diff --git a/conf/ban_ipv4.list.sample b/conf/ban_ipv4.list.sample new file mode 100644 index 0000000..10b7da3 --- /dev/null +++ b/conf/ban_ipv4.list.sample @@ -0,0 +1,22 @@ +# - IPv4 addresses listet here will be completly banned by the firewall +# - +# - - Line beginning with '#' will be ignored. +# - - Blank lines will be ignored +# - - Only the first entry (until space sign or end of line) of each line will be considered. +# - +# - Valid values are: +# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32) +# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24) +# - network/nn CIDR notation like 1.2.3.0/27 +# - network/netmask notaions like 1.2.3.0/255.255.255.0 +# - network/partial_netmask like 1.2.3.4/255 +# - +# - Note: +# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored +# - +# - Example: +# - 79.171.81.0/24 +# - 79.171.81.0/255.255.255.0 +# - 79.171.81.0/255.255.255 +# - 79.171.81 + diff --git a/conf/ban_ipv6.list.sample b/conf/ban_ipv6.list.sample new file mode 100644 index 0000000..bbc3a73 --- /dev/null +++ b/conf/ban_ipv6.list.sample @@ -0,0 +1,20 @@ +# - IPv6 addresses listet here will be completly banned by the firewall +# - +# - - Line beginning with '#' will be ignored. +# - - Blank lines will be ignored +# - - Only the first entry (until space sign or end of line) of each line will be considered. +# - +# - Valid values are: +# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c +# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56 +# - +# - +# - Note: +# - - If no mask is given mask will be set to '64' +# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored +# - +# - Example: +# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c +# - 2a01:30:0:13:5054:ff::1 +# - 2a01:30:0:13:5054:ff::1/56 + diff --git a/conf/default_ports.conf b/conf/default_ports.conf new file mode 100644 index 0000000..344eb49 --- /dev/null +++ b/conf/default_ports.conf 
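Review bot: The comment in ban_ipv4.list.sample saying a complete address like 1.2.3.4 `will be converted to 1.2.3.0/32` describes a conversion that would ban a different host than the one listed, since a /32 must keep all four octets; either the wording is wrong or the converter (not in this commit) is, and it is worth checking which before this template ships. If the converter is correct, change the line to `# -   complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.4/32)`. The IPv6 sample's note that a bare address gets mask '64' means listing one host bans its whole /64, which is a surprising enough default to state plainly, e.g. `# - - a bare address is banned as the whole /64 it belongs to`. Both files are user-facing templates, so the spellings 'listet', 'completly', 'adresses' and 'notaions' should also be fixed.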
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
diff --git a/conf/include_functions.conf b/conf/include_functions.conf
new file mode 100644
index 0000000..8c82067
--- /dev/null
+++ b/conf/include_functions.conf
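Review bot: `vpn_ports="1194 1195"` is blank-separated while every other port list in this file (`http_ports`, `mail_user_ports`) is comma-separated and `ssh_ports` is explicitly documented as a comma separated list; whichever consumer splits these values will presumably handle one of the two formats wrongly. If commas are intended, change it to `vpn_ports="1194,1195"` and add `# - comma separated list` above it; if blanks are intended, say so in the comment, because the same definition is repeated verbatim in main_ipv4.conf.sample. `xymon_port=1984` is the only unquoted value in the file; quoting it keeps the template uniform.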
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# -------------
+# --- Some functions
+# -------------
+
+echononl(){
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+}
+echo_done() {
+ echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+ echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+ echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+ echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+ echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+
+fatal (){
+ echo ""
+ echo -e "fatal Error: $*"
+ echo ""
+ echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+ echo ""
+ exit 1
+}
+
+error(){
+ echo ""
+ echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+ echo ""
+}
+
+warn (){
+ echo ""
+ echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+ echo ""
+}
+
+info (){
+ echo ""
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+ local e
+ for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+ return 1
+}
+
+
diff --git a/conf/interfaces_ipv4.conf.sample b/conf/interfaces_ipv4.conf.sample
new file mode 100644
index 0000000..021334f
--- /dev/null
+++ b/conf/interfaces_ipv4.conf.sample
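Review bot: `echononl` writes a probe file to the predictable path `/tmp/shprompt$$`, reads it back and removes it; for a helper that runs as root while loading firewall rules, a world-writable directory plus a PID-guessable name is the classic pre-creation/symlink race, and `rm /tmp/shprompt$$` would follow whatever is already there. The whole echo-capability probe can be replaced by a single `printf '%s' "$*" >&2`, which needs no temp file and no `-e`/`\c` portability check. Note also that `error()` labels its message `Fehler` while `warn`, `info` and `fatal` use English labels, and that `fatal`, `error`, `warn` and `info` print diagnostics to stdout rather than `>&2`, so they land in any captured output of the calling script.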
@@ -0,0 +1,50 @@ +#!/usr/bin/env bash + + +# ------------- +# --- Network Interfaces +# ------------- + +# - External interface(s) +# +ext_if_1="" +ext_if_2="" +ext_if_3="" + +ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3" + + +# - VPN Interfaces +# - (comma separated list) +vpn_ifs="" + +# - Local Interfaces +local_if_1="" +local_if_2="" +local_if_3="" + +local_ifs="$local_if_1 $local_if_2 $local_if_3" + + +# ------------- +# --- Network Interfaces +# ------------- + +# - Extern IP Addresses on this Host +# - +# NOT IN USE +ext_1_ip="" +# NOT IN USE +ext_2_ip="" +# NOT IN USE +ext_3_ip="" + +ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip" + +# NOT IN USE +local_1_ip="" +# NOT IN USE +local_2_ip="" +# NOT IN USE +local_2_ip="" + diff --git a/conf/interfaces_ipv6.conf.sample b/conf/interfaces_ipv6.conf.sample new file mode 100644 index 0000000..082fa5b --- /dev/null +++ b/conf/interfaces_ipv6.conf.sample @@ -0,0 +1,49 @@ +#!/usr/bin/env bash + + +# ------------- +# --- Network Interfaces +# ------------- + +# - External interface(s) +# +ext_if_1="" +ext_if_2="" +ext_if_3="" + +ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3" + + +# - VPN Interfaces +# - (comma separated list) +vpn_ifs="" + +# - Local Interfaces +local_if_1="" +local_if_2="" +local_if_3="" + +local_ifs="$local_if_1 $local_if_2 $local_if_3" + + +# ------------- +# --- IP-Addresses +# ------------- + +# - Extern IP Addresses on this Host +# - +# NOT IN USE +ext_1_ip="" +# NOT IN USE +ext_2_ip="" +# NOT IN USE +ext_3_ip="" + +ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip" + +# NOT IN USE +local_1_ip="" +# NOT IN USE +local_2_ip="" +# NOT IN USE +local_2_ip="" diff --git a/conf/load_modules_ipv4.conf b/conf/load_modules_ipv4.conf new file mode 100644 index 0000000..a0dbae9 --- /dev/null +++ b/conf/load_modules_ipv4.conf 
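Review bot: In interfaces_ipv4.conf.sample the last assignment is a second `local_2_ip=""` where the pattern `ext_1_ip`/`ext_2_ip`/`ext_3_ip` and `local_if_3` suggests `local_3_ip=""` was meant; the same duplicate appears in interfaces_ipv6.conf.sample in this commit and again in main_ipv4.conf.sample. As written a third local address can never be configured, and a user who fills in the second copy silently overwrites the first. The second section header in the IPv4 sample also reads `# --- Network Interfaces` where the IPv6 twin says `# --- IP-Addresses`, which looks like a copy-paste slip and should be `# --- IP-Addresses` here too.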
@@ -0,0 +1,59 @@ +# ============= +# - Load Kernel Modules +# ============= + +ip_tables +iptable_nat + +# - Note:! +# - Since Kernel 4.7 the automatic conntrack helper assignment +# - is disabled by default (net.netfilter.nf_conntrack_helper = 0). +# - Enable it by setting this variable in file /etc/sysctl.conf: +# - +# - net.netfilter.nf_conntrack_helper = 1 +# - +# - Reboot or type "sysctl -p" +# - +# - !! But this is NOT the recommend method !! + + +# --- +# - Load module for FTP Connection tracking and NAT +# --- + +# - Once a helper is loaded, it will treat packets for a given port and all IP addresses. +# - As explained before, this is not optimal and is even a security risk. A better +# - solution is to load the module helper and deactivate their parsing by default. Each +# - helper we need to use is then set by using a call to the CT target. +# - +# - Desactivate the automatic conntrack helper assignment: +# - +# - method 1: modprobe nf_conntrack nf_conntrack_helper=0 +# - method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper +# - +# - Note: +# - ===== +# - Each helper we need to use is then set by using a call to the CT target. +# - Example for ftp helper on standardport: +# - +# - ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp +# - +/sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1 + +/sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1 +/sbin/modprobe nf_nat > /dev/null 2>&1 +/sbin/modprobe nf_nat_ftp > /dev/null 2>&1 + +## - Load modules for SIP VOIP +## - +#/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1 +#/sbin/modprobe nf_nat_sip > /dev/null 2>&1 + + +# - Load kernel nf_log modules for IPv4 netfilter userspace logging +# - +# - Note: +# - netfilter userspace logging daemon (ulogd/ulogd2) is required +# - +nf_log +nf_log_ipv4 diff --git a/conf/load_modules_ipv6.conf b/conf/load_modules_ipv6.conf new file mode 100644 index 0000000..2c55689 --- /dev/null +++ b/conf/load_modules_ipv6.conf 
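Review bot: The file mixes bare module names (`ip_tables`, `iptable_nat`, `nf_log`, `nf_log_ipv4`) with executable `/sbin/modprobe ...` lines, so it cannot be both sourced as shell and read as a module list; whichever way the loader (not in this commit) consumes it, one of the two forms will presumably be mishandled, so the format should be documented in the header or made uniform. Every modprobe call also discards its status and output with `> /dev/null 2>&1`, so a missing `nf_conntrack_ftp` or `nf_nat_ftp` goes unnoticed while the FTP rules that depend on the helper are still installed; at minimum append `|| printf 'modprobe nf_conntrack_ftp failed\n' >&2` to each call, or let the caller check the return code. Setting `nf_conntrack_helper=0` is the right default given the explanation above it, but the comment block could say plainly that every helper used must then be enabled per rule with `-j CT --helper`, as the example line already shows.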
@@ -0,0 +1,9 @@
+# =============
+# - Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle
diff --git a/conf/logging_ipv4.conf b/conf/logging_ipv4.conf
new file mode 100644
index 0000000..78875c2
--- /dev/null
+++ b/conf/logging_ipv4.conf
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
+ tag_log_prefix="--nflog-prefix"
+ LOG_TARGET="NFLOG --nflog-group 11"
+else
+ # - Log using the specified syslog level. 7 (debug) is a good choice
+ # - unless you specifically need something else.
+ # -
+ log_level=debug
+ LOG_TARGET="LOG --log-level $log_level"
+ tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv4 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""
diff --git a/conf/logging_ipv6.conf b/conf/logging_ipv6.conf
new file mode 100644
index 0000000..8395f36
--- /dev/null
+++ b/conf/logging_ipv6.conf
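Review bot: `if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then` in logging_ipv4.conf runs the pipeline inside a command substitution and then executes its empty output as the command; the test only works because bash gives an empty command the status of the last substitution, which is fragile and hard to read. Use the pipeline itself as the condition, `if ps -e f | grep -q -E '/usr/sbin/ulogd2?\s'; then`, or `if pgrep -f '^/usr/sbin/ulogd2?( |$)' >/dev/null; then`. The same construct is in logging_ipv6.conf in this commit. `log_level` is assigned only in the else branch while `LOG_TARGET` and `tag_log_prefix` are set on both sides, so anything that reads `log_level` later will find it unset when ulogd is running; moving `log_level=debug` above the `if` avoids that.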
@@ -0,0 +1,49 @@ +#!/usr/bin/env bash + + +# ------------- +# --- Logging +# ------------- + +if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then + tag_log_prefix="--nflog-prefix" + LOG_TARGET="NFLOG --nflog-group 12" +else + # - Log using the specified syslog level. 7 (debug) is a good choice + # - unless you specifically need something else. + # - + log_level=debug + LOG_TARGET="LOG --log-level $log_level" + tag_log_prefix="--log-prefix" +fi + +log_all=false + +log_syn_flood=false +log_fragments=false +log_new_not_sync=false +log_invalid_state=false +log_invalid_flags=false +log_spoofed=false +log_spoofed_out=false +log_to_lo=false +log_not_wanted=false +log_blocked=false +log_unprotected=false +log_prohibited=false +log_voip=false +log_rejected=true + +log_ssh=false + +# - logging messages +# - +log_prefix="[ IPv6 ]" + + +# --- +# - Log all traffic for givven ip address +# --- + +log_ips="" + diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample new file mode 100644 index 0000000..d11044d --- /dev/null +++ b/conf/main_ipv4.conf.sample 
@@ -0,0 +1,494 @@ +#!/usr/bin/env bash + + +## ---------------------------------------------------------------- +## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server +## ---------------------------------------------------------------- + +# ------------- +# --- Prevent bridged traffic getting pushed through the host's iptables rules +# ------------- + +# - Note: Maybe youe have also to activate forwarding +# - +# - Set: kernel_activate_forwarding=true +# - +do_not_firewall_bridged_traffic=false + + +# ------------- +# --- Interfaces completly blocked +# ------------- + +# - Interfaces to block (note: they will all be blocked) +# - +# - Example: eth1 is used for DSL Line, that becomes an extra +# - interface (maybe ppp0). A further use of eth1 (which would +# - be possible) is not configured at time, so you can block it. +# - blocked_ifs="eth1" +# - +blocked_ifs="" + + +# ------------- +# --- Interfaces not firewalled +# ------------- + +# - Note: +# - Can be (for example) an interface, whose (complete) traffic is +# - protected by a firewall on an other system in the local area +# - +unprotected_ifs="" + + +# ------------- +# ---- Allow Forwarding (private) IPs / IP-Ranges +# ------------- + +# - Maybe useful in case of virtual hosts with private addresses or +# - if using a vpn network to forward into private areas. +# - +# - Note: this rules takes affect before rules to protect against +# - unwanted packages e.g. blocking private addresses on +# - externel interfaces. 
+# - +# - Note: you can specify networks using CIDR notation +# - like "192.168.2.0/24" +# - +forward_private_ips="" + + +# ------------- +# --- Define Ports for Services +# ------------- + +# - Web Server Ports +# - +http_ports="80,443" + +# - FTP Servers Passive Portrange +# - +ftp_passive_port_range="50000:50400" + +# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS) +# - +mail_user_ports="587,465,110,995,143,993" + +# - SSH Ports +# - +# - comma separated list +ssh_ports="22" + +# - VPN Service +vpn_ports="1194 1195" + +# - Mumble Server +# - +mumble_ports="64738" + +# - XyMon Service (usually TCP port 1984) +# - +# - NOT YET IMPLEMENTED +# - +xymon_port=1984 + +# - Munin Server Port (usually TCP port 4949) +# - +munin_remote_port="4949" + + +# ------------- +# --- Network Interfaces +# ------------- + +# - Extern IP Addresses on this Host +# - +# NOT IN USE +ext_1_ip="" +# NOT IN USE +ext_2_ip="" +# NOT IN USE +ext_3_ip="" + +ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip" + +# NOT IN USE +local_1_ip="" +# NOT IN USE +local_2_ip="" +# NOT IN USE +local_2_ip="" + +broadcast_ips="" + + +# ------------- +# ---- Restrict local Servive to given (extern) IP-Address/Network +# ------------- + +# - restrict_local_service_to_net +# - +# - restrict_local_service_to_net="ext-net:local-address:port:protocol" +# - +# - Note: +# - ===== +# - - Only 'tcp' and 'udp' are allowed valuse for protocol. +# - - Traffic recieved on natted interfaces will be ommitted! +# - +# - Use this parameter to (only) give some extern netwoks access to special local +# - services. 
+# - +# - Example: +# - allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036 +# - allow access from 86.73.85.0/24 to https service at 83.223.86.98 +# - +# - restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp +# - 86.73.85.0/24:83.223.86.98:443:tcp" +# - +# - Blank separated list +# - +restrict_local_service_to_net="" + + +# ------------- +# ---- Restrict local Network to given extern IP-Address/Network +# ------------- + +# - restrict_local_net_to_net +# - +# - restrict_local_net_to_net=": [:] [..]" +# - +# - All traffic from the given first network to the given second network is allowed +# - +# - Note: +# - ===== +# - - Traffic recieved on natted interfaces will be ommitted! +# - - If you want allow both directions, you have to make two entries - one for evry directions. +# - +# - Example: +# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26 +# - 83.223.86.96/32:86.223.73.0/24" +# - +# - Blank separated list +# - +restrict_local_net_to_net="" + + +# ------------- +# ---- Allow extern Service +# ------------- + +# - allow_ext_service +# - +# - allow_ext_service=":: [:: [ .. +# - +# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp' +# - are allowed +# - +# - Example: +# - allow_ext_service=" +# - 80.152.216.128:9998:tcp +# - 80.152.216.128:8443:tcp +# - " +# - +# - Blank separated list +# - +allow_ext_service="" + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +# - allow_ext_net +# - +# - allow_ext_net=" [ [ ..! +# - +# - Allow all traffic to the given extern network/ip-address. +# - +# - Example: +# - allow_ext_net="80.152.216.128 84.140.157.102" +# - +# - Blank separated list +# - +allow_ext_net="" + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +# - allow_local_service +# - +# - allow_local_service=" [: [.." 
+# - +# - Allow all traffic to given local service +# - +# - Example: +# - allow_local_service="8443:tcp 8080:tcp" +# - +# - Blank separated list +# - +allow_local_service="" + + +# ------------- +# --- Services local Network +# ------------- + +# - VPN Server +# - +vpn_server_ips="" +forward_vpn_server_ips="" + +# DHCP Server +# +# Comma seperated Interface list for DHCP services +# +dhcp_server_ifs="" + +# - DNS Server +dns_server_ips="" +forward_dns_server_ips="" + +# - SSH Server +# - +ssh_server_ips="" +forward_ssh_server_ips="" + +# - HTTP(S) Server +# - +http_server_ips="" +forward_http_server_ips="" + +# - Mail SMTP Server +# - +smtpd_ips="" +forward_smtpd_ips="" + +# - Mail Services (smtps/pop(s)/imap(s) +# - +mail_server_ips="" +forward_mail_server_ips="" + +# - Mail Client (smtps/pop(s)/imap(s) +# - +mail_client_ips="" +forward_mail_client_ips="" + +# - FTP Server +# - +ftp_server_ips="" +forward_ftp_server_ips="" + +# - Mumble Server +# - +mumble_server_ips="" +forward_mumble_server_ips="" + +# - TFTP Server +# - +# - NOT YET IMPLEMENTED +# - +tftp_server_ips="" + +# - Munin Server +# - +munin_server_ips="" +forward_munin_server_ips="" + +# - Remote Munin Server +# - +munin_remote_ip="83.223.86.99" +munin_local_port="4949" + +# - XyMon Server +# - +# - NOT YET IMPLEMENTED +# - +xymon_server_ips="" +local_xymon_client=false + + +# ------------- +# - Protocols Out +# ------------- + +# - Rsync Protocol +# - +# - Needed for some integrated provider of clamav-unofficial-sigs +# - +rsync_out_ips="" +forward_rsync_out_ips="" +rsync_ports="873" + + +# ------------- +# --- Allow special Ports (OUT) +# ------------- + +# - TCP Ports +tcp_out_ports="" +forward_tcp_out_ports="" + +# - UDP Ports +udp_out_ports="" +forward_udp_out_ports="" + + +# ------------- +# --- Block IP's / IP-Ranges +# ------------- + +# - 222.184.0.0/13 CHINANET-JS +# - 61.160.0.0/16 - CHINANET-JS +# - 116.8.0.0/14 CHINANET-GX +# - +blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14" + + 
+# ------------- +# --- Block Ports +# ------------- + +# - Generally (for all interfaces) block this ports +# - +# - Portmapper +# - tcp 111 +# - udp 111 +# - +# - Authentication tap ident +# - tcp 113 +# - +# - Location Service +# - tcp 135 +# - +# - Windows Stuff +# - tcp 137:139 +# - udp 137:139 +# - tcp 445 +# - +block_tcp_ports="111 113 135 137:139 445" +block_udp_ports="111 137:139" + + +# ------------- +# - Some special stuff +# ------------- + +create_traffic_counter=true +create_iperf_rules=true + + +# ------------- +# --- Router ? +# ------------- + +# - Activate forwarding +# - +# - Enable/disable forwarding to and between interfaces +# - +kernel_activate_forwarding=false + +# - Activate kernel support for dynamic IP adresses +# - (not needed in case of static IP) +# - +# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt +# - +# - The values for the ip_dynaddr sysctl are [*]: +# - +# - 1: To enable: +# - 2: To enable verbosity: +# - 4: To enable RST-provoking: +# - 8: To enable asymetric routing work-around [**] +# - +# - [*] At boot, by default no address rewriting is attempted. +# - [**] This code is currently totaly untested. +# - +# - Flags can be combined by adding them. Common settings +# - would be: +# - +# - To enable rewriting in quiet mode: +# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr +# - To enable rewriting in verbose mode: +# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr +# - To enable quiet RST-provoking mode (1+4): +# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr +# - ... 
+# - +kernel_support_dynaddr=false +dynaddr_flag="5" + + +# ------------- +# --- Kernel related - Adjust Kernel Parameters (Security/Tuning) +# ------------- + +# - Reduce DoS'ing ability by reducing timeouts +# - +kernel_reduce_timeouts=true + +# - Hardening TCP/IP Stack Against SYN Floods +# - +# - Enable syn cookies prevents against the common 'syn flood attack' +# - +kernel_tcp_syncookies=true + +# - Protection against ICMP bogus error responses +# - +kernel_protect_against_icmp_bogus_messages=true + +# - Ignore Broadcast Pings +# - +kernel_ignore_broadcast_ping=true + +# - Deactivate Source Routed Packets +# - +kernel_deactivate_source_route=true + +# - Deactivate sending ICMP redirects +# - +# - ICMP redirects are used by routers to specify better routing paths out of +# - one network, based on the host choice, so basically it affects the way +# - packets are routed and destinations. +# - +kernel_dont_accept_redirects=true + +# - Activate Reverse Path Filtering (Antispoofing) +# - +# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen +# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, +# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat +# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für +# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle +# - nicht voll funktionsfähig ist. +# - +kernel_activate_rp_filter=true + +# - Logging of spoofed (source routed" and "redirect") packets +# - +kernel_log_martians=false + + +# ------------- +# --- Some further Ports/IP-Address Configuration +# ------------- + +# - unpriviligierte Ports +# - +unprivports="1024:65535" + +# - Loopback +loopback="127.0.0.0/8" + +# - Private Networks +priv_class_a="10.0.0.0/8" +priv_class_b="172.16.0.0/12" +priv_class_c="192.168.0.0/16" + +# - Multicast Addresse +class_d_multicast="224.0.0.0/4" + +# Reserved Addresse +class_e_reserved="240.0.0.0/5" + 
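Review bot: The sample ships site-specific values as defaults: `munin_remote_ip="83.223.86.99"` is a concrete public host and `blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"` pre-blocks three provider ranges, so anyone copying the template gets a Munin allowance toward a stranger's address and an undocumented block list; a template should leave both empty (`munin_remote_ip=""`, `blocked_ips=""`) and keep the ranges as a commented example. The example under `restrict_local_net_to_net` shows `allow_ext_net_to_local_net="..."`, a name that does not exist in the file, and the syntax lines `restrict_local_net_to_net=": [:] [..]"` and `allow_ext_service=":: [:: [ ..` have lost their field names, presumably to angle-bracket stripping, so the format can no longer be read from the comment. Restating them in words, e.g. `# - restrict_local_net_to_net="src-net:dst-net [src-net:dst-net ..]"`, would make the parameter usable without reading the script.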
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample new file mode 100644 index 0000000..8f03723 --- /dev/null +++ b/conf/main_ipv6.conf.sample 
@@ -0,0 +1,366 @@ +#!/usr/bin/env bash + + +## ---------------------------------------------------------------- +## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server +## ---------------------------------------------------------------- + + +# ------------- +# --- Some Ports/IP-Address Configuration +# ------------- + +# - unpriviligierte Ports +# - +unprivports="1024:65535" + +# unique local address (ULA) - private address block +ula_block="fc00::/7" + +# - Loopback +loopback="::1/128" + + +# ------------- +# --- Prevent bridged traffic getting pushed through the host's iptables rules +# ------------- + +# - Prevent bridged traffic getting pushed through the +# - host's iptables rules +# - +# - Note: Maybe youe have also to activate forwarding +# - +# - Set: kernel_forward_between_interfaces=true +# - +do_not_firewall_bridged_traffic=false + + +# ------------- +# --- Interfaces completly blocked +# ------------- + +# - Interfaces to block (note: they will all be blocked) +# - +# - Example: eth1 is used for DSL Line, that becomes an extra +# - interface (maybe ppp0). A further use of eth1 (which would +# - be possible) is not configured at time, so you can block it. +# - blocked_ifs="eth1" +# - +blocked_ifs="" + + +# ------------- +# --- Interfaces not firewalled +# ------------- + +# - Note: +# - Can be (for example) an interface, whose (complete) traffic is +# - protected by a firewall on an other system in the local area +# - +unprotected_ifs="" + + +# ------------- +# ---- Allow Forwarding (private) IPs / IP-Ranges +# ------------- + +# - Maybe useful in case of virtual hosts with private addresses or +# - if using a vpn network to forward into private areas. +# - +# - Note: this rules takes affect before rules to protect against +# - unwanted packages e.g. blocking private addresses on +# - externel interfaces. 
+# - +# - Note: you can specify networks using CIDR notation +# - like "192.168.2.0/24" +# - +forward_private_ips="" + + +# ------------- +# ---- Restrict local Servive to given (extern) IP-Address/Network +# ------------- + +# - restrict_local_service_to_net +# - +# - restrict_local_service_to_net="ext-netr,local-address,port,protocol" +# - +# - Note: +# - ===== +# - - Only 'tcp' and 'udp' are allowed valuse for protocol. +# - - Traffic recieved on natted interfaces will be ommitted! +# - +# - Use this parameter to (only) give some extern netwoks access to special local +# - services. +# - +# - Example: +# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036 +# - allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c +# - +# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp +# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp" +# - +# - Blank separated list +# - +restrict_local_service_to_net="" + + +# ------------- +# ---- Restrict local Network to given extern IP-Address/Network +# ------------- + +# - restrict_local_net_to_net +# - +# - restrict_local_net_to_net=", [,] [..]" +# - +# - All traffic from the given first network to the given second network is allowed +# - +# - Note: +# - ===== +# - - Traffic recieved on natted interfaces will be ommitted! +# - - If you want allow both directions, you have to make two entries - one for evry directions. +# - +# - Example: +# - allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128 +# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128" +# - +# - Blank separated list +# - +restrict_local_net_to_net="" + + +# ------------- +# ---- Allow extern Service +# ------------- + +# - allow_ext_service +# - +# - allow_ext_service=",, [,, [ .. +# - +# - Allow all traffic to the given extern Service. 
Only protcols 'tcp' and 'udp' +# - are allowed +# - +# - Example: +# - - allow_ext_service=" +# - 2a01:4f8:221:3b4e::247,8443,tcp +# - 2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp +# - " +# - - allow_ext_service=" +# - ::/0,8443,tcp +# - ::/0,8080,tcp +# - " +# - +# - Note: +# - ===== +# - To allow traffic on a certain port to all extern networks, set extern network to '::/0' +# - +# - Blank separated list +# - +allow_ext_service="" + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +# - allow_ext_net +# - +# - allow_ext_net=" [ [ ..! +# - +# - Allow all traffic to the given extern network/ip-address. +# - +# - Example: +# - - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c" +# - - allow_ext_net="::/0" +# - +# - Note: +# - ===== +# - To allow traffic to all extern networks, set extern network to '::/0' +# - +# - Blank separated list +# - +allow_ext_net="" + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +# - allow_local_service +# - +# - allow_local_service=": [: [.." 
+# - +# - Allow all traffic to given local service +# - +# - Example: +# - allow_local_service="8443:tcp 8080:tcp" +# - +# - Blank separated list +# - +allow_local_service="" + + +# ------------- +# --- Services local Network +# ------------- + +# - VPN Server +# - +vpn_server_ips="" +forward_vpn_server_ips="" + +# DHCP Server +# +# Comma seperated Interface list for DHCP services +# +dhcp_server_ifs="" + +# - DNS Server +dns_server_ips="" +forward_dns_server_ips="" + +# - SSH Server +# - +ssh_server_ips="" +forward_ssh_server_ips="" + +# - HTTP(S) Server +# - +http_server_ips="" +forward_http_server_ips="" + +# - Mail SMTP Server +# - +smtpd_ips="" +forward_smtpd_ips="" + +# - Mail Services (smtps/pop(s)/imap(s) +# - +mail_server_ips="" +forward_mail_server_ips="" + +# - Mail Client (smtps/pop(s)/imap(s) +# - +mail_client_ips="" +forward_mail_client_ips="" + +# - FTP Server +# - +ftp_server_ips="" +forward_ftp_server_ips="" + +# - Mumble Server +# - +mumble_server_ips="" +forward_mumble_server_ips="" + +# - TFTP Server +# - +# - NOT YET IMPLEMENTED +# - +tftp_server_ips="" + +# - Munin Server +# - +munin_server_ips="" +forward_munin_server_ips="" + +# - Remote Munin Server +# - +munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4" +munin_local_port="4949" + +# - XyMon Server +# - +# - NOT YET IMPLEMENTED +# - +xymon_server_ips="" +local_xymon_client=false + + +# ------------- +# - Protocols Out +# ------------- + +# - Rsync Protocol +# - +# - Needed for some integrated provider of clamav-unofficial-sigs +# - +rsync_out_ips="" +forward_rsync_out_ips="" +rsync_ports="873" + + +# ------------- +# --- Allow special Ports (OUT) +# ------------- + +# - TCP Ports +tcp_out_ports="" +forward_tcp_out_ports="" + +# - UDP Ports +udp_out_ports="" +forward_udp_out_ports="" + + +# ------------- +# --- Block IP's / IP-Ranges +# ------------- + +blocked_ips="" + + +# ------------- +# --- Block Ports +# ------------- + +# - Generally (for all interfaces) block this ports +# - +# - 
Portmapper +# - tcp 111 +# - udp 111 +# - +# - Authentication tap ident +# - tcp 113 +# - +# - Location Service +# - tcp 135 +# - +# - Windows Stuff +# - tcp 137:139 +# - udp 137:139 +# - tcp 445 +# - +block_tcp_ports="111 113 135 137:139 445" +block_udp_ports="111 137:139" + + +# ------------- +# - Some special stuff +# ------------- + +create_traffic_counter=true +create_iperf_rules=true + + +# ------------- +# --- Kernel related - Adjust Kernel Parameters (Security/Tuning) +# ------------- + +# - Disable ip forwarding between interfaces +# - +kernel_forward_between_interfaces=false + +# - Deactivate Source Routed Packets +# - +kernel_deactivate_source_route=true + +# - Deactivate sending ICMP redirects +# - +# - ICMP redirects are used by routers to specify better routing paths out of +# - one network, based on the host choice, so basically it affects the way +# - packets are routed and destinations. +# - +kernel_dont_accept_redirects=true + diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf new file mode 100644 index 0000000..a86192b --- /dev/null +++ b/conf/post_decalrations.conf 
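Review bot: The file header still says `## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server` and the `forward_private_ips` note gives the IPv4 example `192.168.2.0/24`; in an IPv6 template both should be IPv6 (`Ipv6`, and e.g. a prefix from the `ula_block` the file itself defines, such as a constructed `fd00:1234::/64`). The `restrict_local_net_to_net` example again uses the non-existent name `allow_ext_net_to_local_net`, as in the IPv4 sample. Every address-bearing parameter here switched to comma-separated fields while `allow_local_service` keeps the colon form `8443:tcp`; a one-line comment next to it, `# - port lists keep the port:protocol form (no addresses here)`, would stop users from applying the comma form there.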
@@ -0,0 +1,357 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+ log_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+ host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+ ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+ vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+ local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+ blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+ unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+ restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+ restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern Service
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+ allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+ allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+ allow_local_service_arr+=("$_val")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+ block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+ block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+ forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_if_arr
+for _dev in $dhcp_server_ifs ; do
+ dhcp_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+ dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+ forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+ vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+ forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+ ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+ forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+ http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+ forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+ ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+ forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+ smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+ forward_smtpd_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail Services (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+ mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+ forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+ mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+ forward_mail_client_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+ mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+ forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+ tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+ munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+ forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+ xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+ rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+ forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+ ssh_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+ vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+ rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+ tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+ forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+ udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+ forward_udp_out_port_arr+=("$_port")
+done
+
+