From fe554628037fe3243b854223edb3569dfaaf491e Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 21 Mar 2020 15:11:39 +0100
Subject: [PATCH] Add support for NC's Talk App (only client).

---
 conf/default_ports.conf | 5 ++++
 conf/main_ipv4.conf.sample | 23 +++++++++++++++--
 conf/main_ipv6.conf.sample | 23 +++++++++++++++--
 ip6t-firewall-gateway | 46 ++++++++++++++++++++++++---------
 ipt-firewall-gateway | 52 +++++++++++++++++++++++++++-----------
 5 files changed, 118 insertions(+), 31 deletions(-)

diff --git a/conf/default_ports.conf b/conf/default_ports.conf
index db1c97f..4238eed 100644
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@@ -54,6 +54,11 @@ standard_mailuser_ports="587,465,110,995,143,993"
 standard_jitsi_tcp_ports="$standard_http_ports"
 standard_jitsi_udp_port_range="10000:20000"
 
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# -
+standard_turn_service_ports="3478:3479,5349:5350"
+standard_turn_service_udp_ports="49152:65535"
+
 # -------------
 # --- Predefined Ports
 # -------------
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index e8caf12..e05d03e 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -817,8 +817,26 @@ local_jitsi_video_conference_service=false
 # -
 # - UDP 10000-20000: Virtual Media for Remote Console
 # -
-jitsi_tcp_ports="$standard_http_ports"
-jitsi_udp_ports="10000:20000"
+jitsi_tcp_ports="$standard_jitsi_tcp_ports"
+jitsi_udp_port_range="$standard_jitsi_udp_port_range"
+
+
+# ======
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ======
+
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# -
+# - NOT YET IMPLEMENTED
+# -
+local_nc_turn_service=""
+
+# - Ports used by local TURN Server (Stun Server)
+# -
+# - comma separated list
+# -
+nc_turn_ports="$standard_turn_service_ports"
+nc_turn_udp_ports="$standard_turn_service_udp_ports"
 
 
 # ======
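Review bot: The ipv4 sample replaces `jitsi_udp_ports="10000:20000"` with `jitsi_udp_port_range="$standard_jitsi_udp_port_range"`, but the rewritten Jitsi rules in both firewall scripts (the ip6t and ipt hunks further down) read `$jitsi_udp_ports`, so a config derived from this sample leaves that variable unset and the unquoted `--dports $jitsi_udp_ports` expands to nothing, which iptables rejects; the ipv6 sample has the same mismatch since it keeps the `jitsi_udp_port_range` name too. Existing configs that still define `jitsi_udp_ports` would not show the problem, which may be why it went unnoticed. Either the samples should define `jitsi_udp_ports="$standard_jitsi_udp_port_range"` or the scripts should reference `$jitsi_udp_port_range`, and a guard such as `: "${jitsi_udp_ports:?jitsi_udp_ports not set}"` before the loop would turn the silent empty expansion into an explicit error.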
@@ -1280,6 +1298,7 @@ allow_ipmi_request_out=true
 allow_remote_console_request_out=true
 allow_mumble_request_out=true
 allow_jitsi_video_conference_out=true
+allow_nc_talk_out=true
 allow_samba_requests_out=true
 
 
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 6c66593..7a28479 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -791,8 +791,26 @@ local_jitsi_video_conference_service=false
 # -
 # - comma separated list
 # -
-jitsi_tcp_ports="$standard_http_ports"
-jitsi_udp_port_range="10000:20000"
+jitsi_tcp_ports="$standard_jitsi_tcp_ports"
+jitsi_udp_port_range="$standard_jitsi_udp_port_range"
+
+
+# ======
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ======
+
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# -
+# - NOT YET IMPLEMENTED
+# -
+local_nc_turn_service=""
+
+# - Ports used by local TURN Server (Stun Server)
+# -
+# - comma separated list
+# -
+nc_turn_ports="$standard_turn_service_ports"
+nc_turn_udp_ports="$standard_turn_service_udp_ports"
 
 
 # ======
@@ -1223,6 +1241,7 @@ allow_ipmi_request_out=true
 allow_remote_console_request_out=true
 allow_mumble_request_out=true
 allow_jitsi_video_conference_out=true
+allow_nc_talk_out=true
 allow_samba_requests_out=true
 
 
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 40c65b2..5fc6daa 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -2867,22 +2867,17 @@ echononl "\t\tJitsi Video Conference Service out only"
 if $allow_jitsi_video_conference_out ; then
   for _dev in ${ext_if_arr[@]} ; do
-    $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
-    if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
-      $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+    if [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
+      $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+        $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      fi
     fi
-    if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
-      $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-    fi
-    $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
-
+    $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT
     if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
-      if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
-        $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-      fi
-      $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT
     fi
   done
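Review bot: The added TCP FORWARD rule inside the `[[ "$jitsi_tcp_ports" != ... ]]` branch is gated on `$kernel_activate_forwarding`, while the UDP FORWARD rule a few lines below stays gated on `$kernel_forward_between_interfaces`; the ipt counterpart uses `$kernel_activate_forwarding` for both, and the new TURN block in this same file uses only `$kernel_forward_between_interfaces`. If these are two distinct switches in the IPv6 configuration, TCP and UDP forwarding for the same service are installed under different conditions, which is hard to reason about when auditing the FORWARD chain; if they are meant to be the same switch, one name should be used throughout, e.g. `if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then` for the TCP branch as well. The loop header also still expands `${ext_if_arr[@]}` unquoted; `for _dev in "${ext_if_arr[@]}" ; do` keeps interface names intact. The enclosing `if $allow_jitsi_video_conference_out` block continues past the hunk.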
@@ -2892,6 +2887,33 @@ else
 fi
 
 
+# ---
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ---
+
+echononl "\t\tTURN Server (Stun Server) (for Nextcloud 'talk' app)out only"
+
+if $allow_nc_talk_out ; then
+  for _dev in ${ext_if_arr[@]} ; do
+    $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+    $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+    $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+    if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+      $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+    fi
+
+  done
+
+
+  echo_done
+else
+  echo_skipped
+fi
+
+
 # ---
 # - PGP Keyserver out only
 # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index f18e2d1..ecb0695 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
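Review bot: The third OUTPUT rule and its FORWARD twin accept new outbound UDP to any destination on `$nc_turn_udp_ports`, which defaults to `standard_turn_service_udp_ports="49152:65535"`, on every external interface, and `allow_nc_talk_out` is set to true in both sample configs, so the gateway's UDP egress policy is effectively lifted for the whole dynamic port range out of the box rather than for one service. A TURN client only ever reaches relay ports on the TURN server itself, so the wide rule should be scoped to known TURN hosts with a destination match, e.g. `$ip6t -A OUTPUT -o $_dev -d "$_turn_host" -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT` over a list of server addresses supplied by the config (a new variable, name to be chosen), with the unscoped fallback left opt-in; conntrack handles the return traffic either way. The same three rules appear in the ipt hunk below. Minor: the `echononl` label lacks a space before `out only`.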
@@ -3577,22 +3577,17 @@ echononl "\t\tJitsi Video Conference Service out only"
 if $allow_jitsi_video_conference_out ; then
   for _dev in ${ext_if_arr[@]} ; do
-    $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
-    if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
-      $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
-    fi
-
-    if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
-      $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
-    fi
-    $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
-
-
-    if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
-      if [[ "$standard_jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
-        $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+    if [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
+      $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+        $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
       fi
-      $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
+    fi
+
+    $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+    if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+      $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $jitsi_udp_ports -m conntrack --ctstate NEW -j ACCEPT
     fi
   done
@@ -3602,6 +3597,33 @@ else
 fi
 
 
+# ---
+# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ---
+
+echononl "\t\tTURN Server (Stun Server) (for Nextcloud 'talk' app)out only"
+
+if $allow_nc_talk_out ; then
+  for _dev in ${ext_if_arr[@]} ; do
+    $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+    $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+    $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+    if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+      $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+    fi
+
+  done
+
+
+  echo_done
+else
+  echo_skipped
+fi
+
+
 # ---
 # - PGP Keyserver out only
 # ---