From 8622cee761a48951ba2966d017f01dca56fa41f5 Mon Sep 17 00:00:00 2001 From: Christoph Date: Fri, 13 Mar 2026 13:39:09 +0100 Subject: [PATCH] Forgot updateting firewall scripts. --- ip6t-firewall-gateway | 144 ++++++++++++++++++++---------- ipt-firewall-gateway | 197 ++++++++++++++++++++++++++---------------- 2 files changed, 218 insertions(+), 123 deletions(-) diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 688e78b..963f2df 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -185,7 +185,7 @@ if $adjust6_kernel_parameters ; then else echo_skipped -fi +fi @@ -321,7 +321,7 @@ $ip6t -A OUTPUT -o lo -j ACCEPT echo_done -echo +echo @@ -422,7 +422,7 @@ fi # - Block UDP Ports out # --- -echononl "\tBlock UDP Ports extern out.." +echononl "\tBlock UDP Ports extern out.." if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then @@ -449,7 +449,7 @@ fi # - Block TCP Ports out # --- -echononl "\tBlock TCP Ports extern out.." +echononl "\tBlock TCP Ports extern out.." if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then @@ -720,7 +720,7 @@ echo # - HACK for integrating suricata IPS (Inline Mode) at 'gw-ckubu' # - echononl "\tForward to suricata IPS (inline Mode)" -if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then +if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then $ip6t -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:3 echo_done else 
@@ -734,8 +734,8 @@ echo # --- iPerf # ------------- -# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. -# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, # SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. echononl "\tCreate \"iPerf\" rules.." @@ -774,7 +774,7 @@ for _dev in ${local_if_arr[@]} ; do done fi if $not_wanted_ident ; then - $ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset + $ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset fi for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do $ip6t -A INPUT -i $_dev -p tcp --dport $_port -j DROP @@ -1127,10 +1127,10 @@ echononl "\tDNS Service Gateway" # - if $local_dns_service ; then - # dns requests + # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # @@ -1143,7 +1143,7 @@ if $local_dns_service ; then done # - Zonetransfere (uses tcp/53) - # + # for _ip in ${dns_server_ips[@]} ; do # - out # - @@ -1157,7 +1157,7 @@ if $local_dns_service ; then done echo_done -else +else echo_skipped fi @@ -1172,10 +1172,10 @@ echononl "\tDNS Service local Network" # - if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then - # dns requests + # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # 
@@ -1212,7 +1212,7 @@ if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT fi - done + done done echo_done else @@ -1234,7 +1234,7 @@ if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT fi - done + done done echo_done else @@ -1255,7 +1255,7 @@ if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT fi - done + done done echo_done else @@ -1526,7 +1526,7 @@ if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \ done done - + echo_done else echo_skipped @@ -1627,7 +1627,7 @@ if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ fi fi done - + echo_done else echo_skipped @@ -1848,7 +1848,7 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ fi fi done - + echo_done else echo_skipped @@ -1918,7 +1918,7 @@ if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then $ip6t -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_port} --tcp-flag ACK ACK -j ACCEPT fi fi - + done @@ -1953,7 +1953,7 @@ if [[ ${#allow_to_ext_net_arr[@]} -gt 0 ]] ; then $ip6t -A FORWARD -p tcp -s $_net --tcp-flag ACK ACK -j ACCEPT fi fi - + done @@ -2012,7 +2012,7 @@ if $kernel_forward_between_interfaces ; then for _dev_2 in ${local_if_arr[@]} ; do # - Notice: - # - In case of routing multiple netwoks on the same interface or + # - In case of routing multiple netwoks on the same interface or # - using alias interfaces like eth0:0, you need a rule with # - incomming- and outgoing interface are equal! # - 
@@ -2214,7 +2214,7 @@ if $allow_ssh_between_local_nets ; then if ! $permit_between_local_networks ; then # - Notice: - # - In case of routing multiple netwoks on the same interface or + # - In case of routing multiple netwoks on the same interface or # - using alias interfaces like eth0:0, you need a rule with # - incomming- and outgoing interface are equal! # - @@ -2529,7 +2529,7 @@ unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then - http_port_arr=(${http_ports//,/ }) + http_port_arr=(${http_ports//,/ }) for _ip in "${!http_server_dmz_arr[@]}"; do # - Skip if no interface is given @@ -2699,7 +2699,7 @@ if $allow_mail_request_out && ! $permit_local_net_to_inet ; then # - # - Not needed from local machine. But for testing pupose (i.e. telnet ) # - - # - + # - for _dev in ${ext_if_arr[@]} ; do if $provide_mailservice_from_local ; then # - Note! @@ -2803,7 +2803,7 @@ unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then - mail_port_arr=(${mail_user_ports//,/ }) + mail_port_arr=(${mail_user_ports//,/ }) mail_port_arr+=("$mail_smtp_port") for _ip in "${!mail_server_dmz_arr[@]}"; do @@ -3012,7 +3012,7 @@ if $local_ftp_service ; then # - (Re)define helper # - # - !! Note: !! - # - for both, local FTP server (ftp_server_ip_arr) + # - for both, local FTP server (ftp_server_ip_arr) # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) # - if ! $ftp_helper_prerouting_defined ; then @@ -3033,7 +3033,7 @@ if $local_ftp_service ; then # - - If matched, the "last seen" timestamp of the source address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - + # - $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \ -m recent --name ftp6service --update --seconds 1800 --reap -j ACCEPT 
@@ -3111,7 +3111,7 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_i fi done - + echo_done else echo_skipped @@ -3166,7 +3166,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th $ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # - From extern - if $kernel_forward_between_interfaces ; then + if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT fi @@ -3205,7 +3205,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th else echo_skipped fi - + # --- # - TFTF Service out only @@ -3258,7 +3258,7 @@ if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then done if $kernel_forward_between_interfaces ; then - + for _port in ${samba_udp_port_arr[@]} ; do $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done 
@@ -3406,6 +3406,51 @@ else fi +# --- +# - MS SQL Datenbank Services +# --- + +echononl "\t\tMS SQL Datenbank Services only local Networks" + +if [[ ${#ms_sql_server_local_ip_arr[@]} -gt 0 ]]; then + for _ip in ${ms_sql_server_local_ip_arr[@]} ; do + + for _port in ${ms_sql_m_udp_port_arr[@]} ; do + $ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ms_sql_s_tcp_port_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _port in ${ms_sql_m_udp_port_arr[@]} ; do + $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ms_sql_s_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + for _port in ${ms_sql_m_udp_port_arr[@]} ; do + $ip6t -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ms_sql_s_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + fi + fi + done + + echo_done +else + echo_skipped +fi + + + # --- # - LDAP Service only out # --- @@ -3603,8 +3648,8 @@ fi # - CPAN Wait only out # --- -# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on -# - a WAIT server. It connects to a WAIT server using a simple protocoll +# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on +# - a WAIT server. It connects to a WAIT server using a simple protocoll # - resembling NNTP as described in RFC977. echononl "\t\tCPAN Wait only out" 
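Review bot: In the alias-interface branch of the new MS SQL block, the UDP return-direction rule `$ip6t -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT` accepts new UDP flows originating from the server's port toward any destination, whereas the TCP lines right beside it only pass already-established traffic (`--tcp-flag ACK ACK`); if the intent is reply traffic for the hairpin case, `--ctstate ESTABLISHED` is the matching state, or the line can go if an earlier ESTABLISHED,RELATED rule already covers it (none is visible in this diff). The FORWARD rules also carry no `-i`/`-o` match, so once forwarding is on any forwarded packet to these ports is accepted regardless of ingress interface, which is broader than the "only local Networks" label suggests; iterating `for _dev in ${local_if_arr[@]}` with `-i $_dev`, as the "Other local Services" block in this file does, would make the rules match the label, though the rm/ipmi blocks follow the unrestricted style so this is a consistency choice. The `ms_sql_*` arrays are presumably defined in the configuration sourced earlier, which is not part of this diff. The same block is added to ipt-firewall-gateway in the hunk at `@@ -4232,6 +4232,50 @@`, where both points apply unchanged.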
@@ -3644,7 +3689,7 @@ fi # --- -# - Jabber only out +# - Jabber only out # --- echononl "\t\tJabber only out" @@ -3666,7 +3711,7 @@ fi # --- -# - Silc only out +# - Silc only out # --- echononl "\t\tSilc only out" @@ -3686,7 +3731,7 @@ fi # --- -# - IRC (Internet Relay Chat) only out +# - IRC (Internet Relay Chat) only out # --- echononl "\t\tIRC only out" @@ -3797,7 +3842,7 @@ if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${rm_server_ip_arr[@]} ; do $ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT - + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT @@ -4390,7 +4435,7 @@ fi # --- -# - Rsyncd (only Out) Gateway +# - Rsyncd (only Out) Gateway # --- echononl "\t\tRsyncd (only OUT) Gateway" @@ -4428,7 +4473,7 @@ if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_n if $local_alias_interfaces ; then $ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT - fi + fi done done done @@ -4436,7 +4481,7 @@ if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_n echo_done else echo_skipped -fi +fi @@ -4585,7 +4630,7 @@ echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks" if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \ && $kernel_forward_between_interfaces \ && ! $permit_between_local_networks \ - && $allow_scanning_between_local_nets ; then + && $allow_scanning_between_local_nets ; then for _ip in ${brother_scanner_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do # - UDP 
@@ -4614,7 +4659,7 @@ echononl "\t\tEpson Network Scanner (Port $epson_scan_port) only between local N if [[ ${#epson_scanner_ip_arr[@]} -gt 0 ]] \ && $kernel_forward_between_interfaces \ && ! $permit_between_local_networks \ - && $allow_scanning_between_local_nets ; then + && $allow_scanning_between_local_nets ; then for _ip in ${epson_scanner_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do # - UDP @@ -4650,6 +4695,9 @@ echononl "\t\tOther local Services" if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _val in ${other_service_arr[@]} ; do IFS=',' read -a _val_arr <<< "${_val}" + + $ip6t -A OUTPUT -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + for _dev in ${local_if_arr[@]} ; do $ip6t -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT @@ -4838,7 +4886,7 @@ if $local_unifi_controller_service \ $ip6t -A INPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A INPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding ; then + if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT 
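Review bot: The added `$ip6t -A OUTPUT -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT` sits inside the enclosing `if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces` shown in the hunk's context, so the gateway's own OUTPUT access to these services is silently omitted whenever forwarding is disabled, although an OUTPUT rule does not depend on forwarding; the MS SQL block added by this same commit emits its OUTPUT rules before the forwarding check. Nothing confirms that an `other_service_arr` entry actually split into three fields, so a malformed entry produces an ip6tables call with empty `-p`/`-d`/`--dport` arguments that the tool will most likely reject mid-ruleset; a guard such as `[[ ${#_val_arr[@]} -eq 3 ]] || continue` placed before the new line would make that explicit. The ipt-firewall-gateway counterpart at `@@ -5507,6 +5551,9 @@` has the same gating issue (it splits on `:` where this file splits on `,`, which is the right distinction for IPv6 literals). The enclosing `for`/`if` continue past the end of the hunk.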
@@ -4989,7 +5037,7 @@ if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then for _port in ${ipmi_tcp_port_arr[@]} ; do $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then for _port in ${ipmi_udp_port_arr[@]} ; do $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT @@ -5192,7 +5240,7 @@ if $allow_gaming_out && ! $permit_local_net_to_inet ; then # - Rule is needed if (local) interface aliases in use (like eth0:1) # - - if $kernel_activate_forwarding && $local_alias_interfaces ; then + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then $ip6t -A FORWARD -p tcp -o $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -i $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT fi @@ -5344,7 +5392,7 @@ if $log_rejected || $log_all ; then $ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " $ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " $ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " - #$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " + #$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " #$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " #$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " echo_done diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 37eae90..8b72afa 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
@@ -140,10 +140,10 @@ echo # --- Activate IP Forwarding # ------------- -## - IP Forwarding aktivieren/deaktivieren. +## - IP Forwarding aktivieren/deaktivieren. ## - -## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen. -## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen, +## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen. +## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen, ## - weil hiermit auch andere (de)aktiviert werden. ## - if $kernel_activate_forwarding ; then @@ -201,13 +201,13 @@ if $adjust_kernel_parameters ; then fi ## - Ignore Broadcast Pings - ## - + ## - if $kernel_ignore_broadcast_ping ; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts fi ## - Deactivate Source Routed Packets - ## - + ## - if $kernel_deactivate_source_route ; then for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do echo 0 > $asr @@ -449,7 +449,7 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then ## - $tc qdisc del dev $TC_DEV root 2> /dev/null > /dev/null $ipt -t mangle -D POSTROUTING -o $TC_DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null - $ipt -t mangle -F MYSHAPER-OUT + $ipt -t mangle -F MYSHAPER-OUT $ipt -t mangle -X MYSHAPER-OUT @@ -457,9 +457,9 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then $tc qdisc add dev $TC_DEV root handle 1:0 htb default 26 # add main rate limit class(es) - $tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit + $tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit - # create fair-share-classes, descending priority + # create fair-share-classes, descending priority $tc class add dev $TC_DEV parent 1:1 classid 1:20 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 0 $tc class add dev $TC_DEV parent 1:1 classid 1:21 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 1 $tc class add dev $TC_DEV parent 1:1 classid 1:22 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 2 
@@ -469,7 +469,7 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then $tc class add dev $TC_DEV parent 1:1 classid 1:26 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 6 - # attach qdisc to leaf classes + # attach qdisc to leaf classes # # here we at SFQ to each priority class. SFQ insures that # within each class connections will be treated (almost) fairly. @@ -518,7 +518,7 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then $ipt -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20 $ipt -t mangle -A MYSHAPER-OUT -p icmp -j RETURN - # mark 21 - high prio 1 + # mark 21 - high prio 1 # - DNS Service $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21 $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j RETURN @@ -536,11 +536,11 @@ if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then # mark 23 - prio 3 # - OpenVPN - $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j RETURN $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 23 $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j RETURN - $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23 $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j RETURN # mark 24 - prio 4 @@ -579,7 +579,7 @@ echononl "\tProvide (Telekom) Internet TV" if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then - # - Telekom VDSL - Rules for IPTV + # - Telekom VDSL - Rules for IPTV # - $ipt -A INPUT -i $tv_local_if -p igmp -s $tv_ip -j ACCEPT #$ipt -A INPUT -i $tv_local_if -p igmp -j DROP 
@@ -612,7 +612,7 @@ if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then #$ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT $ipt -A FORWARD -i $tv_local_if -o $tv_extern_if -j ACCEPT $ipt -A FORWARD -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT - + echo_done else echo_skipped @@ -765,7 +765,7 @@ fi # - Block UDP Ports out # --- -echononl "\tBlock UDP Ports extern out.." +echononl "\tBlock UDP Ports extern out.." if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then echo"" @@ -793,7 +793,7 @@ fi # - Block TCP Ports out # --- -echononl "\tBlock TCP Ports extern out.." +echononl "\tBlock TCP Ports extern out.." if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then @@ -834,7 +834,7 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then is_valid_mask=true ipv4="" mask="" - + # Ignore comment lines # [[ $_line =~ ^[[:space:]]{0,}# ]] && continue @@ -867,13 +867,13 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then # Its not a vaild mask number, but naybe a valit netmask. - # + # test_netmask=true else if [[ $_mask -gt 32 ]]; then # Its not a vaild cidr number, but naybe a valit netmask. - # + # test_netmask=true else @@ -907,7 +907,7 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then else mask="${octet}" fi - + else is_valid_mask=false fi @@ -956,7 +956,7 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then else ipv4="${octet}" fi - + else is_valid_ipv4=false fi @@ -1177,7 +1177,7 @@ if $protect_against_several_attacks ; then echononl "\t Refuse private addresses on extern interfaces (DSL).." if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then - # Refuse packets claiming to be from a + # Refuse packets claiming to be from a # Class A private network # Class B private network # Class C private network 
@@ -1354,7 +1354,7 @@ echo # - HACK for integrating suricata IPS (Inline Mode) at 'gw-ckubu' # - echononl "\tForward to suricata IPS (inline Mode)" -if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then +if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then $ipt -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:3 echo_done else @@ -1368,8 +1368,8 @@ echo # --- iPerf # ------------- -# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. -# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, # SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. echononl "\tCreate \"iPerf\" rules.." @@ -1408,7 +1408,7 @@ for _dev in ${local_if_arr[@]} ; do done fi if $not_wanted_ident ; then - $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset + $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset fi for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $_port -j DROP @@ -1549,7 +1549,7 @@ $ipt -A INPUT -s $_net done echo_done - + else echo_skipped fi @@ -1603,11 +1603,11 @@ if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] ; then for _ip in "${gateway_ipv4_address_arr[@]}" ; do - $ipt -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p icmp -s $_net -d $_ip -j ACCEPT - - done + + done done 
@@ -1789,10 +1789,10 @@ echononl "\tDNS Service Gateway" # - if $local_dns_service ; then - # dns requests + # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # @@ -1805,7 +1805,7 @@ if $local_dns_service ; then done # - Zonetransfere (uses tcp/53) - # + # for _ip in ${dns_server_ips[@]} ; do # - out # - @@ -1819,7 +1819,7 @@ if $local_dns_service ; then done echo_done -else +else echo_skipped fi @@ -1834,10 +1834,10 @@ echononl "\tDNS Service local Network" # - if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then - # dns requests + # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # @@ -1874,7 +1874,7 @@ if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT fi - done + done done echo_done else @@ -1896,7 +1896,7 @@ if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT fi - done + done done echo_done else @@ -1916,7 +1916,7 @@ if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT fi - done + done done echo_done else @@ -2216,7 +2216,7 @@ if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \ else echo_skipped fi - + else echo_skipped fi @@ -2356,7 +2356,7 @@ if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ fi fi done - + echo_done else echo_skipped 
@@ -2572,7 +2572,7 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ else _ports="${_val_arr[2]}" fi - + $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} \ -m multiport --dports ${_ports} -m conntrack --ctstate NEW -j ACCEPT @@ -2587,7 +2587,7 @@ if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ fi fi done - + echo_done else echo_skipped @@ -2656,7 +2656,7 @@ if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then $ipt -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_port} --tcp-flag ACK ACK -j ACCEPT fi fi - + done @@ -2690,7 +2690,7 @@ if [[ ${#allow_to_ext_net_arr[@]} -gt 0 ]] ; then $ipt -A FORWARD -p tcp -d $_net --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_net --tcp-flag ACK ACK -j ACCEPT fi - + done @@ -2757,7 +2757,7 @@ if $kernel_activate_forwarding ; then for _dev_2 in ${local_if_arr[@]} ; do # - Notice: - # - In case of routing multiple netwoks on the same interface or + # - In case of routing multiple netwoks on the same interface or # - using alias interfaces like eth0:0, you need a rule with # - incomming- and outgoing interface are equal! # - @@ -2985,7 +2985,7 @@ if $allow_ssh_between_local_nets ; then if ! $permit_between_local_networks ; then # - Notice: - # - In case of routing multiple netwoks on the same interface or + # - In case of routing multiple netwoks on the same interface or # - using alias interfaces like eth0:0, you need a rule with # - incomming- and outgoing interface are equal! # - @@ -3313,7 +3313,7 @@ unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then - http_port_arr=(${http_ports//,/ }) + http_port_arr=(${http_ports//,/ }) for _ip in "${!http_server_dmz_arr[@]}"; do # - Skip if no interface is given @@ -3482,7 +3482,7 @@ if $local_smtp_service ; then else echo_skipped fi - + # --- 
@@ -3496,7 +3496,7 @@ if $allow_mail_request_out && ! $permit_local_net_to_inet ; then # - # - Not needed from local machine. But for testing pupose (i.e. telnet ) # - - # - + # - for _dev in ${ext_if_arr[@]} ; do if $provide_mailservice_from_local ; then # - Note! @@ -3598,7 +3598,7 @@ unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then - mail_port_arr=(${mail_user_ports//,/ }) + mail_port_arr=(${mail_user_ports//,/ }) mail_port_arr+=("$mail_smtp_port") for _ip in "${!mail_server_dmz_arr[@]}"; do @@ -3811,7 +3811,7 @@ if $local_ftp_service ; then # - (Re)define helper # - # - !! Note: !! - # - for both, local FTP server (ftp_server_ip_arr) + # - for both, local FTP server (ftp_server_ip_arr) # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) # - if ! $ftp_helper_prerouting_defined ; then @@ -3832,7 +3832,7 @@ if $local_ftp_service ; then # - - If matched, the "last seen" timestamp of the source address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - + # - $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \ -m recent --name ftpservice --update --seconds 1800 --reap -j ACCEPT @@ -3910,7 +3910,7 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwardi fi done - + echo_done else echo_skipped @@ -3967,7 +3967,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # - From extern - if $kernel_activate_forwarding ; then + if $kernel_activate_forwarding ; then $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line 
@@ -4014,7 +4014,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th else echo_skipped fi - + # --- # - TFTF Service out only @@ -4067,7 +4067,7 @@ if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then done if $kernel_activate_forwarding ; then - + for _port in ${samba_udp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done @@ -4232,6 +4232,50 @@ else fi +# --- +# - MS SQL Datenbank Services +# --- + +echononl "\t\tMS SQL Datenbank Services only local Networks" + +if [[ ${#ms_sql_server_local_ip_arr[@]} -gt 0 ]]; then + for _ip in ${ms_sql_server_local_ip_arr[@]} ; do + + for _port in ${ms_sql_m_udp_port_arr[@]} ; do + $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ms_sql_s_tcp_port_arr[@]} ; do + $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _port in ${ms_sql_m_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ms_sql_s_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + for _port in ${ms_sql_m_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ms_sql_s_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + fi + fi + done + + echo_done +else + echo_skipped +fi + + # --- # - LDAP Service only out # --- 
@@ -4249,7 +4293,7 @@ if $allow_ldap_requests_out && ! $permit_local_net_to_inet ; then done if $kernel_activate_forwarding ; then - + for _port in ${ldap_udp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done @@ -4430,8 +4474,8 @@ fi # - CPAN Wait only out # --- -# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on -# - a WAIT server. It connects to a WAIT server using a simple protocoll +# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on +# - a WAIT server. It connects to a WAIT server using a simple protocoll # - resembling NNTP as described in RFC977. echononl "\t\tCPAN Wait only out" @@ -4471,7 +4515,7 @@ fi # --- -# - Jabber only out +# - Jabber only out # --- echononl "\t\tJabber only out" @@ -4493,7 +4537,7 @@ fi # --- -# - Silc only out +# - Silc only out # --- echononl "\t\tSilc only out" @@ -4513,7 +4557,7 @@ fi # --- -# - IRC (Internet Relay Chat) only out +# - IRC (Internet Relay Chat) only out # --- echononl "\t\tIRC only out" @@ -4624,7 +4668,7 @@ if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${rm_server_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT - + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT @@ -4716,7 +4760,7 @@ if [[ ${#rds_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${rds_server_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $rds_server_tcp_port -m conntrack --ctstate NEW -j ACCEPT - + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -p tcp -d $_ip --dport $rds_server_tcp_port -m conntrack --ctstate NEW -j ACCEPT 
@@ -4840,7 +4884,7 @@ if $allow_outbound_streaming ; then $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi @@ -5250,7 +5294,7 @@ fi # --- -# - Rsyncd (only Out) Gateway +# - Rsyncd (only Out) Gateway # --- echononl "\t\tRsyncd (only OUT) Gateway" @@ -5406,7 +5450,7 @@ echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks" if [[ ${#printer_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_between_local_networks \ - && ! $allow_printing_between_local_nets ; then + && ! $allow_printing_between_local_nets ; then for _ip in ${printer_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT @@ -5444,7 +5488,7 @@ echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks" if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_between_local_networks \ - && $allow_scanning_between_local_nets ; then + && $allow_scanning_between_local_nets ; then for _ip in ${brother_scanner_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do # - UDP @@ -5473,7 +5517,7 @@ echononl "\t\tEpson Network Scanner (Port $epson_scan_port) only between local N if [[ ${#epson_scanner_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_between_local_networks \ - && $allow_scanning_between_local_nets ; then + && $allow_scanning_between_local_nets ; then for _ip in ${epson_scanner_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do # - UDP 
@@ -5507,6 +5551,9 @@ echononl "\t\tOther local Services" if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in ${other_service_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" + + $ipt -A OUTPUT -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT @@ -5779,7 +5826,7 @@ if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then done if $kernel_activate_forwarding ; then - + for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done @@ -5812,7 +5859,7 @@ if $allow_ipmi_request_in ; then done if $kernel_activate_forwarding ; then - + for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done @@ -5826,7 +5873,7 @@ if $allow_ipmi_request_in ; then echo_done else echo_skipped -fi +fi # --- @@ -5844,7 +5891,7 @@ if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then for _port in ${ipmi_tcp_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT 
@@ -6197,7 +6244,7 @@ if $log_rejected || $log_all ; then $ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " $ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " $ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " - #$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " + #$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " #$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " #$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " echo_done