#!/usr/bin/env bash ### BEGIN INIT INFO # Provides: ipt-firewall # Required-Start: $local_fs $remote_fs $syslog $network $time # Required-Stop: $local_fs $remote_fs $syslog $network # Should-Start: # Should-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: IPv4 Firewall ### END INIT INFO # ------------- # - Settings # ------------- ipt_conf_dir="/etc/ipt-firewall" inc_functions_file="${ipt_conf_dir}/include_functions.conf" load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf conf_logging=${ipt_conf_dir}/logging_ipv4.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_default_ports=${ipt_conf_dir}/default_ports.conf conf_default_ips=${ipt_conf_dir}/default_ipv4.conf conf_default_basic_behavior=${ipt_conf_dir}/default_basic_behavior.conf conf_main=${ipt_conf_dir}/main_ipv4.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf # ------------- # - Some checks and preloads.. # ------------- ipt=$(which iptables) if [[ -z "$ipt" ]] ; then echo "" echo -e "\tiptables was not found on this server!" echo echo -e "\tFirewall Script was stopped!" echo exit 1 fi if [[ ! -f "$inc_functions_file" ]] ; then echo "" echo -e "\tMissing include file '$inc_functions_file'" echo echo -e "\tFirewall Script was stopped!" echo exit 1 else source $inc_functions_file fi if [[ ! -f "$load_modules_file" ]]; then warn "No modules for loading configured. Missing file '$load_modules_file'!" else while read -r module ; do if ! lsmod | grep -q -E "^$module\s+" ; then /sbin/modprobe $module > /dev/null 2>&1 if [[ "$?" != "0" ]]; then warn "Loading module '$module' failed!" fi fi done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file) fi if [[ ! -f "$conf_logging" ]]; then fatal "Missing configuration for logging - file '$conf_logging'" else source $conf_logging fi if [[ ! -f "$conf_default_ports" ]]; then fatal "Missing configuration for default_ports - file '$conf_default_ports'" else source $conf_default_ports fi if [[ ! -f "$conf_default_ips" ]]; then fatal "Missing configuration for default_ips - file '$conf_default_ips'" else source $conf_default_ips fi if [[ ! -f "$conf_interfaces" ]]; then fatal "Missing interface configurations - file '$conf_interfaces'" else source $conf_interfaces fi if [[ ! -f "$conf_default_basic_behavior" ]]; then fatal "Missing interface configurations - file '$conf_default_basic_behavior'" else source $conf_default_basic_behavior fi if [[ ! -f "$conf_main" ]]; then fatal "Missing main configurations - file '$conf_main'" else source $conf_main fi if [[ ! -f "$conf_post_declarations" ]]; then fatal "Missing post declarations - file '$conf_post_declarations'" else source $conf_post_declarations fi # --- # - IPv4 Addresses Gateway # --- _ips="$(ip -4 a | grep "inet " | awk '{print$2}' | cut -d'/' -f1)" declare -a gateway_ipv4_address_arr=() if [[ -n "$_ips" ]] ; then for _ip in $_ips ; do gateway_ipv4_address_arr+=("$_ip") done fi echo if $terminal ; then echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m" else echo "Starting firewall iptables (IpV4).." fi echo # ------------- # --- Activate IP Forwarding # ------------- ## - IP Forwarding aktivieren/deaktivieren. ## - ## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen. ## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen, ## - weil hiermit auch andere (de)aktiviert werden. ## - if $kernel_activate_forwarding ; then echo 1 > /proc/sys/net/ipv4/ip_forward echononl "\tActivate Forwarding.." echo_done else echo 0 > /proc/sys/net/ipv4/ip_forward echononl "\t\033[33m\033[1mDisable Forwarding.." echo_done fi if $kernel_support_dynaddr ; then echononl "\tActivate kernel support for dynamic addresses.." if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr echo_done else echo_failed fi else echo 0 > /proc/sys/net/ipv4/ip_dynaddr echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" echo_done fi # ------------- # --- Adjust Kernel Parameters (Security/Tuning) # ------------- echononl "\tAdjust Kernel Parameters (Security/Tuning).." if $adjust_kernel_parameters ; then ## - Reduce DoS'ing ability by reducing timeouts ## - if $kernel_reduce_timeouts ; then echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 1 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_sack fi ## - SYN COOKIES ## - if $kernel_tcp_syncookies ; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo 3 > /proc/sys/net/ipv4/tcp_synack_retries fi ## - Protection against ICMP bogus error responses ## - if $kernel_protect_against_icmp_bogus_messages ; then echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses fi ## - Ignore Broadcast Pings ## - if $kernel_ignore_broadcast_ping ; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts fi ## - Deactivate Source Routed Packets ## - if $kernel_deactivate_source_route ; then for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do echo 0 > $asr done fi ## - Deactivate sending ICMP redirects ## - if ! $telekom_internet_tv ; then if $kernel_dont_accept_redirects ; then for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $rp_filter done else for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $rp_filter done fi fi ## - Logging of spoofed (source routed" and "redirect") packets ## - if $kernel_log_martians ; then echo "0" > /proc/sys/net/ipv4/conf/all/log_martians fi echo_done # Adjust Kernel Parameters (Security/Tuning) else echo_skipped fi # ------------- # --- Set default policies / Flush Rules # ------------- echo echononl "\tFlushing firewall iptable (IPv4).." # - default policies # - $ipt -P INPUT ACCEPT $ipt -P OUTPUT ACCEPT $ipt -P FORWARD ACCEPT ## - flush chains ## - $ipt -F $ipt -F INPUT $ipt -F OUTPUT $ipt -F FORWARD $ipt -F -t mangle $ipt -F -t nat $ipt -F -t raw $ipt -X $ipt -Z echo_done $ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu unset natted_interface_arr declare -a natted_interface_arr echo "" echononl "\tMasquerade (NAT) interfaces.." if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _dev in ${nat_device_arr[@]} ; do $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE natted_interface_arr+=("$_dev") done echo_done else echo_skipped fi echononl "\tMasquerade (NAT) networks.." if [[ ${#nat_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in "${nat_network_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" # - Prevent natting on an interface already natted # - if containsElement "${_val_arr[1]}" "${nat_device_arr[@]}" ; then continue fi # - ?? - Don't know which rule is the right one , maybe both.. # - $ipt -t nat -A POSTROUTING -o ${_val_arr[1]} -d ${_val_arr[0]} -j MASQUERADE $ipt -t nat -A POSTROUTING -o ${_val_arr[1]} -s ${_val_arr[0]} -j MASQUERADE done echo_done else echo_skipped fi echo if $telekom_internet_tv ; then echononl "\tNAT Telekom Intzernet TV.." $ipt -t nat -A POSTROUTING -o $tv_extern_if -j MASQUERADE echo_done echo fi unset no_if_for_ip_arr declare -a no_if_for_ip_arr echononl "\tMasquerade TCP Connections .." if [[ ${#masquerade_tcp_con_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in "${masquerade_tcp_con_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" # - Skip if no interface is given # - if [[ -z "${_val_arr[3]}" ]] ; then no_if_for_ip_arr+=("${_val_arr[1]}") continue fi $ipt -t nat -A POSTROUTING -o ${_val_arr[3]} -p tcp -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j MASQUERADE done echo_done else echo_skipped fi if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "(TCP) Masquerading for ip '$_ip' was omitted - No destination interface present!" done fi unset no_if_for_ip_arr declare -a no_if_for_ip_arr echononl "\tMasquerade UDP Connections .." if [[ ${#masquerade_udp_con_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in "${masquerade_udp_con_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" # - Skip if no interface is given # - if [[ -z "${_val_arr[3]}" ]] ; then no_if_for_ip_arr+=("${_val_arr[1]}") continue fi $ipt -t nat -A POSTROUTING -o ${_val_arr[3]} -p udp -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j MASQUERADE done echo_done else echo_skipped fi if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "(UDP) Masquerading for ip '$_ip' was omitted - No destination interface present!" done fi echononl "\tMasquerade ICMP Connections .." if [[ ${#masquerade_icmp_con_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in "${masquerade_icmp_con_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -t nat -A POSTROUTING -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j MASQUERADE done echo_done else echo_skipped fi echo # ------------- # - Log given IP Addresses # ------------- echononl "\tLog given IP Addresses" if [[ ${#log_ip_arr[@]} -gt 0 ]]; then for _ip in ${log_ip_arr[@]} ; do $ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip IN: " $ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip OUT: " $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip FORWARD FROM: " $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip FORWARD TO: " done echo_done else echo_skipped fi # ------------- # --- Stopping firewall if only flushing was requested (parameter flush) # ------------- case $1 in flush) warn No firewall rules are active! exit 0;; esac # --- # - Stop here, if no extern interface is configured # --- if [[ ${#ext_if_arr[@]} -lt 1 ]] ; then fatal "No extern Interface is configured!" fi # ------------- # --- Traffic Shaping # ------------- echo "" if $terminal ; then echononl "\033[37m\033[1m\tStarting outbound shaping...\033[m" else echo -n "Starting outbound shaping" fi if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then tc=$(which tc) if [[ -z "$tc" ]]; then echo_skipped warn "'tc'-programm not found. Outbound shaping was ommitted!" else ## - Löschen aller Klassen für $TC_DEV und der Filterregeln ## - $tc qdisc del dev $TC_DEV root 2> /dev/null > /dev/null $ipt -t mangle -D POSTROUTING -o $TC_DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null $ipt -t mangle -F MYSHAPER-OUT $ipt -t mangle -X MYSHAPER-OUT # add HTB root qdisc $tc qdisc add dev $TC_DEV root handle 1:0 htb default 26 # add main rate limit class(es) $tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit # create fair-share-classes, descending priority $tc class add dev $TC_DEV parent 1:1 classid 1:20 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 0 $tc class add dev $TC_DEV parent 1:1 classid 1:21 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 1 $tc class add dev $TC_DEV parent 1:1 classid 1:22 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 2 $tc class add dev $TC_DEV parent 1:1 classid 1:23 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 3 $tc class add dev $TC_DEV parent 1:1 classid 1:24 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 4 $tc class add dev $TC_DEV parent 1:1 classid 1:25 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 5 $tc class add dev $TC_DEV parent 1:1 classid 1:26 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 6 # attach qdisc to leaf classes # # here we at SFQ to each priority class. SFQ insures that # within each class connections will be treated (almost) fairly. $tc qdisc add dev $TC_DEV parent 1:20 handle 20: sfq perturb 10 $tc qdisc add dev $TC_DEV parent 1:21 handle 21: sfq perturb 10 $tc qdisc add dev $TC_DEV parent 1:22 handle 22: sfq perturb 10 $tc qdisc add dev $TC_DEV parent 1:23 handle 23: sfq perturb 10 $tc qdisc add dev $TC_DEV parent 1:24 handle 24: sfq perturb 10 $tc qdisc add dev $TC_DEV parent 1:25 handle 25: sfq perturb 10 $tc qdisc add dev $TC_DEV parent 1:26 handle 26: sfq perturb 10 # filter traffic into classes by fwmark # # here we direct traffic into priority class according to # the fwmark set on the packet (we set fwmark with iptables # later). Note that above we've set the default priority # class to 1:26 so unmarked packets (or packets marked with # unfamiliar IDs) will be defaulted to the lowest priority # class. $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20 $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21 $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22 $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23 $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 24 fw flowid 1:24 $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 25 fw flowid 1:25 $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26 # add MYSHAPER-OUT chain to the mangle table in iptables # # this sets up the table we'll use # to filter and mark packets. $ipt -t mangle -N MYSHAPER-OUT $ipt -t mangle -I POSTROUTING -o $TC_DEV -j MYSHAPER-OUT # add fwmark entries to classify different types of traffic # # Set fwmark from 20-26 according to # desired class. 20 is highest prio. # mark 20 - high prio 0 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 20 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN $ipt -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20 $ipt -t mangle -A MYSHAPER-OUT -p icmp -j RETURN # mark 21 - high prio 1 # - DNS Service $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21 $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j RETURN # mark 22 - high prio 2 # - VoIP SIP (sip ports, rtp ports, stun ports(3478)) $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j MARK --set-mark 22 $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j RETURN $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j MARK --set-mark 22 $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j RETURN $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j MARK --set-mark 22 $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j RETURN $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j MARK --set-mark 22 $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j RETURN # mark 23 - prio 3 # - OpenVPN $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j RETURN $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 23 $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j RETURN $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23 $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j RETURN # mark 24 - prio 4 # - WWW $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j MARK --set-mark 24 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j RETURN # mark 25 - prio 5 # - Mailtraffic $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j MARK --set-mark 25 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j RETURN # Remaining packets are marked according to TOS $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark 22 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark 22 $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark 25 # redundant- mark any unmarked packets as 26 (low prio) $ipt -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26 echo_done fi else echo_skipped fi # --- # - Provide (Telekom) IP TV # --- echo echononl "\tProvide (Telekom) Internet TV" if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then # - Telekom VDSL - Rules for IPTV # - $ipt -A INPUT -i $tv_local_if -p igmp -s $tv_ip -j ACCEPT #$ipt -A INPUT -i $tv_local_if -p igmp -j DROP $ipt -A FORWARD -s $tv_ip -j ACCEPT $ipt -A FORWARD -d $tv_ip -j ACCEPT $ipt -A FORWARD -i $tv_ip -j ACCEPT $ipt -A FORWARD -o $tv_ip -j ACCEPT # - Forward all networks defined defind by igmpproxy # - (see: phyint eth2.8 upstream ratelimit 0 threshold 1) # #$ipt -A FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT #$ipt -A FORWARD -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT #$ipt -A FORWARD -s 239.35.100.6/24 -d 224.0.0.0/4 -j ACCEPT #$ipt -A FORWARD -s 93.230.64.0/19 -d 224.0.0.0/4 -j ACCEPT $ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT $ipt -A FORWARD -s 224.0.0.0/4 -j ACCEPT $ipt -A OUTPUT -d 224.0.0.0/4 -j ACCEPT $ipt -A INPUT -d 224.0.0.0/4 -j ACCEPT $ipt -A INPUT -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT $ipt -A INPUT -i $tv_local_if -d 224.0.0.0/4 -j ACCEPT $ipt -A OUTPUT -o $tv_extern_if -d 224.0.0.0/4 -j ACCEPT $ipt -A OUTPUT -o $tv_local_if -d 224.0.0.0/4 -j ACCEPT #$ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT $ipt -A FORWARD -i $tv_local_if -o $tv_extern_if -j ACCEPT $ipt -A FORWARD -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT echo_done else echo_skipped fi echo # ------------- # --- Pass through Devices Interfaces (not firewalled) # ------------- echononl "\tPass through Devices (not firewalled)" if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " fi fi $ipt -A INPUT -i $_dev -j ACCEPT $ipt -A OUTPUT -o $_dev -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -j ACCEPT $ipt -A FORWARD -o $_dev -j ACCEPT fi done echo_done else echo_skipped fi # ------------- # --- Traffic generally allowed # ------------- echononl "\tLoopback device generally allowed.." # --- # - Loopback device # --- $ipt -A INPUT -i lo -j ACCEPT $ipt -A OUTPUT -o lo -j ACCEPT echo_done echo # ------------- # --- Block IPs / Networks / Interfaces # ------------- echononl "\tBlock IPs / Networks / Interfaces.." # --- # - Block IPs # --- for _ip in $blocked_ips ; do for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " fi fi $ipt -A INPUT -i $_dev -s $_ip -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j DROP fi done done # --- # - Block Interfaces # --- for _if in ${blocked_if_arr[@]} ; do if $log_blocked_if || $log_all ; then if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " $ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi $ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_if -j DROP $ipt -A FORWARD -o $_if -j DROP fi $ipt -A INPUT -i $_if -j DROP $ipt -A OUTPUT -o $_if -j DROP done echo_done # Block IPs / Networks / Interfaces.. # --- # - Block UPnP Ports # --- echononl "\tBlock UPnP Traffic (extern in).." if $block_upnp_traffic_in ; then for _dev in ${ext_if_arr[@]} ; do if $log_upnp || $log_all ; then $ipt -A INPUT -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: " fi $ipt -A INPUT -i $_dev -p udp --dport 1900 -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: " fi $ipt -A FORWARD -i $_dev -p udp --dport 1900 -j DROP done echo_done else echo_skipped fi echononl "\tBlock UPnP Traffic (extern out).." if $block_upnp_traffic_out ; then for _dev in ${ext_if_arr[@]} ; do if $log_upnp || $log_all ; then $ipt -A OUTPUT -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: " fi $ipt -A OUTPUT -o $_dev -p udp --dport 1900 -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: " fi $ipt -A FORWARD -o $_dev -p udp --dport 1900 -j DROP done echo_done else echo_skipped fi # --- # - Block UDP Ports out # --- echononl "\tBlock UDP Ports extern out.." if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then echo"" for _port in ${block_udp_extern_out_port_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -j DROP fi done done echo_done else echo_skipped fi # --- # - Block TCP Ports out # --- echononl "\tBlock TCP Ports extern out.." if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then for _port in ${block_tcp_extern_out_port_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -j DROP fi done done echo_done else echo_skipped fi # --- # - Block IPs/Netwoks reading from file 'ban_ipv4.list'" # --- echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .." if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then declare -a octets declare -i index while IFS='' read -r _line || [[ -n $_line ]] ; do is_valid_ipv4=true is_valid_mask=true ipv4="" mask="" # Ignore comment lines # [[ $_line =~ ^[[:space:]]{0,}# ]] && continue # Ignore blank lines # [[ $_line =~ ^[[:space:]]*$ ]] && continue # Remove leading whitespace characters # _line="${_line#"${_line%%[![:space:]]*}"}" # Catch IPv4 Address # given_ipv4="$(echo $_line | cut -d ' ' -f1)" # Splitt Ipv4 address from possible given CIDR number # IFS='/' read -ra _addr <<< "$given_ipv4" _ipv4="${_addr[0]}" if [[ -n "${_addr[1]}" ]] ; then _mask="${_addr[1]}" test_netmask=false # Is 'mask' a valid CIDR number? If not, test agains a valid netmask # if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then # Its not a vaild mask number, but naybe a valit netmask. # test_netmask=true else if [[ $_mask -gt 32 ]]; then # Its not a vaild cidr number, but naybe a valit netmask. # test_netmask=true else # OK, we have a vaild cidr number between '0' and '32' # mask=$_mask fi fi # Test if given '_mask' is a valid netmask. # if $test_netmask ; then octets=( ${_mask//\./ } ) # Complete netmask if necessary # while [[ ${#octets[@]} -lt 4 ]]; do octets+=(0) done [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false index=0 for octet in ${octets[@]} ; do if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then if [[ $octet -gt 255 ]] ; then is_valid_mask=false fi if [[ $index -gt 0 ]] ; then mask="${mask}.${octet}" else mask="${octet}" fi else is_valid_mask=false fi ((index++)) done fi adjust_mask=false else mask=32 adjust_mask=true fi # Splitt given address into their octets # octets=( ${_ipv4//\./ } ) # Complete IPv4 address if necessary # while [[ ${#octets[@]} -lt 4 ]]; do octets+=(0) # Only adjust CIDR number if not given # if $adjust_mask ; then mask="$(expr $mask - 8)" fi done # Pre-check if given IPv4 Address seems to be a valid address # [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false # Check if given IPv4 Address is a valid address # if $is_valid_ipv4 ; then index=0 for octet in ${octets[@]} ; do if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then if [[ $octet -gt 255 ]] ; then is_valid_ipv4=false fi if [[ $index -gt 0 ]] ; then ipv4="${ipv4}.${octet}" else ipv4="${octet}" fi else is_valid_ipv4=false fi ((index++)) done fi if $is_valid_ipv4 && $is_valid_mask; then _ip="${ipv4}/${mask}" for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " fi fi $ipt -A INPUT -i $_dev -s $_ip -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j DROP fi done else msg="$msg '${given_ipv4}'" fi done < "${ipt_conf_dir}/ban_ipv4.list" echo_done if [[ -n "$msg" ]]; then warn "Ignored:$msg" fi else echo_skipped fi # --- # - Allow Forwarding certain private Addresses # --- echononl "\tAllow forwarding (private) IPs / IP-Ranges.." if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then for _ip in ${forward_private_ip_arr[@]}; do if $kernel_activate_forwarding ; then $ipt -A FORWARD -d $_ip -j ACCEPT $ipt -A FORWARD -s $_ip -j ACCEPT echo_done else echo_skipped fi done else echo_skipped fi # ------------- # --- Protections against several attacks / unwanted packages # ------------- if $protect_against_several_attacks ; then echo if $terminal ; then echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m" else echo "Protections against several attacks / unwanted packages...." fi echo # --- # - Protection against syn-flooding # --- echononl "\t Protection against syn-flooding.." if $drop_syn_flood || $log_syn_flood || $log_all ; then $ipt -N syn_flood $ipt -A INPUT -p tcp --syn -j syn_flood $ipt -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN fi if $log_syn_flood || $log_all ; then $ipt -A syn_flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " fi if $drop_syn_flood ; then $ipt -A syn_flood -j DROP echo_done else echo_skipped fi # --- # - Drop Fragments # --- # I have to say that fragments scare me more than anything. # Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" # Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such # fragments is very OS-dependent (see this paper for details). # I am not going to trust any fragments. # Log fragments just to see if we get any, and deny them too echononl "\t Drop Fragments.." if $log_fragments || $log_all ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " fi done fi if $drop_fragments ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -f -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -f -j DROP fi done echo_done else echo_skipped fi # --- # - drop new packages without syn flag # --- echononl "\t Drop Packages new but not sync.." if $log_new_not_sync || $log_all ; then $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " fi fi if $drop_new_not_sync; then $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP fi echo_done else echo_skipped fi # --- # - drop invalid packages # --- echononl "\t Drop invalid packages.." if $log_invalid_state || $log_all ; then $ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " fi fi if $drop_invalid_state ; then $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP fi echo_done else echo_skipped fi # --- # - ungewöhnliche Flags verwerfen # --- echononl "\t Drop Packages with unusal flags .." if $log_invalid_flags || $log_all ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " fi done fi if $drop_invalid_flags ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP fi done echo_done else echo_skipped fi # --- # - Refuse private addresses on extern interfaces # --- echononl "\t Refuse private addresses on extern interfaces (DSL).." if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then # Refuse packets claiming to be from a # Class A private network # Class B private network # Class C private network # loopback interface # Class D multicast address # Class E reserved IP address # broadcast address if $log_spoofed || $log_all ; then for _dev in ${dsl_device_arr[@]} ; do $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " # if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " fi done fi if $drop_spoofed ; then for _dev in ${dsl_device_arr[@]} ; do # Refuse packets claiming to be from a Class A private network. $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP # Refuse packets claiming to be from a Class B private network. $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP # Retfuse packets claiming to be from a Class C private network. $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP # Refuse packets claiming to be from loopback interface. $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP # Refuse Class D multicast addresses. Multicast is illegal as a source address. $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP # Refuse Class E reserved IP addresses. $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP # Refuse broadcast address packets. #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP if $kernel_activate_forwarding ; then # Refuse packets claiming to be from a Class A private network. $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP # Refuse packets claiming to be from a Class B private network. $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP # Refuse packets claiming to be from a Class C private network. $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP # Refuse packets claiming to be from loopback interface. $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP # Refuse Class D multicast addresses. Multicast is illegal as a source address. $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP # Refuse Class E reserved IP addresses. $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP # Refuse broadcast address packets. #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP fi done echo_done else echo_skipped fi else echo_skipped fi # --- # - Refuse packets claiming to be to the loopback interface. # --- echononl "\t Refuse packets claiming to be to the loopback interface.." # Refusing packets claiming to be to the loopback interface protects against # source quench, whereby a machine can be told to slow itself down by an icmp source # quench to the loopback. if $log_to_lo || $log_all ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " fi done fi if $drop_ext_to_lo ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP fi done echo_done else echo_skipped fi # --- # - Don't allow spoofing from that server # --- echononl "\t Don't allow spoofing out from that server.." if [[ ${#dsl_device_arr[@]} -gt 0 ]] ; then if $log_spoofed_out || $log_all ; then for _dev in ${dsl_device_arr[@]} ; do $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: " $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: " $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: " $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: " done fi if $drop_spoofed_out ; then for _dev in ${dsl_device_arr[@]} ; do $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP done echo_done else echo_skipped fi else echo_skipped fi fi # if $protect_against_several_attacks ; then # ------------- # --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]}) # ------------- if $log_voip || $log_all ; then for _ip in ${tel_sys_ip_arr[@]} ; do $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] " done fi #for _PORT in ${VOIP_PORTS} ; do # $ipt -A FORWARD -p udp --sport $_PORT -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] " #done # ------------- # ------------- Stopping firewall here if requested (parameter stop) # ------------- case $1 in sto*) echo if $terminal ; then echo -e "\t\033[37m\033[1mStop was requested. No more firewall rules..\033[m" else echo "Stop was requested. No more firewall rules.." fi echo exit 0;; esac echo # ------------- # - suricata IPS (Inline Mode) # ------------- # - HACK for integrating suricata IPS (Inline Mode) at 'gw-ckubu' # - echononl "\tForward to suricata IPS (inline Mode)" if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then $ipt -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:3 echo_done else echo_skipped fi echo # ------------- # --- iPerf # ------------- # iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. # It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, # SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. echononl "\tCreate \"iPerf\" rules.." if $create_iperf_rules ; then $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT # $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT fi echo_done else echo_skipped fi # --- # - Drop packets not wanted on gateway # --- echononl "\tDrop packets not wanted on gateway" for _dev in ${local_if_arr[@]} ; do if $log_not_wanted || $log_all ; then if $not_wanted_ident ; then $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " fi for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " done for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do $ipt -A INPUT -i $_dev -p udp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " done fi if $not_wanted_ident ; then $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset fi for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $_port -j DROP done for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do $ipt -A INPUT -i $_dev -p udp --dport $_port -j DROP done done echo_done # ------------- # --- Generally prohibited from WAN # ------------- echononl "\tGenerally prohibited from WAN" for _dev in ${ext_if_arr[@]} ; do if $log_prohibited || $log_all ; then if $block_ident ; then $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " fi for _port in ${block_tcp_port_arr[@]} ; do $ipt -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do $ipt -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done if $kernel_activate_forwarding ; then if $block_ident ; then $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " fi for _port in ${block_tcp_port_arr[@]} ; do $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do $ipt -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done fi fi if $block_ident ; then $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset fi for _port in ${block_tcp_port_arr[@]} ; do $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP done for _port in ${block_udp_port_arr[@]} ; do $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP done if $kernel_activate_forwarding ; then if $block_ident ; then $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset fi for _port in ${block_tcp_port_arr[@]} ; do $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP done for _port in ${block_udp_port_arr[@]} ; do $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP done fi done echo_done echo # --- # - Already established connections # --- echononl "\tAccept already established connections.." $ipt -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT $ipt -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT fi echo_done echo "" unset restricted_vpn_network_arr unset restricted_vpn_target_network_arr declare -a restricted_vpn_network_arr declare -a restricted_vpn_target_network_arr # --- # - Restrict VPN Network to local Service # --- echononl "\tRestrict VPN Network to local Service" if [[ ${#restrict_vpn_net_to_local_service_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in "${restrict_vpn_net_to_local_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then restricted_vpn_network_arr+=("${_val_arr[0]}") fi if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then restricted_vpn_target_network_arr+=("${_val_arr[1]}") fi if containsElement "${_val_arr[1]}" "${gateway_ipv4_address_arr[@]}" ; then $ipt -A INPUT -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT # Allow also ICMP (ping) $ipt -A INPUT -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT $ipt -A INPUT -s $_net else $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT # Allow also ICMP (ping) to these target networks/hosts $ipt -A FORWARD -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT fi fi done echo_done else echo_skipped fi # --- # - Restrict VPN Network to local (Sub) network # --- # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - echononl "\tRestrict VPN Network to local (Sub) network" if [[ ${#restrict_vpn_net_to_local_subnet_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in ${restrict_vpn_net_to_local_subnet_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then restricted_vpn_network_arr+=("${_val_arr[0]}") fi if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then restricted_vpn_target_network_arr+=("${_val_arr[1]}") fi $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT #$ipt -A FORWARD -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT done echo_done else echo_skipped fi # --- # - Allow local DNS Service for restricted VPN Networks # --- echononl "\tAllow local DNS Service for restricted VPN Networks" if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] ; then for _net in "${restricted_vpn_network_arr[@]}" ; do for _ip in "${gateway_ipv4_address_arr[@]}" ; do $ipt -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p icmp -s $_net -d $_ip -j ACCEPT done done echo_done else echo_skipped fi # --- # - Block further traffic from Restrict VPN Networks # --- echononl "\tBlock further traffic from Restrict VPN Networks" if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _net in ${restricted_vpn_network_arr[@]} ; do #$ipt -A INPUT -p ALL -s $_net -m conntrack --ctstate NEW -j DROP #$ipt -A FORWARD -p ALL -s $_net -m conntrack --ctstate NEW -j DROP $ipt -A INPUT -p ALL -s $_net -j DROP $ipt -A FORWARD -p ALL -s $_net -j DROP done echo_done else echo_skipped fi echo "" # --- # - Permit all traffic through VPN lines # --- echononl "\tPermit all traffic through VPN lines.." for _vpn_if in ${vpn_if_arr[@]} ; do $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then for _local_dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done # --- # - Permit all traffic through WireGuard lines # --- echononl "\tPermit all traffic through WireGuard lines.." for _wg_if in ${wg_if_arr[@]} ; do $ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then for _local_dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_local_dev -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done echo "" # --- # - DHCP # --- echononl "\tLocal DHCP Client" if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then for _dev in ${dhcp_client_interfaces_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp -m udp -d 255.255.255.255 --dport 67 -j ACCEPT $ipt -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT done echo_done else echo_skipped fi echononl "\tDHCP" if $local_dhcp_service ; then # - Allow requests from intern networks for _dev in ${local_if_arr[@]} ; do # - in $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # - out $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT done echo_done else echo_skipped fi # --- # - DHCP Failover # --- echononl "\tDHCP Failover Server" if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${dhcp_failover_server_ip_arr[@]} ; do $ipt -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - DNS out only # --- echononl "\tDNS out only" # - Nameservers on the INET must be reachable for the local recursiv nameserver # - but also for all others # - for _dev in ${ext_if_arr[@]} ; do # - out from local and virtual mashine(s) $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then # - forward from virtual mashine(s) $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - DNS Service Gateway # --- echononl "\tDNS Service Gateway" # - Local Nameservice # - if $local_dns_service ; then # dns requests # # Note: # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # # - Allow requests from local networks # - for _dev in ${local_if_arr[@]} ; do # - in $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT done # - Zonetransfere (uses tcp/53) # for _ip in ${dns_server_ips[@]} ; do # - out # - # - local master (here) gets request for a zone from slave ($_ip) $ipt -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT # - in # - # - local slave (here) requests zone from master ($_ip) $ipt -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - DNS Services at local Network # --- echononl "\tDNS Service local Network" # - Make nameservers at the local network area rechable for all # - if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then # dns requests # # Note: # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # for _ip in ${dns_server_ip_arr[@]} ; do $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done else echo_skipped fi echo "" # --- # - Allow all Traffic from source mac-address # --- echononl "\tAllow all Traffic from MAC Source-Address" if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then for _mac in ${allow_all_mac_src_address_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Allow local Traffic from source mac-address # --- echononl "\tAllow local Traffic from MAC Source-Address" if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then for _mac in ${allow_local_mac_src_address_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Allow remote Traffic from source mac-address # --- echononl "\tAllow remote Traffic from MAC Source-Address" if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then for _mac in ${allow_remote_mac_src_address_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT fi done done echo_done else echo_skipped fi echo "" # --- # - Allow remote Traffic for Gaming devices (MAC) # --- echononl "\tAllow remote Traffic OUT for Gaming devices (MAC)" if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then for _mac in ${gaming_device_mac_address_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do if $kernel_activate_forwarding ; then if ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT fi fi done done echo_done else echo_skipped fi # --- # - Deny Traffic to other local networks for Gaming devices (MAC) # --- echononl "\tDeny Traffic to other local networks for Gaming devices (MAC)" if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then for _mac in ${gaming_device_mac_address_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j DROP fi done done echo_done else echo_skipped fi echo "" # --- # - Allow remote Traffic for Gaming IP addresses (IP-address) # --- echononl "\tAllow remote Traffic OUT for Gaming devices (IP-address)" if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then for _ip in ${gaming_device_ip_address_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do if $kernel_activate_forwarding ; then if ! $permit_local_net_to_inet ; then $ipt -A FORWARD -p ALL -o $_dev -s $_ip -j ACCEPT fi fi done done echo_done else echo_skipped fi # --- # - Deny Traffic to other local networks for Gaming devices (IP-address) # --- echononl "\tDeny Traffic to other local networks for Gaming devices (IP-address)" if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then for _ip in ${gaming_device_ip_address_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -s $_ip -j DROP fi done done echo_done else echo_skipped fi echo "" # --- # - Telefon Systems # --- echononl "\tAllow all Traffic between Telefon Systems" if [[ ${#tele_sys_ip_arr[@]} -gt 1 ]] && $allow_between_tele_systems && ! $permit_between_local_networks ; then for _ip_1 in ${tele_sys_ip_arr[@]} ; do for _ip_2 in ${tele_sys_ip_arr[@]} ; do #[[ "$_ip_1" = "$_ip_2" ]] && continue $ipt -A FORWARD -s $_ip_1 -d $_ip_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # --- # - Telefon Systems to remote SIP-Server # --- echononl "\tTelefon System to remote SIP-Server" if [[ ${#tele_sys_ip_arr[@]} -gt 0 ]] ; then if [ -z "$tele_sys_remote_sip_server_port" -o -z "$tele_sys_local_sip_server_port" ] ; then echo_failed warn "Local or remote SIP Port not given"! else for _ip in ${tele_sys_ip_arr[@]} ; do $ipt -A FORWARD -p udp -s $_ip --sport $tele_sys_local_sip_server_port \ --dport $tele_sys_remote_sip_server_port -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - All request from local networks to the internet # --- echononl "\tPermit all traffic from local networks to the internet.." if $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT fi done if $local_alias_interfaces && $kernel_activate_forwarding ; then $ipt -A FORWARD -p tcp --tcp-flag ACK ACK -j ACCEPT fi echo_done else echo_skipped fi # --- # - Networks not firewalled through extern interfaces # --- echononl "\tAllow these local networks any access to the internet" if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_local_net_to_inet ; then for _net in ${any_access_to_inet_network_arr[@]}; do for _dev in ${ext_if_arr[@]} ; do $ipt -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi echononl "\tAllow these local networks any access from the internet" if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then _found=false for _net in ${any_access_from_inet_network_arr[@]}; do for _dev in ${ext_if_arr[@]} ; do # - Traffic recieved on natted interfaces will be ommitted! # - if containsElement "$_dev" "${nat_device_arr[@]}" ; then continue else _found=true fi $ipt -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT done done if $_found ; then echo_done else echo_skipped fi else echo_skipped fi # --- # - Allow local services from ALL extern netwoks # --- echononl "\tAllow local services from ALL extern netwoks" if [[ ${#allow_all_ext_traffic_to_local_service_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in "${allow_all_ext_traffic_to_local_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do if containsElement "${_val_arr[0]}" "${gateway_ipv4_address_arr[@]}" ; then $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT continue fi if $kernel_activate_forwarding ; then # - Nat if interface is on a dsl line # - if containsElement "${_val_arr[0]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -j DNAT --to ${_val_arr[0]}:${_val_arr[1]} fi $ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT fi done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p ${_val_arr[2]} -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Allow local services from given extern networks # --- echononl "\tAllow local services from given extern networks" if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then _found=false for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do if containsElement "${_val_arr[1]}" "${gateway_ipv4_address_arr[@]}" ; then $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT fi # - Traffic recieved on natted interfaces will be ommitted! # - if containsElement "$_dev" "${nat_device_arr[@]}" ; then continue else _found=true fi $ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT done done if $_found ; then echo_done else echo_skipped fi else echo_skipped fi # --- # - Allow all traffic from extern address/network to local address/network # --- # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - echononl "\tAllow all traffic from extern to local network/address" if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then _found=false for _val in ${allow_ext_net_to_local_net_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do # - Traffic recieved on natted interfaces will be ommitted! # - if containsElement "$_dev" "${nat_device_arr[@]}" ; then continue else _found=true fi $ipt -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT done done if $_found ; then echo_done else echo_skipped fi else echo_skipped fi # --- # - Block all extern traffic to (given) local network # --- echononl "\tBlock all extern traffic to (given) local network" if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then _found=false for _net in ${block_all_ext_to_local_net_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do # - Traffic recieved on natted interfaces will be ommitted! # - if containsElement "$_dev" "${nat_device_arr[@]}" ; then continue else _found=true fi $ipt -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP done done if $_found ; then echo_done else echo_skipped fi else echo_skipped fi # --- # - Allow all traffic from local ip to the internet # --- echononl "\tAllow all traffic from local ip to the internet" if [[ ${#allow_local_ip_to_inet_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _ip in ${allow_local_ip_to_inet_arr[@]} ; do $ipt -A FORWARD -p ALL -s $_ip -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Allow local services from given local networks # --- # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - echononl "\tAllow local services from given local networks" if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in "${allow_local_net_to_local_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT fi fi done echo_done else echo_skipped fi # --- # - Allow all traffic from local network to local ip-address # --- echononl "\tAllow all traffic from local network to local ip-address" # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in ${allow_local_net_to_local_ip_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done echo_ok else echo_skipped fi # --- # - Allow all traffic from local ip-address to local network # --- echononl "\tAllow all traffic from local ip-address to local network" # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in ${allow_local_ip_to_local_net_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Allow all traffic from (one) local network to (another) local network # --- # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - echononl "\tAllow all traffic from local network to (another) local network" if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in ${allow_local_net_to_local_net_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done echo_ok else echo_skipped fi # --- # - Allow local ip address from given local interface # --- # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - echononl "\tAllow local ip address from given local interface" if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in ${allow_local_if_to_local_ip_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Allow extern service from given local interface # --- echononl "\tAllow extern service from given local interface" if [[ ${#allow_local_if_to_ext_service_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in "${allow_local_if_to_ext_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ${_val_arr[3]} -i ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi fi done echo_done else echo_skipped fi # --- # - Allow extern network from given local interface # --- echononl "\tAllow extern network from given local interface" if [[ ${#allow_local_if_to_ext_net_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in ${allow_local_if_to_ext_net_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Allow extern service from given local network # --- echononl "\tAllow extern service from given local network" if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then if [[ "${_val_arr[3]}" = "tcp" ]]; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT fi fi done echo_done else echo_skipped fi # --- # - Allow extern network from given local network # --- echononl "\tAllow extern network from given local network" if [[ ${#allow_local_net_to_ext_net_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding ; then for _val in ${allow_local_net_to_ext_net_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d ${_val_arr[1]} -s ${_val_arr[0]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -d ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Allow extern service # --- echononl "\tAllow extern service" if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then for _val in "${allow_to_ext_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT fi done if $local_alias_interfaces ; then if [[ "${_val_arr[2]}" = "tcp" ]]; then $ipt -A FORWARD -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi fi done echo_done else echo_skipped fi # --- # - Allow extern network # --- echononl "\tAllow extern network" if [[ ${#allow_to_ext_net_arr[@]} -gt 0 ]] ; then for _net in "${allow_to_ext_net_arr[@]}" ; do for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -d $_net -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -d $_net -m conntrack --ctstate NEW -j ACCEPT fi done if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_net --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_net --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Separate local networks # --- # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - echononl "\tSeparate local networks.." if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _net in ${separate_local_network_arr[@]}; do for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -o $_dev -p all -s $_net -j DROP done done echo_done else echo_skipped fi # --- # - Separate local interfaces # --- # - !! Note: # - does NOT depend on settings 'permit_between_local_networks' !! # - echononl "\tSeparate local interfaces.." if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _dev_1 in ${separate_local_if_arr[@]}; do for _dev_2 in ${local_if_arr[@]} ; do [[ "$_dev_1" = "$_dev_2" ]] && continue $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p all -j DROP $ipt -A FORWARD -i $_dev_2 -o $_dev_1 -p all -j DROP done done echo_done else echo_skipped fi # --- # - Permit all traffic between local networks # --- echononl "\tPermit all traffic between local networks.." if $kernel_activate_forwarding ; then if $permit_between_local_networks ; then for _dev_1 in ${local_if_arr[@]} ; do for _dev_2 in ${local_if_arr[@]} ; do # - Notice: # - In case of routing multiple netwoks on the same interface or # - using alias interfaces like eth0:0, you need a rule with # - incomming- and outgoing interface are equal! # - # - So DON'T add statement like this: # - [[ "$_dev_2" = "$_dev_1" ]] && continue # - $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --tcp-flag ACK ACK -j ACCEPT fi done done echo_done else echo_skipped fi else echo_skipped fi # ------------- # --- Services # ------------- echo if $terminal ; then echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" else echo "Add Rules for Services.." fi # --- # - IPv6 over IPv4 (Tunnel Provider SixXS) # --- echononl "\t\tIPv6 Tunnel SixXS" if $local_sixxs_service ; then if [ -n "$tic_server" -a -n "$six_pop_server" ]; then # TIC (tunnel information & control) packages, from/to tic.sixxs.net $ipt -A OUTPUT -p tcp -d $tic_server --dport 3874 -m conntrack --ctstate NEW -j ACCEPT # heartbeat packets (outgoing only) $ipt -A OUTPUT -p udp -d $six_pop_server --dport 3740 -m conntrack --ctstate NEW -j ACCEPT # 6over4 tunnel packets $ipt -A OUTPUT -p 41 -d $six_pop_server -j ACCEPT $ipt -A INPUT -p 41 -d $six_pop_server -j ACCEPT echo_done else echo_skipped fi else echo_skipped fi # --- # - SSH out only # --- echononl "\t\tSSH out only" if $allow_ssh_request_out && ! $permit_local_net_to_inet ; then # - Provide SSH to everywhere (also LAN) for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT fi done for _dev in ${local_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - SSH Service Gateway # --- echononl "\t\tSSH Service Gateway (also from WAN)" if $local_ssh_service ; then # - Provides SSH in from everywhere for _port in ${ssh_port_arr[@]} ; do $ipt -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - SSH Services only local Network # --- echononl "\t\tSSH Services only local Network" if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then for _ip in ${ssh_server_only_local_ip_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - SSH Services DMZ # --- echononl "\t\tSSH Services DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then for _ip in "${!ssh_server_dmz_arr[@]}"; do # - Skip if no interface is given # - if [[ -z "${ssh_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi for _port in ${ssh_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then # - Nat if interface is on a dsl line # - if containsElement "${ssh_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port fi $ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT fi # - From intern if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $_port -m conntrack --ctstate NEW -j ACCEPT done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then for _port in ${ssh_port_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done fi done done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - SSH Service between local Netwotks # --- echononl "\t\tSSH Service between local Netwotks" if $allow_ssh_between_local_nets ; then if $kernel_activate_forwarding ; then for _dev_1 in ${local_if_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev_1 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _dev_2 in ${local_if_arr[@]} ; do if ! $permit_between_local_networks ; then # - Notice: # - In case of routing multiple netwoks on the same interface or # - using alias interfaces like eth0:0, you need a rule with # - incomming- and outgoing interface are equal! # - # - So DON'T add statement like this: # - [[ "$_dev_2" = "$_dev_1" ]] && continue # - for _port in ${ssh_port_arr[@]} ; do $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then for _port in ${ssh_port_arr[@]} ; do $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT done fi done done fi echo_done else echo_skipped fi # --- # - Cisco kompartibles VPN (FRITZ!Box) # --- echononl "\t\tCisco VPN Service (FRITZ\!Box) only out" if $allow_cisco_vpn_out && [[ ${#cisco_vpn_out_port_arr[@]} -gt 0 ]]; then for _dev in ${ext_if_arr[@]} ; do for _port in ${cisco_vpn_out_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done for _vpn_if in ${vpn_if_arr[@]} ; do $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - VPN Service only out # --- echononl "\t\tVPN Service only out" if $allow_vpn_out && [[ ${#vpn_out_port_arr[@]} -gt 0 ]]; then for _dev in ${ext_if_arr[@]} ; do for _port in ${vpn_out_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done for _vpn_if in ${vpn_if_arr[@]} ; do $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - VPN Service Gateway # --- echononl "\t\tVPN Service Gateway" if $local_vpn_service ; then # - Cconnection establishment # - for _port in ${vpn_gw_port_arr[@]} ; do $ipt -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - VPN Service DMZ # --- echononl "\t\tVPN Service DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${!vpn_server_dmz_arr[@]} ; do # - Skip if no interface is given # - if [[ -z "${vpn_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi for _port in ${vpn_local_net_port_arr[@]} ; do $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line # - if containsElement "${vpn_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port fi done done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - WireGuard Service only out # --- echononl "\t\tWireGuard Service only out" if $allow_wg_out && [[ ${#wg_out_port_arr[@]} -gt 0 ]]; then for _dev in ${ext_if_arr[@]} ; do for _port in ${wg_out_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done for _wg_if in ${wg_if_arr[@]} ; do $ipt -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - WireGuard Service Gateway # --- echononl "\t\tWireGuard Service Gateway" if $local_wg_service ; then # - Cconnection establishment # - for _port in ${wg_gw_port_arr[@]} ; do $ipt -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - WireGuard Service DMZ # --- echononl "\t\tWireGuard Service DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#wg_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${!wg_server_dmz_arr[@]} ; do # - Skip if no interface is given # - if [[ -z "${wg_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi for _port in ${wg_local_net_port_arr[@]} ; do $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line # - if containsElement "${wg_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${wg_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port fi done done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - HTTP(S) OUT # --- echononl "\t\tHTTP(S) out only" if $allow_http_request_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -o $_dev -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -i $_dev -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - HTTP(S) (local) Webserver # --- echononl "\t\tHTTP(S) Services Gateway" # - Access to the local Webservice if $local_http_service ; then $ipt -A INPUT -p tcp -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT echo_done else echo_skipped fi # --- # - HTTP(S) Services only local Network # --- echononl "\t\tHTTP(S) Services only local Network" # - Access to the Webservices (LAN) if [[ ${#http_server_only_local_ip_arr[@]} -gt 0 ]] ; then for _ip in ${http_server_only_local_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT done fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - HTTP(S) Services DMZ # --- echononl "\t\tHTTP(S) Services DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then http_port_arr=(${http_ports//,/ }) for _ip in "${!http_server_dmz_arr[@]}"; do # - Skip if no interface is given # - if [[ -z "${http_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi for _port in ${http_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then # - Nat if interface is on a dsl line # - if containsElement "${http_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port fi $ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT fi done if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT fi done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - HTTPS Services DMZ (only port 443) # --- echononl "\t\tHTTPS Services DMZ (only port $standard_https_port)" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then for _ip in "${!http_ssl_server_dmz_arr[@]}"; do # - Skip if no interface is given # - if [[ -z "${http_ssl_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT # - From extern if $kernel_activate_forwarding ; then # - Nat if interface is on a dsl line # - if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port fi $ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT fi # - From intern if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --dport $standard_https_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $standard_https_port --tcp-flag ACK ACK -j ACCEPT fi done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - Mail Service SMTP only out # --- echononl "\t\tMail Services SMTP only out" if $allow_smtp_request_out && ! $permit_local_net_to_inet ; then # - Provide SMTP out for all to WAN for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Mail (additional smtp ports OUT) # --- echononl "\t\tMail (additional smtp ports OUT)" if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - SMTP (Relay) Service Gateway # --- echononl "\t\tSMTP (Relay) Service Gateway (only on local network)" if $local_smtp_service ; then for _dev in ${local_if_arr[@]} ; do $ipt -A INPUT -p tcp -i $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - Mail User Services smtps/pop(s)/imap(s) only out # --- echononl "\t\tMail Services smtps/pop(s)/imap(s) only out" if $allow_mail_request_out && ! $permit_local_net_to_inet ; then # - Provide using Mailservices (WAN) from whole LAN # - # - Not needed from local machine. But for testing pupose (i.e. telnet ) # - # - for _dev in ${ext_if_arr[@]} ; do if $provide_mailservice_from_local ; then # - Note! # - this provides access both to LAN and WAN $ipt -A OUTPUT -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT fi if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done else echo_skipped fi # --- # - Mail Service SMTP only local Networks # --- echononl "\t\tMail Service SMTP only local Networks" if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]] ; then for _ip in ${mail_server_only_local_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT done for _dev in ${ext_if_arr[@]} ; do # Razor2 (TCP Port 2703) $ipt -A FORWARD -o $_dev -p tcp --dport 2703 -s $_ip -m conntrack --ctstate NEW -j ACCEPT # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) $ipt -A FORWARD -o $_dev -p tcp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p udp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT # - DCC (port udp:6277) $ipt -A FORWARD -o $_dev -p udp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ipt -A FORWARD -o $_dev -p tcp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT done fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT fi echo_done done else echo_skipped fi # --- # - Mail Services smtps/pop(s)/imap(s) only local Networks # --- echononl "\t\tMail Services smtps/pop(s)/imap(s) only local Networks" if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]]; then for _ip in ${mail_server_only_local_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Mail Server DMZ # --- echononl "\t\tMail Server DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then mail_port_arr=(${mail_user_ports//,/ }) mail_port_arr+=("$mail_smtp_port") for _ip in "${!mail_server_dmz_arr[@]}"; do if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then # Razor2 (TCP Port 2703) $ipt -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p tcp --dport 2703 -s $_ip -m conntrack --ctstate NEW -j ACCEPT # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) $ipt -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p tcp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p udp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT # - DCC (port udp:6277) $ipt -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p udp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ipt -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p tcp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport 6277 -d $_ip -m conntrack --ctstate NEW -j ACCEPT fi # - Skip if no interface is given # - if [[ -z "${mail_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi for _port in ${mail_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line # - if containsElement "${mail_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port fi $ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT fi done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - FTP common # --- ftp_helper_output_defined=false ftp_helper_prerouting_defined=false # --- # - FTP out only # --- echononl "\t\tFTP out only" if $allow_ftp_request_out ; then # - Used for different ftpdata recent lists 'ftpdata_$i' # - declare -i i=1 if ! $ftp_helper_output_defined ; then $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_output_defined=true fi if $kernel_activate_forwarding && ! $ftp_helper_prerouting_defined ; then $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_prerouting_defined=true fi for _dev in ${ext_if_arr[@]} ; do # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. # - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -m recent --name ftpdata_$i --rdest --set -j ACCEPT # - (2) # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). # - # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). # - $ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \ -m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT ((i++)) # - Accept (helper ftp) related connections # - $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then # ===== # - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic # - ====================================================== # - # - Workaround: # - (1) add (!) desitnatin ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear # - (2) accept packets of the formaly created recent list 'ftpdata_$i! # - # - Note: # - Use flag '--rdest' to match destination address # - # ===== # - (1) # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. # - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \ -m recent --name ftpdata_$i --rdest --set -j ACCEPT # - (2) # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). # - # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). # - $ipt -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \ -m recent --name ftpdata_$i --rdest --update --seconds 1800 --reap -j ACCEPT ((i++)) # - Accept (helper ftp) related connections # - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT fi done echo_done else echo_skipped fi #if $allow_ftp_request_out ; then # for _dev in ${ext_if_arr[@]} ; do # $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # - Allow active FTP connections from local network # # - # $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then # $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # fi # # - Allow active FTP connections from local network # # - # $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # done # # echo_done #else # echo_done #fi # --- # - FTP Service Gateway # --- echononl "\t\tFTP Service Gateway" if $local_ftp_service ; then # ===== # - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic # - ====================================================== # - # - Workaround: # - (1) add source ip to a 'recent list' named 'ftpservice! if ftp control connections appear # - (2) accept packets of the formaly created recent list 'ftpservice! # - # ===== # - (Re)define helper # - # - !! Note: !! # - for both, local FTP server (ftp_server_ip_arr) # - and forward to (extern) FTP server (forward_ftp_server_ip_arr) # - if ! $ftp_helper_prerouting_defined ; then $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_prerouting_defined=true fi # - (1) # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpservice'. # - $ipt -A INPUT -p tcp -m state --state NEW --dport $standard_ftp_port -m recent --name ftpservice --set -j ACCEPT # - (2) # - - Accept packets if the source ip-address is in the 'ftpservice' list (--update) and the # - source ip-address was seen within the last 1800 seconds (--seconds 1800). # - # - - If matched, the "last seen" timestamp of the source address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). # - $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \ -m recent --name ftpservice --update --seconds 1800 --reap -j ACCEPT # - Accept (helper ftp) related connections # - $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT echo_done else echo_skipped fi # --- # - FTP Services only local Network # --- echononl "\t\tFTP Service local Networks" if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then # - Used for different ftpdata recent lists 'ftpdata_local_$k' # - declare -i k=1 # - (Re)define helper # - if ! $ftp_helper_output_defined ; then $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_output_defined=true fi if $kernel_activate_forwarding && ! $permit_between_local_networks && ! $ftp_helper_prerouting_defined ; then $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp ftp_helper_prerouting_defined=true fi for _ip in ${ftp_server_only_local_ip_arr[@]} ; do # - (1) # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'. # - $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport 1024: -m state --state NEW \ -m recent --name ftpdata_local_$k --rdest --set -j ACCEPT $ipt -A FORWARD -d $_ip -p tcp --dport $standard_ftp_port -m state --state NEW \ -m recent --name ftpdata_local_$k --rdest --set -j ACCEPT # - (2) # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update) # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). # - # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). # - $ipt -A OUTPUT -d $_ip -p tcp -m state --state NEW --dport 1024: \ -m recent --name ftpdata_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -d $_ip -p tcp -m state --state NEW --dport 1024: \ -m recent --name ftpdata_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT fi ((k++)) # - Accept (helper ftp) related connections # - $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT fi done echo_done else echo_skipped fi #echononl "\t\tFTP Service local Networks" #if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then # for _ip in ${ftp_server_only_local_ip_arr[@]} ; do # $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # if ! $permit_between_local_networks ; then # $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # fi # # if $local_alias_interfaces ; then # # - Control Port # $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT # $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT # # - Data Port activ # $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT # $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT # # - Data Port passiv # $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT # fi # done # # echo_done #else # echo_skipped #fi # --- # - FTP Services DMZ # --- echononl "\t\tFTP Service DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}" for _ip in "${!ftp_server_dmz_arr[@]}"; do # - Skip if no interface is given # - if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # - From extern if $kernel_activate_forwarding ; then $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line # - if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $standard_ftp_port -j DNAT --to $_ip:$standard_ftp_port $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $standard_ftp_data_port -j DNAT --to $_ip:20 $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]} fi fi # - From intern if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then # - Control Port $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT # - Data Port activ $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT # - Data Port passiv $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT fi done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - TFTF Service out only # --- echononl "\t\tTFTF Service out only" if $allow_tftp_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT fi echo_done else echo_skipped fi # --- # - TFTP Service Gateway # --- echononl "\t\tTFTF Service Gateway" if $local_tftp_service ; then $ipt -A INPUT -p udp --dport $tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT echo_done else echo_skipped fi # --- # - Samba Service only out # --- echononl "\t\tSamba Service only out" if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${samba_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${samba_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding ; then for _port in ${samba_udp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${samba_tcp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done else echo_skipped fi # --- # - Samba Service Gateway (only for local Networks) # --- echononl "\t\tSamba Service Gateway (only for local Networks)" if $local_samba_service ; then for _dev in ${local_if_arr[@]} ; do for _port in ${samba_udp_port_arr[@]} ; do $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # --- # - Samba Service only between local Networks # --- echononl "\t\tSamba Service only local Networks" if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then for _dev in ${local_if_arr[@]} ; do for _ip in ${samba_server_local_ip_arr[@]} ; do for _port in ${samba_udp_port_local_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then for _port in ${samba_udp_port_local_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done fi fi done done echo_done else echo_skipped fi # --- # - Samba Service DMZ # --- echononl "\t\tSamba Service DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then for _ip in "${!samba_server_dmz_arr[@]}"; do # - Skip if no interface is given # - if [[ -z "${samba_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi # - From extern if $kernel_activate_forwarding ; then for _port in ${samba_udp_port_local_arr[@]} ; do $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line # - if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then IFS=':' read -a _udp_port_arr <<< ${_port} if [[ -n "${_udp_port_arr[1]}" ]] ; then $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]} else $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port fi fi done for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Nat if interface is on a dsl line # - if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port fi done fi # - From intern for _dev in ${local_if_arr[@]} ; do for _port in ${samba_udp_port_local_arr[@]} ; do $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then for _port in ${samba_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done fi done done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - LDAP Service only out # --- echononl "\t\tLDAP Service only out" if $allow_ldap_requests_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${ldap_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ldap_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding ; then for _port in ${ldap_udp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ldap_tcp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done else echo_skipped fi # --- # - LDAP and LDAP SSL Service Gateway (only for local Networks) # --- echononl "\t\tLDAP(S) Service Gateway (only for local Networks)" if $local_ldap_service ; then for _dev in ${local_if_arr[@]} ; do for _port in ${ldap_udp_port_local_arr[@]} ; do $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # --- # - LDAP and LDAP SSL Service only between local Networks # --- echononl "\t\tLDAP(S) Service only local Networks" if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then for _dev in ${local_if_arr[@]} ; do for _ip in ${ldap_server_local_ip_arr[@]} ; do for _port in ${ldap_udp_port_local_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then for _port in ${ldap_udp_port_local_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then for _port in ${ldap_tcp_port_local_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done fi fi done done echo_done else echo_skipped fi # --- # - NTP out only # --- echononl "\t\tNTP Service out only" if $allow_ntp_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - NTP Service Gateway # --- echononl "\t\tNTP Service Gateway" if $local_ntp_service ; then if ! $allow_ntp_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT done fi $ipt -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT echo_done else echo_skipped fi # --- # - PGP Keyserver out only # --- echononl "\t\tPGP Keyserver out only" if $allow_pgpserver_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Telnet # --- echononl "\t\tTelnet (only OUT)" if $allow_telnet_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Whois out only # --- echononl "\t\tWhois out only" if $allow_whois_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - CPAN Wait only out # --- # - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on # - a WAIT server. It connects to a WAIT server using a simple protocoll # - resembling NNTP as described in RFC977. echononl "\t\tCPAN Wait only out" if $allow_cpan_wait_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - HBCI only out (only forward) # --- echononl "\t\tHBCI only out (only forward)" if $allow_hbci_request_out ; then $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT for _dev in ${ext_if_arr[@]} ; do if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Jabber only out # --- echononl "\t\tJabber only out" if $allow_jabber_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Silc only out # --- echononl "\t\tSilc only out" if $allow_silc_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - IRC (Internet Relay Chat) only out # --- echononl "\t\tIRC only out" if $allow_irc_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - MySQL # --- echononl "\t\tMySQL (only OUT)" if $allow_mysql_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Timeserver (Port 37 NOT NTP!)" # --- echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" if $allow_timeserver_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Mumble Service out only # --- echononl "\t\tMumble Service out only" if $allow_mumble_request_out ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Remote Console (VNC) only out # --- echononl "\t\tRemote Console (VNC) only out" if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Remote Console (VNC) local Networks # --- echononl "\t\tRemote Console (VNC) local Networks" if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${rm_server_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT fi fi done echo_done else echo_skipped fi # --- # - Remote Console (VNC) DMZ # --- echononl "\t\tRemote Console (VNC) DMZ" unset no_if_for_ip_arr declare -a no_if_for_ip_arr if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then for _ip in ${!rm_server_dmz_arr[@]} ; do # - Skip if no interface is given # - if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then no_if_for_ip_arr+=("$_ip") continue fi # - From Gateway $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then # - From extern # - Nat if interface is on a dsl line # - if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port fi $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT # - From intern if ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT fi fi done if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then echo_warning for _ip in ${no_if_for_ip_arr[@]} ; do warn "No Interface given for ip '$_ip'" done else echo_done fi else echo_skipped fi # --- # - Munin Service Gateway # --- echononl "\t\tMunin Service Gateway" if $local_munin_server ; then if $provide_munin_service_to_inet ; then # - Provide Service for local and extern networks # - $ipt -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT else # - Provide Service only for for local network # - for _dev in ${local_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Munin Service local Networks # --- echononl "\t\tMunin Service local Networks" if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${munin_local_server_ip_arr[@]} ; do $ipt -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do if ! $permit_between_local_networks ; then $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT fi done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Munin remote Server # --- echononl "\t\tMunin remote Server" if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then for _ip in ${!munin_local_client_ip_arr[@]} ; do if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then $ipt -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT elif $kernel_activate_forwarding ; then $ipt -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port $ipt -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Outbound Streaming # --- echononl "\t\tOutbound Streaming (most providers)" if $allow_outbound_streaming ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${outbound_streaming_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${outbound_streaming_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Turn/Stun Service # --- echononl "\t\tTurn/Stun Service" if $allow_stun_turn_service_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${standard_turn_service_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${standard_turn_service_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Echo360 Video Plattform # --- echononl "\t\tEcho360 Video Plattform out only" if $allow_echo360_video_streaming ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${echo360_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - IP Camera Service out only # --- echononl "\t\tIP Camera Service out Service out only" if $allow_ip_camera_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${ip_camera_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${ip_camera_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - BigBlueButton Video Conference Service out only # --- echononl "\t\tBigBlueButton Video Conference Service out only" if $allow_bigbluebutton_video_conference_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${bigbluebutton_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${bigbluebutton_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Skype for Business Online und Microsoft Teams # --- echononl "\t\tSkype for Business Online und Microsoft Teams" if $allow_ms_skype_teams_out \ && ( [[ ${#ms_skype_teams_udp4_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp4_port_arr[@]} -gt 0 ]] ) \ || [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do if [[ ${#ms_skype_teams_udp4_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp4_port_arr[@]} -gt 0 ]] ; then for _host in ${ms_skype_teams_udp4_host_arr[@]} ; do for _port in ${ms_skype_teams_udp4_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done fi if [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then for _port in ${ms_skype_teams_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done fi done # for _dev in ${ext_if_arr[@]} ; do echo_done else echo_skipped fi # --- # - Webex Meeting Video Conference Service out only # --- echononl "\t\tWebex Meeting Video Conference Service out only" if $allow_webex_video_conference_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${webex_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${webex_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Zoom Meeting - Video Conference Service out only # --- echononl "\t\tZoom Meeting - Video Conference Service out only" if $allow_zoom_video_conference_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${zoom_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${zoom_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Jitsi Video Conference Service out only # --- echononl "\t\tJitsi Video Conference Service out only" if $allow_jitsi_video_conference_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${jitsi_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${jitsi_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - alfaview - Video Conferencing Systems # --- echononl "\t\talfaview - Video Conferencing Systems Service out only" if $allow_alfaview_video_conference_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${alfaview_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${alfaview_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Nextcloud 'talk' App # --- echononl "\t\tNextcloud 'talk' App" if $allow_nc_turn_video_conference_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${nc_turn_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done for _port in ${nc_turn_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Collected TCP Ports OUT # --- echononl "\t\tCollected TCP Ports OUT" if [[ ${#out_tcp_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${out_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Collected UDP Ports OUT # --- echononl "\t\tCollected UDP Ports OUT" if [[ ${#out_udp_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${out_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Rsyncd (only Out) Gateway # --- echononl "\t\tRsyncd (only OUT) Gateway" if $local_rsync_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${rsync_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # --- # - Rsyncd (only OUT) from all local networks" # --- echononl "\t\tRsyncd (only OUT) from all local networks" if $forward_rsync_out && $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then for _local_dev in ${local_if_arr[@]} ; do for _ext_dev in ${ext_if_arr[@]} ; do for _port in ${rsync_port_arr[@]} ; do $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT fi done done done echo_done else echo_skipped fi # --- # - Rsync only Out from given local machines # --- echononl "\t\tRsync Out from given local machines" if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding && ! $permit_local_net_to_inet; then for _port in ${rsync_port_arr[@]} ; do for _ip in ${rsync_out_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # --- # - CUPS only between local Networks (IPP Port 631) # --- echononl "\t\tCUPS/IPP (Port 631) only between local Networks" if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then for _local_dev_1 in ${local_if_arr[@]} ; do for _local_dev_2 in ${local_if_arr[@]} ; do if ! $local_alias_interfaces ; then [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue fi $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT done if $local_alias_interfaces ; then $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Druck Port 9100 (RAW) only out between local Networks # --- echononl "\t\tRAW Druck Port 9100 only between local Networks" if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then for _local_dev_1 in ${local_if_arr[@]} ; do for _local_dev_2 in ${local_if_arr[@]} ; do if ! $local_alias_interfaces ; then [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue fi $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT done if $local_alias_interfaces ; then $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Druck LPD (Port 515) only out between local Networks # --- echononl "\t\tDruck LPD (Port 515) only between local Networks" if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then for _local_dev_1 in ${local_if_arr[@]} ; do for _local_dev_2 in ${local_if_arr[@]} ; do if ! $local_alias_interfaces ; then [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue fi $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT done if $local_alias_interfaces ; then $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Printer # --- echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks" if [[ ${#printer_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_between_local_networks \ && ! $allow_printing_between_local_nets ; then for _ip in ${printer_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ipp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Scanner # --- echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks" if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_between_local_networks \ && $allow_scanning_between_local_nets ; then for _ip in ${brother_scanner_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do # - UDP $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT # - TCP $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $brscan_port --tcp-flag ACK ACK -j ACCEPT fi done done echo_done else echo_skipped fi echononl "\t\tEpson Network Scanner (Port $epson_scan_port) only between local Networks" if [[ ${#epson_scanner_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_between_local_networks \ && $allow_scanning_between_local_nets ; then for _ip in ${epson_scanner_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do # - UDP $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $epson_scan_port -m conntrack --ctstate NEW -j ACCEPT # - TCP $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $epson_scan_port -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $epson_scan_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $epson_scan_port --tcp-flag ACK ACK -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Other local Services # --- echononl "\t\tOther local Services" if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in ${other_service_arr[@]} ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces && [[ "${_val_arr[2]}" = "tcp" ]] ; then $ipt -A FORWARD -i $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT fi done done echo_ok else echo_skipped fi # --- # - SNMP Services local Networks # --- echononl "\t\tSNMP Services local Networks" if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then for _ip in ${snmp_server_ip_arr[@]} ; do $ipt -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp -s $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done else echo_skipped fi # --- # - freeIPA Services local Networks # --- echononl "\t\tFreeIPA Services local Networks" if [[ ${#freeipa_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then for _ip in ${freeipa_server_ip_arr[@]} ; do $ipt -A OUTPUT -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $freeipa_tcp_in_ports -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $freeipa_tcp_in_ports -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done else echo_skipped fi # --- # - WakeOnLan only out into local Networks # --- echononl "\t\tWakeOnLan only out into local Networks" $ipt -A OUTPUT -p udp --dport 9 -j ACCEPT echo_done # --- # - NFS Service (portmapper, mountd, nfs) # --- if $terminal; then echononl "\t\tNFS Service\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" echo -e "\033[75G[ \033[37mskipped\033[m ]" echononl "\t\tVoIP\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" echo -e "\033[75G[ \033[37mskipped\033[m ]" echononl "\t\tSip\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" echo -e "\033[75G[ \033[37mskipped\033[m ]" echononl "\t\tSkype\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" echo -e "\033[75G[ \033[37mskipped\033[m ]" else echo "NFS Service - Not yet implemented" echo "VoIP - Not yet implemented" echo "Sip - Not yet implemented" echo "Skype - Not yet implemented" fi # --- # - PowerChute Network Shutdown local Network # --- echononl "\t\tPowerChute Network Shutdown local Network" if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then for _ip in ${pcns_server_ip_arr[@]} ; do if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then $ipt -A OUTPUT -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT fi if $kernel_activate_forwarding && ! $permit_between_local_networks ; then $ipt -A FORWARD -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT fi if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Ubiquiti Unifi Controller Gateway # --- echononl "\t\tUbiquiti Unifi Controller Gateway IN from Unifi devicess" if $local_unifi_controller_service \ && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then # Not only unifi devices but also clients need some ports to connect to # unifi controller. So we open the ports on local netwprk devices. # for _local_dev in ${local_if_arr[@]} ; do $ipt -A INPUT -p tcp -i $_local_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -i $_local_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -o $_local_dev -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p udp -o $_local_dev -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT done # Note: # in contrast to devices at local networks, devices hosted at extern network # are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr' # if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then for _ip in ${unifi_ap_extern_ip_arr[@]} ; do $ipt -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -d $_ip -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p udp -d $_ip -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)" if $local_unifi_controller_service \ && ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then $ipt -A OUTPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT fi fi echo_done else echo_skipped fi # --- # - Ubiquiti Unifi Controller local Network # --- echononl "\t\tUbiquiti Unifi Controller local Network" if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \ && $kernel_activate_forwarding \ && ! $permit_between_local_networks ; then for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT done # - Note: # - If (local) alias interfaces like eth1:0 in use, youe need a further # - special rule. # - if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT fi done # Rules already exists if 'local_unifi_controller_service = true' # if ! $local_unifi_controller_service ; then $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT if $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT fi fi echo_done else echo_skipped fi # --- # - IPMI Tools (e.g. IPMIView) only out # --- echononl "\t\tIPMI Tools (e.g. IPMIView) only out" if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ipmi_tcp_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding ; then for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ipmi_tcp_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done fi done echo_done else echo_skipped fi # --- # - IPMI Tools (e.g. IPMIView) local Networks # --- echononl "\t\tIPMI Tools (e.g. IPMIView) local Networks" if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${ipmi_server_ip_arr[@]} ; do for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ipmi_tcp_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ipmi_tcp_port_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $local_alias_interfaces ; then for _port in ${ipmi_udp_port_arr[@]} ; do $ipt -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${ipmi_tcp_port_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT done fi fi done echo_done else echo_skipped fi # --- # - Checkmk Monitoring Service Gateway # --- echononl "\t\tCheckmk Monitoring Service Gateway (only local network)" if $checkmk_service_gateway ; then for _dev in ${local_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - Checkmk Service local Networks # --- echononl "\t\tCheckmk Monitoring Service local Networks" if [[ ${#checkmk_local_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${checkmk_local_server_ip_arr[@]} ; do $ipt -A INPUT -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do if ! $permit_between_local_networks ; then $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT fi done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --sport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --dport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - XyMon local service # --- echononl "\t\tXyMon Service Gateway" if $local_xymon_server ; then for _dev in ${local_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - XyMon Service Intranet # --- echononl "\t\tXyMon Service Intranet" if [[ ${#xymon_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${xymon_server_ip_arr[@]} ; do if $local_xymon_client ; then $ipt -A OUTPUT -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT fi if $kernel_activate_forwarding && ! $permit_between_local_networks ; then for _dev in ${local_if_arr[@]} ; do $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT done fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -d $_ip --dport $xymon_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --sport $xymon_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Gaming # --- echo "" echononl "\t\tGaming UDP local Ports out" if $allow_gaming_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${game_ports_local_udp_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --sport $_port -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi echononl "\t\tGaming TCP local Ports out" if $allow_gaming_out ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${game_ports_local_tcp_arr[@]} ; do $ipt -A FORWARD -o $_dev -p tcp --sport $_port -m conntrack --ctstate NEW -j ACCEPT done # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -o $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -i $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT fi done echo_done else echo_skipped fi echononl "\t\tGaming UDP Ports out" if $allow_gaming_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${game_ports_udp_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi echononl "\t\tGaming TCP Ports out" if $allow_gaming_out && ! $permit_local_net_to_inet ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${game_ports_tcp_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi # - Rule is needed if (local) interface aliases in use (like eth0:1) # - if $kernel_activate_forwarding && $local_alias_interfaces ; then $ipt -A FORWARD -p tcp -o $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -i $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT fi done done echo_done else echo_skipped fi # ------------- # --- Portforwarding # ------------- # --- # - Portforwarding TCP # --- echo echononl "\tPortforwarding TCP" if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in "${portforward_tcp_arr[@]}" ; do # - Split value # - IFS=':' read -a _val_arr <<< "${_val}" # - DNAT # - $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]} # - Allow Packets # - $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - Portforwarding UDP # --- echononl "\tPortforwarding UDP" if [[ ${#portforward_udp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _val in "${portforward_udp_arr[@]}" ; do # - Split value # - IFS=':' read -a _val_arr <<< "${_val}" # - DNAT # - $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]} # - Allow Packets # - $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - UNIX Traceroute # --- echo echononl "\tUNIX Traceroute" # versendet udp packete im gegensatz zu tracert von windows # der icmp-echo-request pakete versendet # einige implementierungen von traceroute (linux) erm�lichens # die option -I und versenden dann ebenfalls icmp-echo-request pakete for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT $ipt -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT fi done echo_done # ------------- # --- ICMP Traffic (i.e. ping requests) # ------------- echononl "\tPermit all ICMP traffic.." if $permit_all_icmp_traffic ; then $ipt -A INPUT -p icmp -j ACCEPT $ipt -A OUTPUT -p icmp -j ACCEPT $ipt -A FORWARD -p icmp -j ACCEPT echo_done else echo_skipped fi # --- # - Deny between local networks # --- echo echononl "\tDeny all traffic between local networks.." if $kernel_activate_forwarding ; then if ! $permit_between_local_networks ; then for _dev_1 in ${local_if_arr[@]} ; do for _dev_2 in ${local_if_arr[@]} ; do if $log_rejected || $log_all ; then $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected local NET: " fi $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP done done echo_done else echo_skipped fi else echo_skipped fi # ------------- # --- Log traffic not matched so far # ------------- echo echononl "\tLog traffic not matched so far.." if $log_rejected || $log_all ; then $ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " $ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " $ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " #$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " #$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " #$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " echo_done else echo_skipped fi # ------------- # --- DROP traffic not matched so far # ------------- echononl "\tDROP traffic not matched so far.." # - drop all other for all interfaces.. # $ipt -A INPUT -j DROP $ipt -A OUTPUT -j DROP $ipt -A FORWARD -j DROP # # ---------- Ende: DROP ---------- echo_done # --- # - Warning, if no intern (local) interface is configured # --- if [[ ${#local_if_arr[@]} -lt 1 ]] ; then echo "" echo "" if $terminal ; then echo -e "\t\033[33m\033[1m----------\033[m" else echo "----------" fi warn "No local Interface is configured!" if $terminal ; then echo -e "\t\033[33m\033[1m----------\033[m" else echo "----------" fi fi echo exit 0