firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Redesign script.

Browse Source
This commit is contained in:
Christoph
2019-03-07 05:03:30 +01:00
parent 3c896d7052
commit 040f453e6d
13 changed files with 1635 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

366
conf/main_ipv6.conf.sample Normal file
View File

@ -0,0 +1,366 @@
#!/usr/bin/env bash
## ----------------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
## ----------------------------------------------------------------
# -------------
# --- Some Ports/IP-Address Configuration
# -------------
# - unpriviligierte Ports
# -
unprivports="1024:65535"
# unique local address (ULA) - private address block
ula_block="fc00::/7"
# - Loopback
loopback="::1/128"
# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
# - Prevent bridged traffic getting pushed through the
# - host's iptables rules
# -
# - Note: Maybe youe have also to activate forwarding
# -
# - Set: kernel_forward_between_interfaces=true
# -
do_not_firewall_bridged_traffic=false
# -------------
# --- Interfaces completly blocked
# -------------
# - Interfaces to block (note: they will all be blocked)
# -
# - Example: eth1 is used for DSL Line, that becomes an extra
# - interface (maybe ppp0). A further use of eth1 (which would
# - be possible) is not configured at time, so you can block it.
# - blocked_ifs="eth1"
# -
blocked_ifs=""
# -------------
# --- Interfaces not firewalled
# -------------
# - Note:
# - Can be (for example) an interface, whose (complete) traffic is
# - protected by a firewall on an other system in the local area
# -
unprotected_ifs=""
# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------
# - Maybe useful in case of virtual hosts with private addresses or
# - if using a vpn network to forward into private areas.
# -
# - Note: this rules takes affect before rules to protect against
# - unwanted packages e.g. blocking private addresses on
# - externel interfaces.
# -
# - Note: you can specify networks using CIDR notation
# - like "192.168.2.0/24"
# -
forward_private_ips=""
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------
# - restrict_local_service_to_net
# -
# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
# - - Traffic recieved on natted interfaces will be ommitted!
# -
# - Use this parameter to (only) give some extern netwoks access to special local
# - services.
# -
# - Example:
# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
# - allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
# -
# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""
# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
# - restrict_local_net_to_net
# -
# - restrict_local_net_to_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# - - Traffic recieved on natted interfaces will be ommitted!
# - - If you want allow both directions, you have to make two entries - one for evry directions.
# -
# - Example:
# - allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
# -
# - Blank separated list
# -
restrict_local_net_to_net=""
# -------------
# ---- Allow extern Service
# -------------
# - allow_ext_service
# -
# - allow_ext_service="<ext-ip>,<ext_port>,<protocol> [<ext-ip>,<ext_port>,<protocol> [ ..
# -
# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
# - are allowed
# -
# - Example:
# - - allow_ext_service="
# - 2a01:4f8:221:3b4e::247,8443,tcp
# - 2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp
# - "
# - - allow_ext_service="
# - ::/0,8443,tcp
# - ::/0,8080,tcp
# - "
# -
# - Note:
# - =====
# - To allow traffic on a certain port to all extern networks, set extern network to '::/0'
# -
# - Blank separated list
# -
allow_ext_service=""
# -------------
# ---- Allow extern IP-Address/Network
# -------------
# - allow_ext_net
# -
# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
# -
# - Allow all traffic to the given extern network/ip-address.
# -
# - Example:
# - - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c"
# - - allow_ext_net="::/0"
# -
# - Note:
# - =====
# - To allow traffic to all extern networks, set extern network to '::/0'
# -
# - Blank separated list
# -
allow_ext_net=""
# -------------
# ---- Allow (non-standard) local Services
# -------------
# - allow_local_service
# -
# - allow_local_service="<port>:<protocol> [<port>:<protocol> [.."
# -
# - Allow all traffic to given local service
# -
# - Example:
# - allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""
# -------------
# --- Services local Network
# -------------
# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""
# DHCP Server
#
# Comma seperated Interface list for DHCP services
#
dhcp_server_ifs=""
# - DNS Server
dns_server_ips=""
forward_dns_server_ips=""
# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""
# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""
# - Mail SMTP Server
# -
smtpd_ips=""
forward_smtpd_ips=""
# - Mail Services (smtps/pop(s)/imap(s)
# -
mail_server_ips=""
forward_mail_server_ips=""
# - Mail Client (smtps/pop(s)/imap(s)
# -
mail_client_ips=""
forward_mail_client_ips=""
# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""
# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""
# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""
# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""
# - Remote Munin Server
# -
munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
munin_local_port="4949"
# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false
# -------------
# - Protocols Out
# -------------
# - Rsync Protocol
# -
# - Needed for some integrated provider of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"
# -------------
# --- Allow special Ports (OUT)
# -------------
# - TCP Ports
tcp_out_ports=""
forward_tcp_out_ports=""
# - UDP Ports
udp_out_ports=""
forward_udp_out_ports=""
# -------------
# --- Block IP's / IP-Ranges
# -------------
blocked_ips=""
# -------------
# --- Block Ports
# -------------
# - Generally (for all interfaces) block this ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113
# -
# - Location Service
# - tcp 135
# -
# - Windows Stuff
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"
# -------------
# - Some special stuff
# -------------
create_traffic_counter=true
create_iperf_rules=true
# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------
# - Disable ip forwarding between interfaces
# -
kernel_forward_between_interfaces=false
# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true
# - Deactivate sending ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of
# - one network, based on the host choice, so basically it affects the way
# - packets are routed and destinations.
# -
kernel_dont_accept_redirects=true