp_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
declare -a block_udp_port_arr
|
||||
for _port in $block_udp_ports ; do
|
||||
block_udp_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Private IPs / IP-Ranges allowed to forward
|
||||
# ---
|
||||
declare -a forward_private_ip_arr
|
||||
for _ip in $forward_private_ips ; do
|
||||
forward_private_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Network Interfaces DHCP Service
|
||||
# ---
|
||||
declare -a dhcp_server_if_arr
|
||||
for _dev in $dhcp_server_ifs ; do
|
||||
dhcp_server_if_arr+=($_dev)
|
||||
done
|
||||
declare -a dhcp_client_if_arr
|
||||
for _dev in $dhcp_client_ifs ; do
|
||||
dhcp_client_if_arr+=($_dev)
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses DNS Server
|
||||
# ---
|
||||
# - local
|
||||
declare -a dns_server_ip_arr
|
||||
for _ip in $dns_server_ips ; do
|
||||
dns_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_dns_server_ip_arr
|
||||
for _ip in $forward_dns_server_ips ; do
|
||||
forward_dns_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Netwoks allowed access to local DNS Resolver
|
||||
# ---
|
||||
declare -a resolver_allowed_network_arr
|
||||
for _net in $resolver_allowed_networks ; do
|
||||
resolver_allowed_network_arr+=("$_net")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses VPN Server
|
||||
# ---
|
||||
# local
|
||||
declare -a vpn_server_ip_arr
|
||||
for _ip in $vpn_server_ips ; do
|
||||
vpn_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_vpn_server_ip_arr
|
||||
for _ip in $forward_vpn_server_ips ; do
|
||||
forward_vpn_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses WireGuard Service
|
||||
# ---
|
||||
# local
|
||||
declare -a wireguard_server_ip_arr
|
||||
for _ip in $wireguard_server_ips ; do
|
||||
wireguard_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_wireguard_server_ip_arr
|
||||
for _ip in $forward_wireguard_server_ips ; do
|
||||
forward_wireguard_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses SSH Server
|
||||
# ---
|
||||
# local
|
||||
declare -a ssh_server_ip_arr
|
||||
for _ip in $ssh_server_ips ; do
|
||||
ssh_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_ssh_server_ip_arr
|
||||
for _ip in $forward_ssh_server_ips ; do
|
||||
forward_ssh_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses HTTP Server
|
||||
# ---
|
||||
# local
|
||||
declare -a http_server_ip_arr
|
||||
for _ip in $http_server_ips ; do
|
||||
http_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_http_server_ip_arr
|
||||
for _ip in $forward_http_server_ips ; do
|
||||
forward_http_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses MatterMost Service
|
||||
# ---
|
||||
# local
|
||||
declare -a mm_server_ip_arr
|
||||
for _ip in $mm_server_ips ; do
|
||||
mm_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_mm_server_ip_arr
|
||||
for _ip in $forward_mm_server_ips ; do
|
||||
forward_mm_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses FTP Server
|
||||
# ---
|
||||
# local
|
||||
declare -a ftp_server_ip_arr
|
||||
for _ip in $ftp_server_ips ; do
|
||||
ftp_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_ftp_server_ip_arr
|
||||
for _ip in $forward_ftp_server_ips ; do
|
||||
forward_ftp_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Mail SMTP Server
|
||||
# ---
|
||||
# local
|
||||
declare -a smtpd_ips_arr
|
||||
for _ip in $smtpd_ips ; do
|
||||
smtpd_ips_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_smtpd_ip_arr
|
||||
for _ip in $forward_smtpd_ips ; do
|
||||
forward_smtpd_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# Additional SMTP Listen Ports
|
||||
# ---
|
||||
declare -a smtpd_additional_listen_port_arr
|
||||
for _port in $smtpd_additional_listen_ports ; do
|
||||
smtpd_additional_listen_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# Additional SMTP Outgoing Ports
|
||||
# ---
|
||||
declare -a smtpd_additional_outgoung_port_arr
|
||||
for _port in $smtpd_additional_outgoung_ports ; do
|
||||
smtpd_additional_outgoung_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
|
||||
|
||||
# ---
|
||||
# - IP Addresses XMPP Service (Jabber - Prosody)
|
||||
# ---
|
||||
declare -a xmpp_server_ip_arr
|
||||
for _ip in $xmpp_server_ips ; do
|
||||
xmpp_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
declare -a forward_xmpp_server_ip_arr
|
||||
for _ip in $forward_xmpp_server_ips ; do
|
||||
forward_xmpp_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - XMPP Remote Dovecote Out Service
|
||||
# ---
|
||||
declare -a xmmp_remote_out_service_arr
|
||||
for _val in $xmmp_remote_out_services ; do
|
||||
xmmp_remote_out_service_arr+=("$_val")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Mail Services (smtps/pop(s)/imap(s)
|
||||
# ---
|
||||
# local
|
||||
declare -a mail_server_ips_arr
|
||||
for _ip in $mail_server_ips ; do
|
||||
mail_server_ips_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_mail_server_ip_arr
|
||||
for _ip in $forward_mail_server_ips ; do
|
||||
forward_mail_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Mail client (smtps/pop(s)/imap(s)
|
||||
# ---
|
||||
# local
|
||||
declare -a mail_client_ips_arr
|
||||
for _ip in $mail_client_ips ; do
|
||||
mail_client_ips_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_mail_client_ip_arr
|
||||
for _ip in $forward_mail_client_ips ; do
|
||||
forward_mail_client_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - (local) Dovecot auth service
|
||||
# ---
|
||||
declare -a dovecot_auth_allowed_network_arr
|
||||
for _ip in $dovecot_auth_allowed_networks ; do
|
||||
dovecot_auth_allowed_network_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses Mumble Server
|
||||
# ---
|
||||
# local
|
||||
declare -a mumble_server_ip_arr
|
||||
for _ip in $mumble_server_ips ; do
|
||||
mumble_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_mumble_server_ip_arr
|
||||
for _ip in $forward_mumble_server_ips ; do
|
||||
forward_mumble_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses Jitsi Video Conferencing Server
|
||||
# ---
|
||||
declare -a jitsi_server_ip_arr
|
||||
for _ip in $jitsi_server_ips ; do
|
||||
jitsi_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_jitsi_server_ip_arr
|
||||
for _ip in $forward_jitsi_server_ips ; do
|
||||
forward_jitsi_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses Remote Jibri Server
|
||||
# ---
|
||||
declare -a jitsi_jibri_remote_ip_arr
|
||||
for _ip in $jitsi_jibri_remote_ips ; do
|
||||
jitsi_jibri_remote_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses Jibri Recording / Streaming Server
|
||||
# ---
|
||||
declare -a jibri_server_ip_arr
|
||||
for _ip in $jibri_server_ips ; do
|
||||
jibri_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_jibri_server_ip_arr
|
||||
for _ip in $forward_jibri_server_ips ; do
|
||||
forward_jibri_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
|
||||
# ---
|
||||
# local
|
||||
declare -a nc_turn_server_ip_arr
|
||||
for _ip in $nc_turn_server_ips ; do
|
||||
nc_turn_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_nc_turn_server_ip_arr
|
||||
for _ip in $forward_nc_turn_server_ips ; do
|
||||
forward_nc_turn_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses Telephone Systems
|
||||
# ---
|
||||
declare -a tel_sys_ip_arr
|
||||
for _ip in $tel_sys_ips ; do
|
||||
tel_sys_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Prometheus Monitoring - local Server
|
||||
# ---
|
||||
declare -a prometheus_local_server_ip_arr
|
||||
for _ip in $prometheus_local_server_ips ; do
|
||||
prometheus_local_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Prometheus Monitoring - local Client
|
||||
# ---
|
||||
declare -a prometheus_local_client_ip_arr
|
||||
for _ip in $prometheus_local_client_ips; do
|
||||
prometheus_local_client_ip_arr+=("$_ip")
|
||||
done
|
||||
declare -a prometheus_remote_server_ip_arr
|
||||
for _ip in $prometheus_remote_server_ips ; do
|
||||
prometheus_remote_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - IP Addresses Munin
|
||||
# ---
|
||||
# local
|
||||
declare -a munin_server_ip_arr
|
||||
for _ip in $munin_server_ips ; do
|
||||
munin_server_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_munin_server_ip_arr
|
||||
for _ip in $forward_munin_server_ips ; do
|
||||
forward_munin_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses XyMon
|
||||
# ---
|
||||
declare -a xymon_server_ip_arr
|
||||
for _ip in $xymon_server_ips ; do
|
||||
xymon_server_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - IP Addresses Rsync Out
|
||||
# ---
|
||||
# local
|
||||
declare -a rsync_out_ip_arr
|
||||
for _ip in $rsync_out_ips ; do
|
||||
rsync_out_ip_arr+=("$_ip")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_rsync_out_ip_arr
|
||||
for _ip in $forward_rsync_out_ips ; do
|
||||
forward_rsync_out_ip_arr+=("$_ip")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - SSH Ports
|
||||
# ---
|
||||
declare -a ssh_port_arr
|
||||
for _port in $ssh_ports ; do
|
||||
ssh_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - XMPP Service (Jabber - Prosody)
|
||||
# ---
|
||||
declare -a xmmp_tcp_in_port_arr
|
||||
for _port in $xmmp_tcp_in_ports ; do
|
||||
xmmp_tcp_in_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
declare -a xmmp_tcp_out_port_arr
|
||||
for _port in $xmmp_tcp_out_ports ; do
|
||||
xmmp_tcp_out_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - VPN Ports
|
||||
# ---
|
||||
# local
|
||||
declare -a vpn_port_arr
|
||||
for _port in $vpn_ports ; do
|
||||
vpn_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Wireguard Ports (local Service)
|
||||
# ---
|
||||
# local
|
||||
declare -a wireguard_server_port_arr
|
||||
for _port in $wireguard_server_ports ; do
|
||||
wireguard_server_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Wireguard out Ports
|
||||
# ---
|
||||
# local
|
||||
declare -a wireguard_out_port_port_arr
|
||||
for _port in $wireguard_out_ports ; do
|
||||
wireguard_out_port_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - Rsync Out Ports
|
||||
# --
|
||||
declare -a rsync_port_arr
|
||||
for _port in $rsync_ports ; do
|
||||
rsync_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - Special TCP Ports OUT
|
||||
# ---
|
||||
# local
|
||||
declare -a tcp_out_port_arr
|
||||
for _port in $tcp_out_ports ; do
|
||||
tcp_out_port_arr+=("$_port")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_tcp_out_port_arr
|
||||
for _port in $forward_tcp_out_ports ; do
|
||||
forward_tcp_out_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Special UDP Ports OUT
|
||||
# ---
|
||||
# local
|
||||
declare -a udp_out_port_arr
|
||||
for _port in $udp_out_ports ; do
|
||||
udp_out_port_arr+=("$_port")
|
||||
done
|
||||
# DMZ
|
||||
declare -a forward_udp_out_port_arr
|
||||
for _port in $forward_udp_out_ports ; do
|
||||
forward_udp_out_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
|
||||
# ---
|
||||
# - Portforwrds TCP
|
||||
# ---
|
||||
declare -a portforward_tcp_arr
|
||||
for _str in $portforward_tcp ; do
|
||||
portforward_tcp_arr+=("$_str")
|
||||
done
|
||||
|
||||
# ---
|
||||
# - Portforwrds UDP
|
||||
# ---
|
||||
declare -a portforward_udp_arr
|
||||
for _str in $portforward_udp ; do
|
||||
portforward_udp_arr+=("$_str")
|
||||
done
|
||||
|
||||
@@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=IPv6 Firewall with ip6tables
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/local/sbin/ip6t-firewall-server start
|
||||
ExecStop=/usr/local/sbin/ip6t-firewall-server stop
|
||||
User=root
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=IPv4 Firewall with iptables
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/local/sbin/ipt-firewall-server start
|
||||
ExecStop=/usr/local/sbin/ipt-firewall-server stop
|
||||
User=root
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
+2952
File diff suppressed because it is too large
Load Diff
+3178
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user