Forgot to update firewall scripts.

2026-03-13 13:39:09 +01:00
parent 816673e601
commit 8622cee761
2 changed files with 218 additions and 123 deletions


@@ -185,7 +185,7 @@ if $adjust6_kernel_parameters ; then
else
echo_skipped
fi
fi
@@ -321,7 +321,7 @@ $ip6t -A OUTPUT -o lo -j ACCEPT
echo_done
echo
echo
@@ -422,7 +422,7 @@ fi
# - Block UDP Ports out
# ---
echononl "\tBlock UDP Ports extern out.."
echononl "\tBlock UDP Ports extern out.."
if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then
@@ -449,7 +449,7 @@ fi
# - Block TCP Ports out
# ---
echononl "\tBlock TCP Ports extern out.."
echononl "\tBlock TCP Ports extern out.."
if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then
@@ -720,7 +720,7 @@ echo
# - HACK for integrating suricata IPS (Inline Mode) at 'gw-ckubu'
# -
echononl "\tForward to suricata IPS (inline Mode)"
if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then
if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then
$ip6t -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:3
echo_done
else
@@ -734,8 +734,8 @@ echo
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
@@ -774,7 +774,7 @@ for _dev in ${local_if_arr[@]} ; do
done
fi
if $not_wanted_ident ; then
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset
fi
for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -j DROP
@@ -1127,10 +1127,10 @@ echononl "\tDNS Service Gateway"
# -
if $local_dns_service ; then
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
@@ -1143,7 +1143,7 @@ if $local_dns_service ; then
done
# - Zonetransfere (uses tcp/53)
#
#
for _ip in ${dns_server_ips[@]} ; do
# - out
# -
@@ -1157,7 +1157,7 @@ if $local_dns_service ; then
done
echo_done
else
else
echo_skipped
fi
@@ -1172,10 +1172,10 @@ echononl "\tDNS Service local Network"
# -
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
@@ -1212,7 +1212,7 @@ if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
done
echo_done
else
@@ -1234,7 +1234,7 @@ if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
done
echo_done
else
@@ -1255,7 +1255,7 @@ if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
done
echo_done
else
@@ -1526,7 +1526,7 @@ if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
done
done
echo_done
else
echo_skipped
@@ -1627,7 +1627,7 @@ if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \
fi
fi
done
echo_done
else
echo_skipped
@@ -1848,7 +1848,7 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
fi
fi
done
echo_done
else
echo_skipped
@@ -1918,7 +1918,7 @@ if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then
$ip6t -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_port} --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
@@ -1953,7 +1953,7 @@ if [[ ${#allow_to_ext_net_arr[@]} -gt 0 ]] ; then
$ip6t -A FORWARD -p tcp -s $_net --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
@@ -2012,7 +2012,7 @@ if $kernel_forward_between_interfaces ; then
for _dev_2 in ${local_if_arr[@]} ; do
# - Notice:
# - In case of routing multiple netwoks on the same interface or
# - In case of routing multiple netwoks on the same interface or
# - using alias interfaces like eth0:0, you need a rule with
# - incomming- and outgoing interface are equal!
# -
@@ -2214,7 +2214,7 @@ if $allow_ssh_between_local_nets ; then
if ! $permit_between_local_networks ; then
# - Notice:
# - In case of routing multiple netwoks on the same interface or
# - In case of routing multiple netwoks on the same interface or
# - using alias interfaces like eth0:0, you need a rule with
# - incomming- and outgoing interface are equal!
# -
@@ -2529,7 +2529,7 @@ unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
http_port_arr=(${http_ports//,/ })
http_port_arr=(${http_ports//,/ })
for _ip in "${!http_server_dmz_arr[@]}"; do
# - Skip if no interface is given
@@ -2699,7 +2699,7 @@ if $allow_mail_request_out && ! $permit_local_net_to_inet ; then
# -
# - Not needed from local machine. But for testing pupose (i.e. telnet <port>)
# -
# -
# -
for _dev in ${ext_if_arr[@]} ; do
if $provide_mailservice_from_local ; then
# - Note!
@@ -2803,7 +2803,7 @@ unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
mail_port_arr=(${mail_user_ports//,/ })
mail_port_arr=(${mail_user_ports//,/ })
mail_port_arr+=("$mail_smtp_port")
for _ip in "${!mail_server_dmz_arr[@]}"; do
@@ -3012,7 +3012,7 @@ if $local_ftp_service ; then
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to (extern) FTP server (forward_ftp_server_ip_arr)
# -
if ! $ftp_helper_prerouting_defined ; then
@@ -3033,7 +3033,7 @@ if $local_ftp_service ; then
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \
-m recent --name ftp6service --update --seconds 1800 --reap -j ACCEPT
@@ -3111,7 +3111,7 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_i
fi
done
echo_done
else
echo_skipped
@@ -3166,7 +3166,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
$ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# - From extern
if $kernel_forward_between_interfaces ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
fi
@@ -3205,7 +3205,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
else
echo_skipped
fi
# ---
# - TFTF Service out only
@@ -3258,7 +3258,7 @@ if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then
done
if $kernel_forward_between_interfaces ; then
for _port in ${samba_udp_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
@@ -3406,6 +3406,51 @@ else
fi
# ---
# - MS SQL Datenbank Services
# ---
echononl "\t\tMS SQL Datenbank Services only local Networks"
if [[ ${#ms_sql_server_local_ip_arr[@]} -gt 0 ]]; then
for _ip in ${ms_sql_server_local_ip_arr[@]} ; do
for _port in ${ms_sql_m_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ms_sql_s_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _port in ${ms_sql_m_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ms_sql_s_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $local_alias_interfaces ; then
for _port in ${ms_sql_m_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ms_sql_s_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - LDAP Service only out
# ---
@@ -3603,8 +3648,8 @@ fi
# - CPAN Wait only out
# ---
# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
# - a WAIT server. It connects to a WAIT server using a simple protocoll
# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
# - a WAIT server. It connects to a WAIT server using a simple protocoll
# - resembling NNTP as described in RFC977.
echononl "\t\tCPAN Wait only out"
@@ -3644,7 +3689,7 @@ fi
# ---
# - Jabber only out
# - Jabber only out
# ---
echononl "\t\tJabber only out"
@@ -3666,7 +3711,7 @@ fi
# ---
# - Silc only out
# - Silc only out
# ---
echononl "\t\tSilc only out"
@@ -3686,7 +3731,7 @@ fi
# ---
# - IRC (Internet Relay Chat) only out
# - IRC (Internet Relay Chat) only out
# ---
echononl "\t\tIRC only out"
@@ -3797,7 +3842,7 @@ if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${rm_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
@@ -4390,7 +4435,7 @@ fi
# ---
# - Rsyncd (only Out) Gateway
# - Rsyncd (only Out) Gateway
# ---
echononl "\t\tRsyncd (only OUT) Gateway"
@@ -4428,7 +4473,7 @@ if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_n
if $local_alias_interfaces ; then
$ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
done
done
@@ -4436,7 +4481,7 @@ if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_n
echo_done
else
echo_skipped
fi
fi
@@ -4585,7 +4630,7 @@ echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks"
if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks \
&& $allow_scanning_between_local_nets ; then
&& $allow_scanning_between_local_nets ; then
for _ip in ${brother_scanner_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
# - UDP
@@ -4614,7 +4659,7 @@ echononl "\t\tEpson Network Scanner (Port $epson_scan_port) only between local N
if [[ ${#epson_scanner_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks \
&& $allow_scanning_between_local_nets ; then
&& $allow_scanning_between_local_nets ; then
for _ip in ${epson_scanner_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
# - UDP
@@ -4650,6 +4695,9 @@ echononl "\t\tOther local Services"
if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _val in ${other_service_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A OUTPUT -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
@@ -4838,7 +4886,7 @@ if $local_unifi_controller_service \
$ip6t -A INPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
@@ -4989,7 +5037,7 @@ if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then
for _port in ${ipmi_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _port in ${ipmi_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
@@ -5192,7 +5240,7 @@ if $allow_gaming_out && ! $permit_local_net_to_inet ; then
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_activate_forwarding && $local_alias_interfaces ; then
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -o $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -i $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT
fi
@@ -5344,7 +5392,7 @@ if $log_rejected || $log_all ; then
$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
#$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
#$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
#$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
#$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
echo_done
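Review bot: The FORWARD rules in the new MS SQL block (`@@ -3406,6 +3406,51 @@`) match only `-d $_ip --dport $_port` with no `-i`/`-o` interface, so despite the label "only local Networks" they accept new connections to the SQL server from every forwarded interface, external ones included; the "Other local Services" hunk in this same file narrows its FORWARD rules with `for _dev in ${local_if_arr[@]}` and `-i $_dev`, and the same shape would fit here. In the `$local_alias_interfaces` branch the UDP rule `$ip6t -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT` is also looser than its TCP neighbours, which only match `--tcp-flag ACK ACK`: as written it lets the server open new UDP flows from that source port to any destination, so if only the reply direction is intended, `--ctstate ESTABLISHED` or a matching `-d`/`--dport` narrowing seems closer. The definitions of `ms_sql_server_local_ip_arr` and the port arrays are not in this commit, so whether the server is meant to be reachable from outside is inferred, not verified. The same two points apply to the identical `$ipt` block in the second file's `@@ -4232,6 +4232,50 @@` hunk.
```shell
for _ip in ${ms_sql_server_local_ip_arr[@]} ; do
  # … unchanged: OUTPUT rules …
  if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
    for _dev in ${local_if_arr[@]} ; do
      for _port in ${ms_sql_m_udp_port_arr[@]} ; do
        $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      for _port in ${ms_sql_s_tcp_port_arr[@]} ; do
        $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
      done
      # … unchanged: $local_alias_interfaces branch (same -i/-o narrowing applies) …
    done
  fi
done
```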


@@ -140,10 +140,10 @@ echo
# --- Activate IP Forwarding
# -------------
## - IP Forwarding aktivieren/deaktivieren.
## - IP Forwarding aktivieren/deaktivieren.
## -
## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen.
## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen,
## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen.
## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen,
## - weil hiermit auch andere (de)aktiviert werden.
## -
if $kernel_activate_forwarding ; then
@@ -201,13 +201,13 @@ if $adjust_kernel_parameters ; then
fi
## - Ignore Broadcast Pings
## -
## -
if $kernel_ignore_broadcast_ping ; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
## - Deactivate Source Routed Packets
## -
## -
if $kernel_deactivate_source_route ; then
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
echo 0 > $asr
@@ -449,7 +449,7 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then
## -
$tc qdisc del dev $TC_DEV root 2> /dev/null > /dev/null
$ipt -t mangle -D POSTROUTING -o $TC_DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null
$ipt -t mangle -F MYSHAPER-OUT
$ipt -t mangle -F MYSHAPER-OUT
$ipt -t mangle -X MYSHAPER-OUT
@@ -457,9 +457,9 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then
$tc qdisc add dev $TC_DEV root handle 1:0 htb default 26
# add main rate limit class(es)
$tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit
$tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit
# create fair-share-classes, descending priority
# create fair-share-classes, descending priority
$tc class add dev $TC_DEV parent 1:1 classid 1:20 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 0
$tc class add dev $TC_DEV parent 1:1 classid 1:21 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 1
$tc class add dev $TC_DEV parent 1:1 classid 1:22 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 2
@@ -469,7 +469,7 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then
$tc class add dev $TC_DEV parent 1:1 classid 1:26 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 6
# attach qdisc to leaf classes
# attach qdisc to leaf classes
#
# here we at SFQ to each priority class. SFQ insures that
# within each class connections will be treated (almost) fairly.
@@ -518,7 +518,7 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then
$ipt -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20
$ipt -t mangle -A MYSHAPER-OUT -p icmp -j RETURN
# mark 21 - high prio 1
# mark 21 - high prio 1
# - DNS Service
$ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21
$ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j RETURN
@@ -536,11 +536,11 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then
# mark 23 - prio 3
# - OpenVPN
$ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23
$ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23
$ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j RETURN
$ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 23
$ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j RETURN
$ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23
$ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23
$ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j RETURN
# mark 24 - prio 4
@@ -579,7 +579,7 @@ echononl "\tProvide (Telekom) Internet TV"
if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then
# - Telekom VDSL - Rules for IPTV
# - Telekom VDSL - Rules for IPTV
# -
$ipt -A INPUT -i $tv_local_if -p igmp -s $tv_ip -j ACCEPT
#$ipt -A INPUT -i $tv_local_if -p igmp -j DROP
@@ -612,7 +612,7 @@ if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then
#$ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT
$ipt -A FORWARD -i $tv_local_if -o $tv_extern_if -j ACCEPT
$ipt -A FORWARD -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT
echo_done
else
echo_skipped
@@ -765,7 +765,7 @@ fi
# - Block UDP Ports out
# ---
echononl "\tBlock UDP Ports extern out.."
echononl "\tBlock UDP Ports extern out.."
if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then
echo""
@@ -793,7 +793,7 @@ fi
# - Block TCP Ports out
# ---
echononl "\tBlock TCP Ports extern out.."
echononl "\tBlock TCP Ports extern out.."
if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then
@@ -834,7 +834,7 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then
is_valid_mask=true
ipv4=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
@@ -867,13 +867,13 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then
if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then
# Its not a vaild mask number, but naybe a valit netmask.
#
#
test_netmask=true
else
if [[ $_mask -gt 32 ]]; then
# Its not a vaild cidr number, but naybe a valit netmask.
#
#
test_netmask=true
else
@@ -907,7 +907,7 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then
else
mask="${octet}"
fi
else
is_valid_mask=false
fi
@@ -956,7 +956,7 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then
else
ipv4="${octet}"
fi
else
is_valid_ipv4=false
fi
@@ -1177,7 +1177,7 @@ if $protect_against_several_attacks ; then
echononl "\t Refuse private addresses on extern interfaces (DSL).."
if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then
# Refuse packets claiming to be from a
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
@@ -1354,7 +1354,7 @@ echo
# - HACK for integrating suricata IPS (Inline Mode) at 'gw-ckubu'
# -
echononl "\tForward to suricata IPS (inline Mode)"
if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then
if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then
$ipt -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:3
echo_done
else
@@ -1368,8 +1368,8 @@ echo
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
@@ -1408,7 +1408,7 @@ for _dev in ${local_if_arr[@]} ; do
done
fi
if $not_wanted_ident ; then
$ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset
$ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset
fi
for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp --dport $_port -j DROP
@@ -1549,7 +1549,7 @@ $ipt -A INPUT -s $_net
done
echo_done
else
echo_skipped
fi
@@ -1603,11 +1603,11 @@ if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] ; then
for _ip in "${gateway_ipv4_address_arr[@]}" ; do
$ipt -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p icmp -s $_net -d $_ip -j ACCEPT
done
done
done
@@ -1789,10 +1789,10 @@ echononl "\tDNS Service Gateway"
# -
if $local_dns_service ; then
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
@@ -1805,7 +1805,7 @@ if $local_dns_service ; then
done
# - Zonetransfere (uses tcp/53)
#
#
for _ip in ${dns_server_ips[@]} ; do
# - out
# -
@@ -1819,7 +1819,7 @@ if $local_dns_service ; then
done
echo_done
else
else
echo_skipped
fi
@@ -1834,10 +1834,10 @@ echononl "\tDNS Service local Network"
# -
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
@@ -1874,7 +1874,7 @@ if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
done
echo_done
else
@@ -1896,7 +1896,7 @@ if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
done
echo_done
else
@@ -1916,7 +1916,7 @@ if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
done
echo_done
else
@@ -2216,7 +2216,7 @@ if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
else
echo_skipped
fi
else
echo_skipped
fi
@@ -2356,7 +2356,7 @@ if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \
fi
fi
done
echo_done
else
echo_skipped
@@ -2572,7 +2572,7 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
else
_ports="${_val_arr[2]}"
fi
$ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} \
-m multiport --dports ${_ports} -m conntrack --ctstate NEW -j ACCEPT
@@ -2587,7 +2587,7 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
fi
fi
done
echo_done
else
echo_skipped
@@ -2656,7 +2656,7 @@ if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then
$ipt -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_port} --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
@@ -2690,7 +2690,7 @@ if [[ ${#allow_to_ext_net_arr[@]} -gt 0 ]] ; then
$ipt -A FORWARD -p tcp -d $_net --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_net --tcp-flag ACK ACK -j ACCEPT
fi
done
@@ -2757,7 +2757,7 @@ if $kernel_activate_forwarding ; then
for _dev_2 in ${local_if_arr[@]} ; do
# - Notice:
# - In case of routing multiple netwoks on the same interface or
# - In case of routing multiple netwoks on the same interface or
# - using alias interfaces like eth0:0, you need a rule with
# - incomming- and outgoing interface are equal!
# -
@@ -2985,7 +2985,7 @@ if $allow_ssh_between_local_nets ; then
if ! $permit_between_local_networks ; then
# - Notice:
# - In case of routing multiple netwoks on the same interface or
# - In case of routing multiple netwoks on the same interface or
# - using alias interfaces like eth0:0, you need a rule with
# - incomming- and outgoing interface are equal!
# -
@@ -3313,7 +3313,7 @@ unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
http_port_arr=(${http_ports//,/ })
http_port_arr=(${http_ports//,/ })
for _ip in "${!http_server_dmz_arr[@]}"; do
# - Skip if no interface is given
@@ -3482,7 +3482,7 @@ if $local_smtp_service ; then
else
echo_skipped
fi
# ---
@@ -3496,7 +3496,7 @@ if $allow_mail_request_out && ! $permit_local_net_to_inet ; then
# -
# - Not needed from local machine. But for testing pupose (i.e. telnet <port>)
# -
# -
# -
for _dev in ${ext_if_arr[@]} ; do
if $provide_mailservice_from_local ; then
# - Note!
@@ -3598,7 +3598,7 @@ unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
mail_port_arr=(${mail_user_ports//,/ })
mail_port_arr=(${mail_user_ports//,/ })
mail_port_arr+=("$mail_smtp_port")
for _ip in "${!mail_server_dmz_arr[@]}"; do
@@ -3811,7 +3811,7 @@ if $local_ftp_service ; then
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to (extern) FTP server (forward_ftp_server_ip_arr)
# -
if ! $ftp_helper_prerouting_defined ; then
@@ -3832,7 +3832,7 @@ if $local_ftp_service ; then
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \
-m recent --name ftpservice --update --seconds 1800 --reap -j ACCEPT
@@ -3910,7 +3910,7 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwardi
fi
done
echo_done
else
echo_skipped
@@ -3967,7 +3967,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
$ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# - From extern
if $kernel_activate_forwarding ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# - Nat if interface is on a dsl line
@@ -4014,7 +4014,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
else
echo_skipped
fi
# ---
# - TFTF Service out only
@@ -4067,7 +4067,7 @@ if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then
done
if $kernel_activate_forwarding ; then
for _port in ${samba_udp_port_arr[@]} ; do
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
@@ -4232,6 +4232,50 @@ else
fi
# ---
# - MS SQL Datenbank Services
# ---
echononl "\t\tMS SQL Datenbank Services only local Networks"
if [[ ${#ms_sql_server_local_ip_arr[@]} -gt 0 ]]; then
for _ip in ${ms_sql_server_local_ip_arr[@]} ; do
for _port in ${ms_sql_m_udp_port_arr[@]} ; do
$ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ms_sql_s_tcp_port_arr[@]} ; do
$ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
for _port in ${ms_sql_m_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ms_sql_s_tcp_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $local_alias_interfaces ; then
for _port in ${ms_sql_m_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ms_sql_s_tcp_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - LDAP Service only out
# ---
@@ -4249,7 +4293,7 @@ if $allow_ldap_requests_out && ! $permit_local_net_to_inet ; then
done
if $kernel_activate_forwarding ; then
for _port in ${ldap_udp_port_arr[@]} ; do
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
@@ -4430,8 +4474,8 @@ fi
# - CPAN Wait only out
# ---
# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
# - a WAIT server. It connects to a WAIT server using a simple protocoll
# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
# - a WAIT server. It connects to a WAIT server using a simple protocoll
# - resembling NNTP as described in RFC977.
echononl "\t\tCPAN Wait only out"
@@ -4471,7 +4515,7 @@ fi
# ---
# - Jabber only out
# - Jabber only out
# ---
echononl "\t\tJabber only out"
@@ -4493,7 +4537,7 @@ fi
# ---
# - Silc only out
# - Silc only out
# ---
echononl "\t\tSilc only out"
@@ -4513,7 +4557,7 @@ fi
# ---
# - IRC (Internet Relay Chat) only out
# - IRC (Internet Relay Chat) only out
# ---
echononl "\t\tIRC only out"
@@ -4624,7 +4668,7 @@ if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${rm_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
$ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
@@ -4716,7 +4760,7 @@ if [[ ${#rds_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${rds_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp -d $_ip --dport $rds_server_tcp_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
$ipt -A FORWARD -p tcp -d $_ip --dport $rds_server_tcp_port -m conntrack --ctstate NEW -j ACCEPT
@@ -4840,7 +4884,7 @@ if $allow_outbound_streaming ; then
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
@@ -5250,7 +5294,7 @@ fi
# ---
# - Rsyncd (only Out) Gateway
# - Rsyncd (only Out) Gateway
# ---
echononl "\t\tRsyncd (only OUT) Gateway"
@@ -5406,7 +5450,7 @@ echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks"
if [[ ${#printer_ip_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding \
&& ! $permit_between_local_networks \
&& ! $allow_printing_between_local_nets ; then
&& ! $allow_printing_between_local_nets ; then
for _ip in ${printer_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
@@ -5444,7 +5488,7 @@ echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks"
if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding \
&& ! $permit_between_local_networks \
&& $allow_scanning_between_local_nets ; then
&& $allow_scanning_between_local_nets ; then
for _ip in ${brother_scanner_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
# - UDP
@@ -5473,7 +5517,7 @@ echononl "\t\tEpson Network Scanner (Port $epson_scan_port) only between local N
if [[ ${#epson_scanner_ip_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding \
&& ! $permit_between_local_networks \
&& $allow_scanning_between_local_nets ; then
&& $allow_scanning_between_local_nets ; then
for _ip in ${epson_scanner_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
# - UDP
@@ -5507,6 +5551,9 @@ echononl "\t\tOther local Services"
if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _val in ${other_service_arr[@]} ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A OUTPUT -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
@@ -5779,7 +5826,7 @@ if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then
done
if $kernel_activate_forwarding ; then
for _port in ${ipmi_udp_port_arr[@]} ; do
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
@@ -5812,7 +5859,7 @@ if $allow_ipmi_request_in ; then
done
if $kernel_activate_forwarding ; then
for _port in ${ipmi_udp_port_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
@@ -5826,7 +5873,7 @@ if $allow_ipmi_request_in ; then
echo_done
else
echo_skipped
fi
fi
# ---
@@ -5844,7 +5891,7 @@ if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then
for _port in ${ipmi_tcp_port_arr[@]} ; do
$ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
for _port in ${ipmi_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
@@ -6197,7 +6244,7 @@ if $log_rejected || $log_all ; then
$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
#$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
#$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
#$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
#$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
echo_done