firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
ipt-gateway/ip6t-firewall-gateway

5342 lines
155 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
### BEGIN INIT INFO
# Provides: ip6t-firewall
# Required-Start: $local_fs $remote_fs $syslog $network $time
# Required-Stop: $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPv6 Firewall
### END INIT INFO
# -------------
# - Settings
# -------------
ipt_conf_dir="/etc/ipt-firewall"
inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_default_ips=${ipt_conf_dir}/default_ipv6.conf
conf_default_basic_behavior=${ipt_conf_dir}/default_basic_behavior.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
# -------------
# - Some checks and preloads..
# -------------
ip6t=$(which ip6tables)
if [[ -z "$ip6t" ]] ; then
echo ""
echo -e "\tiptables was not found on this server!"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
fi
if [[ ! -f "$inc_functions_file" ]] ; then
echo ""
echo -e "\tMissing include file '$inc_functions_file'"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
else
source $inc_functions_file
fi
if [[ ! -f "$load_modules_file" ]]; then
warn "No modules for loading configured. Missing file '$load_modules_file'!"
else
while read -r module ; do
if ! lsmod | grep -q -E "^$module\s+" ; then
/sbin/modprobe $module > /dev/null 2>&1
if [[ "$?" != "0" ]]; then
warn "Loading module '$module' failed!"
fi
fi
done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
fi
if [[ ! -f "$conf_logging" ]]; then
fatal "Missing configuration for logging - file '$conf_logging'"
else
source $conf_logging
fi
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_default_ports
fi
if [[ ! -f "$conf_default_ips" ]]; then
fatal "Missing configuration for default_ips - file '$conf_default_ips'"
else
source $conf_default_ips
fi
if [[ ! -f "$conf_interfaces" ]]; then
fatal "Missing interface configurations - file '$conf_interfaces'"
else
source $conf_interfaces
fi
if [[ ! -f "$conf_default_basic_behavior" ]]; then
fatal "Missing interface configurations - file '$conf_default_basic_behavior'"
else
source $conf_default_basic_behavior
fi
if [[ ! -f "$conf_main" ]]; then
fatal "Missing main configurations - file '$conf_main'"
else
source $conf_main
fi
if [[ ! -f "$conf_post_declarations" ]]; then
fatal "Missing post declarations - file '$conf_post_declarations'"
else
source $conf_post_declarations
fi
# ---
# - IPv6 Addresses Gateway
# ---
#_ips="$(ip -6 a | grep "inet6 " | awk '{print$2}' | cut -d'/' -f1)"
_ips="$(ip -6 a | grep "inet6 " | grep -v -E "(\s+fd|\s+fe80)" | awk '{print$2}' | cut -d'/' -f1)"
declare -a gateway_ipv6_address_arr=()
if [[ -n "$_ips" ]] ; then
for _ip in $_ips ; do
gateway_ipv6_address_arr+=("$_ip")
done
fi
echo
if $terminal ; then
echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m"
else
echo "Starting firewall iptables (IPv4).."
fi
echo
# -------------
# --- Activate IP Forwarding
# -------------
# ---
# - Enable/Disable ip forwarding between interfaces
# ---
if $kernel_forward_between_interfaces ; then
echononl "\tActivate Forwarding.."
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
else
echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
fi
echo_done
# -------------
# --- Adjust Kernel Parameters
# -------------
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
if $adjust6_kernel_parameters ; then
# ---
# - Deactivate Source Routed Packets
# ---
for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do
if $kernel_deactivate_source_route ; then
echo 0 > $asr
fi
done
# ---
# - Deactivate sending ICMP redirects
# ---
if $kernel_dont_accept_redirects ; then
echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects
fi
echo_done # Adjust Kernel Parameters (Security/Tuning)
else
echo_skipped
fi
# -------------
# --- Set default policies / Flush Rules
# -------------
echo
echononl "\tFlushing firewall iptable (IPv6).."
# - default policies
# -
$ip6t -P INPUT ACCEPT
$ip6t -P OUTPUT ACCEPT
$ip6t -P FORWARD ACCEPT
## - flush chains
## -
$ip6t -F
$ip6t -F INPUT
$ip6t -F OUTPUT
$ip6t -F FORWARD
$ip6t -F -t mangle
$ip6t -F -t nat
$ip6t -F -t raw
$ip6t -X
$ip6t -Z
#$ip6t -t nat -A POSTROUTING -o $ext_if_static_1 -j MASQUERADE
$ip6t -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
echo_done # Flushing firewall iptable (IPv6)..
echo
# -------------
# - Log given IP Addresses
# -------------
echononl "\tLog given IP Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
for _ip in ${log_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$_ip IN: "
$ip6t -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$_ip OUT: "
$ip6t -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$_ip FORWARD FROM: "
$ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$_ip FORWARD TO: "
done
echo_done
else
echo_skipped
fi
# -------------
# --- ICMP Traffic (i.e. ping requests)
# -------------
echononl "\tPermit all ICMP IPv6 traffic.."
if $permit_all_icmp_traffic ; then
$ip6t -A INPUT -p ipv6-icmp -j ACCEPT
$ip6t -A OUTPUT -p ipv6-icmp -j ACCEPT
$ip6t -A FORWARD -p ipv6-icmp -j ACCEPT
echo_done
else
echo_skipped
fi
# -------------
# --- Stopping firewall if only flushing was requested (parameter flush)
# -------------
case $1 in
flush)
warn No firewall rules are active!
exit 0;;
esac
# ---
# - Stop here, if no extern interface is configured
# ---
if [[ ${#ext_if_arr[@]} -lt 1 ]] ; then
fatal "No extern Interface is configured!"
fi
echo
# -------------
# --- Pass through Devices Interfaces (not firewalled)
# -------------
echononl "\tPass through Devices (not firewalled)"
if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then
$ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
fi
fi
$ip6t -A INPUT -i $_dev -j ACCEPT
$ip6t -A OUTPUT -o $_dev -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -j ACCEPT
$ip6t -A FORWARD -o $_dev -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ip6t -A INPUT -i lo -j ACCEPT
$ip6t -A OUTPUT -o lo -j ACCEPT
echo_done
echo
# -------------
# --- Block IPs / Networks / Interfaces
# -------------
echononl "\tBlock IPs / Networks / Interfaces.."
# ---
# - Block IPs
# ---
for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
fi
fi
$ip6t -A INPUT -i $_dev -s $_ip -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j DROP
fi
done
done
# ---
# - Block Interfaces
# ---
for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi
$ip6t -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j DROP
$ip6t -A FORWARD -o $_if -j DROP
fi
$ip6t -A INPUT -i $_if -j DROP
$ip6t -A OUTPUT -o $_if -j DROP
done
echo_done # Block IPs / Networks / Interfaces..
# ---
# - Block UPnP Ports
# ---
echononl "\tBlock UPnP Traffic (extern in).."
if $block_upnp_traffic_in ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_upnp || $log_all ; then
$ip6t -A INPUT -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
fi
$ip6t -A INPUT -i $_dev -p udp --dport 1900 -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
fi
$ip6t -A FORWARD -i $_dev -p udp --dport 1900 -j DROP
done
echo_done
else
echo_skipped
fi
echononl "\tBlock UPnP Traffic (extern out).."
if $block_upnp_traffic_out ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_upnp || $log_all ; then
$ip6t -A OUTPUT -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
fi
$ip6t -A OUTPUT -o $_dev -p udp --dport 1900 -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport 1900 -j $LOG_TARGET $tag_log_prefix "$log_prefix Block UPnP in ${_if}: "
fi
$ip6t -A FORWARD -o $_dev -p udp --dport 1900 -j DROP
done
echo_done
else
echo_skipped
fi
# ---
# - Block UDP Ports out
# ---
echononl "\tBlock UDP Ports extern out.."
if [[ ${#block_udp_extern_out_port_arr[@]} -gt 0 ]] ; then
for _port in ${block_udp_extern_out_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -j DROP
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Block TCP Ports out
# ---
echononl "\tBlock TCP Ports extern out.."
if [[ ${#block_tcp_extern_out_port_arr[@]} -gt 0 ]] ; then
for _port in ${block_tcp_extern_out_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -j DROP
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Allow Forwarding certain private Addresses
# ---
echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${forward_private_ip_arr[@]}; do
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -d $_ip -j ACCEPT
$ip6t -A FORWARD -s $_ip -j ACCEPT
echo_done
else
echo_skipped
fi
done
else
echo_skipped
fi
# -------------
# --- Protections against several attacks / unwanted packages
# -------------
if $protect6_against_several_attacks ; then
echo
if $terminal ; then
echo -e "\033[37m\033[1m\tProtections against several attacks / unwanted packages....\033[m"
else
echo "Protections against several attacks / unwanted packages...."
fi
echo
# ---
# - Protection against syn-flooding
# ---
echononl "\t Protection against syn-flooding.."
if $drop6_syn_flood || $log_syn_flood || $log_all ; then
$ip6t -N syn_flood
$ip6t -A INPUT -p tcp --syn -j syn_flood
$ip6t -A syn_flood -m limit --limit 1/second --limit-burst 3 -j RETURN
fi
if $log_syn_flood || $log_all ; then
$ip6t -A syn_flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
fi
if $drop6_syn_flood ; then
$ip6t -A syn_flood -j DROP
echo_done
else
echo_skipped
fi
# ---
# - drop new packages without syn flag
# ---
echononl "\t Drop Packages new but not sync.."
if $log_new_not_sync || $log_all ; then
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
fi
fi
if $drop6_new_not_sync ; then
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
fi
echo_done
else
echo_skipped
fi
# ---
# - drop invalid packages
# ---
echononl "\t Drop invalid packages.."
if $log_invalid_state || $log_all ; then
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
fi
fi
if $drop6_invalid_state ; then
$ip6t -A INPUT -m state --state INVALID -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j DROP
fi
echo_done
else
echo_skipped
fi
# ---
# - ungewöhnliche Flags verwerfen
# ---
echononl "\t Drop Packages with unusal flags .."
if $log_invalid_flags || $log_all ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
fi
done
fi
if $drop6_invalid_flags; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Refuse private addresses on extern interfaces
# ---
echononl "\t Refuse spoofed packets pretending to be from your IP address.."
# - Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
fi
done
fi
if $drop6_from_own_ip ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
if $kernel_forward_between_interfaces ; then
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
fi
done
echo_done
else
echo_skipped
fi
echononl "\t Drop private addresses on extern interfaces.."
# - private Adressen auf externen interface verwerfen
if $log_spoofed || $log_all ; then
for _dev in ${dsl_device_arr[@]} ; do
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi
done
fi
if $drop6_spoofed ; then
for _dev in ${dsl_device_arr[@]} ; do
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
$ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP
fi
# Don't allow spoofing from that server
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP
fi
done
echo_done
else
echo_skipped
fi
fi # if $protect6_against_several_attacks ; then
# -------------
# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]})
# -------------
if $log_voip || $log_all ; then
for _ip in ${tel_sys_ip_arr[@]} ; do
$ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] "
done
fi
#for _PORT in ${VOIP_PORTS} ; do
# $ip6t -A FORWARD -p udp --sport $_PORT -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] "
#done
# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------
case $1 in
sto*)
echo
if $terminal ; then
echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
else
echo "Stop was requested. No more firewall rules.."
fi
echo
exit 0;;
esac
echo
# -------------
# - suricata IPS (Inline Mode)
# -------------
# - HACK for integrating suricata IPS (Inline Mode) at 'gw-ckubu'
# -
echononl "\tForward to suricata IPS (inline Mode)"
if [[ -n "$(ps ax | grep "/usr/bin/suricata" 2>/dev/null | grep -v grep 2> /dev/null | awk '{print$1}')" ]] ; then
$ip6t -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-balance 0:3
echo_done
else
echo_skipped
fi
echo
# -------------
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
if $create_iperf_rules ; then
$ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT
$ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT
#
$ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT
$ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT
$ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT
fi
echo_done
else
echo_skipped
fi
# ---
# - Drop packets not wanted on gateway
# ---
echononl "\tDrop packets not wanted on gateway"
for _dev in ${local_if_arr[@]} ; do
if $log_not_wanted || $log_all ; then
if $not_wanted_ident ; then
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: "
fi
for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: "
done
for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p udp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: "
done
fi
if $not_wanted_ident ; then
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset
fi
for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -j DROP
done
for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p udp --dport $_port -j DROP
done
done
echo_done
# -------------
# --- Generally prohibited from WAN
# -------------
echononl "\tGenerally prohibited from WAN"
for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then
if $block_ident ; then
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
if $kernel_forward_between_interfaces ; then
if $block_ident ; then
$ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
fi
fi
if $block_ident ; then
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP
done
if $kernel_forward_between_interfaces ; then
if $block_ident ; then
$ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP
done
fi
done
echo_done
echo
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ip6t -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ip6t -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
fi
echo_done
echo ""
unset restricted_vpn_network_arr
unset restricted_vpn_target_network_arr
declare -a restricted_vpn_network_arr
declare -a restricted_vpn_target_network_arr
# ---
# - Restrict VPN Network to local Service
# ---
echononl "\tRestrict VPN Network to local Service"
if [[ ${#restrict_vpn_net_to_local_service_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in "${restrict_vpn_net_to_local_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then
restricted_vpn_network_arr+=("${_val_arr[0]}")
fi
if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then
restricted_vpn_target_network_arr+=("${_val_arr[1]}")
fi
if containsElement "${_val_arr[1]}" "${gateway_ipv6_address_arr[@]}" ; then
$ip6t -A INPUT -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
# Allow also ICMP (ping)
$ip6t -A INPUT -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT
else
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
# Allow also ICMP (ping) to these target networks/hosts
$ip6t -A FORWARD -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if [[ "${_val_arr[3]}" = "tcp" ]]; then
$ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Restrict VPN Network to local (Sub) network
# ---
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tRestrict VPN Network to local (Sub) network"
if [[ ${#restrict_vpn_net_to_local_subnet_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${restrict_vpn_net_to_local_subnet_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then
restricted_vpn_network_arr+=("${_val_arr[0]}")
fi
if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then
restricted_vpn_target_network_arr+=("${_val_arr[1]}")
fi
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - Allow local DNS Service for restricted VPN Networks
# ---
echononl "\tAllow local DNS Service for restricted VPN Networks"
if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] ; then
for _net in "${restricted_vpn_network_arr[@]}" ; do
for _ip in "${gateway_ipv6_address_arr[@]}" ; do
$ip6t -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p icmp -s $_net -d $_ip -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Block further traffic from Restrict VPN Networks
# ---
echononl "\tBlock further traffic from Restrict VPN Networks"
if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _net in ${restricted_vpn_network_arr[@]} ; do
#$ip6t -A INPUT -p ALL -s $_net -m conntrack --ctstate NEW -j DROP
#$ip6t -A FORWARD -p ALL -s $_net -m conntrack --ctstate NEW -j DROP
$ip6t -A INPUT -p ALL -s $_net -j DROP
$ip6t -A FORWARD -p ALL -s $_net -j DROP
done
echo_done
else
echo_skipped
fi
echo ""
# ---
# - Permit all traffic through VPN lines
# ---
echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do
$ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
for _local_dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
# ---
# - Permit all traffic through WireGuard lines
# ---
echononl "\tPermit all traffic through WireGuard lines.."
for _wg_if in ${wg_if_arr[@]} ; do
$ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
for _local_dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_local_dev -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
echo ""
# ---
# - DHCP
# ---
echononl "\tLocal DHCP Client"
if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then
for _dev in ${dhcp_client_interfaces_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p udp -m udp --dport 546 -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp -m udp --dport 547 -j ACCEPT
done
echo_done
else
echo_skipped
fi
echononl "\tDHCP Service (local network only)"
if $local_dhcp_service ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-request -j ACCEPT
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
$ip6t -A INPUT -p udp -i $_dev --sport 546 --dport 547 -j ACCEPT
$ip6t -A OUTPUT -p udp -o $_dev --sport 547 --dport 546 -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - DHCP Failover
# ---
echononl "\tDHCP Failover Server"
if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dhcp_failover_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - DNS out only
# ---
echononl "\tDNS out only"
# - Nameservers on the INET must be reachable for the local recursiv nameserver
# - but also for all others
# -
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
# - forward from virtual mashine(s)
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
# ---
# - DNS Service Gateway
# ---
echononl "\tDNS Service Gateway"
# - Local Nameservice
# -
if $local_dns_service ; then
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
# - Allow requests from local networks
# -
for _dev in ${local_if_arr[@]} ; do
# - in
$ip6t -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done
# - Zonetransfere (uses tcp/53)
#
for _ip in ${dns_server_ips[@]} ; do
# - out
# -
# - local master (here) gets request for a zone from slave ($_ip)
$ip6t -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# - in
# -
# - local slave (here) requests zone from master ($_ip)
$ip6t -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - DNS Services at local Network
# ---
echononl "\tDNS Service local Network"
# - Make nameservers at the local network area rechable for all
# -
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
for _ip in ${dns_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
else
echo_skipped
fi
echo ""
# ---
# - Allow all Traffic from source mac-address
# ---
echononl "\tAllow all Traffic from MAC Source-Address"
if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then
for _mac in ${allow_all_mac_src_address_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Allow local Traffic from source mac-address
# ---
echononl "\tAllow local Traffic from MAC Source-Address"
if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then
for _mac in ${allow_local_mac_src_address_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Allow remote Traffic from source mac-address
# ---
echononl "\tAllow remote Traffic from MAC Source-Address"
if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then
for _mac in ${allow_remote_mac_src_address_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
echo ""
# ---
# - Allow remote Traffic for Gaming devices (MAC)
# ---
echononl "\tAllow remote Traffic OUT for Gaming devices (MAC)"
if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
for _mac in ${gaming_device_mac_address_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
if $kernel_forward_between_interfaces ; then
if ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
fi
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Deny Traffic to other local networks for Gaming devices (MAC)
# ---
echononl "\tDeny Traffic to other local networks for Gaming devices (MAC)"
if [[ ${#gaming_device_mac_address_arr[@]} -gt 0 ]] ; then
for _mac in ${gaming_device_mac_address_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j DROP
fi
done
done
echo_done
else
echo_skipped
fi
echo ""
# ---
# - Allow remote Traffic for Gaming IP addresses (IP-address)
# ---
echononl "\tAllow remote Traffic OUT for Gaming devices (IP-address)"
if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
for _ip in ${gaming_device_ip_address_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
if $kernel_forward_between_interfaces ; then
if ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -p ALL -o $_dev -s $_ip -j ACCEPT
fi
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Deny Traffic to other local networks for Gaming devices (IP-address)
# ---
echononl "\tDeny Traffic to other local networks for Gaming devices (IP-address)"
if [[ ${#gaming_device_ip_address_arr[@]} -gt 0 ]] ; then
for _ip in ${gaming_device_ip_address_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $_ip -j DROP
fi
done
done
echo_done
else
echo_skipped
fi
echo ""
# ---
# - Telefon Systems
# ---
echononl "\tAllow all Traffic between Telefon Systems"
if [[ ${#tele_sys_ip_arr[@]} -gt 1 ]] && $allow_between_tele_systems && ! $permit_between_local_networks ; then
for _ip_1 in ${tele_sys_ip_arr[@]} ; do
for _ip_2 in ${tele_sys_ip_arr[@]} ; do
#[[ "$_ip_1" = "$_ip_2" ]] && continue
$ip6t -A FORWARD -s $_ip_1 -d $_ip_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Telefon Systems to remote SIP-Server
# ---
echononl "\tTelefon System to remote SIP-Server"
if [[ ${#tele_sys_ip_arr[@]} -gt 0 ]] ; then
if [ -z "$tele_sys_remote_sip_server_port" -o -z "$tele_sys_local_sip_server_port" ] ; then
echo_failed
warn "Local or remote SIP Port not given"!
else
for _ip in ${tele_sys_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -s $_ip --sport $tele_sys_local_sip_server_port \
--dport $tele_sys_remote_sip_server_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - All request from local networks to the internet
# ---
echononl "\tPermit all traffic from local networks to the internet.."
if $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
fi
done
if $local_alias_interfaces && $kernel_forward_between_interfaces; then
$ip6t -A FORWARD -p tcp --tcp-flag ACK ACK -j ACCEPT
fi
echo_done
else
echo_skipped
fi
# ---
# - Networks not firewalled through extern interfaces
# ---
echononl "\tAllow these local networks any access to the internet"
if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_local_net_to_inet ; then
for _net in ${any_access_to_inet_network_arr[@]}; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
echononl "\tAllow these local networks any access from the internet"
if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _net in ${any_access_from_inet_network_arr[@]}; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Allow local services from ALL extern netwoks
# ---
echononl "\tAllow local services from ALL extern netwoks"
if [[ ${#allow_all_ext_traffic_to_local_service_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in "${allow_all_ext_traffic_to_local_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
if containsElement "${_val_arr[0]}" "${gateway_ipv4_address_arr[@]}" ; then
$ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
continue
fi
if $kernel_forward_between_interfaces ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${_val_arr[0]}" "${nat_device_arr[@]}" ; then
$ip6t -t nat -A PREROUTING -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -j DNAT --to ${_val_arr[0]}:${_val_arr[1]}
fi
$ip6t -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
fi
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p ${_val_arr[2]} -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow local services from given extern networks
# ---
echononl "\tAllow local services from given extern networks"
if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
if containsElement "${_val_arr[1]}" "${gateway_ipv6_address_arr[@]}" ; then
$ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
fi
$ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Allow all traffic from extern address/network to local address/network
# ---
echononl "\tAllow all traffic from extern to local network/address"
if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${allow_ext_net_to_local_net_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Block all extern traffic to (given) local network
# ---
echononl "\tBlock all extern traffic to (given) local network"
if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _net in ${block_all_ext_to_local_net_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP
done
done
echo_done
else
echo_skipped
fi
# ---
# - Allow all traffic from local ip to the internet
# ---
echononl "\tAllow all traffic from local ip to the internet"
if [[ ${#allow_local_ip_to_inet_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _ip in ${allow_local_ip_to_inet_arr[@]} ; do
$ip6t -A FORWARD -p ALL -s $_ip -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow local services from given local networks
# ---
echononl "\tAllow local services from given local networks"
if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in "${allow_local_net_to_local_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
if [[ "${_val_arr[3]}" = "tcp" ]]; then
$ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow all traffic from local network to local ip-address
# ---
echononl "\tAllow all traffic from local network to local ip-address"
if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${allow_local_net_to_local_ip_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_ok
else
echo_skipped
fi
# ---
# - Allow all traffic from local ip-address to local network
# ---
echononl "\tAllow all traffic from local ip-address to local network"
if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${allow_local_ip_to_local_net_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_ok
else
echo_skipped
fi
# ---
# - Allow all traffic from (one) local network to (another) local network
# ---
echononl "\tAllow all traffic from local network to (another) local network"
if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${allow_local_net_to_local_net_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_ok
else
echo_skipped
fi
# ---
# - Allow local ip address from given local interface
# ---
echononl "\tAllow local ip address from given local interface"
if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${allow_local_if_to_local_ip_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow extern service from given local interface
# ---
echononl "\tAllow extern service from given local interface"
if [[ ${#allow_local_if_to_ext_service_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in "${allow_local_if_to_ext_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ${_val_arr[3]} -i ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
if [[ "${_val_arr[3]}" = "tcp" ]]; then
$ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow extern network from given local interface
# ---
echononl "\tAllow extern network from given local interface"
if [[ ${#allow_local_if_to_ext_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${allow_local_if_to_ext_net_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow extern service from given local network
# ---
echononl "\tAllow extern service from given local network"
if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
if [[ "${_val_arr[3]}" = "tcp" ]]; then
$ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow extern network from given local network
# ---
echononl "\tAllow extern network from given local network"
if [[ ${#allow_local_net_to_ext_net_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces ; then
for _val in ${allow_local_net_to_ext_net_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} -s ${_val_arr[0]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -d ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow extern service
# ---
echononl "\tAllow extern service"
if [[ ${#allow_to_ext_service_arr[@]} -gt 0 ]] ; then
for _val in "${allow_to_ext_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
fi
done
if $local_alias_interfaces && $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
if [[ "${_val_arr[2]}" = "tcp" ]]; then
$ip6t -A FORWARD -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Allow extern network
# ---
echononl "\tAllow extern network"
if [[ ${#allow_to_ext_net_arr[@]} -gt 0 ]] ; then
for _net in "${allow_to_ext_net_arr[@]}" ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -d $_net -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -d $_net -m conntrack --ctstate NEW -j ACCEPT
fi
done
if $local_alias_interfaces && $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
if [[ "${_val_arr[2]}" = "tcp" ]]; then
$ip6t -A FORWARD -p tcp -d $_net --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_net --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Separate local networks
# ---
echononl "\tSeparate local networks.."
if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _net in ${separate_local_network_arr[@]}; do
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p all -s $_net -j DROP
done
done
echo_done
else
echo_skipped
fi
# ---
# - Separate local interfaces
# ---
echononl "\tSeparate local interfaces.."
if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _dev_1 in ${separate_local_if_arr[@]}; do
for _dev_2 in ${local_if_arr[@]} ; do
[[ "$_dev_1" = "$_dev_2" ]] && continue
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p all -j DROP
$ip6t -A FORWARD -i $_dev_2 -o $_dev_1 -p all -j DROP
done
done
echo_done
else
echo_skipped
fi
# ---
# - Permit all traffic between local networks
# ---
echononl "\tPermit all traffic between local networks.."
if $kernel_forward_between_interfaces ; then
if $permit_between_local_networks ; then
for _dev_1 in ${local_if_arr[@]} ; do
for _dev_2 in ${local_if_arr[@]} ; do
# - Notice:
# - In case of routing multiple netwoks on the same interface or
# - using alias interfaces like eth0:0, you need a rule with
# - incomming- and outgoing interface are equal!
# -
# - So DON'T add statement like this:
# - [[ "$_dev_2" = "$_dev_1" ]] && continue
# -
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
# -------------
# --- Services
# -------------
echo
if $terminal ; then
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
else
echo "Add Rules for Services.."
fi
# ---
# - IPv4 over IPv6
# ---
# ---
# - SSH out only
# ---
echononl "\t\tSSH out only"
if $allow_ssh_request_out && ! $permit_local_net_to_inet ; then
# - Provide SSH to everywhere (also LAN)
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _dev in ${local_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - SSH Service Gateway
# ---
echononl "\t\tSSH Service Gateway (also from WAN)"
if $local_ssh_service ; then
# - Provides SSH in from everywhere
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - SSH Services only local Network
# ---
echononl "\t\tSSH Services only local Network"
if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - SSH Services DMZ
# ---
echononl "\t\tSSH Services DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
for _ip in "${!ssh_server_dmz_arr[@]}"; do
# - Skip if no interface is given
# -
if [[ -z "${ssh_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
fi
# - From intern
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
done
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - SSH Service between local Netwotks
# ---
echononl "\t\tSSH Service between local Netwotks"
if $allow_ssh_between_local_nets ; then
if $kernel_forward_between_interfaces ; then
for _dev_1 in ${local_if_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev_1 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _dev_2 in ${local_if_arr[@]} ; do
if ! $permit_between_local_networks ; then
# - Notice:
# - In case of routing multiple netwoks on the same interface or
# - using alias interfaces like eth0:0, you need a rule with
# - incomming- and outgoing interface are equal!
# -
# - So DON'T add statement like this:
# - [[ "$_dev_2" = "$_dev_1" ]] && continue
# -
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Cisco kompartibles VPN (FRITZ!Box)
# ---
echononl "\t\tCisco VPN Service (FRITZ\!Box) only out"
if $allow_cisco_vpn_out && [[ ${#cisco_vpn_out_port_arr[@]} -gt 0 ]]; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${cisco_vpn_out_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
for _vpn_if in ${vpn_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - VPN Service only out
# ---
echononl "\t\tVPN Service only out"
if $allow_vpn_out && [[ ${#vpn_out_port_arr[@]} -gt 0 ]]; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${vpn_out_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
for _vpn_if in ${vpn_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - VPN Service Gateway
# ---
echononl "\t\tVPN Service Gateway"
if $local_vpn_service ; then
# - Cconnection establishment
# -
for _port in ${vpn_gw_port_arr[@]} ; do
$ip6t -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - VPN Service DMZ
# ---
echononl "\t\tVPN Service DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${!vpn_server_dmz_arr[@]} ; do
# - Skip if no interface is given
# -
if [[ -z "${vpn_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
for _port in ${vpn_local_net_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - WireGuard Service only out
# ---
echononl "\t\tWireGuard Service only out"
if $allow_wg_out && [[ ${#wg_out_port_arr[@]} -gt 0 ]]; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${wg_out_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
for _wg_if in ${wg_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_wg_if -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - WireGuard Service Gateway
# ---
echononl "\t\tWireGuard Service Gateway"
if $local_wg_service ; then
# - Cconnection establishment
# -
for _port in ${wg_gw_port_arr[@]} ; do
$ip6t -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - WireGuard Service DMZ
# ---
echononl "\t\tWireGuard Service DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#wg_server_dmz_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${!wg_server_dmz_arr[@]} ; do
# - Skip if no interface is given
# -
if [[ -z "${wg_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
for _port in ${wg_local_net_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - HTTP(S) OUT
# ---
echononl "\t\tHTTP(S) out only"
if $allow_http_request_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -o $_dev -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -i $_dev -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - HTTP(S) (local) Webserver
# ---
echononl "\t\tHTTP(S) Services Gateway"
# - Access to the local Webservice
if $local_http_service ; then
$ip6t -A INPUT -p tcp -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
echo_done
else
echo_skipped
fi
# ---
# - HTTP(S) Services only local Network
# ---
echononl "\t\tHTTP(S) Services only local Network"
# - Access to the Webservices (LAN)
if [[ ${#http_server_only_local_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${http_server_only_local_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - HTTP(S) Services DMZ
# ---
echononl "\t\tHTTP(S) Services DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
http_port_arr=(${http_ports//,/ })
for _ip in "${!http_server_dmz_arr[@]}"; do
# - Skip if no interface is given
# -
if [[ -z "${http_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
for _port in ${http_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
fi
done
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
fi
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - HTTPS Services DMZ (only port 443)
# ---
echononl "\t\tHTTPS Services DMZ (only port $standard_https_port)"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
for _ip in "${!http_ssl_server_dmz_arr[@]}"; do
# - Skip if no interface is given
# -
if [[ -z "${http_ssl_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
$ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
# - From extern
if $kernel_forward_between_interfaces ; then
$ip6t -t filter -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
fi
# - From intern
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
fi
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - Mail Service SMTP only out
# ---
echononl "\t\tMail Services SMTP only out"
if $allow_smtp_request_out && ! $permit_local_net_to_inet ; then
# - Provide SMTP out for all to WAN
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Mail (additional smtp ports OUT)
# ---
echononl "\t\tMail (additional smtp ports OUT)"
if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - SMTP (Relay) Service Gateway
# ---
echononl "\t\tSMTP (Relay) Service Gateway (only on local network)"
if $local_smtp_service ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - Mail User Services smtps/pop(s)/imap(s) only out
# ---
echononl "\t\tMail Services smtps/pop(s)/imap(s) only out"
if $allow_mail_request_out && ! $permit_local_net_to_inet ; then
# - Provide using Mailservices (WAN) from whole LAN
# -
# - Not needed from local machine. But for testing pupose (i.e. telnet <port>)
# -
# -
for _dev in ${ext_if_arr[@]} ; do
if $provide_mailservice_from_local ; then
# - Note!
# - this provides access both to LAN and WAN
$ip6t -A OUTPUT -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
fi
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Mail Service SMTP only local Networks
# ---
echononl "\t\tMail Service SMTP only local Networks"
if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_only_local_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
done
for _dev in ${ext_if_arr[@]} ; do
# Razor2 (TCP Port 2703)
$ip6t -A FORWARD -o $_dev -p tcp --dport 2703 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ip6t -A FORWARD -o $_dev -p tcp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
# - DCC (port udp:6277)
$ip6t -A FORWARD -o $_dev -p udp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ip6t -A FORWARD -o $_dev -p tcp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
fi
echo_done
done
else
echo_skipped
fi
# ---
# - Mail Services smtps/pop(s)/imap(s) only local Networks
# ---
echononl "\t\tMail Services smtps/pop(s)/imap(s) only local Networks"
if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]]; then
for _ip in ${mail_server_only_local_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Mail Server DMZ
# ---
echononl "\t\tMail Server DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
mail_port_arr=(${mail_user_ports//,/ })
mail_port_arr+=("$mail_smtp_port")
for _ip in "${!mail_server_dmz_arr[@]}"; do
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
# Razor2 (TCP Port 2703)
$ip6t -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p tcp --dport 2703 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ip6t -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p tcp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p udp --dport 24441 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
# - DCC (port udp:6277)
$ip6t -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p udp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ip6t -A FORWARD -o ${mail_server_dmz_arr[$_ip]} -p tcp --dport 6277 -s $_ip -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport 6277 -d $_ip -m conntrack --ctstate NEW -j ACCEPT
fi
# - Skip if no interface is given
# -
if [[ -z "${mail_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
for _port in ${mail_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $standard_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $standard_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
fi
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - FTP common
# ---
ftp_helper_output_defined=false
ftp_helper_prerouting_defined=false
# ---
# - FTP out only
# ---
echononl "\t\tFTP out only"
if $allow_ftp_request_out ; then
# - Used for different ftp6data recent lists 'ftp6data_$i'
# -
declare -i i=1
# - (Re)define helper
# -
if ! $ftp_helper_output_defined ; then
$ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
ftp_helper_output_defined=true
fi
if $kernel_forward_between_interfaces && ! $ftp_helper_prerouting_defined ; then
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
ftp_helper_prerouting_defined=true
fi
for _dev in ${ext_if_arr[@]} ; do
# - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'.
# -
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
-m recent --name ftp6data_$i --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
# -
$ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections
# -
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add (!) desitnatin ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftp6data_$i!
# -
# - Note:
# - Use flag '--rdest' to match destination address
# -
# =====
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'.
# -
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
-m recent --name ftp6data_$i --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
# -
$ip6t -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections
# -
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
#if $allow_ftp_request_out ; then
# for _dev in ${ext_if_arr[@]} ; do
# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# # - Allow active FTP connections from local network
# # -
# #$ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
# if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# fi
# # - Allow active FTP connections from local network
# # -
# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
# done
#
# echo_done
#else
# echo_done
#fi
# ---
# - FTP Service Gateway
# ---
echononl "\t\tFTP Service Gateway"
if $local_ftp_service ; then
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add source ip to a 'recent list' named 'ftp6service! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftp6service!
# -
# =====
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to (extern) FTP server (forward_ftp_server_ip_arr)
# -
if ! $ftp_helper_prerouting_defined ; then
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
ftp_helper_prerouting_defined=true
fi
# - (1)
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6service'.
# -
$ip6t -A INPUT -p tcp -m state --state NEW --dport $standard_ftp_port -m recent --name ftp6service --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftp6service' list (--update) and the
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \
-m recent --name ftp6service --update --seconds 1800 --reap -j ACCEPT
# - Accept (helper ftp) related connections
# -
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
echo_done
else
echo_skipped
fi
# ---
# - FTP Services only local Network
# ---
echononl "\t\tFTP Service local Networks"
if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
# - Used for different ftpdata recent lists 'ftp6data_local_$k'
# -
declare -i k=1
# - (Re)define helper
# -
if ! $ftp_helper_output_defined ; then
$ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
ftp_helper_output_defined=true
fi
if $kernel_forward_between_interfaces && ! $permit_between_local_networks && ! $ftp_helper_prerouting_defined ; then
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
ftp_helper_prerouting_defined=true
fi
for _ip in ${ftp_server_only_local_ip_arr[@]} ; do
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_$i'.
# -
$ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport 1024: -m state --state NEW \
-m recent --name ftp6data_local_$k --rdest --set -j ACCEPT
$ip6t -A FORWARD -d $_ip -p tcp --dport $standard_ftp_port -m state --state NEW \
-m recent --name ftp6data_local_$k --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ip6t -A OUTPUT -d $_ip -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftp6data_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
$ip6t -A FORWARD -d $_ip -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftp6data_local_$k --rdest --update --seconds 1800 --reap -j ACCEPT
fi
((k++))
# - Accept (helper ftp) related connections
# -
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -d $_ip --dport 1024: -j ACCEPT
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp -s $_ip --dport 1024: -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
#echononl "\t\tFTP Service local Networks"
#if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
# for _ip in ${ftp_server_only_local_ip_arr[@]} ; do
# $ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
#
# if ! $permit_between_local_networks ; then
# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# fi
#
# if $local_alias_interfaces ; then
# # - Control Port
# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT
# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT
# # - Data Port activ
# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT
# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT
# # - Data Port passiv
# $ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT
# fi
# done
#
# echo_done
#else
# echo_skipped
#fi
# ---
# - FTP Services DMZ
# ---
echononl "\t\tFTP Service DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then
IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}"
for _ip in "${!ftp_server_dmz_arr[@]}"; do
# - Skip if no interface is given
# -
if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
$ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# - From extern
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
fi
# - From intern
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
# - Control Port
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_port --tcp-flag ACK ACK -j ACCEPT
# - Data Port activ
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port --tcp-flag ACK ACK -j ACCEPT
# - Data Port passiv
$ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT
fi
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - TFTF Service out only
# ---
echononl "\t\tTFTF Service out only"
if $allow_tftp_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
fi
echo_done
else
echo_skipped
fi
# ---
# - TFTP Service Gateway
# ---
echononl "\t\tTFTF Service Gateway"
if $local_tftp_service ; then
$ip6t -A INPUT -p udp --dport $tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
echo_done
else
echo_skipped
fi
# ---
# - Samba Service only out
# ---
echononl "\t\tSamba Service only out"
if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${samba_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${samba_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces ; then
for _port in ${samba_udp_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${samba_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Samba Service Gateway (only for local Networks)
# ---
echononl "\t\tSamba Service Gateway (only for local Networks)"
if $local_samba_service ; then
for _dev in ${local_if_arr[@]} ; do
for _port in ${samba_udp_port_local_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${samba_tcp_port_local_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Samba Service only between local Networks
# ---
echononl "\t\tSamba Service only local Networks"
if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then
for _dev in ${local_if_arr[@]} ; do
for _ip in ${samba_server_local_ip_arr[@]} ; do
for _port in ${samba_udp_port_local_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${samba_tcp_port_local_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then
for _port in ${samba_udp_port_local_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${samba_tcp_port_local_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $local_alias_interfaces ; then
for _port in ${samba_tcp_port_local_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Samba Service DMZ
# ---
echononl "\t\tSamba Service DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
for _ip in "${!samba_server_dmz_arr[@]}"; do
# - Skip if no interface is given
# -
if [[ -z "${samba_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
# - From extern
if $kernel_forward_between_interfaces ; then
for _port in ${samba_udp_port_local_arr[@]} ; do
$ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${samba_tcp_port_local_arr[@]} ; do
$ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - From intern
for _dev in ${local_if_arr[@]} ; do
for _port in ${samba_udp_port_local_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${samba_tcp_port_local_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
for _port in ${samba_tcp_port_local_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
done
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - LDAP Service only out
# ---
echononl "\t\tLDAP Service only out"
if $allow_ldap_requests_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${ldap_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ldap_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces ; then
for _port in ${ldap_udp_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ldap_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
else
echo_skipped
fi
# ---
# - LDAP and LDAP SSL Service Gateway (only for local Networks)
# ---
echononl "\t\tLDAP(S) Service Gateway (only for local Networks)"
if $local_ldap_service ; then
for _dev in ${local_if_arr[@]} ; do
for _port in ${ldap_udp_port_local_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ldap_tcp_port_local_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - LDAP and LDAP SSL Service only between local Networks
# ---
echononl "\t\tLDAP(S) Service only local Networks"
if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then
for _dev in ${local_if_arr[@]} ; do
for _ip in ${ldap_server_local_ip_arr[@]} ; do
for _port in ${ldap_udp_port_local_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ldap_tcp_port_local_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then
for _port in ${ldap_udp_port_local_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ldap_tcp_port_local_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $local_alias_interfaces ; then
for _port in ${ldap_tcp_port_local_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - NTP out only
# ---
echononl "\t\tNTP Service out only"
if $allow_ntp_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - NTP Service Gateway
# ---
echononl "\t\tNTP Service Gateway"
if $local_ntp_service ; then
if ! $allow_ntp_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
$ip6t -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
echo_done
else
echo_skipped
fi
# ---
# - PGP Keyserver out only
# ---
echononl "\t\tPGP Keyserver out only"
if $allow_pgpserver_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Telnet
# ---
echononl "\t\tTelnet (only OUT)"
if $allow_telnet_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Whois out only
# ---
echononl "\t\tWhois out only"
if $allow_whois_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - CPAN Wait only out
# ---
# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
# - a WAIT server. It connects to a WAIT server using a simple protocoll
# - resembling NNTP as described in RFC977.
echononl "\t\tCPAN Wait only out"
if $allow_cpan_wait_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - HBCI only out (only forward)
# ---
echononl "\t\tHBCI only out (only forward)"
if $allow_hbci_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Jabber only out
# ---
echononl "\t\tJabber only out"
if $allow_jabber_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Silc only out
# ---
echononl "\t\tSilc only out"
if $allow_silc_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - IRC (Internet Relay Chat) only out
# ---
echononl "\t\tIRC only out"
if $allow_irc_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - MySQL
# ---
echononl "\t\tMySQL (only OUT)"
if $allow_mysql_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Timeserver (Port 37 NOT NTP!)"
# ---
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
if $allow_timeserver_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Mumble Service out only
# ---
echononl "\t\tMumble Service out only"
if $allow_mumble_request_out ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mumble_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Remote Console (VNC) only out
# ---
echononl "\t\tRemote Console (VNC) only out"
if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Remote Console (VNC) local Networks
# ---
echononl "\t\tRemote Console (VNC) local Networks"
if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${rm_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Remote Console (VNC) DMZ
# ---
echononl "\t\tRemote Console (VNC) DMZ"
unset no_if_for_ip_arr
declare -a no_if_for_ip_arr
if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then
for _ip in ${!rm_server_dmz_arr[@]} ; do
# - Skip if no interface is given
# -
if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then
no_if_for_ip_arr+=("$_ip")
continue
fi
# - From Gateway
$ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
# - From extern
$ip6t -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
# - From intern
if ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
fi
fi
done
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
echo_warning
for _ip in ${no_if_for_ip_arr[@]} ; do
warn "No Interface given for ip '$_ip'"
done
else
echo_done
fi
else
echo_skipped
fi
# ---
# - Munin Service Gateway
# ---
echononl "\t\tMunin Service Gateway"
if $local_munin_server ; then
if $provide_munin_service_to_inet ; then
# - Provide Service for local and extern networks
# -
$ip6t -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
else
# - Provide Service only for for local network
# -
for _dev in ${local_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Munin Service local Networks
# ---
echononl "\t\tMunin Service local Networks"
if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${munin_local_server_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
if ! $permit_between_local_networks ; then
$ip6t -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Munin remote Server
# ---
echononl "\t\tMunin remote Server"
if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then
for _ip in ${!munin_local_client_ip_arr[@]} ; do
if containsElement "$_ip" "${gateway_ipv6_address_arr[@]}" ; then
$ip6t -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
elif $kernel_forward_between_interfaces ; then
$ip6t -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port
$ip6t -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Outbound Streaming
# ---
echononl "\t\tOutbound Streaming (most providers)"
if $allow_outbound_streaming ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${outbound_streaming_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${outbound_streaming_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Turn/Stun Service
# ---
echononl "\t\tTurn/Stun Service"
if $allow_stun_turn_service_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${standard_turn_service_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${standard_turn_service_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Echo360 Video Plattform
# ---
echononl "\t\tEcho360 Video Plattform out only"
if $allow_echo360_video_streaming ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${echo360_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - IP Camera Service out only
# ---
echononl "\t\tIP Camera Service out Service out only"
if $allow_ip_camera_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${ip_camera_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${ip_camera_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - BigBlueButton Video Conference Service out only
# ---
echononl "\t\tBigBlueButton Video Conference Service out only"
if $allow_bigbluebutton_video_conference_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${bigbluebutton_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${bigbluebutton_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Skype for Business Online und Microsoft Teams
# ---
echononl "\t\tSkype for Business Online und Microsoft Teams"
if $allow_ms_skype_teams_out \
&& ( [[ ${#ms_skype_teams_udp6_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp6_port_arr[@]} -gt 0 ]] ) \
|| [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
if [[ ${#ms_skype_teams_udp6_host_arr[@]} -gt 0 ]] && [[ ${#ms_skype_teams_udp6_port_arr[@]} -gt 0 ]] ; then
for _host in ${ms_skype_teams_udp6_host_arr[@]} ; do
for _port in ${ms_skype_teams_udp6_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp -d $_host --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
fi
if [[ ${#ms_skype_teams_tcp_port_arr[@]} -gt 0 ]] ; then
for _port in ${ms_skype_teams_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
fi
done # for _dev in ${ext_if_arr[@]} ; do
echo_done
else
echo_skipped
fi
# ---
# - Webex Meeting Video Conference Service out only
# ---
echononl "\t\tWebex Meeting Video Conference Service out only"
if $allow_webex_video_conference_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${webex_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${webex_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Zoom Meeting - Video Conference Service out only
# ---
echononl "\t\tZoom Meeting - Video Conference Service out only"
if $allow_zoom_video_conference_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${zoom_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${zoom_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Jitsi Video Conference Service out only
# ---
echononl "\t\tJitsi Video Conference Service out only"
if $allow_jitsi_video_conference_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${jitsi_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${jitsi_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - alfaview - Video Conferencing Systems
# ---
echononl "\t\talfaview - Video Conferencing Systems Service out only"
if $allow_alfaview_video_conference_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${alfaview_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${alfaview_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Nextcloud 'talk' App
# ---
echononl "\t\tNextcloud 'talk' App"
if $allow_nc_turn_video_conference_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${nc_turn_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${nc_turn_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Collected TCP Ports OUT
# ---
echononl "\t\tCollected TCP Ports OUT"
if [[ ${#out_tcp_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${out_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Collected UDP Ports OUT
# ---
echononl "\t\tCollected UDP Ports OUT"
if [[ ${#out_udp_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${out_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Rsyncd (only Out) Gateway
# ---
echononl "\t\tRsyncd (only OUT) Gateway"
if $local_rsync_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${rsync_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Rsyncd (only OUT) from all local networks"
# ---
echononl "\t\tRsyncd (only OUT) from all local networks"
if $forward_rsync_out && $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
for _local_dev in ${local_if_arr[@]} ; do
for _ext_dev in ${ext_if_arr[@]} ; do
for _port in ${rsync_port_arr[@]} ; do
$ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -i $_local_dev -o $_ext_dev -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -i $_ext_dev -o $_local_dev -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
done
echo_done
else
echo_skipped
fi
# ---
# - Rsync only Out from given local machines
# ---
echononl "\t\tRsync Out from given local machines"
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces $$ ! $permit_local_net_to_inet; then
for _port in ${rsync_port_arr[@]} ; do
for _ip in ${rsync_out_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - CUPS only between local Networks (IPP Port 631)
# ---
echononl "\t\tCUPS/IPP (Port 631) only between local Networks"
if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
for _local_dev_1 in ${local_if_arr[@]} ; do
for _local_dev_2 in ${local_if_arr[@]} ; do
if ! $local_alias_interfaces ; then
[[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
fi
$ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT
done
if $local_alias_interfaces ; then
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Druck Port 9100 (RAW) only out between local Networks
# ---
echononl "\t\tDruck Port 9100 only between local Networks"
if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
for _local_dev_1 in ${local_if_arr[@]} ; do
for _local_dev_2 in ${local_if_arr[@]} ; do
if ! $local_alias_interfaces ; then
[[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
fi
$ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
done
if $local_alias_interfaces ; then
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Druck LPD (Port 515) only out between local Networks
# ---
echononl "\t\tDruck LPD (Port 515) only between local Networks"
if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
for _local_dev_1 in ${local_if_arr[@]} ; do
for _local_dev_2 in ${local_if_arr[@]} ; do
if ! $local_alias_interfaces ; then
[[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
fi
$ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT
done
if $local_alias_interfaces ; then
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Printer
# ---
echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks"
if [[ ${#printer_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks \
&& ! $allow_printing_between_local_nets ; then
for _ip in ${printer_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ipp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Scanner
# ---
echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks"
if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks \
&& $allow_scanning_between_local_nets ; then
for _ip in ${brother_scanner_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
# - UDP
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT
# - TCP
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $brscan_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $brscan_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
echononl "\t\tEpson Network Scanner (Port $epson_scan_port) only between local Networks"
if [[ ${#epson_scanner_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks \
&& $allow_scanning_between_local_nets ; then
for _ip in ${epson_scanner_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
# - UDP
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $epson_scan_port -m conntrack --ctstate NEW -j ACCEPT
# - TCP
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $epson_scan_port -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $epson_scan_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $epson_scan_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Other local Services
# ---
echononl "\t\tOther local Services"
if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _val in ${other_service_arr[@]} ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces && [[ "${_val_arr[2]}" = "tcp" ]] ; then
$ip6t -A FORWARD -i $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_ok
else
echo_skipped
fi
# ---
# - SNMP Services local Networks
# ---
echononl "\t\tSNMP Services local Networks"
if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${snmp_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p udp -s $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
else
echo_skipped
fi
# ---
# - freeIPA Services local Networks
# ---
echononl "\t\tFreeIPA Services local Networks"
if [[ ${#freeipa_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then
for _ip in ${freeipa_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
else
echo_skipped
fi
# ---
# - WakeOnLan only out into local Networks
# ---
echononl "\t\tWakeOnLan only out into local Networks"
$ip6t -A OUTPUT -p udp --dport 9 -j ACCEPT
echo_done
# ---
# - NFS Service (portmapper, mountd, nfs)
# ---
if $terminal; then
echononl "\t\tNFS Service\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
echo -e "\033[75G[ \033[37mskipped\033[m ]"
echononl "\t\tVoIP\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
echo -e "\033[75G[ \033[37mskipped\033[m ]"
echononl "\t\tSip\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
echo -e "\033[75G[ \033[37mskipped\033[m ]"
echononl "\t\tSkype\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
echo -e "\033[75G[ \033[37mskipped\033[m ]"
else
echo "NFS Service - Not yet implemented"
echo "VoIP - Not yet implemented"
echo "Sip - Not yet implemented"
echo "Skype - Not yet implemented"
fi
# ---
# - PowerChute Network Shutdown local Network
# ---
echononl "\t\tPowerChute Network Shutdown local Network"
if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then
for _ip in ${pcns_server_ip_arr[@]} ; do
if containsElement "$_ip" "${gateway_ipv6_address_arr[@]}" ; then
$ip6t -A OUTPUT -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
fi
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
$ip6t -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
fi
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Ubiquiti Unifi Controller Gateway
# ---
echononl "\t\tUbiquiti Unifi Controller Gateway IN"
if $local_unifi_controller_service \
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
# Not only unifi devices but also clients need some ports to connect to
# unifi controller. So we open the ports on local netwprk devices.
#
for _local_dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_local_dev -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -i $_local_dev -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -o $_local_dev -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -o $_local_dev -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done
# Note:
# in contrast to devices at local networks, devices hosted at extern network
# are only be seen, if the device is part of this array 'unifi_ap_extern_ip_arr'
#
if [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]]; then
for _ip in ${unifi_ap_extern_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -s $_ip -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -s $_ip -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --sport $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -d $_ip -m multiport --sport $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
echononl "\t\tUbiquiti Unifi Controller Gateway OUT (unrestricted)"
if $local_unifi_controller_service \
&& ( [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] || [[ ${#unifi_ap_extern_ip_arr[@]} -gt 0 ]] ) ; then
$ip6t -A OUTPUT -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
fi
fi
echo_done
else
echo_skipped
fi
# ---
# - Ubiquiti Unifi Controller (Accesspoints) local Network
# ---
echononl "\t\tUbiquiti Unifi Controller (Accesspoints) local Network"
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
&& $kernel_forward_between_interfaces \
&& ! $permit_between_local_networks ; then
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unifi_udp_ctrl_in_ports -m conntrack --ctstate NEW -j ACCEPT
done
# - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule.
# -
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unifi_tcp_ctrl_in_ports --tcp-flag ACK ACK -j ACCEPT
fi
done
# Rules already exists if 'local_unifi_controller_service = true'
#
if ! $local_unifi_controller_service ; then
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -m multiport --dports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -m multiport --sports $unifi_udp_ctrl_out_ports -m conntrack --ctstate NEW -j ACCEPT
if $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -m multiport --dports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -m multiport --sports $unifi_tcp_ctrl_out_ports --tcp-flag ACK ACK -j ACCEPT
fi
fi
echo_done
else
echo_skipped
fi
# ---
# - IPMI Tools (e.g. IPMIView) only out
# ---
echononl "\t\tIPMI Tools (e.g. IPMIView) only out"
if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${ipmi_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ipmi_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces ; then
for _port in ${ipmi_udp_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ipmi_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
done
echo_done
else
echo_skipped
fi
# ---
# - IPMI Tools (e.g. IPMIView) local Networks
# ---
echononl "\t\tIPMI Tools (e.g. IPMIView) local Networks"
if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${ipmi_server_ip_arr[@]} ; do
for _port in ${ipmi_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ipmi_tcp_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _port in ${ipmi_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ipmi_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $local_alias_interfaces ; then
for _port in ${ipmi_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT
done
for _port in ${ipmi_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
done
fi
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Checkmk Monitoring Service Gateway
# ---
echononl "\t\tCheckmk Monitoring Service Gateway (only local network)"
if $checkmk_service_gateway ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - Checkmk Service local Networks
# ---
echononl "\t\tCheckmk Monitoring Service local Networks"
if [[ ${#checkmk_local_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${checkmk_local_server_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
if ! $permit_between_local_networks ; then
$ip6t -A FORWARD -i $_dev -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --sport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - XyMon local service
# ---
echononl "\t\tXyMon Service Gateway"
if $local_xymon_server ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - XyMon Service Intranet
# ---
echononl "\t\tXyMon Service Intranet"
if [[ ${#xymon_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${xymon_server_ip_arr[@]} ; do
if $local_xymon_client ; then
$ip6t -A OUTPUT -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
fi
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
done
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -d $_ip --dport $xymon_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --sport $xymon_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Gaming
# ---
echo ""
echononl "\t\tGaming UDP local Ports out"
if $allow_gaming_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_local_udp_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p udp --sport $_port -m conntrack --ctstate NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
echononl "\t\tGaming TCP local Ports out"
if $allow_gaming_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_local_tcp_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p tcp --sport $_port -m conntrack --ctstate NEW -j ACCEPT
done
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -o $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
echononl "\t\tGaming UDP Ports out"
if $allow_gaming_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_udp_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
echononl "\t\tGaming TCP Ports out"
if $allow_gaming_out && ! $permit_local_net_to_inet ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${game_ports_tcp_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
# - Rule is needed if (local) interface aliases in use (like eth0:1)
# -
if $kernel_activate_forwarding && $local_alias_interfaces ; then
$ip6t -A FORWARD -p tcp -o $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT
$ip6t -A FORWARD -p tcp -i $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# -------------
# --- Portforwarding
# -------------
# ---
# - Portforwarding TCP
# ---
echo
echononl "\tPortforwarding TCP"
if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _val in "${portforward_tcp_arr[@]}" ; do
# - Split value
# -
IFS=',' read -a _val_arr <<< "${_val}"
# - DNAT
# -
if [[ "${_val_arr[1]}" = "${_val_arr[3]}" ]] ; then
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination ${_val_arr[2]}
else
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination [${_val_arr[2]}]:${_val_arr[3]}
fi
# - Allow Packets
# -
$ip6t -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - Portforwarding UDP
# ---
echononl "\tPortforwarding UDP"
if [[ ${#portforward_udp_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _val in "${portforward_udp_arr[@]}" ; do
# - Split value
# -
IFS=',' read -a _val_arr <<< "${_val}"
# - DNAT
# -
if [[ "${_val_arr[1]}" = "${_val_arr[3]}" ]] ; then
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination ${_val_arr[2]}
else
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination [${_val_arr[2]}]:${_val_arr[3]}
fi
# - Allow Packets
# -
$ip6t -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - UNIX Traceroute
# ---
echo
echononl "\tUNIX Traceroute"
# versendet udp packete im gegensatz zu tracert von windows
# der icmp-echo-request pakete versendet
# einige implementierungen von traceroute (linux) erm<72>lichens
# die option -I und versenden dann ebenfalls icmp-echo-request pakete
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
$ip6t -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
$ip6t -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
fi
done
echo_done
# -------------
# --- ICMP Traffic (i.e. ping requests)
# -------------
# ---
# - ICMP is configured above..
# ---
# ---
# - Deny between local networks
# ---
echo
echononl "\tDeny all traffic between local networks.."
if $kernel_forward_between_interfaces ; then
if ! $permit_between_local_networks ; then
for _dev_1 in ${local_if_arr[@]} ; do
for _dev_2 in ${local_if_arr[@]} ; do
if $log_rejected || $log_all ; then
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected local NET: "
fi
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP
done
done
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
# -------------
# --- Log traffic not matched so far
# -------------
echo
echononl "\tLog traffic not matched so far.."
if $log_rejected || $log_all ; then
$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
#$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: "
#$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "
#$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: "
echo_done
else
echo_skipped
fi
# -------------
# --- DROP traffic not matched so far
# -------------
echononl "\tDROP traffic not matched so far.."
# - drop all other for all interfaces..
#
$ip6t -A INPUT -j DROP
$ip6t -A OUTPUT -j DROP
$ip6t -A FORWARD -j DROP
#
# ---------- Ende: DROP ----------
echo_done
# ---
# - Warning, if no intern (local) interface is configured
# ---
if [[ ${#local_if_arr[@]} -lt 1 ]] ; then
echo ""
echo ""
if $terminal ; then
echo -e "\t\033[33m\033[1m----------\033[m"
else
echo "----------"
fi
warn "No local Interface is configured!"
if $terminal ; then
echo -e "\t\033[33m\033[1m----------\033[m"
else
echo "----------"
fi
fi
echo
exit 0
Reference in New Issue View Git Blame Copy Permalink