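#!/usr/bin/env bash
## ---------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall
## ---------------------------------------------------------

# ---
# - IPv4 Addresses Gateway
# ---
# - All IPv4 addresses configured on this host (loopback included, as
# - before), one array element per address.
# -
# - Why this is not `read -a ... <<<$(...)` any more: a here-string keeps
# - the newlines of the command output, and `read` stops at the first
# - newline, so only the first address ever landed in the array.  mapfile
# - reads every line.  The old pipeline also matched "inet Ad" which only
# - exists in the German net-tools output ("inet Adresse:"); the awk
# - filters below work for the "inet addr:", "inet Adresse:" and plain
# - "inet A.B.C.D" layouts.  iproute2 `ip` is preferred when present.
# -

#######################################
# Print the IPv4 addresses found in `ip -4 -o addr show` output (stdin).
# Outputs: one address per line, prefix length stripped
#######################################
_ip_ipv4_addrs() {
  awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

#######################################
# Print the IPv4 addresses found in ifconfig(8) output (stdin).
# Accepts "inet addr:A.B.C.D", "inet Adresse:A.B.C.D" and "inet A.B.C.D".
# Outputs: one address per line
#######################################
_ifconfig_ipv4_addrs() {
  awk '$1 == "inet" { sub(/^[^:]*:/, "", $2); print $2 }'
}

declare -a gateway_ipv4_address_arr=()
if command -v ip >/dev/null 2>&1; then
  mapfile -t gateway_ipv4_address_arr < <(ip -4 -o addr show 2>/dev/null | _ip_ipv4_addrs)
elif command -v ifconfig >/dev/null 2>&1; then
  # LC_ALL=C keeps the label in a known language; the awk strips it anyway.
  mapfile -t gateway_ipv4_address_arr < <(LC_ALL=C ifconfig 2>/dev/null | _ifconfig_ipv4_addrs)
fi

# =============
# --- Interfaces completely blocked
# =============
# - Interfaces to block (note: they will all be blocked)
# -
# - For example: eth1 is used for the DSL line, which becomes an extra
# - interface (ppp-light). A further use of eth1 (which would be
# - possible) is not configured at this time, so you can block it.
# -
blocked_ifs=""

# =============
# --- Interfaces not firewalled
# =============
# - Note:
# - Can be (for example) an interface whose (complete) traffic is
# - protected by a firewall on another system in the local area.
# -
# - Here: the static line castle stockhausen
# -
unprotected_ifs=""

# =============
# --- Networks not firewalled through extern interfaces
# =============
# - Allow these networks any access to the internet.
# -
# - Blank separated list of networks
# -
any_access_to_inet_networks=""

# - Allow these networks any access from the internet.
# -
# - Note:
# - =====
# - Traffic received on natted interfaces will be omitted!
# -
# - Blank separated list of networks
# -
any_access_from_inet_networks=""

# =============
# - Allow local services from given extern networks
# =============
# - allow_ext_net_to_local_service
# -
# - allow_ext_net_to_local_service="ext-net:local-address:port:protocol"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# - - Traffic received on natted interfaces will be omitted!
# -
# - Use this parameter to (only) give some local networks access to special
# - local services (but not to all local networks, as you can configure later).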
# -
# - If the local networks are kept apart (see parameter
# - 'separate_local_networks') but a few of them should still reach some
# - special local services, this parameter serves that purpose too.
# -
# - Example: allow 194.150.169.139 to reach ssh on 83.223.73.210 port 1036,
# - and 86.73.85.0/24 to reach https on 83.223.73.204:
# -
# -   allow_ext_net_to_local_service="194.150.169.139/32:83.223.73.210:1036:tcp
# -                                   86.73.85.0/24:83.223.73.204:$standard_https_port:tcp"
# -
# - Blank separated list
# -
allow_ext_net_to_local_service=""

# =============
# - Allow all traffic from extern address/network to local address/network
# =============
# - allow_ext_net_to_local_net="EXT_NET:LOCAL_NET [EXT_NET:LOCAL_NET] [..]"
# -   (field names are constructed from the example below; the original
# -   placeholders were lost in this copy)
# -
# - Every packet from the first (extern) network to the second (local)
# - network is accepted.
# -
# - Note:
# - =====
# - - Traffic received on natted interfaces will be omitted!
# - - To allow both directions, two entries are needed, one per direction.
# -
# - Example:
# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
# -                               83.223.86.96/32:86.223.73.0/24"
# -
# - Blank separated list
# -
allow_ext_net_to_local_net=""

# =============
# - Block all extern traffic to (given) local network
# =============
# - block_all_ext_to_local_net=" []=
# -
# - NOTE(review): the format line above is truncated in this copy and no
# - assignment of 'block_all_ext_to_local_net' (nor the heading of the VPN
# - section that follows) survives here; confirm against the original file.
# -
# - Note:
# - =====
# - Each extern interface can have only one such service.
# -
# -   vpn_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# -   vpn_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A vpn_server_dmz_arr=()

# - Local VPN Ports
# -
# - Blank separated list
# -
vpn_local_net_ports=1194

# ======
# - DHCP Service
# ======
# - DHCP Server Gateway
# -
local_dhcp_service=true

# - Are DHCP Failover Servers present?
# -
# - Blank separated list
# -
dhcp_failover_server_ips=""
dhcp_failover_port=647

# ======
# - DNS Service
# ======
# - DNS Service Gateway
# -
local_dns_service=true

# - DNS Servers in the local networks
# -
# - Blank separated list
# -
dns_server_ips=""

# ======
# - SSH
# ======
# - SSH Service Gateway
# -
local_ssh_service=true

# - SSH services reachable from the local networks only
# -
# - Blank separated list
# -
ssh_server_only_local_ips=""

# - SSH services in the DMZ (reachable also from WAN)
# -
# - ssh_server_dmz_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -
# - Note:
# - Each extern interface can have only one service on a certain port.
# -
# -   ssh_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# -   ssh_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A ssh_server_dmz_arr=()

# - SSH ports used on the gateway and also on local machines
# -
# - blank separated list
# -
ssh_ports=22

# ======
# - HTTP(S) Service
# ======
# - HTTP(S) Service Gateway
# -
local_http_service=false

# - HTTP(S) services reachable from the local networks only
# -
# - Blank separated list
# -
http_server_only_local_ips=""

# - HTTP(S) services in the DMZ (reachable also from WAN)
# -
# - http_server_dmz_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -
# - Note:
# - Each extern interface can have only one service on a certain port.
# -
# - Example:
# -   Mail Server:   192.168.10.1  incoming on ppp-st    ($ext_if_dsl_2)
# -   Citrix Server: 192.168.10.13 incoming on ppp-surf1 ($ext_if_dsl_1)
# -
# -   http_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# -   http_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# -   WebServer Luna: 192.168.63.20 (ppp-ckubu = $ext_if_dsl_1)
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_server_dmz_arr=()

# - HTTPS services in the DMZ, port 443 only (reachable also from WAN)
# -
# - http_ssl_server_dmz_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# - Example (same hosts as above):
# -   http_ssl_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# -   http_ssl_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - Multiple settings of this parameter are possible
# -
declare -A http_ssl_server_dmz_arr=()

# - HTTP(S) Ports
# -
# - comma separated list
# -
http_ports=${standard_http_ports}

# ======
# - Mail Services
# ======
# - SMTP server (i.e. mail relay service) on the gateway
# -
local_smtp_service=false

# - Mailserver (SMTP/POP/IMAP) on the gateway
# -
# - NOT YET IMPLEMENTED
# -
local_mail_service=false

# - Mail services smtp,smtps/pop(s)/imap(s) reachable from local networks only
# -
# - comma separated list
# -
mail_server_only_local_ips=""

# - Mail services smtp,smtps/pop(s)/imap(s) in the DMZ (reachable also from WAN)
# -
# - mail_server_dmz_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -
# - Multiple declarations are possible
# -
# - Example:
# -   Mail Server: 192.168.10.1 incoming on ppp-st ($ext_if_dsl_2)
# -
# -   mail_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# -
declare -A mail_server_dmz_arr=()

# - Mail client ports (smtps/pop(s)/imap(s))
# -
# - comma separated list
# -
mail_user_ports=${standard_mailuser_ports}

# - Mail server (local networks) SMTP port
# -
mail_smtp_port=${standard_smtp_port}

# ======
# - FTP Service
# ======
# - FTP Service Gateway
# -
local_ftp_service=false

# - FTP servers in the local networks
# -
# - comma separated list
# -
ftp_server_only_local_ips=""

# - FTP service in the DMZ
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# -   ftp_server_dmz_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -   ftp_passive_port_range=FROM:TO
# -
declare -A ftp_server_dmz_arr=()
#ftp_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1
ftp_passive_port_range="50000:50400"

# - FTP Ports
# -
# - Hard scripted:
# -   FTP Control Port: 21
# -   FTP Data Port:    20

# ======
# - TFTP Service Gateway
# ======
# - TFTP server on the gateway (port udp 69)
local_tftp_service=false

# - TFTP servers in the local networks
# -
tftp_server_ips=""

# - TFTP Ports
# -
# - Note: it's udp!
# -
tftp_udp_port=69

# ======
# - LDAP Service
# ======
# - Is this an LDAP server?
local_ldap_service=false

# - LDAP servers in the local networks
# -
# - Ports:          389 udp, 389 tcp
# - Ports LDAP SSL: 636 tcp
# -
ldap_server_local_ips=""
ldap_udp_ports=389
ldap_tcp_ports="389 636"

# ======
# - Samba Service
# ======
# - Samba Server Gateway
# -
local_samba_service=false

# - Samba Service
# -
# - Ports: 137,138 udp
# -        139,445 tcp
# -
samba_udp_ports="137:138"
samba_tcp_ports="137 138 139 445"

# - Samba servers in the local networks
# -
samba_server_local_ips=""

# - Samba service in the DMZ
# -
# - samba_server_dmz_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# - Multiple settings of this parameter are possible
# -
declare -A samba_server_dmz_arr=()

# ======
# - NTP Service
# ======
# - NTP Service Gateway
# -
local_ntp_service=true

# ======
# - SNMP Service
# ======
# - SNMP services in the local networks
# -
# - Blank separated list of ip's
# -
snmp_server_ips=""

# - SNMP Ports
# -
# -   snmp_port       port of the agent
# -   snmp_trap_port  port of the management station
# -
snmp_port=${standard_snmp_port}
snmp_trap_port=${standard_snmp_trap_port}

# ======
# - Mumble Service
# ======
# - NOT YET IMPLEMENTED
# -
# - Mumble ports
# -
mumble_ports=64738

# ======
# - XyMon Service
# ======
# - XyMon Service Gateway (usually TCP port 1984)
# -
local_xymon_server=false

# - XyMon servers (usually TCP port 1984)
# -
# - Blank separated list of ip's
# -
xymon_server_ips=""
local_xymon_client=""

# - XyMon Ports
# -
xymon_port=${standard_xymon_port}

# ======
# - Munin Service
# ======
# - Munin Service Gateway (usually TCP port 4949)
# -
local_munin_server=false

# - If 'local_munin_server=' provide service also to inet?
# -
provide_munin_service_to_inet=true
munin_remote_port=4949

# - Munin servers in the local networks (usually TCP port 4949)
# -
# - Blank separated list
# -
munin_local_server_ips=""

# - Munin Remote Server
# -
# - Note:
# - The munin server itself initiates the connection to its clients.
# - In case of natted (local) networks the incoming requests from the
# - munin server have to be natted as well.
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# -   munin_local_client_ip_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -
# - Multiple settings of this parameter are possible
# -
#munin_remote_server="83.223.86.163"
munin_remote_server=""

# - Munin clients on the local network (server is $munin_remote_server)
# -
# - Example:
# -   munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# -
declare -A munin_local_client_ip_arr=()

# - Munin Port
# -
munin_local_port=4949

# ======
# - PowerChute Network Shutdown (PCNS)
# ======
# - PCNS local services
# -
pcns_server_ips=""

# - local USV (UPS)
# -
usv_ip=""

# - PCNS Ports
# -
# -   Webinterface (https): tcp 6547
# -   Connection usv:       tcp/udp 3052
# -
pcns_tcp_port=3052
pcns_udp_port=3052
pcns_web_port=6547

# ======
# - Remote Console (VNC Service)
# ======
# - VNC servers in the local network
# -
# - Blank separated list
# -
rm_server_ips=""

# - VNC service in the DMZ
# -
# - Note:
# - Each extern interface can have only one such service.
# -
# -   rm_server_dmz_arr[LOCAL_IP]=EXT_IF   (placeholder names constructed)
# -
declare -A rm_server_dmz_arr=()
#rm_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1

# - Remote Console (VNC) Port
# -
remote_console_port=5900

# ======
# - Ubiquiti Unifi
# ======
# - By default the UniFi controller operates on the following ports:
# -
# -   8080   tcp  UAP informs the controller
# -   8443   tcp  controller GUI / API (as seen in a web browser)
# -   8880   tcp  HTTP portal redirect
# -   8843   tcp  HTTPS portal redirect
# -   6789   tcp  throughput measurement
# -   27117  tcp  local-bound port for the DB server
# -
# - In version 4.5.2 and later the port assigned to STUN services can also
# - be defined, for scenarios where two or more separate UniFi instances
# - are desired on the same controller machine.
# -
# -   3478   udp  STUN
# -
# - Ubiquiti Networks uses port 10001/UDP for its AirControl management
# - discovery protocol.
# -
# - Since v3.2.9+ and v4.6.0+ two more ports are reserved for the device
# - redirector. They do not have to be opened on the firewall, but avoid
# - using them on the controller:
# -
# -   8881  redirector port for wireless clients
# -   8882  redirector port for wired clients
# -
# - For AP-EDU broadcasts: UDP ports 5656-5699
# -
unify_tcp_ports="8080,8443,8880,8843,6789,27117"
unify_udp_ports=3478
unify_broadcast_udp_ports="10001,5656:5699"

# - Unifi controller on the gateway?
# -
local_unifi_controller_service=false

# - UniFi controllers on the local network (other than this machine)
# -
unify_controller_local_net_ips=""

# ======
# - IPMI Tools
# ======
# - IPMI tools in the local networks
# -
# - Blank separated list
# -
ipmi_server_ips=""

# - IPMI Tools Ports
# -
# -   UDP 623:  access for IPMI programs (such as IPMIView or FreeIPMI)
# -   TCP 623:  virtual media for the remote console
# -   TCP 3520: needed in addition to TCP port 5900 to be able to use iKVM
# -
ipmi_udp_ports="623 5900"
ipmi_tcp_ports="80 443 623 3520"

# =============
# - Rsync out for given src ip-addresses
# =============
# - Rsync Protocol
# -
# - The given server addresses (from the local network) may access rsyncd
# - on (any) remote machine.
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_out_ips=""
rsync_ports=873

# - rsync out from this machine?
local_rsync_out=false

# =============
# - Printer
# =============
# - IP addresses of printers
# -
# - Blank separated list
# -
printer_ips=""

# =============
# --- Scanner
# =============
# ======
# - Brother (brscan)
# ======
# - IP addresses of Brother scanners
# -
# - Blank separated list
# -
brother_scanner_ips=""
brscan_port=54921

# =============
# --- Telephone Systems
# =============
# - IP addresses of telephone systems (Telefonanlagen)
# -
# - Don't forget to add the ip-addresses also to the http(s) service if
# - the systems provide web interfaces!
# -
# - Blank separated list
# -
tele_sys_ips=""
tele_sys_remote_sip_server_port=5060
tele_sys_local_sip_server_port=5067
allow_between_tele_systems=false
VOIP_PORTS="69 5000:5099 7775 32000:32512"
# - TFTP=69       (used by the telephones to fetch their connection data / firmware update)
# - RTP_PORTS=    UDP, i.e. 5000:5099, or here
# - RTP_PORTS_END=5099
#SIP_PORT_REMOTE=5060
#SIP_PORT_LOCAL=5067
#SIP_LOCAL_IP=192.168.63.240
#STUN_PORTS=3478
udp_voip_ports="7775 5000:5099"

# =====
# - Telekom Internet TV (Entertain)
# =====
telekom_internet_tv=false
tv_ip="192.168.63.5"
tv_extern_if="eth2.8"
tv_local_if=${local_if_1}

# ======
# - Other local Services
# ======
# - Further local services can be configured here.
# -
# - other_services=":: [:: [.."
# -   (the placeholder names of this format were lost in this copy;
# -   only the ':' separators and the repetition survive)
# -
# - Blank separated list
# -
other_services=""

# =============
# --- Masquerading
# =============
# - Masquerade (NAT) networks
# -
# - nat_networks=": [:] [.."
# -   (placeholder names lost in this copy; see the example below)
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example (the variable is 'nat_networks'; the original example used the
# - singular name):
# -   nat_networks="172.16.1.0/24:${local_if_2}
# -                 172.16.63.0/24:${ext_if_static_1}"
# -
# -   172.16.1.0/24  Rescue network (routers)
# -
nat_networks=""

# - Masquerade TCP connections
# -
# - masquerade_tcp_cons="SRC_NET:DST_IP:PORT:IF [SRC_NET:DST_IP:PORT:IF ..]"
# -   (field names constructed from the example below)
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# -   masquerade_tcp_cons="192.168.63.0/24:192.168.62.244:80:${local_if_1}
# -                        10.0.0.0/8:192.168.62.244:443:${local_if_1}"
# -
# -   192.168.64.55: Repeater TP-Link TL-WA850RE
# -
# - Blank separated list
# -
masquerade_tcp_cons=""

# =============
# --- Portforwarding
# =============
# - Portforwarding TCP
# -
# - portforward_tcp="EXT_IF:EXT_PORT:LOCAL_IP:LOCAL_PORT"
# -   (field names constructed from the example below)
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# -   portforward_tcp="$ext_if_dsl_1:9997:192.168.52.25:22
# -                    $ext_if_dsl_1:9998:192.168.53.24:22"
# -
portforward_tcp=""

# - Portforwarding UDP
# -
# - portforward_udp="EXT_IF:EXT_PORT:LOCAL_IP:LOCAL_PORT"
# -   (field names constructed from the example below)
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# -   portforward_udp="$ext_if_dsl_1:1094:192.168.52.25:1094
# -                    $ext_if_dsl_1:9999:192.168.53.24:1095"
# -
portforward_udp=""

# =============
# --- Basic behavior
# =============
# ===
# = Services allowed out to the world wide web
# ===
allow_ssh_request_out=true
allow_http_request_out=true
allow_smtp_request_out=true
allow_mail_request_out=true
allow_ftp_request_out=true
allow_tftp_request_out=true
allow_ntp_request_out=true
allow_timeserver_request_out=true
allow_pgpserver_request_out=true
allow_telnet_request_out=true
allow_whois_request_out=true
allow_cpan_wait_request_out=true
allow_hbci_request_out=true
allow_jabber_request_out=true
allow_silc_request_out=true
allow_irc_request_out=true
allow_mysql_request_out=true
allow_ipmi_request_out=true
allow_remote_console_request_out=true
allow_samba_requests_out=true
allow_vpn_out=true
vpn_out_ports="1194 1195 1196"

# ===
# = Services allowed between local networks
# ===
# - These parameters are only considered if traffic between local
# - networks is not permitted, i.e. if 'permit_between_local_networks=false'
# - (see below).
# -
allow_ssh_between_local_nets=true
allow_samba_between_local_nets=false
allow_ldap_between_local_nets=false
allow_printing_between_local_nets=true
allow_scanning_between_local_nets=true

# ===
# = Other Parameters
# ===
# - Permit internet access to all machines of the local network
# - (does not include this server itself)
# -
permit_local_net_to_inet=false

# - Do not block any traffic between local machines
# -
permit_between_local_networks=false

# - Do not block any ICMP traffic
# -
permit_all_icmp_traffic=true

# - Access to mail services (LAN and WAN) (pop/imap/smtps) from the local
# - (gateway) machine.
# -
# - Maybe useful for testing purposes with telnet or openssl
# -
provide_mailservice_from_local=true

# - iPerf is a tool for active measurements of the maximum achievable
# - bandwidth on IP networks. It supports tuning of various parameters
# - related to timing, buffers and protocols (TCP, UDP, SCTP with IPv4 and
# - IPv6). For each test it reports the bandwidth, loss, and other parameters.
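create_iperf_rules=false

# =============
# - MAC Address Filtering
# =============
# - MAC addresses allowed to all destinations (gateway, remote, local networks)
# -
# - Blank separated list
# -
allow_all_mac_src_addresses=""

# - MAC addresses allowed to local networks (gateway, local networks)
# -
# - Blank separated list
# -
allow_local_mac_src_addresses=""

# - MAC addresses allowed to remote networks
# -
# - Blank separated list
# -
allow_remote_mac_src_addresses=""

# =============
# --- Block IP's / IP-Ranges
# =============
# -   222.184.0.0/13  CHINANET-JS
# -   61.160.0.0/16   CHINANET-JS
# -   116.8.0.0/14    CHINANET-GX
# -
# - Blank separated list
# -
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"

# =============
# --- Block Ports on extern Interfaces
# =============
# - Generally (for all interfaces) block these ports:
# -
# -   Portmapper                tcp 111, udp 111
# -   Authentication tap ident  tcp 113   (handled by 'block_ident' below,
# -                                        not by the port list)
# -   Location Service          tcp 135
# -   Windows stuff             tcp 137:139, udp 137:139, tcp 445
# -                             (appended only when samba requests out
# -                             are not allowed)
# -   631 (ipp/cups) is in the tcp list as well, although the original
# -   comment did not mention it.
# -
block_tcp_ports="111 135 631"
block_udp_ports="111"

# - Append the Windows/samba ports to the lists above.
# -
# - The original appended the tcp ports to the *udp* list
# - ("$block_udp_ports 137:139 445"), which silently dropped 135 and 631
# - from block_tcp_ports whenever samba requests out were disallowed.
# -
# - The switch is compared as a string instead of being executed as a
# - command: only the literal 'true' opens the ports, so an unset, empty
# - or mistyped value falls back to blocking (fail closed).
if [[ "$allow_samba_requests_out" != true ]]; then
  block_tcp_ports="$block_tcp_ports 137:139 445"
  block_udp_ports="$block_udp_ports 137:139"
fi
block_ident=true

# =============
# - Packets not wanted on gateway on local Interfaces
# =============
not_wanted_on_gw_tcp_ports="111 113 135 631"
not_wanted_on_gw_udp_ports="111 631"
# - Same fail-closed comparison as above: the samba ports are only left
# - open on the local interfaces when this gateway really runs samba.
if [[ "$local_samba_service" != true ]]; then
  not_wanted_on_gw_tcp_ports="$not_wanted_on_gw_tcp_ports 137:139 445"
  not_wanted_on_gw_udp_ports="$not_wanted_on_gw_udp_ports 137:139"
fi
not_wanted_ident=true

# =============
# --- Router
# =============
# - Set to "true" to secure/tune the kernel
# -
adjust_kernel_parameters=true

# - Protection against several attacks
# -
protect_against_several_attacks=true

# =============
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# =============
# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces
# -
kernel_activate_forwarding=true

# - Activate kernel support for dynamic IP addresses
# - (not needed in case of a static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# -   1: To enable
# -   2: To enable verbosity
# -   4: To enable RST-provoking
# -   8: To enable asymmetric routing work-around [**]
# -
# -   [*]  At boot, by default no address rewriting is attempted.
# -   [**] This code is currently totally untested.
# -
# - Flags can be combined by adding them. Common settings would be:
# -
# -   To enable rewriting in quiet mode:
# -     # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# -   To enable rewriting in verbose mode:
# -     # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# -   To enable quiet RST-provoking mode (1+4):
# -     # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# -   ...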
kernel_support_dynaddr=true
dynaddr_flag=5

# - Reduce DoS'ing ability by reducing timeouts
# -
kernel_reduce_timeouts=true

# - Hardening the TCP/IP stack against SYN floods
# -
# - Enabling syn cookies protects against the common 'syn flood attack'
# -
kernel_tcp_syncookies=true

# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true

# - Ignore broadcast pings
# -
kernel_ignore_broadcast_ping=true

# - Deactivate source routed packets
# -
kernel_deactivate_source_route=true

# - Deactivate sending ICMP redirects
# -
# - Note: IP TV requires sending ICMP redirects. So if IP TV is provided,
# - this parameter will be set to "false".
# -
# - ICMP redirects are used by routers to specify better routing paths out
# - of one network, based on the host choice, so basically it affects the
# - way packets are routed and their destinations.
# -
# - NOTE(review): the variable name says "dont accept" while the comment
# - says "sending"; which sysctl(s) it drives is decided in the main script.
# -
kernel_dont_accept_redirects=true

# - Activate reverse path filtering (antispoofing)
# -
# - (translated from the German original) Enable reverse path filtering.
# - By automatically rejecting source addresses that do not match the
# - network interface, this helps ensure that packets use legitimate
# - source addresses. This has security benefits since it prevents IP
# - spoofing. It has to be enabled for all net/ipv4/conf/*, otherwise
# - source validation is not fully effective.
# -
kernel_activate_rp_filter=true

# - Logging of spoofed ("source routed" and "redirect") packets
# -
kernel_log_martians=false

# =============
# --- Some further Ports/IP-Address Configuration
# =============
# - unprivileged ports
# -
unprivports="1024:65535"

# - Loopback
loopback="127.0.0.0/8"

# - Private networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"

# - Multicast addresses
class_d_multicast="224.0.0.0/4"

# - Reserved addresses
# - NOTE(review): the value below is /5 (240.0.0.0-247.255.255.255); the
# - whole class E range would be 240.0.0.0/4. Kept as configured -- confirm
# - whether the narrower prefix is intentional (e.g. to leave the limited
# - broadcast address 255.255.255.255 outside the range).
class_e_reserved="240.0.0.0/5"