Adjust Rules concerning Unifi Controller. Add digfferent Parameters for block 'Protection against several attacks'.
This commit is contained in:
parent
19bf795a99
commit
783be30197
@ -110,3 +110,103 @@ provide_mailservice_from_local=true
|
||||
# -
|
||||
create_iperf_rules=false
|
||||
|
||||
|
||||
|
||||
# =============
|
||||
# --- Router IPv4
|
||||
# =============
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
drop_syn_flood=true
|
||||
|
||||
# - I have to say that fragments scare me more than anything.
|
||||
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
||||
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
||||
# - fragments is very OS-dependent (see this paper for details).
|
||||
# - I am not going to trust any fragments.
|
||||
# - Log fragments just to see if we get any, and deny them too
|
||||
# -
|
||||
# - !! 'drop_fragments' does not work within telekom mobile connections !!
|
||||
# -
|
||||
drop_fragments=false
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
drop_new_not_sync=false
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
drop_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
drop_invalid_flags=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
# Refuse packets claiming to be from a
|
||||
# Class A private network
|
||||
# Class B private network
|
||||
# Class C private network
|
||||
# loopback interface
|
||||
# Class D multicast address
|
||||
# Class E reserved IP address
|
||||
# broadcast address
|
||||
drop_spoofed=true
|
||||
|
||||
# Don't allow spoofing from that server
|
||||
#
|
||||
drop_spoofed_out=true
|
||||
|
||||
# Refusing packets claiming to be to the loopback interface protects against
|
||||
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||
# quench to the loopback.
|
||||
drop_ext_to_lo=true
|
||||
|
||||
|
||||
|
||||
# =============
|
||||
# --- Router IPv6
|
||||
# =============
|
||||
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust6_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect6_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
drop6_syn_flood=true
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
drop6_new_not_sync=true
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
drop6_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
drop6_invalid_flags=true
|
||||
|
||||
# Refuse spoofed packets pretending to be from your IP address.
|
||||
#
|
||||
drop6_from_own_ip=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
drop6_spoofed=true
|
||||
|
||||
@ -1737,11 +1737,59 @@ not_wanted_ident=true
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust_kernel_parameters=true
|
||||
#adjust_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect_against_several_attacks=true
|
||||
#protect_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
#drop_syn_flood=false
|
||||
|
||||
# - I have to say that fragments scare me more than anything.
|
||||
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
||||
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
||||
# - fragments is very OS-dependent (see this paper for details).
|
||||
# - I am not going to trust any fragments.
|
||||
# - Log fragments just to see if we get any, and deny them too
|
||||
# -
|
||||
# - !! 'drop_fragments' does not work within telekom mobile connections !!
|
||||
# -
|
||||
#drop_fragments=true
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
#drop_new_not_sync=true
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
#drop_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
#drop_invalid_flags=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
# Refuse packets claiming to be from a
|
||||
# Class A private network
|
||||
# Class B private network
|
||||
# Class C private network
|
||||
# loopback interface
|
||||
# Class D multicast address
|
||||
# Class E reserved IP address
|
||||
# broadcast address
|
||||
#drop_spoofed=true
|
||||
|
||||
# Don't allow spoofing from that server
|
||||
#
|
||||
#drop_spoofed_out=true
|
||||
|
||||
# Refusing packets claiming to be to the loopback interface protects against
|
||||
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||
# quench to the loopback.
|
||||
#drop_ext_to_lo=true
|
||||
|
||||
|
||||
|
||||
|
||||
@ -1680,11 +1680,35 @@ not_wanted_ident=true
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust_kernel_parameters=true
|
||||
#adjust6_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect_against_several_attacks=true
|
||||
#protect6_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
#drop6_syn_flood=false
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
#drop6_new_not_sync=true
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
#drop6_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
#drop6_invalid_flags=true
|
||||
|
||||
# Refuse spoofed packets pretending to be from your IP address.
|
||||
#
|
||||
#drop6_from_own_ip=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
#drop6_spoofed=true
|
||||
|
||||
|
||||
|
||||
|
||||
@ -162,7 +162,7 @@ echo_done
|
||||
|
||||
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
|
||||
|
||||
if $adjust_kernel_parameters ; then
|
||||
if $adjust6_kernel_parameters ; then
|
||||
|
||||
# ---
|
||||
# - Deactivate Source Routed Packets
|
||||
@ -474,27 +474,44 @@ fi
|
||||
# -------------
|
||||
# --- Protections against several attacks / unwanted packages
|
||||
# -------------
|
||||
echo
|
||||
echononl "\tProtections against several attacks / unwanted packages.."
|
||||
|
||||
if $protect_against_several_attacks ; then
|
||||
if $protect6_against_several_attacks ; then
|
||||
echo
|
||||
if $terminal ; then
|
||||
echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m"
|
||||
else
|
||||
echo "Protections against several attacks / unwanted packages...."
|
||||
fi
|
||||
echo
|
||||
|
||||
# ---
|
||||
# - Protection against syn-flooding
|
||||
# ---
|
||||
|
||||
$ip6t -N syn-flood
|
||||
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
||||
echononl "\t Protection against syn-flooding.."
|
||||
|
||||
if $drop6_syn_flood || $log_syn_flood ; then
|
||||
$ip6t -N syn-flood
|
||||
$ip6t -A INPUT -p tcp --syn -j syn_flood
|
||||
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
||||
fi
|
||||
if $log_syn_flood || $log_all ; then
|
||||
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
|
||||
fi
|
||||
$ip6t -A syn-flood -j DROP
|
||||
if $drop6_syn_flood ; then
|
||||
$ip6t -A syn-flood -j DROP
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - drop new packages without syn flag
|
||||
# ---
|
||||
|
||||
echononl "\t Drop Packages new but not sync.."
|
||||
|
||||
if $log_new_not_sync || $log_all ; then
|
||||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
@ -502,10 +519,15 @@ if $protect_against_several_attacks ; then
|
||||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
|
||||
if $drop6_new_not_sync ; then
|
||||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
|
||||
fi
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
@ -513,15 +535,22 @@ if $protect_against_several_attacks ; then
|
||||
# - drop invalid packages
|
||||
# ---
|
||||
|
||||
echononl "\t Drop invalid packages.."
|
||||
|
||||
if $log_invalid_state || $log_all ; then
|
||||
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -m state --state INVALID -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -m state --state INVALID -j DROP
|
||||
if $drop6_invalid_state ; then
|
||||
$ip6t -A INPUT -m state --state INVALID -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -m state --state INVALID -j DROP
|
||||
fi
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
@ -529,8 +558,10 @@ if $protect_against_several_attacks ; then
|
||||
# - ungewöhnliche Flags verwerfen
|
||||
# ---
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
echononl "\t Drop Packages with unusal flags .."
|
||||
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
@ -539,22 +570,31 @@ if $protect_against_several_attacks ; then
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
if $drop6_invalid_flags; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Refuse private addresses on extern interfaces
|
||||
# ---
|
||||
|
||||
echononl "\t Refuse spoofed packets pretending to be from your IP address.."
|
||||
|
||||
# - Refuse spoofed packets pretending to be from your IP address.
|
||||
if $log_spoofed || $log_all ; then
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
@ -564,43 +604,56 @@ if $protect_against_several_attacks ; then
|
||||
fi
|
||||
done
|
||||
fi
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
if $drop6_from_own_ip ; then
|
||||
for _ip in ${ext_ip_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
echononl "\t Drop private addresses on extern interfaces.."
|
||||
# - private Adressen auf externen interface verwerfen
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
if $log_spoofed || $log_all ; then
|
||||
if $log_spoofed || $log_all ; then
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||
fi
|
||||
fi
|
||||
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
||||
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Don't allow spoofing from that server
|
||||
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
if $drop6_spoofed ; then
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
||||
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP
|
||||
fi
|
||||
|
||||
# Don't allow spoofing from that server
|
||||
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
|
||||
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
fi # if $protect6_against_several_attacks ; then
|
||||
|
||||
|
||||
# -------------
|
||||
@ -4355,11 +4408,13 @@ fi
|
||||
|
||||
|
||||
echononl "\t\tUbiquiti Unifi Controller Gateway IN"
|
||||
if $local_unifi_controller_service ; then
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
if $local_unifi_controller_service \
|
||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||
|
||||
for _ip in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
|
||||
$ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
@ -4381,30 +4436,26 @@ else
|
||||
fi
|
||||
|
||||
|
||||
echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)"
|
||||
echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)"
|
||||
if $local_unifi_controller_service \
|
||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||
|
||||
if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then
|
||||
$ip6t -A OUTPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A OUTPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
$ip6t -A INPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A INPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
fi
|
||||
|
||||
if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
|
||||
$ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
if $local_alias_interfaces ; then
|
||||
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
|
||||
echo_done
|
||||
@ -4426,14 +4477,12 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
||||
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
|
||||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ip6t -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
|
||||
# - Note:
|
||||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||||
# - special rule.
|
||||
@ -4441,19 +4490,25 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
||||
if $local_alias_interfaces ; then
|
||||
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
|
||||
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
|
||||
$ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
|
||||
$ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
# Rules already exists if 'local_unifi_controller_service = true'
|
||||
#
|
||||
if ! $local_unifi_controller_service ; then
|
||||
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
if $local_alias_interfaces ; then
|
||||
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
|
||||
@ -977,22 +977,36 @@ fi
|
||||
# -------------
|
||||
# --- Protections against several attacks / unwanted packages
|
||||
# -------------
|
||||
echo
|
||||
echononl "\tProtections against several attacks / unwanted packages.."
|
||||
|
||||
if $protect_against_several_attacks ; then
|
||||
echo
|
||||
if $terminal ; then
|
||||
echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m"
|
||||
else
|
||||
echo "Protections against several attacks / unwanted packages...."
|
||||
fi
|
||||
echo
|
||||
|
||||
|
||||
# ---
|
||||
# - Protection against syn-flooding
|
||||
# ---
|
||||
|
||||
$ipt -N syn_flood
|
||||
$ipt -A INPUT -p tcp --syn -j syn_flood
|
||||
$ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
|
||||
echononl "\t Protection against syn-flooding.."
|
||||
if $drop_syn_flood || $log_syn_flood ; then
|
||||
$ipt -N syn_flood
|
||||
$ipt -A INPUT -p tcp --syn -j syn_flood
|
||||
$ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
|
||||
fi
|
||||
if $log_syn_flood || $log_all ; then
|
||||
$ipt -A syn_flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
|
||||
fi
|
||||
$ipt -A syn_flood -j DROP
|
||||
if $drop_syn_flood ; then
|
||||
$ipt -A syn_flood -j DROP
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
@ -1006,60 +1020,85 @@ if $protect_against_several_attacks ; then
|
||||
# I am not going to trust any fragments.
|
||||
# Log fragments just to see if we get any, and deny them too
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_fragments || $log_all ; then
|
||||
$ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
||||
echononl "\t Drop Fragments.."
|
||||
|
||||
if $log_fragments || $log_all ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
||||
fi
|
||||
done
|
||||
fi
|
||||
if $drop_fragments ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -f -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
||||
$ipt -A FORWARD -i $_dev -f -j DROP
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -i $_dev -f -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -f -j DROP
|
||||
fi
|
||||
done
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - drop new packages without syn flag
|
||||
# ---
|
||||
|
||||
#if $log_new_not_sync || $log_all ; then
|
||||
# $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
# $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
# if $kernel_activate_forwarding ; then
|
||||
# $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
# fi
|
||||
#fi
|
||||
#$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
#$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
#if $kernel_activate_forwarding ; then
|
||||
# $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
#fi
|
||||
echononl "\t Drop Packages new but not sync.."
|
||||
|
||||
if $log_new_not_sync || $log_all ; then
|
||||
$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||
fi
|
||||
fi
|
||||
if $drop_new_not_sync; then
|
||||
$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||
fi
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - drop invalid packages
|
||||
# ---
|
||||
|
||||
#if $log_invalid_state || $log_all ; then
|
||||
# $ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
# if $kernel_activate_forwarding ; then
|
||||
# $ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
# fi
|
||||
#fi
|
||||
#$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
#if $kernel_activate_forwarding ; then
|
||||
# $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
#fi
|
||||
echononl "\t Drop invalid packages.."
|
||||
|
||||
if $log_invalid_state || $log_all ; then
|
||||
$ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||
fi
|
||||
fi
|
||||
if $drop_invalid_state ; then
|
||||
$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
fi
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - ungewöhnliche Flags verwerfen
|
||||
# ---
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
echononl "\t Drop Packages with unusal flags .."
|
||||
|
||||
if $log_invalid_flags || $log_all ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
@ -1068,125 +1107,165 @@ if $protect_against_several_attacks ; then
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
if $drop_invalid_flags ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Refuse private addresses on extern interfaces
|
||||
# ---
|
||||
|
||||
# Refuse packets claiming to be from a
|
||||
# Class A private network
|
||||
# Class B private network
|
||||
# Class C private network
|
||||
# loopback interface
|
||||
# Class D multicast address
|
||||
# Class E reserved IP address
|
||||
# broadcast address
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
echononl "\t Refuse private addresses on extern interfaces (DSL).."
|
||||
if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
# Refuse packets claiming to be from a
|
||||
# Class A private network
|
||||
# Class B private network
|
||||
# Class C private network
|
||||
# loopback interface
|
||||
# Class D multicast address
|
||||
# Class E reserved IP address
|
||||
# broadcast address
|
||||
if $log_spoofed || $log_all ; then
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
|
||||
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: "
|
||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
|
||||
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
|
||||
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
|
||||
#
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
|
||||
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: "
|
||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
|
||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
|
||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
|
||||
fi
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
|
||||
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: "
|
||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
|
||||
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
|
||||
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
|
||||
#
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
|
||||
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: "
|
||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: "
|
||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
|
||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
|
||||
fi
|
||||
done
|
||||
fi
|
||||
# Refuse packets claiming to be from a Class A private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
|
||||
# Refuse packets claiming to be from a Class B private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
|
||||
# Retfuse packets claiming to be from a Class C private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
|
||||
# Refuse packets claiming to be from loopback interface.
|
||||
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
|
||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
|
||||
# Refuse Class E reserved IP addresses.
|
||||
$ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
|
||||
# Refuse broadcast address packets.
|
||||
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
# Refuse packets claiming to be from a Class A private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
|
||||
# Refuse packets claiming to be from a Class B private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
|
||||
# Refuse packets claiming to be from a Class C private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
|
||||
# Refuse packets claiming to be from loopback interface.
|
||||
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
|
||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
|
||||
# Refuse Class E reserved IP addresses.
|
||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
|
||||
# Refuse broadcast address packets.
|
||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
|
||||
if $drop_spoofed ; then
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
# Refuse packets claiming to be from a Class A private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
|
||||
# Refuse packets claiming to be from a Class B private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
|
||||
# Retfuse packets claiming to be from a Class C private network.
|
||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
|
||||
# Refuse packets claiming to be from loopback interface.
|
||||
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
|
||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
|
||||
# Refuse Class E reserved IP addresses.
|
||||
$ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
|
||||
# Refuse broadcast address packets.
|
||||
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
# Refuse packets claiming to be from a Class A private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
|
||||
# Refuse packets claiming to be from a Class B private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
|
||||
# Refuse packets claiming to be from a Class C private network.
|
||||
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
|
||||
# Refuse packets claiming to be from loopback interface.
|
||||
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
|
||||
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
||||
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
|
||||
# Refuse Class E reserved IP addresses.
|
||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
|
||||
# Refuse broadcast address packets.
|
||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Refuse packets claiming to be to the loopback interface.
|
||||
# ---
|
||||
|
||||
echononl "\t Refuse packets claiming to be to the loopback interface.."
|
||||
|
||||
# Refusing packets claiming to be to the loopback interface protects against
|
||||
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||
# quench to the loopback.
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_to_lo || $log_all ; then
|
||||
if $log_to_lo || $log_all ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
if $drop_ext_to_lo ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Don't allow spoofing from that server
|
||||
# ---
|
||||
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
if $log_spoofed_out || $log_all ; then
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: "
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: "
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: "
|
||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: "
|
||||
fi
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
|
||||
done
|
||||
echononl "\t Don't allow spoofing out from that server.."
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
if $log_spoofed_out || $log_all ; then
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: "
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: "
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: "
|
||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: "
|
||||
done
|
||||
fi
|
||||
if $drop_spoofed_out ; then
|
||||
for _dev in ${dsl_device_arr[@]} ; do
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
|
||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
fi # if $protect_against_several_attacks ; then
|
||||
|
||||
|
||||
# -------------
|
||||
@ -5109,12 +5188,14 @@ fi
|
||||
# ---
|
||||
|
||||
|
||||
echononl "\t\tUbiquiti Unifi Controller Gateway IN"
|
||||
if $local_unifi_controller_service ; then
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
echononl "\t\tUbiquiti Unifi Controller Gateway IN from Unifi devicess"
|
||||
if $local_unifi_controller_service \
|
||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||
|
||||
$ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
for _ip in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
|
||||
$ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
@ -5136,30 +5217,26 @@ else
|
||||
fi
|
||||
|
||||
|
||||
echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)"
|
||||
echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)"
|
||||
if $local_unifi_controller_service \
|
||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||
|
||||
if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then
|
||||
$ipt -A OUTPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A OUTPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
$ipt -A INPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A INPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
fi
|
||||
|
||||
if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
||||
|
||||
$ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
if $local_alias_interfaces ; then
|
||||
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
|
||||
echo_done
|
||||
@ -5181,14 +5258,12 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
||||
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
|
||||
for _dev in ${local_if_arr[@]} ; do
|
||||
|
||||
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ipt -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
done
|
||||
|
||||
|
||||
# - Note:
|
||||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||||
# - special rule.
|
||||
@ -5196,19 +5271,25 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
||||
if $local_alias_interfaces ; then
|
||||
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
|
||||
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
|
||||
$ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
|
||||
$ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
# Rules already exists if 'local_unifi_controller_service = true'
|
||||
#
|
||||
if ! $local_unifi_controller_service ; then
|
||||
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
$ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
if $local_alias_interfaces ; then
|
||||
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
|
||||
Loading…
Reference in New Issue
Block a user