3726 lines
109 KiB
Bash
Executable File
3726 lines
109 KiB
Bash
Executable File
#!/usr/bin/env bash
|
||
|
||
### BEGIN INIT INFO
|
||
# Provides: ip6t-firewall
|
||
# Required-Start: $local_fs $remote_fs $syslog $network $time
|
||
# Required-Stop: $local_fs $remote_fs $syslog $network
|
||
# Should-Start:
|
||
# Should-Stop:
|
||
# Default-Start: 2 3 4 5
|
||
# Default-Stop: 0 1 6
|
||
# Short-Description: IPv6 Firewall
|
||
### END INIT INFO
|
||
|
||
|
||
# -------------
|
||
# - Settings
|
||
# -------------
|
||
|
||
ipt_conf_dir="/etc/ipt-firewall"
|
||
|
||
inc_functions_file="${ipt_conf_dir}/include_functions.conf"
|
||
|
||
load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
|
||
|
||
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
|
||
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
|
||
conf_default_ports=${ipt_conf_dir}/default_ports.conf
|
||
conf_main=${ipt_conf_dir}/main_ipv6.conf
|
||
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
|
||
|
||
# -------------
|
||
# - Some checks and preloads..
|
||
# -------------
|
||
|
||
ip6t=$(which ip6tables)
|
||
|
||
if [[ -z "$ip6t" ]] ; then
|
||
echo ""
|
||
echo -e "\tiptables was not found on this server!"
|
||
echo
|
||
echo -e "\tFirewall Script was stopped!"
|
||
echo
|
||
exit 1
|
||
fi
|
||
|
||
if [[ ! -f "$inc_functions_file" ]] ; then
|
||
echo ""
|
||
echo -e "\tMissing include file '$inc_functions_file'"
|
||
echo
|
||
echo -e "\tFirewall Script was stopped!"
|
||
echo
|
||
exit 1
|
||
else
|
||
source $inc_functions_file
|
||
fi
|
||
|
||
if [[ ! -f "$load_modules_file" ]]; then
|
||
warn "No modules for loading configured. Missing file '$load_modules_file'!"
|
||
else
|
||
|
||
while read -r module ; do
|
||
if ! lsmod | grep -q -E "^$module\s+" ; then
|
||
/sbin/modprobe $module > /dev/null 2>&1
|
||
if [[ "$?" != "0" ]]; then
|
||
warn "Loading module '$module' failed!"
|
||
fi
|
||
fi
|
||
done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
|
||
|
||
fi
|
||
|
||
if [[ ! -f "$conf_logging" ]]; then
|
||
fatal "Missing configuration for logging - file '$conf_logging'"
|
||
else
|
||
source $conf_logging
|
||
fi
|
||
|
||
if [[ ! -f "$conf_default_ports" ]]; then
|
||
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
|
||
else
|
||
source $conf_default_ports
|
||
fi
|
||
|
||
if [[ ! -f "$conf_interfaces" ]]; then
|
||
fatal "Missing interface configurations - file '$conf_interfaces'"
|
||
else
|
||
source $conf_interfaces
|
||
fi
|
||
|
||
if [[ ! -f "$conf_main" ]]; then
|
||
fatal "Missing main configurations - file '$conf_main'"
|
||
else
|
||
source $conf_main
|
||
fi
|
||
|
||
if [[ ! -f "$conf_post_declarations" ]]; then
|
||
fatal "Missing post declarations - file '$conf_post_declarations'"
|
||
else
|
||
source $conf_post_declarations
|
||
fi
|
||
|
||
|
||
echo
|
||
if $terminal ; then
|
||
echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m"
|
||
else
|
||
echo "Starting firewall iptables (IPv4).."
|
||
fi
|
||
echo
|
||
|
||
|
||
|
||
# -------------
|
||
# --- Activate IP Forwarding
|
||
# -------------
|
||
|
||
# ---
|
||
# - Enable/Disable ip forwarding between interfaces
|
||
# ---
|
||
if $kernel_forward_between_interfaces ; then
|
||
echononl "\tActivate Forwarding.."
|
||
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
||
else
|
||
echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
|
||
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
|
||
fi
|
||
|
||
echo_done
|
||
|
||
|
||
# -------------
|
||
# --- Adjust Kernel Parameters
|
||
# -------------
|
||
|
||
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
|
||
|
||
if $adjust_kernel_parameters ; then
|
||
|
||
# ---
|
||
# - Deactivate Source Routed Packets
|
||
# ---
|
||
for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do
|
||
if $kernel_deactivate_source_route ; then
|
||
echo 0 > $asr
|
||
fi
|
||
done
|
||
|
||
|
||
# ---
|
||
# - Deactivate sending ICMP redirects
|
||
# ---
|
||
if $kernel_dont_accept_redirects ; then
|
||
echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects
|
||
fi
|
||
|
||
echo_done # Adjust Kernel Parameters (Security/Tuning)
|
||
else
|
||
echo_skipped
|
||
|
||
fi
|
||
|
||
|
||
|
||
# -------------
|
||
# --- Set default policies / Flush Rules
|
||
# -------------
|
||
|
||
echo
|
||
echononl "\tFlushing firewall iptable (IPv6).."
|
||
|
||
# - default policies
|
||
# -
|
||
$ip6t -P INPUT ACCEPT
|
||
$ip6t -P OUTPUT ACCEPT
|
||
$ip6t -P FORWARD ACCEPT
|
||
|
||
## - flush chains
|
||
## -
|
||
$ip6t -F
|
||
$ip6t -F INPUT
|
||
$ip6t -F OUTPUT
|
||
$ip6t -F FORWARD
|
||
$ip6t -F -t mangle
|
||
$ip6t -F -t nat
|
||
$ip6t -F -t raw
|
||
$ip6t -X
|
||
$ip6t -Z
|
||
|
||
#$ip6t -t nat -A POSTROUTING -o $ext_if_static_1 -j MASQUERADE
|
||
$ip6t -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||
|
||
echo_done # Flushing firewall iptable (IPv6)..
|
||
echo
|
||
|
||
|
||
# -------------
|
||
# - Log given IP Addresses
|
||
# -------------
|
||
|
||
echononl "\tLog given IP Addresses"
|
||
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
|
||
for _ip in ${log_ip_arr[@]} ; do
|
||
$ip6t -A INPUT -s $_ip -j LOG --log-prefix "$_ip IN: " --log-level $log_level
|
||
$ip6t -A OUTPUT -d $_ip -j LOG --log-prefix "$_ip OUT: " --log-level $log_level
|
||
$ip6t -A FORWARD -s $_ip -j LOG --log-prefix "$_ip FORWARD FROM: " --log-level $log_level
|
||
$ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$_ip FORWARD TO: " --log-level $log_level
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# -------------
|
||
# --- ICMP Traffic (i.e. ping requests)
|
||
# -------------
|
||
|
||
echononl "\tPermit all ICMP IPv6 traffic.."
|
||
if $permit_all_icmp_traffic ; then
|
||
$ip6t -A INPUT -p ipv6-icmp -j ACCEPT
|
||
$ip6t -A OUTPUT -p ipv6-icmp -j ACCEPT
|
||
$ip6t -A FORWARD -p ipv6-icmp -j ACCEPT
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# -------------
|
||
# --- Stopping firewall if only flushing was requested (parameter flush)
|
||
# -------------
|
||
|
||
case $1 in
|
||
flush)
|
||
warn No firewall rules are active!
|
||
exit 0;;
|
||
esac
|
||
|
||
|
||
# ---
|
||
# - Stop here, if no extern interface is configured
|
||
# ---
|
||
|
||
if [[ ${#ext_if_arr[@]} -lt 1 ]] ; then
|
||
fatal "No extern Interface is configured!"
|
||
fi
|
||
|
||
|
||
|
||
# -------------
|
||
# --- Pass through Devices Interfaces (not firewalled)
|
||
# -------------
|
||
|
||
if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
|
||
echononl "\tPass through Devices (not firewalled)"
|
||
for _dev in ${unprotected_if_arr[@]} ; do
|
||
if $log_unprotected || $log_all ; then
|
||
$ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
|
||
$ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
|
||
$ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
|
||
fi
|
||
fi
|
||
$ip6t -A INPUT -i $_dev -j ACCEPT
|
||
$ip6t -A OUTPUT -o $_dev -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
fi
|
||
|
||
|
||
|
||
# -------------
|
||
# --- Block IPs / Networks / Interfaces
|
||
# -------------
|
||
echononl "\tBlock IPs / Networks / Interfaces.."
|
||
|
||
|
||
# ---
|
||
# - Block IPs
|
||
# ---
|
||
|
||
for _ip in $blocked_ips ; do
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
if $log_blocked_ip || $log_all ; then
|
||
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
|
||
fi
|
||
fi
|
||
$ip6t -A INPUT -i $_dev -s $_ip -j DROP
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -s $_ip -j DROP
|
||
fi
|
||
done
|
||
done
|
||
|
||
|
||
# ---
|
||
# - Block Interfaces
|
||
# ---
|
||
|
||
for _if in ${blocked_if_arr[@]} ; do
|
||
if $log_blocked_if || $log_all ; then
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
|
||
$ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
|
||
fi
|
||
$ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
|
||
$ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
|
||
fi
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_if -j DROP
|
||
$ip6t -A FORWARD -o $_if -j DROP
|
||
fi
|
||
$ip6t -A INPUT -i $_if -j DROP
|
||
$ip6t -A OUTPUT -o $_if -j DROP
|
||
done
|
||
|
||
echo_done # Block IPs / Networks / Interfaces..
|
||
|
||
|
||
# ---
|
||
# - Allow Forwarding certain private Addresses
|
||
# ---
|
||
|
||
echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
|
||
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${forward_private_ip_arr[@]}; do
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -d $_ip -j ACCEPT
|
||
$ip6t -A FORWARD -s $_ip -j ACCEPT
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# -------------
|
||
# --- Protections against several attacks / unwanted packages
|
||
# -------------
|
||
echo
|
||
echononl "\tProtections against several attacks / unwanted packages.."
|
||
|
||
if $protect_against_several_attacks ; then
|
||
|
||
# ---
|
||
# - Protection against syn-flooding
|
||
# ---
|
||
|
||
$ip6t -N syn-flood
|
||
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
||
if $log_syn_flood || $log_all ; then
|
||
$ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
|
||
fi
|
||
$ip6t -A syn-flood -j DROP
|
||
|
||
|
||
# ---
|
||
# - drop new packages without syn flag
|
||
# ---
|
||
|
||
if $log_new_not_sync || $log_all ; then
|
||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
|
||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
|
||
fi
|
||
fi
|
||
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - drop invalid packages
|
||
# ---
|
||
|
||
if $log_invalid_state || $log_all ; then
|
||
$ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
|
||
fi
|
||
fi
|
||
$ip6t -A INPUT -m state --state INVALID -j DROP
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -m state --state INVALID -j DROP
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - ungewöhnliche Flags verwerfen
|
||
# ---
|
||
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
if $log_invalid_flags || $log_all ; then
|
||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
|
||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
|
||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
|
||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
|
||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
|
||
fi
|
||
fi
|
||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||
fi
|
||
done
|
||
|
||
|
||
# ---
|
||
# - Refuse private addresses on extern interfaces
|
||
# ---
|
||
|
||
# - Refuse spoofed packets pretending to be from your IP address.
|
||
if $log_spoofed || $log_all ; then
|
||
for _ip in ${ext_ip_arr[@]} ; do
|
||
$ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
|
||
fi
|
||
done
|
||
fi
|
||
for _ip in ${ext_ip_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
|
||
fi
|
||
done
|
||
|
||
|
||
# - private Adressen auf externen interface verwerfen
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
if $log_spoofed || $log_all ; then
|
||
$ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
|
||
$ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
|
||
$ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
|
||
fi
|
||
fi
|
||
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
|
||
$ip6t -A INPUT -i $_dev -s $loopback -j DROP
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
|
||
$ip6t -A FORWARD -i $_dev -s $loopback -j DROP
|
||
fi
|
||
|
||
# Don't allow spoofing from that server
|
||
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
|
||
$ip6t -A OUTPUT -o $_dev -s $loopback -j DROP
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
|
||
$ip6t -A FORWARD -o $_dev -s $loopback -j DROP
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# -------------
|
||
# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]})
|
||
# -------------
|
||
|
||
if $log_voip || $log_all ; then
|
||
for _ip in ${tel_sys_ip_arr[@]} ; do
|
||
$ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
|
||
done
|
||
fi
|
||
#for _PORT in ${VOIP_PORTS} ; do
|
||
# $ip6t -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level
|
||
#done
|
||
|
||
|
||
# -------------
|
||
# ------------- Stopping firewall here if requested (parameter stop)
|
||
# -------------
|
||
|
||
|
||
case $1 in
|
||
sto*)
|
||
echo
|
||
if $terminal ; then
|
||
echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
|
||
else
|
||
echo "Stop was requested. No more firewall rules.."
|
||
fi
|
||
echo
|
||
exit 0;;
|
||
esac
|
||
|
||
|
||
echo
|
||
|
||
|
||
# -------------
|
||
# --- iPerf
|
||
# -------------
|
||
|
||
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
|
||
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
|
||
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
|
||
|
||
echononl "\tCreate \"iPerf\" rules.."
|
||
if $create_iperf_rules ; then
|
||
$ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT
|
||
$ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT
|
||
#
|
||
$ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT
|
||
$ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT
|
||
fi
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Drop packets not wanted on gateway
|
||
# ---
|
||
|
||
echononl "\tDrop packets not wanted on gateway"
|
||
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
if $log_not_wanted || $log_all ; then
|
||
if $not_wanted_ident ; then
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
|
||
fi
|
||
for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
|
||
done
|
||
for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level
|
||
done
|
||
fi
|
||
if $not_wanted_ident ; then
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset
|
||
fi
|
||
for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -j DROP
|
||
done
|
||
for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p udp --dport $_port -j DROP
|
||
done
|
||
done
|
||
|
||
echo_done
|
||
|
||
|
||
# -------------
|
||
# --- Generally prohibited from WAN
|
||
# -------------
|
||
|
||
echononl "\tGenerally prohibited from WAN"
|
||
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
if $log_prohibited || $log_all ; then
|
||
if $block_ident ; then
|
||
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
|
||
fi
|
||
for _port in ${block_tcp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
|
||
done
|
||
for _port in ${block_udp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
|
||
done
|
||
if $kernel_forward_between_interfaces ; then
|
||
if $block_ident ; then
|
||
$ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
|
||
fi
|
||
for _port in ${block_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
|
||
done
|
||
for _port in ${block_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
|
||
done
|
||
fi
|
||
fi
|
||
if $block_ident ; then
|
||
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
|
||
fi
|
||
for _port in ${block_tcp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP
|
||
done
|
||
for _port in ${block_udp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP
|
||
done
|
||
if $kernel_forward_between_interfaces ; then
|
||
if $block_ident ; then
|
||
$ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset
|
||
fi
|
||
for _port in ${block_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
|
||
done
|
||
for _port in ${block_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP
|
||
done
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
echo
|
||
|
||
|
||
# -------------
|
||
# --- Traffic generally allowed
|
||
# -------------
|
||
|
||
echononl "\tLoopback device generally allowed.."
|
||
|
||
# ---
|
||
# - Loopback device
|
||
# ---
|
||
|
||
$ip6t -A INPUT -i lo -j ACCEPT
|
||
$ip6t -A OUTPUT -o lo -j ACCEPT
|
||
|
||
echo_done
|
||
|
||
|
||
# ---
|
||
# - Allow all Traffic from source mac-address
|
||
# ---
|
||
|
||
echononl "\tAllow all Traffic from MAC Source-Address"
|
||
|
||
if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then
|
||
for _mac in ${allow_all_mac_src_address_arr[@]} ; do
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Allow local Traffic from source mac-address
|
||
# ---
|
||
|
||
echononl "\tAllow local Traffic from MAC Source-Address"
|
||
|
||
|
||
if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then
|
||
for _mac in ${allow_local_mac_src_address_arr[@]} ; do
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Allow remote Traffic from source mac-address
|
||
# ---
|
||
|
||
echononl "\tAllow remote Traffic from MAC Source-Address"
|
||
|
||
|
||
if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then
|
||
for _mac in ${allow_remote_mac_src_address_arr[@]} ; do
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Already established connections
|
||
# ---
|
||
|
||
echononl "\tAccept already established connections.."
|
||
|
||
$ip6t -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||
$ip6t -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||
fi
|
||
|
||
echo_done
|
||
|
||
|
||
# ---
|
||
# - Permit all traffic through VPN lines
|
||
# ---
|
||
echononl "\tPermit all traffic through VPN lines.."
|
||
for _vpn_if in ${vpn_if_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
for _local_dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
echo_done
|
||
|
||
|
||
|
||
# ---
|
||
# - Telefon Systems
|
||
# ---
|
||
|
||
echononl "\tAllow all Traffic between Telefon Systems"
|
||
if [[ ${#tele_sys_ip_arr[@]} -gt 1 ]] && $allow_between_tele_systems && ! $permit_between_local_networks ; then
|
||
for _ip_1 in ${tele_sys_ip_arr[@]} ; do
|
||
for _ip_2 in ${tele_sys_ip_arr[@]} ; do
|
||
#[[ "$_ip_1" = "$_ip_2" ]] && continue
|
||
$ip6t -A FORWARD -s $_ip_1 -d $_ip_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Telefon Systems to remote SIP-Server
|
||
# ---
|
||
|
||
echononl "\tTelefon System to remote SIP-Server"
|
||
if [[ ${#tele_sys_ip_arr[@]} -gt 0 ]] ; then
|
||
if [ -z "$tele_sys_remote_sip_server_port" -o -z "$tele_sys_local_sip_server_port" ] ; then
|
||
echo_failed
|
||
warn "Local or remote SIP Port not given"!
|
||
else
|
||
for _ip in ${tele_sys_ip_arr[@]} ; do
|
||
$ip6t -A FORWARD -p udp -s $_ip --sport $tele_sys_local_sip_server_port \
|
||
--dport $tele_sys_remote_sip_server_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - All request from local networks to the internet
|
||
# ---
|
||
|
||
echononl "\tPermit all traffic from local networks to the internet.."
|
||
if $permit_local_net_to_inet ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Networks not firewalled through extern interfaces
|
||
# ---
|
||
|
||
echononl "\tAllow these local networks any access to the internet"
|
||
if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces \
|
||
&& ! $permit_local_net_to_inet ; then
|
||
|
||
for _net in ${any_access_to_inet_network_arr[@]}; do
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
echononl "\tAllow these local networks any access from the internet"
|
||
if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _net in ${any_access_from_inet_network_arr[@]}; do
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow local services from given extern networks
|
||
# ---
|
||
|
||
echononl "\tAllow local services from given extern networks"
|
||
if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
|
||
if containsElement "${_val_arr[1]}" "${gateway_ipv6_address_arr[@]}" ; then
|
||
$ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
|
||
$ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow all traffic from extern address/network to local address/network
|
||
# ---
|
||
|
||
echononl "\tAllow all traffic from extern to local network/address"
|
||
|
||
if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in ${allow_ext_net_to_local_net_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Block all extern traffic to (given) local network
|
||
# ---
|
||
|
||
echononl "\tBlock all extern traffic to (given) local network"
|
||
if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _net in ${block_all_ext_to_local_net_arr[@]} ; do
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow local services from given local networks
|
||
# ---
|
||
|
||
echononl "\tAllow local services from given local networks"
|
||
if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in "${allow_local_net_to_local_service_arr[@]}" ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
if [[ "${_val_arr[3]}" = "tcp" ]]; then
|
||
$ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow all traffic from local network to local ip-address
|
||
# ---
|
||
|
||
echononl "\tAllow all traffic from local network to local ip-address"
|
||
|
||
if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in ${allow_local_net_to_local_ip_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
echo_ok
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow all traffic from local ip-address to local network
|
||
# ---
|
||
|
||
echononl "\tAllow all traffic from local ip-address to local network"
|
||
|
||
if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in ${allow_local_ip_to_local_net_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
echo_ok
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow all traffic from (one) local network to (another) local network
|
||
# ---
|
||
|
||
echononl "\tAllow all traffic from local network to (another) local network"
|
||
|
||
if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in ${allow_local_net_to_local_net_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
echo_ok
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow local ip address from given local interface
|
||
# ---
|
||
|
||
echononl "\tAllow local ip address from given local interface"
|
||
|
||
if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in ${allow_local_if_to_local_ip_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow extern service from given local interface
|
||
# ---
|
||
|
||
echononl "\tAllow extern service from given local interface"
|
||
|
||
if [[ ${#allow_local_if_to_ext_service_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in "${allow_local_if_to_ext_service_arr[@]}" ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ${_val_arr[3]} -i ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
if [[ "${_val_arr[3]}" = "tcp" ]]; then
|
||
$ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow extern network from given local interface
|
||
# ---
|
||
|
||
echononl "\tAllow extern network from given local interface"
|
||
|
||
if [[ ${#allow_local_if_to_ext_net_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in ${allow_local_if_to_ext_net_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow extern service from given local network
|
||
# ---
|
||
|
||
echononl "\tAllow extern service from given local network"
|
||
|
||
if [[ ${#allow_local_net_to_ext_service_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in "${allow_local_net_to_ext_service_arr[@]}" ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
if [[ "${_val_arr[3]}" = "tcp" ]]; then
|
||
$ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Allow extern network from given local network
|
||
# ---
|
||
|
||
echononl "\tAllow extern network from given local network"
|
||
|
||
if [[ ${#allow_local_net_to_ext_net_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces ; then
|
||
|
||
for _val in ${allow_local_net_to_ext_net_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
$ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d ${_val_arr[1]} -s ${_val_arr[0]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -d ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Separate local networks
|
||
# ---
|
||
|
||
echononl "\tSeparate local networks.."
|
||
if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||
for _net in ${separate_local_network_arr[@]}; do
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -o $_dev -p all -s $_net -j DROP
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Separate local interfaces
|
||
# ---
|
||
|
||
echononl "\tSeparate local interfaces.."
|
||
if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||
for _dev_1 in ${separate_local_if_arr[@]}; do
|
||
for _dev_2 in ${local_if_arr[@]} ; do
|
||
[[ "$_dev_1" = "$_dev_2" ]] && continue
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p all -j DROP
|
||
$ip6t -A FORWARD -i $_dev_2 -o $_dev_1 -p all -j DROP
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Permit all traffic between local networks
|
||
# ---
|
||
|
||
echononl "\tPermit all traffic between local networks.."
|
||
if $kernel_forward_between_interfaces ; then
|
||
if $permit_between_local_networks ; then
|
||
for _dev_1 in ${local_if_arr[@]} ; do
|
||
for _dev_2 in ${local_if_arr[@]} ; do
|
||
|
||
# - Notice:
|
||
# - In case of routing multiple netwoks on the same interface or
|
||
# - using alias interfaces like eth0:0, you need a rule with
|
||
# - incomming- and outgoing interface are equal!
|
||
# -
|
||
# - So DON'T add statement like this:
|
||
# - [[ "$_dev_2" = "$_dev_1" ]] && continue
|
||
# -
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# -------------
|
||
# --- Services
|
||
# -------------
|
||
|
||
echo
|
||
if $terminal ; then
|
||
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
|
||
else
|
||
echo "Add Rules for Services.."
|
||
fi
|
||
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
|
||
|
||
|
||
# ---
|
||
# - IPv4 over IPv6
|
||
# ---
|
||
|
||
|
||
# ---
|
||
# - DHCP
|
||
# ---
|
||
|
||
echononl "\t\tLocal DHCP Client"
|
||
|
||
if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then
|
||
for _dev in ${dhcp_client_interfaces_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p udp -m udp --dport 546 -j ACCEPT
|
||
$ip6t -A OUTPUT -o $_dev -p udp -m udp --dport 547 -j ACCEPT
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
echononl "\t\tDHCP Service (local network only)"
|
||
|
||
if $local_dhcp_service ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
|
||
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
|
||
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
||
$ip6t -A INPUT -i $_dev -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
|
||
|
||
$ip6t -A INPUT -p udp -i $_dev --sport 546 --dport 547 -j ACCEPT
|
||
$ip6t -A OUTPUT -p udp -o $_dev --sport 547 --dport 546 -j ACCEPT
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - DHCP Failover
|
||
# ---
|
||
|
||
echononl "\t\tDHCP Failover Server"
|
||
if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${dhcp_failover_server_ip_arr[@]} ; do
|
||
$ip6t -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - DNS out only
|
||
# ---
|
||
|
||
echononl "\t\tDNS out only"
|
||
|
||
# - Nameservers on the INET must be reachable for the local recursiv nameserver
|
||
# - but also for all others
|
||
# -
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
# - out from local and virtual mashine(s)
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
# - forward from virtual mashine(s)
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
|
||
|
||
# ---
|
||
# - DNS Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tDNS Service Gateway"
|
||
|
||
# - Local Nameservice
|
||
# -
|
||
if $local_dns_service ; then
|
||
|
||
# dns requests
|
||
#
|
||
# Note:
|
||
# If the total size of the DNS record is larger than 512 bytes,
|
||
# it will be sent over TCP, not UDP.
|
||
#
|
||
|
||
# - Allow requests from local networks
|
||
# -
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
# - in
|
||
$ip6t -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
# - Zonetransfere (uses tcp/53)
|
||
#
|
||
for _ip in ${dns_server_ips[@]} ; do
|
||
# - out
|
||
# -
|
||
# - local master (here) gets request for a zone from slave ($_ip)
|
||
$ip6t -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - in
|
||
# -
|
||
# - local slave (here) requests zone from master ($_ip)
|
||
$ip6t -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - DNS Services at local Network
|
||
# ---
|
||
|
||
echononl "\t\tDNS Service local Network"
|
||
|
||
# - Make nameservers at the local network area rechable for all
|
||
# -
|
||
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
|
||
|
||
# dns requests
|
||
#
|
||
# Note:
|
||
# If the total size of the DNS record is larger than 512 bytes,
|
||
# it will be sent over TCP, not UDP.
|
||
#
|
||
|
||
for _ip in ${dns_server_ip_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - SSH out only
|
||
# ---
|
||
|
||
echononl "\t\tSSH out only"
|
||
|
||
if $allow_ssh_request_out && ! $permit_local_net_to_inet ; then
|
||
# - Provide SSH to everywhere (also LAN)
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - SSH Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tSSH Service Gateway (also from WAN)"
|
||
|
||
if $local_ssh_service ; then
|
||
# - Provides SSH in from everywhere
|
||
for _port in ${ssh_port_arr[@]} ; do
|
||
$ip6t -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - SSH Services only local Network
|
||
# ---
|
||
|
||
echononl "\t\tSSH Services only local Network"
|
||
|
||
if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
|
||
for _port in ${ssh_port_arr[@]} ; do
|
||
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - SSH Services DMZ
|
||
# ---
|
||
|
||
echononl "\t\tSSH Services DMZ"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
|
||
for _ip in "${!ssh_server_dmz_arr[@]}"; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${ssh_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
for _port in ${ssh_port_arr[@]} ; do
|
||
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
if $kernel_forward_between_interfaces ; then
|
||
|
||
$ip6t -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
|
||
# - From intern
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
for _port in ${ssh_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
done
|
||
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - SSH Service between local Netwotks
|
||
# ---
|
||
|
||
echononl "\t\tSSH Service between local Netwotks"
|
||
if $allow_ssh_between_local_nets ; then
|
||
if $kernel_forward_between_interfaces ; then
|
||
for _dev_1 in ${local_if_arr[@]} ; do
|
||
|
||
for _port in ${ssh_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev_1 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
for _dev_2 in ${local_if_arr[@]} ; do
|
||
|
||
if ! $permit_between_local_networks ; then
|
||
# - Notice:
|
||
# - In case of routing multiple netwoks on the same interface or
|
||
# - using alias interfaces like eth0:0, you need a rule with
|
||
# - incomming- and outgoing interface are equal!
|
||
# -
|
||
# - So DON'T add statement like this:
|
||
# - [[ "$_dev_2" = "$_dev_1" ]] && continue
|
||
# -
|
||
for _port in ${ssh_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
|
||
for _port in ${ssh_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
done
|
||
fi
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Cisco kompartibles VPN (FRITZ!Box)
|
||
# ---
|
||
|
||
echononl "\t\tCisco VPN Service (FRITZ\!Box) only out"
|
||
|
||
if $allow_cisco_vpn_out && [[ ${#cisco_vpn_out_port_arr[@]} -gt 0 ]]; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
for _port in ${cisco_vpn_out_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
|
||
for _vpn_if in ${vpn_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - VPN Service only out
|
||
# ---
|
||
|
||
echononl "\t\tVPN Service only out"
|
||
|
||
if $allow_vpn_out && [[ ${#vpn_out_port_arr[@]} -gt 0 ]]; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
for _port in ${vpn_out_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
|
||
for _vpn_if in ${vpn_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - VPN Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tVPN Service Gateway"
|
||
|
||
if $local_vpn_service ; then
|
||
|
||
# - Cconnection establishment
|
||
# -
|
||
for _port in ${vpn_gw_port_arr[@]} ; do
|
||
$ip6t -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
echo_done
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - VPN Service DMZ
|
||
# ---
|
||
|
||
echononl "\t\tVPN Service DMZ"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||
for _ip in ${!vpn_server_dmz_arr[@]} ; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${vpn_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
for _port in ${vpn_local_net_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - HTTP(S) OUT
|
||
# ---
|
||
|
||
echononl "\t\tHTTP(S) out only"
|
||
|
||
if $allow_http_request_out && ! $permit_local_net_to_inet ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - HTTP(S) (local) Webserver
|
||
# ---
|
||
|
||
echononl "\t\tHTTP(S) Services Gateway"
|
||
# - Access to the local Webservice
|
||
if $local_http_service ; then
|
||
$ip6t -A INPUT -p tcp -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - HTTP(S) Services only local Network
|
||
# ---
|
||
|
||
echononl "\t\tHTTP(S) Services only local Network"
|
||
# - Access to the Webservices (LAN)
|
||
if [[ ${#http_server_only_local_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${http_server_only_local_ip_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - HTTP(S) Services DMZ
|
||
# ---
|
||
|
||
echononl "\t\tHTTP(S) Services DMZ"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
|
||
http_port_arr=(${http_ports//,/ })
|
||
for _ip in "${!http_server_dmz_arr[@]}"; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${http_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
for _port in ${http_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - HTTPS Services DMZ (only port 443)
|
||
# ---
|
||
|
||
echononl "\t\tHTTPS Services DMZ (only port $standard_https_port)"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
|
||
for _ip in "${!http_ssl_server_dmz_arr[@]}"; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${http_ssl_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - From extern
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -t filter -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
|
||
fi
|
||
|
||
# - From intern
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Mail Service SMTP only out
|
||
# ---
|
||
|
||
echononl "\t\tMail Services SMTP only out"
|
||
|
||
if $allow_smtp_request_out && ! $permit_local_net_to_inet ; then
|
||
# - Provide SMTP out for all to WAN
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - SMTP (Relay) Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tSMTP (Relay) Service Gateway (only on local network)"
|
||
if $local_smtp_service ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A INPUT -p tcp -i $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Mail User Services smtps/pop(s)/imap(s) only out
|
||
# ---
|
||
|
||
echononl "\t\tMail Services smtps/pop(s)/imap(s) only out"
|
||
|
||
if $allow_mail_request_out && ! $permit_local_net_to_inet ; then
|
||
# - Provide using Mailservices (WAN) from whole LAN
|
||
# -
|
||
# - Not needed from local machine. But for testing pupose (i.e. telnet <port>)
|
||
# -
|
||
# -
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
if $provide_mailservice_from_local ; then
|
||
# - Note!
|
||
# - this provides access both to LAN and WAN
|
||
$ip6t -A OUTPUT -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Mail Service SMTP only local Networks
|
||
# ---
|
||
|
||
echononl "\t\tMail Service SMTP only local Networks"
|
||
if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${mail_server_only_local_ip_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
echo_done
|
||
done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Mail Services smtps/pop(s)/imap(s) only local Networks
|
||
# ---
|
||
|
||
echononl "\t\tMail Services smtps/pop(s)/imap(s) only local Networks"
|
||
|
||
if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]]; then
|
||
for _ip in ${mail_server_only_local_ip_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Mail Server DMZ
|
||
# ---
|
||
|
||
echononl "\t\tMail Server DMZ"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
|
||
mail_port_arr=(${mail_user_ports//,/ })
|
||
mail_port_arr+=("$mail_smtp_port")
|
||
for _ip in "${!mail_server_dmz_arr[@]}"; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${mail_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
for _port in ${mail_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $standard_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --sports $standard_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - FTP out only
|
||
# ---
|
||
|
||
echononl "\t\tFTP out only"
|
||
|
||
if $allow_ftp_request_out ; then
|
||
|
||
# - Used for different ftp6data recent lists 'ftp6data_$i'
|
||
# -
|
||
declare -i i=1
|
||
|
||
# - (Re)define helper
|
||
# -
|
||
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
|
||
fi
|
||
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
|
||
# - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'.
|
||
# -
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
|
||
-m recent --name ftp6data_$i --rdest --set -j ACCEPT
|
||
|
||
# - (2)
|
||
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update)
|
||
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||
# -
|
||
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
|
||
# -
|
||
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
|
||
# -
|
||
$ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
|
||
-m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT
|
||
|
||
((i++))
|
||
|
||
# - Accept (helper ftp) related connections
|
||
# -
|
||
$ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
||
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
|
||
# =====
|
||
# -
|
||
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
||
# - ======================================================
|
||
# -
|
||
# - Workaround:
|
||
# - (1) add (!) desitnatin ip to a 'recent list' named 'ftp6data_$i! if ftp control connections appear
|
||
# - (2) accept packets of the formaly created recent list 'ftp6data_$i!
|
||
# -
|
||
# - Note:
|
||
# - Use flag '--rdest' to match destination address
|
||
# -
|
||
# =====
|
||
|
||
# - (1)
|
||
# -
|
||
# - Open FTP connection and add the destination ip (--rdest) to ftp6data recent list 'ftp6data_$i'.
|
||
# -
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW \
|
||
-m recent --name ftp6data_$i --rdest --set -j ACCEPT
|
||
|
||
# - (2)
|
||
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftp6data_$i' list (--update)
|
||
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||
# -
|
||
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
|
||
# -
|
||
# - - Entries in the ftp6data list not seen in the last 1800 will be removed (--reap).
|
||
# -
|
||
$ip6t -A FORWARD -o $_dev -p tcp -m state --state NEW --dport 1024: \
|
||
-m recent --name ftp6data_$i --rdest --update --seconds 1800 --reap -j ACCEPT
|
||
|
||
((i++))
|
||
|
||
|
||
# - Accept (helper ftp) related connections
|
||
# -
|
||
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
|
||
$ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -i $_dev -p tcp --dport 1024: -j ACCEPT
|
||
|
||
fi
|
||
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
#if $allow_ftp_request_out ; then
|
||
# for _dev in ${ext_if_arr[@]} ; do
|
||
# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||
# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
|
||
# # - Allow active FTP connections from local network
|
||
# # -
|
||
# #$ip6t -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
|
||
# if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||
# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
|
||
# fi
|
||
# # - Allow active FTP connections from local network
|
||
# # -
|
||
# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
|
||
# done
|
||
#
|
||
# echo_done
|
||
#else
|
||
# echo_done
|
||
#fi
|
||
|
||
|
||
# ---
|
||
# - FTP Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tFTP Service Gateway"
|
||
|
||
if $local_ftp_service ; then
|
||
|
||
# =====
|
||
# -
|
||
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
||
# - ======================================================
|
||
# -
|
||
# - Workaround:
|
||
# - (1) add source ip to a 'recent list' named 'ftp6service! if ftp control connections appear
|
||
# - (2) accept packets of the formaly created recent list 'ftp6service!
|
||
# -
|
||
# =====
|
||
|
||
# - (Re)define helper
|
||
# -
|
||
# - !! Note: !!
|
||
# - for both, local FTP server (ftp_server_ip_arr)
|
||
# - and forward to (extern) FTP server (forward_ftp_server_ip_arr)
|
||
# -
|
||
$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
|
||
|
||
# - (1)
|
||
# -
|
||
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftp6service'.
|
||
# -
|
||
$ip6t -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftp6service --set -j ACCEPT
|
||
|
||
# - (2)
|
||
# - - Accept packets if the source ip-address is in the 'ftp6service' list (--update) and the
|
||
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
|
||
# -
|
||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||
# -
|
||
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||
# -
|
||
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: --dport $ftp_passive_port_range \
|
||
-m recent --name ftp6service --update --seconds 1800 --reap -j ACCEPT
|
||
|
||
# - Accept (helper ftp) related connections
|
||
# -
|
||
$ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - FTP Services only local Network
|
||
# ---
|
||
|
||
echononl "\t\tFTP Service local Networks"
|
||
if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||
for _ip in ${ftp_server_only_local_ip_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
if ! $permit_between_local_networks ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
|
||
if $local_alias_interfaces ; then
|
||
# - Control Port
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
|
||
# - Data Port activ
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
|
||
# - Data Port passiv
|
||
$ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - FTP Services DMZ
|
||
# ---
|
||
|
||
echononl "\t\tFTP Service DMZ"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then
|
||
IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}"
|
||
for _ip in "${!ftp_server_dmz_arr[@]}"; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - From extern
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
|
||
# - From intern
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
|
||
# - Control Port
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
|
||
# - Data Port activ
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
|
||
# - Data Port passiv
|
||
$ip6t -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT
|
||
|
||
fi
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - TFTF Service out only
|
||
# ---
|
||
|
||
echononl "\t\tTFTF Service out only"
|
||
|
||
if $allow_tftp_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - TFTP Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tTFTF Service Gateway"
|
||
|
||
if $local_tftp_service ; then
|
||
$ip6t -A INPUT -p udp --dport $tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Samba Service only out
|
||
# ---
|
||
|
||
echononl "\t\tSamba Service only out"
|
||
|
||
if $allow_samba_requests_out && ! $permit_local_net_to_inet ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
|
||
for _port in ${samba_udp_ports[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${samba_tcp_ports[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
if $kernel_forward_between_interfaces ; then
|
||
|
||
for _port in ${samba_udp_ports[@]} ; do
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${samba_tcp_ports[@]} ; do
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# ---
|
||
# - Samba Service Gateway (only for local Networks)
|
||
# ---
|
||
|
||
echononl "\t\tSamba Service Gateway (only for local Networks)"
|
||
|
||
if $local_samba_service ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
for _port in ${samba_udp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${samba_tcp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Samba Service only between local Networks
|
||
# ---
|
||
|
||
echononl "\t\tSamba Service only local Networks"
|
||
|
||
if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
for _ip in ${samba_server_local_ip_arr[@]} ; do
|
||
for _port in ${samba_udp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${samba_tcp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
if $kernel_forward_between_interfaces && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then
|
||
for _port in ${samba_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${samba_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
for _port in ${samba_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
done
|
||
fi
|
||
fi
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Samba Service DMZ
|
||
# ---
|
||
|
||
echononl "\t\tSamba Service DMZ"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
|
||
for _ip in "${!samba_server_dmz_arr[@]}"; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${samba_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
# - From extern
|
||
if $kernel_forward_between_interfaces ; then
|
||
for _port in ${samba_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${samba_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - From intern
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
for _port in ${samba_udp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
for _port in ${samba_tcp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
for _port in ${samba_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - LDAP and LDAP SSL Service Gateway (only for local Networks)
|
||
# ---
|
||
|
||
echononl "\t\tLDAP(S) Service Gateway (only for local Networks)"
|
||
|
||
if $local_ldap_service ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
for _port in ${ldap_udp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ldap_tcp_port_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - LDAP and LDAP SSL Service only between local Networks
|
||
# ---
|
||
|
||
echononl "\t\tLDAP(S) Service only local Networks"
|
||
|
||
if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
for _ip in ${ldap_server_local_ip_arr[@]} ; do
|
||
for _port in ${ldap_udp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ldap_tcp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
if $kernel_forward_between_interfaces && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then
|
||
for _port in ${ldap_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ldap_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
for _port in ${ldap_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
done
|
||
fi
|
||
fi
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - NTP out only
|
||
# ---
|
||
|
||
echononl "\t\tNTP Service out only"
|
||
|
||
if $allow_ntp_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - NTP Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tNTP Service Gateway"
|
||
if $local_ntp_service ; then
|
||
if ! $allow_ntp_request_out ; then
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
$ip6t -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Timeserver (Port 37 NOT NTP!)"
|
||
# ---
|
||
|
||
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
|
||
|
||
if $allow_timeserver_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - PGP Keyserver out only
|
||
# ---
|
||
|
||
echononl "\t\tPGP Keyserver out only"
|
||
|
||
if $allow_pgpserver_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Telnet
|
||
# ---
|
||
|
||
echononl "\t\tTelnet (only OUT)"
|
||
|
||
if $allow_telnet_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Whois out only
|
||
# ---
|
||
|
||
echononl "\t\tWhois out only"
|
||
|
||
if $allow_whois_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - CPAN Wait only out
|
||
# ---
|
||
|
||
# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
|
||
# - a WAIT server. It connects to a WAIT server using a simple protocoll
|
||
# - resembling NNTP as described in RFC977.
|
||
|
||
echononl "\t\tCPAN Wait only out"
|
||
|
||
if $allow_cpan_wait_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - HBCI only out (only forward)
|
||
# ---
|
||
|
||
echononl "\t\tHBCI only out (only forward)"
|
||
|
||
if $allow_hbci_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Jabber only out
|
||
# ---
|
||
|
||
echononl "\t\tJabber only out"
|
||
|
||
if $allow_jabber_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Silc only out
|
||
# ---
|
||
|
||
echononl "\t\tSilc only out"
|
||
|
||
if $allow_silc_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - IRC (Internet Relay Chat) only out
|
||
# ---
|
||
|
||
echononl "\t\tIRC only out"
|
||
|
||
if $allow_irc_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -o $_dev --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - MySQL
|
||
# ---
|
||
|
||
echononl "\t\tMySQL (only OUT)"
|
||
|
||
if $allow_mysql_request_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - CUPS only between local Networks (IPP Port 631)
|
||
# ---
|
||
|
||
echononl "\t\tCUPS/IPP (Port 631) only between local Networks"
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
|
||
for _local_dev_1 in ${local_if_arr[@]} ; do
|
||
for _local_dev_2 in ${local_if_arr[@]} ; do
|
||
if ! $local_alias_interfaces ; then
|
||
[[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
|
||
fi
|
||
$ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Druck Port 9100 (RAW) only out between local Networks
|
||
# ---
|
||
|
||
echononl "\t\tDruck Port 9100 only between local Networks"
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
|
||
for _local_dev_1 in ${local_if_arr[@]} ; do
|
||
for _local_dev_2 in ${local_if_arr[@]} ; do
|
||
if ! $local_alias_interfaces ; then
|
||
[[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
|
||
fi
|
||
$ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Druck LPD (Port 515) only out between local Networks
|
||
# ---
|
||
|
||
echononl "\t\tDruck LPD (Port 515) only between local Networks"
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
|
||
for _local_dev_1 in ${local_if_arr[@]} ; do
|
||
for _local_dev_2 in ${local_if_arr[@]} ; do
|
||
if ! $local_alias_interfaces ; then
|
||
[[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
|
||
fi
|
||
$ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Printer
|
||
# ---
|
||
|
||
echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks"
|
||
if [[ ${#printer_ip_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces \
|
||
&& ! $permit_between_local_networks \
|
||
&& ! $allow_printing_between_local_nets ; then
|
||
for _ip in ${printer_ip_arr[@]} ; do
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ipp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
|
||
|
||
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT
|
||
|
||
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Scanner
|
||
# ---
|
||
|
||
echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks"
|
||
|
||
if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces \
|
||
&& ! $permit_between_local_networks \
|
||
&& $allow_scanning_between_local_nets ; then
|
||
for _ip in ${brother_scanner_ip_arr[@]} ; do
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
# - UDP
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT
|
||
# - TCP
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp -d $_ip --dport $brscan_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $brscan_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Other local Services
|
||
# ---
|
||
|
||
echononl "\t\tOther local Services"
|
||
|
||
if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||
for _val in ${other_service_arr[@]} ; do
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces && [[ "${_val_arr[2]}" = "tcp" ]] ; then
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -o $_dev -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
done
|
||
echo_ok
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Rsync only Out Gateway
|
||
# ---
|
||
|
||
echononl "\t\tRsync (only OUT) Gateway"
|
||
|
||
if $local_rsync_out ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
for _port in ${rsync_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Rsync only Out from given local machines
|
||
# ---
|
||
|
||
echononl "\t\tRsync Out from given local machines"
|
||
|
||
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces $$ ! $permit_local_net_to_inet; then
|
||
for _port in ${rsync_port_arr[@]} ; do
|
||
for _ip in ${rsync_out_ip_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - SNMP Services local Networks
|
||
# ---
|
||
|
||
echononl "\t\tSNMP Services local Networks"
|
||
|
||
if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${snmp_server_ip_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p udp -s $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - WakeOnLan only out into local Networks
|
||
# ---
|
||
|
||
echononl "\t\tWakeOnLan only out into local Networks"
|
||
$ip6t -A OUTPUT -p udp --dport 9 -j ACCEPT
|
||
echo_done
|
||
|
||
|
||
# ---
|
||
# - NFS Service (portmapper, mountd, nfs)
|
||
# ---
|
||
|
||
if $terminal; then
|
||
echononl "\t\tNFS Service\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
|
||
echo -e "\033[75G[ \033[37mskipped\033[m ]"
|
||
|
||
echononl "\t\tVoIP\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
|
||
echo -e "\033[75G[ \033[37mskipped\033[m ]"
|
||
|
||
echononl "\t\tSip\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
|
||
echo -e "\033[75G[ \033[37mskipped\033[m ]"
|
||
|
||
echononl "\t\tSkype\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -"
|
||
echo -e "\033[75G[ \033[37mskipped\033[m ]"
|
||
else
|
||
echo "NFS Service - Not yet implemented"
|
||
echo "VoIP - Not yet implemented"
|
||
echo "Sip - Not yet implemented"
|
||
echo "Skype - Not yet implemented"
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - PowerChute Network Shutdown local Network
|
||
# ---
|
||
|
||
echononl "\t\tPowerChute Network Shutdown local Network"
|
||
|
||
if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then
|
||
|
||
for _ip in ${pcns_server_ip_arr[@]} ; do
|
||
if containsElement "$_ip" "${gateway_ipv6_address_arr[@]}" ; then
|
||
$ip6t -A OUTPUT -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
$ip6t -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Ubiquiti Unifi Controller (Accesspoints) Gateway
|
||
# ---
|
||
|
||
|
||
echononl "\t\tUbiquiti Unifi Controller Gateway"
|
||
if $local_unifi_controller_service ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
$ip6t -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs"
|
||
if $local_unifi_controller_service ; then
|
||
|
||
if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then
|
||
|
||
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
|
||
|
||
$ip6t -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
warn "Local Unifi Controller is defined, but no Unifi APs!"
|
||
fi
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Ubiquiti Unifi Controller (Accesspoints) local Network
|
||
# ---
|
||
|
||
echononl "\t\tUbiquiti Unifi Controller (Accesspoints) local Network"
|
||
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
|
||
&& $kernel_forward_between_interfaces \
|
||
&& ! $permit_between_local_networks ; then
|
||
|
||
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
$ip6t -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
# - Note:
|
||
# - If (local) alias interfaces like eth1:0 in use, youe need a further
|
||
# - special rule.
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - IPMI Tools (e.g. IPMIView) only out
|
||
# ---
|
||
|
||
echononl "\t\tIPMI Tools (e.g. IPMIView) only out"
|
||
|
||
if $allow_ipmi_request_out && ! $permit_local_net_to_inet ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
|
||
for _port in ${ipmi_udp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ipmi_tcp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
if $kernel_forward_between_interfaces ; then
|
||
|
||
for _port in ${ipmi_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ipmi_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - IPMI Tools (e.g. IPMIView) local Networks
|
||
# ---
|
||
|
||
echononl "\t\tIPMI Tools (e.g. IPMIView) local Networks"
|
||
|
||
if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then
|
||
for _ip in ${ipmi_server_ip_arr[@]} ; do
|
||
|
||
for _port in ${ipmi_udp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ipmi_tcp_port_arr[@]} ; do
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _port in ${ipmi_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ipmi_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
for _port in ${ipmi_udp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
for _port in ${ipmi_tcp_port_arr[@]} ; do
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
|
||
done
|
||
fi
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Remote Console (VNC) only out
|
||
# ---
|
||
|
||
echononl "\t\tRemote Console (VNC) only out"
|
||
|
||
if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Remote Console (VNC) local Networks
|
||
# ---
|
||
|
||
echononl "\t\tRemote Console (VNC) local Networks"
|
||
|
||
|
||
if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then
|
||
for _ip in ${rm_server_ip_arr[@]} ; do
|
||
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Remote Console (VNC) DMZ
|
||
# ---
|
||
|
||
echononl "\t\tRemote Console (VNC) DMZ"
|
||
unset no_if_for_ip_arr
|
||
declare -a no_if_for_ip_arr
|
||
|
||
if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${!rm_server_dmz_arr[@]} ; do
|
||
|
||
# - Skip if no interface is given
|
||
# -
|
||
if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then
|
||
no_if_for_ip_arr+=("$_ip")
|
||
continue
|
||
fi
|
||
|
||
# - From Gateway
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
if $kernel_forward_between_interfaces ; then
|
||
|
||
# - From extern
|
||
$ip6t -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# - From intern
|
||
if ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
fi
|
||
done
|
||
|
||
if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
|
||
echo_warning
|
||
for _ip in ${no_if_for_ip_arr[@]} ; do
|
||
warn "No Interface given for ip '$_ip'"
|
||
done
|
||
else
|
||
echo_done
|
||
fi
|
||
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Munin Service Gateway
|
||
# ---
|
||
|
||
echononl "\t\tMunin Service Gateway"
|
||
|
||
if $local_munin_server ; then
|
||
|
||
if $provide_munin_service_to_inet ; then
|
||
# - Provide Service for local and extern networks
|
||
# -
|
||
$ip6t -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
|
||
else
|
||
# - Provide Service only for for local network
|
||
# -
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Munin Service local Networks
|
||
# ---
|
||
|
||
echononl "\t\tMunin Service local Networks"
|
||
if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${munin_local_server_ip_arr[@]} ; do
|
||
$ip6t -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
if ! $permit_between_local_networks ; then
|
||
$ip6t -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
fi
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Munin remote Server
|
||
# ---
|
||
|
||
echononl "\t\tMunin remote Server"
|
||
|
||
if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then
|
||
|
||
for _ip in ${!munin_local_client_ip_arr[@]} ; do
|
||
if containsElement "$_ip" "${gateway_ipv6_address_arr[@]}" ; then
|
||
$ip6t -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
|
||
elif $kernel_forward_between_interfaces ; then
|
||
$ip6t -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port
|
||
$ip6t -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - XyMon local service
|
||
# ---
|
||
|
||
echononl "\t\tXyMon Service Gateway"
|
||
|
||
if $local_xymon_server ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A INPUT -i $_dev -p tcp --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - XyMon Service Intranet
|
||
# ---
|
||
|
||
echononl "\t\tXyMon Service Intranet"
|
||
|
||
if [[ ${#xymon_server_ip_arr[@]} -gt 0 ]] ; then
|
||
for _ip in ${xymon_server_ip_arr[@]} ; do
|
||
if $local_xymon_client ; then
|
||
$ip6t -A OUTPUT -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
|
||
fi
|
||
if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
|
||
for _dev in ${local_if_arr[@]} ; do
|
||
$ip6t -A FORWARD -i $_dev -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT
|
||
done
|
||
fi
|
||
|
||
# - Rule is needed if (local) interface aliases in use (like eth0:1)
|
||
# -
|
||
if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
|
||
$ip6t -A FORWARD -p tcp -d $_ip --dport $xymon_port --tcp-flag ACK ACK -j ACCEPT
|
||
$ip6t -A FORWARD -p tcp -s $_ip --sport $xymon_port --tcp-flag ACK ACK -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
|
||
# -------------
|
||
# --- Portforwarding
|
||
# -------------
|
||
|
||
# ---
|
||
# - Portforwarding TCP
|
||
# ---
|
||
|
||
echo
|
||
echononl "\tPortforwarding TCP"
|
||
|
||
if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||
for _val in "${portforward_tcp_arr[@]}" ; do
|
||
|
||
# - Split value
|
||
# -
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
|
||
# - DNAT
|
||
# -
|
||
if [[ "${_val_arr[1]}" = "${_val_arr[3]}" ]] ; then
|
||
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination ${_val_arr[2]}
|
||
else
|
||
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination [${_val_arr[2]}]:${_val_arr[3]}
|
||
fi
|
||
|
||
# - Allow Packets
|
||
# -
|
||
$ip6t -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - Portforwarding UDP
|
||
# ---
|
||
|
||
echononl "\tPortforwarding UDP"
|
||
|
||
if [[ ${#portforward_udp_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||
for _val in "${portforward_udp_arr[@]}" ; do
|
||
|
||
# - Split value
|
||
# -
|
||
IFS=',' read -a _val_arr <<< "${_val}"
|
||
|
||
# - DNAT
|
||
# -
|
||
if [[ "${_val_arr[1]}" = "${_val_arr[3]}" ]] ; then
|
||
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination ${_val_arr[2]}
|
||
else
|
||
$ip6t -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to-destination [${_val_arr[2]}]:${_val_arr[3]}
|
||
fi
|
||
|
||
# - Allow Packets
|
||
# -
|
||
$ip6t -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# ---
|
||
# - UNIX Traceroute
|
||
# ---
|
||
|
||
echo
|
||
echononl "\tUNIX Traceroute"
|
||
|
||
# versendet udp packete im gegensatz zu tracert von windows
|
||
# der icmp-echo-request pakete versendet
|
||
# einige implementierungen von traceroute (linux) erm<72>lichens
|
||
# die option -I und versenden dann ebenfalls icmp-echo-request pakete
|
||
|
||
for _dev in ${ext_if_arr[@]} ; do
|
||
$ip6t -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
|
||
$ip6t -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
|
||
if $kernel_forward_between_interfaces ; then
|
||
$ip6t -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
|
||
$ip6t -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
|
||
fi
|
||
done
|
||
|
||
echo_done
|
||
|
||
|
||
# -------------
|
||
# --- ICMP Traffic (i.e. ping requests)
|
||
# -------------
|
||
|
||
# ---
|
||
# - ICMP is configured above..
|
||
# ---
|
||
|
||
|
||
|
||
# ---
|
||
# - Deny between local networks
|
||
# ---
|
||
|
||
echo
|
||
echononl "\tDeny all traffic between local networks.."
|
||
if $kernel_forward_between_interfaces ; then
|
||
if ! $permit_between_local_networks ; then
|
||
for _dev_1 in ${local_if_arr[@]} ; do
|
||
for _dev_2 in ${local_if_arr[@]} ; do
|
||
if $log_rejected || $log_all ; then
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level
|
||
fi
|
||
$ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP
|
||
done
|
||
done
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# -------------
|
||
# --- Log traffic not matched so far
|
||
# -------------
|
||
echo
|
||
|
||
echononl "\tLog traffic not matched so far.."
|
||
if $log_rejected || $log_all ; then
|
||
$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level
|
||
$ip6t -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
|
||
$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
|
||
#$ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level
|
||
#$ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level
|
||
#$ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level
|
||
echo_done
|
||
else
|
||
echo_skipped
|
||
fi
|
||
|
||
|
||
# -------------
|
||
# --- DROP traffic not matched so far
|
||
# -------------
|
||
echononl "\tDROP traffic not matched so far.."
|
||
|
||
# - drop all other for all interfaces..
|
||
#
|
||
$ip6t -A INPUT -j DROP
|
||
$ip6t -A OUTPUT -j DROP
|
||
$ip6t -A FORWARD -j DROP
|
||
#
|
||
# ---------- Ende: DROP ----------
|
||
|
||
echo_done
|
||
|
||
|
||
# ---
|
||
# - Warning, if no intern (local) interface is configured
|
||
# ---
|
||
|
||
if [[ ${#local_if_arr[@]} -lt 1 ]] ; then
|
||
echo ""
|
||
echo ""
|
||
if $terminal ; then
|
||
echo -e "\t\033[33m\033[1m----------\033[m"
|
||
else
|
||
echo "----------"
|
||
fi
|
||
warn "No local Interface is configured!"
|
||
if $terminal ; then
|
||
echo -e "\t\033[33m\033[1m----------\033[m"
|
||
else
|
||
echo "----------"
|
||
fi
|
||
fi
|
||
|
||
echo
|
||
exit 0
|
||
|