From fb556bc381445db1687834540e32faf732ea32ca Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 10 Feb 2022 23:16:35 +0100 Subject: [PATCH] Prevent duplicate rules. --- conf/default_basic_behavior.conf | 3 +- conf/default_ports.conf | 6 +- conf/main_ipv4.conf.sample | 4 +- conf/main_ipv6.conf.sample | 4 +- conf/post_decalrations.conf | 979 +++++++++++++++---- ip6t-firewall-gateway | 1515 +++++++++++++++-------------- ipt-firewall-gateway | 1523 ++++++++++++++++-------------- 7 files changed, 2381 insertions(+), 1653 deletions(-) diff --git a/conf/default_basic_behavior.conf b/conf/default_basic_behavior.conf index 5fa4a44..415eac4 100644 --- a/conf/default_basic_behavior.conf +++ b/conf/default_basic_behavior.conf @@ -37,9 +37,10 @@ allow_webex_video_conference_out=true allow_zoom_video_conference_out=true allow_jitsi_video_conference_out=true allow_alfaview_video_conference_out=true -allow_nc_talk_out=true +allow_nc_turn_video_conference_out=true allow_samba_requests_out=true +allow_ldap_requests_out=true allow_vpn_out=true diff --git a/conf/default_ports.conf b/conf/default_ports.conf index 377909b..3c8bd44 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf @@ -202,6 +202,8 @@ standard_bigbluebutton_udp_port_range="16384:32768" # - TCP 5004: Fall-back ports for media connectivity when UDP port 9000 # - is not open in the firewall # - +# - Comma separated list of ports +# - standard_webex_tcp_ports="$standard_http_ports" standard_webex_udp_ports="9000" @@ -258,12 +260,12 @@ standard_ms_skype_teams_udp6_hosts="" # - MeetingConnector2.IP2 # - standard_zoom_tcp_ports="80,443,8801,8802" -standard_zoom_udp_port_range="3478,3479,8801,8802 " +standard_zoom_udp_ports="3478,3479,8801,8802 " # - Jitsi Video Conference Service # - standard_jitsi_tcp_ports="$standard_http_ports" -standard_jitsi_udp_port_range="10000:20000" +standard_jitsi_udp_ports="10000:20000" # - TURN Server (Stun Server) (for Nextcloud 'talk' app) # - 
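Review bot: `allow_ldap_requests_out=true` opens outbound LDAP by default, which is a wider egress default than a gateway usually wants for a protocol that is normally only spoken inside the local network; a new option like this is better introduced as opt-in, `allow_ldap_requests_out=false`. Within the visible hunks nothing reads the new flag: the LDAP loops added to `conf/post_decalrations.conf` gate their out-list push on `$allow_samba_requests_out`, so the setting has no effect until those loops are switched to `$allow_ldap_requests_out` (the two gateway scripts are only partly shown, so they may read it elsewhere).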
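Review bot: The renamed `standard_zoom_udp_ports="3478,3479,8801,8802 "` keeps the stray trailing space inside the quotes. With the `IFS=','` splitting used in `conf/post_decalrations.conf` the last element becomes `8802 ` (with the space), so `containsElement "${_port}" "${out_udp_port_arr[@]}"` never matches an `8802` contributed by another service and the duplicate rule this commit sets out to prevent is still generated. Drop the space: `standard_zoom_udp_ports="3478,3479,8801,8802"`.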
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 81648c3..dac16ab 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -1007,7 +1007,7 @@ webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports" # - MeetingConnector2.IP2 # - zoom_tcp_ports="$standard_zoom_tcp_ports" -zoom_udp_ports="$standard_zoom_udp_port_range" +zoom_udp_ports="$standard_zoom_udp_ports" # ====== @@ -1028,7 +1028,7 @@ local_jitsi_video_conference_service=false # - UDP 10000-20000: Virtual Media for Remote Console # - jitsi_tcp_ports="$standard_jitsi_tcp_ports" -jitsi_udp_ports="$standard_jitsi_udp_port_range" +jitsi_udp_ports="$standard_jitsi_udp_ports" # ====== diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 9725389..919004b 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -975,7 +975,7 @@ webex_tcp_fall_back_ports="$standard_webex_tcp_fall_back_ports" # - MeetingConnector2.IP2 # - zoom_tcp_ports="$standard_zoom_tcp_ports" -zoom_udp_ports="$standard_zoom_udp_port_range" +zoom_udp_ports="$standard_zoom_udp_ports" # ====== @@ -1001,7 +1001,7 @@ local_jitsi_video_conference_service=false # - comma separated list # - jitsi_tcp_ports="$standard_jitsi_tcp_ports" -jitsi_udp_ports="$standard_jitsi_udp_port_range" +jitsi_udp_ports="$standard_jitsi_udp_ports" # ====== diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 522eba0..811c143 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf @@ -6,16 +6,6 @@ # ----------- -# --- -# - Standard http ports -# --- -declare -a standard_http_port_arr -CUR_IFS="$IFS" -IFS=',' ; for _port in $standard_http_ports ; do - standard_http_port_arr+=("${_port}") -done -IFS="$CUR_IFS" - # --- # - Standard mail user prts # --- @@ -26,7 +16,6 @@ IFS=',' ; for _port in $standard_mailuser_ports ; do done IFS="$CUR_IFS" - # --- # - Masquerade TCP Connections # --- 
@@ -502,24 +491,6 @@ for _ip in $rsync_out_ips ; do rsync_out_ip_arr+=("$_ip") done -# --- -# - Special TCP Ports OUT -# --- -# local -declare -a tcp_out_port_arr -for _port in $tcp_out_ports ; do - tcp_out_port_arr+=("$_port") -done - -# --- -# - Special UDP Ports OUT -# --- -# local -declare -a udp_out_port_arr -for _port in $udp_out_ports ; do - udp_out_port_arr+=("$_port") -done - # --- # - Other local Services # --- @@ -528,22 +499,64 @@ for _val in $other_services ; do other_service_arr+=("$_val") done + +# ================================================== +# BEGIN: gather out ports +# ================================================== + +# === +# Services +# === + +declare -a out_udp_port_arr +declare -a out_tcp_port_arr + # --- -# - SSH Ports +# - DNS out only +# --- +out_udp_port_arr+=("$standard_dns_port") +out_tcp_port_arr+=("$standard_dns_port") + + +# --- +# - SSH out only +# --- +if $allow_ssh_request_out ; then + out_tcp_port_arr+=("$_port") +fi + +# --- +# SSH Service Gateway +# +# SSH Services only local Network # --- declare -a ssh_port_arr for _port in $ssh_ports ; do + ssh_port_arr+=("$_port") + done + # --- # - Cisco kompartible VPN Ports # --- declare -a cisco_vpn_out_port_arr for _port in $cisco_vpn_out_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + cisco_vpn_out_port_arr+=("$_port") + + if $allow_cisco_vpn_out ; then + out_tcp_port_arr+=("$_port") + fi + done + # --- # - VPN Ports # --- @@ -560,7 +573,17 @@ if [[ -z "$vpn_out_ports" ]] ; then vpn_out_ports="$standard_vpn_port" fi for _port in $vpn_out_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + vpn_out_port_arr+=("$_port") + + if $allow_vpn_out ; then + out_udp_port_arr+=("$_port") + fi + done # --- 
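Review bot: The new `SSH out only` block appends `"$_port"` to `out_tcp_port_arr`, but `_port` is not assigned anywhere in that block — it still holds whatever the last `for _port` loop above left behind (the loop immediately preceding it iterates `_val`), so an unrelated port is opened for egress instead of the SSH port. The append should name the SSH port explicitly, `out_tcp_port_arr+=("<configured-ssh-port-variable>")` (the variable is not visible in this diff), or the push should move into the `for _port in $ssh_ports` loop just below, guarded by `$allow_ssh_request_out`. The same stale-`$_port` append recurs in the NTP, PGP keyserver, Telnet, Whois, CPAN wait, HBCI, Jabber, Silc, IRC, MySQL and remote-console blocks of the later `@@ -578,46 +601,385 @@` hunk, where the guard tests `${standard_*_port}` but the append pushes `$_port`; only the Timeserver and Mumble blocks there push the right variable.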
@@ -578,46 +601,385 @@ declare -a wg_out_port_arr if [[ -z "$wg_out_ports" ]] ; then wg_out_ports="$standard_wg_port" fi +# WireGuard Service only out for _port in $wg_out_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + wg_out_port_arr+=("$_port") + + if $allow_wg_out ; then + out_udp_port_arr+=("$_port") + fi + done -# --- -# - Rsync Out Ports -# -- -declare -a rsync_port_arr -for _port in $rsync_ports ; do - rsync_port_arr+=("$_port") -done # --- -# - Samba Ports +# - Standard http ports +# --- +#HTTP(S) OUT +declare -a standard_http_port_arr +CUR_IFS="$IFS" +IFS=',' ; for _port in $standard_http_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + standard_http_port_arr+=("${_port}") + + if $allow_http_request_out ; then + out_tcp_port_arr+=("$_port") + fi +done +IFS="$CUR_IFS" + + +# Mail Service SMTP only out +if $allow_smtp_request_out ; then + + if containsElement "${standard_smtp_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("${standard_smtp_port}") +fi + +# --- +# - Standard mail user prts +# --- +declare -a standard_mailuser_port_arr +CUR_IFS="$IFS" +IFS=',' ; for _port in $standard_mailuser_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + standard_mailuser_port_arr+=("${_port}") + + if $allow_mail_request_out ; then + out_tcp_port_arr+=("$_port") + fi + +done +IFS="$CUR_IFS" + + + +# --- +# - FTP out only +# --- + +if $allow_ftp_request_out ; then + + if containsElement "${standard_ftp_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("${standard_ftp_port}") +fi + +# --- +# - Samba Service only out # --- declare -a samba_udp_port_arr +declare -a samba_udp_port_local_arr for _port in $samba_udp_ports ; do + + samba_udp_port_local_arr+=("${_port}") + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + samba_udp_port_arr+=("$_port") 
+ + if $allow_samba_requests_out; then + out_udp_port_arr+=("$_port") + fi done declare -a samba_tcp_port_arr +declare -a samba_tcp_port_local_arr for _port in $samba_tcp_ports ; do + + samba_tcp_port_local_arr+=("${_port}") + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + samba_tcp_port_arr+=("$_port") + + if $allow_samba_requests_out; then + out_tcp_port_arr+=("$_port") + fi done + # --- # - LDAP Ports # --- declare -a ldap_udp_port_arr +declare -a ldap_udp_port_local_arr for _port in $ldap_udp_ports ; do - ldap_udp_port_arr+=("$_port") + ldap_udp_port_local_arr+=("$_port") + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + ldap_udp_port_local_arr+=("$_port") + + if $allow_samba_requests_out; then + out_udp_port_arr+=("$_port") + fi done declare -a ldap_tcp_port_arr +declare -a ldap_tcp_port_local_arr for _port in $ldap_tcp_ports ; do - ldap_tcp_port_arr+=("$_port") + ldap_tcp_port_local_arr+=("$_port") + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + ldap_tcp_port_local_arr+=("$_port") + + if $allow_samba_requests_out; then + out_tcp_port_arr+=("$_port") + fi done + +# --- +# - NTP out only +# --- +if $allow_ntp_request_out ; then + + if containsElement "${standard_ntp_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + out_udp_port_arr+=("$_port") + +fi + + +# --- +# - PGP Keyserver out only +# --- +if $allow_pgpserver_request_out ; then + + if containsElement "${standard_pgp_keyserver_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - Telnet out only +# --- +if $allow_telnet_request_out ; then + + if containsElement "${standard_telnet_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - Whois out only +# --- +if $allow_whois_request_out ; then + + if containsElement "${standard_whois_port}" "${out_tcp_port_arr[@]}" ; then + continue + 
fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - CPAN Wait only out +# --- +if $allow_cpan_wait_request_out ; then + + if containsElement "${standard_cpan_wait_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - HBCI only out (only forward) +# --- +if $allow_hbci_request_out ; then + + if containsElement "${standard_hbci_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - Jabber only out +# --- +if $allow_jabber_request_out ; then + + if containsElement "${standard_jabber_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi +if $allow_jabber_request_out ; then + + if containsElement "${standard_jabber_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - Silc only out +# --- +if $allow_silc_request_out ; then + + if containsElement "${standard_silc_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - IRC (Internet Relay Chat) only out +# --- +if $allow_irc_request_out ; then + + if containsElement "${standard_irc_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - MySQL (only OUT) +# --- +if $allow_mysql_request_out ; then + + if containsElement "${standard_mysql_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - Timeserver (Port 37 NOT NTP!)" +# --- +if $allow_timeserver_request_out && ! containsElement "${standard_timeserver_port}" "${out_tcp_port_arr[@]}" ; then + + out_tcp_port_arr+=("$standard_timeserver_port") + +fi + + +# --- +# - Mumble Service out only +# --- +if $allow_mumble_request_out && ! 
containsElement "${standard_mumble_port}" "${out_tcp_port_arr[@]}" ; then + + out_tcp_port_arr+=("$standard_mumble_port") + +fi + + +# --- +# - Remote Console (VNC) only out +# --- +if $allow_remote_console_request_out ; then + + if containsElement "${standard_remote_console_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + out_tcp_port_arr+=("$_port") + +fi + + +# --- +# - Outbound Streaming +# --- +declare -a outbound_streaming_tcp_port_arr +CUR_IFS="$IFS" +IFS=',' ; for _port in $standard_outbound_streaming_tcp_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + outbound_streaming_tcp_port_arr+=("$_port") + + if $allow_outbound_streaming ; then + out_tcp_port_arr+=("$_port") + fi + +done +IFS="$CUR_IFS" + +declare -a outbound_streaming_udp_port_arr +CUR_IFS="$IFS" +IFS=',' ; for _port in $standard_outbound_streaming_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + outbound_streaming_udp_port_arr+=("$_port") + + if $allow_outbound_streaming ; then + out_udp_port_arr+=("$_port") + fi + +done +IFS="$CUR_IFS" + + # --- # - Turn/Stun Ports # --- 
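Review bot: The two LDAP loops never fill the arrays they declare: both appends go to `ldap_udp_port_local_arr`/`ldap_tcp_port_local_arr` (a port not yet in the out list is appended there twice) while `ldap_udp_port_arr`/`ldap_tcp_port_arr` stay empty, and the out-list push is gated on `$allow_samba_requests_out` although this commit introduces `allow_ldap_requests_out` in `conf/default_basic_behavior.conf`. The single-port blocks from SMTP down to remote console use `continue` inside a plain `if` that sits in no loop of this file, so bash only prints a warning and falls through to the append — the duplicate check they were added for never takes effect (and if the file is ever sourced from inside a caller's loop it would skip that iteration instead); the `if $allow_x && ! containsElement …` form used for Timeserver and Mumble is the one that works. The Jabber block is pasted twice, and `standard_mailuser_port_arr` is now built a second time here while the original loop at the top of the file (still present, see the context of `@@ -26,7 +16,6 @@`) has already filled it — `declare -a` on an existing array does not reset it, so its ports are duplicated. Below is the corrected shape for one single-port block and for the LDAP UDP loop; the other blocks follow the same pattern.
```shell
# --- NTP out only (Timeserver/Mumble form: no 'continue' outside a loop,
# --- push the NTP port itself)
if $allow_ntp_request_out && ! containsElement "${standard_ntp_port}" "${out_udp_port_arr[@]}" ; then
    out_udp_port_arr+=("${standard_ntp_port}")
fi

# … unchanged: SMTP, FTP, PGP keyserver … remote console blocks, same rewrite with their own standard_*_port …

# --- LDAP UDP: fill ldap_udp_port_arr, gate the out list on the LDAP flag
declare -a ldap_udp_port_arr
declare -a ldap_udp_port_local_arr
for _port in $ldap_udp_ports ; do

    ldap_udp_port_local_arr+=("$_port")

    if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then
        continue
    fi

    ldap_udp_port_arr+=("$_port")

    if $allow_ldap_requests_out ; then
        out_udp_port_arr+=("$_port")
    fi
done

# … unchanged: ldap_tcp loop, same rewrite; second Jabber block and the
# … repeated standard_mailuser_port_arr loop removed …
```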
@@ -629,46 +991,112 @@ if $allow_outbound_streaming \ || $allow_zoom_video_conference_out \ || $allow_jitsi_video_conference_out \ || $allow_alfaview_video_conference_out \ - || $allow_nc_talk_out ; then + || $allow_nc_turn_video_conference_out ; then allow_stun_turn_service_out=true else allow_stun_turn_service_out=false fi -declare -a standard_turn_service_port_arr -CUR_IFS="$IFS" -IFS=',' ; for _port in $standard_turn_service_ports ; do - standard_turn_service_port_arr+=("$_port") -done -IFS="$CUR_IFS" - +declare -a standard_turn_service_tcp_port_arr declare -a standard_turn_service_udp_port_arr CUR_IFS="$IFS" -IFS=',' ; for _port in $standard_turn_service_udp_ports ; do +IFS=',' ; for _port in $standard_turn_service_ports ; do + if ! containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + standard_turn_service_tcp_port_arr+=("$_port") + + if $allow_stun_turn_service_out ; then + out_tcp_port_arr+=("$_port") + fi + +done +IFS=',' ; for _port in $standard_turn_service_ports ; do + if ! containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + standard_turn_service_udp_port_arr+=("$_port") + + if $allow_stun_turn_service_out ; then + out_udp_port_arr+=("$_port") + fi + +done +IFS=',' ; for _port in $standard_turn_service_udp_ports ; do + + if ! 
containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + standard_turn_service_udp_port_arr+=("$_port") + + if $allow_stun_turn_service_out ; then + out_udp_port_arr+=("$_port") + fi + done IFS="$CUR_IFS" # --- -# - BigBlueButton Video Conference - adjust 'bigbluebutton_tcp_ports' +# - Echo360 Video Plattform +# --- +declare -a echo360_udp_port_arr + +CUR_IFS="$IFS" +IFS=',' ; for _port in $standard_echo360_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + echo360_udp_port_arr+=("$_port") + + if $allow_echo360_video_streaming ; then + out_udp_port_arr+=("$_port") + fi + +done +IFS="$CUR_IFS" + + +# --- +# - BigBlueButton Video Conference Service # --- declare -a bigbluebutton_tcp_port_arr CUR_IFS="$IFS" -_tmp_tcp_ports="$bigbluebutton_tcp_ports" -bigbluebutton_tcp_ports="" -declare -i count=0 -IFS=',' ; for _port in $_tmp_tcp_ports ; do - if $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then +IFS=',' ; for _port in $bigbluebutton_tcp_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue fi - if [[ $count -eq 0 ]]; then - bigbluebutton_tcp_ports="$_port" - else - bigbluebutton_tcp_ports="${bigbluebutton_tcp_ports},${_port}" + + bigbluebutton_tcp_port_arr+=("$_port") + + if $allow_bigbluebutton_video_conference_out ; then + out_tcp_port_arr+=("$_port") fi - ((count++)) + +done +IFS="$CUR_IFS" + +declare -a bigbluebutton_udp_port_arr +CUR_IFS="$IFS" +IFS=',' ; for _port in $bigbluebutton_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + bigbluebutton_udp_port_arr+=("$_port") + + if $allow_bigbluebutton_video_conference_out ; then + out_udp_port_arr+=("$_port") + fi + done IFS="$CUR_IFS" 
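Review bot: The three TURN/STUN loops invert the dedup test: `if ! containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue` skips every port that is *not* yet in the out list and only lets through ports that already are, so with `allow_stun_turn_service_out` the TURN ports are never added unless some earlier service already added them — in which case they are appended a second time, the opposite of what the commit intends. Drop the `!` in all three loops so they match every other loop in this file, e.g. `if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then` for the TCP loop and `if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then` for the two UDP loops.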
@@ -693,21 +1121,21 @@ if [[ -n "$ms_skype_teams_udp6_hosts" ]]; then done fi IFS=',' ; for _port in $ms_skype_teams_udp4_ports ; do - if containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then continue fi ms_skype_teams_udp4_port_arr+=("$_port") done IFS="$CUR_IFS" IFS=',' ; for _port in $ms_skype_teams_udp6_ports ; do - if containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then continue fi ms_skype_teams_udp6_port_arr+=("$_port") done IFS="$CUR_IFS" IFS=',' ; for _port in $ms_skype_teams_tcp_ports ; do - if $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue fi ms_skype_teams_tcp_port_arr+=("$_port") 
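Review bot: The three Teams loops now test membership in `out_udp_port_arr`/`out_tcp_port_arr` but, within the hunk, never push their own ports into those lists, unlike every other service loop in this patch; a service handled later (Webex, Zoom, Jitsi, … in the next hunk) that shares a Teams port would therefore get a second rule. The tcp loop body continues past the hunk's last line, so if the push happens there this is moot; otherwise add `out_udp_port_arr+=("$_port")` / `out_tcp_port_arr+=("$_port")` after the respective `ms_skype_teams_*_port_arr` appends, gated on the Teams allow flag if one exists (none is visible in this diff).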
@@ -715,68 +1143,259 @@ done IFS="$CUR_IFS" +# --- +# - Webex Meeting Video Conference Service out only +# --- + +declare -a webex_tcp_port_arr +declare -a webex_udp_port_arr + +IFS=',' ; for _port in $webex_tcp_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + webex_tcp_port_arr+=("$_port") + + if $allow_webex_video_conference_out ; then + out_tcp_port_arr+=("$_port") + fi + +done +IFS=',' ; for _port in $webex_tcp_fall_back_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + webex_tcp_port_arr+=("$_port") + + if $allow_webex_video_conference_out ; then + out_tcp_port_arr+=("$_port") + fi + +done +IFS=',' ; for _port in $webex_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + webex_udp_port_arr+=("$_port") + + if $allow_webex_video_conference_out ; then + out_udp_port_arr+=("$_port") + fi + +done +IFS="$CUR_IFS" + + # --- # Zoom Meetings - Video Conference - adjust 'zoom_tcp_ports' # --- + declare -a zoom_tcp_port_arr -CUR_IFS="$IFS" -_tmp_tcp_ports="$zoom_tcp_ports" -zoom_tcp_ports="" -declare -i count=0 -IFS=',' ; for _port in $_tmp_tcp_ports ; do - if containsElement "${_port}" "${standard_http_port_arr[@]}" ; then +declare -a zoom_udp_port_arr + +IFS=',' ; for _port in $zoom_tcp_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue fi - if [[ $count -eq 0 ]]; then - zoom_tcp_ports="$_port" - else - zoom_tcp_ports="${zoom_tcp_ports},${_port}" + + zoom_tcp_port_arr+=("$_port") + + if $allow_zoom_video_conference_out ; then + out_tcp_port_arr+=("$_port") fi - ((count++)) + +done +IFS=',' ; for _port in $zoom_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + zoom_udp_port_arr+=("$_port") + + if $allow_zoom_video_conference_out ; then + out_udp_port_arr+=("$_port") + fi + done IFS="$CUR_IFS" # --- -# - Nextcloud 'talk' app +# - Jitsi Video 
Conference Service out only # --- -declare -a nc_turn_port_arr -CUR_IFS="$IFS" -_tmp_ports="$nc_turn_ports" -nc_turn_ports="" -declare -i count=0 -IFS=',' ; for _port in $_tmp_ports ; do - if containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + +declare -a jitsi_tcp_port_arr +declare -a jitsi_udp_port_arr + +IFS=',' ; for _port in $jitsi_tcp_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue fi - if [[ $count -eq 0 ]]; then - nc_turn_ports="$_port" - else - nc_turn_ports="${nc_turn_ports},${_port}" + + jitsi_tcp_port_arr+=("$_port") + + if $allow_jitsi_video_conference_out ; then + out_tcp_port_arr+=("$_port") fi - ((count++)) + +done +IFS=',' ; for _port in $jitsi_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + jitsi_udp_port_arr+=("$_port") + + if $allow_jitsi_video_conference_out ; then + out_udp_port_arr+=("$_port") + fi + done IFS="$CUR_IFS" + +# --- +# - alfaview - Video Conferencing Systems +# --- + +declare -a alfaview_tcp_port_arr +declare -a alfaview_udp_port_arr + +IFS=',' ; for _port in $alfaview_tcp_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + alfaview_tcp_port_arr+=("$_port") + + if $allow_alfaview_video_conference_out ; then + out_tcp_port_arr+=("$_port") + fi + +done +IFS=',' ; for _port in $alfaview_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + alfaview_udp_port_arr+=("$_port") + + if $allow_alfaview_video_conference_out ; then + out_udp_port_arr+=("$_port") + fi + +done +IFS="$CUR_IFS" + +# --- +# - Nextcloud 'talk' App +# --- + +declare -a nc_turn_tcp_port_arr declare -a nc_turn_udp_port_arr -CUR_IFS="$IFS" -_tmp_udp_ports="$nc_turn_udp_ports" -nc_turn_udp_ports="" -declare -i count=0 -IFS=',' ; for _port in $_tmp_udp_ports ; do - if containsElement "${_port}" "${standard_turn_service_udp_port_arr[@]}" ; then + +IFS=',' ; for _port 
in $nc_turn_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue fi - if [[ $count -eq 0 ]]; then - nc_turn_udp_ports="$_port" - else - nc_turn_udp_ports="${nc_turn_udp_ports},${_port}" + + nc_turn_tcp_port_arr+=("$_port") + + if $allow_nc_turn_video_conference_out ; then + out_tcp_port_arr+=("$_port") fi - ((count++)) + +done +IFS=',' ; for _port in $nc_turn_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + nc_turn_udp_port_arr+=("$_port") + + if $allow_nc_turn_video_conference_out ; then + out_udp_port_arr+=("$_port") + fi + +done +IFS="$CUR_IFS" +IFS=',' ; for _port in $nc_turn_udp_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + nc_turn_udp_port_arr+=("$_port") + + if $allow_nc_turn_video_conference_out ; then + out_udp_port_arr+=("$_port") + fi + done IFS="$CUR_IFS" +# --- +# - Special TCP Ports OUT +# --- +declare -a tcp_out_port_arr +for _port in $tcp_out_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + tcp_out_port_arr+=("$_port") + + out_tcp_port_arr+=("$_port") +done + + +# --- +# - Special UDP Ports OUT +# --- +# local +declare -a udp_out_port_arr +for _port in $udp_out_ports ; do + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then + continue + fi + + udp_out_port_arr+=("$_port") + + out_udp_port_arr+=("$_port") +done + +# --- +# - Rsync Out Ports +# -- +declare -a rsync_port_arr +for _port in $rsync_ports ; do + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then + continue + fi + + rsync_port_arr+=("$_port") + + out_tcp_port_arr+=("$_port") +done + # --- # Gaming 
@@ -794,71 +1413,71 @@ fi declare -a game_ports_udp_arr if $allow_game_xbox_360_out ; then IFS=',' ; for _port in $standard_game_xbox_one_udp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then - continue - else - game_ports_udp_arr+=("$_port") fi + + game_ports_udp_arr+=("$_port") + + out_udp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_xbox_one_out ; then IFS=',' ; for _port in $standard_game_xbox_one_udp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then - continue - else - game_ports_udp_arr+=("$_port") fi + + game_ports_udp_arr+=("$_port") + + out_udp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_ps3_out ; then IFS=',' ; for _port in $standard_game_ps3_udp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then - continue - else - game_ports_udp_arr+=("$_port") fi + + game_ports_udp_arr+=("$_port") + + out_udp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_ps4_out ; then IFS=',' ; for _port in $standard_game_ps4_udp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then continue - 
elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then - continue - else - game_ports_udp_arr+=("$_port") fi + + game_ports_udp_arr+=("$_port") + + out_udp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_fifa21_out ; then IFS=',' ; for _port in $standard_game_fifa21_udp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif containsElement "${_port}" "${game_ports_udp_arr[@]}" ; then - continue - else - game_ports_udp_arr+=("$_port") fi + + game_ports_udp_arr+=("$_port") + + out_udp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi 
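Review bot: Both Xbox blocks iterate the same list — the `allow_game_xbox_360_out` branch reads `$standard_game_xbox_one_udp_ports` here and `$standard_game_xbox_one_tcp_ports` in `@@ -867,96 +1486,78 @@`, so the 360 flag is only an alias for the Xbox One port set. The `for` lines are kept as context, so this predates the commit, but since these loop bodies were rewritten it is the moment to confirm whether a separate Xbox 360 port list was intended and, if so, to point the 360 branches at their own variable.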
@@ -867,96 +1486,78 @@ fi declare -a game_ports_tcp_arr if $allow_game_xbox_360_out ; then IFS=',' ; for _port in $standard_game_xbox_one_tcp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then - continue - elif $allow_mail_request_out && containsElement "${_port}" "${standard_mailuser_port_arr[@]}" ; then - continue - elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then - continue - else - game_ports_tcp_arr+=("$_port") fi + + game_ports_tcp_arr+=("$_port") + + out_tcp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_xbox_one_out ; then IFS=',' ; for _port in $standard_game_xbox_one_tcp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then - continue - elif $allow_mail_request_out && containsElement "${_port}" "${standard_mailuser_port_arr[@]}" ; then - continue - elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then - continue - else - game_ports_tcp_arr+=("$_port") fi + + game_ports_tcp_arr+=("$_port") + + out_tcp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_ps3_out ; then IFS=',' ; for _port in $standard_game_ps3_tcp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif $allow_http_request_out && 
containsElement "${_port}" "${standard_http_port_arr[@]}" ; then - continue - elif $allow_mail_request_out && containsElement "${_port}" "${standard_mailuser_port_arr[@]}" ; then - continue - elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then - continue - else - game_ports_tcp_arr+=("$_port") fi + + game_ports_tcp_arr+=("$_port") + + out_tcp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_ps4_out ; then IFS=',' ; for _port in $standard_game_ps4_tcp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then - continue - elif $allow_mail_request_out && containsElement "${_port}" "${standard_mailuser_port_arr[@]}" ; then - continue - elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then - continue - else - game_ports_tcp_arr+=("$_port") fi + + game_ports_tcp_arr+=("$_port") + + out_tcp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi if $allow_game_fifa21_out ; then IFS=',' ; for _port in $standard_game_fifa21_tcp_ports ; do - if $allow_stun_turn_service_out && containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + + if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then continue - elif [[ "$_port" = "$standard_dns_port" ]] ; then - continue - elif $allow_http_request_out && containsElement "${_port}" "${standard_http_port_arr[@]}" ; then - continue - elif $allow_mail_request_out && containsElement "${_port}" "${standard_mailuser_port_arr[@]}" ; then - continue - elif containsElement "${_port}" "${game_ports_tcp_arr[@]}" ; then - continue - else - game_ports_tcp_arr+=("$_port") fi + + game_ports_tcp_arr+=("$_port") + + out_tcp_port_arr+=("$_port") + done IFS="$CUR_IFS" fi - +# 
================================================== +# END: gather out ports +# ================================================== diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 2503d6f..d7a6f11 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -1583,14 +1583,14 @@ echononl "\t\tDNS out only" # - for _dev in ${ext_if_arr[@]} ; do # - out from local and virtual mashine(s) - $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then # - forward from virtual mashine(s) - $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2439,11 +2439,11 @@ if $allow_ftp_request_out ; then # - (Re)define helper # - if ! $ftp_helper_output_defined ; then - $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + $ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_output_defined=true fi if $kernel_forward_between_interfaces && ! $ftp_helper_prerouting_defined ; then - $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + $ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_prerouting_defined=true fi 
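Review bot: `$standard_dns_port` is expanded unquoted and with no fallback in the four new rules; if the conf leaves it empty the command degrades to `--dport -m conntrack …`, ip6tables rejects it, and the gateway runs without its DNS egress rules (whether a failing `$ip6t` call aborts the script is not visible in this hunk). Guarding the expansion, e.g. `--dport "${standard_dns_port:?standard_dns_port is not set}"`, turns that into a loud failure at the point of use; the same applies to `$standard_ftp_port` in the FTP hunks that follow.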
@@ -2451,7 +2451,7 @@ if $allow_ftp_request_out ; then # - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'. # - - $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \ + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \ -m recent --name ftp6data_$i --rdest --set -j ACCEPT # - (2) @@ -2492,7 +2492,7 @@ if $allow_ftp_request_out ; then # - # - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'. # - - $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \ + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \ -m recent --name ftp6data_$i --rdest --set -j ACCEPT # - (2) 
@@ -2525,18 +2525,18 @@ fi #if $allow_ftp_request_out ; then # for _dev in ${ext_if_arr[@]} ; do -# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT +# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # - Allow active FTP connections from local network # # - -# #$ip6t -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT +# #$ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then -# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT +# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # fi # # - Allow active FTP connections from local network # # - -# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT +# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # done # # echo_done @@ -2571,7 +2571,7 @@ if $local_ftp_service ; then # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) # - if ! $ftp_helper_prerouting_defined ; then - $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + $ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_prerouting_defined=true fi 
@@ -2579,7 +2579,7 @@ if $local_ftp_service ; then # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6service'. # - - $ip6t -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftp6service --set -j ACCEPT + $ip6t -A INPUT -p tcp -m state --state NEW --dport $standard_ftp_port -m recent --name ftp6service --set -j ACCEPT # - (2) # - - Accept packets if the source ip-address is in the 'ftp6service' list (--update) and the @@ -2617,11 +2617,11 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_i # - (Re)define helper # - if ! $ftp_helper_output_defined ; then - $ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + $ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_output_defined=true fi if $kernel_forward_between_interfaces && ! $permit_between_local_networks && ! $ftp_helper_prerouting_defined ; then - $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + $ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_prerouting_defined=true fi @@ -2631,10 +2631,10 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_i # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. # - - $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport 1024: -m state --state NEW \ + $ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport 1024: -m state --state NEW \ -m recent --name ftp6data_local_$k --rdest --set -j ACCEPT - $ip6t -A FORWARD -d $_ip -p tcp --dport 21 -m state --state NEW \ + $ip6t -A FORWARD -d $_ip -p tcp --dport $standard_ftp_port -m state --state NEW \ -m recent --name ftp6data_local_$k --rdest --set -j ACCEPT # - (2) 
@@ -2675,19 +2675,19 @@ fi #echononl "\t\tFTP Service local Networks" #if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then # for _ip in ${ftp_server_only_local_ip_arr[@]} ; do -# $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# $ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # if ! $permit_between_local_networks ; then -# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # fi # # if $local_alias_interfaces ; then # # - Control Port -# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT -# $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT +# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT +# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT # # - Data Port activ -# $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT -# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT +# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT +# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT # # - Data Port passiv # $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT # fi 
@@ -2718,17 +2718,17 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th continue fi - $ip6t -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # - From extern if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT fi # - From intern if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT done fi @@ -2737,11 +2737,11 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th if $kernel_forward_between_interfaces && $local_alias_interfaces ; then # - Control Port - $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT # - Data Port activ - $ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT # - Data Port passiv $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT 
@@ -2805,19 +2805,19 @@ echononl "\t\tSamba Service only out" if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do - for _port in ${samba_udp_ports[@]} ; do + for _port in ${samba_udp_port_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_ports[@]} ; do + for _port in ${samba_tcp_port_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_forward_between_interfaces ; then - for _port in ${samba_udp_ports[@]} ; do + for _port in ${samba_udp_port_arr[@]} ; do $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_ports[@]} ; do + for _port in ${samba_tcp_port_arr[@]} ; do $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi @@ -2838,10 +2838,10 @@ echononl "\t\tSamba Service Gateway (only for local Networks)" if $local_samba_service ; then for _dev in ${local_if_arr[@]} ; do - for _port in ${samba_udp_port_arr[@]} ; do + for _port in ${samba_udp_port_local_arr[@]} ; do $ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done 
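Review bot: The renamed loops `for _port in ${samba_udp_port_arr[@]}` / `for _port in ${samba_tcp_port_arr[@]}` (and the `_local_arr` variants in the -2838 hunk) emit no rules at all when the array is unset or empty, yet the block still reports `echo_done`, so a typo in the config or in one of these new names looks like success. A guard such as `if [[ ${#samba_tcp_port_arr[@]} -eq 0 ]] && [[ ${#samba_udp_port_arr[@]} -eq 0 ]] ; then echo_skipped ; else … fi`, or a `warn "samba port list empty"` the way the script already uses `warn` elsewhere, would surface that. The same applies to the hunks at -2861, -2912, -2938, -2961, -3002 and -2992. The enclosing `if $allow_samba_requests_out` block continues past the hunk.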
@@ -2861,24 +2861,24 @@ echononl "\t\tSamba Service only local Networks" if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then for _dev in ${local_if_arr[@]} ; do for _ip in ${samba_server_local_ip_arr[@]} ; do - for _port in ${samba_udp_port_arr[@]} ; do + for _port in ${samba_udp_port_local_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_forward_between_interfaces && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then - for _port in ${samba_udp_port_arr[@]} ; do + for _port in ${samba_udp_port_local_arr[@]} ; do $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done 
@@ -2912,23 +2912,23 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then # - From extern if $kernel_forward_between_interfaces ; then - for _port in ${samba_udp_port_arr[@]} ; do + for _port in ${samba_udp_port_local_arr[@]} ; do $ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi # - From intern for _dev in ${local_if_arr[@]} ; do - for _port in ${samba_udp_port_arr[@]} ; do + for _port in ${samba_udp_port_local_arr[@]} ; do $ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT @@ -2938,7 +2938,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_forward_between_interfaces && $local_alias_interfaces ; then - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done 
@@ -2961,6 +2961,39 @@ else fi +# --- +# - LDAP Service only out +# --- + +echononl "\t\tLDAP Service only out" + +if $allow_ldap_requests_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${ldap_udp_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ldap_tcp_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_forward_between_interfaces ; then + + for _port in ${ldap_udp_port_arr[@]} ; do + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ldap_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + # --- # - LDAP and LDAP SSL Service Gateway (only for local Networks) # --- @@ -2969,10 +3002,10 @@ echononl "\t\tLDAP(S) Service Gateway (only for local Networks)" if $local_ldap_service ; then for _dev in ${local_if_arr[@]} ; do - for _port in ${ldap_udp_port_arr[@]} ; do + for _port in ${ldap_udp_port_local_arr[@]} ; do $ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done 
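Review bot: The new `LDAP Service only out` block is a line-for-line copy of the Samba block at -2805 with the array names swapped, which is exactly how the `samba_udp_ports` vs `samba_udp_port_arr` mismatch this commit fixes arose; a helper taking the protocol and the port array (one `for _dev`/`for _port` nest emitting the OUTPUT rule and, under `$kernel_forward_between_interfaces`, the FORWARD rule) would give Samba and LDAP a single implementation. Separately, the rules carry no `-d` restriction, so if `ldap_tcp_port_arr` includes the plain (non-TLS) LDAP port this opens unencrypted directory traffic to any host on the Internet side; if outbound LDAP is only ever needed toward known directory servers, a host array like the `ldap_server_local_ip_arr` used in the -2992 hunk would narrow it, and whether `allow_ldap_requests_out` should be enabled by default deserves the same look.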
@@ -2992,24 +3025,24 @@ echononl "\t\tLDAP(S) Service only local Networks" if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then for _dev in ${local_if_arr[@]} ; do for _ip in ${ldap_server_local_ip_arr[@]} ; do - for _port in ${ldap_udp_port_arr[@]} ; do + for _port in ${ldap_udp_port_local_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_forward_between_interfaces && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then - for _port in ${ldap_udp_port_arr[@]} ; do + for _port in ${ldap_udp_port_local_arr[@]} ; do $ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done @@ -3050,7 +3083,9 @@ fi echononl "\t\tNTP Service Gateway" if $local_ntp_service ; then if ! $allow_ntp_request_out ; then - $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + done fi $ip6t -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT echo_done 
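Review bot: The unchanged line right after the new loop in the -3050 hunk, `$ip6t -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT`, accepts new NTP connections on every interface, including those in `ext_if_arr`, so enabling `local_ntp_service` presumably exposes the gateway's NTP daemon to the Internet side; the commit fixes the stale `$_dev` on the OUTPUT side but leaves this as is. If the service is meant for the local networks only, as the other `Service Gateway` blocks here do by restricting INPUT with `-i $_dev` over `local_if_arr`, the rule should become `for _dev in ${local_if_arr[@]} ; do $ip6t -A INPUT -i $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT ; done`; if exposing it is intended, a comment saying so would stop the next reader from "fixing" it. The `if $local_ntp_service` block ends outside the hunk.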
@@ -3059,374 +3094,6 @@ else fi -# --- -# - Timeserver (Port 37 NOT NTP!)" -# --- - -echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" - -if $allow_timeserver_request_out ; then - for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Mumble Service out only -# --- - -echononl "\t\tMumble Service out only" - -if $allow_mumble_request_out ; then - for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Outbound Streaming -# --- - -echononl "\t\tOutbound Streaming (most providers)" - -if $allow_outbound_streaming ; then - - for _dev in ${ext_if_arr[@]} ; do - - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then - - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - fi - - done - echo_done -else - echo_skipped -fi -# --- -# - Turn/Stun Service -# --- - -echononl "\t\tTurn/Stun Service" - -if $allow_stun_turn_service_out ; then - - for _dev in ${ext_if_arr[@]} ; do - for _port in ${standard_turn_service_port_arr[@]} ; do - - $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - - done - for _port in ${standard_turn_service_udp_port_arr[@]} ; do - - $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - done - echo_done -else - echo_skipped -fi - - -# --- -# - Echo360 Video Plattform -# --- - -echononl "\t\tEcho360 Video Plattform out only" - -if $allow_echo360_video_streaming ; then - - for _dev in ${ext_if_arr[@]} ; do - - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - done - echo_done -else - echo_skipped -fi - - -# --- -# - BigBlueButton Video Conference Service out only -# --- - -echononl "\t\tBigBlueButton Video Conference Service out only" - -if $allow_bigbluebutton_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ -n $bigbluebutton_tcp_ports ]] ; then - - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Skype for Business Online und Microsoft Teams -# --- - -echononl "\t\tSkype for Business Online und Microsoft Teams" - -if $allow_ms_skype_teams_out \ - && ( [[ ${#ms_skype_teams_udp6_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp6_port_arr[@]} -gt 0 ]] ) \ - || [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then - - for _dev in ${ext_if_arr[@]} ; do - - if [[ ${#ms_skype_teams_udp6_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp6_port_arr[@]} -gt 0 ]] ; then - - for _host in ${ms_skype_teams_udp6_host_arr[@]} ; do - - for _port in ${ms_skype_teams_udp6_port_arr[@]} ; do - - $ip6t -A OUTPUT -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - done - fi - - if [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then - - - for _port in ${ms_skype_teams_tcp_port_arr[@]} ; do - - $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - fi - - done # for _dev in ${ext_if_arr[@]} ; do - echo_done -else - echo_skipped -fi - - -# --- -# - Webex Meeting Video Conference Service out only -# --- - -echononl "\t\tWebex Meeting Video Conference Service out only" - -if $allow_webex_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ "$webex_tcp_ports" != "$standard_http_ports" ]] ; then - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $webex_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $webex_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - if [[ -n "$webex_tcp_fall_back_ports" ]] ; then - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $webex_tcp_fall_back_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $webex_tcp_fall_back_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $webex_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $webex_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Zoom Meeting - Video Conference Service out only -# --- - -echononl "\t\tZoom Meeting - Video Conference Service out only" - -if $allow_zoom_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ -n $zoom_tcp_ports ]] ; then - - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $zoom_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $zoom_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $zoom_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $zoom_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Jitsi Video Conference Service out only -# --- - -echononl "\t\tJitsi Video Conference Service out only" - -if $allow_jitsi_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - alfaview - Video Conferencing Systems -# --- - -echononl "\t\talfaview - Video Conferencing Systems Service out only" - -if $allow_alfaview_video_conference_out && ! $permit_local_net_to_inet ; then - for _dev in ${ext_if_arr[@]} ; do - - # alfaview is a browser application - # - if ! $allow_http_request_out ; then - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $alfaview_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $alfaview_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $alfaview_udp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $alfaview_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - - -# --- -# - Nextcloud 'talk' App -# --- - -echononl "\t\tNextcloud 'talk' App" - -if $allow_nc_talk_out ; then - for _dev in ${ext_if_arr[@]} ; do - if [[ -n "$nc_turn_ports" ]] ; then - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - fi - if [[ -n "$nc_turn_udp_ports" ]] ; then - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - if [[ -n "$nc_turn_ports" ]] ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - fi - if [[ -n "$nc_turn_udp_ports" ]] ; then - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - done - - - echo_done -else - echo_skipped -fi - - # --- # - PGP Keyserver out only # --- @@ -3519,6 +3186,7 @@ echononl "\t\tHBCI only out (only forward)" if $allow_hbci_request_out ; then for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT fi 
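Review bot: The label on the context line of the -3519 hunk, `echononl "\t\tHBCI only out (only forward)"`, is now wrong: the added `$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT` also lets the gateway itself open HBCI connections, so the block is no longer forward-only; drop `(only forward)` here and in the matching header comment above the hunk if it says the same. The new OUTPUT rule is emitted unconditionally while the FORWARD rule stays behind `! $permit_local_net_to_inet`, which mirrors the Timeserver and Mumble blocks, so that part is presumably intended. The `if $allow_hbci_request_out` block starts and ends outside the hunk.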
@@ -3612,6 +3280,704 @@ else fi +# --- +# - Timeserver (Port 37 NOT NTP!)" +# --- + +echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" + +if $allow_timeserver_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Mumble Service out only +# --- + +echononl "\t\tMumble Service out only" + +if $allow_mumble_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) only out +# --- + +echononl "\t\tRemote Console (VNC) only out" + +if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) local Networks +# --- + +echononl "\t\tRemote Console (VNC) local Networks" + + +if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${rm_server_ip_arr[@]} ; do + + $ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! 
$permit_between_local_networks ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) DMZ +# --- + +echononl "\t\tRemote Console (VNC) DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then + for _ip in ${!rm_server_dmz_arr[@]} ; do + + # - Skip if no interface is given + # - + if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + # - From Gateway + $ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces ; then + + # - From extern + $ip6t -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - From intern + if ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - Munin Service Gateway +# --- + +echononl "\t\tMunin Service Gateway" + +if $local_munin_server ; then + + if $provide_munin_service_to_inet ; then + # - Provide Service for local and extern networks + # - + $ip6t -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + else + # - Provide Service only for for local network + # - + for _dev in ${local_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin Service local Networks +# --- + +echononl "\t\tMunin Service local Networks" +if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_local_server_ip_arr[@]} ; do + $ip6t -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + if ! 
$permit_between_local_networks ; then + $ip6t -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin remote Server +# --- + +echononl "\t\tMunin remote Server" + +if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then + + for _ip in ${!munin_local_client_ip_arr[@]} ; do + if containsElement "$_ip" "${gateway_ipv6_address_arr[@]}" ; then + $ip6t -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + elif $kernel_forward_between_interfaces ; then + $ip6t -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port + $ip6t -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Outbound Streaming +# --- + +echononl "\t\tOutbound Streaming (most providers)" + +if $allow_outbound_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${outbound_streaming_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${outbound_streaming_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Turn/Stun Service +# --- + +echononl "\t\tTurn/Stun Service" + +if $allow_stun_turn_service_out ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${standard_turn_service_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + for _port in ${standard_turn_service_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Echo360 Video Plattform +# --- + +echononl "\t\tEcho360 Video Plattform out only" + +if $allow_echo360_video_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${echo360_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - BigBlueButton Video Conference Service out only +# --- + +echononl "\t\tBigBlueButton Video Conference Service out only" + +if $allow_bigbluebutton_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${bigbluebutton_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${bigbluebutton_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Skype for Business Online und Microsoft Teams +# --- + +echononl "\t\tSkype for Business Online und Microsoft Teams" + +if $allow_ms_skype_teams_out \ + && ( [[ ${#ms_skype_teams_udp6_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp6_port_arr[@]} -gt 0 ]] ) \ + || [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + + if [[ ${#ms_skype_teams_udp6_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp6_port_arr[@]} -gt 0 ]] ; then + + for _host in ${ms_skype_teams_udp6_host_arr[@]} ; do + + for _port in ${ms_skype_teams_udp6_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + fi + + if [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then + + + for _port in ${ms_skype_teams_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + fi + + done # for _dev in ${ext_if_arr[@]} ; do + echo_done +else + echo_skipped +fi + + +# --- +# - Webex Meeting Video Conference Service out only +# --- + +echononl "\t\tWebex Meeting Video Conference Service out only" + +if $allow_webex_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${webex_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${webex_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Zoom Meeting - Video Conference Service out only +# --- + +echononl "\t\tZoom Meeting - Video Conference Service out only" + +if $allow_zoom_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${zoom_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${zoom_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Jitsi Video Conference Service out only +# --- + +echononl "\t\tJitsi Video Conference Service out only" + +if $allow_jitsi_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${jitsi_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${jitsi_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - alfaview - Video Conferencing Systems +# --- + +echononl "\t\talfaview - Video Conferencing Systems Service out only" + +if $allow_alfaview_video_conference_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${alfaview_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${alfaview_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + + +# --- +# - Nextcloud 'talk' App +# --- + +echononl "\t\tNextcloud 'talk' App" + +if $allow_nc_turn_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${nc_turn_tcp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${nc_turn_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Special TCP Ports OUT +# --- + +echononl "\t\tSpecial TCP Ports OUT" + +if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${tcp_out_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Special UDP Ports OUT +# --- + +echononl "\t\tSpecial UDP Ports OUT" + +if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${udp_out_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsyncd (only Out) Gateway +# --- + +echononl "\t\tRsyncd (only OUT) Gateway" + +if $local_rsync_out ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsyncd (only OUT) from all local networks" +# --- + +echononl "\t\tRsyncd (only OUT) from all local networks" + +if $forward_rsync_out && $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + for _local_dev in ${local_if_arr[@]} ; do + for _ext_dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + + $ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + done + + echo_done +else + echo_skipped +fi + + + +# --- +# - Rsync only Out from given local machines +# --- + +echononl "\t\tRsync Out from given local machines" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces $$ ! $permit_local_net_to_inet; then + for _port in ${rsync_port_arr[@]} ; do + for _ip in ${rsync_out_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + # --- # - CUPS only between local Networks (IPP Port 631) # --- 
@@ -3795,52 +4161,6 @@ fi -# --- -# - Special TCP Ports OUT -# --- - -echononl "\t\tSpecial TCP Ports OUT" - -if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then - - for _dev in ${ext_if_arr[@]} ; do - for _port in ${tcp_out_port_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT - fi - done - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Special UDP Ports OUT -# --- - -echononl "\t\tSpecial UDP Ports OUT" - -if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then - - for _dev in ${ext_if_arr[@]} ; do - for _port in ${udp_out_port_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT - fi - done - done - - echo_done -else - echo_skipped -fi - - # --- # - Other local Services # --- 
@@ -3869,75 +4189,6 @@ else fi -# --- -# - Rsyncd (only Out) Gateway -# --- - -echononl "\t\tRsyncd (only OUT) Gateway" - -if $local_rsync_out ; then - for _dev in ${ext_if_arr[@]} ; do - for _port in ${rsync_port_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - done - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Rsyncd (only OUT) from all local networks" -# --- - -echononl "\t\tRsyncd (only OUT) from all local networks" - -if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - for _local_dev in ${local_if_arr[@]} ; do - for _ext_dev in ${ext_if_arr[@]} ; do - for _port in ${rsync_port_arr[@]} ; do - - $ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - - # - Note: - # - If (local) alias interfaces like eth1:0 in use, youe need a further - # - special rule. - # - - if $local_alias_interfaces ; then - $ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT - fi - done - done - done - - echo_done -else - echo_skipped -fi - - - -# --- -# - Rsync only Out from given local machines -# --- - -echononl "\t\tRsync Out from given local machines" - -if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces $$ ! $permit_local_net_to_inet; then - for _port in ${rsync_port_arr[@]} ; do - for _ip in ${rsync_out_ip_arr[@]} ; do - $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT - done - done - echo_done -else - echo_skipped -fi - - # --- # - SNMP Services local Networks # --- 
@@ -4216,194 +4467,6 @@ else fi -# --- -# - Remote Console (VNC) only out -# --- - -echononl "\t\tRemote Console (VNC) only out" - -if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then - for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Remote Console (VNC) local Networks -# --- - -echononl "\t\tRemote Console (VNC) local Networks" - - -if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then - for _ip in ${rm_server_ip_arr[@]} ; do - - $ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then - $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT - - # - Rule is needed if (local) interface aliases in use (like eth0:1) - # - - if $local_alias_interfaces ; then - $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT - fi - fi - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Remote Console (VNC) DMZ -# --- - -echononl "\t\tRemote Console (VNC) DMZ" -unset no_if_for_ip_arr -declare -a no_if_for_ip_arr - -if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then - for _ip in ${!rm_server_dmz_arr[@]} ; do - - # - Skip if no interface is given - # - - if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then - no_if_for_ip_arr+=("$_ip") - continue - fi - - # - From Gateway - $ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces ; then - - # - From extern - $ip6t -A FORWARD -i 
${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT - - # - From intern - if ! $permit_between_local_networks ; then - for _dev in ${local_if_arr[@]} ; do - $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT - done - fi - - # - Rule is needed if (local) interface aliases in use (like eth0:1) - # - - if $local_alias_interfaces ; then - $ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT - fi - fi - done - - if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then - echo_warning - for _ip in ${no_if_for_ip_arr[@]} ; do - warn "No Interface given for ip '$_ip'" - done - else - echo_done - fi - -else - echo_skipped -fi - - -# --- -# - Munin Service Gateway -# --- - -echononl "\t\tMunin Service Gateway" - -if $local_munin_server ; then - - if $provide_munin_service_to_inet ; then - # - Provide Service for local and extern networks - # - - $ip6t -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT - else - # - Provide Service only for for local network - # - - for _dev in ${local_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT - done - fi - - echo_done -else - echo_skipped -fi - - -# --- -# - Munin Service local Networks -# --- - -echononl "\t\tMunin Service local Networks" -if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then - for _ip in ${munin_local_server_ip_arr[@]} ; do - $ip6t -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then - for _dev in ${local_if_arr[@]} ; do - if ! 
$permit_between_local_networks ; then - $ip6t -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - fi - - # - Rule is needed if (local) interface aliases in use (like eth0:1) - # - - if $kernel_forward_between_interfaces && $local_alias_interfaces ; then - $ip6t -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT - $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT - fi - - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Munin remote Server -# --- - -echononl "\t\tMunin remote Server" - -if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then - - for _ip in ${!munin_local_client_ip_arr[@]} ; do - if containsElement "$_ip" "${gateway_ipv6_address_arr[@]}" ; then - $ip6t -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT - elif $kernel_forward_between_interfaces ; then - $ip6t -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port - $ip6t -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - echo_done -else - echo_skipped -fi - - # --- # - Checkmk Monitoring Service Gateway # --- diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index a01c1db..380e93d 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
@@ -2274,14 +2274,14 @@ echononl "\t\tDNS out only"
 # -
 for _dev in ${ext_if_arr[@]} ; do
 # - out from local and virtual mashine(s)
- $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
 if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
 # - forward from virtual mashine(s)
- $ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
@@ -3164,11 +3164,11 @@ if $allow_ftp_request_out ; then
 declare -i i=1
 if ! $ftp_helper_output_defined ; then
- $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+ $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
 ftp_helper_output_defined=true
 fi
 if $kernel_activate_forwarding && ! $ftp_helper_prerouting_defined ; then
- $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
+ $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
 ftp_helper_prerouting_defined=true
 fi
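Review bot: The rewritten DNS and FTP-helper rules now expand `$standard_dns_port` / `$standard_ftp_port` with no fallback, and the `$ipt` calls have no return-code check, so if either variable is unset or empty in the conf (defined outside this diff) the command degenerates to `--dport -m ...`, iptables rejects it, and the DNS-out or FTP-helper rule is silently absent — the gateway fails closed for that service with no message. I would guard the values once before the loops, e.g. `: "${standard_dns_port:=53}"` and `: "${standard_ftp_port:=21}"`, or refuse to continue with an explicit error when they are empty. The same applies to every `$standard_ftp_port` / `$standard_ftp_data_port` hunk on lines 53-57. The `for _dev` loop of the DNS hunk and the enclosing `if $allow_ftp_request_out` block both start outside the hunk.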
@@ -3176,7 +3176,7 @@ if $allow_ftp_request_out ; then
 # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
 # -
- $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -m recent --name ftpdata_$i --rdest --set -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -m recent --name ftpdata_$i --rdest --set -j ACCEPT
 # - (2)
 # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
@@ -3216,7 +3216,7 @@ if $allow_ftp_request_out ; then
 # -
 # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
 # -
- $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
 -m recent --name ftpdata_$i --rdest --set -j ACCEPT
 # - (2)
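Review bot: The two rewritten `recent`-list rules keep the legacy `-m state --state NEW` match while the rules touched in the neighbouring DNS hunk, and most of this file, use `-m conntrack --ctstate NEW`; since these lines are being rewritten anyway, switching them to `--dport $standard_ftp_port -m conntrack --ctstate NEW -m recent --name ftpdata_$i --rdest --set -j ACCEPT` would make the match style uniform and drop the deprecated alias. Behaviour is the same on current kernels, so this is purely a consistency point. Both rules sit inside loops that begin outside these hunks.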
@@ -3249,18 +3249,18 @@ fi #if $allow_ftp_request_out ; then # for _dev in ${ext_if_arr[@]} ; do -# $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT +# $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # - Allow active FTP connections from local network # # - -# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT +# $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then -# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT +# $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # fi # # - Allow active FTP connections from local network # # - -# $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT +# $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # done # # echo_done @@ -3295,7 +3295,7 @@ if $local_ftp_service ; then # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) # - if ! $ftp_helper_prerouting_defined ; then - $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_prerouting_defined=true fi 
@@ -3303,7 +3303,7 @@ if $local_ftp_service ; then
 # -
 # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpservice'.
 # -
- $ipt -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpservice --set -j ACCEPT
+ $ipt -A INPUT -p tcp -m state --state NEW --dport $standard_ftp_port -m recent --name ftpservice --set -j ACCEPT
 # - (2)
 # - - Accept packets if the source ip-address is in the 'ftpservice' list (--update) and the
@@ -3341,11 +3341,11 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwardi
 # - (Re)define helper
 # -
 if ! $ftp_helper_output_defined ; then
- $ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+ $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
 ftp_helper_output_defined=true
 fi
 if $kernel_activate_forwarding && ! $permit_between_local_networks && ! $ftp_helper_prerouting_defined ; then
- $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
+ $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
 ftp_helper_prerouting_defined=true
 fi
@@ -3355,10 +3355,10 @@ if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwardi
 # -
 # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
 # -
- $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport 1024: -m state --state NEW \
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport 1024: -m state --state NEW \
 -m recent --name ftpdata_local_$k --rdest --set -j ACCEPT
- $ipt -A FORWARD -d $_ip -p tcp --dport 21 -m state --state NEW \
+ $ipt -A FORWARD -d $_ip -p tcp --dport $standard_ftp_port -m state --state NEW \
 -m recent --name ftpdata_local_$k --rdest --set -j ACCEPT
 # - (2)
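Review bot: In the 3355 hunk the rewritten OUTPUT rule still hard-codes `--sport 1024:` right beside the newly parameterised `--dport $standard_ftp_port`, while the rest of the file expresses the unprivileged source range as `$unprivports` (see `--sport $unprivports` in the 3471 hunk on line 58). Since the line is being rewritten anyway I would use `--dport $standard_ftp_port --sport $unprivports -m state --state NEW \`, assuming `$unprivports` expands to the same `1024:` range on this installation — worth verifying in the conf before changing it. The `for _ip` loop that contains these rules starts outside the hunk.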
@@ -3401,19 +3401,19 @@ fi #echononl "\t\tFTP Service local Networks" #if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then # for _ip in ${ftp_server_only_local_ip_arr[@]} ; do -# $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # if ! $permit_between_local_networks ; then -# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT +# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # fi # # if $local_alias_interfaces ; then # # - Control Port -# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT -# $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT +# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT +# $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT # # - Data Port activ -# $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT -# $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT +# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT +# $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT # # - Data Port passiv # $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT # fi 
@@ -3444,17 +3444,17 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
 continue
 fi
- $ipt -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
 # - From extern
 if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
 # - Nat if interface is on a dsl line
 # -
 if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
- $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21
- $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $standard_ftp_port -j DNAT --to $_ip:$standard_ftp_port
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $standard_ftp_data_port -j DNAT --to $_ip:20
 $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]}
 fi
 fi
@@ -3462,7 +3462,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
 # - From intern
 if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
 for _dev in ${local_if_arr[@]} ; do
- $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
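Review bot: The active-FTP DNAT rule in the 3444 hunk now matches on `--dport $standard_ftp_data_port` but still redirects to the hard-coded `--to $_ip:20`, so the match and the translation target disagree as soon as the variable is set to anything other than 20, and inbound data connections would be forwarded to a port the DMZ host is not serving. The control-port line directly above it was converted consistently, so this line should read `$ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $standard_ftp_data_port -j DNAT --to $_ip:$standard_ftp_data_port`. The `for _ip` loop over `ftp_server_dmz_arr` that contains these rules begins outside the hunk.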
@@ -3471,11 +3471,11 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th if $kernel_activate_forwarding && $local_alias_interfaces ; then # - Control Port - $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT # - Data Port activ - $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT # - Data Port passiv $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT @@ -3539,19 +3539,19 @@ echononl "\t\tSamba Service only out" if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do - for _port in ${samba_udp_ports[@]} ; do + for _port in ${samba_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_ports[@]} ; do + for _port in ${samba_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding ; then - for _port in ${samba_udp_ports[@]} ; do + for _port in ${samba_udp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${samba_tcp_ports[@]} ; do + for _port in ${samba_tcp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi 
@@ -3574,7 +3574,7 @@ if $local_samba_service ; then
 for _port in ${samba_udp_port_arr[@]} ; do
 $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
- for _port in ${samba_tcp_port_arr[@]} ; do
+ for _port in ${samba_tcp_port_local_arr[@]} ; do
 $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
@@ -3594,25 +3594,25 @@ echononl "\t\tSamba Service only local Networks"
 if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then
 for _dev in ${local_if_arr[@]} ; do
 for _ip in ${samba_server_local_ip_arr[@]} ; do
- for _port in ${samba_udp_port_arr[@]} ; do
+ for _port in ${samba_udp_port_local_arr[@]} ; do
 $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
- for _port in ${samba_tcp_port_arr[@]} ; do
+ for _port in ${samba_tcp_port_local_arr[@]} ; do
 $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 if $kernel_activate_forwarding && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then
- for _port in ${samba_udp_port_arr[@]} ; do
+ for _port in ${samba_udp_port_local_arr[@]} ; do
 $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
- for _port in ${samba_tcp_port_arr[@]} ; do
+ for _port in ${samba_tcp_port_local_arr[@]} ; do
 $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 # - Rule is needed if (local) interface aliases in use (like eth0:1)
 # -
 if $local_alias_interfaces ; then
- for _port in ${samba_tcp_port_arr[@]} ; do
+ for _port in ${samba_tcp_port_local_arr[@]} ; do
 $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
 $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
 done
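Review bot: In the 3574 hunk only the TCP loop is moved to `samba_tcp_port_local_arr`; the UDP loop two lines above it still iterates `samba_udp_port_arr`, whereas the 3594 hunk and the DMZ hunks on line 60 switch both protocols to the `_local_arr` variants. Presumably the INPUT rules for the gateway's own Samba service should read `for _port in ${samba_udp_port_arr[@]} ; do` → `for _port in ${samba_udp_port_local_arr[@]} ; do` as well; otherwise the gateway accepts on the "out" UDP port list rather than the local one, and a single divergent loop is exactly the kind of thing this commit sets out to remove. If the asymmetry is intentional, a one-line comment above the UDP loop saying why would keep the next reader from "fixing" it. The enclosing `for _dev in ${local_if_arr[@]}` loop starts outside the hunk.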
@@ -3646,7 +3646,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then # - From extern if $kernel_activate_forwarding ; then - for _port in ${samba_udp_port_arr[@]} ; do + for _port in ${samba_udp_port_local_arr[@]} ; do $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line @@ -3660,7 +3660,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then fi fi done - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line @@ -3673,13 +3673,13 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then # - From intern for _dev in ${local_if_arr[@]} ; do - for _port in ${samba_udp_port_arr[@]} ; do + for _port in ${samba_udp_port_local_arr[@]} ; do $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT @@ -3689,7 +3689,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then - for _port in ${samba_tcp_port_arr[@]} ; do + for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done 
@@ -3712,6 +3712,39 @@ else fi +# --- +# - LDAP Service only out +# --- + +echononl "\t\tLDAP Service only out" + +if $allow_ldap_requests_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${ldap_udp_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ldap_tcp_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_activate_forwarding ; then + + for _port in ${ldap_udp_port_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ldap_tcp_port_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + # --- # - LDAP and LDAP SSL Service Gateway (only for local Networks) # --- @@ -3720,10 +3753,10 @@ echononl "\t\tLDAP(S) Service Gateway (only for local Networks)" if $local_ldap_service ; then for _dev in ${local_if_arr[@]} ; do - for _port in ${ldap_udp_port_arr[@]} ; do + for _port in ${ldap_udp_port_local_arr[@]} ; do $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done 
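Review bot: The guard `if $allow_ldap_requests_out && ! $permit_local_net_to_inet ; then` also drops the gateway's own OUTPUT rules for LDAP when `permit_local_net_to_inet` is set, although that flag — going by its name and by how the Timeserver and Mumble sections of this patch use it — only concerns forwarded traffic; those sections apply `! $permit_local_net_to_inet` to the FORWARD rule alone. Suggest `if $allow_ldap_requests_out ; then` at the top and `if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then` on the inner forwarding branch, which matches the Timeserver pattern. Since this opens LDAP (plain and/or SSL ports; the port arrays are defined outside this hunk) from every local network to any Internet host, and plain LDAP simple binds carry credentials in clear, consider a `-d` restriction to known directory servers, or at least a comment warning that this is unrestricted egress.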
@@ -3743,25 +3776,25 @@ echononl "\t\tLDAP(S) Service only local Networks" if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then for _dev in ${local_if_arr[@]} ; do for _ip in ${ldap_server_local_ip_arr[@]} ; do - for _port in ${ldap_udp_port_arr[@]} ; do + for _port in ${ldap_udp_port_local_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then - for _port in ${ldap_udp_port_arr[@]} ; do + for _port in ${ldap_udp_port_local_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then - for _port in ${ldap_tcp_port_arr[@]} ; do + for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done @@ -3802,7 +3835,9 @@ fi echononl "\t\tNTP Service Gateway" if $local_ntp_service ; then if ! $allow_ntp_request_out ; then - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + done fi $ipt -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT echo_done 
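Review bot: The new `for _dev in ${ext_if_arr[@]}` loop fixes the OUTPUT rule, but the INPUT rule right after it, `$ipt -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT`, still carries no `-i`, so with `local_ntp_service` set the gateway accepts new NTP flows on every interface, including the external ones; the LDAP(S) gateway hunk earlier in this patch restricts its INPUT rules to `${local_if_arr[@]}`. Unless serving NTP to the Internet is intended (and given the amplification history of exposed NTP it is worth being explicit either way), suggest `for _dev in ${local_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT ; done`. That INPUT line is pre-existing context, but this hunk is the one that reworks the block.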
@@ -3811,373 +3846,6 @@ else fi -# --- -# - Timeserver (Port 37 NOT NTP!)" -# --- - -echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" - -if $allow_timeserver_request_out ; then - for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Mumble Service out only -# --- - -echononl "\t\tMumble Service out only" - -if $allow_mumble_request_out ; then - for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - echo_done -else - echo_skipped -fi - - -# --- -# - Outbound Streaming -# --- - -echononl "\t\tOutbound Streaming (most providers)" - -if $allow_outbound_streaming ; then - - for _dev in ${ext_if_arr[@]} ; do - - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then - - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Turn/Stun Service -# --- - -echononl "\t\tTurn/Stun Service" - -if $allow_stun_turn_service_out ; then - - for _dev in ${ext_if_arr[@]} ; do - for _port in ${standard_turn_service_port_arr[@]} ; do - - $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - - done - for _port in ${standard_turn_service_udp_port_arr[@]} ; do - - $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - done - echo_done -else - echo_skipped -fi - - -# --- -# - Echo360 Video Plattform -# --- - -echononl "\t\tEcho360 Video Plattform out only" - -if $allow_echo360_video_streaming ; then - - for _dev in ${ext_if_arr[@]} ; do - - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - done - echo_done -else - echo_skipped -fi - - -# --- -# - BigBlueButton Video Conference Service out only -# --- - -echononl "\t\tBigBlueButton Video Conference Service out only" - -if $allow_bigbluebutton_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ -n $bigbluebutton_tcp_ports ]] ; then - - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Skype for Business Online und Microsoft Teams -# --- - -echononl "\t\tSkype for Business Online und Microsoft Teams" - -if $allow_ms_skype_teams_out \ - && ( [[ ${#ms_skype_teams_udp4_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp4_port_arr[@]} -gt 0 ]] ) \ - || [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then - - for _dev in ${ext_if_arr[@]} ; do - - if [[ ${#ms_skype_teams_udp4_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp4_port_arr[@]} -gt 0 ]] ; then - - for _host in ${ms_skype_teams_udp4_host_arr[@]} ; do - - for _port in ${ms_skype_teams_udp4_port_arr[@]} ; do - - $ipt -A OUTPUT -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - done - fi - - if [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then - - for _port in ${ms_skype_teams_tcp_port_arr[@]} ; do - - $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT - fi - done - - fi - - done # for _dev in ${ext_if_arr[@]} ; do - echo_done -else - echo_skipped -fi - - -# --- -# - Webex Meeting Video Conference Service out only -# --- - -echononl "\t\tWebex Meeting Video Conference Service out only" - -if $allow_webex_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ "$webex_tcp_ports" != "$standard_http_ports" ]] ; then - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $webex_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $webex_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - if [[ -n "$webex_tcp_fall_back_ports" ]] ; then - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $webex_tcp_fall_back_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $webex_tcp_fall_back_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $webex_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $webex_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Zoom Meeting - Video Conference Service out only -# --- - -echononl "\t\tZoom Meeting - Video Conference Service out only" - -if $allow_zoom_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ -n $zoom_tcp_ports ]] ; then - - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $zoom_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $zoom_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $zoom_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $zoom_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Jitsi Video Conference Service out only -# --- - -echononl "\t\tJitsi Video Conference Service out only" - -if $allow_jitsi_video_conference_out ; then - for _dev in ${ext_if_arr[@]} ; do - - if [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT - - if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - alfaview - Video Conferencing Systems -# --- - -echononl "\t\talfaview - Video Conferencing Systems Service out only" - -if $allow_alfaview_video_conference_out && ! $permit_local_net_to_inet ; then - for _dev in ${ext_if_arr[@]} ; do - - # alfaview is a browser application - # - if ! $allow_http_request_out ; then - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $alfaview_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $alfaview_tcp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $alfaview_udp_ports -m conntrack --ctstate NEW -j ACCEPT - if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet; then - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $alfaview_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - done - echo_done -else - echo_skipped -fi - - -# --- -# - Nextcloud 'talk' App -# --- - -echononl "\t\tNextcloud 'talk' App" - -if $allow_nc_talk_out ; then - for _dev in ${ext_if_arr[@]} ; do - if [[ -n "$nc_turn_ports" ]] ; then - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - fi - if [[ -n "$nc_turn_udp_ports" ]] ; then - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - - if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - if [[ -n "$nc_turn_ports" ]] ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - fi - if [[ -n "$nc_turn_udp_ports" ]] ; then - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT - fi - fi - - done - - - echo_done -else - echo_skipped -fi - - # --- # - PGP Keyserver out only # --- @@ -4269,6 +3937,7 @@ fi echononl "\t\tHBCI only out (only forward)" if $allow_hbci_request_out ; then + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT for _dev in ${ext_if_arr[@]} ; do if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT 
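Review bot: The added `$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_hbci_port ...` sits before `for _dev in ${ext_if_arr[@]} ; do`, so `$_dev` is whatever the previous loop left behind — the rule is bound to a stale interface, or, if `_dev` is unset, `-o` takes `-p` as its argument and iptables rejects the rule. Move the line inside the loop: `for _dev in ${ext_if_arr[@]} ; do` / `$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT` / `if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then`. The heading `echononl "\t\tHBCI only out (only forward)"` no longer matches once the gateway itself gets an OUTPUT rule, so adjust that text as well. The rest of the HBCI block is outside this hunk.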
@@ -4363,6 +4032,706 @@ else fi +# --- +# - Timeserver (Port 37 NOT NTP!)" +# --- + +echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" + +if $allow_timeserver_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Mumble Service out only +# --- + +echononl "\t\tMumble Service out only" + +if $allow_mumble_request_out ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) only out +# --- + +echononl "\t\tRemote Console (VNC) only out" + +if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) local Networks +# --- + +echononl "\t\tRemote Console (VNC) local Networks" + + +if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${rm_server_ip_arr[@]} ; do + + $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_between_local_networks ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) DMZ +# --- + +echononl "\t\tRemote Console (VNC) DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then + for _ip in ${!rm_server_dmz_arr[@]} ; do + + # - Skip if no interface is given + # - + if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + # - From Gateway + $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + + # - From extern + + # - Nat if interface is on a dsl line + # - + if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then + $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port + fi + $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - From intern + if ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - Munin Service Gateway +# --- + +echononl "\t\tMunin Service Gateway" + +if $local_munin_server ; then + + if $provide_munin_service_to_inet ; then + # - Provide Service for local and extern networks + # - + $ipt -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + else + # - Provide Service only for for local network + # - + for _dev in ${local_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin Service local Networks +# --- + +echononl "\t\tMunin Service local Networks" +if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_local_server_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + if ! 
$permit_between_local_networks ; then + $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin remote Server +# --- + +echononl "\t\tMunin remote Server" + +if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then + + for _ip in ${!munin_local_client_ip_arr[@]} ; do + if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then + $ipt -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + elif $kernel_activate_forwarding ; then + $ipt -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port + $ipt -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Outbound Streaming +# --- + +echononl "\t\tOutbound Streaming (most providers)" + +if $allow_outbound_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${outbound_streaming_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${outbound_streaming_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + fi + + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Turn/Stun Service +# --- + +echononl "\t\tTurn/Stun Service" + +if $allow_stun_turn_service_out ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${standard_turn_service_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + for _port in ${standard_turn_service_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Echo360 Video Plattform +# --- + +echononl "\t\tEcho360 Video Plattform out only" + +if $allow_echo360_video_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${echo360_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - BigBlueButton Video Conference Service out only +# --- + +echononl "\t\tBigBlueButton Video Conference Service out only" + +if $allow_bigbluebutton_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${bigbluebutton_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${bigbluebutton_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Skype for Business Online und Microsoft Teams +# --- + +echononl "\t\tSkype for Business Online und Microsoft Teams" + +if $allow_ms_skype_teams_out \ + && ( [[ ${#ms_skype_teams_udp4_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp4_port_arr[@]} -gt 0 ]] ) \ + || [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + + if [[ ${#ms_skype_teams_udp4_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp4_port_arr[@]} -gt 0 ]] ; then + + for _host in ${ms_skype_teams_udp4_host_arr[@]} ; do + + for _port in ${ms_skype_teams_udp4_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + fi + + if [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then + + for _port in ${ms_skype_teams_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + fi + + done # for _dev in ${ext_if_arr[@]} ; do + echo_done +else + echo_skipped +fi + + +# --- +# - Webex Meeting Video Conference Service out only +# --- + +echononl "\t\tWebex Meeting Video Conference Service out only" + +if $allow_webex_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${webex_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${webex_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Zoom Meeting - Video Conference Service out only +# --- + +echononl "\t\tZoom Meeting - Video Conference Service out only" + +if $allow_zoom_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${zoom_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${zoom_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Jitsi Video Conference Service out only +# --- + +echononl "\t\tJitsi Video Conference Service out only" + +if $allow_jitsi_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${jitsi_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${jitsi_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - alfaview - Video Conferencing Systems +# --- + +echononl "\t\talfaview - Video Conferencing Systems Service out only" + +if $allow_alfaview_video_conference_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${alfaview_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${alfaview_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Nextcloud 'talk' App +# --- + +echononl "\t\tNextcloud 'talk' App" + +if $allow_nc_turn_video_conference_out ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${nc_turn_tcp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + + for _port in ${nc_turn_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Special TCP Ports OUT +# --- + +echononl "\t\tSpecial TCP Ports OUT" + +if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${tcp_out_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Special UDP Ports OUT +# --- + +echononl "\t\tSpecial UDP Ports OUT" + +if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${udp_out_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsyncd (only Out) Gateway +# --- + +echononl "\t\tRsyncd (only OUT) Gateway" + +if $local_rsync_out ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsyncd (only OUT) from all local networks" +# --- + +echononl "\t\tRsyncd (only OUT) from all local networks" + +if $forward_rsync_out && $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + for _local_dev in ${local_if_arr[@]} ; do + for _ext_dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + + $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsync only Out from given local machines +# --- + +echononl "\t\tRsync Out from given local machines" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding && ! $permit_local_net_to_inet; then + for _port in ${rsync_port_arr[@]} ; do + for _ip in ${rsync_out_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + # --- # - CUPS only between local Networks (IPP Port 631) # --- 
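Review bot: In the Skype/Teams section the condition `if $allow_ms_skype_teams_out && ( ... ) || [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]]` is parsed by bash as `(A && B) || C` — `&&` and `||` have equal precedence in a list and group left — so whenever the TCP port array is non-empty the rules are installed even with `allow_ms_skype_teams_out=false`, and the allow flag is ineffective. Group the port tests so the flag gates everything: `if $allow_ms_skype_teams_out && { [[ ${#ms_skype_teams_udp4_host_arr[@]} -gt 0 && ${#ms_skype_teams_udp4_port_arr[@]} -gt 0 ]] || [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; } ; then`. This condition was moved rather than written by this commit, but it is the live code now. Two smaller points in the same hunk: the "Special TCP/UDP Ports OUT" rules use `-m state --state NEW` while every other rule here uses `-m conntrack --ctstate NEW` (the `state` match is the legacy alias), and the Munin local-networks loop tests `! $permit_between_local_networks` a second time inside a block already guarded by it.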
@@ -4544,52 +4913,6 @@ else
 fi
-# ---
-# - Special TCP Ports OUT
-# ---
-
-echononl "\t\tSpecial TCP Ports OUT"
-
-if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
-
- for _dev in ${ext_if_arr[@]} ; do
- for _port in ${tcp_out_port_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
- if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
- fi
- done
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# ---
-# - Special UDP Ports OUT
-# ---
-
-echononl "\t\tSpecial UDP Ports OUT"
-
-if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
-
- for _dev in ${ext_if_arr[@]} ; do
- for _port in ${udp_out_port_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
- if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
- fi
- done
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
 # ---
 # - Other local Services
 # ---
@@ -4618,74 +4941,6 @@ else
 fi
-# ---
-# - Rsyncd (only Out) Gateway
-# ---
-
-echononl "\t\tRsyncd (only OUT) Gateway"
-
-if $local_rsync_out ; then
- for _dev in ${ext_if_arr[@]} ; do
- for _port in ${rsync_port_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
- done
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# ---
-# - Rsyncd (only OUT) from all local networks"
-# ---
-
-echononl "\t\tRsyncd (only OUT) from all local networks"
-
-if $forward_rsync_out && $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
- for _local_dev in ${local_if_arr[@]} ; do
- for _ext_dev in ${ext_if_arr[@]} ; do
- for _port in ${rsync_port_arr[@]} ; do
-
- $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
-
- # - Note:
- # - If (local) alias interfaces like eth1:0 in use, youe need a further
- # - special rule.
- # -
- if $local_alias_interfaces ; then
- $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
- fi
- done
- done
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# ---
-# - Rsync only Out from given local machines
-# ---
-
-echononl "\t\tRsync Out from given local machines"
-
-if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding && ! $permit_local_net_to_inet; then
- for _port in ${rsync_port_arr[@]} ; do
- for _ip in ${rsync_out_ip_arr[@]} ; do
- $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
- done
- done
- echo_done
-else
- echo_skipped
-fi
-
-
 # ---
 # - SNMP Services local Networks
 # ---
@@ -4965,200 +5220,6 @@ else
 fi
-# ---
-# - Remote Console (VNC) only out
-# ---
-
-echononl "\t\tRemote Console (VNC) only out"
-
-if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then
- for _dev in ${ext_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT
-
- if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT
- fi
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# ---
-# - Remote Console (VNC) local Networks
-# ---
-
-echononl "\t\tRemote Console (VNC) local Networks"
-
-
-if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then
- for _ip in ${rm_server_ip_arr[@]} ; do
-
- $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
-
- if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
- $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
-
- # - Rule is needed if (local) interface aliases in use (like eth0:1)
- # -
- if $local_alias_interfaces ; then
- $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
- fi
- fi
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# ---
-# - Remote Console (VNC) DMZ
-# ---
-
-echononl "\t\tRemote Console (VNC) DMZ"
-unset no_if_for_ip_arr
-declare -a no_if_for_ip_arr
-
-if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then
- for _ip in ${!rm_server_dmz_arr[@]} ; do
-
- # - Skip if no interface is given
- # -
- if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then
- no_if_for_ip_arr+=("$_ip")
- continue
- fi
-
- # - From Gateway
- $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
-
- if $kernel_activate_forwarding ; then
-
- # - From extern
-
- # - Nat if interface is on a dsl line
- # -
- if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
- $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port
- fi
- $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
-
- # - From intern
- if ! $permit_between_local_networks ; then
- for _dev in ${local_if_arr[@]} ; do
- $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
- done
- fi
-
- # - Rule is needed if (local) interface aliases in use (like eth0:1)
- # -
- if $local_alias_interfaces ; then
- $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
- fi
- fi
- done
-
- if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
- echo_warning
- for _ip in ${no_if_for_ip_arr[@]} ; do
- warn "No Interface given for ip '$_ip'"
- done
- else
- echo_done
- fi
-
-else
- echo_skipped
-fi
-
-
-# ---
-# - Munin Service Gateway
-# ---
-
-echononl "\t\tMunin Service Gateway"
-
-if $local_munin_server ; then
-
- if $provide_munin_service_to_inet ; then
- # - Provide Service for local and extern networks
- # -
- $ipt -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
- else
- # - Provide Service only for for local network
- # -
- for _dev in ${local_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
- done
- fi
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# ---
-# - Munin Service local Networks
-# ---
-
-echononl "\t\tMunin Service local Networks"
-if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then
- for _ip in ${munin_local_server_ip_arr[@]} ; do
- $ipt -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
-
- if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
- for _dev in ${local_if_arr[@]} ; do
- if ! $permit_between_local_networks ; then
- $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
- fi
- done
- fi
-
- # - Rule is needed if (local) interface aliases in use (like eth0:1)
- # -
- if $kernel_activate_forwarding && $local_alias_interfaces ; then
- $ipt -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
- fi
-
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
-# ---
-# - Munin remote Server
-# ---
-
-echononl "\t\tMunin remote Server"
-
-if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then
-
- for _ip in ${!munin_local_client_ip_arr[@]} ; do
- if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then
- $ipt -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
- elif $kernel_activate_forwarding ; then
- $ipt -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port
- $ipt -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
- fi
- done
-
- echo_done
-else
- echo_skipped
-fi
-
-
 # ---
 # - Checkmk Monitoring Service Gateway
 # ---