Redesign script.
parent
3c896d7052
commit
040f453e6d
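--- a/conf/ban_ipv4.list.sample
+++ b/conf/ban_ipv4.list.sample
@@ -0,0 +1,22 @@
+# - IPv4 addresses listet here will be completly banned by the firewall
+# -
+# - - Line beginning with '#' will be ignored.
+# - - Blank lines will be ignored
+# - - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
+# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
+# - network/nn CIDR notation like 1.2.3.0/27
+# - network/netmask notaions like 1.2.3.0/255.255.255.0
+# - network/partial_netmask like 1.2.3.4/255
+# -
+# - Note:
+# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
+# -
+# - Example:
+# - 79.171.81.0/24
+# - 79.171.81.0/255.255.255.0
+# - 79.171.81.0/255.255.255
+# - 79.171.81
+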
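Review bot: The conversion described at `# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)` names the wrong host: a /32 is a single address, so 1.2.3.4 becomes 1.2.3.4/32, whereas 1.2.3.0/32 would ban a different machine and leave 1.2.3.4 unbanned. If the parser really zeroes the last octet for bare addresses that is a defect in the parser (not visible in this commit); otherwise the comment should read `(will be converted to 1.2.3.4/32)`. The same line also has the typos "adresses"/"listet"/"completly"/"notaions" that a config sample operators read should not carry.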
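--- a/conf/ban_ipv6.list.sample
+++ b/conf/ban_ipv6.list.sample
@@ -0,0 +1,20 @@
+# - IPv6 addresses listet here will be completly banned by the firewall
+# -
+# - - Line beginning with '#' will be ignored.
+# - - Blank lines will be ignored
+# - - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
+# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
+# -
+# -
+# - Note:
+# - - If no mask is given mask will be set to '64'
+# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
+# -
+# - Example:
+# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
+# - 2a01:30:0:13:5054:ff::1
+# - 2a01:30:0:13:5054:ff::1/56
+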
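Review bot: `# - - If no mask is given mask will be set to '64'` means the two bare example entries (`240e:ec:4ab1:feba:e8b4:4fb1:7984:4c` and `2a01:30:0:13:5054:ff::1`) ban an entire /64, not the single host a reader of "complete IPv6 adresses" will expect, which is a much larger block than the IPv4 sample's /32 default for a complete address. Say so next to the "Valid values" line, e.g. `# - complete IPv6 adresses like ... (will be converted to <addr>/64 - use /128 for a single host)`, and show one `/128` example so operators see how to ban exactly one address.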
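--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"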
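Review bot: `vpn_ports="1194 1195"` is space-separated while every other multi-port value in this file uses commas (`http_ports="80,443"`, `mail_user_ports="587,465,..."`) and `ssh_ports` is explicitly documented as a "comma separated list". If the consumer hands these strings to iptables multiport (`--dports`), the space-separated value will not parse; if it word-splits them, the comma-separated ones will not. The file cannot show which is intended, so pick one convention, fix `vpn_ports` to match, and state the format in the comment above each variable (e.g. `# - VPN Service (comma separated list)`). `xymon_port=1984` is also the only unquoted value; quote it like the others.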
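--- a/conf/include_functions.conf
+++ b/conf/include_functions.conf
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+
+# -------------
+# --- Some functions
+# -------------
+
+echononl(){
+echo X\\c > /tmp/shprompt$$
+if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+echo -e -n "$*\\c" 1>&2
+else
+echo -e -n "$*" 1>&2
+fi
+rm /tmp/shprompt$$
+}
+echo_done() {
+echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+
+fatal (){
+echo ""
+echo -e "fatal Error: $*"
+echo ""
+echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+echo ""
+exit 1
+}
+
+error(){
+echo ""
+echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+echo ""
+}
+
+warn (){
+echo ""
+echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+echo ""
+}
+
+info (){
+echo ""
+echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+local e
+for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+return 1
+}
+
+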
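Review bot: `echononl` writes its `\c` probe to the predictable, world-writable path `/tmp/shprompt$$` and removes it with a bare `rm`; a pre-existing file or symlink at that name (any local user can create one, and PIDs are guessable) makes the `echo X\\c >` redirect follow or clobber it, and when `rm` fails the file is left behind. The probe is also unnecessary here: the file declares `#!/usr/bin/env bash`, whose builtin `echo` honours `-n`, so the whole body can be `printf '%b' "$*" >&2` (same backslash-escape handling as `echo -e`, no temp file, no `wc`/`awk` subprocesses). Separately, `error()` prints the German label `Fehler` while `warn`/`info`/`fatal` use English, and the `echo -e "...: $*"` calls interpret backslash sequences inside the message itself, so a message built from user or config data should be printed with `printf '%s'` rather than `echo -e`.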
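--- a/conf/interfaces_ipv4.conf.sample
+++ b/conf/interfaces_ipv4.conf.sample
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1=""
+ext_if_2=""
+ext_if_3=""
+
+ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
+
+
+# - VPN Interfaces
+# - (comma separated list)
+vpn_ifs=""
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+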
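Review bot: The third local address is assigned to `local_2_ip` twice (the last two `# NOT IN USE` entries both read `local_2_ip=""`), so `local_3_ip` is never defined; the same copy-paste duplicate appears in conf/interfaces_ipv6.conf.sample and conf/main_ipv4.conf.sample in this commit. Unlike `ext_ips`, no `local_ips` aggregate is built from these variables, so nothing will fail loudly when an operator later fills in the third address. The last line should be `local_3_ip=""`. The second heading `# --- Network Interfaces` introduces the IP-address block; the IPv6 sample heads the same block `# --- IP-Addresses`, which is the correct title here too.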
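--- a/conf/interfaces_ipv6.conf.sample
+++ b/conf/interfaces_ipv6.conf.sample
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1=""
+ext_if_2=""
+ext_if_3=""
+
+ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
+
+
+# - VPN Interfaces
+# - (comma separated list)
+vpn_ifs=""
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""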
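--- a/conf/load_modules_ipv4.conf
+++ b/conf/load_modules_ipv4.conf
@@ -0,0 +1,59 @@
+# =============
+# - Load Kernel Modules
+# =============
+
+ip_tables
+iptable_nat
+
+# - Note:!
+# - Since Kernel 4.7 the automatic conntrack helper assignment
+# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# - Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# - net.netfilter.nf_conntrack_helper = 1
+# -
+# - Reboot or type "sysctl -p"
+# -
+# - !! But this is NOT the recommend method !!
+
+
+# ---
+# - Load module for FTP Connection tracking and NAT
+# ---
+
+# - Once a helper is loaded, it will treat packets for a given port and all IP addresses.
+# - As explained before, this is not optimal and is even a security risk. A better
+# - solution is to load the module helper and deactivate their parsing by default. Each
+# - helper we need to use is then set by using a call to the CT target.
+# -
+# - Desactivate the automatic conntrack helper assignment:
+# -
+# - method 1: modprobe nf_conntrack nf_conntrack_helper=0
+# - method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
+# -
+# - Note:
+# - =====
+# - Each helper we need to use is then set by using a call to the CT target.
+# - Example for ftp helper on standardport:
+# -
+# - ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+# -
+/sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1
+
+/sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1
+/sbin/modprobe nf_nat > /dev/null 2>&1
+/sbin/modprobe nf_nat_ftp > /dev/null 2>&1
+
+## - Load modules for SIP VOIP
+## -
+#/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1
+#/sbin/modprobe nf_nat_sip > /dev/null 2>&1
+
+
+# - Load kernel nf_log modules for IPv4 netfilter userspace logging
+# -
+# - Note:
+# - netfilter userspace logging daemon (ulogd/ulogd2) is required
+# -
+nf_log
+nf_log_ipv4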
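Review bot: `/sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1` only applies the parameter if this call is what loads the module; `iptable_nat`, listed earlier in this file, already depends on nf_conntrack, and modprobe on an already-loaded module returns success without changing anything, so on kernels where the helper default is 1 automatic helper assignment stays on — exactly the exposure the comment above explains — and the `> /dev/null 2>&1` hides it. Follow the modprobe with the sysctl the comment calls "method 2", `echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper`, or have the loader read the value back and warn when it is not 0. This file also mixes bare module names (`ip_tables`, `nf_log`, `nf_log_ipv4`) with full `/sbin/modprobe ...` command lines; I cannot see the loader in this diff, but it can treat only one of the two forms as intended, so the header comment should state which format the file expects.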
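--- a/conf/load_modules_ipv6.conf
+++ b/conf/load_modules_ipv6.conf
@@ -0,0 +1,9 @@
+# =============
+# - Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle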
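--- a/conf/logging_ipv4.conf
+++ b/conf/logging_ipv4.conf
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
+tag_log_prefix="--nflog-prefix"
+LOG_TARGET="NFLOG --nflog-group 11"
+else
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+LOG_TARGET="LOG --log-level $log_level"
+tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv4 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""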
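Review bot: `if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then` executes the *output* of the command substitution as the command; it only works because `grep -q` prints nothing, in which case bash falls back to the substitution's exit status, and the `2>/dev/null` is attached to grep, not to the `ps` whose errors it was presumably meant to hide. Test the pipeline directly: `if ps -e f 2>/dev/null | grep -q -E "/usr/sbin/ulogd2?\s"; then` (or `pgrep -f '^/usr/sbin/ulogd2?( |$)' >/dev/null`). The identical construct is in conf/logging_ipv6.conf. Note also that a missing ulogd silently switches the whole ruleset to the kernel `LOG` target at level `debug`, which on many syslog setups is discarded; a one-line `info` message in the `else` branch would make that fallback visible.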
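--- a/conf/logging_ipv6.conf
+++ b/conf/logging_ipv6.conf
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
+tag_log_prefix="--nflog-prefix"
+LOG_TARGET="NFLOG --nflog-group 12"
+else
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+LOG_TARGET="LOG --log-level $log_level"
+tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv6 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""
+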
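--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -0,0 +1,494 @@
+#!/usr/bin/env bash
+
+
+## ----------------------------------------------------------------
+## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
+## ----------------------------------------------------------------
+
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+# - Note: Maybe youe have also to activate forwarding
+# -
+# - Set: kernel_activate_forwarding=true
+# -
+do_not_firewall_bridged_traffic=false
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra
+# - interface (maybe ppp0). A further use of eth1 (which would
+# - be possible) is not configured at time, so you can block it.
+# - blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is
+# - protected by a firewall on an other system in the local area
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# - unwanted packages e.g. blocking private addresses on
+# - externel interfaces.
+# -
+# - Note: you can specify networks using CIDR notation
+# - like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+
+broadcast_ips=""
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# -
+# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# - - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local
+# - services.
+# -
+# - Example:
+# - allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
+# - allow access from 86.73.85.0/24 to https service at 83.223.86.98
+# -
+# - restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp
+# - 86.73.85.0/24:83.223.86.98:443:tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# - restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# - - Traffic recieved on natted interfaces will be ommitted!
+# - - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# - 83.223.86.96/32:86.223.73.0/24"
+# -
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
+
+# -------------
+# ---- Allow extern Service
+# -------------
+
+# - allow_ext_service
+# -
+# - allow_ext_service="<ext-ip>:<ext_port>:<protocol> [<ext-ip>:<ext_port>:<protocol> [ ..
+# -
+# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
+# - are allowed
+# -
+# - Example:
+# - allow_ext_service="
+# - 80.152.216.128:9998:tcp
+# - 80.152.216.128:8443:tcp
+# - "
+# -
+# - Blank separated list
+# -
+allow_ext_service=""
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+# - allow_ext_net
+# -
+# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
+# -
+# - Allow all traffic to the given extern network/ip-address.
+# -
+# - Example:
+# - allow_ext_net="80.152.216.128 84.140.157.102"
+# -
+# - Blank separated list
+# -
+allow_ext_net=""
+
+
+# -------------
+# ---- Allow (non-standard) local Services
+# -------------
+
+# - allow_local_service
+# -
+# - allow_local_service="<port:protocol> [<port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service
+# -
+# - Example:
+# - allow_local_service="8443:tcp 8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# - VPN Server
+# -
+vpn_server_ips=""
+forward_vpn_server_ips=""
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+forward_mail_client_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="83.223.86.99"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+# - 222.184.0.0/13 CHINANET-JS
+# - 61.160.0.0/16 - CHINANET-JS
+# - 116.8.0.0/14 CHINANET-GX
+# -
+blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Router ?
+# -------------
+
+# - Activate forwarding
+# -
+# - Enable/disable forwarding to and between interfaces
+# -
+kernel_activate_forwarding=false
+
+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# - 1: To enable:
+# - 2: To enable verbosity:
+# - 4: To enable RST-provoking:
+# - 8: To enable asymetric routing work-around [**]
+# -
+# - [*] At boot, by default no address rewriting is attempted.
+# - [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Reduce DoS'ing ability by reducing timeouts
+# -
+kernel_reduce_timeouts=true
+
+# - Hardening TCP/IP Stack Against SYN Floods
+# -
+# - Enable syn cookies prevents against the common 'syn flood attack'
+# -
+kernel_tcp_syncookies=true
+
+# - Protection against ICMP bogus error responses
+# -
+kernel_protect_against_icmp_bogus_messages=true
+
+# - Ignore Broadcast Pings
+# -
+kernel_ignore_broadcast_ping=true
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of
+# - one network, based on the host choice, so basically it affects the way
+# - packets are routed and destinations.
+# -
+kernel_dont_accept_redirects=true
+
+# - Activate Reverse Path Filtering (Antispoofing)
+# -
+# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen
+# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen,
+# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
+# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für
+# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle
+# - nicht voll funktionsfähig ist.
+# -
+kernel_activate_rp_filter=true
+
+# - Logging of spoofed (source routed" and "redirect") packets
+# -
+kernel_log_martians=false
+
+
+# -------------
+# --- Some further Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# - Loopback
+loopback="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+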
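Review bot: The `# --- Define Ports for Services` block (`http_ports` through `munin_remote_port`) repeats conf/default_ports.conf from this same commit line for line, so which value applies depends solely on the order in which the two files are sourced, and an operator editing one of them gets silently overridden by the other; keep the defaults in default_ports.conf and leave only the overrides (with a comment saying so) in this sample. The example under `restrict_local_net_to_net` uses a different variable name, `allow_ext_net_to_local_net=...`, which is not defined anywhere in the file (the same mismatch is in conf/main_ipv6.conf.sample); it should read `restrict_local_net_to_net="86.223.85.0/24:86.223.73.192/26 ..."`. `munin_remote_ip="83.223.86.99"` is a site-specific address shipped in a `.sample`, unlike every other `*_ips`/`*_ip` value, and `blocked_ips` is pre-filled with three networks an installer will inherit without choosing them; both should default to empty with the values moved into the comment as examples. The deactivate-ICMP-redirects comment says "sending" while the variable is `kernel_dont_accept_redirects`; say which sysctl is meant.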
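--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -0,0 +1,366 @@
+#!/usr/bin/env bash
+
+
+## ----------------------------------------------------------------
+## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
+## ----------------------------------------------------------------
+
+
+# -------------
+# --- Some Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+
+# - Loopback
+loopback="::1/128"
+
+
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+# - Prevent bridged traffic getting pushed through the
+# - host's iptables rules
+# -
+# - Note: Maybe youe have also to activate forwarding
+# -
+# - Set: kernel_forward_between_interfaces=true
+# -
+do_not_firewall_bridged_traffic=false
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra
+# - interface (maybe ppp0). A further use of eth1 (which would
+# - be possible) is not configured at time, so you can block it.
+# - blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is
+# - protected by a firewall on an other system in the local area
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# - unwanted packages e.g. blocking private addresses on
+# - externel interfaces.
+# -
+# - Note: you can specify networks using CIDR notation
+# - like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# -
+# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# - - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local
+# - services.
+# -
+# - Example:
+# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
+# - allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
+# -
+# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
+# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# - restrict_local_net_to_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# - - Traffic recieved on natted interfaces will be ommitted!
+# - - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# - allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
+# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
+# -
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
+
+# -------------
+# ---- Allow extern Service
+# -------------
+
+# - allow_ext_service
+# -
+# - allow_ext_service="<ext-ip>,<ext_port>,<protocol> [<ext-ip>,<ext_port>,<protocol> [ ..
+# -
+# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
+# - are allowed
+# -
+# - Example:
+# - - allow_ext_service="
+# - 2a01:4f8:221:3b4e::247,8443,tcp
+# - 2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp
+# - "
+# - - allow_ext_service="
+# - ::/0,8443,tcp
+# - ::/0,8080,tcp
+# - "
+# -
+# - Note:
+# - =====
+# - To allow traffic on a certain port to all extern networks, set extern network to '::/0'
+# -
+# - Blank separated list
+# -
+allow_ext_service=""
+
+
+# -------------
+# ---- Allow extern IP-Address/Network
+# -------------
+
+# - allow_ext_net
+# -
+# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
+# -
+# - Allow all traffic to the given extern network/ip-address.
+# -
+# - Example:
+# - - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c"
+# - - allow_ext_net="::/0"
+# -
+# - Note:
+# - =====
+# - To allow traffic to all extern networks, set extern network to '::/0'
+# -
+# - Blank separated list
+# -
+allow_ext_net=""
+
+
+# -------------
+# ---- Allow (non-standard) local Services
+# -------------
+
+# - allow_local_service
+# -
+# - allow_local_service="<port>:<protocol> [<port>:<protocol> [.."
+# -
+# - Allow all traffic to given local service
+# -
+# - Example:
+# - allow_local_service="8443:tcp 8080:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_service=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# - VPN Server
+# -
+vpn_server_ips=""
+forward_vpn_server_ips=""
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+forward_mail_client_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+blocked_ips=""
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Disable ip forwarding between interfaces
+# -
+kernel_forward_between_interfaces=false
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of
+# - one network, based on the host choice, so basically it affects the way
+# - packets are routed and destinations.
+# -
+kernel_dont_accept_redirects=true
+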
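Review bot: The header `## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server` and the CIDR example `# - like "192.168.2.0/24"` under `forward_private_ips` were carried over from the IPv4 sample; in this file the header should say IPv6 and the example should be an IPv6 prefix, e.g. `# - like "fd00:1::/64"` (a subnet of the `ula_block` defined at the top). The bridged-traffic note tells the operator to set `kernel_forward_between_interfaces=true`, but the variable's own comment reads `# - Disable ip forwarding between interfaces`, which describes only one value; write it as `# - Enable/disable ip forwarding between interfaces (true/false)` like the IPv4 sample does for `kernel_activate_forwarding`. `munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"` again ships a site-specific address in a `.sample` and should default to empty. This file also drops the IPv4 sample's `ext_*_ip`/`local_*_ip` block; if the IPv6 script reads `ext_ips` from conf/interfaces_ipv6.conf.sample instead, a one-line comment saying where those come from would spare the next reader a search.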
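--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -0,0 +1,357 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+log_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern Service
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+allow_local_service_arr+=("$_val")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_if_arr
+for _dev in $dhcp_server_ifs ; do
+dhcp_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+forward_smtpd_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail Services (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+forward_mail_client_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+ssh_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+forward_udp_out_port_arr+=("$_port")
+done
+
+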
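Review bot: The loop under `# - IP-Addresses (Host, Guests (VServer, LX_Container)` declares `ext_ip_arr` but appends to `host_ip_arr`, so `ext_ip_arr` is always empty and any rule the firewall scripts build from it covers no addresses at all; the body should read `ext_ip_arr+=("$_ip")` (or the declaration should name `host_ip_arr`, depending on which name the rule scripts consume — that is outside this file). In the DHCP block, `dhcp_if_arr+=($_dev)` is the only unquoted append in the file; make it `dhcp_if_arr+=("$_dev")` like every sibling loop. All list variables are intentionally expanded unquoted to word-split, but that also glob-expands them, so a stray `*` in a config value would pull filenames into an address or interface list; wrapping these loops in `set -f` / `set +f` (or using `read -r -a`) keeps the split without the globbing. The names `smtpd_ips_arr`, `mail_server_ips_arr` and `mail_client_ips_arr` break the `*_ip_arr` pattern every other array follows, which is the kind of drift that produced the `ext_ip_arr` mismatch.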