Redesign script.

conf/main_ipv4.conf.sample

@@ -0,0 +1,494 @@
+#!/usr/bin/env bash
+
+  
+## ----------------------------------------------------------------
+## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
+## ----------------------------------------------------------------
+
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+# - Note: Maybe youe have also to activate forwarding
+# -
+# -    Set: kernel_activate_forwarding=true
+# -
+do_not_firewall_bridged_traffic=false
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra 
+# - interface (maybe ppp0). A further use of eth1 (which would 
+# - be possible) is not configured at time, so you can block it.
+# -   blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is 
+# - protected by a firewall on an other system in the local area 
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# -       unwanted packages e.g. blocking private addresses on
+# -       externel interfaces.
+# -       
+# - Note: you can specify networks using CIDR notation
+# -       like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+
+broadcast_ips=""
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# - 
+# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local 
+# - services.
+# -
+# - Example:
+# -    allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
+# -    allow access from 86.73.85.0/24 to https service at 83.223.86.98
+# -
+# -    restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp 
+# -                                    86.73.85.0/24:83.223.86.98:443:tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# -    restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# -                               83.223.86.96/32:86.223.73.0/24"
+# - 
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
+
+# -------------
+# ---- Allow extern Service 
+# -------------
+
+# - allow_ext_service
+# -
+# - allow_ext_service="<ext-ip>:<ext_port>:<protocol> [<ext-ip>:<ext_port>:<protocol> [ ..
+# -
+# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
+# - are allowed
+# -
+# - Example:
+# -    allow_ext_service="
+# -       80.152.216.128:9998:tcp 
+# -       80.152.216.128:8443:tcp
+# -    "
+# -
+# - Blank separated list
+# -
+allow_ext_service=""
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+# - allow_ext_net
+# -
+# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
+# -
+# - Allow all traffic to the given extern network/ip-address.
+# -
+# - Example:
+# -    allow_ext_net="80.152.216.128 84.140.157.102"
+# -
+# - Blank separated list
+# -
+allow_ext_net=""
+
+
+# -------------
+# ---- Allow (non-standard) local Services 
+# -------------
+
+# - allow_local_service
+# -
+# - allow_local_service="<port:protocol> [<port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service
+# -
+# - Example:
+# -    allow_local_service="8443:tcp 8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# - VPN Server
+# -
+vpn_server_ips=""
+forward_vpn_server_ips=""
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server 
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server 
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+forward_mail_client_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="83.223.86.99"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+# -    222.184.0.0/13 CHINANET-JS
+# -    61.160.0.0/16 - CHINANET-JS
+# -    116.8.0.0/14 CHINANET-GX
+# -
+blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Router ?
+# -------------
+
+# - Activate forwarding
+# -
+# - Enable/disable forwarding to and between interfaces
+# -
+kernel_activate_forwarding=false
+
+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# -   1:  To enable:
+# -   2:  To enable verbosity:
+# -   4:  To enable RST-provoking:
+# -   8:  To enable asymetric routing work-around [**]
+# -
+# -  [*] At boot, by default no address rewriting is attempted.
+# -  [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Reduce DoS'ing ability by reducing timeouts
+# -
+kernel_reduce_timeouts=true
+
+# - Hardening TCP/IP Stack Against SYN Floods
+# -
+# - Enable syn cookies prevents against the common 'syn flood attack'
+# -
+kernel_tcp_syncookies=true
+
+# - Protection against ICMP bogus error responses
+# -
+kernel_protect_against_icmp_bogus_messages=true
+
+# - Ignore Broadcast Pings
+# -
+kernel_ignore_broadcast_ping=true
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of 
+# - one network, based on the host choice, so basically it affects the way 
+# - packets are routed and destinations. 
+# -
+kernel_dont_accept_redirects=true
+
+# - Activate Reverse Path Filtering (Antispoofing)
+# -
+# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen 
+# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, 
+# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
+# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für 
+# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle 
+# - nicht voll funktionsfähig ist. 
+# -
+kernel_activate_rp_filter=true
+
+# - Logging of spoofed (source routed" and "redirect") packets
+# -
+kernel_log_martians=false
+
+
+# -------------
+# --- Some further Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# - Loopback
+loopback="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+