diff --git a/conf/default_basic_behavior.conf b/conf/default_basic_behavior.conf
new file mode 100644
index 0000000..5fa4a44
--- /dev/null
+++ b/conf/default_basic_behavior.conf
@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+
+
+# =============
+# --- Basic behavior
+# =============
+
+# ---
+# - Services allowed out to the world wide web
+# ---
+
+allow_ssh_request_out=true
+allow_http_request_out=true
+allow_smtp_request_out=true
+allow_mail_request_out=true
+allow_ftp_request_out=true
+allow_tftp_request_out=true
+allow_ntp_request_out=true
+allow_timeserver_request_out=true
+allow_pgpserver_request_out=true
+allow_telnet_request_out=true
+allow_whois_request_out=true
+allow_cpan_wait_request_out=true
+allow_hbci_request_out=true
+allow_jabber_request_out=true
+allow_silc_request_out=true
+allow_irc_request_out=true
+allow_mysql_request_out=true
+allow_ipmi_request_out=true
+allow_remote_console_request_out=true
+allow_mumble_request_out=true
+allow_outbound_streaming=true
+allow_echo360_video_streaming=true
+allow_bigbluebutton_video_conference_out=true
+allow_ms_skype_teams_out=true
+allow_webex_video_conference_out=true
+allow_zoom_video_conference_out=true
+allow_jitsi_video_conference_out=true
+allow_alfaview_video_conference_out=true
+allow_nc_talk_out=true
+
+allow_samba_requests_out=true
+
+allow_vpn_out=true
+
+# WireGuard
+#
+allow_wg_out=true
+
+allow_cisco_vpn_out=true
+
+
+# Gaming
+#
+# Playstation (PS), Xbox, FiFa
+#
+allow_game_xbox_one_out=false
+allow_game_xbox_360_out=false
+allow_game_ps3_out=false
+allow_game_ps4_out=false
+allow_game_fifa21_out=false
+
+
+
+# ---
+# - Services allowed between local networks
+# ---
+
+# - These Parameters are only considered, if traffic
+# - between local networks are not permitted, thats
+# - if 'permit_between_local_networks=false' (see below).
+# -
+allow_ssh_between_local_nets=true
+allow_samba_between_local_nets=false
+allow_ldap_between_local_nets=false
+allow_printing_between_local_nets=true
+allow_scanning_between_local_nets=true
+
+
+# ---
+# - Other Parameters
+# ---
+
+# - Permit internet access to all machines at local network
+# - Does not include this server itself
+# -
+permit_local_net_to_inet=false
+
+# - Do not block any traffic between local machines
+# -
+permit_between_local_networks=false
+
+# - Do not block any ICMP traffic
+# -
+permit_all_icmp_traffic=true
+
+# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
+# -
+# - Maybe useful for testing purpose with telnet or openssl
+# -
+provide_mailservice_from_local=true
+
+# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
+# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
+# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
+# -
+create_iperf_rules=false
+
diff --git a/conf/default_ipv4.conf b/conf/default_ipv4.conf
new file mode 100644
index 0000000..bcea9d7
--- /dev/null
+++ b/conf/default_ipv4.conf
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# -------------
+# --- Some IPv4-Address Configuration
+# -------------
+
+# - Loopback
+loopback_ipv4="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
diff --git a/conf/default_ipv6.conf b/conf/default_ipv6.conf
new file mode 100644
index 0000000..c299894
--- /dev/null
+++ b/conf/default_ipv6.conf
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Some IPv6-Address Configuration
+# -------------
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+
+# - Loopback
+loopback_ipv6="::1/128"
+
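Review bot: The shipped defaults leave outbound telnet, ftp, tftp, mysql, ipmi and remote-console traffic open to the internet (`allow_telnet_request_out=true` and its neighbours in the 'Services allowed out' list), and because both gateway scripts now source this file before `main_*.conf`, every installation inherits that baseline unless it overrides each flag itself. For a defaults file a deny baseline for cleartext and management protocols is the safer choice, e.g. `allow_telnet_request_out=false`, `allow_tftp_request_out=false`, `allow_ipmi_request_out=false`, `allow_mysql_request_out=false`, with the opt-in left to the site config; I cannot tell from the diff whether existing deployments rely on these being on. The file also lacks a header saying where it sits in the precedence chain; a line such as `# Defaults only - main_ipv4.conf / main_ipv6.conf are sourced afterwards and override any value set here` would save readers a trip to the gateway scripts. Minor: `thats` in the between-local-nets comment reads better as `that is`.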
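Review bot: `class_e_reserved="240.0.0.0/5"` covers only 240.0.0.0-247.255.255.255, whereas the reserved class E block is 240.0.0.0/4, so 248.0.0.0/5 (which includes the limited-broadcast address 255.255.255.255) falls outside whatever rule consumes this variable; the consumer is not visible in this diff. If the narrower prefix is deliberate, for instance to keep 255.255.255.255 out of a drop rule so DHCP broadcasts still pass, that reasoning belongs in the comment; otherwise the value should be `class_e_reserved="240.0.0.0/4"`. The value is carried over unchanged from default_ports.conf, so this is pre-existing rather than introduced by the move, and the two `Addresse` comments should read `Addresses`.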
diff --git a/conf/default_ports.conf b/conf/default_ports.conf index ac06f0f..695c2e5 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf @@ -304,6 +304,46 @@ standard_nc_turn_ports="3478,3479,5349,5350" standard_nc_turn_udp_ports="49152:65535" +# - Game Ports +# - +# - Playstation (PS), Xbox, FiFa21 +# - +# - Xbox 360: +# - TCP: 53, 80, 3074 +# - UDP: 53, 88, 3074 +# - +# - Xbox One: +# - TCP: 53, 80, 3074 +# - UDP: 53, 88, 500, 3074, 3544, 4500 +# - +# - PS3: +# - TCP: 80, 443, 3478, 3479, 3480, 5223, 8080 +# - UDP: 3074, 3478, 3479, 3658 +# - +# - PS4: +# - TCP: 80, 443, 465, 983, 1935, 3478-3480, 5223, 10070-10080 +# - UDP: 3074, 3478, 3479 +# - +# - Fifa 21: +# - TCP: 1935, 3478-3480, 3659, 10000-10099, 42127 +# - UDP: 3074, 3478-3479, 3659, 6000 +# - +standard_game_xbox_one_tcp_ports="53,80,3074" +standard_game_xbox_one_udp_ports="53,88,500,3074,3544,4500" + +standard_game_xbox_360_tcp_ports="53,80,3074" +standard_game_xbox_360_udp_ports="53,80,3074" + +standard_game_ps3_tcp_ports="80,443,3478,3479,3480,5223,8080" +standard_game_ps3_udp_ports="3074,3478,3479,3658" + +standard_game_ps4_tcp_ports="80,443,465,983,1935,3478,3479,3480,5223,10070-10080 " +standard_game_ps4_udp_ports="3074,3478,3479" + +standard_game_fifa21_tcp_ports="1935, 3478,3479,3480,3659,10000-10069,10070-10080,10081-10099,42127" +standard_game_fifa21_udp_ports="3074,3478-3479,3659,6000" + + # ------------- # --- Predefined Ports # ------------- 
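Review bot: The new port lists write ranges with a hyphen (`10070-10080` in the PS4 list, `10000-10069,10070-10080,10081-10099` and `3478-3479` in the FIFA 21 lists), but iptables `--dport` only accepts `low:high`, which is also the convention this file already uses (`standard_nc_turn_udp_ports="49152:65535"`, `unprivports="1024:65535"` in the next hunk); nothing in post_decalrations.conf converts them, so those entries will be rejected at rule-insertion time. Two further copy errors: `standard_game_xbox_360_udp_ports="53,80,3074"` contradicts the comment block above it (`UDP: 53, 88, 3074`) and should be `"53,88,3074"`, and the FIFA 21 TCP string starts `"1935, 3478,..."` while the PS4 TCP string ends `...10070-10080 "`; with the `IFS=','` splitting in post_decalrations.conf those stray blanks become part of the port token. Suggested lines: `standard_game_ps4_tcp_ports="80,443,465,983,1935,3478,3479,3480,5223,10070:10080"`, `standard_game_fifa21_tcp_ports="1935,3478,3479,3480,3659,10000:10069,10070:10080,10081:10099,42127"`, `standard_game_fifa21_udp_ports="3074,3478:3479,3659,6000"`.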
@@ -312,33 +352,3 @@ standard_nc_turn_udp_ports="49152:65535" # - unprivports="1024:65535" - -# ------------- -# --- Some IPv4-Address Configuration -# ------------- - -# - Loopback -loopback_ipv4="127.0.0.0/8" - -# - Private Networks -priv_class_a="10.0.0.0/8" -priv_class_b="172.16.0.0/12" -priv_class_c="192.168.0.0/16" - -# - Multicast Addresse -class_d_multicast="224.0.0.0/4" - -# Reserved Addresse -class_e_reserved="240.0.0.0/5" - - -# ------------- -# --- Some IPv6-Address Configuration -# ------------- - -# unique local address (ULA) - private address block -ula_block="fc00::/7" - -# - Loopback -loopback_ipv6="::1/128" - diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 02a29fd..81648c3 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -535,6 +535,10 @@ declare -A vpn_server_dmz_arr # - vpn_local_net_ports="1194" +# Remote VPN ports +# +vpn_out_ports="$standard_vpn_port" + # ====== # - WireGuard Service @@ -565,6 +569,18 @@ declare -A wg_server_dmz_arr # - wg_local_net_ports="$standard_wg_port" +# Remote WireGuard Ports +# +wg_out_ports="$standard_wg_port" + + +# ====== +# - Cisco VPN +# ====== + +cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" +cisco_vpn_out_protocol="esp" + # ====== # - DHCP Service 
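Review bot: The new `# - Cisco VPN` block in main_ipv4.conf.sample sets `cisco_vpn_out_ports` and `cisco_vpn_out_protocol` with no explanation, unlike the `# Remote VPN ports` and `# Remote WireGuard Ports` headings beside it, and nothing tells a reader what `esp` is for. A comment above the two lines such as `# Outbound IPsec for the Cisco VPN client: IKE/ISAKMP (UDP 500) and NAT-T (UDP 4500) ports, plus the ESP protocol (matched with -p esp)` would do. Both values reference `$standard_isakmp_port` and `$standard_ipsec_nat_t`, which must already be defined in default_ports.conf since that file is sourced before `conf_main`; I cannot confirm from this diff that they are.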
@@ -1548,102 +1564,6 @@ portforward_udp="" -# ============= -# --- Basic behavior -# ============= - -# === -# = Services allowed out to the world wide web -# === - -allow_ssh_request_out=true -allow_http_request_out=true -allow_smtp_request_out=true -allow_mail_request_out=true -allow_ftp_request_out=true -allow_tftp_request_out=true -allow_ntp_request_out=true -allow_timeserver_request_out=true -allow_pgpserver_request_out=true -allow_telnet_request_out=true -allow_whois_request_out=true -allow_cpan_wait_request_out=true -allow_hbci_request_out=true -allow_jabber_request_out=true -allow_silc_request_out=true -allow_irc_request_out=true -allow_mysql_request_out=true -allow_ipmi_request_out=true -allow_remote_console_request_out=true -allow_mumble_request_out=true -allow_outbound_streaming=true -allow_echo360_video_streaming=true -allow_bigbluebutton_video_conference_out=true -allow_ms_skype_teams_out=true -allow_webex_video_conference_out=true -allow_zoom_video_conference_out=true -allow_jitsi_video_conference_out=true -allow_alfaview_video_conference_out=true -allow_nc_talk_out=true - -allow_samba_requests_out=true - -allow_vpn_out=true -vpn_out_ports="1194 1195 1196" -# WireGuard -# -allow_wg_out=true -wg_out_ports="$standard_wg_port" - -allow_cisco_vpn_out=true -cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" -cisco_vpn_out_protocol="esp" - - -# === -# = Services allowed between local networks -# === - -# - These Parameters are only considered, if traffic -# - between local networks are not permitted, thats -# - if 'permit_between_local_networks=false' (see below). 
-# - -allow_ssh_between_local_nets=true -allow_samba_between_local_nets=false -allow_ldap_between_local_nets=false -allow_printing_between_local_nets=true -allow_scanning_between_local_nets=true - - -# === -# = Other Parameters -# === - -# - Permit internet access to all machines at local network -# - Does not include this server itself -# - -permit_local_net_to_inet=false - -# - Do not block any traffic between local machines -# - -permit_between_local_networks=false - -# - Do not block any ICMP traffic -# - -permit_all_icmp_traffic=true - -# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine. -# - -# - Maybe useful for testing purpose with telnet or openssl -# - -provide_mailservice_from_local=true - -# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. -# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, -# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. -# - -create_iperf_rules=false - # ============= 
@@ -1672,6 +1592,64 @@ allow_remote_mac_src_addresses="" +# ============= +# --- Basic behavior - overwrites settings from 'default_basic_behavior.conf' +# ============= + +# --- +# - Services allowed out to the world wide web +# --- + +#allow_samba_requests_out=true + + +# --- +# - Services allowed between local networks +# --- + +# - These Parameters are only considered, if traffic +# - between local networks are not permitted, thats +# - if 'permit_between_local_networks=false' (see below). +# - +#allow_ssh_between_local_nets=true +#allow_samba_between_local_nets=false +#allow_ldap_between_local_nets=false +#allow_printing_between_local_nets=true +#allow_scanning_between_local_nets=true + + +# --- +# - Other Parameters +# --- + +# - Permit internet access to all machines at local network +# - Does not include this server itself +# - +#permit_local_net_to_inet=false + +# - Do not block any traffic between local machines +# - +#permit_between_local_networks=false + +# - Do not block any ICMP traffic +# - +#permit_all_icmp_traffic=true + +# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine. +# - +# - Maybe useful for testing purpose with telnet or openssl +# - +#provide_mailservice_from_local=true + +# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. +# - +#create_iperf_rules=false + + + + # ============= # --- Block IP's / IP-Ranges # ============= diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 0757603..9725389 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -520,6 +520,10 @@ declare -A vpn_server_dmz_arr # - vpn_local_net_ports="1194" +# Remote VPN ports +# +vpn_out_ports="$standard_vpn_port" + # ====== # - WireGuard Service 
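Review bot: The new override section in main_ipv4.conf.sample lists a single outbound flag (`#allow_samba_requests_out=true`) even though roughly forty `allow_*_out` / `allow_*_request_out` / `allow_game_*_out` switches now live in default_basic_behavior.conf, so a reader of the sample has no way to discover what can be overridden here without opening the other file. Replace the lone commented line with a pointer, e.g. `# - Every 'allow_*' switch from conf/default_basic_behavior.conf may be repeated here to override its default, e.g.:` followed by the existing `#allow_samba_requests_out=true` example, and consider `overrides` instead of `overwrites` in the section title. The `(see below)` reference in the between-local-nets comment still resolves, since `permit_between_local_networks` follows in the same section.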
@@ -550,6 +554,18 @@ declare -A wg_server_dmz_arr # - wg_local_net_ports="$standard_wg_port" +# Remote WireGuard Ports +# +wg_out_ports="$standard_wg_port" + + +# ====== +# - Cisco VPN +# ====== + +cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" +cisco_vpn_out_protocol="esp" + # ====== # - DHCP Service @@ -1501,15 +1517,12 @@ allow_nc_talk_out=true allow_samba_requests_out=true allow_vpn_out=true -vpn_out_ports="1194 1195 1196" + # WireGuard # allow_wg_out=true -wg_out_ports="$standard_wg_port" allow_cisco_vpn_out=true -cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t" -cisco_vpn_out_protocol="esp" # === diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 4b0e104..9fff191 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf @@ -546,6 +546,9 @@ for _port in $vpn_local_net_ports ; do vpn_local_net_port_arr+=("$_port") done declare -a vpn_out_port_arr +if [[ -z "$vpn_out_ports" ]] ; then + vpn_out_ports="$standard_vpn_port" +fi for _port in $vpn_out_ports ; do vpn_out_port_arr+=("$_port") done @@ -608,6 +611,21 @@ done # --- # - Turn/Stun Ports # --- +if $allow_outbound_streaming \ + || $allow_echo360_video_streaming \ + || $allow_bigbluebutton_video_conference_out \ + || $allow_ms_skype_teams_out \ + || $allow_webex_video_conference_out \ + || $allow_zoom_video_conference_out \ + || $allow_jitsi_video_conference_out \ + || $allow_alfaview_video_conference_out \ + || $allow_nc_talk_out ; then + + allow_stun_turn_service_out=true +else + allow_stun_turn_service_out=false +fi + declare -a standard_turn_service_port_arr CUR_IFS="$IFS" IFS=',' ; for _port in $standard_turn_service_ports ; do 
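Review bot: In the `@@ -1501,15 +1517,12 @@` hunk main_ipv6.conf.sample keeps its own Basic behavior block, still hard-setting `allow_vpn_out=true`, `allow_wg_out=true` and `allow_cisco_vpn_out=true` (plus `allow_samba_requests_out` and `allow_nc_talk_out` in the context), whereas main_ipv4.conf.sample had that whole block removed in favour of default_basic_behavior.conf; the rest of the IPv6 block lies outside the hunk. Because `conf_main` is sourced after the defaults file, every value in that block silently wins, so an IPv6 gateway built from this sample will not pick up changes made to the shared defaults, and the new `allow_game_*_out` switches are the only ones it would actually take from there. Mirror the IPv4 change: drop the block and add the commented `overrides settings from 'default_basic_behavior.conf'` section instead.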
@@ -750,6 +768,178 @@ IFS="$CUR_IFS" +# --- +# Gaming +# --- +if $allow_game_xbox_one_out \ + || $allow_game_xbox_360_out \ + || $allow_game_ps3_out \ + || $allow_game_ps4_out \ + || $allow_game_fifa21_out ; then + + $allow_gaming_out=true +else + $allow_gaming_out=false +fi +declare -a game_ports_udp_arr +if $allow_game_xbox_360_out ; then + IFS=',' ; for _port in $standard_game_xbox_one_udp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then + continue + else + game_ports_udp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_xbox_one_udp_ports ; then + IFS=',' ; for _port in $standard_game_xbox_one_udp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then + continue + else + game_ports_udp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_ps3_udp_ports ; then + IFS=',' ; for _port in $standard_game_ps3_udp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then + continue + else + game_ports_udp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_ps4_udp_ports ; then + IFS=',' ; for _port in $standard_game_ps4_udp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then + continue + else + 
game_ports_udp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_fifa21_udp_ports ; then + IFS=',' ; for _port in $standard_game_fifa21_udp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then + continue + else + game_ports_udp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi + +allow_stun_turn_service_out allow_stun_turn_service_out + +declare -a game_ports_tcp_arr +if $allow_game_xbox_360_out ; then + IFS=',' ; for _port in $standard_game_xbox_one_tcp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then + continue + elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then + continue + else + game_ports_tcp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_xbox_one_tcp_ports ; then + IFS=',' ; for _port in $standard_game_xbox_one_tcp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then + continue + elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then + continue + else + game_ports_tcp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_ps3_tcp_ports ; then + IFS=',' ; for _port in $standard_game_ps3_tcp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif 
$allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then + continue + elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then + continue + else + game_ports_tcp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_ps4_tcp_ports ; then + IFS=',' ; for _port in $standard_game_ps4_tcp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then + continue + elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then + continue + else + game_ports_tcp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi +if $standard_game_fifa21_tcp_ports ; then + IFS=',' ; for _port in $standard_game_fifa21_tcp_ports ; do + if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then + continue + elif [[ "$_port" = "$standard_dns_port" ]] ; then + continue + elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then + continue + elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then + continue + else + game_ports_tcp_arr+==("$_port") + fi + done + IFS="$CUR_IFS" +fi + + + + # --- # - IPMI diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 16d376c..2503d6f 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -25,6 +25,8 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf conf_logging=${ipt_conf_dir}/logging_ipv6.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf conf_default_ports=${ipt_conf_dir}/default_ports.conf +conf_default_ips=${ipt_conf_dir}/default_ipv6.conf +conf_default_basic_behavior=${ipt_conf_dir}/default_basic_behavior.conf conf_main=${ipt_conf_dir}/main_ipv6.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf 
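Review bot: `$allow_gaming_out=true` (and its `=false` twin) never assigns anything: the leading `$` expands the still-unset variable to nothing and bash then tries to execute a command called `=true`, so `allow_gaming_out` stays empty and the `if $allow_gaming_out && ! $permit_local_net_to_inet` guard in both gateway scripts degrades to an empty command that succeeds. The per-console blocks after the first one test the port string instead of the flag (`if $standard_game_xbox_one_udp_ports ; then` tries to run `53,88,500,...` as a command and always fails), while the first block is keyed on `$allow_game_xbox_360_out` but iterates `$standard_game_xbox_one_udp_ports`; the same pattern is repeated in the TCP half. On top of that `game_ports_udp_arr+==("$_port")` is not an array append (`+=(...)`), `containsElement "${_port}" "${standard_turn_service_port_arr}"` passes only the first TURN port (needs `[@]`), and the bare line `allow_stun_turn_service_out allow_stun_turn_service_out` executes a non-existent command. Hyphenated ranges from default_ports.conf also pass through untouched although iptables wants `low:high`. A data-driven loop over the five consoles removes the copy-paste surface that produced these; a sketch follows.
```shell
# ---
# Gaming
# ---
allow_gaming_out=false
declare -a game_ports_udp_arr
declare -a game_ports_tcp_arr

# One entry per console: "<allow-flag> <udp port list var> <tcp port list var>"
_game_defs=(
  "allow_game_xbox_360_out standard_game_xbox_360_udp_ports standard_game_xbox_360_tcp_ports"
  "allow_game_xbox_one_out standard_game_xbox_one_udp_ports standard_game_xbox_one_tcp_ports"
  "allow_game_ps3_out      standard_game_ps3_udp_ports      standard_game_ps3_tcp_ports"
  "allow_game_ps4_out      standard_game_ps4_udp_ports      standard_game_ps4_tcp_ports"
  "allow_game_fifa21_out   standard_game_fifa21_udp_ports   standard_game_fifa21_tcp_ports"
)

for _def in "${_game_defs[@]}" ; do
  read -r _flag _udp_var _tcp_var <<< "$_def"
  [[ "${!_flag:-false}" == true ]] || continue
  allow_gaming_out=true

  IFS=',' ; for _port in ${!_udp_var} ; do
    _port="${_port// /}"      # tolerate "1935, 3478" in the port lists
    _port="${_port//-/:}"     # iptables range syntax is low:high
    [[ -n "$_port" ]] || continue
    if $allow_stun_turn_service_out && containsElement "$_port" "${standard_turn_service_port_arr[@]}" ; then
      continue
    elif [[ "$_port" == "$standard_dns_port" ]] ; then
      continue
    elif containsElement "$_port" "${game_ports_udp_arr[@]}" ; then
      continue
    fi
    game_ports_udp_arr+=("$_port")
  done
  IFS="$CUR_IFS"

  IFS=',' ; for _port in ${!_tcp_var} ; do
    _port="${_port// /}"
    _port="${_port//-/:}"
    [[ -n "$_port" ]] || continue
    if $allow_stun_turn_service_out && containsElement "$_port" "${standard_turn_service_port_arr[@]}" ; then
      continue
    elif [[ "$_port" == "$standard_dns_port" ]] ; then
      continue
    elif $allow_http_request_out && containsElement "$_port" "${standard_http_port_arr[@]}" ; then
      continue
    elif containsElement "$_port" "${game_ports_tcp_arr[@]}" ; then
      continue
    fi
    game_ports_tcp_arr+=("$_port")
  done
  IFS="$CUR_IFS"
done
```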
@@ -81,12 +83,24 @@ else source $conf_default_ports fi +if [[ ! -f "$conf_default_ips" ]]; then + fatal "Missing configuration for default_ips - file '$conf_default_ips'" +else + source $conf_default_ips +fi + if [[ ! -f "$conf_interfaces" ]]; then fatal "Missing interface configurations - file '$conf_interfaces'" else source $conf_interfaces fi +if [[ ! -f "$conf_default_basic_behavior" ]]; then + fatal "Missing interface configurations - file '$conf_default_basic_behavior'" +else + source $conf_default_basic_behavior +fi + if [[ ! -f "$conf_main" ]]; then fatal "Missing main configurations - file '$conf_main'" else @@ -3116,15 +3130,7 @@ fi echononl "\t\tTurn/Stun Service" -if $allow_outbound_streaming \ - || $allow_echo360_video_streaming \ - || $allow_bigbluebutton_video_conference_out \ - || $allow_webex_video_conference_out \ - || $allow_ms_skype_teams_out \ - || $allow_zoom_video_conference_out \ - || $allow_jitsi_video_conference_out \ - || $allow_alfaview_video_conference_out \ - || $allow_nc_talk_out ; then +if $allow_stun_turn_service_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${standard_turn_service_port_arr[@]} ; do 
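Review bot: The new guard for `$conf_default_basic_behavior` reports `Missing interface configurations`, copied from the `$conf_interfaces` block just above it, so a missing defaults file is misdiagnosed as an interface problem; use `fatal "Missing basic behavior configuration - file '$conf_default_basic_behavior'"`. The identical text is duplicated in the matching hunk of ipt-firewall-gateway. Since this file is deliberately sourced before `$conf_main` so the site config can override it, a one-line comment above the block, `# sourced before conf_main on purpose: values in main_ipv6.conf override these defaults`, would stop a future reorder from silently inverting the precedence. Quoting the path in `source "$conf_default_basic_behavior"` would match the quoted `-f` test, though the surrounding source lines are unquoted too.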
@@ -4496,6 +4502,49 @@ fi +# --- +# - Gaming +# --- + +echo "" +echononl "\t\tGaming UDP Ports out" + +if $allow_gaming_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${game_ports_udp_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + +echononl "\t\tGaming TCP Ports out" + +if $allow_gaming_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${game_ports_tcp_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + + # ------------- # --- Portforwarding # ------------- diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index dc3827c..a01c1db 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -25,6 +25,8 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf conf_logging=${ipt_conf_dir}/logging_ipv4.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_default_ports=${ipt_conf_dir}/default_ports.conf +conf_default_ips=${ipt_conf_dir}/default_ipv4.conf +conf_default_basic_behavior=${ipt_conf_dir}/default_basic_behavior.conf conf_main=${ipt_conf_dir}/main_ipv4.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf 
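Review bot: `if $allow_gaming_out && ! $permit_local_net_to_inet ; then` fails open: when `allow_gaming_out` is unset or empty (which is currently always the case, because post_decalrations.conf never assigns it owing to the `$allow_gaming_out=true` typo there), the expansion vanishes and the test reduces to `! $permit_local_net_to_inet`, so the ACCEPT rules are installed without any opt-in. Writing the guard as `if [[ "${allow_gaming_out:-false}" == true ]] && ! $permit_local_net_to_inet ; then` makes an unset flag deny. The FORWARD rule matches any ingress interface and any source; if the other `*_out` rules in this script restrict the source to the local networks, this block should follow suit, but those rules are outside the hunk. The same block is repeated verbatim in ipt-firewall-gateway.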
@@ -81,12 +83,24 @@ else source $conf_default_ports fi +if [[ ! -f "$conf_default_ips" ]]; then + fatal "Missing configuration for default_ips - file '$conf_default_ips'" +else + source $conf_default_ips +fi + if [[ ! -f "$conf_interfaces" ]]; then fatal "Missing interface configurations - file '$conf_interfaces'" else source $conf_interfaces fi +if [[ ! -f "$conf_default_basic_behavior" ]]; then + fatal "Missing interface configurations - file '$conf_default_basic_behavior'" +else + source $conf_default_basic_behavior +fi + if [[ ! -f "$conf_main" ]]; then fatal "Missing main configurations - file '$conf_main'" else @@ -3870,15 +3884,7 @@ fi echononl "\t\tTurn/Stun Service" -if $allow_outbound_streaming \ - || $allow_echo360_video_streaming \ - || $allow_bigbluebutton_video_conference_out \ - || $allow_ms_skype_teams_out \ - || $allow_webex_video_conference_out \ - || $allow_zoom_video_conference_out \ - || $allow_jitsi_video_conference_out \ - || $allow_alfaview_video_conference_out \ - || $allow_nc_talk_out ; then +if $allow_stun_turn_service_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${standard_turn_service_port_arr[@]} ; do 
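Review bot: `if $allow_stun_turn_service_out ; then` moves the decision into post_decalrations.conf and leaves this script depending on a variable it never defines; because an unset variable expands to nothing and an empty command succeeds, a post_decalrations.conf that predates this commit, or a typo in the new derivation, installs the TURN/STUN rules on every host instead of none. An explicit default before the test, `: "${allow_stun_turn_service_out:=false}"`, or a `[[ "$allow_stun_turn_service_out" == true ]]` comparison, makes the flag fail closed. ip6t-firewall-gateway carries the identical hunk, and the `@@ -81,12 +83,24 @@` hunk above repeats the `Missing interface configurations` message for the basic-behavior file that I flagged on the IPv6 script.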
@@ -5251,6 +5257,50 @@ fi +# --- +# - Gaming +# --- + +echo "" +echononl "\t\tGaming UDP Ports out" + +if $allow_gaming_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${game_ports_udp_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + +echononl "\t\tGaming TCP Ports out" + +if $allow_gaming_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${game_ports_tcp_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + done + + echo_done +else + echo_skipped +fi + + + # ------------- # --- Portforwarding # -------------
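Review bot: `--dport $_port` receives the raw tokens from default_ports.conf, where the PS4 and FIFA 21 lists write ranges as `10070-10080`; iptables only accepts `low:high`, so the first such entry makes `$ipt -A OUTPUT ...` exit non-zero and, depending on error handling I cannot see here, either aborts the run with a half-built ruleset or silently leaves those ports closed. Normalising the token in post_decalrations.conf (`_port="${_port//-/:}"`) or fixing the lists resolves it; with the small, de-duplicated arrays `-m multiport --dports "$(IFS=,; echo "${game_ports_tcp_arr[*]}")"` would also collapse the per-port loop into one rule per interface (multiport takes up to 15 ports, a range counting as two). The rules have no destination restriction, which is inherent to console gaming but worth stating above the block, e.g. `# Console/game traffic is allowed to any destination on the ports collected in post_decalrations.conf`.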