Redesign script.

conf/ban_ipv4.list.sample

@@ -0,0 +1,22 @@
+# - IPv4 addresses listet here will be completly banned by the firewall
+# -
+# -    - Line beginning with '#' will be ignored.
+# -    - Blank lines will be ignored
+# -    - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# -    complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
+# -    partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
+# -    network/nn CIDR notation like 1.2.3.0/27
+# -    network/netmask notaions like 1.2.3.0/255.255.255.0
+# -    network/partial_netmask  like 1.2.3.4/255
+# -
+# - Note: 
+# -    - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
+# -
+# - Example:
+# -    79.171.81.0/24
+# -    79.171.81.0/255.255.255.0
+# -    79.171.81.0/255.255.255
+# -    79.171.81
+

conf/ban_ipv6.list.sample

@@ -0,0 +1,20 @@
+# - IPv6 addresses listet here will be completly banned by the firewall
+# -
+# -    - Line beginning with '#' will be ignored.
+# -    - Blank lines will be ignored
+# -    - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# -    complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
+# -    network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
+# -
+# -
+# - Note: 
+# -    - If no mask is given mask will be set to '64'
+# -    - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
+# -
+# - Example:
+# -    240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
+# -    2a01:30:0:13:5054:ff::1
+# -    2a01:30:0:13:5054:ff::1/56
+

conf/default_ports.conf

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"

conf/include_functions.conf

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# -------------
+# --- Some functions
+# -------------
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+   echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+   echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+   echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+   echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+
+fatal (){
+   echo ""
+   echo -e "fatal Error: $*"
+   echo ""
+   echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+   echo ""
+   exit 1
+}
+
+error(){
+   echo ""
+   echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   echo ""
+}
+
+warn (){
+   echo ""
+   echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   echo ""
+}
+
+info (){
+   echo ""
+   echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+
+

conf/interfaces_ipv4.conf.sample

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1=""
+ext_if_2=""
+ext_if_3=""
+
+ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
+
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs=""
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+

conf/interfaces_ipv6.conf.sample

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1=""
+ext_if_2=""
+ext_if_3=""
+
+ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
+
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs=""
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""

conf/load_modules_ipv4.conf

@@ -0,0 +1,59 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+ip_tables
+iptable_nat
+
+# - Note:! 
+# -    Since Kernel 4.7 the automatic conntrack helper assignment
+# -    is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# -    Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# -       net.netfilter.nf_conntrack_helper = 1
+# -
+# -    Reboot or type "sysctl -p"
+# -
+# - !! But this is NOT the recommend method !!
+
+
+# ---
+# - Load module for FTP Connection tracking and NAT
+# ---
+
+# - Once a helper is loaded, it will treat packets for a given port and all IP addresses. 
+# - As explained before, this is not optimal and is even a security risk. A better 
+# - solution is to load the module helper and deactivate their parsing by default. Each 
+# - helper we need to use is then set by using a call to the CT target.
+# -
+# - Desactivate the automatic conntrack helper assignment:
+# - 
+# -    method 1: modprobe nf_conntrack nf_conntrack_helper=0
+# -    method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
+# -
+# - Note:
+# - =====
+# -    Each helper we need to use is then set by using a call to the CT target.
+# -    Example for ftp helper on standardport:
+# -
+# -      ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp 
+# -    
+/sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1
+
+/sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1
+/sbin/modprobe nf_nat > /dev/null 2>&1
+/sbin/modprobe nf_nat_ftp > /dev/null 2>&1
+
+## - Load modules for SIP VOIP
+## -
+#/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1
+#/sbin/modprobe nf_nat_sip > /dev/null 2>&1
+
+
+# - Load kernel nf_log modules for IPv4 netfilter userspace logging
+# -
+# - Note: 
+# -    netfilter userspace logging daemon (ulogd/ulogd2) is required
+# -
+nf_log
+nf_log_ipv4

conf/load_modules_ipv6.conf

@@ -0,0 +1,9 @@
+# =============
+# -  Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle

conf/logging_ipv4.conf

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then 
+   tag_log_prefix="--nflog-prefix"
+   LOG_TARGET="NFLOG --nflog-group 11"
+else 
+   # - Log using the specified syslog level. 7 (debug) is a good choice 
+   # - unless you specifically need something else. 
+   # -
+   log_level=debug
+   LOG_TARGET="LOG --log-level $log_level"
+   tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv4 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""

conf/logging_ipv6.conf

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then 
+   tag_log_prefix="--nflog-prefix"
+   LOG_TARGET="NFLOG --nflog-group 12"
+else 
+   # - Log using the specified syslog level. 7 (debug) is a good choice 
+   # - unless you specifically need something else. 
+   # -
+   log_level=debug
+   LOG_TARGET="LOG --log-level $log_level"
+   tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv6 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""
+

conf/main_ipv4.conf.sample

@@ -0,0 +1,494 @@
+#!/usr/bin/env bash
+
+  
+## ----------------------------------------------------------------
+## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
+## ----------------------------------------------------------------
+
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+# - Note: Maybe youe have also to activate forwarding
+# -
+# -    Set: kernel_activate_forwarding=true
+# -
+do_not_firewall_bridged_traffic=false
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra 
+# - interface (maybe ppp0). A further use of eth1 (which would 
+# - be possible) is not configured at time, so you can block it.
+# -   blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is 
+# - protected by a firewall on an other system in the local area 
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# -       unwanted packages e.g. blocking private addresses on
+# -       externel interfaces.
+# -       
+# - Note: you can specify networks using CIDR notation
+# -       like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+
+broadcast_ips=""
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# - 
+# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local 
+# - services.
+# -
+# - Example:
+# -    allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
+# -    allow access from 86.73.85.0/24 to https service at 83.223.86.98
+# -
+# -    restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp 
+# -                                    86.73.85.0/24:83.223.86.98:443:tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# -    restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# -                               83.223.86.96/32:86.223.73.0/24"
+# - 
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
+
+# -------------
+# ---- Allow extern Service 
+# -------------
+
+# - allow_ext_service
+# -
+# - allow_ext_service="<ext-ip>:<ext_port>:<protocol> [<ext-ip>:<ext_port>:<protocol> [ ..
+# -
+# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
+# - are allowed
+# -
+# - Example:
+# -    allow_ext_service="
+# -       80.152.216.128:9998:tcp 
+# -       80.152.216.128:8443:tcp
+# -    "
+# -
+# - Blank separated list
+# -
+allow_ext_service=""
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+# - allow_ext_net
+# -
+# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
+# -
+# - Allow all traffic to the given extern network/ip-address.
+# -
+# - Example:
+# -    allow_ext_net="80.152.216.128 84.140.157.102"
+# -
+# - Blank separated list
+# -
+allow_ext_net=""
+
+
+# -------------
+# ---- Allow (non-standard) local Services 
+# -------------
+
+# - allow_local_service
+# -
+# - allow_local_service="<port:protocol> [<port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service
+# -
+# - Example:
+# -    allow_local_service="8443:tcp 8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# - VPN Server
+# -
+vpn_server_ips=""
+forward_vpn_server_ips=""
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server 
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server 
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+forward_mail_client_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="83.223.86.99"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+# -    222.184.0.0/13 CHINANET-JS
+# -    61.160.0.0/16 - CHINANET-JS
+# -    116.8.0.0/14 CHINANET-GX
+# -
+blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Router ?
+# -------------
+
+# - Activate forwarding
+# -
+# - Enable/disable forwarding to and between interfaces
+# -
+kernel_activate_forwarding=false
+
+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# -   1:  To enable:
+# -   2:  To enable verbosity:
+# -   4:  To enable RST-provoking:
+# -   8:  To enable asymetric routing work-around [**]
+# -
+# -  [*] At boot, by default no address rewriting is attempted.
+# -  [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Reduce DoS'ing ability by reducing timeouts
+# -
+kernel_reduce_timeouts=true
+
+# - Hardening TCP/IP Stack Against SYN Floods
+# -
+# - Enable syn cookies prevents against the common 'syn flood attack'
+# -
+kernel_tcp_syncookies=true
+
+# - Protection against ICMP bogus error responses
+# -
+kernel_protect_against_icmp_bogus_messages=true
+
+# - Ignore Broadcast Pings
+# -
+kernel_ignore_broadcast_ping=true
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of 
+# - one network, based on the host choice, so basically it affects the way 
+# - packets are routed and destinations. 
+# -
+kernel_dont_accept_redirects=true
+
+# - Activate Reverse Path Filtering (Antispoofing)
+# -
+# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen 
+# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, 
+# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
+# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für 
+# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle 
+# - nicht voll funktionsfähig ist. 
+# -
+kernel_activate_rp_filter=true
+
+# - Logging of spoofed (source routed" and "redirect") packets
+# -
+kernel_log_martians=false
+
+
+# -------------
+# --- Some further Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# - Loopback
+loopback="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+

conf/main_ipv6.conf.sample

@@ -0,0 +1,366 @@
+#!/usr/bin/env bash
+
+  
+## ----------------------------------------------------------------
+## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
+## ----------------------------------------------------------------
+
+
+# -------------
+# --- Some Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+
+# - Loopback
+loopback="::1/128"
+
+
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+# - Prevent bridged traffic getting pushed through the 
+# - host's iptables rules
+# -
+# - Note: Maybe youe have also to activate forwarding
+# -
+# -    Set: kernel_forward_between_interfaces=true
+# -
+do_not_firewall_bridged_traffic=false
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra 
+# - interface (maybe ppp0). A further use of eth1 (which would 
+# - be possible) is not configured at time, so you can block it.
+# -   blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is 
+# - protected by a firewall on an other system in the local area 
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# -       unwanted packages e.g. blocking private addresses on
+# -       externel interfaces.
+# -       
+# - Note: you can specify networks using CIDR notation
+# -       like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# - 
+# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local 
+# - services.
+# -
+# - Example:
+# -    allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
+# -    allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
+# -
+# -    restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp 
+# -                                   2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# -    restrict_local_net_to_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
+# -                               2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
+# - 
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
+
+# -------------
+# ---- Allow extern Service 
+# -------------
+
+# - allow_ext_service
+# -
+# - allow_ext_service="<ext-ip>,<ext_port>,<protocol> [<ext-ip>,<ext_port>,<protocol> [ ..
+# -
+# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
+# - are allowed
+# -
+# - Example:
+# -    - allow_ext_service="
+# -         2a01:4f8:221:3b4e::247,8443,tcp 
+# -         2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp
+# -      "
+# -    - allow_ext_service="
+# -         ::/0,8443,tcp
+# -         ::/0,8080,tcp
+# -       "
+# -
+# - Note:
+# - =====
+# -    To allow traffic on a certain port to all extern networks, set extern network to '::/0'
+# -
+# - Blank separated list
+# -
+allow_ext_service=""
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+# - allow_ext_net
+# -
+# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
+# -
+# - Allow all traffic to the given extern network/ip-address.
+# -
+# - Example:
+# -    - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c"
+# -    - allow_ext_net="::/0"
+# -
+# - Note:
+# - =====
+# -    To allow traffic to all extern networks, set extern network to '::/0'
+# -
+# - Blank separated list
+# -
+allow_ext_net=""
+
+
+# -------------
+# ---- Allow (non-standard) local Services 
+# -------------
+
+# - allow_local_service
+# -
+# - allow_local_service="<port>:<protocol> [<port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service
+# -
+# - Example:
+# -    allow_local_service="8443:tcp 8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# - VPN Server
+# -
+vpn_server_ips=""
+forward_vpn_server_ips=""
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server 
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server 
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+forward_mail_client_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+blocked_ips=""
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Disable ip forwarding between interfaces
+# -
+kernel_forward_between_interfaces=false
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of 
+# - one network, based on the host choice, so basically it affects the way 
+# - packets are routed and destinations. 
+# -
+kernel_dont_accept_redirects=true
+

conf/post_decalrations.conf

@@ -0,0 +1,357 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+   log_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+   host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+   ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+   restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+   restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern Service 
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+   allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+   allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services 
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+   allow_local_service_arr+=("$_val")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_if_arr
+for _dev in $dhcp_server_ifs ; do
+   dhcp_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+   forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+   vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+   forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+   ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+   forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+   http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+   forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+   ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+   forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+   smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+   forward_smtpd_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail Services (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+   mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+   forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+   mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+   forward_mail_client_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+   mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+   forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+   tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+   munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+   forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+   forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+   vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+   tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+   forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+   udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+   forward_udp_out_port_arr+=("$_port")
+done
+
+