From c10647e763b68c4a1b84004ff015fd0c4d2d558d Mon Sep 17 00:00:00 2001 From: Christoph Date: Fri, 24 Feb 2017 04:13:22 +0100 Subject: [PATCH] Initial import
---
 .gitignore | 4 + conf/default_ports.conf | 36 + conf/include_functions.conf | 113 + conf/interfaces.conf | 41 + conf/interfaces_ipv4.conf.sample | 41 + conf/interfaces_ipv6.conf.sample | 45 + conf/load_modules_ipv4.conf | 36 + conf/load_modules_ipv6.conf | 9 + conf/logging_ipv4.conf | 40 + conf/logging_ipv6.conf | 40 + conf/main_ipv4.conf.sample | 1120 ++++++++++ conf/main_ipv6.conf.sample | 1019 +++++++++ conf/post_decalrations.conf | 418 ++++ ip6t-firewall-gateway | 3113 ++++++++++++++++++++++++++ ipt-firewall-gateway | 3539 ++++++++++++++++++++++++++++++ 15 files changed, 9614 insertions(+) create mode 100644 .gitignore create mode 100644 conf/default_ports.conf create mode 100644 conf/include_functions.conf create mode 100644 conf/interfaces.conf create mode 100644 conf/interfaces_ipv4.conf.sample create mode 100644 conf/interfaces_ipv6.conf.sample create mode 100644 conf/load_modules_ipv4.conf create mode 100644 conf/load_modules_ipv6.conf create mode 100644 conf/logging_ipv4.conf create mode 100644 conf/logging_ipv6.conf create mode 100644 conf/main_ipv4.conf.sample create mode 100644 conf/main_ipv6.conf.sample create mode 100644 conf/post_decalrations.conf create mode 100755 ip6t-firewall-gateway create mode 100755 ipt-firewall-gateway
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6f2b3ea
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+conf/interfaces_ipv4.conf
+conf/interfaces_ipv6.conf
+conf/main_ipv4.conf
+conf/main_ipv6.conf
diff --git a/conf/default_ports.conf b/conf/default_ports.conf
new file mode 100644
index 0000000..24fcd65
--- /dev/null
+++ b/conf/default_ports.conf
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Ports for Services out
+# =============
+
+standard_ident_port=113
+standard_silc_port=706
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_smtp_port=25
+standard_ssh_port=22
+standard_http_port=80
+standard_https_port=443
+standard_ftp_port=21
+standard_tftp_udp_port=69
+standard_ntp_port=123
+standard_timeserver_port=37
+standard_pgp_keyserver_port=11371
+standard_telnet_port=23
+standard_whois_port=43
+standard_cpan_wait_port=1404
+standard_hbci_port=3000
+standard_mysql_port=3306
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_print_raw_port=515
+standard_print_port=9100
+standard_remote_console_port=5900
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+
diff --git a/conf/include_functions.conf b/conf/include_functions.conf
new file mode 100644
index 0000000..9bb5205
--- /dev/null
+++ b/conf/include_functions.conf
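Review bot: `standard_print_raw_port=515` labels the LPD/LPR spooler port as "raw", while 9100, the JetDirect raw-socket port, gets the generic `standard_print_port`; anyone wiring printer rules from these names will open the wrong port. I would add correctly named definitions and keep the old names as aliases so the main configs keep working: `standard_print_lpd_port=515`, `standard_print_raw_port=$standard_print_lpd_port`, `standard_print_port=9100`. A short comment per port naming the protocol, as is already done for CUPS via `standard_ipp_port`, would make the file self-explaining.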
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Some functions
+# =============
+
+# - Is this script running on terminal ?
+# -
+if [[ -t 1 ]] ; then
+ terminal=true
+else
+ terminal=false
+fi
+
+echononl(){
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+}
+echo_done() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[32mdone\033[m ]"
+ else
+ echo " [ done ]"
+ fi
+}
+echo_ok() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[32mok\033[m ]"
+ else
+ echo " [ ok ]"
+ fi
+}
+echo_warning() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+ else
+ echo " [ warning ]"
+ fi
+}
+echo_failed(){
+ if $terminal ; then
+ echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+ else
+ echo ' [ failed! ]'
+ fi
+}
+echo_skipped() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[37mskipped\033[m ]"
+ else
+ echo " [ skipped ]"
+ fi
+}
+
+
+fatal (){
+ echo ""
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
+ echo ""
+ echo -e "\t\033[31m\033[1m Firewall Script will be interrupted..\033[m\033[m"
+ else
+ echo "fatal: $*"
+ echo "Firewall Script will be interrupted.."
+ fi
+ echo ""
+ exit 1
+}
+
+error(){
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+ else
+ echo "Error: $*"
+ fi
+ echo ""
+}
+
+warn (){
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+ else
+ echo "Warning: $*"
+ fi
+ echo ""
+}
+
+info (){
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ else
+ echo "Info: $*"
+ fi
+ echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+ local e
+ for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+ return 1
+}
+
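Review bot: `echononl` writes to the predictable path `/tmp/shprompt$$`, and a firewall script runs as root, so an unprivileged local user who pre-plants a symlink there gets root to truncate or overwrite an arbitrary file (the PID is guessable and `/tmp` is world-writable). The probe for `\c` support is also pointless under the `#!/usr/bin/env bash` shebang, since bash has `printf`; the whole body can become `echononl(){ printf '%b' "$*" 1>&2; }`, which keeps the escape handling of `echo -e` and needs no temp file. If the probe is kept for some reason, create the file with `mktemp` and remove it from an `EXIT` trap rather than a trailing `rm`.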
diff --git a/conf/interfaces.conf b/conf/interfaces.conf
new file mode 100644
index 0000000..da06193
--- /dev/null
+++ b/conf/interfaces.conf
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# - (blank separated list)
+ext_if_dsl_1="ppp-ckubu"
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# - (blank separated list)
+ext_if_static_1="eth2"
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# - (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1="eth0"
+local_if_2="eth1"
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true
diff --git a/conf/interfaces_ipv4.conf.sample b/conf/interfaces_ipv4.conf.sample
new file mode 100644
index 0000000..478911d
--- /dev/null
+++ b/conf/interfaces_ipv4.conf.sample
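Review bot: This file carries the live interface names of one site (`ppp-ckubu`, `eth2`, `eth0`, `eth1`) and is tracked, while the `.gitignore` in the same commit excludes `conf/interfaces_ipv4.conf` and `conf/interfaces_ipv6.conf` and the two `.sample` variants are the empty templates. Either add `conf/interfaces.conf` to `.gitignore` and ship an `interfaces.conf.sample`, or blank the values here, so that a fresh clone does not start with another gateway's topology and the public history does not document it. The stray quote in `# - Are local alias interfaces like eth0:0 defined"` should also go.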
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# - (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# - (blank separated list)
+ext_if_static_1=""
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# - (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true
diff --git a/conf/interfaces_ipv6.conf.sample b/conf/interfaces_ipv6.conf.sample
new file mode 100644
index 0000000..b306637
--- /dev/null
+++ b/conf/interfaces_ipv6.conf.sample
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# - (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# - (blank separated list)
+# -
+# - Example:
+# - ext_if_static_1="sixxs"
+# -
+ext_if_static_1=""
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# - (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true
diff --git a/conf/load_modules_ipv4.conf b/conf/load_modules_ipv4.conf
new file mode 100644
index 0000000..bc383f0
--- /dev/null
+++ b/conf/load_modules_ipv4.conf
@@ -0,0 +1,36 @@
+# =============
+# - Load Kernel Modules
+# =============
+
+# - Note:!
+# - Since Kernel 4.7 the automatic conntrack helper assignment
+# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# - Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# - net.netfilter.nf_conntrack_helper = 1
+# -
+# - Reboot or type "sysctl -p"
+
+
+ip_tables
+
+iptable_nat
+iptable_filter
+iptable_mangle
+iptable_raw
+
+# - Load base modules for tracking
+# -
+nf_conntrack
+nf_nat
+
+# - Load module for FTP Connection tracking and NAT
+# -
+nf_conntrack_ftp
+nf_nat_ftp
+
+# - Load modules for SIP VOIP
+# -
+nf_conntrack_sip
+nf_nat_sip
+
diff --git a/conf/load_modules_ipv6.conf b/conf/load_modules_ipv6.conf
new file mode 100644
index 0000000..2c55689
--- /dev/null
+++ b/conf/load_modules_ipv6.conf
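Review bot: The header of `load_modules_ipv4.conf` tells administrators to set `net.netfilter.nf_conntrack_helper = 1`, which re-enables the automatic helper assignment the kernel turned off in 4.7 precisely because the FTP and SIP helpers parse untrusted payloads and open dynamic expectations for every flow that happens to hit their port; a global sysctl gives that exposure on every interface, including the external ones. The safer pattern is to leave the sysctl at 0 and attach helpers explicitly from the raw table only to the flows that need them, e.g. `iptables -t raw -A PREROUTING -i "$local_if" -p tcp --dport 21 -j CT --helper ftp` and the analogous `-p udp --dport 5060 -j CT --helper sip`, so the module list here stays useful without the sysctl. I would reword the note to recommend the CT rules; whether the main scripts already emit them is not visible in this hunk.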
@@ -0,0 +1,9 @@
+# =============
+# - Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle
diff --git a/conf/logging_ipv4.conf b/conf/logging_ipv4.conf
new file mode 100644
index 0000000..e653972
--- /dev/null
+++ b/conf/logging_ipv4.conf
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""
diff --git a/conf/logging_ipv6.conf b/conf/logging_ipv6.conf
new file mode 100644
index 0000000..a024215
--- /dev/null
+++ b/conf/logging_ipv6.conf
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv6:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
new file mode 100644
index 0000000..207e773
--- /dev/null
+++ b/conf/main_ipv4.conf.sample
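Review bot: Every `log_*` switch in `logging_ipv4.conf` defaults to `false`, so a gateway built from these defaults drops spoofed, invalid and explicitly blocked traffic without leaving any record, which is exactly the data an incident responder needs first. I would ship at least `log_spoofed=true`, `log_invalid_state=true`, `log_blocked=true` and `log_not_wanted=true`, and state in the header which of these the main scripts rate-limit (not visible in this hunk) so a flood cannot fill the log. `log_level=debug` also lands in a priority that many syslog configurations discard; `info` or `warning` is the safer default for dropped-packet records. The `logging_ipv6.conf` hunk in this commit carries the same defaults and deserves the same change.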
@@ -0,0 +1,1120 @@
+#!/usr/bin/env bash
+
+## ---------------------------------------------------------
+## --- Main Configurations Ipv4 Firewall Script ipt-firewall
+## ---------------------------------------------------------
+
+# ---
+# - IPv4 Addresses Gateway
+# ---
+declare -a gateway_ipv4_address_arr
+read -a gateway_ipv4_address_arr <<<$(ifconfig | grep "inet Ad" | awk '{print$2}' | cut -d':' -f2)
+
+
+# =============
+# --- Interfaces completly blocked
+# =============
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - For Example: eth1 is used for DSL Line, that becomes an extra
+# - interface (ppp-light). A further use of eth1 (which would
+# - be possible) is not configured at time, so you can block it.
+# -
+blocked_ifs=""
+
+
+
+# =============
+# --- Interfaces not firewalled
+# =============
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is
+# - protected by a firewall on an other system in the local area
+# -
+# - Here: the static line castle stockhausen
+# -
+unprotected_ifs=""
+
+
+
+# =============
+# --- Networks not firewalled through extern interfaces
+# =============
+
+# - Allow these networks any access to the internet.
+# -
+# - Blank separated list of networks
+# -
+any_access_to_inet_networks=""
+
+
+
+# =============
+# - Allow local services from given local networks
+# =============
+
+# - allow_local_net_to_local_service
+# -
+# - allow_local_net_to_local_service="local-net:local-service:port:protocol"
+# -
+# - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -
+# - Use this parameter to (only) give some local netwoks access to special local
+# - services (but not for all local networks as you can configure later).
+# -
+# - If you plan to separate local networks (see parameter 'separate_local_networks'), but
+# - to allow these networks some special local services, you can also use this parameter.
+# -
+# - Example:
+# - allow access from 10.113.0.0/16 to https service at 192.168.10.1
+# - allow access from 10.113.0.0/16 to https service at 192.168.10.13
+# -
+# - allow_local_net_to_local_service="10.113.0.0/16:192.168.10.1:$standard_https_port:tcp
+# - 10.113.0.0/16192.168.10.13:$standard_https_port:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_local_service=""
+
+
+
+# =============
+# - Allow local ip address from given local network
+# =============
+
+# - allow_local_net_to_local_ip
+# -
+# - All traffic from the given network to the given ip address is allowed
+# -
+# - Example:
+# - allow_local_net_to_local_ip="10.113.0.0/16:192.168.10.1
+# - 10.113.0.0/16:192.168.10.13"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_local_ip=""
+
+
+
+# =============
+# - Allow local ip address from given local interface
+# =============
+
+# - allow_local_if_to_local_ip
+# -
+# - All traffic from the given network interface to the given ip address is allowed
+# -
+# - Example:
+# - allow_local_if_to_local_ip="${local_if_1}:192.168.10.1
+# - ${local_if_2}:192.168.10.13"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_local_ip=""
+
+
+
+# =============
+# --- Separate local Networks
+# =============
+
+# - Don't allow these networks any connections to other local networks
+# -
+# - Example:
+# - separate_local_networks="10.113.1.0/24 10.113.2.0/24"
+# -
+# - Blank separated list
+# -
+separate_local_networks=""
+
+
+
+# =============
+# --- Separate local Interfaces
+# =============
+
+# - Don't allow these networks any connections to other local networks
+# -
+# - Example:
+# - separate_local_networks="$local_if_1 $local_if_2"
+# -
+separate_local_ifs=""
+
+
+
+# =============
+# --- Traffic Shaping
+# =============
+
+TRAFFIC_SHAPING=false
+
+RATE_UP=10000
+LIMIT_UP=$(expr $RATE_UP / 100 \* 85)
+
+LIMIT_CLASS=$(expr $LIMIT_UP / 7)
+
+RTP_PORTS_START=49152
+RTP_PORTS_END=49408
+SIP_PORT_REMOTE=5060
+SIP_PORT_LOCAL=5067
+SIP_LOCAL_IP=192.168.63.240
+STUN_PORTS=3478
+
+TC_DEV=$ext_if_dsl_1
+
+
+
+# =============
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# =============
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# - unwanted packages e.g. blocking private addresses on
+# - externel interfaces.
+# -
+# - Note: you can specify networks using CIDR notation
+# - like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+
+# =============
+# --- Services local machine / local networksa
+# =============
+
+# ======
+# - IPv6 over IPv4 (SixXS)
+# ======
+
+local_sixxs_service=false
+tic_server=tic.sixxs.net
+six_pop_server=deham01.sixxs.net
+
+
+# ======
+# - VPN Service
+# ======
+
+# - VPN Service on Gateway?
+local_vpn_service=true
+vpn_gw_ports="1194 1195 1196"
+
+# - VPN Services DMZ (reachable also from WAN)
+# -
+# - vpn_server_dmz_arr=[]=
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - vpn_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
+# - vpn_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
+# -
+# - Multiple settins of this parameter is possible
+# -
+declare -A vpn_server_dmz_arr
+
+# - Local VPN Ports
+# -
+# - Blank separated list
+vpn_local_net_ports="1194"
+
+
+# ======
+# - DHCP Service
+# ======
+
+# - DHCP Server Gateway
+# -
+local_dhcp_service=true
+
+# - Are DHCP Failover Servers present?
+# -
+# - Balnk separated list
+# -
+dhcp_failover_server_ips=""
+
+dhcp_failover_port=647
+
+
+# ======
+# - DNS Service
+# ======
+
+# - DNS Service Gateway
+# -
+local_dns_service=true
+
+# - DNS Server local Networks
+# -
+# - Blank separated list
+# -
+dns_server_ips=""
+
+
+# ======
+# - SSH
+# ======
+
+# - SSH Service Gateway
+# -
+local_ssh_service=true
+
+
+# - SSH Services DMZ (reachable also from WAN)
+# -
+# - ssh_server_dmz_arr[]=
+# -
+# - Note:
+# - Each extern interface can have only one service on a certain port.
+# -
+# - ssh_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
+# - ssh_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
+# -
+# - Multiple settins of this parameter is possible
+# -
+declare -A ssh_server_dmz_arr
+
+
+# - SSH Ports used on Gateway and also local machines
+# -
+# - blank separated list
+# -
+ssh_ports="22"
+
+
+# ======
+# - HTTP(S) Service
+# ======
+
+# - HTTP(S) Service Gateway
+# -
+local_http_service=false
+
+
+# - HTTP(S) Services only locale Networks
+# -
+# - Blank separated list
+# -
+http_server_only_local_ips=""
+
+
+# - HTTP(S) Services DMZ (reachable also from WAN)
+# -
+# - http_server_dmz_arr[]=
+# -
+# - Note:
+# - Each extern interface can have only one service on a certain port.
+# -
+# - Example:
+# - Mail Server: 192.168.10.1 incomming on ppp-st ($ext_if_dsl_2)
+# - Citrix Server: 192.168.10.13 incomming on ppp-surf1 ($ext_if_dsl_1)
+# -
+# - http_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
+# - http_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
+# -
+# - WebServer Luna: 192.168.63.20 (ppp-ckubu = $ext_if_dsl_1)
+# -
+# - Multiple settins of this parameter is possible
+# -
+declare -A http_server_dmz_arr
+
+
+# - HTTPS Services DMZ only port 443 (reachable also from WAN)
+# -
+# - http__ssl_server_dmz_arr[]=
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - Example:
+# - Mail Server: 192.168.10.1 incomming on ppp-st ($ext_if_dsl_2)
+# - Citrix Server: 192.168.10.13 incomming on ppp-surf1 ($ext_if_dsl_1)
+# -
+# - http_ssl_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
+# - http_ssl_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
+# -
+# - Multiple settins of this parameter is possible
+# -
+declare -A http_ssl_server_dmz_arr
+
+
+# - HTTP(S) Ports
+# -
+# - comma separated list
+# -
+http_ports="$standard_http_ports"
+
+
+# ======
+# - Mail Services
+# ======
+
+# - Mailserver (SMTP(POP/IMAP) Gateway
+# -
+# - NOT YET IMPLEMENTED
+# -
+local_mail_service=false
+
+
+# - Mail Services smtp,smtps/pop(s)/imap(s) only local Networks
+# -
+# - comma separated list
+# -
+mail_server_only_local_ips=""
+
+
+# - Mails Services DMZ smtp,smtps/pop(s)/imap(s) (reachable also from WAN)
+# -
+# - mail_server_dmz_arr[]=
+# -
+# - Multiple declarations are possible
+# -
+# - Example:
+# - Mail Server: 192.168.10.1 incomming on ppp-st ($ext_if_dsl_2)
+# -
+# - mail_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
+# -
+declare -A mail_server_dmz_arr
+
+
+# - Mail client ports (smtps/pop(s)/imap(s)
+# -
+# - comma separated list
+# -
+mail_user_ports="$standard_mailuser_ports"
+
+
+# - Mail Server (local Networks) SMTP Port
+# -
+mail_smtp_port="$standard_smtp_port"
+
+
+# ======
+# - FTP Service
+# ======
+
+# - FTP Service Gateway
+# -
+local_ftp_service=false
+
+# - FTP Server at local Networks
+# -
+# - comma separated list
+# -
+ftp_server_only_local_ips=""
+
+# - FTP Service DMZ
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - ftp_server_dmz_arr[]=
+# - ftp_passive_port_range=
+# -
+declare -A ftp_server_dmz_arr
+#ftp_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1
+ftp_passive_port_range="50000:50400"
+
+# - FTP Ports
+# -
+# - Hard scriptetd:
+# - FTP Control Port: 21
+# - FTP Data Port: 20
+
+
+# ======
+# - TFTP Service Gateway
+# ======
+
+# - TFTP Server Gateway (Port udp 69)
+local_tftp_service=false
+
+# - TFTP Server at local Networks
+# -
+tftp_server_ips=""
+
+# - TFTF Ports
+# -
+# - Note: its udp !
+# -
+tftp_udp_port=69
+
+
+# ======
+# - LDAP Service
+# ======
+
+# - Is this a LDAP Server ?
+# -
+local_ldap_service=false
+
+# - LDAP Service local Networks
+# -
+# - Ports: 389 udp
+# - 389 tcp
+# -
+# - Ports LDAP SSL: 636 tcp
+# -
+ldap_server_local_ips=""
+ldap_udp_ports="389"
+ldap_tcp_ports="389 636"
+
+
+# ======
+# - Samba Service
+# ======
+
+# - Samba Server Gateway
+# -
+local_samba_service=false
+
+# - Samba Service
+# -
+# - Ports: 137,138 udp
+# - 139,445 tcp
+# -
+samba_udp_ports="137:138"
+samba_tcp_ports="137 138 139 445"
+
+# - Samba Service local networks
+# -
+samba_server_local_ips=""
+
+# - Samba Service DMZ
+# -
+# - samba_server_dmz_arr[]=
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - Multiple settins of this parameter is possible
+# -
+declare -A samba_server_dmz_arr
+
+
+# ======
+# - NTP Service
+# ======
+
+# - NTP Service Gateway
+# -
+local_ntp_service=true
+
+
+# ======
+# - SNMP Service
+# ======
+
+# - SNMP services local Networks
+# -
+snmp_server_ips=""
+
+# - SNMP Port
+# -
+snmp_port="161"
+
+
+# ======
+# - Mumble Service
+# ======
+
+# - NOT YET IMPLEMENTED
+
+# - Mumble ports
+mumble_ports="64738"
+
+
+# ======
+# - XyMon Service
+# ======
+
+# - XyMon Service Gateway (usually TCP port 1984)
+# -
+local_xymon_server=false
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - Comma separated list of ip's
+# -
+xymon_server_ips=""
+local_xymon_client=""
+
+# - XyMon Ports
+# -
+xymon_port=1984
+
+
+# ======
+# - Munin Service
+# ======
+
+# - Munin Service Gateway (usually TCP port 4949)
+# -
+local_munin_server=false
+
+
+# - If 'local_munin_server=' provide service also to inet?
+# -
+provide_munin_service_to_inet=true
+munin_remote_port="4949"
+
+
+# - Munin Server local Networks (usually TCP port 4949)
+# -
+# - Blank separated list
+munin_local_server_ips=""
+
+
+# - Munin Remote Server
+# -
+# - Note:
+# - The munin server himself initiates the connection to the concerning clients.
+# - In case of natted (local) networks you have to also nat the incomming
+# - requests from munin server.
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - munin_local_client_ip_arr[]=
+# -
+#munin_remote_server="83.223.86.163"
+munin_remote_server=""
+declare -A munin_local_client_ip_arr
+#munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
+
+# - Munin Port
+# -
+munin_local_port=4949
+
+
+# ======
+# - PowerChut Network Shutdown (PCNS)
+# ======
+
+# - PCNS local Services
+# -
+pcns_server_ips=""
+
+# - local USV
+# -
+usv_ip=""
+
+# - PCNS Ports
+# -
+# - Webinterface (https): tcp 6547
+# - Connection usv: tcp/udp 3052
+# -
+pcns_tcp_port=3052
+pcns_udp_port=3052
+pcns_web_port=6547
+
+
+# ======
+# - Remote Console (VNC Service)
+# ======
+
+# - VNC Service local network
+#
+# - Blank separated list
+# -
+rm_server_ips=""
+
+# - VNC Service DMZ
+# -
+# - Note:
+# - Each extern interface can have only one thuch service
+# -
+# - rm_server_dmz_arr[]=
+# -
+declare -A rm_server_dmz_arr
+#rm_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1
+
+# - Remote Console (VNC) Port
+# -
+remote_console_port=5900
+
+
+# ======
+# - Ubiquiti Unifi
+# ======
+
+# - Notice:
+# - The Accesspoint IP is not needed (i think so), because the
+# - AP uses port 8080 for cummunication with the controller, and
+# - this port will be configured with the rules concerning the
+# - controllers.
+# -
+# - again: setting unifi_ap_local_ips is not needed
+#unifi_ap_local_ips="192.168.64.50"
+
+unifi_controller_gateway_ips=""
+unify_controller_local_net_ips=""
+unify_controller_ports="8080,8443"
+
+provide_hotspot=true
+hotspot_ports="8880,8843"
+
+
+# ======
+# - IPMI Tools
+# ======
+
+# - IPMI Tools local Networks
+# -
+# - Blank seoarated list
+# -
+ipmi_server_ips=""
+
+# - IPMI Tools Port
+# -
+# - UDP 623: Access IPMI Programms (as IPMIView or FreeIPMI)
+# - TCP 623: Virtual Media for Remote Console
+# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
+# -
+ipmi_udp_port=623
+ipmi_tcp_ports="623 3520"
+
+
+# =============
+# - Rsync Out for given src ip-addresses
+# =============
+
+# - Rsync Protocol
+# -
+# - The given server address (from local network) can access rsyncd at (any) remote machine
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+rsync_ports="873"
+
+# - rsync out from this machine?
+# -
+local_rsync_out=false
+
+
+
+# =============
+# - Printer
+# =============
+
+# - IP Addresses Printer
+# -
+# - Blank separated list
+# -
+printer_ips=""
+
+
+
+# =============
+# --- Scanner
+# =============
+
+# ======
+# - Brother (brscan)
+# ======
+
+# - IP Adresses Brother Scanner
+# -
+# - Blank seoarated list
+# -
+brother_scanner_ips=""
+brscan_port=54921
+
+
+
+# =============
+# --- Telefon Systems
+# =============
+
+# - IP Adresses Telephone Systems (Telefonanlagen)
+# -
+# - Dont't foregt to add ip-adresses also to http(s) service if the
+# - systems provide webinterfaces!
+# -
+tele_sys_ips=""
+tele_sys_remote_sip_server_port=5060
+tele_sys_local_sip_server_port=5067
+allow_between_tele_systems=false
+
+VOIP_PORTS="69 5000:5099 7775 32000:32512"
+# - TFTP=69 (used from telephones getting their connection data / firmwareupdate )
+# - RTP_PORTS= UDP i.e. 5000:5099 or here
+# - RTP_PORTS_END=5099
+#SIP_PORT_REMOTE=5060
+#SIP_PORT_LOCAL=5067
+#SIP_LOCAL_IP=192.168.63.240
+#STUN_PORTS=3478
+udp_voip_ports="7775 5000:5099"
+
+
+# =====
+# - Telekom Internet TV (Entertain)
+# =====
+
+telekom_internet_tv=false
+tv_ip="192.168.63.5"
+tv_extern_if="eth2.8"
+tv_local_if="$local_if_1"
+
+
+
+# ======
+# - Other local Services
+# ======
+
+# - You can configure further local services here.
+# -
+# - other_services=":: [:: [.."
+# -
+# - Blank seperated list
+# -
+other_services=""
+
+
+# =============
+# --- Masuqerading
+# =============
+
+# - Masquerade TCP Connections
+# -
+# - masquerade_tcp_con="::: [::..]"
+# -
+# - Example:
+# -
+# - masquerade_tcp_con="192.168.63.0/24:192.168.62.244:80:${local_if_1}
+# - 10.0.0.0/8:192.168.62.244:443:${local_if_1}"
+# -
+# - 192.168.64.55: Repeater TP-Link TL-WA850RE
+# -
+masquerade_tcp_cons="192.168.63.0/24:192.168.64.55:80:${local_if_1}"
+
+
+# =============
+# --- Portforwarding
+# =============
+
+# - Portforwarding TCP
+# -
+# - portforward_tcp=":::"
+# -
+# - Multiple declarations are possible
+# -
+# - Example:
+# - portforward_tcp="$ext_if_dsl_1:9997:192.168.52.25:22
+# - $ext_if_dsl_1:9998:192.168.53.24:22"
+# -
+# - Blank separated list
+# -
+portforward_tcp=""
+
+
+# - Portforwarding UDP
+# -
+# - portforward_udp=":::"
+# -
+# - Multiple declarations are possible
+# -
+# - Example:
+# - portforward_udp="$ext_if_dsl_1:1094:192.168.52.25:1094
+# - $ext_if_dsl_1:9999:192.168.53.24:1095"
+# -
+# - Blank separated list
+# -
+portforward_udp=""
+
+
+
+# =============
+# --- Basic behavior
+# =============
+
+# ===
+# = Services allowed out to the world wide web
+# ===
+
+allow_ssh_request_out=true
+allow_http_request_out=true
+allow_smtp_request_out=true
+allow_mail_request_out=true
+allow_ftp_request_out=true
+allow_tftp_request_out=true
+allow_ntp_request_out=true
+allow_timeserver_request_out=true
+allow_pgpserver_request_out=true
+allow_telnet_request_out=true
+allow_whois_request_out=true
+allow_cpan_wait_request_out=true
+allow_hbci_request_out=true
+allow_jabber_request_out=true
+allow_silc_request_out=true
+allow_irc_request_out=true
+allow_mysql_request_out=true
+allow_ipmi_request_out=true
+allow_remote_console_request_out=true
+
+allow_samba_requests_out=true
+
+allow_vpn_out=true
+vpn_out_ports="1194 1195 1196"
+
+
+# ===
+# = Services allowed between local networks
+# ===
+
+# - These Parameters are only considered, if traffic
+# - between local networks are not permitted, thats
+# - if 'permit_between_local_networks=false' (see below).
+# -
+allow_ssh_between_local_nets=true
+allow_samba_between_local_nets=false
+allow_ldap_between_local_nets=false
+allow_printing_between_local_nets=true
+allow_scanning_between_local_nets=true
+
+
+# ===
+# = Other Parameters
+# ===
+
+# - Permit internet access to all machines at local network
+# - Does not include this server itself
+# -
+permit_local_net_to_inet=false
+
+# - Do not block any traffic between local machines
+# -
+permit_between_local_networks=false
+
+# - Do not block any ICMP traffic
+# -
+permit_all_icmp_traffic=true
+
+# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
+# -
+# - Maybe useful for testing purpose with telnet or openssl
+# -
+provide_mailservice_from_local=true
+
+# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
+# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
+# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
+# -
+create_iperf_rules=false
+
+
+
+# =============
+# - MAC Address Filtering
+# =============
+
+# - MAC Addreses alowed to all destinations (gateway, remote, local networks)
+# -
+# - Blank separated list
+# -
+allow_all_mac_src_addresses=""
+
+# - MAC Addreses alowed to local networks (gateway, local networks)
+# -
+# - Blank separated list
+# -
+allow_local_mac_src_addresses=""
+
+
+# - MAC Addreses alowed to remote networks
+# -
+# - Blank separated list
+# -
+allow_remote_mac_src_addresses=""
+
+
+
+
+# =============
+# --- Block IP's / IP-Ranges
+# =============
+
+# - 222.184.0.0/13 CHINANET-JS
+# - 61.160.0.0/16 - CHINANET-JS
+# - 116.8.0.0/14 CHINANET-GX
+# -
+blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
+
+
+# =============
+# --- Block Ports on extern Interfaces
+# =============
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 135 631"
+block_udp_ports="111"
+if ! $allow_samba_requests_out ; then
+ block_tcp_ports="$block_udp_ports 137:139 445"
+ block_udp_ports="$block_udp_ports 137:139"
+fi
+
+block_ident=true
+
+
+# =============
+# - Packets not wanted on gateway on local Interfaces
+# =============
+
+not_wanted_on_gw_tcp_ports="111 113 135 631"
+not_wanted_on_gw_udp_ports="111 631"
+if ! $local_samba_service ; then
+ not_wanted_on_gw_tcp_ports="$not_wanted_on_gw_tcp_ports 137:139 445"
+ not_wanted_on_gw_udp_ports="$not_wanted_on_gw_udp_ports 137:139"
+fi
+
+not_wanted_ident=true
+
+
+# =============
+# --- Router
+# =============
+
+# - Set to "true" to secure/tune the kernel
+# -
+adjust_kernel_parameters=true
+
+# - Protection against several attacks
+# -
+protect_against_several_attacks=true
+
+
+
+# =============
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# =============
+
+# - Activate forwarding
+# -
+# - Enable/disable forwarding to and between interfaces
+# -
+kernel_activate_forwarding=true
+
+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# - 1: To enable:
+# - 2: To enable verbosity:
+# - 4: To enable RST-provoking:
+# - 8: To enable asymetric routing work-around [**]
+# -
+# - [*] At boot, by default no address rewriting is attempted.
+# - [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=true
+dynaddr_flag="5"
+
+# - Reduce DoS'ing ability by reducing timeouts
+# -
+kernel_reduce_timeouts=true
+
+# - Hardening TCP/IP Stack Against SYN Floods
+# -
+# - Enable syn cookies prevents against the common 'syn flood attack'
+# -
+kernel_tcp_syncookies=true
+
+# - Protection against ICMP bogus error responses
+# -
+kernel_protect_against_icmp_bogus_messages=true
+
+# - Ignore Broadcast Pings
+# -
+kernel_ignore_broadcast_ping=true
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - Note: IP TV requires sending ICMP redirects. So if IP TV is provided, this
+# - Parameter will be set to "false"
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of
+# - one network, based on the host choice, so basically it affects the way
+# - packets are routed and destinations.
+# -
+kernel_dont_accept_redirects=true
+
+# - Activate Reverse Path Filtering (Antispoofing)
+# -
+# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen
+# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen,
+# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
+# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für
+# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle
+# - nicht voll funktionsfähig ist.
+# -
+kernel_activate_rp_filter=true
+
+# - Logging of spoofed (source routed" and "redirect") packets
+# -
+kernel_log_martians=false
+
+
+
+# =============
+# --- Some further Ports/IP-Address Configuration
+# =============
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# - Loopback
+loopback="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
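Review bot: In the "Block Ports on extern Interfaces" section the samba branch reads `block_tcp_ports="$block_udp_ports 137:139 445"`, so with `allow_samba_requests_out=false` the TCP block list becomes `111 137:139 445` and the blocks for tcp 135 and 631 set two lines earlier are silently lost; it should be `block_tcp_ports="$block_tcp_ports 137:139 445"`. The gateway address detection at the top greps `ifconfig` output for `"inet Ad"`, which matches the German `inet Adresse:` label of net-tools but neither the English `inet addr:` nor the newer `inet 192.0.2.1` layout, so on such hosts `gateway_ipv4_address_arr` stays empty and whatever rules the scripts key on it are missing; `read -a gateway_ipv4_address_arr <<<"$(ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1)"` is locale-independent. For a shipped sample, `provide_munin_service_to_inet=true`, `allow_telnet_request_out=true`, `allow_mysql_request_out=true` and the site-specific `masquerade_tcp_cons="192.168.63.0/24:192.168.64.55:80:${local_if_1}"` are surprising defaults; I would ship them as `false`/empty and keep the example in the comment above.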
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
new file mode 100644
index 0000000..453bc3b
--- /dev/null
+++ b/conf/main_ipv6.conf.sample
@@ -0,0 +1,1019 @@ +#!/usr/bin/env bash + +## --------------------------------------------------------- +## --- Main Configurations Ipv6 Firewall Script ipt-firewall +## --------------------------------------------------------- + +# --- +# - IPv6 Addresses Gateway +# --- +declare -a gateway_ipv6_address_arr +read -a gateway_ipv6_address_arr <<<$(ifconfig | grep "inet6-Ad" | awk '{print$2}'| cut -d'/' -f1) + + +# ============= +# --- Interfaces completly blocked +# ============= + +# - Interfaces to block (note: they will all be blocked) +# - +# - For Example: eth2 is used for DSL Line, that becomes an extra +# - interface (ppp-light). A further use of eth1 (which would +# - be possible) is not configured at time, so you can block it. +# - +blocked_ifs="" + + + +# ============= +# --- Interfaces not firewalled +# ============= + +# - Note: +# - Can be (for example) an interface, whose (complete) traffic is +# - protected by a firewall on an other system in the local area +# - +# - Here: the static line castle stockhausen +# - +unprotected_ifs="" + + + +# ============= +# --- Networks not firewalled through extern interfaces +# ============= + +# - Allow these networks any access to the internet. +# - +# - Blank separated list of networks +# - +any_access_to_inet_networks="" + + + +# ============= +# - Allow local services from given local networks +# ============= + +# - allow_local_net_to_local_service +# - +# - allow_local_net_to_local_service="local-net,local-service,port,protocol" +# - +# - Only 'tcp' and 'udp' are allowed valuse for protocol. +# - +# - Use this parameter to (only) give some local netwoks access to special local +# - services (but not for all local networks as you can configure later). +# - +# - If you plan to separate local networks (see parameter 'separate_local_networks'), but +# - to allow these networks some special local services, you can also use this parameter. 
+# - +# - Example: +# - allow access from 2001:6f8:107e:64::/64 to https service at 2001:6f8:107e:63::20 +# - allow access from 2001:6f8:107e:64::/64 to ssh service at 2001:6f8:107e:63::20 +# - +# - allow_local_net_to_local_service="2001:6f8:107e:64::/64,2001:6f8:107e:63::20,$standard_https_port,tcp +# - 2001:6f8:107e:64::/64,2001:6f8:107e:63::20,$standard_ssh_port,tcp" +# - +# - Blank separated list +# - +allow_local_net_to_local_service="" + + + +# ============= +# - Allow local ip address from given local network +# ============= + +# - allow_local_net_to_local_ip +# - +# - All traffic from the given network to the given ip address is allowed +# - +# - Example: +# - allow_local_net_to_local_ip="2001:6f8:107e:64::/64,2001:6f8:107e:63::20 +# - 2001:6f8:107e:64::/64,2001:6f8:107e:63::10" +# - +# - Blank separated list +# - +allow_local_net_to_local_ip="" + + + +# ============= +# - Allow local ip address from given local interface +# ============= + +# - allow_local_if_to_local_ip +# - +# - All traffic from the given network interface to the given ip address is allowed +# - +# - Example: +# - allow_local_if_to_local_ip="${local_if_1},2001:6f8:107e:63::20 +# - ${local_if_2},2001:6f8:107e:63::20" +# - +# - Blank separated list +# - +allow_local_if_to_local_ip="" + + + +# ============= +# --- Separate local Networks +# ============= + +# - Don't allow these networks any connections to other local networks +# - +# - Example: +# - separate_local_networks="2001:6f8:107e:63::/64 2001:6f8:107e:64::/64" +# - +# - Blank separated list +# - +separate_local_networks="" + + + +# ============= +# --- Separate local Interfaces +# ============= + +# - Don't allow these networks any connections to other local networks +# - +# - Example: +# - separate_local_networks="$local_if_1 $local_if_2" +# - +separate_local_ifs="" + + + +# ============= +# --- Traffic Shaping +# ============= + +TRAFFIC_SHAPING=false + +RATE_UP=10000 +LIMIT_UP=$(expr $RATE_UP / 100 \* 85) + +LIMIT_CLASS=$(expr 
$LIMIT_UP / 7) + +RTP_PORTS_START=49152 +RTP_PORTS_END=49408 +SIP_PORT_REMOTE=5060 +SIP_PORT_LOCAL=5067 +SIP_LOCAL_IP="2001:6f8:107e:63::240" +STUN_PORTS=3478 + +TC_DEV=$ext_if_static_1 + + + +# ============= +# ---- Allow Forwarding (private) IPs / IP-Ranges +# ============= + +# - Maybe useful in case of virtual hosts with private addresses or +# - if using a vpn network to forward into private areas. +# - +# - Note: this rules takes affect before rules to protect against +# - unwanted packages e.g. blocking private addresses on +# - externel interfaces. +# - +# - Note: you can specify networks using CIDR notation +# - like "192.168.2.0/24" +# - +forward_private_ips="" + + + +# ============= +# --- Services local machine / local networksa +# ============= + +# ====== +# - IPv4 over IPv4 +# ====== + + +# ====== +# - VPN Service +# ====== + +# - VPN Service on Gateway? +local_vpn_service=true +vpn_gw_ports="1194 1195 1196" + +# - VPN Services DMZ (reachable also from WAN) +# - +# - http_server_dmz_arr[]= +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - vpn_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1 +# - vpn_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1 +# - +# - Multiple settins of this parameter is possible +# - +declare -A vpn_server_dmz_arr + +# - Local VPN Ports +# - +# - Blank separated list +vpn_local_net_ports="1194" + + +# ====== +# - DHCP Service +# ====== + +# - DHCP Server Gateway +# - +local_dhcp_service=true + +# - Are DHCP Failover Servers present? 
+# - +# - Balnk separated list +# - +dhcp_failover_server_ips="" + +dhcp_failover_port=647 + + +# ====== +# - DNS Service +# ====== + +# - DNS Service Gateway +local_dns_service=true + +# - DNS Server local Networks +# - +# - Blank separated list +dns_server_ips="" + + +# ====== +# - SSH +# ====== + +# - SSH Service Gateway +# - +local_ssh_service=true + + +# - SSH Services DMZ (reachable also from WAN) +# - +# - ssh_server_dmz_arr[]= +# - +# - Note: +# - Each extern interface can have only one service on a certain port. +# - +# - ssh_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1 +# - ssh_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1 +# - +# - Multiple settins of this parameter is possible +# - +declare -A ssh_server_dmz_arr +ssh_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1 + + +# - SSH Ports +# - +# - blank separated list +# - +ssh_ports="22" + + +# ====== +# - HTTP(S) Service +# ====== + +# - HTTP(S) Service Gateway +# - +local_http_service=false + + +# - HTTP(S) Services only locale Networks +# - +# - Blank separated list +# - +http_server_only_local_ips="" + + +# - HTTP(S) Services DMZ (reachable also from WAN) +# - +# - http_server_dmz_arr[]= +# - +# - Example: +# - +# - http_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1 +# - http_server_dmz_arr[2001:6f8:107e:63::90]=$ext_if_static_1 +# - +# - WebServer Luna: 2001:6f8:107e:63::20 (ppp-ckubu = $ext_if_dsl_1) +# - +# - Multiple settins of this parameter is possible +# - +declare -A http_server_dmz_arr + + +# - HTTPS Services DMZ only port 443 (reachable also from WAN) +# - +# - http_ssl_server_dmz_arr[]= +# - +# - +# - http_ssl_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static1 +# - http_ssl_server_dmz_arr[2001:6f8:107e:64::90]=$ext_if_static_2 +# - +# - Multiple settins of this parameter is possible +# - +declare -A http_ssl_server_dmz_arr + + +# - HTTP(S) Ports +# - +# - comma separated list +# - +http_ports="80,443" + + +# ====== +# - Mail Services +# ====== + +# - Mailserver 
(SMTP(POP/IMAP) Gateway +# - +# - NOT YET IMPLEMENTED +# - +#local_mail_service=false + + +# - Mail Services smtp,smtps/pop(s)/imap(s) only local Networks +# - +# - comma separated list +# - +mail_server_only_local_ips="" + + +# - Mails Services DMZ smtp,smtps/pop(s)/imap(s) (reachable also from WAN) +# - +# - mail_server_dmz_arr[]= +# - +# - Multiple declarations are possible +# - +# - Example: +# - Mail Server: 2001:6f8:107e:63::20 incomming on ppp-st ($ext_if_static_1) +# - +# - mail_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2 +# - +declare -A mail_server_dmz_arr + + +# - Mail client ports (smtps/pop(s)/imap(s) +# - +# - comma separated list +# - +mail_user_ports="587,465,110,995,143,993" + + +# - Mail Server (local Networks) SMTP Port +# - +mail_smtp_port="$standard_smtp_port" + + +# ====== +# - FTP Service +# ====== + +# - FTP Service Gateway +# - +local_ftp_service=false + +# - FTP Server at local Networks +# - +# - comma separated list +# - +ftp_server_only_local_ips="" + +# - FTP Service DMZ +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - ftp_server_dmz_arr[]= +# - ftp_passive_port_range= +# - +declare -A ftp_server_dmz_arr +#ftp_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1 +ftp_passive_port_range="50000:50400" + +# - FTP Ports +# - +# - Hard scriptetd: +# - FTP Control Port: 21 +# - FTP Data Port: 20 + + +# ====== +# - TFTP Service Gateway +# ====== + +# - TFTP Server Gateway (Port udp 69) +local_tftp_service=false + +# - TFTP Server at local Networks +# - +tftp_server_ips="" + +# - TFTF Ports +# - +# - Note: its udp ! +# - +tftp_udp_port=69 + + +# ====== +# - LDAP Service +# ====== + +# - Is this a LDAP Server ? 
+# - +local_ldap_service=false + +# - LDAP Service local Networks +# - +# - Ports: 389 udp +# - 389 tcp +# - +# - Ports LDAP SSL: 636 tcp +# - +ldap_server_local_ips="" +ldap_udp_ports="389" +ldap_tcp_ports="389 636" + + +# ====== +# - Samba Service +# ====== + +# - Samba Server Gateway +# - +local_samba_service=false + +# - Samba Service +# - +# - Ports: 137,138 udp +# - 139,445 tcp +# - +samba_udp_ports="137:138" +samba_tcp_ports="137 138 139 445" + +# - Samba Service local networks +# - +samba_server_local_ips="" + +# - Samba Service DMZ +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - samba_server_dmz_arr[]= +# - +# - Multiple settins of this parameter is possible +# - +declare -A samba_server_dmz_arr + + +# ====== +# - NTP Service +# ====== + +# - NTP Service Gateway +# - +local_ntp_service=true + + +# ====== +# - SNMP Service +# ====== + +# - SNMP services local Networks +# - +snmp_server_ips="" + +# - SNMP Port +# - +snmp_port="161" + + +# ====== +# - Mumble Service +# ====== + +# - NOT YET IMPLEMENTED + +# - Mumble ports +mumble_ports="64738" + + +# ====== +# - XyMon Service +# ====== + +# - XyMon Service Gateway (usually TCP port 1984) +# - +local_xymon_server=false + +# - XyMon Service (usually TCP port 1984) +# - +# - Blank separated list of ip's +# - +xymon_server_ips="" +local_xymon_client="" + +# - XyMon Ports +# - +xymon_port=1984 + + +# ====== +# - Munin Service +# ====== + +# - Munin Service Gateway (usually TCP port 4949) +# - +local_munin_server=false + + +# - If 'local_munin_server=' provide service also to inet? +# - +provide_munin_service_to_inet=false +munin_remote_port="4949" + + +# - Munin Server local Networks (usually TCP port 4949) +# - +# - Blank separated list +# - +munin_local_server_ips="" + + +# - Munin Remote Server +# - +# - Note: +# - The munin server himself initiates the connection to the concerning clients. 
+# - In case of natted (local) networks you have to also nat the incomming +# - requests from munin server. +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - munin_local_client_ip_arr[]= +# - +# - Multiple settins of this parameter is possible +# - +#munin_remote_server="2a01:30:1fff:a::163" +munin_remote_server="" +declare -A munin_local_client_ip_arr +#munin_local_client_ip_arr[2001:6f8:107e:63::20]=$ext_if_dsl_1 + +# - Munin Port +# - +munin_local_port=4949 + + +# ====== +# - PowerChut Network Shutdown (PCNS) +# ====== + +# - PCNS local Services +# - +pcns_server_ips="" + +# - local USV +# - +usv_ip="" + +# - PCNS Ports +# - +# - Webinterface (https): tcp 6547 +# - Connection usv: tcp/udp 3052 +# - +pcns_tcp_port=3052 +pcns_udp_port=3052 +pcns_web_port=6547 + + +# ====== +# - Remote Console (VNC Service) +# ====== + +# - VNC Service local network +# +# - Blank separated list +# - +rm_server_ips="" + +# - VNC Service DMZ +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - rm_server_dmz_arr[]= +# - +# - Multiple settins of this parameter is possible +# - +declare -A rm_server_dmz_arr + +# - Remote Console (VNC) Port +# - +remote_console_port=5900 + + +# ====== +# - Ubiquiti Unifi +# ====== + +# - Notice: +# - The Accesspoint IP is not needed (i think so), because the +# - AP uses port 8080 for cummunication with the controller, and +# - this port will be configured with the rules concerning the +# - controllers. 
+# - +# - again: setting unifi_ap_local_ips is not needed +#unifi_ap_local_ips="2001:6f8:107e:64::50" + +unifi_controller_gateway_ips="" +unify_controller_local_net_ips="" +unify_controller_ports="8080,8443" + +provide_hotspot=true +hotspot_ports="8880,8843" + + +# ====== +# - IPMI Tools +# ====== + +# - IPMI Tools local Networks +# - +# - Blank seoarated list +# - +ipmi_server_ips="" + +# - IPMI Tools Port +# - +# - UDP 623: Access IPMI Programms (as IPMIView or FreeIPMI) +# - TCP 623: Virtual Media for Remote Console +# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM." +# - +ipmi_udp_port=623 +ipmi_tcp_ports="623 3520" + + +# ============= +# - Rsync Out for given src ip-addresses +# ============= + +# - Rsync Protocol +# - +# - The given server address (from local network) can access rsyncd at (any) remote machine +# - +# - Needed for some integrated provider of clamav-unofficial-sigs +# - +rsync_out_ips="" +rsync_ports="873" + +# - rsync out from this machine? +# - +local_rsync_out=false + + + +# ============= +# - Printer +# ============= + +# - IP Addresses Printer +# - +# - Blank separated list +# - +printer_ips="" + + + +# ============= +# --- Scanner +# ============= + +# ====== +# - Brother (brscan) +# ====== + +# - IP Adresses Brother Scanner +# - +# - Blank seoarated list +# - +brother_scanner_ips="" +brscan_port=54921 + + + +# ============= +# --- Telefon Systems +# ============= + +# - IP Adresses Telephone Systems (Telefonanlagen) +# - +# - Dont't foregt to add ip-adresses also to http(s) service if the +# - systems provide webinterfaces! +# - +tele_sys_ips="" +tele_sys_remote_sip_server_port=5060 +tele_sys_local_sip_server_port=5067 +allow_between_tele_systems=false + +VOIP_PORTS="69 5000:5099 7775 32000:32512" +# - TFTP=69 (used from telephones getting their connection data / firmwareupdate ) +# - RTP_PORTS= UDP i.e. 
5000:5099 or here +# - RTP_PORTS_END=5099 +#SIP_PORT_REMOTE=5060 +#SIP_PORT_LOCAL=5067 +#SIP_LOCAL_IP=192.168.63.240 +#STUN_PORTS=3478 +udp_voip_ports="7775 5000:5099" + + +# ===== +# - Telekom Internet TV (Entertain) +# ===== + +telekom_internet_tv=false +tv_ip="2001:6f8:107e:63::5" +tv_extern_if="eth2.8" +tv_local_if="$local_if_1" + + + +# ====== +# - Other local Services +# ====== + +# - You can configure further local services here. +# - +# - other_services=",, [,, [.." +# - +# - Blank seperated list +# - +other_services="" + + +# ============= +# --- Destination NAT +# ============= + + +# ============= +# --- Portforwarding +# ============= + +# - Portforwarding TCP +# - +# - portforward_tcp=",,," +# - +# - Multiple declarations are possible +# - +# - Example: +# - portforward_tcp="$ext_if_static_1,9997,2001:6f8:107e:63::20,22 +# - $ext_if_static_1,9998,2001:6f8:107e:63::90,22" +# - +# - Blank separated list +# - +portforward_tcp="" + + +# - Portforwarding UDP +# - +# - portforward_udp=",,," +# - +# - Multiple declarations are possible +# - +# - Example: +# - portforward_udp="$ext_if_static_1,1094,2001:6f8,107e:63::90,1094 +# - $ext_if_static_1,9999,2001:6f8,107e:63::90,1095" +# - +# - Blank separated list +# - +portforward_udp="" + + + +# ============= +# --- Basic behavior +# ============= + +# === +# = Services allowed out to the world wide web +# === + +allow_ssh_request_out=true +allow_http_request_out=true +allow_smtp_request_out=true +allow_mail_request_out=true +allow_ftp_request_out=true +allow_tftp_request_out=true +allow_ntp_request_out=true +allow_timeserver_request_out=true +allow_pgpserver_request_out=true +allow_telnet_request_out=true +allow_whois_request_out=true +allow_cpan_wait_request_out=true +allow_hbci_request_out=true +allow_jabber_request_out=true +allow_silc_request_out=true +allow_irc_request_out=true +allow_mysql_request_out=true +allow_ipmi_request_out=true +allow_remote_console_request_out=true + +allow_samba_requests_out=true + 
+allow_vpn_out=true +vpn_out_ports="1194 1195 1196" + + +# === +# = Services allowed between local networks +# === + +# - These Parameters are only considered, if traffic +# - between local networks are not permitted, thats +# - if 'permit_between_local_networks=false' (see below). +# - +allow_ssh_between_local_nets=true +allow_samba_between_local_nets=false +allow_ldap_between_local_nets=false +allow_printing_between_local_nets=false +allow_scanning_between_local_nets=true + + +# === +# = Other Parameters +# === + +# - Permit internet access to all machines at local network +# - Does not include this server itself +# - +permit_local_net_to_inet=false + +# - Do not block any traffic between local machines +# - +permit_between_local_networks=false + +# - Do not block any ICMP traffic +# - +permit_all_icmp_traffic=true + +# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine. +# - +# - Maybe useful for testing purpose with telnet or openssl +# - +provide_mailservice_from_local=true + +# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. 
+# - +create_iperf_rules=false + + + +# ============= +# - MAC Address Filtering +# ============= + +# - MAC Addreses alowed to all destinations (gateway, remote, local networks) +# - +# - Blank separated list +# - +allow_all_mac_src_addresses="" + +# - MAC Addreses alowed to local networks (gateway, local networks) +# - +# - Blank separated list +# - +allow_local_mac_src_addresses="" + + +# - MAC Addreses alowed to remote networks +# - +# - Blank separated list +# - +allow_remote_mac_src_addresses="" + + + + +# ============= +# --- Block IP's / IP-Ranges +# ============= + +# - Blank separated list +# - +blocked_ips="" + + +# ============= +# --- Block Ports on extern Interfaces +# ============= + +# - Generally (for all interfaces) block this ports +# - +# - Portmapper +# - tcp 111 +# - udp 111 +# - +# - Authentication tap ident +# - tcp 113 +# - +# - Location Service +# - tcp 135 +# - +# - Windows Stuff +# - tcp 137:139 +# - udp 137:139 +# - tcp 445 +# - +block_tcp_ports="111 135 631" +block_udp_ports="111" +if ! $allow_samba_requests_out ; then + block_tcp_ports="$block_udp_ports 137:139 445" + block_udp_ports="$block_udp_ports 137:139" +fi + +block_ident=true + + +# ============= +# - Packets not wanted on gateway on local Interfaces +# ============= + +not_wanted_on_gw_tcp_ports="111 113 135 631" +not_wanted_on_gw_udp_ports="111 631" +if ! 
$local_samba_service ; then + not_wanted_on_gw_tcp_ports="$not_wanted_on_gw_tcp_ports 137:139 445" + not_wanted_on_gw_udp_ports="$not_wanted_on_gw_udp_ports 137:139" +fi + +not_wanted_ident=true + + +# ============= +# --- Router +# ============= + +# - Set to "true" to secure/tune the kernel +# - +adjust_kernel_parameters=true + +# - Protection against several attacks +# - +protect_against_several_attacks=true + + + +# ============= +# --- Kernel related - Adjust Kernel Parameters (Security/Tuning) +# ============= + +# - Disable ip forwarding between interfaces +# - +kernel_forward_between_interfaces=true + +# - Deactivate Source Routed Packets +# - +kernel_deactivate_source_route=true + +# - Deactivate sending ICMP redirects +# - +# - ICMP redirects are used by routers to specify better routing paths out of +# - one network, based on the host choice, so basically it affects the way +# - packets are routed and destinations. +# - +kernel_dont_accept_redirects=true + + + + +# ============= +# --- Some further Ports/IP-Address Configuration +# ============= + +# - unpriviligierte Ports +# - +unprivports="1024:65535" + +# unique local address (ULA) - private address block +ula_block="fc00::/7" + +# - Loopback +loopback="::1/128" + diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf new file mode 100644 index 0000000..c8dc0c3 --- /dev/null +++ b/conf/post_decalrations.conf 
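Review bot: In the "Block Ports on extern Interfaces" section the samba branch rebuilds the TCP list from the UDP list, `block_tcp_ports="$block_udp_ports 137:139 445"`, so with `allow_samba_requests_out=false` the TCP ports 135 and 631 declared two lines earlier silently drop out of the external block list; it should read `block_tcp_ports="$block_tcp_ports 137:139 445"`. The gateway address detection at the top, `read -a gateway_ipv6_address_arr <<<$(ifconfig | grep "inet6-Ad" ...)`, matches a locale-specific label ("inet6-Adresse"), so on an English locale the array is empty and every rule keyed on it is built without the gateway's own addresses; `ip -6 -o addr show` gives locale-independent output, and the here-string operand should be quoted. The sample also ships a live `ssh_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_static_1` entry while every other DMZ example is commented out, which means a config copied from this template exposes an SSH host to the WAN unless the line is noticed and removed; comment it out like the others.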
@@ -0,0 +1,418 @@ +#!/usr/bin/env bash + + +# ----------- +# --- Define Arrays +# ----------- + +# --- +# - Masquerade TCP Connections +# --- +declare -a masquerade_tcp_con_arr +for _str in $masquerade_tcp_cons ; do + masquerade_tcp_con_arr+=("$_str") +done + + +# --- +# - Extern Network interfaces (DSL, Staic Lines, All together) +# --- +declare -a dsl_device_arr +declare -a ext_if_arr +for _dev in $ext_ifs_dsl ; do + dsl_device_arr+=("$_dev") + ext_if_arr+=("$_dev") +done +for _dev in $ext_ifs_static ; do + ext_if_arr+=("$_dev") +done + +# --- +# - VPN Interfaces +# --- +declare -a vpn_if_arr +for _dev in $vpn_ifs ; do + vpn_if_arr+=("$_dev") +done + +# --- +# - Local Network Interfaces +# --- +declare -a local_if_arr +for _dev in $local_ifs ; do + local_if_arr+=("$_dev") +done + +# --- +# - Network Interfaces completly blocked +# --- +declare -a blocked_if_arr +for _dev in $blocked_ifs ; do + blocked_if_arr+=("$_dev") +done + +# --- +# - Network Interfaces not firewalled +# --- +declare -a unprotected_if_arr +for _dev in $unprotected_ifs ; do + unprotected_if_arr+=("$_dev") +done + +# --- +# - Allow these local networks any access to the internet +# --- +declare -a any_access_to_inet_network_arr +for _net in $any_access_to_inet_networks ; do + any_access_to_inet_network_arr+=("$_net") +done + +# --- +# - Allow local services from given local networks +# --- +declare -a allow_local_net_to_local_service_arr +for _val in $allow_local_net_to_local_service ; do + allow_local_net_to_local_service_arr+=("$_val") +done + +# --- +# - Allow local ip address from given local network +# --- +declare -a allow_local_net_to_local_ip_arr +for _val in $allow_local_net_to_local_ip ; do + allow_local_net_to_local_ip_arr+=("$_val") +done + +# --- +# - Allow local ip address from given local interface +# --- +declare -a allow_local_if_to_local_ip_arr +for _val in $allow_local_if_to_local_ip ; do + allow_local_if_to_local_ip_arr+=("$_val") +done + +# --- +# - Separate local Networks 
+# --- +declare -a separate_local_network_arr +for _net in $separate_local_networks ; do + separate_local_network_arr+=("$_net") +done + +# --- +# - Separate local Interfaces +# --- +declare -a separate_local_if_arr +for _net in $separate_local_ifs ; do + separate_local_if_arr+=("$_net") +done + +# --- +# - Generally block ports on extern interfaces +# --- +declare -a block_tcp_port_arr +for _port in $block_tcp_ports ; do + block_tcp_port_arr+=("$_port") +done + +declare -a block_udp_port_arr +for _port in $block_udp_ports ; do + block_udp_port_arr+=("$_port") +done + +# --- +# - Not wanted on intern interfaces +# --- +declare -a not_wanted_on_gw_tcp_port_arr +for _port in $not_wanted_on_gw_tcp_ports ; do + not_wanted_on_gw_tcp_port_arr+=("$_port") +done + +declare -a not_wanted_on_gw_udp_port_arr +for _port in $not_wanted_on_gw_udp_ports ; do + not_wanted_on_gw_udp_port_arr+=("$_port") +done + +# --- +# - Private IPs / IP-Ranges allowed to forward +# --- +declare -a forward_private_ip_arr +for _ip in $forward_private_ips ; do + forward_private_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses to log +# --- +declare -a log_ip_arr +for _ip in $log_ips ; do + log_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses DHCP Failover Server +# --- +declare -a dhcp_failover_server_ip_arr +for _ip in $dhcp_failover_server_ips ; do + dhcp_failover_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses DNS Server +# --- +declare -a dns_server_ip_arr +for _ip in $dns_server_ips ; do + dns_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses HTTP Server only local Networks +# --- +declare -a http_server_only_local_ip_arr +for _ip in $http_server_only_local_ips ; do + http_server_only_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Mail Server only local Networks +# --- +declare -a mail_server_only_local_ip_arr +for _ip in $mail_server_only_local_ips ; do + mail_server_only_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses FTP Server +# --- +declare -a 
ftp_server_only_local_ip_arr +for _ip in $ftp_server_only_local_ips ; do + ftp_server_only_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Samba Server +# --- +declare -a samba_server_local_ip_arr +for _ip in $samba_server_local_ips ; do + samba_server_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses LDAP Server +# --- +declare -a ldap_server_local_ip_arr +for _ip in $ldap_server_local_ips ; do + ldap_server_local_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses Telephone Systems +# --- +declare -a tele_sys_ip_arr +for _ip in $tele_sys_ips ; do + tele_sys_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses SNMP Server +# --- +declare -a snmp_server_ip_arr +for _ip in $snmp_server_ips ; do + snmp_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses Munin Service +# --- +declare -a munin_local_server_ip_arr +for _ip in $munin_local_server_ips ; do + munin_local_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses XyMon +# --- +declare -a xymon_server_ip_arr +for _ip in $xymon_server_ips ; do + xymon_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses IPMI interface +# --- +declare -a ipmi_server_ip_arr +for _ip in $ipmi_server_ips ; do + ipmi_server_ip_arr+=("$_ip") +done + +# --- +# -IP Addresses Ubiquiti Unifi Accesspoints +# --- +declare -a unifi_ap_local_ip_arr +for _ip in $unifi_ap_local_ips ; do + unifi_ap_local_ip_arr+=("$_ip") +done +declare -a unifi_controller_gateway_ip_arr +for _ip in $unifi_controller_gateway_ips ; do + unifi_controller_gateway_ip_arr+=("$_ip") +done +declare -a unify_controller_local_net_ip_arr +for _ip in $unify_controller_local_net_ips ; do + unify_controller_local_net_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Printer +# - +declare -a printer_ip_arr +for _ip in $printer_ips ; do + printer_ip_arr+=("$_ip") +done + + +# --- +# - IP Adresses Brother Scanner (brscan) +# --- +declare -a brother_scanner_ip_arr +for _ip in $brother_scanner_ips ; do + brother_scanner_ip_arr+=("$_ip") +done + +# --- +# - IP 
Addresses PCNS Server +# --- +declare -a pcns_server_ip_arr +for _ip in $pcns_server_ips ; do + pcns_server_ip_arr+=("$_ip") +done + + +# --- +# - IP Addresses VNC Service +# --- +declare -a rm_server_ip_arr +for _ip in $rm_server_ips ; do + rm_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Rsync Out +# --- +# local +declare -a rsync_out_ip_arr +for _ip in $rsync_out_ips ; do + rsync_out_ip_arr+=("$_ip") +done + +# --- +# - Other local Services +# --- +declare -a other_service_arr +for _val in $other_services ; do + other_service_arr+=("$_val") +done + +# --- +# - SSH Ports +# --- +declare -a ssh_port_arr +for _port in $ssh_ports ; do + ssh_port_arr+=("$_port") +done + +# --- +# - VPN Ports +# --- +declare -a vpn_gw_port_arr +for _port in $vpn_gw_ports ; do + vpn_gw_port_arr+=("$_port") +done +declare -a vpn_local_net_port_arr +for _port in $vpn_local_net_ports ; do + vpn_local_net_port_arr+=("$_port") +done +declare -a vpn_out_port_arr +for _port in $vpn_out_ports ; do + vpn_out_port_arr+=("$_port") +done + +# --- +# - Rsync Out Ports +# -- +declare -a rsync_port_arr +for _port in $rsync_ports ; do + rsync_port_arr+=("$_port") +done + +# --- +# - Samba Ports +# --- + +declare -a samba_udp_port_arr +for _port in $samba_udp_ports ; do + samba_udp_port_arr+=("$_port") +done + +declare -a samba_tcp_port_arr +for _port in $samba_tcp_ports ; do + samba_tcp_port_arr+=("$_port") +done + +# --- +# - LDAP Ports +# --- + +declare -a ldap_udp_port_arr +for _port in $ldap_udp_ports ; do + ldap_udp_port_arr+=("$_port") +done + +declare -a ldap_tcp_port_arr +for _port in $ldap_tcp_ports ; do + ldap_tcp_port_arr+=("$_port") +done + +# --- +# - IPMI +# --- + +declare -a ipmi_tcp_port_arr +for _port in $ipmi_tcp_ports ; do + ipmi_tcp_port_arr+=("$_port") +done + + +# --- +# - Portforwrds TCP +# --- +declare -a portforward_tcp_arr +for _str in $portforward_tcp ; do + portforward_tcp_arr+=("$_str") +done + +# --- +# - Portforwrds UDP +# --- +declare -a portforward_udp_arr 
+for _str in $portforward_udp ; do + portforward_udp_arr+=("$_str") +done + +# --- +# - MAC Address Filtering +# --- +declare -a allow_all_mac_src_address_arr +for _mac in $allow_all_mac_src_addresses ; do + allow_all_mac_src_address_arr+=("$_mac") +done + +declare -a allow_local_mac_src_address_arr +for _mac in $allow_local_mac_src_addresses ; do + allow_local_mac_src_address_arr+=("$_mac") +done + +declare -a allow_remote_mac_src_address_arr +for _mac in $allow_remote_mac_src_addresses ; do + allow_remote_mac_src_address_arr+=("$_mac") +done + diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway new file mode 100755 index 0000000..cd08c92 --- /dev/null +++ b/ip6t-firewall-gateway 
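Review bot: Every list here is split with an unquoted expansion such as `for _str in $portforward_udp ; do`, which applies pathname expansion as well as word splitting, so an entry containing `*` or `?` (a typo in a port range, or a wildcard someone tries in `blocked_ips`) is replaced by whatever filenames happen to match in the firewall script's working directory before it ever reaches the rules. Wrap the file in `set -f` at the top and `set +f` at the bottom so splitting happens without globbing; `read -r -a` is not a drop-in replacement because the sample configs spread lists over several lines. The same eight-line pattern is repeated roughly forty times; a single helper (`list_to_array name "$list"` using a `local -n` nameref, bash 4.3+) would make the behaviour uniform and keep the `_str`/`_dev`/`_ip` loop variables from leaking into the sourcing script. The file name `post_decalrations.conf` is misspelled but referenced verbatim from both gateway scripts, so renaming it has to be done in all three places at once.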
@@ -0,0 +1,3113 @@
+#!/usr/bin/env bash
+
+### BEGIN INIT INFO
+# Provides: ip6t-firewall
+# Required-Start: $local_fs $remote_fs $syslog $network $time
+# Required-Stop: $local_fs $remote_fs $syslog $network
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: IPv6 Firewall
+### END INIT INFO
+
+
+# -------------
+# - Settings
+# -------------
+
+ipt_conf_dir="/etc/ipt-firewall"
+
+inc_functions_file="${ipt_conf_dir}/include_functions.conf"
+
+load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
+
+conf_logging=${ipt_conf_dir}/logging_ipv6.conf
+conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
+conf_default_ports=${ipt_conf_dir}/default_ports.conf
+conf_main=${ipt_conf_dir}/main_ipv6.conf
+conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
+
+# -------------
+# - Some checks and preloads..
+# -------------
+
+ip6t=$(which ip6tables)
+
+if [[ -z "$ip6t" ]] ; then
+ echo ""
+ echo -e "\tiptables was not found on this server!"
+ echo
+ echo -e "\tFirewall Script was stopped!"
+ echo
+ exit 1
+fi
+
+if [[ ! -f "$inc_functions_file" ]] ; then
+ echo ""
+ echo -e "\tMissing include file '$inc_functions_file'"
+ echo
+ echo -e "\tFirewall Script was stopped!"
+ echo
+ exit 1
+else
+ source $inc_functions_file
+fi
+
+if [[ ! -f "$load_modules_file" ]]; then
+ warn "No modules for loading configured. Missing file '$load_modules_file'!"
+else
+
+ while read -r module ; do
+ if ! lsmod | grep -q -E "^$module\s+" ; then
+ /sbin/modprobe $module > /dev/null 2>&1
+ if [[ "$?" != "0" ]]; then
+ warn "Loading module '$module' failed!"
+ fi
+ fi
+ done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
+
+fi
+
+if [[ ! -f "$conf_logging" ]]; then
+ fatal "Missing configuration for logging - file '$conf_logging'"
+else
+ source $conf_logging
+fi
+
+if [[ ! 
-f "$conf_default_ports" ]]; then
+ fatal "Missing configuration for default_ports - file '$conf_default_ports'"
+else
+ source $conf_default_ports
+fi
+
+if [[ ! -f "$conf_interfaces" ]]; then
+ fatal "Missing interface configurations - file '$conf_interfaces'"
+else
+ source $conf_interfaces
+fi
+
+if [[ ! -f "$conf_main" ]]; then
+ fatal "Missing main configurations - file '$conf_main'"
+else
+ source $conf_main
+fi
+
+if [[ ! -f "$conf_post_declarations" ]]; then
+ fatal "Missing post declarations - file '$conf_post_declarations'"
+else
+ source $conf_post_declarations
+fi
+
+
+echo
+if $terminal ; then
+ echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m"
+else
+ echo "Starting firewall iptables (IPv4).."
+fi
+echo
+
+
+
+# -------------
+# --- Activate IP Forwarding
+# -------------
+
+# ---
+# - Enable/Disable ip forwarding between interfaces
+# ---
+if $kernel_forward_between_interfaces ; then
+ echononl "\tActivate Forwarding.."
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+else
+ echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
+ echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+fi
+
+echo_done
+
+
+# -------------
+# --- Adjust Kernel Parameters
+# -------------
+
+echononl "\tAdjust Kernel Parameters (Security/Tuning).."
+
+if $adjust_kernel_parameters ; then
+
+ # ---
+ # - Deactivate Source Routed Packets
+ # ---
+ for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do
+ if $kernel_deactivate_source_route ; then
+ echo 0 > $asr
+ fi
+ done
+
+
+ # ---
+ # - Deactivate sending ICMP redirects
+ # ---
+ if $kernel_dont_accept_redirects ; then
+ echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects
+ fi
+
+ echo_done # Adjust Kernel Parameters (Security/Tuning)
+else
+ echo_skipped
+
+fi
+
+
+
+# -------------
+# --- Set default policies / Flush Rules
+# -------------
+
+echo
+echononl "\tFlushing firewall iptable (IPv6).."
+
+# - default policies
+# -
+$ip6t -P INPUT ACCEPT
+$ip6t -P OUTPUT ACCEPT
+$ip6t -P FORWARD ACCEPT
+
+## - flush chains
+## -
+$ip6t -F
+$ip6t -F INPUT
+$ip6t -F OUTPUT
+$ip6t -F FORWARD
+$ip6t -F -t mangle
+$ip6t -F -t nat
+$ip6t -F -t raw
+$ip6t -X
+$ip6t -Z
+
+$ip6t -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+echo_done # Flushing firewall iptable (IPv6)..
+echo
+
+
+# -------------
+# - Log given IP Addresses
+# -------------
+
+echononl "\tLog given IP Addresses"
+if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
+ for _ip in ${log_ip_arr[@]} ; do
+ $ip6t -A INPUT -s $_ip -j LOG --log-prefix "$_ip IN: " --log-level $log_level
+ $ip6t -A OUTPUT -d $_ip -j LOG --log-prefix "$_ip OUT: " --log-level $log_level
+ $ip6t -A FORWARD -s $_ip -j LOG --log-prefix "$_ip FORWARD FROM: " --log-level $log_level
+ $ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$_ip FORWARD TO: " --log-level $log_level
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- ICMP Traffic (i.e. ping requests)
+# -------------
+
+echononl "\tPermit all ICMP IPv6 traffic.."
+if $permit_all_icmp_traffic ; then
+ $ip6t -A INPUT -p ipv6-icmp -j ACCEPT
+ $ip6t -A OUTPUT -p ipv6-icmp -j ACCEPT
+ $ip6t -A FORWARD -p ipv6-icmp -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- Stopping firewall if only flushing was requested (parameter flush)
+# -------------
+
+case $1 in
+ flush)
+ warn No firewall rules are active!
+ exit 0;;
+esac
+
+
+# ---
+# - Stop here, if no extern interface is configured
+# ---
+
+if [[ ${#ext_if_arr[@]} -lt 1 ]] ; then
+ fatal "No extern Interface is configured!"
+fi
+
+
+
+# -------------
+# --- Pass through Devices Interfaces (not firewalled)
+# -------------
+
+if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
+ echononl "\tPass through Devices (not firewalled)"
+ for _dev in ${unprotected_if_arr[@]} ; do
+ if $log_unprotected || $log_all ; then
+ $ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ $ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ $ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ fi
+ fi
+ $ip6t -A INPUT -i $_dev -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -j ACCEPT
+ fi
+ done
+ echo_done
+fi
+
+
+
+# -------------
+# --- Block IPs / Networks / Interfaces
+# -------------
+echononl "\tBlock IPs / Networks / Interfaces.."
+
+
+# ---
+# - Block IPs
+# ---
+
+for _ip in $blocked_ips ; do
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_blocked_ip || $log_all ; then
+ $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ fi
+ fi
+ $ip6t -A INPUT -i $_dev -s $_ip -j DROP
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -s $_ip -j DROP
+ fi
+ done
+done
+
+
+# ---
+# - Block Interfaces
+# ---
+
+for _if in ${blocked_if_arr[@]} ; do
+ if $log_blocked_if || $log_all ; then
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ $ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ fi
+ $ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ $ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ fi
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_if -j DROP
+ $ip6t -A FORWARD -o $_if -j DROP
+ fi
+ $ip6t -A INPUT -i $_if -j DROP
+ $ip6t -A OUTPUT -o $_if -j DROP
+done
+
+echo_done # Block IPs / Networks / Interfaces..
+
+
+# ---
+# - Allow Forwarding certain private Addresses
+# ---
+
+echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
+if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${forward_private_ip_arr[@]}; do
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -d $_ip -j ACCEPT
+ $ip6t -A FORWARD -s $_ip -j ACCEPT
+ echo_done
+ else
+ echo_skipped
+ fi
+ done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- Protections against several attacks / unwanted packages
+# -------------
+echo
+echononl "\tProtections against several attacks / unwanted packages.."
+
+if $protect_against_several_attacks ; then
+
+ # ---
+ # - Protection against syn-flooding
+ # ---
+
+ $ip6t -N syn-flood
+ $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
+ if $log_syn_flood || $log_all ; then
+ $ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
+ fi
+ $ip6t -A syn-flood -j DROP
+
+
+ # ---
+ # - drop new packages without syn flag
+ # ---
+
+ if $log_new_not_sync || $log_all ; then
+ $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
+ $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
+ fi
+ fi
+ $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+ $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -p tcp ! 
--syn -m state --state NEW -j DROP
+ fi
+
+
+ # ---
+ # - drop invalid packages
+ # ---
+
+ if $log_invalid_state || $log_all ; then
+ $ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
+ fi
+ fi
+ $ip6t -A INPUT -m state --state INVALID -j DROP
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -m state --state INVALID -j DROP
+ fi
+
+
+ # ---
+ # - ungewöhnliche Flags verwerfen
+ # ---
+
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_invalid_flags || $log_all ; then
+ $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
+ $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
+ $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
+ $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
+ $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
+ fi
+ fi
+ $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
+ $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
+ $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ $ip6t 
-A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ fi
+ done
+
+
+ # ---
+ # - Refuse private addresses on extern interfaces
+ # ---
+
+ # - Refuse spoofed packets pretending to be from your IP address.
+ if $log_spoofed || $log_all ; then
+ for _ip in ${ext_ip_arr[@]} ; do
+ $ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
+ fi
+ done
+ fi
+ for _ip in ${ext_ip_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
+ if $kernel_forward_between_interfaces ; then
+ $ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
+ fi
+ done
+
+
+ # - private Adressen auf externen interface verwerfen
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_spoofed || $log_all ; then
+ $ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
+ $ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
+ $ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
+ fi
+ fi
+ $ip6t -A INPUT -i $_dev -s $ula_block -j DROP
+ $ip6t -A INPUT -i $_dev -s $loopback -j DROP
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
+ $ip6t -A FORWARD -i $_dev -s $loopback -j DROP
+ fi
+
+ # Don't allow spoofing from that server
+ $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
+ $ip6t -A OUTPUT -o $_dev -s $loopback -j DROP
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
+ $ip6t -A FORWARD -o $_dev -s $loopback -j DROP
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# 
-------------
+# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]})
+# -------------
+
+if $log_voip || $log_all ; then
+ for _ip in ${tel_sys_ip_arr[@]} ; do
+ $ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
+ done
+fi
+#for _PORT in ${VOIP_PORTS} ; do
+# $ip6t -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
+#done
+
+
+# -------------
+# ------------- Stopping firewall here if requested (parameter stop)
+# -------------
+
+
+case $1 in
+ sto*)
+ echo
+ if $terminal ; then
+ echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
+ else
+ echo "Stop was requested. No more firewall rules.."
+ fi
+ echo
+ exit 0;;
+esac
+
+
+echo
+
+
+# -------------
+# --- iPerf
+# -------------
+
+# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
+# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
+# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
+
+echononl "\tCreate \"iPerf\" rules.."
+if $create_iperf_rules ; then
+ $ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT
+ $ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT
+ #
+ $ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT
+ $ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT
+ $ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Drop packets not wanted on gateway
+# ---
+
+echononl "\tDrop packets not wanted on gateway"
+
+for _dev in ${local_if_arr[@]} ; do
+ if $log_not_wanted || $log_all ; then
+ if $not_wanted_ident ; then
+ $ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
+ fi
+ for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
+ done
+ for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
+ done
+ fi
+ if $not_wanted_ident ; then
+ $ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset
+ fi
+ for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -p tcp --dport $_port -j DROP
+ done
+ for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -p udp --dport $_port -j DROP
+ done
+done
+
+echo_done
+
+
+# -------------
+# --- Generally prohibited from WAN
+# -------------
+
+echononl "\tGenerally prohibited from WAN"
+
+for _dev in ${ext_if_arr[@]} ; do
+ if $log_prohibited || $log_all ; then
+ if $block_ident ; then
+ $ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. 
prohibited: " --log-level $log_level
+ fi
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ if $kernel_forward_between_interfaces ; then
+ if $block_ident ; then
+ $ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ fi
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ fi
+ fi
+ if $block_ident ; then
+ $ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
+ fi
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP
+ done
+ if $kernel_forward_between_interfaces ; then
+ if $block_ident ; then
+ $ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
+ fi
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP
+ done
+ fi
+done
+
+echo_done
+echo
+
+
+# -------------
+# --- Traffic generally allowed
+# -------------
+
+echononl "\tLoopback device generally allowed.."
+
+# ---
+# - Loopback device
+# ---
+
+$ip6t -A INPUT -i lo -j ACCEPT
+$ip6t -A OUTPUT -o lo -j ACCEPT
+
+echo_done
+
+
+# ---
+# - Allow all Traffic from source mac-address
+# ---
+
+echononl "\tAllow all Traffic from MAC Source-Address"
+
+if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then
+ for _mac in ${allow_all_mac_src_address_arr[@]} ; do
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Allow local Traffic from source mac-address
+# ---
+
+echononl "\tAllow local Traffic from MAC Source-Address"
+
+
+if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then
+ for _mac in ${allow_local_mac_src_address_arr[@]} ; do
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Allow remote Traffic from source mac-address
+# ---
+
+echononl "\tAllow remote Traffic from MAC Source-Address"
+
+
+if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then
+ for _mac in ${allow_remote_mac_src_address_arr[@]} ; do
+ for _dev in ${ext_if_arr[@]} ; do
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Already established connections
+# ---
+
+echononl "\tAccept already established connections.."
+
+$ip6t -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+$ip6t -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+fi
+
+echo_done
+
+
+# ---
+# - Permit all traffic through VPN lines
+# ---
+echononl "\tPermit all traffic through VPN lines.."
+for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ for _local_dev in ${local_if_arr[@]} ; do
+ $ip6t -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+done
+echo_done
+
+
+
+# ---
+# - Telefon Systems
+# ---
+
+echononl "\tAllow all Traffic between Telefon Systems"
+if [[ ${#tele_sys_ip_arr[@]} -gt 1 ]] && $allow_between_tele_systems && ! $permit_between_local_networks ; then
+ for _ip_1 in ${tele_sys_ip_arr[@]} ; do
+ for _ip_2 in ${tele_sys_ip_arr[@]} ; do
+ #[[ "$_ip_1" = "$_ip_2" ]] && continue
+ $ip6t -A FORWARD -s $_ip_1 -d $_ip_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Telefon Systems to remote SIP-Server
+# ---
+
+echononl "\tTelefon System to remote SIP-Server"
+if [[ ${#tele_sys_ip_arr[@]} -gt 0 ]] ; then
+ if [ -z "$tele_sys_remote_sip_server_port" -o -z "$tele_sys_local_sip_server_port" ] ; then
+ echo_failed
+ warn "Local or remote SIP Port not given"!
+ else
+ for _ip in ${tele_sys_ip_arr[@]} ; do
+ $ip6t -A FORWARD -p udp -s $_ip --sport $tele_sys_local_sip_server_port \
+ --dport $tele_sys_remote_sip_server_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - All request from local networks to the internet
+# ---
+
+echononl "\tPermit all traffic from local networks to the internet.."
+if $permit_local_net_to_inet ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Networks not firewalled through extern interfaces
+# ---
+
+echononl "\tAllow these local networks any access to the internet"
+if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _net in ${any_access_to_inet_network_arr[@]}; do
+ for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow local services from given local networks
+# ---
+
+echononl "\tAllow local services from given local networks"
+if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _val in "${allow_local_net_to_local_service_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule. 
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ if [[ "${_val_arr[3]}" = "tcp" ]]; then
+ $ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow local ip address from given local network
+# ---
+
+echononl "\tAllow local ip address from given local network"
+if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _val in ${allow_local_net_to_local_service_arr[@]} ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow local ip address from given local interface
+# ---
+
+echononl "\tAllow local ip address from given local interface"
+if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _val in ${allow_local_if_to_local_ip_arr[@]} ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule. 
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+ echo_ok
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Separate local networks
+# ---
+
+echononl "\tSeparate local networks.."
+if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _net in ${separate_local_network_arr[@]}; do
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A FORWARD -o $_dev -p all -s $_net -j DROP
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Separate local interfaces
+# ---
+
+echononl "\tSeparate local interfaces.."
+if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _dev_1 in ${separate_local_if_arr[@]}; do
+ for _dev_2 in ${local_if_arr[@]} ; do
+ [[ "$_dev_1" = "$_dev_2" ]] && continue
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p all -j DROP
+ $ip6t -A FORWARD -i $_dev_2 -o $_dev_1 -p all -j DROP
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Permit all traffic between local networks
+# ---
+
+echononl "\tPermit all traffic between local networks.."
+if $kernel_forward_between_interfaces ; then
+ if $permit_between_local_networks ; then
+ for _dev_1 in ${local_if_arr[@]} ; do
+ for _dev_2 in ${local_if_arr[@]} ; do
+
+ # - Notice:
+ # - In case of routing multiple netwoks on the same interface or
+ # - using alias interfaces like eth0:0, you need a rule with
+ # - incomming- and outgoing interface are equal!
+ # -
+ # - So DON'T add statement like this:
+ # - [[ "$_dev_2" = "$_dev_1" ]] && continue
+ # -
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule. 
+ # -
+ if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+ done
+ echo_done
+ else
+ echo_skipped
+ fi
+else
+ echo_skipped
+fi
+
+
+
+# -------------
+# --- Services
+# -------------
+
+echo
+if $terminal ; then
+ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
+else
+ echo "Add Rules for Services.."
+fi
+echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
+
+
+# ---
+# - IPv4 over IPv6
+# ---
+
+
+# ---
+# - DHCP
+# ---
+
+echononl "\t\tDHCP"
+
+if $local_dhcp_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
+ $ip6t -A INPUT -p udp -i $_dev --sport 546 --dport 547 -j ACCEPT
+ $ip6t -A OUTPUT -p udp -o $_dev --sport 547 --dport 546 -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DHCP Failover
+# ---
+
+echononl "\t\tDHCP Failover Server"
+if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${dhcp_failover_server_ip_arr[@]} ; do
+ $ip6t -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DNS out only
+# ---
+
+echononl "\t\tDNS out only"
+
+# - Nameservers on the INET must be reachable for the local recursiv nameserver
+# - but also for all others
+# -
+for _dev in ${ext_if_arr[@]} ; do
+ # - out from local and virtual mashine(s)
+ $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ #$ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j 
ACCEPT
+
+ # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
+ if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+ # - forward from virtual mashine(s)
+ $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ #$ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - DNS Service Gateway
+# ---
+
+echononl "\t\tDNS Service Gateway"
+
+# - Local Nameservice
+# -
+if $local_dns_service ; then
+
+ # - Allow requests from local networks
+ # -
+ for _dev in ${local_if_arr[@]} ; do
+ # - in
+ $ip6t -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Zonetransfere (uses tcp/53)
+ #
+ for _ip in ${dns_server_ips[@]} ; do
+ # - out
+ # -
+ # - local master (here) gets request for a zone from slave ($_ip)
+ $ip6t -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - in
+ # -
+ # - local slave (here) requests zone from master ($_ip)
+ $ip6t -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DNS Services at local Network
+# ---
+
+echononl "\t\tDNS Service local Network"
+
+# - Make nameservers at the local network area rechable for all
+# -
+if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${dns_server_ip_arr[@]} ; do
+ $ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - SSH out only
+# ---
+
+echononl "\t\tSSH out only"
+
+if $allow_ssh_request_out && ! 
$permit_local_net_to_inet ; then
+ # - Provide SSH to everywhere (also LAN)
+ for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Service Gateway
+# ---
+
+echononl "\t\tSSH Service Gateway (also from WAN)"
+
+if $local_ssh_service ; then
+ # - Provides SSH in from everywhere
+ for _port in ${ssh_port_arr[@]} ; do
+ $ip6t -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Services DMZ
+# ---
+
+echononl "\t\tSSH Services DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
+ for _ip in "${!ssh_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${ssh_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${ssh_port_arr[@]} ; do
+
+ $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ if $kernel_forward_between_interfaces ; then
+
+ $ip6t -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ # - From intern
+ if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ for _port in ${ssh_port_arr[@]} ; do
+ $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+
+ done
+
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Service between local Netwotks
+# ---
+
+echononl "\t\tSSH Service between local Netwotks"
+if $allow_ssh_between_local_nets ; then
+ if $kernel_forward_between_interfaces ; then
+ for _dev_1 in ${local_if_arr[@]} ; do
+
+ for _port in ${ssh_port_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev_1 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ for _dev_2 in ${local_if_arr[@]} ; do
+
+ if ! $permit_between_local_networks ; then
+ # - Notice:
+ # - In case of routing multiple netwoks on the same interface or
+ # - using alias interfaces like eth0:0, you need a rule with
+ # - incomming- and outgoing interface are equal!
+ # -
+ # - So DON'T add statement like this:
+ # - [[ "$_dev_2" = "$_dev_1" ]] && continue
+ # -
+ for _port in ${ssh_port_arr[@]} ; do
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule. 
+ # -
+ if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
+ for _port in ${ssh_port_arr[@]} ; do
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service only out
+# ---
+
+echononl "\t\tVPN Service only out"
+
+if $allow_vpn_out && [[ ${#vpn_out_port_arr[@]} -gt 0 ]]; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${vpn_out_port_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+ $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ done
+
+ for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service Gateway
+# ---
+
+echononl "\t\tVPN Service Gateway"
+
+if $local_vpn_service ; then
+
+ # - Cconnection establishment
+ # -
+ for _port in ${vpn_gw_port_arr[@]} ; do
+ $ip6t -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service DMZ
+# ---
+
+echononl "\t\tVPN Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _ip in ${!vpn_server_dmz_arr[@]} ; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${vpn_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${vpn_local_net_port_arr[@]} ; do
+ $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ 
done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - HTTP(S) OUT +# --- + +echononl "\t\tHTTP(S) out only" + +if $allow_http_request_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + + +# --- +# - HTTP(S) (local) Webserver +# --- + +echononl "\t\tHTTP(S) Services Gateway" +# - Access to the local Webservice +if $local_http_service ; then + $ip6t -A INPUT -p tcp -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT + echo_done +else + echo_skipped +fi + + +# --- +# - HTTP(S) Services only local Network +# --- + +echononl "\t\tHTTP(S) Services only local Network" +# - Access to the Webservices (LAN) +if [[ ${#http_server_only_local_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${http_server_only_local_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - HTTP(S) Services DMZ +# --- + +echononl "\t\tHTTP(S) Services DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then + http_port_arr=(${http_ports//,/ }) + for _ip in "${!http_server_dmz_arr[@]}"; do + + # - Skip if no interface is given + # - + if [[ -z "${http_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + for _port in ${http_port_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT + fi + done + if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT + fi + + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - HTTPS Services DMZ (only port 443) +# --- + +echononl "\t\tHTTPS Services DMZ (only port $standard_https_port)" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then + for _ip in "${!http_ssl_server_dmz_arr[@]}"; do + + # - Skip if no interface is given + # - + if [[ -z "${http_ssl_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + $ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT + + # - From extern + if $kernel_forward_between_interfaces ; then + $ip6t -t filter -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT + fi + + # - From intern + if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_https_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_https_port --tcp-flag ACK ACK -j ACCEPT + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - Mail Service SMTP only out +# --- + +echononl "\t\tMail Services SMTP only out" + +if $allow_smtp_request_out && ! $permit_local_net_to_inet ; then + # - Provide SMTP out for all to WAN + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail User Services smtps/pop(s)/imap(s) only out +# --- + +echononl "\t\tMail Services smtps/pop(s)/imap(s) only out" + +if $allow_mail_request_out && ! $permit_local_net_to_inet ; then + # - Provide using Mailservices (WAN) from whole LAN + # - + # - Not needed from local machine. But for testing pupose (i.e. telnet ) + # - + # - + for _dev in ${ext_if_arr[@]} ; do + if $provide_mailservice_from_local ; then + # - Note! + # - this provides access both to LAN and WAN + $ip6t -A OUTPUT -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT + fi + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail Service SMTP only local Networks +# --- + +echononl "\t\tMail Service SMTP only local Networks" +if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${mail_server_only_local_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT + fi + + echo_done + done +else + echo_skipped +fi + + +# --- +# - Mail Services smtps/pop(s)/imap(s) only local Networks +# --- + +echononl "\t\tMail Services smtps/pop(s)/imap(s) only local Networks" + +if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]]; then + for _ip in ${mail_server_only_local_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT + done + fi + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail Server DMZ +# --- + +echononl "\t\tMail Server DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then + mail_port_arr=(${mail_user_ports//,/ }) + mail_port_arr+=("$mail_smtp_port") + for _ip in "${!mail_server_dmz_arr[@]}"; do + + # - Skip if no interface is given + # - + if [[ -z "${mail_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + for _port in ${mail_port_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT + done + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $standard_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $standard_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - FTP out only +# --- + +echononl "\t\tFTP out only" + +if $allow_ftp_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_done +fi + + +# --- +# - FTP Service Gateway +# --- + +echononl "\t\tFTP Service Gateway" + +if $local_ftp_service ; then + $ip6t -A INPUT -p tcp --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT + echo_done +else + echo_skipped +fi + + +# --- +# - FTP Services only local Network +# --- + +echononl "\t\tFTP Service local Networks" +if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${ftp_server_only_local_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT + + if ! 
$permit_between_local_networks ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT + fi + + if $local_alias_interfaces ; then + # - Control Port + $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT + # - Data Port activ + $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT + # - Data Port passiv + $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - FTP Services DMZ +# --- + +echononl "\t\tFTP Service DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then + IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}" + for _ip in "${!ftp_server_dmz_arr[@]}"; do + + # - Skip if no interface is given + # - + if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + + # - From extern + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + fi + + # - From intern + if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + + # - Control Port + $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT + # - Data Port activ + $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT + # - Data Port passiv + $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT + + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - TFTF Service out only +# --- + +echononl "\t\tTFTF Service out only" + +if $allow_tftp_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT + fi + echo_done +else + echo_skipped +fi + + +# --- +# - TFTP Service Gateway +# --- + +echononl "\t\tTFTF Service Gateway" + +if $local_tftp_service ; then + $ip6t -A INPUT -p udp --dport $tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT + echo_done +else + echo_skipped +fi + + + +# --- +# - Samba Service Gateway (only for local Networks) +# --- + +echononl "\t\tSamba Service Gateway (only for local Networks)" + +if $local_samba_service ; then + for _dev in ${local_if_arr[@]} ; do + for _port in ${samba_udp_port_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${samba_tcp_port_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Samba Service only between local Networks +# --- + +echononl "\t\tSamba Service only local Networks" + +if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then + for _dev in ${local_if_arr[@]} ; do + for _ip in ${samba_server_local_ip_arr[@]} ; do + for _port in ${samba_udp_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${samba_tcp_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + if $kernel_forward_between_interfaces && $allow_samba_between_local_nets && ! 
$permit_between_local_networks ; then + for _port in ${samba_udp_port_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${samba_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + for _port in ${samba_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + fi + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Samba Service DMZ +# --- + +echononl "\t\tSamba Service DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then + for _ip in "${!samba_server_dmz_arr[@]}"; do + + # - Skip if no interface is given + # - + if [[ -z "${samba_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + # - From extern + if $kernel_forward_between_interfaces ; then + for _port in ${samba_udp_port_arr[@]} ; do + $ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${samba_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - From intern + for _dev in ${local_if_arr[@]} ; do + for _port in ${samba_udp_port_arr[@]} ; do + $ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then + $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + for _port in ${samba_tcp_port_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + for _port in ${samba_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + fi + done + + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - LDAP and LDAP SSL Service Gateway (only for local Networks) +# --- + +echononl "\t\tLDAP(S) Service Gateway (only for local Networks)" + +if $local_ldap_service ; then + for _dev in ${local_if_arr[@]} ; do + for _port in ${ldap_udp_port_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ldap_tcp_port_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - LDAP and LDAP SSL Service only between local Networks +# --- + +echononl "\t\tLDAP(S) Service only local Networks" + +if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then + for _dev in ${local_if_arr[@]} ; do + for _ip in ${ldap_server_local_ip_arr[@]} ; do + for _port in ${ldap_udp_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j 
ACCEPT + done + for _port in ${ldap_tcp_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + if $kernel_forward_between_interfaces && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then + for _port in ${ldap_udp_port_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ldap_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + for _port in ${ldap_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + fi + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - NTP out only +# --- + +echononl "\t\tNTP Service out only" + +if $allow_ntp_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - NTP Service Gateway +# --- + +echononl "\t\tNTP Service Gateway" +if $local_ntp_service ; then + if ! $allow_ntp_request_out ; then + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + fi + $ip6t -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + echo_done +else + echo_skipped +fi + + +# --- +# - Timeserver (Port 37 NOT NTP!)" +# --- + +echononl "\t\tTimeserver (Port 37 NOT NTP!) 
out only" + +if $allow_timeserver_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - PGP Keyserver out only +# --- + +echononl "\t\tPGP Keyserver out only" + +if $allow_pgpserver_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Telnet +# --- + +echononl "\t\tTelnet (only OUT)" + +if $allow_telnet_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Whois out only +# --- + +echononl "\t\tWhois out only" + +if $allow_whois_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - CPAN Wait only out +# --- + +# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on +# - a WAIT server. It connects to a WAIT server using a simple protocoll +# - resembling NNTP as described in RFC977. + +echononl "\t\tCPAN Wait only out" + +if $allow_cpan_wait_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - HBCI only out (only forward) +# --- + +echononl "\t\tHBCI only out (only forward)" + +if $allow_hbci_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Jabber only out +# --- + +echononl "\t\tJabber only out" + +if $allow_jabber_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Silc only out +# --- + +echononl "\t\tSilc only out" + +if $allow_silc_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - IRC (Internet Relay Chat) only out +# --- + +echononl "\t\tIRC only out" + +if $allow_irc_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - MySQL +# --- + +echononl "\t\tMySQL (only OUT)" + +if $allow_mysql_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - CUPS only between local Networks (IPP Port 631) +# --- + +echononl "\t\tCUPS/IPP (Port 631) only between local Networks" + +if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks && $allow_printing_between_local_nets ; then + for _local_dev_1 in ${local_if_arr[@]} ; do + for _local_dev_2 in ${local_if_arr[@]} ; do + if ! $local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Druck Port 9100 (RAW) only out between local Networks +# --- + +echononl "\t\tDruck Port 9100 only between local Networks" + +if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then + for _local_dev_1 in ${local_if_arr[@]} ; do + for _local_dev_2 in ${local_if_arr[@]} ; do + if ! $local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Druck LPD (Port 515) only out between local Networks +# --- + +echononl "\t\tDruck LPD (Port 515) only between local Networks" + +if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then + for _local_dev_1 in ${local_if_arr[@]} ; do + for _local_dev_2 in ${local_if_arr[@]} ; do + if ! $local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Printer +# --- + +echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks" +if [[ ${#printer_ip_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks \ + && ! 
$allow_printing_between_local_nets ; then + for _ip in ${printer_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ipp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + + $ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT + + $ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Scanner +# --- + +echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks" + +if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces \ + && ! $permit_between_local_networks \ + && $allow_scanning_between_local_nets ; then + for _ip in ${brother_scanner_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + # - UDP + $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT + # - TCP + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $brscan_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $brscan_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Other local Services +# --- + +echononl "\t\tOther local Services" + +if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _val in ${other_service_arr[@]} ; do + IFS=',' read -a _val_arr <<< "${_val}" + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces && [[ "${_val_arr[2]}" = "tcp" ]] ; then + $ip6t -A FORWARD -i $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + done + echo_ok +else + echo_skipped +fi + + +# --- +# - Rsync only Out Gateway +# --- + +echononl "\t\tRsync (only OUT) Gateway" + +if $local_rsync_out ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsync only Out from given local machines +# --- + +echononl "\t\tRsync Out from given local machines" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces $$ ! 
$permit_local_net_to_inet; then + for _port in ${rsync_port_arr[@]} ; do + for _ip in ${rsync_out_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - SNMP Services local Networks +# --- + +echononl "\t\tSNMP Services local Networks" + +if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${snmp_server_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - WakeOnLan only out into local Networks +# --- + +echononl "\t\tWakeOnLan only out into local Networks" +$ip6t -A OUTPUT -p udp --dport 9 -j ACCEPT +echo_done + + +# --- +# - NFS Service (portmapper, mountd, nfs) +# --- + +if $terminal; then + echononl "\t\tNFS Service\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tVoIP\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tSip\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tSkype\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" +else + echo "NFS Service - Not yet implemented" + echo "VoIP - Not yet implemented" + echo "Sip - Not yet implemented" + echo "Skype - Not yet implemented" +fi + + +# --- +# - PowerChute Network Shutdown local Network +# --- + +echononl "\t\tPowerChute Network Shutdown local Network" + +if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then + + for _ip in ${pcns_server_ip_arr[@]} ; do + if containsElement "$_ip" 
"${gateway_ipv6_address_arr[@]}" ; then + $ip6t -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT + fi + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + $ip6t -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT + fi + + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Ubiquiti Unifi Accesspoints +# --- + +echononl "\t\tUbiquiti Unifi Accesspoints" +if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then + + for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT + if $provide_hotspot ; then + $ip6t -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + fi + + if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do + for 
_dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT + if $provide_hotspot ; then + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT + if $provide_hotspot ; then + $ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT + fi + fi + + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - IPMI Tools (e.g. IPMIView) only out +# --- + +echononl "\t\tIPMI Tools (e.g. IPMIView) only out" + +if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_forward_between_interfaces ; then + + $ip6t -A FORWARD -o $_dev -p udp --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - IPMI Tools (e.g. IPMIView) local Networks +# --- + +echononl "\t\tIPMI Tools (e.g. 
IPMIView) local Networks" + +if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${ipmi_server_ip_arr[@]} ; do + + $ip6t -A OUTPUT -p udp -d $_ip --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + $ip6t -A FORWARD -p udp -d $_ip --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + $ip6t -A FORWARD -p udp -s $_ip --sport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) only out +# --- + +echononl "\t\tRemote Console (VNC) only out" + +if $allow_remote_console_request_out && ! 
$permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) local Networks +# --- + +echononl "\t\tRemote Console (VNC) local Networks" + + +if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${rm_server_ip_arr[@]} ; do + + $ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) DMZ +# --- + +echononl "\t\tRemote Console (VNC) DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then + for _ip in ${!rm_server_dmz_arr[@]} ; do + + # - Skip if no interface is given + # - + if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + # - From Gateway + $ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces ; then + + # - From extern + $ip6t -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - From intern + if ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - Munin Service Gateway +# --- + +echononl "\t\tMunin Service Gateway" + +if $local_munin_server ; then + + if $provide_munin_service_to_inet ; then + # - Provide Service for local and extern networks + # - + $ip6t -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + else + # - Provide Service only for for local network + # - + for _dev in ${local_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin Service local Networks +# --- + +echononl "\t\tMunin Service local Networks" +if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_local_server_ip_arr[@]} ; do + $ip6t -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + if ! 
$permit_between_local_networks ; then + $ip6t -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin remote Server +# --- + +echononl "\t\tMunin remote Server" + +if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then + + for _ip in ${!munin_local_client_ip_arr[@]} ; do + if containsElement "$_ip" "${gateway_ipv6_address_arr[@]}" ; then + $ip6t -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + elif $kernel_forward_between_interfaces ; then + $ip6t -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port + $ip6t -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - XyMon local service +# --- + +echononl "\t\tXyMon Service Gateway" + +if $local_xymon_server ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p tcp --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - XyMon Service Intranet +# --- + +echononl "\t\tXyMon Service Intranet" + +if [[ ${#xymon_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${xymon_server_ip_arr[@]} ; do + if $local_xymon_client ; then + $ip6t -A OUTPUT -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + 
fi + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $xymon_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $xymon_port --tcp-flag ACK ACK -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + + +# ------------- +# --- Portforwarding +# ------------- + +# --- +# - Portforwarding TCP +# --- + +echo +echononl "\tPortforwarding TCP" + +if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _val in "${portforward_tcp_arr[@]}" ; do + + # - Split value + # - + IFS=',' read -a _val_arr <<< "${_val}" + + # - DNAT + # - + if [[ "${_val_arr[1]}" = "${_val_arr[3]}" ]] ; then + $ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination ${_val_arr[2]} + else + $ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination [${_val_arr[2]}]:${_val_arr[3]} + fi + + # - Allow Packets + # - + $ip6t -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Portforwarding UDP +# --- + +echononl "\tPortforwarding UDP" + +if [[ ${#portforward_udp_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _val in "${portforward_udp_arr[@]}" ; do + + # - Split value + # - + IFS=',' read -a _val_arr <<< "${_val}" + + # - DNAT + # - + if [[ "${_val_arr[1]}" = "${_val_arr[3]}" ]] ; then + $ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j 
DNAT --to-destination ${_val_arr[2]}
+ else
+ $ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination [${_val_arr[2]}]:${_val_arr[3]}
+ fi
+
+ # - Allow Packets
+ # -
+ $ip6t -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT
+
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - UNIX Traceroute
+# ---
+
+echo
+echononl "\tUNIX Traceroute"
+
+# versendet udp packete im gegensatz zu tracert von windows
+# der icmp-echo-request pakete versendet
+# einige implementierungen von traceroute (linux) erm�lichens
+# die option -I und versenden dann ebenfalls icmp-echo-request pakete
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
+ $ip6t -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# -------------
+# --- ICMP Traffic (i.e. ping requests)
+# -------------
+
+# ---
+# - ICMP is configured above..
+# ---
+
+
+
+# ---
+# - Deny between local networks
+# ---
+
+echo
+echononl "\tDeny all traffic between local networks.."
+if $kernel_forward_between_interfaces ; then
+ if !
$permit_between_local_networks ; then
+ for _dev_1 in ${local_if_arr[@]} ; do
+ for _dev_2 in ${local_if_arr[@]} ; do
+ if $log_rejected || $log_all ; then
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level
+ fi
+ $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP
+ done
+ done
+ echo_done
+ else
+ echo_skipped
+ fi
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- Log traffic not matched so far
+# -------------
+echo
+
+echononl "\tLog traffic not matched so far.."
+if $log_rejected || $log_all ; then
+ $ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level
+ $ip6t -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
+ $ip6t -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
+ #$ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level
+ #$ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
+ #$ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- DROP traffic not matched so far
+# -------------
+echononl "\tDROP traffic not matched so far.."
+
+# - drop all other for all interfaces..
+#
+$ip6t -A INPUT -j DROP
+$ip6t -A OUTPUT -j DROP
+$ip6t -A FORWARD -j DROP
+#
+# ---------- Ende: DROP ----------
+
+echo_done
+
+
+# ---
+# - Warning, if no intern (local) interface is configured
+# ---
+
+if [[ ${#local_if_arr[@]} -lt 1 ]] ; then
+ echo ""
+ echo ""
+ if $terminal ; then
+ echo -e "\t\033[33m\033[1m----------\033[m"
+ else
+ echo "----------"
+ fi
+ warn "No local Interface is configured!"
+ if $terminal ; then
+ echo -e "\t\033[33m\033[1m----------\033[m"
+ else
+ echo "----------"
+ fi
+fi
+
+echo
+exit 0
+
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
new file mode 100755
index 0000000..f66f5ad
--- /dev/null
+++ b/ipt-firewall-gateway
@@ -0,0 +1,3539 @@
+#!/usr/bin/env bash
+
+### BEGIN INIT INFO
+# Provides: ipt-firewall
+# Required-Start: $local_fs $remote_fs $syslog $network $time
+# Required-Stop: $local_fs $remote_fs $syslog $network
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: IPv4 Firewall
+### END INIT INFO
+
+
+# -------------
+# - Settings
+# -------------
+
+ipt_conf_dir="/etc/ipt-firewall"
+
+inc_functions_file="${ipt_conf_dir}/include_functions.conf"
+
+load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
+
+conf_logging=${ipt_conf_dir}/logging_ipv4.conf
+conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
+conf_default_ports=${ipt_conf_dir}/default_ports.conf
+conf_main=${ipt_conf_dir}/main_ipv4.conf
+conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
+
+# -------------
+# - Some checks and preloads..
+# -------------
+
+ipt=$(which iptables)
+
+if [[ -z "$ipt" ]] ; then
+ echo ""
+ echo -e "\tiptables was not found on this server!"
+ echo
+ echo -e "\tFirewall Script was stopped!"
+ echo
+ exit 1
+fi
+
+if [[ ! -f "$inc_functions_file" ]] ; then
+ echo ""
+ echo -e "\tMissing include file '$inc_functions_file'"
+ echo
+ echo -e "\tFirewall Script was stopped!"
+ echo
+ exit 1
+else
+ source $inc_functions_file
+fi
+
+if [[ ! -f "$load_modules_file" ]]; then
+ warn "No modules for loading configured. Missing file '$load_modules_file'!"
+else
+
+ while read -r module ; do
+ if ! lsmod | grep -q -E "^$module\s+" ; then
+ /sbin/modprobe $module > /dev/null 2>&1
+ if [[ "$?" != "0" ]]; then
+ warn "Loading module '$module' failed!"
+ fi
+ fi
+ done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
+
+fi
+
+if [[ ! -f "$conf_logging" ]]; then
+ fatal "Missing configuration for logging - file '$conf_logging'"
+else
+ source $conf_logging
+fi
+
+if [[ !
-f "$conf_default_ports" ]]; then
+ fatal "Missing configuration for default_ports - file '$conf_default_ports'"
+else
+ source $conf_default_ports
+fi
+
+if [[ ! -f "$conf_interfaces" ]]; then
+ fatal "Missing interface configurations - file '$conf_interfaces'"
+else
+ source $conf_interfaces
+fi
+
+if [[ ! -f "$conf_main" ]]; then
+ fatal "Missing main configurations - file '$conf_main'"
+else
+ source $conf_main
+fi
+
+if [[ ! -f "$conf_post_declarations" ]]; then
+ fatal "Missing post declarations - file '$conf_post_declarations'"
+else
+ source $conf_post_declarations
+fi
+
+
+echo
+if $terminal ; then
+ echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
+else
+ echo "Starting firewall iptables (IpV4).."
+fi
+echo
+
+
+# -------------
+# --- Activate IP Forwarding
+# -------------
+
+## - IP Forwarding aktivieren/deaktivieren.
+## -
+## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen.
+## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen,
+## - weil hiermit auch andere (de)aktiviert werden.
+## -
+if $kernel_activate_forwarding ; then
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ echononl "\tActivate Forwarding.."
+ echo_done
+else
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ echononl "\t\033[33m\033[1mDisable Forwarding.."
+ echo_done
+fi
+
+if $kernel_support_dynaddr ; then
+ echononl "\tActivate kernel support for dynamic addresses.."
+ if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
+ echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
+ echo_done
+ else
+ echo_failed
+ fi
+else
+ echo 0 > /proc/sys/net/ipv4/ip_dynaddr
+ echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
+ echo_done
+fi
+
+# -------------
+# --- Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+echononl "\tAdjust Kernel Parameters (Security/Tuning).."
+
+if $adjust_kernel_parameters ; then
+ ## - Reduce DoS'ing ability by reducing timeouts
+ ## -
+ if $kernel_reduce_timeouts ; then
+ echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
+ echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
+ echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
+ echo 0 > /proc/sys/net/ipv4/tcp_sack
+ fi
+
+ ## - SYN COOKIES
+ ## -
+ if $kernel_tcp_syncookies ; then
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
+ echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
+ fi
+
+ ## - Protection against ICMP bogus error responses
+ ## -
+ if $kernel_protect_against_icmp_bogus_messages ; then
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ fi
+
+ ## - Ignore Broadcast Pings
+ ## -
+ if $kernel_ignore_broadcast_ping ; then
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ fi
+
+ ## - Deactivate Source Routed Packets
+ ## -
+ if $kernel_deactivate_source_route ; then
+ for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
+ echo 0 > $asr
+ done
+ fi
+
+ ## - Deactivate sending ICMP redirects
+ ## -
+ if ! $telekom_internet_tv ; then
+ if $kernel_dont_accept_redirects ; then
+ for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
+ echo 1 > $rp_filter
+ done
+ else
+ for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
+ echo 0 > $rp_filter
+ done
+ fi
+ fi
+
+ ## - Logging of spoofed (source routed" and "redirect") packets
+ ## -
+ if $kernel_log_martians ; then
+ echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
+ fi
+
+ echo_done # Adjust Kernel Parameters (Security/Tuning)
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- Set default policies / Flush Rules
+# -------------
+
+echo
+echononl "\tFlushing firewall iptable (IPv4).."
+
+# - default policies
+# -
+$ipt -P INPUT ACCEPT
+$ipt -P OUTPUT ACCEPT
+$ipt -P FORWARD ACCEPT
+
+## - flush chains
+## -
+$ipt -F
+$ipt -F INPUT
+$ipt -F OUTPUT
+$ipt -F FORWARD
+$ipt -F -t mangle
+$ipt -F -t nat
+$ipt -F -t raw
+$ipt -X
+$ipt -Z
+
+$ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+for _dev in ${dsl_device_arr[@]} ; do
+ $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
+done
+
+if $telekom_internet_tv ; then
+ $ipt -t nat -A POSTROUTING -o $tv_extern_if -j MASQUERADE
+fi
+
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+if [[ ${#masquerade_tcp_con_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _val in "${masquerade_tcp_con_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${_val_arr[3]}" ]] ; then
+ no_if_for_ip_arr+=("${_val_arr[1]}")
+ continue
+ fi
+ $ipt -t nat -A POSTROUTING -o ${_val_arr[3]} -p tcp -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j MASQUERADE
+ done
+fi
+
+#echo_done # Flushing firewall iptable (IPv4)..
+if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "Masquerading for ip '$_ip' was omitted - No idestination interface present!"
+ done
+else
+ echo_done
+fi
+echo
+
+
+# -------------
+# - Log given IP Addresses
+# -------------
+
+echononl "\tLog given IP Addresses"
+if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
+ for _ip in ${log_ip_arr[@]} ; do
+ $ipt -A INPUT -s $_ip -j LOG --log-prefix "IPv4: $_ip IN: " --log-level $log_level
+ $ipt -A OUTPUT -d $_ip -j LOG --log-prefix "IPv4: $_ip OUT: " --log-level $log_level
+ $ipt -A FORWARD -s $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD FROM: " --log-level $log_level
+ $ipt -A FORWARD -d $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD TO: " --log-level $log_level
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- Stopping firewall if only flushing was requested (parameter flush)
+# -------------
+
+case $1 in
+ flush)
+ warn No firewall rules are active!
+ exit 0;;
+esac
+
+
+# ---
+# - Stop here, if no extern interface is configured
+# ---
+
+if [[ ${#ext_if_arr[@]} -lt 1 ]] ; then
+ fatal "No extern Interface is configured!"
+fi
+
+
+
+# -------------
+# --- Traffic Shaping
+# -------------
+
+echo ""
+if $terminal ; then
+ echononl "\033[37m\033[1m\tStarting outbound shaping...\033[m"
+else
+ echo -n "Starting outbound shaping"
+fi
+
+if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then
+
+ tc=$(which tc)
+
+ if [[ -z "$tc" ]]; then
+ echo_skipped
+ warn "'tc'-programm not found. Outbound shaping was ommitted!"
+ else + + ## - Löschen aller Klassen für $TC_DEV und der Filterregeln + ## - + $tc qdisc del dev $TC_DEV root 2> /dev/null > /dev/null + $ipt -t mangle -D POSTROUTING -o $TC_DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null + $ipt -t mangle -F MYSHAPER-OUT + $ipt -t mangle -X MYSHAPER-OUT + + + # add HTB root qdisc + $tc qdisc add dev $TC_DEV root handle 1:0 htb default 26 + + # add main rate limit class(es) + $tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit + + # create fair-share-classes, descending priority + $tc class add dev $TC_DEV parent 1:1 classid 1:20 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 0 + $tc class add dev $TC_DEV parent 1:1 classid 1:21 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 1 + $tc class add dev $TC_DEV parent 1:1 classid 1:22 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 2 + $tc class add dev $TC_DEV parent 1:1 classid 1:23 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 3 + $tc class add dev $TC_DEV parent 1:1 classid 1:24 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 4 + $tc class add dev $TC_DEV parent 1:1 classid 1:25 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 5 + $tc class add dev $TC_DEV parent 1:1 classid 1:26 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 6 + + + # attach qdisc to leaf classes + # + # here we at SFQ to each priority class. SFQ insures that + # within each class connections will be treated (almost) fairly. 
+ $tc qdisc add dev $TC_DEV parent 1:20 handle 20: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:21 handle 21: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:22 handle 22: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:23 handle 23: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:24 handle 24: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:25 handle 25: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:26 handle 26: sfq perturb 10 + + + # filter traffic into classes by fwmark + # + # here we direct traffic into priority class according to + # the fwmark set on the packet (we set fwmark with iptables + # later). Note that above we've set the default priority + # class to 1:26 so unmarked packets (or packets marked with + # unfamiliar IDs) will be defaulted to the lowest priority + # class. + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 24 fw flowid 1:24 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 25 fw flowid 1:25 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26 + + + # add MYSHAPER-OUT chain to the mangle table in iptables + # + # this sets up the table we'll use + # to filter and mark packets. + $ipt -t mangle -N MYSHAPER-OUT + $ipt -t mangle -I POSTROUTING -o $TC_DEV -j MYSHAPER-OUT + + + # add fwmark entries to classify different types of traffic + # + # Set fwmark from 20-26 according to + # desired class. 20 is highest prio. 
+ + # mark 20 - high prio 0 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 20 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20 + $ipt -t mangle -A MYSHAPER-OUT -p icmp -j RETURN + + # mark 21 - high prio 1 + # - DNS Service + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21 + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j RETURN + + # mark 22 - high prio 2 + # - VoIP SIP (sip ports, rtp ports, stun ports(3478)) + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j RETURN + + # mark 23 - prio 3 + # - OpenVPN + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j RETURN + + # mark 24 - prio 4 + # - WWW + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j MARK --set-mark 24 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j RETURN + + + # mark 25 - 
prio 5 + # - Mailtraffic + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j MARK --set-mark 25 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j RETURN + + + # Remaining packets are marked according to TOS + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark 25 + # redundant- mark any unmarked packets as 26 (low prio) + $ipt -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26 + + echo_done + fi +else + echo_skipped +fi + + + +# --- +# - Provide (Telekom) IP TV +# --- + +echo +echononl "\tProvide (Telekom) Internet TV" + +if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then + + # - Telekom VDSL - Rules for IPTV + # - + $ipt -A INPUT -i $tv_local_if -p igmp -s $tv_ip -j ACCEPT + #$ipt -A INPUT -i $tv_local_if -p igmp -j DROP + + $ipt -A FORWARD -s $tv_ip -j ACCEPT + $ipt -A FORWARD -d $tv_ip -j ACCEPT + + $ipt -A FORWARD -i $tv_ip -j ACCEPT + $ipt -A FORWARD -o $tv_ip -j ACCEPT + + + # - Forward all networks defined defind by igmpproxy + # - (see: phyint eth2.8 upstream ratelimit 0 threshold 1) + # + #$ipt -A FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT + #$ipt -A FORWARD -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT + #$ipt -A FORWARD -s 239.35.100.6/24 -d 224.0.0.0/4 -j ACCEPT + #$ipt -A FORWARD -s 93.230.64.0/19 -d 224.0.0.0/4 -j ACCEPT + $ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT + $ipt -A FORWARD -s 224.0.0.0/4 -j ACCEPT + + $ipt -A OUTPUT -d 224.0.0.0/4 -j ACCEPT + $ipt -A INPUT -d 224.0.0.0/4 -j ACCEPT + + $ipt -A INPUT -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT + $ipt -A INPUT -i $tv_local_if -d 224.0.0.0/4 -j ACCEPT + $ipt -A OUTPUT -o $tv_extern_if -d 224.0.0.0/4 -j ACCEPT + $ipt -A OUTPUT -o $tv_local_if -d 
224.0.0.0/4 -j ACCEPT + + #$ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT + $ipt -A FORWARD -i $tv_local_if -o $tv_extern_if -j ACCEPT + $ipt -A FORWARD -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT + + echo_done +else + echo_skipped +fi + + + +# ------------- +# --- Pass through Devices Interfaces (not firewalled) +# ------------- + +if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then + echononl "\tPass through Devices (not firewalled)" + for _dev in ${unprotected_if_arr[@]} ; do + if $log_unprotected || $log_all ; then + $ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -j ACCEPT + $ipt -A OUTPUT -o $_dev -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -j ACCEPT + $ipt -A FORWARD -o $_dev -j ACCEPT + fi + done + echo_done +fi + + + +# ------------- +# --- Block IPs / Networks / Interfaces +# ------------- +echononl "\tBlock IPs / Networks / Interfaces.." 
+ + +# --- +# - Block IPs +# --- + +for _ip in $blocked_ips ; do + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j DROP + fi + done +done + + +# --- +# - Block Interfaces +# --- + +for _if in ${blocked_if_arr[@]} ; do + if $log_blocked_if || $log_all ; then + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + $ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_if -j DROP + $ipt -A FORWARD -o $_if -j DROP + fi + $ipt -A INPUT -i $_if -j DROP + $ipt -A OUTPUT -o $_if -j DROP +done + +echo_done # Block IPs / Networks / Interfaces.. + + +# --- +# - Allow Forwarding certain private Addresses +# --- + +echononl "\tAllow forwarding (private) IPs / IP-Ranges.." +if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${forward_private_ip_arr[@]}; do + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -d $_ip -j ACCEPT + $ipt -A FORWARD -s $_ip -j ACCEPT + echo_done + else + echo_skipped + fi + done +else + echo_skipped +fi + + +# ------------- +# --- Protections against several attacks / unwanted packages +# ------------- +echo +echononl "\tProtections against several attacks / unwanted packages.." 
+ +if $protect_against_several_attacks ; then + + # --- + # - Protection against syn-flooding + # --- + + $ipt -N syn-flood + $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN + if $log_syn_flood || $log_all ; then + $ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level + fi + $ipt -A syn-flood -j DROP + + + # --- + # - Drop Fragments + # --- + + # I have to say that fragments scare me more than anything. + # Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" + # Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such + # fragments is very OS-dependent (see this paper for details). + # I am not going to trust any fragments. + # Log fragments just to see if we get any, and deny them too + + for _dev in ${ext_if_arr[@]} ; do + if $log_fragments || $log_all ; then + $ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -f -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -f -j DROP + fi + done + + + # --- + # - drop new packages without syn flag + # --- + + #if $log_new_not_sync || $log_all ; then + # $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # fi + #fi + #$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP + #$ipt -A OUTPUT -p tcp ! 
--syn -m conntrack --ctstate NEW -j DROP + #if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP + #fi + + + # --- + # - drop invalid packages + # --- + + #if $log_invalid_state || $log_all ; then + # $ipt -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + # if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + # fi + #fi + #$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP + #if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP + #fi + + + # --- + # - ungewöhnliche Flags verwerfen + # --- + + for _dev in ${ext_if_arr[@]} ; do + if $log_invalid_flags || $log_all ; then + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp 
--tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + fi + done + + + # --- + # - Refuse private addresses on extern interfaces + # --- + + # Refuse packets claiming to be from a + # Class A private network + # Class B private network + # Class C private network + # loopback interface + # Class D multicast address + # Class E reserved IP address + # broadcast address + for _dev in ${dsl_device_arr[@]} ; do + if $log_spoofed || $log_all ; then + $ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + # + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG 
--log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + fi + fi + # Refuse packets claiming to be from a Class A private network. + $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP + # Retfuse packets claiming to be from a Class C private network. + $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A INPUT -i $_dev -s $loopback -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP + if $kernel_activate_forwarding ; then + # Refuse packets claiming to be from a Class A private network. + $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP + # Refuse packets claiming to be from a Class C private network. + $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A FORWARD -i $_dev -s $loopback -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. 
+ #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP + fi + done + + + # --- + # - Refuse packets claiming to be to the loopback interface. + # --- + + # Refusing packets claiming to be to the loopback interface protects against + # source quench, whereby a machine can be told to slow itself down by an icmp source + # quench to the loopback. + for _dev in ${ext_if_arr[@]} ; do + if $log_to_lo || $log_all ; then + $ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -d $loopback -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -d $loopback -j DROP + fi + done + + + # --- + # - Don't allow spoofing from that server + # --- + + for _dev in ${dsl_device_arr[@]} ; do + if $log_spoofed_out || $log_all ; then + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level + fi + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP + $ipt -A OUTPUT -o $_dev -s $loopback -j DROP + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]}) +# ------------- + +if $log_voip || $log_all ; then + for _ip in ${tel_sys_ip_arr[@]} ; do + $ipt -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level + done +fi +#for _PORT in ${VOIP_PORTS} 
; do +# $ipt -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level +#done + + +# ------------- +# ------------- Stopping firewall here if requested (parameter stop) +# ------------- + + +case $1 in + sto*) + echo + if $terminal ; then + echo -e "\t\033[37m\033[1mStop was requested. No more firewall rules..\033[m" + else + echo "Stop was requested. No more firewall rules.." + fi + echo + exit 0;; +esac + + +echo + + +# ------------- +# --- iPerf +# ------------- + +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. + +echononl "\tCreate \"iPerf\" rules.." +if $create_iperf_rules ; then + $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT + $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT + # + $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT + $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT + $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT + fi + echo_done +else + echo_skipped +fi + + +# --- +# - Drop packets not wanted on gateway +# --- + +echononl "\tDrop packets not wanted on gateway" + +for _dev in ${local_if_arr[@]} ; do + if $log_not_wanted || $log_all ; then + if $not_wanted_ident ; then + $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + fi + for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + done + for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + done + fi + if $not_wanted_ident ; then + $ipt -A 
INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset + fi + for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --dport $_port -j DROP + done + for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p udp --dport $_port -j DROP + done +done + +echo_done + + +# ------------- +# --- Generally prohibited from WAN +# ------------- + +echononl "\tGenerally prohibited from WAN" + +for _dev in ${ext_if_arr[@]} ; do + if $log_prohibited || $log_all ; then + if $block_ident ; then + $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + if $kernel_activate_forwarding ; then + if $block_ident ; then + $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. 
prohibited: " --log-level $log_level + done + fi + fi + if $block_ident ; then + $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP + done + if $kernel_activate_forwarding ; then + if $block_ident ; then + $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP + done + fi +done + +echo_done +echo + + +# ------------- +# --- Traffic generally allowed +# ------------- + +echononl "\tLoopback device generally allowed.." + +# --- +# - Loopback device +# --- + +$ipt -A INPUT -i lo -j ACCEPT +$ipt -A OUTPUT -o lo -j ACCEPT + +echo_done + + +# --- +# - Allow all Traffic from source mac-address +# --- + +echononl "\tAllow all Traffic from MAC Source-Address" + +if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then + for _mac in ${allow_all_mac_src_address_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Allow local Traffic from source mac-address +# --- + +echononl "\tAllow local Traffic from MAC Source-Address" + + +if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then + for _mac in ${allow_local_mac_src_address_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT + 
fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Allow remote Traffic from source mac-address +# --- + +echononl "\tAllow remote Traffic from MAC Source-Address" + + +if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then + for _mac in ${allow_remote_mac_src_address_arr[@]} ; do + for _dev in ${ext_if_arr[@]} ; do + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ipt -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +$ipt -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +fi + +echo_done + + +# --- +# - Permit all traffic through VPN lines +# --- +echononl "\tPermit all traffic through VPN lines.." +for _vpn_if in ${vpn_if_arr[@]} ; do + $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + for _local_dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + done + fi +done +echo_done + + + +# --- +# - Telefon Systems +# --- + +echononl "\tAllow all Traffic between Telefon Systems" +if [[ ${#tele_sys_ip_arr[@]} -gt 1 ]] && $allow_between_tele_systems && ! 
$permit_between_local_networks ; then + for _ip_1 in ${tele_sys_ip_arr[@]} ; do + for _ip_2 in ${tele_sys_ip_arr[@]} ; do + #[[ "$_ip_1" = "$_ip_2" ]] && continue + $ipt -A FORWARD -s $_ip_1 -d $_ip_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Telefon Systems to remote SIP-Server +# --- + +echononl "\tTelefon System to remote SIP-Server" +if [[ ${#tele_sys_ip_arr[@]} -gt 0 ]] ; then + if [ -z "$tele_sys_remote_sip_server_port" -o -z "$tele_sys_local_sip_server_port" ] ; then + echo_failed + warn "Local or remote SIP Port not given"! + else + for _ip in ${tele_sys_ip_arr[@]} ; do + $ipt -A FORWARD -p udp -s $_ip --sport $tele_sys_local_sip_server_port \ + --dport $tele_sys_remote_sip_server_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + echo_done +else + echo_skipped +fi + + + +# --- +# - All request from local networks to the internet +# --- + +echononl "\tPermit all traffic from local networks to the internet.." 
+if $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Networks not firewalled through extern interfaces +# --- + +echononl "\tAllow these local networks any access to the internet" +if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _net in ${any_access_to_inet_network_arr[@]}; do + for _dev in ${ext_if_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + + +# --- +# - Allow local services from given local networks +# --- + +echononl "\tAllow local services from given local networks" +if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in "${allow_local_net_to_local_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + if [[ "${_val_arr[3]}" = "tcp" ]]; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + + +# --- +# - Allow local ip address from given local network +# --- + +echononl "\tAllow local ip address from given local network" +if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in ${allow_local_net_to_local_service_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow local ip address from given local interface +# --- + +echononl "\tAllow local ip address from given local interface" +if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in ${allow_local_if_to_local_ip_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Separate local networks +# --- + +echononl "\tSeparate local networks.." +if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _net in ${separate_local_network_arr[@]}; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p all -s $_net -j DROP + done + done + echo_done +else + echo_skipped +fi + + + +# --- +# - Separate local interfaces +# --- + +echononl "\tSeparate local interfaces.." +if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _dev_1 in ${separate_local_if_arr[@]}; do + for _dev_2 in ${local_if_arr[@]} ; do + [[ "$_dev_1" = "$_dev_2" ]] && continue + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p all -j DROP + $ipt -A FORWARD -i $_dev_2 -o $_dev_1 -p all -j DROP + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Permit all traffic between local networks +# --- + +echononl "\tPermit all traffic between local networks.." +if $kernel_activate_forwarding ; then + if $permit_between_local_networks ; then + for _dev_1 in ${local_if_arr[@]} ; do + for _dev_2 in ${local_if_arr[@]} ; do + + # - Notice: + # - In case of routing multiple netwoks on the same interface or + # - using alias interfaces like eth0:0, you need a rule with + # - incomming- and outgoing interface are equal! + # - + # - So DON'T add statement like this: + # - [[ "$_dev_2" = "$_dev_1" ]] && continue + # - + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # -
+ if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
+ $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+ done
+ echo_done
+ else
+ echo_skipped
+ fi
+else
+ echo_skipped
+fi
+
+
+
+# -------------
+# --- Services
+# -------------
+
+echo
+if $terminal ; then
+ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
+else
+ echo "Add Rules for Services.."
+fi
+
+
+# ---
+# - IPv6 over IPv4 (Tunnel Provider SixXS)
+# ---
+
+echononl "\t\tIPv6 Tunnel SixXS"
+if $local_sixxs_service ; then
+ if [ -n "$tic_server" -a -n "$six_pop_server" ]; then
+ # TIC (tunnel information & control) packages, from/to tic.sixxs.net
+ $ipt -A OUTPUT -p tcp -d $tic_server --dport 3874 -m conntrack --ctstate NEW -j ACCEPT
+
+ # heartbeat packets (outgoing only)
+ $ipt -A OUTPUT -p udp -d $six_pop_server --dport 3740 -m conntrack --ctstate NEW -j ACCEPT
+
+ # 6over4 tunnel packets
+ $ipt -A OUTPUT -p 41 -d $six_pop_server -j ACCEPT
+ $ipt -A INPUT -p 41 -d $six_pop_server -j ACCEPT
+
+ echo_done
+ else
+ echo_skipped
+ fi
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DHCP
+# ---
+
+echononl "\t\tDHCP"
+
+if $local_dhcp_service ; then
+ # - Allow requests from intern networks
+ for _dev in ${local_if_arr[@]} ; do
+ # - in
+ $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
+ # - out
+ $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DHCP Failover
+# ---
+
+echononl "\t\tDHCP Failover Server"
+if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${dhcp_failover_server_ip_arr[@]} ; do
+ $ipt -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DNS out only
+# ---
+
+echononl "\t\tDNS out only"
+
+# - Nameservers on the INET must be reachable for the local recursiv nameserver
+# - but also for all others
+# -
+for _dev in ${ext_if_arr[@]} ; do
+ # - out from local and virtual mashine(s)
+ $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ #$ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ # - forward from virtual mashine(s)
+ $ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ #$ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - DNS Service Gateway
+# ---
+
+echononl "\t\tDNS Service Gateway"
+
+# - Local Nameservice
+# -
+if $local_dns_service ; then
+
+ # - Allow requests from local networks
+ # -
+ for _dev in ${local_if_arr[@]} ; do
+ # - in
+ $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Zonetransfere (uses tcp/53)
+ #
+ for _ip in ${dns_server_ips[@]} ; do
+ # - out
+ # -
+ # - local master (here) gets request for a zone from slave ($_ip)
+ $ipt -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - in
+ # -
+ # - local slave (here) requests zone from master ($_ip)
+ $ipt -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DNS Services at local Network
+# ---
+
+echononl "\t\tDNS Service local Network"
+
+# - Make nameservers at the local network area rechable for all
+# -
+if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${dns_server_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - SSH out only
+# ---
+
+echononl "\t\tSSH out only"
+
+if $allow_ssh_request_out && ! $permit_local_net_to_inet ; then
+ # - Provide SSH to everywhere (also LAN)
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Service Gateway
+# ---
+
+echononl "\t\tSSH Service Gateway (also from WAN)"
+
+if $local_ssh_service ; then
+ # - Provides SSH in from everywhere
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Services DMZ
+# ---
+
+echononl "\t\tSSH Services DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
+ for _ip in "${!ssh_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${ssh_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${ssh_port_arr[@]} ; do
+
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${ssh_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ $ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ # - From intern
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+
+ done
+
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Service between local Netwotks
+# ---
+
+echononl "\t\tSSH Service between local Netwotks"
+if $allow_ssh_between_local_nets ; then
+ if $kernel_activate_forwarding ; then
+ for _dev_1 in ${local_if_arr[@]} ; do
+
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev_1 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ for _dev_2 in ${local_if_arr[@]} ; do
+
+ if ! $permit_between_local_networks ; then
+ # - Notice:
+ # - In case of routing multiple netwoks on the same interface or
+ # - using alias interfaces like eth0:0, you need a rule with
+ # - incomming- and outgoing interface are equal!
+ # -
+ # - So DON'T add statement like this:
+ # - [[ "$_dev_2" = "$_dev_1" ]] && continue
+ # -
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service only out
+# ---
+
+echononl "\t\tVPN Service only out"
+
+if $allow_vpn_out && [[ ${#vpn_out_port_arr[@]} -gt 0 ]]; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${vpn_out_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ done
+
+ for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service Gateway
+# ---
+
+echononl "\t\tVPN Service Gateway"
+
+if $local_vpn_service ; then
+
+ # - Cconnection establishment
+ # -
+ for _port in ${vpn_gw_port_arr[@]} ; do
+ $ipt -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service DMZ
+# ---
+
+echononl "\t\tVPN Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${!vpn_server_dmz_arr[@]} ; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${vpn_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${vpn_local_net_port_arr[@]} ; do
+ $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl
line
+ # -
+ if containsElement "${vpn_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ done
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) OUT
+# ---
+
+echononl "\t\tHTTP(S) out only"
+
+if $allow_http_request_out && ! $permit_local_net_to_inet ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - HTTP(S) (local) Webserver
+# ---
+
+echononl "\t\tHTTP(S) Services Gateway"
+# - Access to the local Webservice
+if $local_http_service ; then
+ $ipt -A INPUT -p tcp -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) Services only local Network
+# ---
+
+echononl "\t\tHTTP(S) Services only local Network"
+# - Access to the Webservices (LAN)
+if [[ ${#http_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${http_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) Services DMZ
+# ---
+
+echononl "\t\tHTTP(S) Services DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
+ http_port_arr=(${http_ports//,/ })
+ for _ip in "${!http_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${http_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${http_port_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${http_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ $ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTPS Services DMZ (only port 443)
+# ---
+
+echononl "\t\tHTTPS Services DMZ (only port $standard_https_port)"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
+ for _ip in "${!http_ssl_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${http_ssl_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - From extern
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port
+ fi
+ $ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
+ fi
+
+ # - From intern
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip --dport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Service SMTP only out
+# ---
+
+echononl "\t\tMail Services SMTP only out"
+
+if $allow_smtp_request_out && ! $permit_local_net_to_inet ; then
+ # - Provide SMTP out for all to WAN
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail User Services smtps/pop(s)/imap(s) only out
+# ---
+
+echononl "\t\tMail Services smtps/pop(s)/imap(s) only out"
+
+if $allow_mail_request_out && ! $permit_local_net_to_inet ; then
+ # - Provide using Mailservices (WAN) from whole LAN
+ # -
+ # - Not needed from local machine. But for testing pupose (i.e. telnet )
+ # -
+ # -
+ for _dev in ${ext_if_arr[@]} ; do
+ if $provide_mailservice_from_local ; then
+ # - Note!
+ # - this provides access both to LAN and WAN
+ $ipt -A OUTPUT -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Service SMTP only local Networks
+# ---
+
+echononl "\t\tMail Service SMTP only local Networks"
+if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ echo_done
+ done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Services smtps/pop(s)/imap(s) only local Networks
+# ---
+
+echononl "\t\tMail Services smtps/pop(s)/imap(s) only local Networks"
+
+if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]]; then
+ for _ip in ${mail_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Server DMZ
+# ---
+
+echononl "\t\tMail Server DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
+ mail_port_arr=(${mail_user_ports//,/ })
+ mail_port_arr+=("$mail_smtp_port")
+ for _ip in "${!mail_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${mail_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${mail_port_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${mail_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port
+ fi
+ $ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
+ done
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP out only
+# ---
+
+echononl "\t\tFTP out only"
+
+if $allow_ftp_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_done
+fi
+
+
+# ---
+# - FTP Service Gateway
+# ---
+
+echononl "\t\tFTP Service Gateway"
+
+if $local_ftp_service ; then
+ $ipt -A INPUT -p tcp --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP Services only local Network
+# ---
+
+echononl "\t\tFTP Service local Networks"
+if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${ftp_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+
+ if ! $permit_between_local_networks ; then
+ $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ if $local_alias_interfaces ; then
+ # - Control Port
+ $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port activ
+ $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port passiv
+ $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP Services DMZ
+# ---
+
+echononl "\t\tFTP Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then
+ IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}"
+ for _ip in "${!ftp_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ $ipt -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - From extern
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${ftp_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]}
+ fi
+ fi
+
+ # - From intern
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+
+ # - Control Port
+ $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port activ
+ $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port passiv
+ $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT
+
+ fi
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - TFTF Service out only
+# ---
+
+echononl "\t\tTFTF Service out only"
+
+if $allow_tftp_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - TFTP Service Gateway
+# ---
+
+echononl "\t\tTFTF Service Gateway"
+
+if $local_tftp_service ; then
+ $ipt -A INPUT -p udp --dport $tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Samba Service Gateway (only for local Networks)
+# ---
+
+echononl "\t\tSamba Service Gateway (only for local Networks)"
+
+if $local_samba_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Samba Service only between local Networks
+# ---
+
+echononl "\t\tSamba Service only local Networks"
+
+if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _ip in ${samba_server_local_ip_arr[@]} ; do
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ if $kernel_activate_forwarding && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then
+
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $local_alias_interfaces ; then
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Samba Service DMZ
+# ---
+
+echononl "\t\tSamba Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
+ for _ip in "${!samba_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${samba_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ # - From extern
+ if $kernel_activate_forwarding ; then
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ IFS=':' read -a _udp_port_arr <<< ${_port}
+ if [[ -n "${_udp_port_arr[1]}" ]] ; then
+ $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]}
+ else
+ $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ fi
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ done
+ fi
+
+ # - From intern
+ for _dev in ${local_if_arr[@]} ; do
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ done
+
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - LDAP and LDAP SSL Service Gateway (only for local Networks)
+# ---
+
+echononl "\t\tLDAP(S) Service Gateway (only for local Networks)"
+
+if $local_ldap_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _port in ${ldap_udp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - LDAP and LDAP SSL Service only between local Networks
+# ---
+
+echononl "\t\tLDAP(S) Service only local Networks"
+
+if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _ip in ${ldap_server_local_ip_arr[@]} ; do
+ for _port in ${ldap_udp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ if $kernel_activate_forwarding && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then
+
+ for _port in ${ldap_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $local_alias_interfaces ; then
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - NTP out only
+# ---
+
+echononl "\t\tNTP Service out only"
+
+if $allow_ntp_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - NTP Service Gateway
+# ---
+
+echononl "\t\tNTP Service Gateway"
+if $local_ntp_service ; then
+ if ! $allow_ntp_request_out ; then
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ $ipt -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Timeserver (Port 37 NOT NTP!)"
+# ---
+
+echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
+
+if $allow_timeserver_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - PGP Keyserver out only
+# ---
+
+echononl "\t\tPGP Keyserver out only"
+
+if $allow_pgpserver_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Telnet
+# ---
+
+echononl "\t\tTelnet (only OUT)"
+
+if $allow_telnet_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Whois out only
+# ---
+
+echononl "\t\tWhois out only"
+
+if $allow_whois_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - CPAN Wait only out
+# ---
+
+# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
+# - a WAIT server. It connects to a WAIT server using a simple protocoll
+# - resembling NNTP as described in RFC977.
+
+echononl "\t\tCPAN Wait only out"
+
+if $allow_cpan_wait_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HBCI only out (only forward)
+# ---
+
+echononl "\t\tHBCI only out (only forward)"
+
+if $allow_hbci_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Jabber only out
+# ---
+
+echononl "\t\tJabber only out"
+
+if $allow_jabber_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Silc only out
+# ---
+
+echononl "\t\tSilc only out"
+
+if $allow_silc_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - IRC (Internet Relay Chat) only out
+# ---
+
+echononl "\t\tIRC only out"
+
+if $allow_irc_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && !
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - MySQL +# --- + +echononl "\t\tMySQL (only OUT)" + +if $allow_mysql_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - CUPS only between local Networks (IPP Port 631) +# --- + +echononl "\t\tCUPS/IPP (Port 631) only between local Networks" + +if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then + for _local_dev_1 in ${local_if_arr[@]} ; do + for _local_dev_2 in ${local_if_arr[@]} ; do + if ! $local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Druck Port 9100 (RAW) only out between local Networks +# --- + +echononl "\t\tRAW Druck Port 9100 only between local Networks" + +if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then + for _local_dev_1 in ${local_if_arr[@]} ; do + for _local_dev_2 in ${local_if_arr[@]} ; do + if ! 
$local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Druck LPD (Port 515) only out between local Networks +# --- + +echononl "\t\tDruck LPD (Port 515) only between local Networks" + +if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then + for _local_dev_1 in ${local_if_arr[@]} ; do + for _local_dev_2 in ${local_if_arr[@]} ; do + if ! $local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Printer +# --- + +echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks" +if [[ ${#printer_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks \ + && ! $allow_printing_between_local_nets ; then + for _ip in ${printer_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ipp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + + $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT + + $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Scanner +# --- + +echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks" + +if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks \ + && $allow_scanning_between_local_nets ; then + for _ip in ${brother_scanner_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + # - UDP + $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT + # - TCP + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $brscan_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Other local Services +# --- + +echononl "\t\tOther local Services" + +if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in ${other_service_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces && [[ "${_val_arr[2]}" = "tcp" ]] ; then + $ipt -A FORWARD -i $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + done + echo_ok +else + echo_skipped +fi + + +# --- +# - Rsync only Out Gateway +# --- + +echononl "\t\tRsync (only OUT) Gateway" + +if $local_rsync_out ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsync only Out from given local machines +# --- + +echononl "\t\tRsync Out from given local machines" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding $$ ! 
$permit_local_net_to_inet; then + for _port in ${rsync_port_arr[@]} ; do + for _ip in ${rsync_out_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - SNMP Services local Networks +# --- + +echononl "\t\tSNMP Services local Networks" + +if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${snmp_server_ip_arr[@]} ; do + $ipt -A OUTPUT -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - WakeOnLan only out into local Networks +# --- + +echononl "\t\tWakeOnLan only out into local Networks" +$ipt -A OUTPUT -p udp --dport 9 -j ACCEPT +echo_done + + +# --- +# - NFS Service (portmapper, mountd, nfs) +# --- + +if $terminal; then + echononl "\t\tNFS Service\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tVoIP\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tSip\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tSkype\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" +else + echo "NFS Service - Not yet implemented" + echo "VoIP - Not yet implemented" + echo "Sip - Not yet implemented" + echo "Skype - Not yet implemented" +fi + + +# --- +# - PowerChute Network Shutdown local Network +# --- + +echononl "\t\tPowerChute Network Shutdown local Network" + +if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then + + for _ip in ${pcns_server_ip_arr[@]} ; do + if containsElement "$_ip" 
"${gateway_ipv4_address_arr[@]}" ; then + $ipt -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT + fi + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + $ipt -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT + fi + + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Ubiquiti Unifi Accesspoints +# --- + +echononl "\t\tUbiquiti Unifi Accesspoints" +if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then + + for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT + if $provide_hotspot ; then + $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + fi + + if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; 
do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT + if $provide_hotspot ; then + $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT + if $provide_hotspot ; then + $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT + fi + fi + + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - IPMI Tools (e.g. IPMIView) only out +# --- + +echononl "\t\tIPMI Tools (e.g. IPMIView) only out" + +if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_activate_forwarding ; then + + $ipt -A FORWARD -o $_dev -p udp --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - IPMI Tools (e.g. IPMIView) local Networks +# --- + +echononl "\t\tIPMI Tools (e.g. 
IPMIView) local Networks" + +if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${ipmi_server_ip_arr[@]} ; do + + $ipt -A OUTPUT -p udp -d $_ip --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + $ipt -A FORWARD -p udp -d $_ip --dport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + $ipt -A FORWARD -p udp -s $_ip --sport $ipmi_udp_port -m conntrack --ctstate NEW -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) only out +# --- + +echononl "\t\tRemote Console (VNC) only out" + +if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) local Networks +# --- + +echononl "\t\tRemote Console (VNC) local Networks" + + +if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${rm_server_ip_arr[@]} ; do + + $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_between_local_networks ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) DMZ +# --- + +echononl "\t\tRemote Console (VNC) DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then + for _ip in ${!rm_server_dmz_arr[@]} ; do + + # - Skip if no interface is given + # - + if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + # - From Gateway + $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + + # - From extern + + # - Nat if interface is on a dsl line + # - + if containsElement "${rm_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then + $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port + fi + $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - From intern + if ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - Munin Service Gateway +# --- + +echononl "\t\tMunin Service Gateway" + +if $local_munin_server ; then + + if $provide_munin_service_to_inet ; then + # - Provide Service for local and extern networks + # - + $ipt -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + else + # - Provide Service only for for local network + # - + for _dev in ${local_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin Service local Networks +# --- + +echononl "\t\tMunin Service local Networks" +if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_local_server_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + if ! 
$permit_between_local_networks ; then + $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin remote Server +# --- + +echononl "\t\tMunin remote Server" + +if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then + + for _ip in ${!munin_local_client_ip_arr[@]} ; do + if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then + $ipt -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + elif $kernel_activate_forwarding ; then + $ipt -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port + $ipt -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - XyMon local service +# --- + +echononl "\t\tXyMon Service Gateway" + +if $local_xymon_server ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - XyMon Service Intranet +# --- + +echononl "\t\tXyMon Service Intranet" + +if [[ ${#xymon_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${xymon_server_ip_arr[@]} ; do + if $local_xymon_client ; then + $ipt -A OUTPUT -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + fi + if 
$kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $xymon_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $xymon_port --tcp-flag ACK ACK -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + + +# ------------- +# --- Portforwarding +# ------------- + +# --- +# - Portforwarding TCP +# --- + +echo +echononl "\tPortforwarding TCP" + +if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in "${portforward_tcp_arr[@]}" ; do + + # - Split value + # - + IFS=':' read -a _val_arr <<< "${_val}" + + # - DNAT + # - + $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]} + + # - Allow Packets + # - + $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Portforwarding UDP +# --- + +echononl "\tPortforwarding UDP" + +if [[ ${#portforward_udp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in "${portforward_udp_arr[@]}" ; do + + # - Split value + # - + IFS=':' read -a _val_arr <<< "${_val}" + + # - DNAT + # - + $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]} + + # - Allow Packets + # - + $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT + + done + echo_done +else + echo_skipped +fi + + +# --- +# - UNIX Traceroute +# --- + +echo +echononl "\tUNIX 
Traceroute" + +# versendet udp packete im gegensatz zu tracert von windows +# der icmp-echo-request pakete versendet +# einige implementierungen von traceroute (linux) erm�lichens +# die option -I und versenden dann ebenfalls icmp-echo-request pakete + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ipt -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + fi +done + +echo_done + + +# ------------- +# --- ICMP Traffic (i.e. ping requests) +# ------------- + +echononl "\tPermit all ICMP traffic.." +if $permit_all_icmp_traffic ; then + $ipt -A INPUT -p icmp -j ACCEPT + $ipt -A OUTPUT -p icmp -j ACCEPT + $ipt -A FORWARD -p icmp -j ACCEPT + echo_done +else + echo_skipped +fi + + + +# --- +# - Deny between local networks +# --- + +echo +echononl "\tDeny all traffic between local networks.." +if $kernel_activate_forwarding ; then + if ! $permit_between_local_networks ; then + for _dev_1 in ${local_if_arr[@]} ; do + for _dev_2 in ${local_if_arr[@]} ; do + if $log_rejected || $log_all ; then + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level + fi + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP + done + done + echo_done + else + echo_skipped + fi +else + echo_skipped +fi + + +# ------------- +# --- Log traffic not matched so far +# ------------- +echo + +echononl "\tLog traffic not matched so far.." 
+if $log_rejected || $log_all ; then + $ipt -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level + $ipt -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level + $ipt -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level + #$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level + #$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level + #$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level + echo_done +else + echo_skipped +fi + + + +# ------------- +# --- DROP traffic not matched so far +# ------------- +echononl "\tDROP traffic not matched so far.." + +# - drop all other for all interfaces.. +# +$ipt -A INPUT -j DROP +$ipt -A OUTPUT -j DROP +$ipt -A FORWARD -j DROP +# +# ---------- Ende: DROP ---------- + +echo_done + + +# --- +# - Warning, if no intern (local) interface is configured +# --- + +if [[ ${#local_if_arr[@]} -lt 1 ]] ; then + echo "" + echo "" + if $terminal ; then + echo -e "\t\033[33m\033[1m----------\033[m" + else + echo "----------" + fi + warn "No local Interface is configured!" + if $terminal ; then + echo -e "\t\033[33m\033[1m----------\033[m" + else + echo "----------" + fi +fi + +echo +exit 0 +