ip6t-firewall-server,ipt-firewall-server: move 'Loopback device generally allowed' to an earlier point in the script.
parent
d857756be7
commit
1062208237
@ -288,7 +288,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems"
|
|||||||
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
|
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
|
||||||
|
|
||||||
for _ip in ${lxc_guest_ip_arr[@]} ; do
|
for _ip in ${lxc_guest_ip_arr[@]} ; do
|
||||||
|
|
||||||
$ip6t -I FORWARD -p all -d $_ip -j ACCEPT
|
$ip6t -I FORWARD -p all -d $_ip -j ACCEPT
|
||||||
$ip6t -I FORWARD -p all -s $_ip -j ACCEPT
|
$ip6t -I FORWARD -p all -s $_ip -j ACCEPT
|
||||||
|
|
||||||
@ -477,7 +477,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
|
|||||||
is_valid_mask=false
|
is_valid_mask=false
|
||||||
ipv6=""
|
ipv6=""
|
||||||
mask=""
|
mask=""
|
||||||
|
|
||||||
# Ignore comment lines
|
# Ignore comment lines
|
||||||
#
|
#
|
||||||
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
|
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
|
||||||
@ -502,7 +502,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
|
|||||||
ipv6="${_addr[0]}"
|
ipv6="${_addr[0]}"
|
||||||
|
|
||||||
# Test mask if given
|
# Test mask if given
|
||||||
#
|
#
|
||||||
if [[ -n "${_addr[1]}" ]] ; then
|
if [[ -n "${_addr[1]}" ]] ; then
|
||||||
mask="${_addr[1]}"
|
mask="${_addr[1]}"
|
||||||
|
|
||||||
@ -513,7 +513,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
|
|||||||
# Its not a vaild mask number, but naybe a valit netmask.
|
# Its not a vaild mask number, but naybe a valit netmask.
|
||||||
#
|
#
|
||||||
no_valid_ipv6_arr+=("$given_ipv6")
|
no_valid_ipv6_arr+=("$given_ipv6")
|
||||||
|
|
||||||
else
|
else
|
||||||
if [[ $mask -gt 128 ]]; then
|
if [[ $mask -gt 128 ]]; then
|
||||||
|
|
||||||
@ -534,7 +534,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
|
|||||||
is_valid_ipv6=true
|
is_valid_ipv6=true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
if $is_valid_ipv6 && $is_valid_mask; then
|
if $is_valid_ipv6 && $is_valid_mask; then
|
||||||
|
|
||||||
_ip="${ipv6}/${mask}"
|
_ip="${ipv6}/${mask}"
|
||||||
@ -574,7 +574,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
|
|||||||
else
|
else
|
||||||
echo_skipped
|
echo_skipped
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
@ -625,14 +625,14 @@ echo_done
|
|||||||
|
|
||||||
echononl "\tBlock packets with bogus TCP flags"
|
echononl "\tBlock packets with bogus TCP flags"
|
||||||
if $log_invalid_flags || $log_all ; then
|
if $log_invalid_flags || $log_all ; then
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
|
||||||
@ -753,6 +753,22 @@ done
|
|||||||
echo_done
|
echo_done
|
||||||
|
|
||||||
|
|
||||||
|
# -------------
|
||||||
|
# --- Traffic generally allowed
|
||||||
|
# -------------
|
||||||
|
|
||||||
|
echo
|
||||||
|
echononl "\tLoopback device generally allowed.."
|
||||||
|
|
||||||
|
# ---
|
||||||
|
# - Loopback device
|
||||||
|
# ---
|
||||||
|
|
||||||
|
$ip6t -A INPUT -i lo -j ACCEPT
|
||||||
|
$ip6t -A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
|
echo_done
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Protection against syn-flooding
|
# - Protection against syn-flooding
|
||||||
@ -834,7 +850,7 @@ fi
|
|||||||
# ---
|
# ---
|
||||||
|
|
||||||
echononl "\tLimit RST packets"
|
echononl "\tLimit RST packets"
|
||||||
if $limit_rst_packets ; then
|
if $limit_rst_packets ; then
|
||||||
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
||||||
if $log_rejected || $log_all ; then
|
if $log_rejected || $log_all ; then
|
||||||
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
||||||
@ -915,8 +931,8 @@ fi
|
|||||||
# --- iPerf
|
# --- iPerf
|
||||||
# -------------
|
# -------------
|
||||||
|
|
||||||
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
|
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
|
||||||
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
|
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
|
||||||
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
|
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
|
||||||
|
|
||||||
echononl "\tCreate \"iPerf\" rules.."
|
echononl "\tCreate \"iPerf\" rules.."
|
||||||
@ -977,26 +993,8 @@ done
|
|||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
|
||||||
# --- Traffic generally allowed
|
|
||||||
# -------------
|
|
||||||
|
|
||||||
echononl "\tLoopback device generally allowed.."
|
|
||||||
|
|
||||||
# ---
|
|
||||||
# - Loopback device
|
|
||||||
# ---
|
|
||||||
|
|
||||||
$ip6t -A INPUT -i lo -j ACCEPT
|
|
||||||
$ip6t -A OUTPUT -o lo -j ACCEPT
|
|
||||||
|
|
||||||
echo_done
|
|
||||||
|
|
||||||
|
|
||||||
echo
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
||||||
# -------------
|
# -------------
|
||||||
@ -1038,7 +1036,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network"
|
|||||||
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
|
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
|
||||||
|
|
||||||
_deny_net_arr=()
|
_deny_net_arr=()
|
||||||
|
|
||||||
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
|
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
|
||||||
IFS=',' read -a _val_arr <<< "${_val}"
|
IFS=',' read -a _val_arr <<< "${_val}"
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
@ -1129,7 +1127,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
|
|||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# ---- Allow extern Service
|
# ---- Allow extern Service
|
||||||
# -------------
|
# -------------
|
||||||
|
|
||||||
echononl "\t\tAllow extern Service"
|
echononl "\t\tAllow extern Service"
|
||||||
@ -1168,7 +1166,7 @@ echo
|
|||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# ---- Allow (non-standard) local Services
|
# ---- Allow (non-standard) local Services
|
||||||
# -------------
|
# -------------
|
||||||
|
|
||||||
echononl "\t\tAllow (non-standard) local Services"
|
echononl "\t\tAllow (non-standard) local Services"
|
||||||
@ -1238,9 +1236,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
|
|||||||
else
|
else
|
||||||
echo_skipped
|
echo_skipped
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - DNS out only
|
# - DNS out only
|
||||||
# ---
|
# ---
|
||||||
@ -1279,7 +1277,7 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
|
|||||||
# dns requests
|
# dns requests
|
||||||
#
|
#
|
||||||
# Note:
|
# Note:
|
||||||
# If the total size of the DNS record is larger than 512 bytes,
|
# If the total size of the DNS record is larger than 512 bytes,
|
||||||
# it will be sent over TCP, not UDP.
|
# it will be sent over TCP, not UDP.
|
||||||
#
|
#
|
||||||
$ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
|
$ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
|
||||||
@ -1288,13 +1286,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
|
|||||||
$ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
|
$ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||||||
for _ip in ${forward_dns_server_ip_arr[@]} ; do
|
for _ip in ${forward_dns_server_ip_arr[@]} ; do
|
||||||
# dns requests
|
# dns requests
|
||||||
#
|
#
|
||||||
# Note:
|
# Note:
|
||||||
# If the total size of the DNS record is larger than 512 bytes,
|
# If the total size of the DNS record is larger than 512 bytes,
|
||||||
# it will be sent over TCP, not UDP.
|
# it will be sent over TCP, not UDP.
|
||||||
#
|
#
|
||||||
$ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
|
||||||
@ -1683,7 +1681,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
|
|||||||
|
|
||||||
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
|
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
|
||||||
for _ip in ${mail_server_ips_arr[@]} ; do
|
for _ip in ${mail_server_ips_arr[@]} ; do
|
||||||
# mail ports
|
# mail ports
|
||||||
#
|
#
|
||||||
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
@ -1691,7 +1689,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
|
|||||||
|
|
||||||
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||||||
for _ip in ${forward_mail_server_ip_arr[@]} ; do
|
for _ip in ${forward_mail_server_ip_arr[@]} ; do
|
||||||
# mail ports
|
# mail ports
|
||||||
#
|
#
|
||||||
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
@ -1734,7 +1732,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
|
|||||||
|
|
||||||
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
|
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
|
||||||
for _ip in ${mail_client_ips_arr[@]} ; do
|
for _ip in ${mail_client_ips_arr[@]} ; do
|
||||||
# mail ports
|
# mail ports
|
||||||
#
|
#
|
||||||
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
@ -1742,7 +1740,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
|
|||||||
|
|
||||||
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||||||
for _ip in ${forward_mail_client_ip_arr[@]} ; do
|
for _ip in ${forward_mail_client_ip_arr[@]} ; do
|
||||||
# mail ports
|
# mail ports
|
||||||
#
|
#
|
||||||
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
|
||||||
done
|
done
|
||||||
@ -1838,7 +1836,7 @@ $ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
|
|||||||
declare -i j=1
|
declare -i j=1
|
||||||
|
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
|
|
||||||
# - (1)
|
# - (1)
|
||||||
# -
|
# -
|
||||||
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
|
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
|
||||||
@ -1905,7 +1903,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
|||||||
# - (Re)define helper
|
# - (Re)define helper
|
||||||
# -
|
# -
|
||||||
# - !! Note: !!
|
# - !! Note: !!
|
||||||
# - for both, local FTP server (ftp_server_ip_arr)
|
# - for both, local FTP server (ftp_server_ip_arr)
|
||||||
# - and forward to FTP server (forward_ftp_server_ip_arr)
|
# - and forward to FTP server (forward_ftp_server_ip_arr)
|
||||||
# -
|
# -
|
||||||
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
|
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
|
||||||
@ -1938,7 +1936,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
|||||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||||
# -
|
# -
|
||||||
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||||
# -
|
# -
|
||||||
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||||
|
|
||||||
@ -1954,7 +1952,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
|||||||
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
|
||||||
|
|
||||||
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
|
||||||
|
|
||||||
# =====
|
# =====
|
||||||
# -
|
# -
|
||||||
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
|
||||||
@ -1979,7 +1977,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
|
|||||||
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
|
||||||
# -
|
# -
|
||||||
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
|
||||||
# -
|
# -
|
||||||
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
|
||||||
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
|
||||||
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
|
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
|
||||||
@ -2010,7 +2008,7 @@ fi
|
|||||||
# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
|
# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
|
||||||
# # Datenkanal (passiver modus)
|
# # Datenkanal (passiver modus)
|
||||||
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
||||||
# # - Kontrollverbindung
|
# # - Kontrollverbindung
|
||||||
# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
|
# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
|
||||||
# done
|
# done
|
||||||
# fi
|
# fi
|
||||||
@ -2128,7 +2126,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incoming Ports"
|
|||||||
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
|
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
|
||||||
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
|
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
|
||||||
for _ip in ${jitsi_server_ip_arr[@]} ; do
|
for _ip in ${jitsi_server_ip_arr[@]} ; do
|
||||||
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
|
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
|
||||||
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
|
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
|
||||||
fi
|
fi
|
||||||
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
|
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
|
||||||
@ -2274,7 +2272,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
|
|||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
|
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -2291,8 +2289,8 @@ for _dev in ${ext_if_arr[@]} ; do
|
|||||||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
||||||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
||||||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -2326,7 +2324,7 @@ echononl "\t\tWhois out only"
|
|||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
|
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -2342,7 +2340,7 @@ echononl "\t\tGIT out only"
|
|||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
|
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
|
||||||
if $kernel_forward_between_interfaces ; then
|
if $kernel_forward_between_interfaces ; then
|
||||||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
|
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -2358,7 +2356,7 @@ echononl "\t\tSpecial TCP Ports OUT"
|
|||||||
|
|
||||||
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
|
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
|
||||||
|
|
||||||
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
|
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
|
||||||
|
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
for _port in ${tcp_out_port_arr[@]} ; do
|
for _port in ${tcp_out_port_arr[@]} ; do
|
||||||
@ -2485,7 +2483,7 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
echo
|
echo
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - UNIX Traceroute
|
# - UNIX Traceroute
|
||||||
|
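Review bot: The relocated loopback rules `$ip6t -A INPUT -i lo -j ACCEPT` / `$ip6t -A OUTPUT -o lo -j ACCEPT` (hunk @ -753,6 +753,22) are appended to filter INPUT/OUTPUT before the syn-flood section and the `Limit RST packets` rule that follow, so local traffic now matches before those limits rather than after the iPerf rules as at the old location (hunk @ -977,26 +977,8); neither the hunk nor the commit message records that this ordering is the intent. Adding `# Must precede syn-flood / RST-limit rules: loopback traffic is never rate-limited` above the two rules would keep a later reorder from silently undoing it. The identical move for IPv4 is in the ipt-firewall-server hunk @ -906,6 +906,22, which should carry the same comment. Separately, `-i lo` accepts any address arriving on lo; unless the script already does so elsewhere, a matching anti-spoof rule such as `$ip6t -A INPUT ! -i lo -s ::1 -j DROP` (and the 127.0.0.0/8 equivalent in the IPv4 script) is the conventional companion and would fit naturally in this block.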
@ -148,7 +148,7 @@ echo
|
|||||||
# --- Activate IP Forwarding
|
# --- Activate IP Forwarding
|
||||||
# -------------
|
# -------------
|
||||||
|
|
||||||
## - IP Forwarding deaktivieren.
|
## - IP Forwarding deaktivieren.
|
||||||
## -
|
## -
|
||||||
## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
|
## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
|
||||||
## -
|
## -
|
||||||
@ -212,13 +212,13 @@ if ! $host_is_vm ; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
## - Ignore Broadcast Pings
|
## - Ignore Broadcast Pings
|
||||||
## -
|
## -
|
||||||
if $kernel_ignore_broadcast_ping ; then
|
if $kernel_ignore_broadcast_ping ; then
|
||||||
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## - Deactivate Source Routed Packets
|
## - Deactivate Source Routed Packets
|
||||||
## -
|
## -
|
||||||
if $kernel_deactivate_source_route ; then
|
if $kernel_deactivate_source_route ; then
|
||||||
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
|
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
|
||||||
echo 0 > $asr
|
echo 0 > $asr
|
||||||
@ -241,9 +241,9 @@ if ! $host_is_vm ; then
|
|||||||
|
|
||||||
## - Keine ICMP Umleitungspakete akzeptieren.
|
## - Keine ICMP Umleitungspakete akzeptieren.
|
||||||
## -
|
## -
|
||||||
## - Diese können zur Veränderung der Routing Tables verwendet
|
## - Diese können zur Veränderung der Routing Tables verwendet
|
||||||
## - werden, möglicherweise mit einem böswilligen Ziel.
|
## - werden, möglicherweise mit einem böswilligen Ziel.
|
||||||
## -
|
## -
|
||||||
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
|
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
|
||||||
|
|
||||||
## - NUMBER OF CONNECTIONS TO TRACK
|
## - NUMBER OF CONNECTIONS TO TRACK
|
||||||
@ -348,7 +348,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems"
|
|||||||
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
|
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
|
||||||
|
|
||||||
for _ip in ${lxc_guest_ip_arr[@]} ; do
|
for _ip in ${lxc_guest_ip_arr[@]} ; do
|
||||||
|
|
||||||
$ipt -I FORWARD -p all -d $_ip -j ACCEPT
|
$ipt -I FORWARD -p all -d $_ip -j ACCEPT
|
||||||
$ipt -I FORWARD -p all -s $_ip -j ACCEPT
|
$ipt -I FORWARD -p all -s $_ip -j ACCEPT
|
||||||
|
|
||||||
@ -532,7 +532,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
|
|||||||
is_valid_mask=true
|
is_valid_mask=true
|
||||||
ipv4=""
|
ipv4=""
|
||||||
mask=""
|
mask=""
|
||||||
|
|
||||||
# Ignore comment lines
|
# Ignore comment lines
|
||||||
#
|
#
|
||||||
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
|
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
|
||||||
@ -699,7 +699,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
|
|||||||
else
|
else
|
||||||
echo_skipped
|
echo_skipped
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
@ -906,6 +906,22 @@ done
|
|||||||
echo_done
|
echo_done
|
||||||
|
|
||||||
|
|
||||||
|
# -------------
|
||||||
|
# --- Traffic generally allowed
|
||||||
|
# -------------
|
||||||
|
|
||||||
|
echo
|
||||||
|
echononl "\tLoopback device generally allowed.."
|
||||||
|
|
||||||
|
# ---
|
||||||
|
# - Loopback device
|
||||||
|
# ---
|
||||||
|
|
||||||
|
$ipt -A INPUT -i lo -j ACCEPT
|
||||||
|
$ipt -A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
|
echo_done
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - Protection against syn-flooding
|
# - Protection against syn-flooding
|
||||||
@ -987,7 +1003,7 @@ fi
|
|||||||
# ---
|
# ---
|
||||||
|
|
||||||
echononl "\tLimit RST packets"
|
echononl "\tLimit RST packets"
|
||||||
if $limit_rst_packets ; then
|
if $limit_rst_packets ; then
|
||||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
|
||||||
if $log_rejected || $log_all ; then
|
if $log_rejected || $log_all ; then
|
||||||
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
|
||||||
@ -1068,8 +1084,8 @@ fi
|
|||||||
# --- iPerf
|
# --- iPerf
|
||||||
# -------------
|
# -------------
|
||||||
|
|
||||||
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
|
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
|
||||||
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
|
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
|
||||||
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
|
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
|
||||||
|
|
||||||
echononl "\tCreate \"iPerf\" rules.."
|
echononl "\tCreate \"iPerf\" rules.."
|
||||||
@ -1130,25 +1146,6 @@ done
|
|||||||
|
|
||||||
echo_done
|
echo_done
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
|
||||||
# -------------
|
|
||||||
# --- Traffic generally allowed
|
|
||||||
# -------------
|
|
||||||
|
|
||||||
echononl "\tLoopback device generally allowed.."
|
|
||||||
|
|
||||||
# ---
|
|
||||||
# - Loopback device
|
|
||||||
# ---
|
|
||||||
|
|
||||||
$ipt -A INPUT -i lo -j ACCEPT
|
|
||||||
$ipt -A OUTPUT -o lo -j ACCEPT
|
|
||||||
|
|
||||||
echo_done
|
|
||||||
|
|
||||||
|
|
||||||
echo
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
||||||
@ -1192,7 +1189,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network"
|
|||||||
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
|
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
|
||||||
|
|
||||||
_deny_net_arr=()
|
_deny_net_arr=()
|
||||||
|
|
||||||
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
|
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
|
||||||
IFS=':' read -a _val_arr <<< "${_val}"
|
IFS=':' read -a _val_arr <<< "${_val}"
|
||||||
for _dev in ${ext_if_arr[@]} ; do
|
for _dev in ${ext_if_arr[@]} ; do
|
||||||
@ -1251,7 +1248,7 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# - unprotected_ifs
|
# - unprotected_ifs
|
||||||
# -
|
# -
|
||||||
# - Posiible values are 'true' and 'false'
|
# - Posiible values are 'true' and 'false'
|
||||||
# -
|
# -
|
||||||
allow_all_outgoing_traffic=false
|
allow_all_outgoing_traffic=false
|
||||||
@ -1295,7 +1292,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
|
|||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# ---- Allow extern Service
|
# ---- Allow extern Service
|
||||||
# -------------
|
# -------------
|
||||||
|
|
||||||
echononl "\t\tAllow extern Service"
|
echononl "\t\tAllow extern Service"
|
||||||
@ -1334,7 +1331,7 @@ echo
|
|||||||
|
|
||||||
|
|
||||||
# -------------
|
# -------------
|
||||||
# ---- Allow (non-standard) local Services
|
# ---- Allow (non-standard) local Services
|
||||||
# -------------
|
# -------------
|
||||||
|
|
||||||
echononl "\t\tAllow (non-standard) local Services"
|
echononl "\t\tAllow (non-standard) local Services"
|
||||||
@ -1406,9 +1403,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
|
|||||||
else
|
else
|
||||||
echo_skipped
|
echo_skipped
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# ---
|
# ---
|
||||||
# - DNS out only
|
# - DNS out only
|
||||||
# ---
|
# ---
|
||||||
@ -1444,10 +1441,10 @@ echononl "\t\tDNS Service"
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do
for _ip in ${dns_server_ips[@]} ; do
# dns requests
# dns requests
#
#
# Note:
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
# it will be sent over TCP, not UDP.
#
#
$ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1456,13 +1453,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
$ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
done
fi
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
# dns requests
#
#
# Note:
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
# it will be sent over TCP, not UDP.
#
#
$ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1856,7 +1853,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
# mail ports
#
#
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
done
@ -1864,7 +1861,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
# mail ports
#
#
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
done
@ -1886,7 +1883,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
# mail ports
#
#
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
done
@ -1894,7 +1891,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_client_ip_arr[@]} ; do
for _ip in ${forward_mail_client_ip_arr[@]} ; do
# mail ports
# mail ports
#
#
$ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
done
@ -2011,7 +2008,7 @@ $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
declare -i j=1
declare -i j=1
for _dev in ${ext_if_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
# - (1)
# - (1)
# -
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
@ -2077,7 +2074,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - (Re)define helper
# - (Re)define helper
# -
# -
# - !! Note: !!
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
# -
$ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
$ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
@ -2110,7 +2107,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
@ -2126,7 +2123,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# =====
# =====
# -
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
@ -2151,7 +2148,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
$ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
$ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
$ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
@ -2181,7 +2178,7 @@ fi
# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT
# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# # Datenkanal (passiver modus)
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# # - Kontrollverbindung
# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# done
# fi
# fi
@ -2216,7 +2213,7 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]}
for _port in ${xmmp_tcp_in_port_arr[@]} ; do
for _port in ${xmmp_tcp_in_port_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
for _port in ${xmmp_tcp_out_port_arr[@]} ; do
for _port in ${xmmp_tcp_out_port_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
@ -2299,7 +2296,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incomming Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do
for _ip in ${jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
fi
fi
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
@ -2445,7 +2442,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
fi
done
done
@ -2462,8 +2459,8 @@ for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
fi
done
done
@ -2499,7 +2496,7 @@ echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
fi
done
done
@ -2515,7 +2512,7 @@ echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
fi
done
done
@ -2531,7 +2528,7 @@ echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
@ -2653,7 +2650,7 @@ else
fi
fi
echo
echo
# ---
# ---
# - UNIX Traceroute
# - UNIX Traceroute
@ -2801,6 +2798,6 @@ exit 0
#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
#
#
# -
# -
# ---------- Ende Portforwarding ---------- #
# ---------- Ende Portforwarding ---------- #