From 19bf795a991afe489dc27257562c611858200173 Mon Sep 17 00:00:00 2001 From: Christoph Date: Fri, 18 Mar 2022 18:19:43 +0100 Subject: [PATCH] Add rules for blocking UDP / TCP Ports exern out. --- conf/main_ipv4.conf.sample | 23 +++++++++++++++ conf/main_ipv6.conf.sample | 23 +++++++++++++++ conf/post_decalrations.conf | 29 +++++++++++++++++++ ip6t-firewall-gateway | 55 ++++++++++++++++++++++++++++++++++++ ipt-firewall-gateway | 56 +++++++++++++++++++++++++++++++++++++ 5 files changed, 186 insertions(+) diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index d5c9497..2138da4 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -37,6 +37,29 @@ block_upnp_traffic_out=true +# ============= +# --- Block UDP Ports out +# ============= + +# - UDP Ports to block (only extern out) +# - +# - Comma separated list of udp ports +# - +block_udp_extern_out_ports="" + + +# ============= +# --- Block TCP Ports out +# ============= + +# - TCP Ports to block (only extern out) +# - +# - Comma separated list of tcp ports +# - +block_tcp_extern_out_ports="" + + + # ============= # --- Interfaces not firewalled # ============= diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index f80887c..e576f53 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -37,6 +37,29 @@ block_upnp_traffic_out=true +# ============= +# --- Block UDP Ports out +# ============= + +# - UDP Ports to block (only extern out) +# - +# - Comma separated list of udp ports +# - +block_udp_extern_out_ports="" + + +# ============= +# --- Block TCP Ports out +# ============= + +# - TCP Ports to block (only extern out) +# - +# - Comma separated list of tcp ports +# - +block_tcp_extern_out_ports="" + + + # ============= # --- Interfaces not firewalled # ============= diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 210478c..be23fe6 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf 
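Review bot: The comments on the new `block_udp_extern_out_ports` / `block_tcp_extern_out_ports` settings in conf/main_ipv4.conf.sample (and the identical hunk in conf/main_ipv6.conf.sample) say "Comma separated list" but never state what an element may look like or that the empty default disables the feature. Since each element is passed verbatim to `--dport` by the gateway scripts, say so in the sample: `# - Each entry is a numeric port or a first:last range as accepted by --dport; leave empty to disable.` Whether whitespace around the commas is tolerated is also unclear from the text, and the split in conf/post_decalrations.conf is on commas only, so documenting "no spaces" avoids the question.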
@@ -61,6 +61,35 @@ for _dev in $nat_devices ; do fi done +# ============= +# --- Block UDP Ports out +# ============= + +declare -a block_udp_extern_out_port_arr=() +CUR_IFS="$IFS" +IFS=',' ; for _port in $block_udp_extern_out_ports ; do + + block_udp_extern_out_port_arr+=("${_port}") + +done +IFS="$CUR_IFS" + + +# ============= +# --- Block TCP Ports out +# ============= + +declare -a block_tcp_extern_out_port_arr=() +CUR_IFS="$IFS" +IFS=',' ; for _port in $block_tcp_extern_out_ports ; do + + block_tcp_extern_out_port_arr+=("${_port}") + +done +IFS="$CUR_IFS" + + + # --- # - VPN Interfaces # --- diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 50990a3..fea2869 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -396,6 +396,61 @@ else fi +# --- +# - Block UDP Ports out +# --- + +echononl "\tBlock UDP Ports extern out.." + +if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then + + for _port in ${block_udp_extern_out_port_arr[@]} ; do + + for _dev in ${ext_if_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -j DROP + + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -j DROP + fi + + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Block TCP Ports out +# --- + +echononl "\tBlock TCP Ports extern out.." + +if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then + + for _port in ${block_tcp_extern_out_port_arr[@]} ; do + + for _dev in ${ext_if_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -j DROP + + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -j DROP + fi + + done + + done + echo_done +else + echo_skipped +fi + + + # --- # - Allow Forwarding certain private Addresses # --- diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index f343110..5111ccb 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
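Review bot: Nothing validates the elements stored in `block_udp_extern_out_port_arr` / `block_tcp_extern_out_port_arr`, so a typo in the config (a service name, a stray character, an empty field between two commas) is only discovered when the gateway script hands it to `--dport` at rule-load time, which may leave the chain half-built. Validate while splitting, e.g. `[[ "$_port" =~ ^[0-9]+(:[0-9]+)?$ ]] || { printf 'ignoring invalid port "%s"\n' "$_port" >&2 ; continue ; }`. The global IFS save/restore is avoidable: `IFS=',' read -r -a block_udp_extern_out_port_arr <<< "$block_udp_extern_out_ports"` splits on commas without touching IFS for the rest of the file. The UDP and TCP blocks are verbatim copies differing only in the variable names; a small helper taking the list and a nameref for the target array would keep both (and any validation) in sync.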
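Review bot: The new DROP rules are appended with `-A` to OUTPUT and FORWARD at line 396 onwards, so whether they ever match depends on what the script has already placed in those chains; if an earlier rule accepts outbound traffic on `$_dev` (or ESTABLISHED,RELATED state) without a port restriction, these rules are unreachable for that traffic and the option silently does nothing — this deserves a check against the rules above the hunk, or insertion at a known position, and the same applies to the ipt-firewall-gateway hunk. The array expansions `${block_udp_extern_out_port_arr[@]}` and `${ext_if_arr[@]}` as well as `$_dev` and `$_port` are unquoted; `for _dev in "${ext_if_arr[@]}"` and `--dport "$_port"` are the safe forms ShellCheck expects. Dropped packets are not logged, so a blocked outbound attempt leaves no trace; if the rest of the script has a LOG convention, a rate-limited LOG rule before each DROP would fit it. The forwarding guard here is `$kernel_forward_between_interfaces` while the ipt hunk uses `$kernel_activate_forwarding`; that may be intentional per file but is worth confirming.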
@@ -717,6 +717,62 @@ else fi +# --- +# - Block UDP Ports out +# --- + +echononl "\tBlock UDP Ports extern out.." + +if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then + echo"" + + for _port in ${block_udp_extern_out_port_arr[@]} ; do + + for _dev in ${ext_if_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -j DROP + + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -j DROP + fi + + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Block TCP Ports out +# --- + +echononl "\tBlock TCP Ports extern out.." + +if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then + + for _port in ${block_tcp_extern_out_port_arr[@]} ; do + + for _dev in ${ext_if_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -j DROP + + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -j DROP + fi + + done + + done + echo_done +else + echo_skipped +fi + + + # --- # - Block IPs/Netwoks reading from file 'ban_ipv4.list'" # ---
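Review bot: The stray `echo""` right after `if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then` runs `echo` with no arguments and prints a blank line between the "Block UDP Ports extern out.." prompt and echo_done, which neither the TCP block below nor the ip6t-firewall-gateway version does; it looks like leftover debugging and should be removed. The loop expansions `${block_udp_extern_out_port_arr[@]}`, `${ext_if_arr[@]}`, `$_dev` and `$_port` are unquoted in both blocks; `for _dev in "${ext_if_arr[@]}"` and `--dport "$_port"` are the safe forms. An empty `ext_if_arr` still reports echo_done with no rule installed, so a short comment above each block stating that the rules are outbound-only on the external interfaces (and rely on `ext_if_arr` being populated) would help the next reader.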