Adjust Rules concerning Unifi Controller. Add digfferent Parameters for block 'Protection against several attacks'.
This commit is contained in:
parent
19bf795a99
commit
783be30197
@ -110,3 +110,103 @@ provide_mailservice_from_local=true
|
|||||||
# -
|
# -
|
||||||
create_iperf_rules=false
|
create_iperf_rules=false
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# =============
|
||||||
|
# --- Router IPv4
|
||||||
|
# =============
|
||||||
|
|
||||||
|
# - Set to "true" to secure/tune the kernel
|
||||||
|
# -
|
||||||
|
adjust_kernel_parameters=true
|
||||||
|
|
||||||
|
# - Protection against several attacks
|
||||||
|
# -
|
||||||
|
protect_against_several_attacks=true
|
||||||
|
|
||||||
|
# Protection against syn-flooding
|
||||||
|
#
|
||||||
|
drop_syn_flood=true
|
||||||
|
|
||||||
|
# - I have to say that fragments scare me more than anything.
|
||||||
|
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
||||||
|
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
||||||
|
# - fragments is very OS-dependent (see this paper for details).
|
||||||
|
# - I am not going to trust any fragments.
|
||||||
|
# - Log fragments just to see if we get any, and deny them too
|
||||||
|
# -
|
||||||
|
# - !! 'drop_fragments' does not work within telekom mobile connections !!
|
||||||
|
# -
|
||||||
|
drop_fragments=false
|
||||||
|
|
||||||
|
# drop new packages without syn flag
|
||||||
|
#
|
||||||
|
drop_new_not_sync=false
|
||||||
|
|
||||||
|
# drop invalid packages
|
||||||
|
#
|
||||||
|
drop_invalid_state=true
|
||||||
|
|
||||||
|
# drop packages with unusal flags
|
||||||
|
#
|
||||||
|
drop_invalid_flags=true
|
||||||
|
|
||||||
|
# Refuse private addresses on extern interfaces
|
||||||
|
#
|
||||||
|
# Refuse packets claiming to be from a
|
||||||
|
# Class A private network
|
||||||
|
# Class B private network
|
||||||
|
# Class C private network
|
||||||
|
# loopback interface
|
||||||
|
# Class D multicast address
|
||||||
|
# Class E reserved IP address
|
||||||
|
# broadcast address
|
||||||
|
drop_spoofed=true
|
||||||
|
|
||||||
|
# Don't allow spoofing from that server
|
||||||
|
#
|
||||||
|
drop_spoofed_out=true
|
||||||
|
|
||||||
|
# Refusing packets claiming to be to the loopback interface protects against
|
||||||
|
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||||
|
# quench to the loopback.
|
||||||
|
drop_ext_to_lo=true
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# =============
|
||||||
|
# --- Router IPv6
|
||||||
|
# =============
|
||||||
|
|
||||||
|
|
||||||
|
# - Set to "true" to secure/tune the kernel
|
||||||
|
# -
|
||||||
|
adjust6_kernel_parameters=true
|
||||||
|
|
||||||
|
# - Protection against several attacks
|
||||||
|
# -
|
||||||
|
protect6_against_several_attacks=true
|
||||||
|
|
||||||
|
# Protection against syn-flooding
|
||||||
|
#
|
||||||
|
drop6_syn_flood=true
|
||||||
|
|
||||||
|
# drop new packages without syn flag
|
||||||
|
#
|
||||||
|
drop6_new_not_sync=true
|
||||||
|
|
||||||
|
# drop invalid packages
|
||||||
|
#
|
||||||
|
drop6_invalid_state=true
|
||||||
|
|
||||||
|
# drop packages with unusal flags
|
||||||
|
#
|
||||||
|
drop6_invalid_flags=true
|
||||||
|
|
||||||
|
# Refuse spoofed packets pretending to be from your IP address.
|
||||||
|
#
|
||||||
|
drop6_from_own_ip=true
|
||||||
|
|
||||||
|
# Refuse private addresses on extern interfaces
|
||||||
|
#
|
||||||
|
drop6_spoofed=true
|
||||||
|
|||||||
@ -1737,11 +1737,59 @@ not_wanted_ident=true
|
|||||||
|
|
||||||
# - Set to "true" to secure/tune the kernel
|
# - Set to "true" to secure/tune the kernel
|
||||||
# -
|
# -
|
||||||
adjust_kernel_parameters=true
|
#adjust_kernel_parameters=true
|
||||||
|
|
||||||
# - Protection against several attacks
|
# - Protection against several attacks
|
||||||
# -
|
# -
|
||||||
protect_against_several_attacks=true
|
#protect_against_several_attacks=true
|
||||||
|
|
||||||
|
# Protection against syn-flooding
|
||||||
|
#
|
||||||
|
#drop_syn_flood=false
|
||||||
|
|
||||||
|
# - I have to say that fragments scare me more than anything.
|
||||||
|
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
||||||
|
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
||||||
|
# - fragments is very OS-dependent (see this paper for details).
|
||||||
|
# - I am not going to trust any fragments.
|
||||||
|
# - Log fragments just to see if we get any, and deny them too
|
||||||
|
# -
|
||||||
|
# - !! 'drop_fragments' does not work within telekom mobile connections !!
|
||||||
|
# -
|
||||||
|
#drop_fragments=true
|
||||||
|
|
||||||
|
# drop new packages without syn flag
|
||||||
|
#
|
||||||
|
#drop_new_not_sync=true
|
||||||
|
|
||||||
|
# drop invalid packages
|
||||||
|
#
|
||||||
|
#drop_invalid_state=true
|
||||||
|
|
||||||
|
# drop packages with unusal flags
|
||||||
|
#
|
||||||
|
#drop_invalid_flags=true
|
||||||
|
|
||||||
|
# Refuse private addresses on extern interfaces
|
||||||
|
#
|
||||||
|
# Refuse packets claiming to be from a
|
||||||
|
# Class A private network
|
||||||
|
# Class B private network
|
||||||
|
# Class C private network
|
||||||
|
# loopback interface
|
||||||
|
# Class D multicast address
|
||||||
|
# Class E reserved IP address
|
||||||
|
# broadcast address
|
||||||
|
#drop_spoofed=true
|
||||||
|
|
||||||
|
# Don't allow spoofing from that server
|
||||||
|
#
|
||||||
|
#drop_spoofed_out=true
|
||||||
|
|
||||||
|
# Refusing packets claiming to be to the loopback interface protects against
|
||||||
|
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||||
|
# quench to the loopback.
|
||||||
|
#drop_ext_to_lo=true
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -1680,11 +1680,35 @@ not_wanted_ident=true
|
|||||||
|
|
||||||
# - Set to "true" to secure/tune the kernel
|
# - Set to "true" to secure/tune the kernel
|
||||||
# -
|
# -
|
||||||
adjust_kernel_parameters=true
|
#adjust6_kernel_parameters=true
|
||||||
|
|
||||||
# - Protection against several attacks
|
# - Protection against several attacks
|
||||||
# -
|
# -
|
||||||
protect_against_several_attacks=true
|
#protect6_against_several_attacks=true
|
||||||
|
|
||||||
|
# Protection against syn-flooding
|
||||||
|
#
|
||||||
|
#drop6_syn_flood=false
|
||||||
|
|
||||||
|
# drop new packages without syn flag
|
||||||
|
#
|
||||||
|
#drop6_new_not_sync=true
|
||||||
|
|
||||||
|
# drop invalid packages
|
||||||
|
#
|
||||||
|
#drop6_invalid_state=true
|
||||||
|
|
||||||
|
# drop packages with unusal flags
|
||||||
|
#
|
||||||
|
#drop6_invalid_flags=true
|
||||||
|
|
||||||
|
# Refuse spoofed packets pretending to be from your IP address.
|
||||||
|
#
|
||||||
|
#drop6_from_own_ip=true
|
||||||
|
|
||||||
|
# Refuse private addresses on extern interfaces
|
||||||
|
#
|
||||||
|
#drop6_spoofed=true
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -162,7 +162,7 @@ echo_done
|
|||||||
|
|
||||||
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
|
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
|
||||||
|
|
||||||
if $adjust_kernel_parameters ; then
|
if $adjust6_kernel_parameters ; then
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Deactivate Source Routed Packets
|
# - Deactivate Source Routed Packets
|
||||||
@ -474,27 +474,44 @@ fi
|
|||||||
# -------------
|
# -------------
|
||||||
# --- Protections against several attacks / unwanted packages
|
# --- Protections against several attacks / unwanted packages
|
||||||
# -------------
|
# -------------
|
||||||
echo
|
|
||||||
echononl "\tProtections against several attacks / unwanted packages.."
|
|
||||||
|
|
||||||
if $protect_against_several_attacks ; then
|
if $protect6_against_several_attacks ; then
|
||||||
|
echo
|
||||||
|
if $terminal ; then
|
||||||
|
echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m"
|
||||||
|
else
|
||||||
|
echo "Protections against several attacks / unwanted packages...."
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Protection against syn-flooding
|
# - Protection against syn-flooding
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
echononl "\t Protection against syn-flooding.."
|
||||||
|
|
||||||
|
if $drop6_syn_flood || $log_syn_flood ; then
|
||||||
$ip6t -N syn-flood
|
$ip6t -N syn-flood
|
||||||
|
$ip6t -A INPUT -p tcp --syn -j syn_flood
|
||||||
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
||||||
|
fi
|
||||||
if $log_syn_flood || $log_all ; then
|
if $log_syn_flood || $log_all ; then
|
||||||
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
|
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
|
||||||
fi
|
fi
|
||||||
|
if $drop6_syn_flood ; then
|
||||||
$ip6t -A syn-flood -j DROP
|
$ip6t -A syn-flood -j DROP
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - drop new packages without syn flag
|
# - drop new packages without syn flag
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
echononl "\t Drop Packages new but not sync.."
|
||||||
|
|
||||||
if $log_new_not_sync || $log_all ; then
|
if $log_new_not_sync || $log_all ; then
|
||||||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||||
@ -502,35 +519,49 @@ if $protect_against_several_attacks ; then
|
|||||||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if $drop6_new_not_sync ; then
|
||||||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
|
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
|
||||||
fi
|
fi
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - drop invalid packages
|
# - drop invalid packages
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
echononl "\t Drop invalid packages.."
|
||||||
|
|
||||||
if $log_invalid_state || $log_all ; then
|
if $log_invalid_state || $log_all ; then
|
||||||
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if $drop6_invalid_state ; then
|
||||||
$ip6t -A INPUT -m state --state INVALID -j DROP
|
$ip6t -A INPUT -m state --state INVALID -j DROP
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -m state --state INVALID -j DROP
|
$ip6t -A FORWARD -m state --state INVALID -j DROP
|
||||||
fi
|
fi
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - ungewöhnliche Flags verwerfen
|
# - ungewöhnliche Flags verwerfen
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
echononl "\t Drop Packages with unusal flags .."
|
||||||
|
|
||||||
if $log_invalid_flags || $log_all ; then
|
if $log_invalid_flags || $log_all ; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
@ -539,7 +570,10 @@ if $protect_against_several_attacks ; then
|
|||||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
if $drop6_invalid_flags; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||||
@ -549,12 +583,18 @@ if $protect_against_several_attacks ; then
|
|||||||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Refuse private addresses on extern interfaces
|
# - Refuse private addresses on extern interfaces
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
echononl "\t Refuse spoofed packets pretending to be from your IP address.."
|
||||||
|
|
||||||
# - Refuse spoofed packets pretending to be from your IP address.
|
# - Refuse spoofed packets pretending to be from your IP address.
|
||||||
if $log_spoofed || $log_all ; then
|
if $log_spoofed || $log_all ; then
|
||||||
for _ip in ${ext_ip_arr[@]} ; do
|
for _ip in ${ext_ip_arr[@]} ; do
|
||||||
@ -564,24 +604,35 @@ if $protect_against_several_attacks ; then
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if $drop6_from_own_ip ; then
|
||||||
for _ip in ${ext_ip_arr[@]} ; do
|
for _ip in ${ext_ip_arr[@]} ; do
|
||||||
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
|
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
|
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
echononl "\t Drop private addresses on extern interfaces.."
|
||||||
# - private Adressen auf externen interface verwerfen
|
# - private Adressen auf externen interface verwerfen
|
||||||
for _dev in ${dsl_device_arr[@]} ; do
|
|
||||||
if $log_spoofed || $log_all ; then
|
if $log_spoofed || $log_all ; then
|
||||||
|
for _dev in ${dsl_device_arr[@]} ; do
|
||||||
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||||
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
|
||||||
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if $drop6_spoofed ; then
|
||||||
|
for _dev in ${dsl_device_arr[@]} ; do
|
||||||
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
||||||
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
|
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
@ -602,6 +653,8 @@ else
|
|||||||
echo_skipped
|
echo_skipped
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
fi # if $protect6_against_several_attacks ; then
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]})
|
# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]})
|
||||||
@ -4355,11 +4408,13 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
echononl "\t\tUbiquiti Unifi Controller Gateway IN"
|
echononl "\t\tUbiquiti Unifi Controller Gateway IN"
|
||||||
if $local_unifi_controller_service ; then
|
if $local_unifi_controller_service \
|
||||||
for _dev in ${local_if_arr[@]} ; do
|
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||||
|
|
||||||
$ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
for _ip in ${unifi_ap_local_ip_arr[@]} ; do
|
||||||
$ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
|
$ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -4381,30 +4436,26 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)"
|
echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)"
|
||||||
if $local_unifi_controller_service \
|
if $local_unifi_controller_service \
|
||||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||||
|
|
||||||
if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then
|
$ip6t -A OUTPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ip6t -A OUTPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
$ip6t -A INPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ip6t -A INPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
$ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
if $kernel_activate_forwarding ; then
|
||||||
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
done
|
$ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
if $local_alias_interfaces ; then
|
||||||
|
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then
|
|
||||||
|
|
||||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
|
||||||
|
|
||||||
$ip6t -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
|
|
||||||
done
|
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
@ -4429,11 +4480,9 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
|||||||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
$ip6t -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
$ip6t -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
# - Note:
|
# - Note:
|
||||||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||||||
# - special rule.
|
# - special rule.
|
||||||
@ -4441,19 +4490,25 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
|||||||
if $local_alias_interfaces ; then
|
if $local_alias_interfaces ; then
|
||||||
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
|
||||||
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
|
|
||||||
$ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
$ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
|
|
||||||
$ip6t -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
$ip6t -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Rules already exists if 'local_unifi_controller_service = true'
|
||||||
|
#
|
||||||
|
if ! $local_unifi_controller_service ; then
|
||||||
|
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
if $local_alias_interfaces ; then
|
||||||
|
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
else
|
else
|
||||||
echo_skipped
|
echo_skipped
|
||||||
|
|||||||
@ -977,22 +977,36 @@ fi
|
|||||||
# -------------
|
# -------------
|
||||||
# --- Protections against several attacks / unwanted packages
|
# --- Protections against several attacks / unwanted packages
|
||||||
# -------------
|
# -------------
|
||||||
echo
|
|
||||||
echononl "\tProtections against several attacks / unwanted packages.."
|
|
||||||
|
|
||||||
if $protect_against_several_attacks ; then
|
if $protect_against_several_attacks ; then
|
||||||
|
echo
|
||||||
|
if $terminal ; then
|
||||||
|
echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m"
|
||||||
|
else
|
||||||
|
echo "Protections against several attacks / unwanted packages...."
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Protection against syn-flooding
|
# - Protection against syn-flooding
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
echononl "\t Protection against syn-flooding.."
|
||||||
|
if $drop_syn_flood || $log_syn_flood ; then
|
||||||
$ipt -N syn_flood
|
$ipt -N syn_flood
|
||||||
$ipt -A INPUT -p tcp --syn -j syn_flood
|
$ipt -A INPUT -p tcp --syn -j syn_flood
|
||||||
$ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
|
$ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
|
||||||
|
fi
|
||||||
if $log_syn_flood || $log_all ; then
|
if $log_syn_flood || $log_all ; then
|
||||||
$ipt -A syn_flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
|
$ipt -A syn_flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
|
||||||
fi
|
fi
|
||||||
|
if $drop_syn_flood ; then
|
||||||
$ipt -A syn_flood -j DROP
|
$ipt -A syn_flood -j DROP
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
@ -1006,60 +1020,85 @@ if $protect_against_several_attacks ; then
|
|||||||
# I am not going to trust any fragments.
|
# I am not going to trust any fragments.
|
||||||
# Log fragments just to see if we get any, and deny them too
|
# Log fragments just to see if we get any, and deny them too
|
||||||
|
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
echononl "\t Drop Fragments.."
|
||||||
|
|
||||||
if $log_fragments || $log_all ; then
|
if $log_fragments || $log_all ; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
$ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
$ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: "
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
if $drop_fragments ; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ipt -A INPUT -i $_dev -f -j DROP
|
$ipt -A INPUT -i $_dev -f -j DROP
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -i $_dev -f -j DROP
|
$ipt -A FORWARD -i $_dev -f -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - drop new packages without syn flag
|
# - drop new packages without syn flag
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
#if $log_new_not_sync || $log_all ; then
|
echononl "\t Drop Packages new but not sync.."
|
||||||
# $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
|
||||||
# $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
if $log_new_not_sync || $log_all ; then
|
||||||
# if $kernel_activate_forwarding ; then
|
$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||||
# $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||||
# fi
|
if $kernel_activate_forwarding ; then
|
||||||
#fi
|
$ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
|
||||||
#$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
fi
|
||||||
#$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
fi
|
||||||
#if $kernel_activate_forwarding ; then
|
if $drop_new_not_sync; then
|
||||||
# $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||||
#fi
|
$ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||||
|
if $kernel_activate_forwarding ; then
|
||||||
|
$ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
||||||
|
fi
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - drop invalid packages
|
# - drop invalid packages
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
#if $log_invalid_state || $log_all ; then
|
echononl "\t Drop invalid packages.."
|
||||||
# $ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
|
||||||
# if $kernel_activate_forwarding ; then
|
if $log_invalid_state || $log_all ; then
|
||||||
# $ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
$ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||||
# fi
|
if $kernel_activate_forwarding ; then
|
||||||
#fi
|
$ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
|
||||||
#$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
|
fi
|
||||||
#if $kernel_activate_forwarding ; then
|
fi
|
||||||
# $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
if $drop_invalid_state ; then
|
||||||
#fi
|
$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
|
if $kernel_activate_forwarding ; then
|
||||||
|
$ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||||
|
fi
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - ungewöhnliche Flags verwerfen
|
# - ungewöhnliche Flags verwerfen
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
echononl "\t Drop Packages with unusal flags .."
|
||||||
|
|
||||||
if $log_invalid_flags || $log_all ; then
|
if $log_invalid_flags || $log_all ; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
@ -1068,7 +1107,10 @@ if $protect_against_several_attacks ; then
|
|||||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
if $drop_invalid_flags ; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||||
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||||
@ -1078,12 +1120,19 @@ if $protect_against_several_attacks ; then
|
|||||||
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Refuse private addresses on extern interfaces
|
# - Refuse private addresses on extern interfaces
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
echononl "\t Refuse private addresses on extern interfaces (DSL).."
|
||||||
|
if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then
|
||||||
|
|
||||||
# Refuse packets claiming to be from a
|
# Refuse packets claiming to be from a
|
||||||
# Class A private network
|
# Class A private network
|
||||||
# Class B private network
|
# Class B private network
|
||||||
@ -1092,8 +1141,8 @@ if $protect_against_several_attacks ; then
|
|||||||
# Class D multicast address
|
# Class D multicast address
|
||||||
# Class E reserved IP address
|
# Class E reserved IP address
|
||||||
# broadcast address
|
# broadcast address
|
||||||
for _dev in ${dsl_device_arr[@]} ; do
|
|
||||||
if $log_spoofed || $log_all ; then
|
if $log_spoofed || $log_all ; then
|
||||||
|
for _dev in ${dsl_device_arr[@]} ; do
|
||||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: "
|
||||||
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
|
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: "
|
||||||
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
|
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: "
|
||||||
@ -1111,7 +1160,10 @@ if $protect_against_several_attacks ; then
|
|||||||
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
|
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: "
|
||||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
|
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: "
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
if $drop_spoofed ; then
|
||||||
|
for _dev in ${dsl_device_arr[@]} ; do
|
||||||
# Refuse packets claiming to be from a Class A private network.
|
# Refuse packets claiming to be from a Class A private network.
|
||||||
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
|
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
|
||||||
# Refuse packets claiming to be from a Class B private network.
|
# Refuse packets claiming to be from a Class B private network.
|
||||||
@ -1143,50 +1195,77 @@ if $protect_against_several_attacks ; then
|
|||||||
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
|
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Refuse packets claiming to be to the loopback interface.
|
# - Refuse packets claiming to be to the loopback interface.
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
echononl "\t Refuse packets claiming to be to the loopback interface.."
|
||||||
|
|
||||||
# Refusing packets claiming to be to the loopback interface protects against
|
# Refusing packets claiming to be to the loopback interface protects against
|
||||||
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||||
# quench to the loopback.
|
# quench to the loopback.
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
|
||||||
if $log_to_lo || $log_all ; then
|
if $log_to_lo || $log_all ; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
|
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
|
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: "
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
if $drop_ext_to_lo ; then
|
||||||
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
|
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
|
||||||
if $kernel_activate_forwarding ; then
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
|
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
echo_done
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Don't allow spoofing from that server
|
# - Don't allow spoofing from that server
|
||||||
# ---
|
# ---
|
||||||
|
|
||||||
for _dev in ${dsl_device_arr[@]} ; do
|
echononl "\t Don't allow spoofing out from that server.."
|
||||||
|
|
||||||
|
if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then
|
||||||
|
|
||||||
if $log_spoofed_out || $log_all ; then
|
if $log_spoofed_out || $log_all ; then
|
||||||
|
for _dev in ${dsl_device_arr[@]} ; do
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: "
|
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: "
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: "
|
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: "
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: "
|
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: "
|
||||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: "
|
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: "
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
if $drop_spoofed_out ; then
|
||||||
|
for _dev in ${dsl_device_arr[@]} ; do
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
|
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
|
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
|
||||||
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
|
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
|
||||||
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
|
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
|
||||||
done
|
done
|
||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
else
|
else
|
||||||
echo_skipped
|
echo_skipped
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
echo_skipped
|
||||||
|
fi
|
||||||
|
|
||||||
|
fi # if $protect_against_several_attacks ; then
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
@ -5109,12 +5188,14 @@ fi
|
|||||||
# ---
|
# ---
|
||||||
|
|
||||||
|
|
||||||
echononl "\t\tUbiquiti Unifi Controller Gateway IN"
|
echononl "\t\tUbiquiti Unifi Controller Gateway IN from Unifi devicess"
|
||||||
if $local_unifi_controller_service ; then
|
if $local_unifi_controller_service \
|
||||||
for _dev in ${local_if_arr[@]} ; do
|
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||||
|
|
||||||
$ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
for _ip in ${unifi_ap_local_ip_arr[@]} ; do
|
||||||
$ipt -A INPUT -p udp -i $_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
|
$ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -5136,30 +5217,26 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
echononl "\t\tUbiquiti Unifi Controller Gateway - OUT (to Unifi APs)"
|
echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)"
|
||||||
if $local_unifi_controller_service \
|
if $local_unifi_controller_service \
|
||||||
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
|
||||||
|
|
||||||
if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then
|
$ipt -A OUTPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ipt -A OUTPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
$ipt -A INPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ipt -A INPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
$ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
if $kernel_activate_forwarding ; then
|
||||||
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
done
|
$ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
if $local_alias_interfaces ; then
|
||||||
|
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ; then
|
|
||||||
|
|
||||||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
|
||||||
|
|
||||||
$ipt -A OUTPUT -p tcp -d $_ip_ap -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
|
|
||||||
done
|
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
@ -5184,11 +5261,9 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
|||||||
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
$ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
$ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
$ipt -A FORWARD -i $_dev -p tcp -s $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
$ipt -A FORWARD -i $_dev -p udp -s $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
# - Note:
|
# - Note:
|
||||||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||||||
# - special rule.
|
# - special rule.
|
||||||
@ -5196,19 +5271,25 @@ if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
|||||||
if $local_alias_interfaces ; then
|
if $local_alias_interfaces ; then
|
||||||
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
|
||||||
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
|
|
||||||
$ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
$ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
|
|
||||||
$ipt -A FORWARD -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
$ipt -A FORWARD -p udp -s $_ip_ctl -m multiport --sports $unifi_udp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Rules already exists if 'local_unifi_controller_service = true'
|
||||||
|
#
|
||||||
|
if ! $local_unifi_controller_service ; then
|
||||||
|
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
$ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
if $local_alias_interfaces ; then
|
||||||
|
$ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
$ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
else
|
else
|
||||||
echo_skipped
|
echo_skipped
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user