Add Jitsi Video Conference Service out only.

2020-03-18 00:15:28 +01:00 · 2020-03-18 00:15:28 +01:00 · 1eeb01411e
commit 1eeb01411e
parent b995c6c4e1
5 changed files with 123 additions and 2 deletions
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@ -49,6 +49,10 @@ standard_ipsec_nat_t=4500
 standard_http_ports="80,443"
 standard_mailuser_ports="587,465,110,995,143,993"

+# - Jitsi Video Conference Service
+# -
+standard_jitsi_tcp_ports="$standard_http_ports"
+standard_jitsi_udp_port_range="10000:20000"

 # -------------
 # --- Predefined Ports
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@ -800,6 +800,27 @@ snmp_trap_port="$standard_snmp_trap_port"
 mumble_ports="64738"


+# ======
+# - Jitsi Video Conference Service
+# ======
+
+# - Jitsi Video Conference Service Gateway
+# -
+# - NOT YET IMPLEMENTED
+# -
+local_jitsi_video_conference_service=false
+
+# - Jitsi Video Conference Service Ports
+# -
+# - TCP 80:    Webinterface. 
+# - TCP 443:   Webinterface (SSL) 
+# -
+# - UDP 10000-20000:   Virtual Media for Remote Console
+# -
+jitsi_tcp_ports="$standard_http_ports"
+jitsi_udp_ports="10000:20000"
+
+
 # ======
 # - XyMon Service
 # ======
@ -1257,7 +1278,8 @@ allow_irc_request_out=true
 allow_mysql_request_out=true
 allow_ipmi_request_out=true
 allow_remote_console_request_out=true
-allow_mumble_out=true
+allow_mumble_request_out=true
+allow_jitsi_video_conference_out=true

 allow_samba_requests_out=true

--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@ -769,6 +769,32 @@ snmp_trap_port="$standard_snmp_trap_port"
 mumble_ports="64738"


+# ======
+# - Jitsi Video Conference Service
+# ======
+
+# - Jitsi Video Conference Service Gateway
+# -
+# - NOT YET IMPLEMENTED
+# -
+local_jitsi_video_conference_service=false
+
+
+# - Jitsi Video Conference Service only out
+# -
+# - Ports:
+# -
+# - TCP 80:    Webinterface. 
+# - TCP 443:   Webinterface (SSL) 
+# -
+# - UDP 10000-20000:   Virtual Media for Remote Console
+# -
+# - comma separated list
+# -
+jitsi_tcp_ports="$standard_http_ports"
+jitsi_udp_port_range="10000:20000"
+
+
 # ======
 # - XyMon Service
 # ======
@ -1195,7 +1221,8 @@ allow_irc_request_out=true
 allow_mysql_request_out=true
 allow_ipmi_request_out=true
 allow_remote_console_request_out=true
-allow_mumble_out=true
+allow_mumble_request_out=true
+allow_jitsi_video_conference_out=true

 allow_samba_requests_out=true

--- a/34
+++ b/34
@ -2858,6 +2858,40 @@ else
 fi


+# ---
+# - Jitsi Video Conference Service out only
+# ---
+
+echononl "\t\tJitsi Video Conference Service out only"
+
+if $allow_jitsi_video_conference_out ; then
+   for _dev in ${ext_if_arr[@]} ; do
+
+      $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+         $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+      fi
+
+      if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
+         $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      fi
+      $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
+
+
+      if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+         if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
+            $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+         fi
+         $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
+      fi
+
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - PGP Keyserver out only
 # ---
--- a/34
+++ b/34
@ -3568,6 +3568,40 @@ else
 fi


+# ---
+# - Jitsi Video Conference Service out only
+# ---
+
+echononl "\t\tJitsi Video Conference Service out only"
+
+if $allow_jitsi_video_conference_out ; then
+   for _dev in ${ext_if_arr[@]} ; do
+
+      $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+         $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+      fi
+
+      if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
+         $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      fi
+      $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
+
+
+      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+         if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
+            $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+         fi
+         $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
+      fi
+
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - PGP Keyserver out only
 # ---