From 4ade3866341842cbf829d675c6271493360a3957 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 11 Feb 2023 15:15:10 +0100 Subject: [PATCH] Add MAC address filterimh for gamin devices --- conf/main_ipv4.conf.sample | 12 + conf/main_ipv6.conf.sample | 12 + conf/post_decalrations.conf | 7 + ip6t-firewall-gateway | 431 +++++++++++++++++++---------------- ipt-firewall-gateway | 432 ++++++++++++++++++++---------------- 5 files changed, 517 insertions(+), 377 deletions(-) diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index bbaf8d9..c8a9711 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -1612,6 +1612,18 @@ allow_remote_mac_src_addresses="" +# ============= +# - MAC Address Filtering Gaming Devices +# ============= + +# - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks +# - +# - Blank separated list +# - +gameming_device_mac_addresses="" + + + # ============= # --- Basic behavior - overwrites settings from 'default_basic_behavior.conf' # ============= diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 16f4a6e..1183b24 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -1524,6 +1524,18 @@ allow_remote_mac_src_addresses="" +# ============= +# - MAC Address Filtering Gaming Devices +# ============= + +# - MAC adresses here are only allowed connect to internet but NOT to loacl services and networks +# - +# - Blank separated list +# - +gameming_device_mac_addresses="" + + + # ============= # --- Basic behavior # ============= diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index e73d153..1397688 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf 
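Review bot: The comment above `gameming_device_mac_addresses=""` promises that listed devices cannot reach local services, but the rules this commit adds in ip6t-firewall-gateway and ipt-firewall-gateway only DROP routed traffic (FORWARD towards the local interfaces); nothing is appended to INPUT, so services running on the gateway itself stay reachable from these MACs. Either the comment should be narrowed, e.g. `# - MAC addresses listed here are only forwarded to the internet, NOT routed to other local networks (services on this gateway are not restricted)`, or an INPUT rule belongs in the scripts. The name `gameming_` is misspelled and this spelling becomes the config key consumed by conf/post_decalrations.conf and both gateway scripts, so renaming it to `gaming_device_mac_addresses` before it ships avoids a breaking config change later. The same text appears in the conf/main_ipv6.conf.sample hunk.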
@@ -1832,3 +1832,10 @@ for _mac in $allow_remote_mac_src_addresses ; do allow_remote_mac_src_address_arr+=("$_mac") done +# --- +# - MAC Address Filtering Gaming Devices +# --- +declare -a gameming_device_mac_address_arr=() +for _mac in $gameming_device_mac_addresses ; do + gameming_device_mac_address_arr+=("$_mac") +done diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index d0218cc..4864eac 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway 
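Review bot: The new loop copies every token of `$gameming_device_mac_addresses` into `gameming_device_mac_address_arr` without checking that it looks like a MAC address, so a typo in the config only surfaces later when `-m mac --mac-source $_mac` is rejected part-way through loading the rule set, leaving a half-applied policy. A shape check at declaration time, `[[ "$_mac" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] || { printf 'invalid gaming device MAC: %s\n' "$_mac" >&2; exit 1; }`, catches that before any rule is touched; it should abort rather than silently skip, because a skipped entry means that device gets no restriction at all. The existing `allow_remote_mac_src_address_arr` loop just above has the same gap, but it is outside this commit's change.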
@@ -836,6 +836,214 @@ $ip6t -A OUTPUT -o lo -j ACCEPT echo_done +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ip6t -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +$ip6t -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +fi + +echo_done + + +# --- +# - Permit all traffic through VPN lines +# --- +echononl "\tPermit all traffic through VPN lines.." +for _vpn_if in ${vpn_if_arr[@]} ; do + $ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + for _local_dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + done + fi +done +echo_done + + +# --- +# - Permit all traffic through WireGuard lines +# --- +echononl "\tPermit all traffic through WireGuard lines.." 
+for _wg_if in ${wg_if_arr[@]} ; do + $ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + for _local_dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_local_dev -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT + done + fi +done +echo_done + + +echo "" + +# --- +# - DHCP +# --- + +echononl "\t\tLocal DHCP Client" + +if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then + for _dev in ${dhcp_client_interfaces_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p udp -m udp --dport 546 -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp -m udp --dport 547 -j ACCEPT + done + + echo_done +else + echo_skipped +fi + + +echononl "\t\tDHCP Service (local network only)" + +if $local_dhcp_service ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT + $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT + $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-request -j ACCEPT + $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-reply -j ACCEPT + + $ip6t -A INPUT -p udp -i $_dev --sport 546 --dport 547 -j ACCEPT + $ip6t -A OUTPUT -p udp -o $_dev --sport 547 --dport 546 -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - DHCP Failover +# --- + +echononl "\t\tDHCP Failover Server" +if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${dhcp_failover_server_ip_arr[@]} ; do + $ip6t -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - DNS out only +# --- + +echononl "\t\tDNS out only" + +# - Nameservers on the INET must be reachable for the local 
recursiv nameserver +# - but also for all others +# - +for _dev in ${ext_if_arr[@]} ; do + # - out from local and virtual mashine(s) + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + + # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + # - forward from virtual mashine(s) + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - DNS Service Gateway +# --- + +echononl "\t\tDNS Service Gateway" + +# - Local Nameservice +# - +if $local_dns_service ; then + + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. 
+ # + + # - Allow requests from local networks + # - + for _dev in ${local_if_arr[@]} ; do + # - in + $ip6t -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + done + + # - Zonetransfere (uses tcp/53) + # + for _ip in ${dns_server_ips[@]} ; do + # - out + # - + # - local master (here) gets request for a zone from slave ($_ip) + $ip6t -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT + + # - in + # - + # - local slave (here) requests zone from master ($_ip) + $ip6t -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + done + + echo_done +else + echo_skipped +fi + + +# --- +# - DNS Services at local Network +# --- + +echononl "\t\tDNS Service local Network" + +# - Make nameservers at the local network area rechable for all +# - +if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then + + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + + for _ip in ${dns_server_ip_arr[@]} ; do + $ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + +echo "" + + # --- # - Allow all Traffic from source mac-address # --- 
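Review bot: Relocating the established/VPN/WireGuard/DHCP/DNS sections to directly after the loopback rules changes the order of the INPUT and FORWARD chains relative to the MAC source-address sections, and nothing in the moved block says why; a comment at its top such as `# - Kept before the MAC source-address sections on purpose: the per-MAC rules below must not override these` would stop the next reader from moving it back. One visible consequence is that the `FORWARD -i $_dev ... -d $_ip --dport 53` accepts for local nameservers (added when `$kernel_forward_between_interfaces && ! $permit_between_local_networks`) now precede the gaming-device DROP towards local interfaces, so those devices keep DNS access to local servers — if that is intended it belongs in the config comment for the new variable. The moved text also keeps `"\t\tLocal DHCP Client"` and `"\t\tDNS out only"` with two tabs, whereas the same relocation in ipt-firewall-gateway (hunk @@ -1471,6 +1471,216 @@) changes these labels to a single `\t`; the two scripts should agree.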
@@ -900,52 +1108,53 @@ else fi +echo "" + + # --- -# - Already established connections +# - Allow remote Traffic for Gaming devices # --- -echononl "\tAccept already established connections.." +echononl "\tAllow remote Traffic OUT for Gaming devices" -$ip6t -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -$ip6t -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +if [[ ${#gameming_device_mac_address_arr[@]} -gt 0 ]] ; then + for _mac in ${gameming_device_mac_address_arr[@]} ; do + for _dev in ${ext_if_arr[@]} ; do + if $kernel_forward_between_interfaces ; then + if ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT + fi + fi + done + done + echo_done +else + echo_skipped fi -echo_done # --- -# - Permit all traffic through VPN lines +# - Deny Traffic to other local networks for Gaming devices # --- -echononl "\tPermit all traffic through VPN lines.." -for _vpn_if in ${vpn_if_arr[@]} ; do - $ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces ; then - for _local_dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + +echononl "\tDeny Traffic to other local networks for Gaming devices" + +if [[ ${#gameming_device_mac_address_arr[@]} -gt 0 ]] ; then + for _mac in ${gameming_device_mac_address_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j DROP + fi done - fi -done -echo_done + done + echo_done +else + echo_skipped +fi -# --- -# - Permit all traffic through WireGuard lines -# --- -echononl "\tPermit all traffic through WireGuard lines.." 
-for _wg_if in ${wg_if_arr[@]} ; do - $ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces ; then - for _local_dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -i $_local_dev -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT - done - fi -done -echo_done - +echo "" # --- 
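Review bot: The `-j DROP` for `-o $_dev` on the local interfaces is appended after the `RELATED,ESTABLISHED` accept that the earlier hunk moves to the top of FORWARD, so it only affects the first packet of a new flow; connections a listed device already has open to another local network when the rule set is (re)loaded remain in conntrack and keep passing. If the intent is to cut such devices off immediately, the matching conntrack entries have to be flushed when the rules are loaded, otherwise the comment above the DROP should say `# - Only NEW connections are denied; flows already tracked by conntrack are not affected`. The block also leaves INPUT untouched while the config comment says these devices must not reach local services, so either `$ip6t -A INPUT -m mac --mac-source $_mac -j DROP` (placed after the DHCP/DNS accepts the device still needs) should be added or the config comment narrowed. Note that `--mac-source` matches the link-layer source of the frame as it arrives on the gateway, so a device behind another router or a bridge that rewrites MACs will presumably not be matched — worth a comment if that topology is possible. The same code is in ipt-firewall-gateway hunk @@ -1535,52 +1744,53 @@.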
@@ -1630,162 +1839,6 @@ fi # --- -# --- -# - DHCP -# --- - -echononl "\t\tLocal DHCP Client" - -if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then - for _dev in ${dhcp_client_interfaces_arr[@]} ; do - $ip6t -A INPUT -i $_dev -p udp -m udp --dport 546 -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp -m udp --dport 547 -j ACCEPT - done - - echo_done -else - echo_skipped -fi - - -echononl "\t\tDHCP Service (local network only)" - -if $local_dhcp_service ; then - for _dev in ${local_if_arr[@]} ; do - $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT - $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT - $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-request -j ACCEPT - $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-reply -j ACCEPT - - $ip6t -A INPUT -p udp -i $_dev --sport 546 --dport 547 -j ACCEPT - $ip6t -A OUTPUT -p udp -o $_dev --sport 547 --dport 546 -j ACCEPT - done - echo_done -else - echo_skipped -fi - - -# --- -# - DHCP Failover -# --- - -echononl "\t\tDHCP Failover Server" -if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then - for _ip in ${dhcp_failover_server_ip_arr[@]} ; do - $ip6t -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT - done - echo_done -else - echo_skipped -fi - - -# --- -# - DNS out only -# --- - -echononl "\t\tDNS out only" - -# - Nameservers on the INET must be reachable for the local recursiv nameserver -# - but also for all others -# - -for _dev in ${ext_if_arr[@]} ; do - # - out from local and virtual mashine(s) - $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - - # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) - 
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - # - forward from virtual mashine(s) - $ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - fi -done - -echo_done - - -# --- -# - DNS Service Gateway -# --- - -echononl "\t\tDNS Service Gateway" - -# - Local Nameservice -# - -if $local_dns_service ; then - - # dns requests - # - # Note: - # If the total size of the DNS record is larger than 512 bytes, - # it will be sent over TCP, not UDP. - # - - # - Allow requests from local networks - # - - for _dev in ${local_if_arr[@]} ; do - # - in - $ip6t -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT - done - - # - Zonetransfere (uses tcp/53) - # - for _ip in ${dns_server_ips[@]} ; do - # - out - # - - # - local master (here) gets request for a zone from slave ($_ip) - $ip6t -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT - - # - in - # - - # - local slave (here) requests zone from master ($_ip) - $ip6t -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - done - - echo_done -else - echo_skipped -fi - - -# --- -# - DNS Services at local Network -# --- - -echononl "\t\tDNS Service local Network" - -# - Make nameservers at the local network area rechable for all -# - -if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then - - # dns requests - # - # Note: - # If the total size of the DNS record is larger than 512 bytes, - # it will be sent over TCP, not UDP. - # - - for _ip in ${dns_server_ip_arr[@]} ; do - $ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then - for _dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - done - fi - done - - echo_done -else - echo_skipped -fi - - # --- # - SSH out only diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index ed1f546..85487da 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
@@ -1471,6 +1471,216 @@ $ipt -A OUTPUT -o lo -j ACCEPT echo_done +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ipt -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +$ipt -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +fi + +echo_done + + +echo "" + + +# --- +# - Permit all traffic through VPN lines +# --- +echononl "\tPermit all traffic through VPN lines.." +for _vpn_if in ${vpn_if_arr[@]} ; do + $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + for _local_dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + done + fi +done +echo_done + + +# --- +# - Permit all traffic through WireGuard lines +# --- +echononl "\tPermit all traffic through WireGuard lines.." 
+for _wg_if in ${wg_if_arr[@]} ; do + $ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + for _local_dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_local_dev -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT + done + fi +done +echo_done + + +echo "" + + +# --- +# - DHCP +# --- + +echononl "\tLocal DHCP Client" + +if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then + for _dev in ${dhcp_client_interfaces_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp -m udp -d 255.255.255.255 --dport 67 -j ACCEPT + $ipt -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT + done + + echo_done +else + echo_skipped +fi + + +echononl "\tDHCP" + +if $local_dhcp_service ; then + # - Allow requests from intern networks + for _dev in ${local_if_arr[@]} ; do + # - in + $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT + # - out + $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - DHCP Failover +# --- + +echononl "\tDHCP Failover Server" +if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${dhcp_failover_server_ip_arr[@]} ; do + $ipt -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - DNS out only +# --- + +echononl "\tDNS out only" + +# - Nameservers on the INET must be reachable for the local recursiv nameserver +# - but also for all others +# - +for _dev in ${ext_if_arr[@]} ; do + # - out from local and virtual mashine(s) + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o 
$_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + + # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + # - forward from virtual mashine(s) + $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - DNS Service Gateway +# --- + +echononl "\tDNS Service Gateway" + +# - Local Nameservice +# - +if $local_dns_service ; then + + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + + # - Allow requests from local networks + # - + for _dev in ${local_if_arr[@]} ; do + # - in + $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + done + + # - Zonetransfere (uses tcp/53) + # + for _ip in ${dns_server_ips[@]} ; do + # - out + # - + # - local master (here) gets request for a zone from slave ($_ip) + $ipt -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT + + # - in + # - + # - local slave (here) requests zone from master ($_ip) + $ipt -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + done + + echo_done +else + echo_skipped +fi + + +# --- +# - DNS Services at local Network +# --- + +echononl "\tDNS Service local Network" + +# - Make nameservers at the local network area rechable for all +# - +if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then + + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. 
+ # + + for _ip in ${dns_server_ip_arr[@]} ; do + $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + +echo "" + + # --- # - Allow all Traffic from source mac-address # --- @@ -1520,7 +1730,6 @@ fi echononl "\tAllow remote Traffic from MAC Source-Address" - if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then for _mac in ${allow_remote_mac_src_address_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do 
@@ -1535,52 +1744,53 @@ else fi +echo "" + + # --- -# - Already established connections +# - Allow remote Traffic for Gaming devices # --- -echononl "\tAccept already established connections.." +echononl "\tAllow remote Traffic OUT for Gaming devices" -$ipt -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -$ipt -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -if $kernel_activate_forwarding ; then - $ipt -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +if [[ ${#gameming_device_mac_address_arr[@]} -gt 0 ]] ; then + for _mac in ${gameming_device_mac_address_arr[@]} ; do + for _dev in ${ext_if_arr[@]} ; do + if $kernel_activate_forwarding ; then + if ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT + fi + fi + done + done + echo_done +else + echo_skipped fi -echo_done # --- -# - Permit all traffic through VPN lines +# - Deny Traffic to other local networks for Gaming devices # --- -echononl "\tPermit all traffic through VPN lines.." -for _vpn_if in ${vpn_if_arr[@]} ; do - $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding ; then - for _local_dev in ${local_if_arr[@]} ; do - $ipt -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + +echononl "\tDeny Traffic to other local networks for Gaming devices" + +if [[ ${#gameming_device_mac_address_arr[@]} -gt 0 ]] ; then + for _mac in ${gameming_device_mac_address_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j DROP + fi done - fi -done -echo_done + done + echo_done +else + echo_skipped +fi -# --- -# - Permit all traffic through WireGuard lines -# --- -echononl "\tPermit all traffic through WireGuard lines.." 
-for _wg_if in ${wg_if_arr[@]} ; do - $ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding ; then - for _local_dev in ${local_if_arr[@]} ; do - $ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -i $_local_dev -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT - done - fi -done -echo_done - +echo "" # --- 
@@ -2373,160 +2583,6 @@ else fi -# --- -# - DHCP -# --- - -echononl "\t\tLocal DHCP Client" - -if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then - for _dev in ${dhcp_client_interfaces_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p udp -m udp -d 255.255.255.255 --dport 67 -j ACCEPT - $ipt -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT - done - - echo_done -else - echo_skipped -fi - - -echononl "\t\tDHCP" - -if $local_dhcp_service ; then - # - Allow requests from intern networks - for _dev in ${local_if_arr[@]} ; do - # - in - $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT - # - out - $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT - done - echo_done -else - echo_skipped -fi - - -# --- -# - DHCP Failover -# --- - -echononl "\t\tDHCP Failover Server" -if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then - for _ip in ${dhcp_failover_server_ip_arr[@]} ; do - $ipt -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT - done - echo_done -else - echo_skipped -fi - - -# --- -# - DNS out only -# --- - -echononl "\t\tDNS out only" - -# - Nameservers on the INET must be reachable for the local recursiv nameserver -# - but also for all others -# - -for _dev in ${ext_if_arr[@]} ; do - # - out from local and virtual mashine(s) - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - - # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) - if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then - # - forward from virtual mashine(s) - $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT - fi -done - -echo_done - - -# --- -# - DNS Service Gateway -# --- - -echononl "\t\tDNS Service Gateway" - -# - Local Nameservice -# - -if $local_dns_service ; then - - # dns requests - # - # Note: - # If the total size of the DNS record is larger than 512 bytes, - # it will be sent over TCP, not UDP. - # - - # - Allow requests from local networks - # - - for _dev in ${local_if_arr[@]} ; do - # - in - $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT - done - - # - Zonetransfere (uses tcp/53) - # - for _ip in ${dns_server_ips[@]} ; do - # - out - # - - # - local master (here) gets request for a zone from slave ($_ip) - $ipt -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT - - # - in - # - - # - local slave (here) requests zone from master ($_ip) - $ipt -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - done - - echo_done -else - echo_skipped -fi - - -# --- -# - DNS Services at local Network -# --- - -echononl "\t\tDNS Service local Network" - -# - Make nameservers at the local network area rechable for all -# - -if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then - - # dns requests - # - # Note: - # If the total size of the DNS record is larger than 512 bytes, - # it will be sent over TCP, not UDP. - # - - for _ip in ${dns_server_ip_arr[@]} ; do - $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! 
$permit_between_local_networks ; then - for _dev in ${local_if_arr[@]} ; do - $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT - done - fi - done - - echo_done -else - echo_skipped -fi - - # --- # - SSH out only