diff --git a/ip6t-firewall-server b/ip6t-firewall-server index cda504d..a090652 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -288,7 +288,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems" if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then for _ip in ${lxc_guest_ip_arr[@]} ; do - + $ip6t -I FORWARD -p all -d $_ip -j ACCEPT $ip6t -I FORWARD -p all -s $_ip -j ACCEPT @@ -477,7 +477,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then is_valid_mask=false ipv6="" mask="" - + # Ignore comment lines # [[ $_line =~ ^[[:space:]]{0,}# ]] && continue @@ -502,7 +502,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then ipv6="${_addr[0]}" # Test mask if given - # + # if [[ -n "${_addr[1]}" ]] ; then mask="${_addr[1]}" @@ -513,7 +513,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then # Its not a vaild mask number, but naybe a valit netmask. # no_valid_ipv6_arr+=("$given_ipv6") - + else if [[ $mask -gt 128 ]]; then @@ -534,7 +534,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then is_valid_ipv6=true fi - + if $is_valid_ipv6 && $is_valid_mask; then _ip="${ipv6}/${mask}" @@ -574,7 +574,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then else echo_skipped fi - + # ------------- 
@@ -625,14 +625,14 @@ echo_done echononl "\tBlock packets with bogus TCP flags" if $log_invalid_flags || $log_all ; then - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" - $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix 
"$log_prefix Invalid flags:" + $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" @@ -753,6 +753,22 @@ done echo_done +# ------------- +# --- Traffic generally allowed +# ------------- + +echo +echononl "\tLoopback device generally allowed.." + +# --- +# - Loopback device +# --- + +$ip6t -A INPUT -i lo -j ACCEPT +$ip6t -A OUTPUT -o lo -j ACCEPT + +echo_done + # --- # - Protection against syn-flooding @@ -834,7 +850,7 @@ fi # --- echononl "\tLimit RST packets" -if $limit_rst_packets ; then +if $limit_rst_packets ; then $ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT if $log_rejected || $log_all ; then $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " @@ -915,8 +931,8 @@ fi # --- iPerf # ------------- -# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. -# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, # SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. echononl "\tCreate \"iPerf\" rules.." 
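Review bot: The relocated loopback rules `$ip6t -A INPUT -i lo -j ACCEPT` and `$ip6t -A OUTPUT -o lo -j ACCEPT` match on interface only, so a packet with source ::1 arriving on an external interface is not dropped here and falls through to the later per-service rules; unless the script already handles this elsewhere (not visible in these hunks), the new section is the natural place to add `$ip6t -A INPUT ! -i lo -s ::1 -j DROP` immediately before the ACCEPT. The move ahead of the syn-flood and "Limit RST packets" rules is presumably the point of the change, but the new "Traffic generally allowed" header does not record it; a comment such as `# Placed before the syn-flood / RST-limit rules so local traffic is never rate-limited` would stop a later reshuffle from silently reintroducing the old ordering. The surrounding top-level script continues outside the hunk.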
@@ -977,26 +993,8 @@ done echo_done echo - - -# ------------- -# --- Traffic generally allowed -# ------------- - -echononl "\tLoopback device generally allowed.." - -# --- -# - Loopback device -# --- - -$ip6t -A INPUT -i lo -j ACCEPT -$ip6t -A OUTPUT -o lo -j ACCEPT - -echo_done -echo - # ------------- # ---- Restrict local Servive to given (extern) IP-Address/Network # ------------- @@ -1038,7 +1036,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network" if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then _deny_net_arr=() - + for _val in "${restrict_local_net_to_net_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do @@ -1129,7 +1127,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" # ------------- -# ---- Allow extern Service +# ---- Allow extern Service # ------------- echononl "\t\tAllow extern Service" @@ -1168,7 +1166,7 @@ echo # ------------- -# ---- Allow (non-standard) local Services +# ---- Allow (non-standard) local Services # ------------- echononl "\t\tAllow (non-standard) local Services" @@ -1238,9 +1236,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then else echo_skipped fi - - + + # --- # - DNS out only # --- @@ -1279,7 +1277,7 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # $ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT 
@@ -1288,13 +1286,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - $ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT done fi - + if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_dns_server_ip_arr[@]} ; do # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # $ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT @@ -1683,7 +1681,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@] if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_server_ips_arr[@]} ; do - # mail ports + # mail ports # $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done @@ -1691,7 +1689,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@] if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_mail_server_ip_arr[@]} ; do - # mail ports + # mail ports # $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done @@ -1734,7 +1732,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@] if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_client_ips_arr[@]} ; do - # mail ports + # mail ports # $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done 
@@ -1742,7 +1740,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@] if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_mail_client_ip_arr[@]} ; do - # mail ports + # mail ports # $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done @@ -1838,7 +1836,7 @@ $ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp declare -i j=1 for _dev in ${ext_if_arr[@]} ; do - + # - (1) # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. @@ -1905,7 +1903,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - (Re)define helper # - # - !! Note: !! - # - for both, local FTP server (ftp_server_ip_arr) + # - for both, local FTP server (ftp_server_ip_arr) # - and forward to FTP server (forward_ftp_server_ip_arr) # - $ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp @@ -1938,7 +1936,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - - If matched, the "last seen" timestamp of the source address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - + # - $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT @@ -1954,7 +1952,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_ftp_server_ip_arr[@]} ; do - + # ===== # - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic 
@@ -1979,7 +1977,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - - If matched, the "last seen" timestamp of the source address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - + # - $ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT $ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \ @@ -2010,7 +2008,7 @@ fi # $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # # Datenkanal (passiver modus) # $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT -# # - Kontrollverbindung +# # - Kontrollverbindung # $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT # done # fi @@ -2128,7 +2126,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incoming Ports" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do - if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then + if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT fi $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT 
@@ -2274,7 +2272,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT fi done @@ -2291,8 +2289,8 @@ for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT fi done @@ -2326,7 +2324,7 @@ echononl "\t\tWhois out only" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT fi done @@ -2342,7 +2340,7 @@ echononl "\t\tGIT out only" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT fi done 
@@ -2358,7 +2356,7 @@ echononl "\t\tSpecial TCP Ports OUT" if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then - if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do @@ -2485,7 +2483,7 @@ else fi -echo +echo # --- # - UNIX Traceroute diff --git a/ipt-firewall-server b/ipt-firewall-server index e9d4b12..5e9e6ec 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -148,7 +148,7 @@ echo # --- Activate IP Forwarding # ------------- -## - IP Forwarding deaktivieren. +## - IP Forwarding deaktivieren. ## - ## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise ## - @@ -212,13 +212,13 @@ if ! $host_is_vm ; then fi ## - Ignore Broadcast Pings - ## - + ## - if $kernel_ignore_broadcast_ping ; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts fi ## - Deactivate Source Routed Packets - ## - + ## - if $kernel_deactivate_source_route ; then for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do echo 0 > $asr @@ -241,9 +241,9 @@ if ! $host_is_vm ; then ## - Keine ICMP Umleitungspakete akzeptieren. ## - - ## - Diese können zur Veränderung der Routing Tables verwendet - ## - werden, möglicherweise mit einem böswilligen Ziel. - ## - + ## - Diese können zur Veränderung der Routing Tables verwendet + ## - werden, möglicherweise mit einem böswilligen Ziel. + ## - #echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects ## - NUMBER OF CONNECTIONS TO TRACK @@ -348,7 +348,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems" if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then for _ip in ${lxc_guest_ip_arr[@]} ; do - + $ipt -I FORWARD -p all -d $_ip -j ACCEPT $ipt -I FORWARD -p all -s $_ip -j ACCEPT 
@@ -532,7 +532,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then is_valid_mask=true ipv4="" mask="" - + # Ignore comment lines # [[ $_line =~ ^[[:space:]]{0,}# ]] && continue @@ -699,7 +699,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then else echo_skipped fi - + # ------------- @@ -906,6 +906,22 @@ done echo_done +# ------------- +# --- Traffic generally allowed +# ------------- + +echo +echononl "\tLoopback device generally allowed.." + +# --- +# - Loopback device +# --- + +$ipt -A INPUT -i lo -j ACCEPT +$ipt -A OUTPUT -o lo -j ACCEPT + +echo_done + # --- # - Protection against syn-flooding @@ -987,7 +1003,7 @@ fi # --- echononl "\tLimit RST packets" -if $limit_rst_packets ; then +if $limit_rst_packets ; then $ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT if $log_rejected || $log_all ; then $ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " @@ -1068,8 +1084,8 @@ fi # --- iPerf # ------------- -# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. -# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, # SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. echononl "\tCreate \"iPerf\" rules.." @@ -1130,25 +1146,6 @@ done echo_done echo - - -# ------------- -# --- Traffic generally allowed -# ------------- - -echononl "\tLoopback device generally allowed.." - -# --- -# - Loopback device -# --- - -$ipt -A INPUT -i lo -j ACCEPT -$ipt -A OUTPUT -o lo -j ACCEPT - -echo_done - - -echo # ------------- # ---- Restrict local Servive to given (extern) IP-Address/Network 
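Review bot: In the new loopback block (`$ipt -A INPUT -i lo -j ACCEPT`, `$ipt -A OUTPUT -o lo -j ACCEPT`) nothing rejects loopback-sourced packets that arrive on a non-lo interface, so the accept-by-interface rule should be paired with an anti-spoof drop such as `$ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP` placed ahead of it, unless another part of the script already does this (the diff does not show one). The block is now appended before the syn-flood protection and the "Limit RST packets" rule, which is the behavioural effect of the move, yet the only comment is the generic section header; documenting the ordering dependency in one line, e.g. `# Must stay ahead of the syn-flood / RST-limit rules: loopback traffic is never rate-limited`, would make the intent survive future edits. This is top-level script code, and the syn-flood section it now precedes begins outside the hunk.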
@@ -1192,7 +1189,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network" if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then _deny_net_arr=() - + for _val in "${restrict_local_net_to_net_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do @@ -1251,7 +1248,7 @@ else fi # - unprotected_ifs -# - +# - # - Posiible values are 'true' and 'false' # - allow_all_outgoing_traffic=false @@ -1295,7 +1292,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" # ------------- -# ---- Allow extern Service +# ---- Allow extern Service # ------------- echononl "\t\tAllow extern Service" @@ -1334,7 +1331,7 @@ echo # ------------- -# ---- Allow (non-standard) local Services +# ---- Allow (non-standard) local Services # ------------- echononl "\t\tAllow (non-standard) local Services" @@ -1406,9 +1403,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then else echo_skipped fi - - + + # --- # - DNS out only # --- @@ -1444,10 +1441,10 @@ echononl "\t\tDNS Service" if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${dns_server_ips[@]} ; do - # dns requests + # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # $ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT 
@@ -1456,13 +1453,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - $ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT done fi - + if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_dns_server_ip_arr[@]} ; do - # dns requests + # dns requests # # Note: - # If the total size of the DNS record is larger than 512 bytes, + # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # $ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT @@ -1856,7 +1853,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@] if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_server_ips_arr[@]} ; do - # mail ports + # mail ports # $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done @@ -1864,7 +1861,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@] if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mail_server_ip_arr[@]} ; do - # mail ports + # mail ports # $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done @@ -1886,7 +1883,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@] if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_client_ips_arr[@]} ; do - # mail ports + # mail ports # $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done 
@@ -1894,7 +1891,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@] if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mail_client_ip_arr[@]} ; do - # mail ports + # mail ports # $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done @@ -2011,7 +2008,7 @@ $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp declare -i j=1 for _dev in ${ext_if_arr[@]} ; do - + # - (1) # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. @@ -2077,7 +2074,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - (Re)define helper # - # - !! Note: !! - # - for both, local FTP server (ftp_server_ip_arr) + # - for both, local FTP server (ftp_server_ip_arr) # - and forward to FTP server (forward_ftp_server_ip_arr) # - $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp @@ -2110,7 +2107,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - - If matched, the "last seen" timestamp of the source address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - + # - $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT @@ -2126,7 +2123,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_ftp_server_ip_arr[@]} ; do - + # ===== # - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic 
@@ -2151,7 +2148,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - - If matched, the "last seen" timestamp of the source address will be updated (--update). # - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - + # - $ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT $ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \ @@ -2181,7 +2178,7 @@ fi # $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT # # Datenkanal (passiver modus) # $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT -# # - Kontrollverbindung +# # - Kontrollverbindung # $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT # done # fi @@ -2216,7 +2213,7 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]} for _port in ${xmmp_tcp_in_port_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT done - + for _port in ${xmmp_tcp_out_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT done 
@@ -2299,7 +2296,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incomming Ports" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do - if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then + if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT fi $ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT @@ -2445,7 +2442,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT fi done @@ -2462,8 +2459,8 @@ for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT fi done 
@@ -2499,7 +2496,7 @@ echononl "\t\tWhois out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT fi done @@ -2515,7 +2512,7 @@ echononl "\t\tGIT out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT fi done @@ -2531,7 +2528,7 @@ echononl "\t\tSpecial TCP Ports OUT" if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then - if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do @@ -2653,7 +2650,7 @@ else fi -echo +echo # --- # - UNIX Traceroute @@ -2801,6 +2798,6 @@ exit 0 #$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443 #$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE # -# - +# - # ---------- Ende Portforwarding ---------- #