firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for gaming.

Browse Source
This commit is contained in:
Christoph 2022-02-09 15:13:22 +01:00
parent 5c02b40a7c
commit 64b991f599
9 changed files with 579 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
conf/default_basic_behavior.conf Normal file
View File

@ -0,0 +1,108 @@
#!/usr/bin/env bash
# =============
# --- Basic behavior
# =============
# ---
# - Services allowed out to the world wide web
# ---
allow_ssh_request_out=true
allow_http_request_out=true
allow_smtp_request_out=true
allow_mail_request_out=true
allow_ftp_request_out=true
allow_tftp_request_out=true
allow_ntp_request_out=true
allow_timeserver_request_out=true
allow_pgpserver_request_out=true
allow_telnet_request_out=true
allow_whois_request_out=true
allow_cpan_wait_request_out=true
allow_hbci_request_out=true
allow_jabber_request_out=true
allow_silc_request_out=true
allow_irc_request_out=true
allow_mysql_request_out=true
allow_ipmi_request_out=true
allow_remote_console_request_out=true
allow_mumble_request_out=true
allow_outbound_streaming=true
allow_echo360_video_streaming=true
allow_bigbluebutton_video_conference_out=true
allow_ms_skype_teams_out=true
allow_webex_video_conference_out=true
allow_zoom_video_conference_out=true
allow_jitsi_video_conference_out=true
allow_alfaview_video_conference_out=true
allow_nc_talk_out=true
allow_samba_requests_out=true
allow_vpn_out=true
# WireGuard
#
allow_wg_out=true
allow_cisco_vpn_out=true
# Gaming
#
# Playstation (PS), Xbox, FiFa
#
allow_game_xbox_one_out=false
allow_game_xbox_360_out=false
allow_game_ps3_out=false
allow_game_ps4_out=false
allow_game_fifa21_out=false
# ---
# - Services allowed between local networks
# ---
# - These Parameters are only considered, if traffic
# - between local networks are not permitted, thats
# - if 'permit_between_local_networks=false' (see below).
# -
allow_ssh_between_local_nets=true
allow_samba_between_local_nets=false
allow_ldap_between_local_nets=false
allow_printing_between_local_nets=true
allow_scanning_between_local_nets=true
# ---
# - Other Parameters
# ---
# - Permit internet access to all machines at local network
# - Does not include this server itself
# -
permit_local_net_to_inet=false
# - Do not block any traffic between local machines
# -
permit_between_local_networks=false
# - Do not block any ICMP traffic
# -
permit_all_icmp_traffic=true
# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
# -
# - Maybe useful for testing purpose with telnet or openssl
# -
provide_mailservice_from_local=true
# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
create_iperf_rules=false

20
conf/default_ipv4.conf Normal file
View File

@ -0,0 +1,20 @@
#!/usr/bin/env bash
# -------------
# --- Some IPv4-Address Configuration
# -------------
# - Loopback
loopback_ipv4="127.0.0.0/8"
# - Private Networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
# - Multicast Addresse
class_d_multicast="224.0.0.0/4"
# Reserved Addresse
class_e_reserved="240.0.0.0/5"

13
conf/default_ipv6.conf Normal file
View File

@ -0,0 +1,13 @@
#!/usr/bin/env bash
# -------------
# --- Some IPv6-Address Configuration
# -------------
# unique local address (ULA) - private address block
ula_block="fc00::/7"
# - Loopback
loopback_ipv6="::1/128"

70
conf/default_ports.conf
View File

@ -304,6 +304,46 @@ standard_nc_turn_ports="3478,3479,5349,5350"
standard_nc_turn_udp_ports="49152:65535" standard_nc_turn_udp_ports="49152:65535"
# - Game Ports
# -
# - Playstation (PS), Xbox, FiFa21
# -
# - Xbox 360:
# - TCP: 53, 80, 3074
# - UDP: 53, 88, 3074
# -
# - Xbox One:
# - TCP: 53, 80, 3074
# - UDP: 53, 88, 500, 3074, 3544, 4500
# -
# - PS3:
# - TCP: 80, 443, 3478, 3479, 3480, 5223, 8080
# - UDP: 3074, 3478, 3479, 3658
# -
# - PS4:
# - TCP: 80, 443, 465, 983, 1935, 3478-3480, 5223, 10070-10080
# - UDP: 3074, 3478, 3479
# -
# - Fifa 21:
# - TCP: 1935, 3478-3480, 3659, 10000-10099, 42127
# - UDP: 3074, 3478-3479, 3659, 6000
# -
standard_game_xbox_one_tcp_ports="53,80,3074"
standard_game_xbox_one_udp_ports="53,88,500,3074,3544,4500"
standard_game_xbox_360_tcp_ports="53,80,3074"
standard_game_xbox_360_udp_ports="53,80,3074"
standard_game_ps3_tcp_ports="80,443,3478,3479,3480,5223,8080"
standard_game_ps3_udp_ports="3074,3478,3479,3658"
standard_game_ps4_tcp_ports="80,443,465,983,1935,3478,3479,3480,5223,10070-10080 "
standard_game_ps4_udp_ports="3074,3478,3479"
standard_game_fifa21_tcp_ports="1935, 3478,3479,3480,3659,10000-10069,10070-10080,10081-10099,42127"
standard_game_fifa21_udp_ports="3074,3478-3479,3659,6000"
# ------------- # -------------
# --- Predefined Ports # --- Predefined Ports
# ------------- # -------------
@ -312,33 +352,3 @@ standard_nc_turn_udp_ports="49152:65535"
# - # -
unprivports="1024:65535" unprivports="1024:65535"
# -------------
# --- Some IPv4-Address Configuration
# -------------
# - Loopback
loopback_ipv4="127.0.0.0/8"
# - Private Networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
# - Multicast Addresse
class_d_multicast="224.0.0.0/4"
# Reserved Addresse
class_e_reserved="240.0.0.0/5"
# -------------
# --- Some IPv6-Address Configuration
# -------------
# unique local address (ULA) - private address block
ula_block="fc00::/7"
# - Loopback
loopback_ipv6="::1/128"

170
conf/main_ipv4.conf.sample
View File

@ -535,6 +535,10 @@ declare -A vpn_server_dmz_arr
# - # -
vpn_local_net_ports="1194" vpn_local_net_ports="1194"
# Remote VPN ports
#
vpn_out_ports="$standard_vpn_port"
# ====== # ======
# - WireGuard Service # - WireGuard Service
@ -565,6 +569,18 @@ declare -A wg_server_dmz_arr
# - # -
wg_local_net_ports="$standard_wg_port" wg_local_net_ports="$standard_wg_port"
# Remote WireGuard Ports
#
wg_out_ports="$standard_wg_port"
# ======
# - Cisco VPN
# ======
cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
cisco_vpn_out_protocol="esp"
# ====== # ======
# - DHCP Service # - DHCP Service
@ -1548,102 +1564,6 @@ portforward_udp=""
# =============
# --- Basic behavior
# =============
# ===
# = Services allowed out to the world wide web
# ===
allow_ssh_request_out=true
allow_http_request_out=true
allow_smtp_request_out=true
allow_mail_request_out=true
allow_ftp_request_out=true
allow_tftp_request_out=true
allow_ntp_request_out=true
allow_timeserver_request_out=true
allow_pgpserver_request_out=true
allow_telnet_request_out=true
allow_whois_request_out=true
allow_cpan_wait_request_out=true
allow_hbci_request_out=true
allow_jabber_request_out=true
allow_silc_request_out=true
allow_irc_request_out=true
allow_mysql_request_out=true
allow_ipmi_request_out=true
allow_remote_console_request_out=true
allow_mumble_request_out=true
allow_outbound_streaming=true
allow_echo360_video_streaming=true
allow_bigbluebutton_video_conference_out=true
allow_ms_skype_teams_out=true
allow_webex_video_conference_out=true
allow_zoom_video_conference_out=true
allow_jitsi_video_conference_out=true
allow_alfaview_video_conference_out=true
allow_nc_talk_out=true
allow_samba_requests_out=true
allow_vpn_out=true
vpn_out_ports="1194 1195 1196"
# WireGuard
#
allow_wg_out=true
wg_out_ports="$standard_wg_port"
allow_cisco_vpn_out=true
cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
cisco_vpn_out_protocol="esp"
# ===
# = Services allowed between local networks
# ===
# - These Parameters are only considered, if traffic
# - between local networks are not permitted, thats
# - if 'permit_between_local_networks=false' (see below).
# -
allow_ssh_between_local_nets=true
allow_samba_between_local_nets=false
allow_ldap_between_local_nets=false
allow_printing_between_local_nets=true
allow_scanning_between_local_nets=true
# ===
# = Other Parameters
# ===
# - Permit internet access to all machines at local network
# - Does not include this server itself
# -
permit_local_net_to_inet=false
# - Do not block any traffic between local machines
# -
permit_between_local_networks=false
# - Do not block any ICMP traffic
# -
permit_all_icmp_traffic=true
# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
# -
# - Maybe useful for testing purpose with telnet or openssl
# -
provide_mailservice_from_local=true
# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
create_iperf_rules=false
# ============= # =============
@ -1672,6 +1592,64 @@ allow_remote_mac_src_addresses=""
# =============
# --- Basic behavior - overwrites settings from 'default_basic_behavior.conf'
# =============
# ---
# - Services allowed out to the world wide web
# ---
#allow_samba_requests_out=true
# ---
# - Services allowed between local networks
# ---
# - These Parameters are only considered, if traffic
# - between local networks are not permitted, thats
# - if 'permit_between_local_networks=false' (see below).
# -
#allow_ssh_between_local_nets=true
#allow_samba_between_local_nets=false
#allow_ldap_between_local_nets=false
#allow_printing_between_local_nets=true
#allow_scanning_between_local_nets=true
# ---
# - Other Parameters
# ---
# - Permit internet access to all machines at local network
# - Does not include this server itself
# -
#permit_local_net_to_inet=false
# - Do not block any traffic between local machines
# -
#permit_between_local_networks=false
# - Do not block any ICMP traffic
# -
#permit_all_icmp_traffic=true
# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
# -
# - Maybe useful for testing purpose with telnet or openssl
# -
#provide_mailservice_from_local=true
# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
#create_iperf_rules=false
# ============= # =============
# --- Block IP's / IP-Ranges # --- Block IP's / IP-Ranges
# ============= # =============

21
conf/main_ipv6.conf.sample
View File

@ -520,6 +520,10 @@ declare -A vpn_server_dmz_arr
# - # -
vpn_local_net_ports="1194" vpn_local_net_ports="1194"
# Remote VPN ports
#
vpn_out_ports="$standard_vpn_port"
# ====== # ======
# - WireGuard Service # - WireGuard Service
@ -550,6 +554,18 @@ declare -A wg_server_dmz_arr
# - # -
wg_local_net_ports="$standard_wg_port" wg_local_net_ports="$standard_wg_port"
# Remote WireGuard Ports
#
wg_out_ports="$standard_wg_port"
# ======
# - Cisco VPN
# ======
cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
cisco_vpn_out_protocol="esp"
# ====== # ======
# - DHCP Service # - DHCP Service
@ -1501,15 +1517,12 @@ allow_nc_talk_out=true
allow_samba_requests_out=true allow_samba_requests_out=true
allow_vpn_out=true allow_vpn_out=true
vpn_out_ports="1194 1195 1196"
# WireGuard # WireGuard
# #
allow_wg_out=true allow_wg_out=true
wg_out_ports="$standard_wg_port"
allow_cisco_vpn_out=true allow_cisco_vpn_out=true
cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
cisco_vpn_out_protocol="esp"
# === # ===

190
conf/post_decalrations.conf
View File

@ -546,6 +546,9 @@ for _port in $vpn_local_net_ports ; do
vpn_local_net_port_arr+=("$_port") vpn_local_net_port_arr+=("$_port")
done done
declare -a vpn_out_port_arr declare -a vpn_out_port_arr
if [[ -z "$vpn_out_ports" ]] ; then
vpn_out_ports="$standard_vpn_port"
fi
for _port in $vpn_out_ports ; do for _port in $vpn_out_ports ; do
vpn_out_port_arr+=("$_port") vpn_out_port_arr+=("$_port")
done done
@ -608,6 +611,21 @@ done
# --- # ---
# - Turn/Stun Ports # - Turn/Stun Ports
# --- # ---
if $allow_outbound_streaming \
|| $allow_echo360_video_streaming \
|| $allow_bigbluebutton_video_conference_out \
|| $allow_ms_skype_teams_out \
|| $allow_webex_video_conference_out \
|| $allow_zoom_video_conference_out \
|| $allow_jitsi_video_conference_out \
|| $allow_alfaview_video_conference_out \
|| $allow_nc_talk_out ; then
allow_stun_turn_service_out=true
else
allow_stun_turn_service_out=false
fi
declare -a standard_turn_service_port_arr declare -a standard_turn_service_port_arr
CUR_IFS="$IFS" CUR_IFS="$IFS"
IFS=',' ; for _port in $standard_turn_service_ports ; do IFS=',' ; for _port in $standard_turn_service_ports ; do
@ -750,6 +768,178 @@ IFS="$CUR_IFS"
# ---
# Gaming
# ---
if $allow_game_xbox_one_out \
|| $allow_game_xbox_360_out \
|| $allow_game_ps3_out \
|| $allow_game_ps4_out \
|| $allow_game_fifa21_out ; then
$allow_gaming_out=true
else
$allow_gaming_out=false
fi
declare -a game_ports_udp_arr
if $allow_game_xbox_360_out ; then
IFS=',' ; for _port in $standard_game_xbox_one_udp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then
continue
else
game_ports_udp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_xbox_one_udp_ports ; then
IFS=',' ; for _port in $standard_game_xbox_one_udp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then
continue
else
game_ports_udp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_ps3_udp_ports ; then
IFS=',' ; for _port in $standard_game_ps3_udp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then
continue
else
game_ports_udp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_ps4_udp_ports ; then
IFS=',' ; for _port in $standard_game_ps4_udp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then
continue
else
game_ports_udp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_fifa21_udp_ports ; then
IFS=',' ; for _port in $standard_game_fifa21_udp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then
continue
else
game_ports_udp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
allow_stun_turn_service_out allow_stun_turn_service_out
declare -a game_ports_tcp_arr
if $allow_game_xbox_360_out ; then
IFS=',' ; for _port in $standard_game_xbox_one_tcp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then
continue
elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then
continue
else
game_ports_tcp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_xbox_one_tcp_ports ; then
IFS=',' ; for _port in $standard_game_xbox_one_tcp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then
continue
elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then
continue
else
game_ports_tcp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_ps3_tcp_ports ; then
IFS=',' ; for _port in $standard_game_ps3_tcp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then
continue
elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then
continue
else
game_ports_tcp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_ps4_tcp_ports ; then
IFS=',' ; for _port in $standard_game_ps4_tcp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then
continue
elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then
continue
else
game_ports_tcp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
if $standard_game_fifa21_tcp_ports ; then
IFS=',' ; for _port in $standard_game_fifa21_tcp_ports ; do
if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr}" ; then
continue
elif [[ "$_port" = "$standard_dns_port" ]] ; then
continue
elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then
continue
elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then
continue
else
game_ports_tcp_arr+==("$_port")
fi
done
IFS="$CUR_IFS"
fi
# --- # ---
# - IPMI # - IPMI

67
ip6t-firewall-gateway
View File

@ -25,6 +25,8 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
conf_logging=${ipt_conf_dir}/logging_ipv6.conf conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_default_ips=${ipt_conf_dir}/default_ipv6.conf
conf_default_basic_behavior=${ipt_conf_dir}/default_basic_behavior.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
@ -81,12 +83,24 @@ else
source $conf_default_ports source $conf_default_ports
fi fi
if [[ ! -f "$conf_default_ips" ]]; then
fatal "Missing configuration for default_ips - file '$conf_default_ips'"
else
source $conf_default_ips
fi
if [[ ! -f "$conf_interfaces" ]]; then if [[ ! -f "$conf_interfaces" ]]; then
fatal "Missing interface configurations - file '$conf_interfaces'" fatal "Missing interface configurations - file '$conf_interfaces'"
else else
source $conf_interfaces source $conf_interfaces
fi fi
if [[ ! -f "$conf_default_basic_behavior" ]]; then
fatal "Missing interface configurations - file '$conf_default_basic_behavior'"
else
source $conf_default_basic_behavior
fi
if [[ ! -f "$conf_main" ]]; then if [[ ! -f "$conf_main" ]]; then
fatal "Missing main configurations - file '$conf_main'" fatal "Missing main configurations - file '$conf_main'"
else else
@ -3116,15 +3130,7 @@ fi
echononl "\t\tTurn/Stun Service" echononl "\t\tTurn/Stun Service"
if $allow_outbound_streaming \ if $allow_stun_turn_service_out ; then
|| $allow_echo360_video_streaming \
|| $allow_bigbluebutton_video_conference_out \
|| $allow_webex_video_conference_out \
|| $allow_ms_skype_teams_out \
|| $allow_zoom_video_conference_out \
|| $allow_jitsi_video_conference_out \
|| $allow_alfaview_video_conference_out \
|| $allow_nc_talk_out ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${standard_turn_service_port_arr[@]} ; do for _port in ${standard_turn_service_port_arr[@]} ; do
@ -4496,6 +4502,49 @@ fi
# ---
# - Gaming
# ---
echo ""
echononl "\t\tGaming UDP Ports out"
if $allow_gaming_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_udp_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
echononl "\t\tGaming TCP Ports out"
if $allow_gaming_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_tcp_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ------------- # -------------
# --- Portforwarding # --- Portforwarding
# ------------- # -------------

68
ipt-firewall-gateway
View File

@ -25,6 +25,8 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
conf_logging=${ipt_conf_dir}/logging_ipv4.conf conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_default_ips=${ipt_conf_dir}/default_ipv4.conf
conf_default_basic_behavior=${ipt_conf_dir}/default_basic_behavior.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
@ -81,12 +83,24 @@ else
source $conf_default_ports source $conf_default_ports
fi fi
if [[ ! -f "$conf_default_ips" ]]; then
fatal "Missing configuration for default_ips - file '$conf_default_ips'"
else
source $conf_default_ips
fi
if [[ ! -f "$conf_interfaces" ]]; then if [[ ! -f "$conf_interfaces" ]]; then
fatal "Missing interface configurations - file '$conf_interfaces'" fatal "Missing interface configurations - file '$conf_interfaces'"
else else
source $conf_interfaces source $conf_interfaces
fi fi
if [[ ! -f "$conf_default_basic_behavior" ]]; then
fatal "Missing interface configurations - file '$conf_default_basic_behavior'"
else
source $conf_default_basic_behavior
fi
if [[ ! -f "$conf_main" ]]; then if [[ ! -f "$conf_main" ]]; then
fatal "Missing main configurations - file '$conf_main'" fatal "Missing main configurations - file '$conf_main'"
else else
@ -3870,15 +3884,7 @@ fi
echononl "\t\tTurn/Stun Service" echononl "\t\tTurn/Stun Service"
if $allow_outbound_streaming \ if $allow_stun_turn_service_out ; then
|| $allow_echo360_video_streaming \
|| $allow_bigbluebutton_video_conference_out \
|| $allow_ms_skype_teams_out \
|| $allow_webex_video_conference_out \
|| $allow_zoom_video_conference_out \
|| $allow_jitsi_video_conference_out \
|| $allow_alfaview_video_conference_out \
|| $allow_nc_talk_out ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${standard_turn_service_port_arr[@]} ; do for _port in ${standard_turn_service_port_arr[@]} ; do
@ -5251,6 +5257,50 @@ fi
# ---
# - Gaming
# ---
echo ""
echononl "\t\tGaming UDP Ports out"
if $allow_gaming_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_udp_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
echononl "\t\tGaming TCP Ports out"
if $allow_gaming_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_tcp_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ------------- # -------------
# --- Portforwarding # --- Portforwarding
# ------------- # -------------