From 3e4d7f3f7b9dd2cfd5cfe866350b6619d45f00ff Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 19 Mar 2019 12:45:37 +0100
Subject: [PATCH] Add TCP/UDP Ports out - forgot firewall scripts
---
 ip6t-firewall-gateway | 245 ++++++++++++----------------------------
 ipt-firewall-gateway | 253 ++++++++++++------------------------------
 2 files changed, 148 insertions(+), 350 deletions(-)
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index eabc6b3..0c6e884 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -2287,7 +2287,7 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_i # - (1) # - - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftp6data_$i'. + # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. # - $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport 1024: -m state --state NEW \ -m recent --name ftp6data_local_$k --rdest --set -j ACCEPT
@@ -2296,7 +2296,7 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_i -m recent --name ftp6data_local_$k --rdest --set -j ACCEPT # - (2) - # - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). # - # - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
@@ -2323,11 +2323,11 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_i $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT fi - done + done - echo_done + echo_done else - echo_skipped + echo_skipped fi #echononl "\t\tFTP Service local Networks"
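Review bot: The comments rewritten in the `@@ -2287,7 +2287,7 @@` and `@@ -2296,7 +2296,7 @@` hunks now name the recent list `'ftpdata_$i'`, but the rules directly below them use `--name ftp6data_local_$k`, so the new wording matches neither the IPv6 list prefix nor the loop variable. Keeping the comment in step with the code would read `# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftp6data_local_$k'.`, with the matching change in the second hunk's `# - - Accept packets if ...` line. The third hunk of this file only re-indents `done`/`echo_done`/`echo_skipped`.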
@@ -2366,23 +2366,6 @@ unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then - - # - Used for different ftpdata recent lists 'ftp6data_dmz_$m' - # - - declare -i m=1 - - # - (Re)define helper - # - - if ! $ftp_helper_output_defined ; then - $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp - ftp_helper_output_defined=true - fi - if $kernel_activate_forwarding && ! $ftp_helper_prerouting_defined ; then - $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp - ftp_helper_prerouting_defined=true - fi - - IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}" for _ip in "${!ftp_server_dmz_arr[@]}"; do 
@@ -2393,104 +2376,34 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th continue fi - # ===== - # - - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic - # - ====================================================== - # - - # - Workaround: - # - (1) add source ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear - # - (2) accept packets of the formaly created recent list 'ftp6data_$i! - # - - # ===== - - # --- - # - From gateway itself - # --- - - # - (1) - # - - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6data_$i'. - # - - $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 -m state --state NEW \ - -m recent --name ftp6data_dmz_$m --rdest --set -j ACCEPT - - # - (2) - # - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update) - # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). - # - - # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). - # - - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). 
- # - - $ip6t -A OUTPUT -p tcp -d $_ip -m state --state NEW --dport 1024: \ - -m recent --name ftp6data_dmz_$m --rdest --update --seconds 1800 --reap -j ACCEPT - - ((m++)) - - # - Accept (helper ftp) related connections - # - - $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT - $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT - - - # --- - # - From extern - # --- - - if $kernel_activate_forwarding ; then - - # - (1) - # - - $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m state --state NEW \ - -m recent --name ftp6data_dmz_$m --rdest --set -j ACCEPT - - # - (2) - # - - $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 1024: -m state --state NEW \ - -m recent --name ftp6data_dmz_$m --rdest --update --seconds 1800 --reap -j ACCEPT - - ((m++)) - - # - Accept (helper ftp) related connections - # - - $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 1024: -j ACCEPT - $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -o ${ftp_server_dmz_arr[$_ip]} -p tcp -s $_ip --dport 1024: -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + # - From extern + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT fi - - # --- - # - From intern - # --- - - if $kernel_activate_forwarding && ! $permit_between_local_networks ; then - + # - From intern + if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do - - # - (1) - # - - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW \ - -m recent --name ftp6data_dmz_$m --rdest --set -j ACCEPT - - # - (2) - # - - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 1024: -m state --state NEW \ - -m recent --name ftp6data_dmz_$m --rdest --update --seconds 1800 --reap -j ACCEPT - - ((m++)) - - # - Accept (helper ftp) related connections - # - - $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -i $_dev -p tcp -d $_ip --dport 1024: -j ACCEPT - $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -o $_dev -p tcp -s $_ip --dport 1024: -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT done fi + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + + # - Control Port + $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT + # - Data Port activ + $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT + # - Data Port passiv + $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT + + fi done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then 
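Review bot: Passive-mode data connections to a DMZ FTP server appear to have no accept path left in this hunk: the `-m recent` and `--helper ftp` RELATED rules are removed, and the only rule that matches `$ftp_passive_port_range` is the `--tcp-flag ACK ACK` FORWARD rule inside `if $kernel_forward_between_interfaces && $local_alias_interfaces`, which never matches the data connection's initial SYN and is not installed at all when aliases are not in use. Unless those connections are accepted by a rule elsewhere in the script, extern clients can open the control connection on port 21 but not the data channel. The ACK-only rules are also broader than the state they are meant to cover, since they accept any ACK-bearing segment to or from `$_ip` on ports 20, 21 and the passive range without consulting conntrack; if the alias case does not actually defeat connection tracking, `-m conntrack --ctstate ESTABLISHED` is the tighter match. The same applies to the ipt-firewall-gateway hunk `@@ -3077,110 +3060,42 @@`. The enclosing `for _ip` loop and the `if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]]` block start in the preceding hunk.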
@@ -2505,64 +2418,6 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th else echo_skipped fi - -#echononl "\t\tFTP Service DMZ" -#unset no_if_for_ip_arr -#declare -a no_if_for_ip_arr -# -#if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then -# IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}" -# for _ip in "${!ftp_server_dmz_arr[@]}"; do -# -# # - Skip if no interface is given -# # - -# if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then -# no_if_for_ip_arr+=("$_ip") -# continue -# fi -# -# $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT -# -# # - From extern -# if $kernel_forward_between_interfaces ; then -# $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT -# fi -# -# # - From intern -# if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then -# for _dev in ${local_if_arr[@]} ; do -# $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT -# done -# fi -# -# # - Rule is needed if (local) interface aliases in use (like eth0:1) -# # - -# if $kernel_forward_between_interfaces && $local_alias_interfaces ; then -# -# # - Control Port -# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT -# $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT -# # - Data Port activ -# $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT -# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT -# # - Data Port passiv -# $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT -# -# fi -# done -# -# if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then -# echo_warning -# for _ip in ${no_if_for_ip_arr[@]} ; do -# warn "No Interface given for ip '$_ip'" -# done -# else -# echo_done -# fi -# -#else -# echo_skipped -#fi # --- 
@@ -3219,6 +3074,54 @@ else fi + + +# --- +# - Special TCP Ports OUT +# --- + +echononl "\t\tSpecial TCP Ports OUT" + +if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${tcp_out_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + # --- # - Special UDP Ports OUT # --- + +echononl "\t\tSpecial UDP Ports OUT" + +if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${udp_out_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + # --- # - Other local Services # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index ecabe5a..4936776 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -3005,11 +3005,11 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwardi $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT fi - done + done - echo_done + echo_done else - echo_skipped + echo_skipped fi
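Review bot: The new `Special TCP Ports OUT` and `Special UDP Ports OUT` rules in hunk `@@ -3219,6 +3074,54 @@` use `-m state --state NEW`, while the DMZ FTP rules rewritten in this same commit use `-m conntrack --ctstate NEW`; `state` is the obsolete alias of the `conntrack` match, so the file now mixes both spellings for the same check. Writing the OUTPUT line as `$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT` (and likewise the FORWARD and UDP lines) keeps one match style. The ipt-firewall-gateway hunk `@@ -3935,6 +3784,52 @@` has the same inconsistency.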
@@ -3050,23 +3050,6 @@ unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then - - # - Used for different ftpdata recent lists 'ftpdata_dmz_$m' - # - - declare -i m=1 - - # - (Re)define helper - # - - if ! $ftp_helper_output_defined ; then - $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp - ftp_helper_output_defined=true - fi - if $kernel_activate_forwarding && ! $ftp_helper_prerouting_defined ; then - $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp - ftp_helper_prerouting_defined=true - fi - - IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}" for _ip in "${!ftp_server_dmz_arr[@]}"; do 
@@ -3077,110 +3060,42 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th continue fi - # ===== - # - - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic - # - ====================================================== - # - - # - Workaround: - # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear - # - (2) accept packets of the formaly created recent list 'ftpdata_$i! - # - - # ===== - - # --- - # - From gateway itself - # --- - - # - (1) - # - - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. - # - - $ipt -A OUTPUT -p tcp -d $_ip --dport 21 -m state --state NEW \ - -m recent --name ftpdata_dmz_$m --rdest --set -j ACCEPT - - # - (2) - # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) - # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). - # - - # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). - # - - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). 
- # - - $ipt -A OUTPUT -p tcp -d $_ip -m state --state NEW --dport 1024: \ - -m recent --name ftpdata_dmz_$m --rdest --update --seconds 1800 --reap -j ACCEPT - - ((m++)) - - # - Accept (helper ftp) related connections - # - - $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT - $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT - - - # --- - # - From extern - # --- + $ipt -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + # - From extern if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT - # - (1) - # - - $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m state --state NEW \ - -m recent --name ftpdata_dmz_$m --rdest --set -j ACCEPT - - # - (2) - # - - $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 1024: -m state --state NEW \ - -m recent --name ftpdata_dmz_$m --rdest --update --seconds 1800 --reap -j ACCEPT - - ((m++)) - - # - Accept (helper ftp) related connections + # - Nat if interface is on a dsl line # - - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 1024: -j ACCEPT - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -o ${ftp_server_dmz_arr[$_ip]} -p tcp -s $_ip --dport 1024: -j ACCEPT - - # - Finally we have to Nat the connection - # - - $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21 - $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20 - $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range \ - -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]} + if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; 
then + $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21 + $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20 + $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]} + fi fi - - # --- - # - From intern - # --- - + # - From intern if $kernel_activate_forwarding && ! $permit_between_local_networks ; then - for _dev in ${local_if_arr[@]} ; do - - # - (1) - # - - $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m state --state NEW \ - -m recent --name ftpdata_dmz_$m --rdest --set -j ACCEPT - - # - (2) - # - - $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 1024: -m state --state NEW \ - -m recent --name ftpdata_dmz_$m --rdest --update --seconds 1800 --reap -j ACCEPT - - ((m++)) - - # - Accept (helper ftp) related connections - # - - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -i $_dev -p tcp -d $_ip --dport 1024: -j ACCEPT - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp \ - -o $_dev -p tcp -s $_ip --dport 1024: -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT done fi + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + + # - Control Port + $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT + # - Data Port activ + $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT + # - Data Port passiv + $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT + + fi done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then 
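Review bot: The three `-t nat -A PREROUTING ... -j DNAT` rules inside the new `containsElement` check match on the ingress interface and `--dport` only, with no `-d` match, so they redirect ports 21, 20 and the passive range for every address arriving on that interface; and because they are appended once per iteration of the `for _ip` loop, a second DMZ FTP server configured behind the same NAT interface would get DNAT rules that sit behind the first server's and never match. If the configuration can hold more than one DMZ FTP server per interface, or an interface with several public addresses, each rule needs a `-d` match on the public address the server is published on. The `for _ip` loop and the enclosing `if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]]` block begin in the preceding hunk.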
@@ -3195,72 +3110,6 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th else echo_skipped fi - -#echononl "\t\tFTP Service DMZ" -#unset no_if_for_ip_arr -#declare -a no_if_for_ip_arr -# -#if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then -# IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}" -# for _ip in "${!ftp_server_dmz_arr[@]}"; do -# -# # - Skip if no interface is given -# # - -# if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then -# no_if_for_ip_arr+=("$_ip") -# continue -# fi -# -# $ipt -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT -# -# # - From extern -# if $kernel_activate_forwarding ; then -# $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT -# -# # - Nat if interface is on a dsl line -# # - -# #if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then -# $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21 -# $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20 -# $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]} -# #fi -# fi -# -# # - From intern -# if $kernel_activate_forwarding && ! 
$permit_between_local_networks ; then -# for _dev in ${local_if_arr[@]} ; do -# $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT -# done -# fi -# -# # - Rule is needed if (local) interface aliases in use (like eth0:1) -# # - -# if $kernel_activate_forwarding && $local_alias_interfaces ; then -# -# # - Control Port -# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT -# $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT -# # - Data Port activ -# $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT -# $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT -# # - Data Port passiv -# $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT -# -# fi -# done -# -# if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then -# echo_warning -# for _ip in ${no_if_for_ip_arr[@]} ; do -# warn "No Interface given for ip '$_ip'" -# done -# else -# echo_done -# fi -# -#else -# echo_skipped -#fi # --- 
@@ -3935,6 +3784,52 @@ else fi +# --- +# - Special TCP Ports OUT +# --- + +echononl "\t\tSpecial TCP Ports OUT" + +if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${tcp_out_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Special UDP Ports OUT +# --- + +echononl "\t\tSpecial UDP Ports OUT" + +if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${udp_out_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + # --- # - Other local Services # ---
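Review bot: The FORWARD rules added for `Special TCP Ports OUT` and `Special UDP Ports OUT` match only `-o $_dev` and `--dport $_port`, with no `-i` or `-s` restriction, so a NEW connection to such a port is forwarded out of every external interface from any forwarded source, DMZ hosts included. If the intent is to open these ports only for the local networks, restrict the rule to them, for example by adding an `-i` match for each entry of `${local_if_arr[@]}` as the FTP section does; if egress from the DMZ on these ports is intended, a comment saying so would save the next reader the question. The ip6t-firewall-gateway hunk `@@ -3219,6 +3074,54 @@` has the same shape.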