diff --git a/conf/default_basic_behavior.conf b/conf/default_basic_behavior.conf index 95ccb58..7670d5b 100644 --- a/conf/default_basic_behavior.conf +++ b/conf/default_basic_behavior.conf @@ -110,3 +110,103 @@ provide_mailservice_from_local=true # - create_iperf_rules=false + + +# ============= +# --- Router IPv4 +# ============= + +# - Set to "true" to secure/tune the kernel +# - +adjust_kernel_parameters=true + +# - Protection against several attacks +# - +protect_against_several_attacks=true + +# Protection against syn-flooding +# +drop_syn_flood=true + +# - I have to say that fragments scare me more than anything. +# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" +# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such +# - fragments is very OS-dependent (see this paper for details). +# - I am not going to trust any fragments. +# - Log fragments just to see if we get any, and deny them too +# - +# - !! 'drop_fragments' does not work within telekom mobile connections !! +# - +drop_fragments=false + +# drop new packages without syn flag +# +drop_new_not_sync=false + +# drop invalid packages +# +drop_invalid_state=true + +# drop packages with unusal flags +# +drop_invalid_flags=true + +# Refuse private addresses on extern interfaces +# +# Refuse packets claiming to be from a +# Class A private network +# Class B private network +# Class C private network +# loopback interface +# Class D multicast address +# Class E reserved IP address +# broadcast address +drop_spoofed=true + +# Don't allow spoofing from that server +# +drop_spoofed_out=true + +# Refusing packets claiming to be to the loopback interface protects against +# source quench, whereby a machine can be told to slow itself down by an icmp source +# quench to the loopback. +drop_ext_to_lo=true + + + +# ============= +# --- Router IPv6 +# ============= + + +# - Set to "true" to secure/tune the kernel +# - +adjust6_kernel_parameters=true + +# - Protection against several attacks +# - +protect6_against_several_attacks=true + +# Protection against syn-flooding +# +drop6_syn_flood=true + +# drop new packages without syn flag +# +drop6_new_not_sync=true + +# drop invalid packages +# +drop6_invalid_state=true + +# drop packages with unusal flags +# +drop6_invalid_flags=true + +# Refuse spoofed packets pretending to be from your IP address. +# +drop6_from_own_ip=true + +# Refuse private addresses on extern interfaces +# +drop6_spoofed=true diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 2138da4..f967df7 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -1737,11 +1737,59 @@ not_wanted_ident=true # - Set to "true" to secure/tune the kernel # - -adjust_kernel_parameters=true +#adjust_kernel_parameters=true # - Protection against several attacks # - -protect_against_several_attacks=true +#protect_against_several_attacks=true + +# Protection against syn-flooding +# +#drop_syn_flood=false + +# - I have to say that fragments scare me more than anything. +# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" +# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such +# - fragments is very OS-dependent (see this paper for details). +# - I am not going to trust any fragments. +# - Log fragments just to see if we get any, and deny them too +# - +# - !! 'drop_fragments' does not work within telekom mobile connections !! +# - +#drop_fragments=true + +# drop new packages without syn flag +# +#drop_new_not_sync=true + +# drop invalid packages +# +#drop_invalid_state=true + +# drop packages with unusal flags +# +#drop_invalid_flags=true + +# Refuse private addresses on extern interfaces +# +# Refuse packets claiming to be from a +# Class A private network +# Class B private network +# Class C private network +# loopback interface +# Class D multicast address +# Class E reserved IP address +# broadcast address +#drop_spoofed=true + +# Don't allow spoofing from that server +# +#drop_spoofed_out=true + +# Refusing packets claiming to be to the loopback interface protects against +# source quench, whereby a machine can be told to slow itself down by an icmp source +# quench to the loopback. +#drop_ext_to_lo=true diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index e576f53..091d767 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -1680,11 +1680,35 @@ not_wanted_ident=true # - Set to "true" to secure/tune the kernel # - -adjust_kernel_parameters=true +#adjust6_kernel_parameters=true # - Protection against several attacks # - -protect_against_several_attacks=true +#protect6_against_several_attacks=true + +# Protection against syn-flooding +# +#drop6_syn_flood=false + +# drop new packages without syn flag +# +#drop6_new_not_sync=true + +# drop invalid packages +# +#drop6_invalid_state=true + +# drop packages with unusal flags +# +#drop6_invalid_flags=true + +# Refuse spoofed packets pretending to be from your IP address. +# +#drop6_from_own_ip=true + +# Refuse private addresses on extern interfaces +# +#drop6_spoofed=true diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index fea2869..f87441f 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -162,7 +162,7 @@ echo_done echononl "\tAdjust Kernel Parameters (Security/Tuning).." -if $adjust_kernel_parameters ; then +if $adjust6_kernel_parameters ; then # --- # - Deactivate Source Routed Packets @@ -474,27 +474,44 @@ fi # ------------- # --- Protections against several attacks / unwanted packages # ------------- -echo -echononl "\tProtections against several attacks / unwanted packages.." -if $protect_against_several_attacks ; then +if $protect6_against_several_attacks ; then + echo + if $terminal ; then + echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m" + else + echo "Protections against several attacks / unwanted packages...." + fi + echo # --- # - Protection against syn-flooding # --- - $ip6t -N syn-flood - $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN + echononl "\t Protection against syn-flooding.." + + if $drop6_syn_flood || $log_syn_flood ; then + $ip6t -N syn-flood + $ip6t -A INPUT -p tcp --syn -j syn_flood + $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN + fi if $log_syn_flood || $log_all ; then $ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " fi - $ip6t -A syn-flood -j DROP + if $drop6_syn_flood ; then + $ip6t -A syn-flood -j DROP + echo_done + else + echo_skipped + fi # --- # - drop new packages without syn flag # --- + echononl "\t Drop Packages new but not sync.." + if $log_new_not_sync || $log_all ; then $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " @@ -502,10 +519,15 @@ if $protect_against_several_attacks ; then $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " fi fi - $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP - $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP + if $drop6_new_not_sync ; then + $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP + $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP + fi + echo_done + else + echo_skipped fi @@ -513,15 +535,22 @@ if $protect_against_several_attacks ; then # - drop invalid packages # --- + echononl "\t Drop invalid packages.." + if $log_invalid_state || $log_all ; then $ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " fi fi - $ip6t -A INPUT -m state --state INVALID -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -m state --state INVALID -j DROP + if $drop6_invalid_state ; then + $ip6t -A INPUT -m state --state INVALID -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -m state --state INVALID -j DROP + fi + echo_done + else + echo_skipped fi @@ -529,8 +558,10 @@ if $protect_against_several_attacks ; then # - ungewöhnliche Flags verwerfen # --- - for _dev in ${ext_if_arr[@]} ; do - if $log_invalid_flags || $log_all ; then + echononl "\t Drop Packages with unusal flags .." + + if $log_invalid_flags || $log_all ; then + for _dev in ${ext_if_arr[@]} ; do $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " @@ -539,22 +570,31 @@ if $protect_against_several_attacks ; then $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " fi - fi - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - fi - done + done + fi + if $drop6_invalid_flags; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + fi + done + echo_done + else + echo_skipped + fi # --- # - Refuse private addresses on extern interfaces # --- + echononl "\t Refuse spoofed packets pretending to be from your IP address.." + # - Refuse spoofed packets pretending to be from your IP address. if $log_spoofed || $log_all ; then for _ip in ${ext_ip_arr[@]} ; do @@ -564,43 +604,56 @@ if $protect_against_several_attacks ; then fi done fi - for _ip in ${ext_ip_arr[@]} ; do - $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP - if $kernel_forward_between_interfaces ; then - $ipi6t -A FORWARD -s $_ip -d $_ip -j DROP - fi - done + + if $drop6_from_own_ip ; then + for _ip in ${ext_ip_arr[@]} ; do + $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP + if $kernel_forward_between_interfaces ; then + $ipi6t -A FORWARD -s $_ip -d $_ip -j DROP + fi + done + echo_done + else + echo_skipped + fi + echononl "\t Drop private addresses on extern interfaces.." # - private Adressen auf externen interface verwerfen - for _dev in ${dsl_device_arr[@]} ; do - if $log_spoofed || $log_all ; then + if $log_spoofed || $log_all ; then + for _dev in ${dsl_device_arr[@]} ; do $ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " fi - fi - $ip6t -A INPUT -i $_dev -s $ula_block -j DROP - $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP - $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP - fi + done + fi - # Don't allow spoofing from that server - $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP - $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP - $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP - fi - done - echo_done -else - echo_skipped -fi + if $drop6_spoofed ; then + for _dev in ${dsl_device_arr[@]} ; do + $ip6t -A INPUT -i $_dev -s $ula_block -j DROP + $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP + $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP + fi + + # Don't allow spoofing from that server + $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP + $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP + $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP + fi + done + echo_done + else + echo_skipped + fi + +fi # if $protect6_against_several_attacks ; then # ------------- @@ -4355,11 +4408,13 @@ fi echononl "\t\tUbiquiti Unifi Controller Gateway IN" -if $local_unifi_controller_service ; then - for _dev in ${local_if_arr[@]} ; do +if $local_unifi_controller_service \ + && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then + + for _ip in ${unifi_ap_local_ip_arr[@]} ; do - $ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done @@ -4381,30 +4436,26 @@ else fi -echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)" +echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)" if $local_unifi_controller_service \ && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then - if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then + $ip6t -A OUTPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do + $ip6t -A INPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - - done - - fi - - if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then - - for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do - - $ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - - done + if $kernel_activate_forwarding ; then + $ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + fi fi echo_done @@ -4426,14 +4477,12 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT - - $ip6t -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done + # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. @@ -4441,19 +4490,25 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ if $local_alias_interfaces ; then $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT - - $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT - - $ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT - - $ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT fi done + # Rules already exists if 'local_unifi_controller_service = true' + # + if ! $local_unifi_controller_service ; then + $ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + + $ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + fi + fi + echo_done else echo_skipped diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 5111ccb..1a0cee9 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -977,22 +977,36 @@ fi # ------------- # --- Protections against several attacks / unwanted packages # ------------- -echo -echononl "\tProtections against several attacks / unwanted packages.." if $protect_against_several_attacks ; then + echo + if $terminal ; then + echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m" + else + echo "Protections against several attacks / unwanted packages...." + fi + echo + # --- # - Protection against syn-flooding # --- - $ipt -N syn_flood - $ipt -A INPUT -p tcp --syn -j syn_flood - $ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN + echononl "\t Protection against syn-flooding.." + if $drop_syn_flood || $log_syn_flood ; then + $ipt -N syn_flood + $ipt -A INPUT -p tcp --syn -j syn_flood + $ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN + fi if $log_syn_flood || $log_all ; then $ipt -A syn_flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " fi - $ipt -A syn_flood -j DROP + if $drop_syn_flood ; then + $ipt -A syn_flood -j DROP + echo_done + else + echo_skipped + fi # --- @@ -1006,60 +1020,85 @@ if $protect_against_several_attacks ; then # I am not going to trust any fragments. # Log fragments just to see if we get any, and deny them too - for _dev in ${ext_if_arr[@]} ; do - if $log_fragments || $log_all ; then - $ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " + echononl "\t Drop Fragments.." + + if $log_fragments || $log_all ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " + fi + done + fi + if $drop_fragments ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -f -j DROP if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " + $ipt -A FORWARD -i $_dev -f -j DROP fi - fi - $ipt -A INPUT -i $_dev -f -j DROP - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -f -j DROP - fi - done + done + echo_done + else + echo_skipped + fi # --- # - drop new packages without syn flag # --- - #if $log_new_not_sync || $log_all ; then - # $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " - # $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " - # if $kernel_activate_forwarding ; then - # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " - # fi - #fi - #$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP - #$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP - #if $kernel_activate_forwarding ; then - # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP - #fi + echononl "\t Drop Packages new but not sync.." + + if $log_new_not_sync || $log_all ; then + $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " + $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " + fi + fi + if $drop_new_not_sync; then + $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP + $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP + fi + echo_done + else + echo_skipped + fi # --- # - drop invalid packages # --- - #if $log_invalid_state || $log_all ; then - # $ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " - # if $kernel_activate_forwarding ; then - # $ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " - # fi - #fi - #$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP - #if $kernel_activate_forwarding ; then - # $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP - #fi + echononl "\t Drop invalid packages.." + + if $log_invalid_state || $log_all ; then + $ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " + fi + fi + if $drop_invalid_state ; then + $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP + fi + echo_done + else + echo_skipped + fi # --- # - ungewöhnliche Flags verwerfen # --- - for _dev in ${ext_if_arr[@]} ; do - if $log_invalid_flags || $log_all ; then + echononl "\t Drop Packages with unusal flags .." + + if $log_invalid_flags || $log_all ; then + for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " @@ -1068,125 +1107,165 @@ if $protect_against_several_attacks ; then $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " fi - fi - $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - fi - done + done + fi + if $drop_invalid_flags ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + fi + done + echo_done + else + echo_skipped + fi # --- # - Refuse private addresses on extern interfaces # --- - # Refuse packets claiming to be from a - # Class A private network - # Class B private network - # Class C private network - # loopback interface - # Class D multicast address - # Class E reserved IP address - # broadcast address - for _dev in ${dsl_device_arr[@]} ; do + echononl "\t Refuse private addresses on extern interfaces (DSL).." + if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then + + # Refuse packets claiming to be from a + # Class A private network + # Class B private network + # Class C private network + # loopback interface + # Class D multicast address + # Class E reserved IP address + # broadcast address if $log_spoofed || $log_all ; then - $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " - $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " - $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " - $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " - $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " - $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " - #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " - # - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " - $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " - $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " - $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " - $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " - $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " - #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " - fi + for _dev in ${dsl_device_arr[@]} ; do + $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " + $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " + $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " + $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " + $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " + $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " + # + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " + $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " + $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " + $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " + fi + done fi - # Refuse packets claiming to be from a Class A private network. - $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP - # Refuse packets claiming to be from a Class B private network. - $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP - # Retfuse packets claiming to be from a Class C private network. - $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP - # Refuse packets claiming to be from loopback interface. - $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP - # Refuse Class D multicast addresses. Multicast is illegal as a source address. - $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP - # Refuse Class E reserved IP addresses. - $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP - # Refuse broadcast address packets. - #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP - if $kernel_activate_forwarding ; then - # Refuse packets claiming to be from a Class A private network. - $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP - # Refuse packets claiming to be from a Class B private network. - $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP - # Refuse packets claiming to be from a Class C private network. - $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP - # Refuse packets claiming to be from loopback interface. - $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP - # Refuse Class D multicast addresses. Multicast is illegal as a source address. - $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP - # Refuse Class E reserved IP addresses. - $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP - # Refuse broadcast address packets. - #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP + if $drop_spoofed ; then + for _dev in ${dsl_device_arr[@]} ; do + # Refuse packets claiming to be from a Class A private network. + $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP + # Retfuse packets claiming to be from a Class C private network. + $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP + if $kernel_activate_forwarding ; then + # Refuse packets claiming to be from a Class A private network. + $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP + # Refuse packets claiming to be from a Class C private network. + $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP + fi + done + echo_done + else + echo_skipped fi - done + else + echo_skipped + fi # --- # - Refuse packets claiming to be to the loopback interface. # --- + echononl "\t Refuse packets claiming to be to the loopback interface.." + # Refusing packets claiming to be to the loopback interface protects against # source quench, whereby a machine can be told to slow itself down by an icmp source # quench to the loopback. - for _dev in ${ext_if_arr[@]} ; do - if $log_to_lo || $log_all ; then + if $log_to_lo || $log_all ; then + for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " fi - fi - $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP - fi - done + done + fi + if $drop_ext_to_lo ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP + fi + done + echo_done + else + echo_skipped + fi # --- # - Don't allow spoofing from that server # --- - for _dev in ${dsl_device_arr[@]} ; do - if $log_spoofed_out || $log_all ; then - $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: " - $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: " - $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: " - $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: " - fi - $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP - $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP - $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP - $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP - done + echononl "\t Don't allow spoofing out from that server.." - echo_done -else - echo_skipped -fi + if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then + + if $log_spoofed_out || $log_all ; then + for _dev in ${dsl_device_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: " + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: " + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: " + $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: " + done + fi + if $drop_spoofed_out ; then + for _dev in ${dsl_device_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP + $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP + done + echo_done + else + echo_skipped + fi + else + echo_skipped + fi + +fi # if $protect_against_several_attacks ; then # ------------- @@ -5109,12 +5188,14 @@ fi # --- -echononl "\t\tUbiquiti Unifi Controller Gateway IN" -if $local_unifi_controller_service ; then - for _dev in ${local_if_arr[@]} ; do +echononl "\t\tUbiquiti Unifi Controller Gateway IN from Unifi devicess" +if $local_unifi_controller_service \ + && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then - $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + for _ip in ${unifi_ap_local_ip_arr[@]} ; do + + $ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done @@ -5136,30 +5217,26 @@ else fi -echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)" +echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)" if $local_unifi_controller_service \ && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then - if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then + $ipt -A OUTPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do + $ipt -A INPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - - done - - fi - - if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then - - for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do - - $ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - - done + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + fi fi echo_done @@ -5181,14 +5258,12 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do - $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT - - $ipt -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done + # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. @@ -5196,19 +5271,25 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT - - $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT - - $ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT - - $ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT fi done + # Rules already exists if 'local_unifi_controller_service = true' + # + if ! $local_unifi_controller_service ; then + $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + + $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT + + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT + fi + fi + echo_done else echo_skipped