firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ip6t-firewall-server,ipt-firewall-server: move 'Loopback device generally allowed' to an earlier point in the script.

Browse Source
This commit is contained in:
Christoph 2024-04-08 21:07:51 +02:00
parent d857756be7
commit 1062208237
2 changed files with 118 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
ip6t-firewall-server
View File

@ -288,7 +288,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems"
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
for _ip in ${lxc_guest_ip_arr[@]} ; do
$ip6t -I FORWARD -p all -d $_ip -j ACCEPT
$ip6t -I FORWARD -p all -s $_ip -j ACCEPT
@ -477,7 +477,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
is_valid_mask=false
ipv6=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
@ -502,7 +502,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
ipv6="${_addr[0]}"
# Test mask if given
#
#
if [[ -n "${_addr[1]}" ]] ; then
mask="${_addr[1]}"
@ -513,7 +513,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
# Its not a vaild mask number, but naybe a valit netmask.
#
no_valid_ipv6_arr+=("$given_ipv6")
else
if [[ $mask -gt 128 ]]; then
@ -534,7 +534,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
is_valid_ipv6=true
fi
if $is_valid_ipv6 && $is_valid_mask; then
_ip="${ipv6}/${mask}"
@ -574,7 +574,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
else
echo_skipped
fi
# -------------
@ -625,14 +625,14 @@ echo_done
echononl "\tBlock packets with bogus TCP flags"
if $log_invalid_flags || $log_all ; then
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
@ -753,6 +753,22 @@ done
echo_done
# -------------
# --- Traffic generally allowed
# -------------
echo
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ip6t -A INPUT -i lo -j ACCEPT
$ip6t -A OUTPUT -o lo -j ACCEPT
echo_done
# ---
# - Protection against syn-flooding
@ -834,7 +850,7 @@ fi
# ---
echononl "\tLimit RST packets"
if $limit_rst_packets ; then
if $limit_rst_packets ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
@ -915,8 +931,8 @@ fi
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
@ -977,26 +993,8 @@ done
echo_done
echo
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ip6t -A INPUT -i lo -j ACCEPT
$ip6t -A OUTPUT -o lo -j ACCEPT
echo_done
echo
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------
@ -1038,7 +1036,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
_deny_net_arr=()
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
@ -1129,7 +1127,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# -------------
# ---- Allow extern Service
# ---- Allow extern Service
# -------------
echononl "\t\tAllow extern Service"
@ -1168,7 +1166,7 @@ echo
# -------------
# ---- Allow (non-standard) local Services
# ---- Allow (non-standard) local Services
# -------------
echononl "\t\tAllow (non-standard) local Services"
@ -1238,9 +1236,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
else
echo_skipped
fi
# ---
# - DNS out only
# ---
@ -1279,7 +1277,7 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1288,13 +1286,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
$ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1683,7 +1681,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1691,7 +1689,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1734,7 +1732,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1742,7 +1740,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mail_client_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1838,7 +1836,7 @@ $ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
declare -i j=1
for _dev in ${ext_if_arr[@]} ; do
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
@ -1905,7 +1903,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
@ -1938,7 +1936,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
@ -1954,7 +1952,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
@ -1979,7 +1977,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
@ -2010,7 +2008,7 @@ fi
# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# # - Kontrollverbindung
# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
@ -2128,7 +2126,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incoming Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
fi
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
@ -2274,7 +2272,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
@ -2291,8 +2289,8 @@ for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@ -2326,7 +2324,7 @@ echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
@ -2342,7 +2340,7 @@ echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
@ -2358,7 +2356,7 @@ echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
@ -2485,7 +2483,7 @@ else
fi
echo
echo
# ---
# - UNIX Traceroute

121
ipt-firewall-server
View File

@ -148,7 +148,7 @@ echo
# --- Activate IP Forwarding
# -------------
## - IP Forwarding deaktivieren.
## - IP Forwarding deaktivieren.
## -
## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
## -
@ -212,13 +212,13 @@ if ! $host_is_vm ; then
fi
## - Ignore Broadcast Pings
## -
## -
if $kernel_ignore_broadcast_ping ; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
## - Deactivate Source Routed Packets
## -
## -
if $kernel_deactivate_source_route ; then
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
echo 0 > $asr
@ -241,9 +241,9 @@ if ! $host_is_vm ; then
## - Keine ICMP Umleitungspakete akzeptieren.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
## - NUMBER OF CONNECTIONS TO TRACK
@ -348,7 +348,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems"
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
for _ip in ${lxc_guest_ip_arr[@]} ; do
$ipt -I FORWARD -p all -d $_ip -j ACCEPT
$ipt -I FORWARD -p all -s $_ip -j ACCEPT
@ -532,7 +532,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
is_valid_mask=true
ipv4=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
@ -699,7 +699,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
else
echo_skipped
fi
# -------------
@ -906,6 +906,22 @@ done
echo_done
# -------------
# --- Traffic generally allowed
# -------------
echo
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
echo_done
# ---
# - Protection against syn-flooding
@ -987,7 +1003,7 @@ fi
# ---
echononl "\tLimit RST packets"
if $limit_rst_packets ; then
if $limit_rst_packets ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
@ -1068,8 +1084,8 @@ fi
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
@ -1130,25 +1146,6 @@ done
echo_done
echo
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
echo_done
echo
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
@ -1192,7 +1189,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
_deny_net_arr=()
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
@ -1251,7 +1248,7 @@ else
fi
# - unprotected_ifs
# -
# -
# - Posiible values are 'true' and 'false'
# -
allow_all_outgoing_traffic=false
@ -1295,7 +1292,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# -------------
# ---- Allow extern Service
# ---- Allow extern Service
# -------------
echononl "\t\tAllow extern Service"
@ -1334,7 +1331,7 @@ echo
# -------------
# ---- Allow (non-standard) local Services
# ---- Allow (non-standard) local Services
# -------------
echononl "\t\tAllow (non-standard) local Services"
@ -1406,9 +1403,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
else
echo_skipped
fi
# ---
# - DNS out only
# ---
@ -1444,10 +1441,10 @@ echononl "\t\tDNS Service"
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1456,13 +1453,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
$ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1856,7 +1853,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1864,7 +1861,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1886,7 +1883,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1894,7 +1891,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_client_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -2011,7 +2008,7 @@ $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
declare -i j=1
for _dev in ${ext_if_arr[@]} ; do
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
@ -2077,7 +2074,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
@ -2110,7 +2107,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
@ -2126,7 +2123,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
@ -2151,7 +2148,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
$ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
@ -2181,7 +2178,7 @@ fi
# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# # - Kontrollverbindung
# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
@ -2216,7 +2213,7 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]}
for _port in ${xmmp_tcp_in_port_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
for _port in ${xmmp_tcp_out_port_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
@ -2299,7 +2296,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incomming Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
fi
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
@ -2445,7 +2442,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
@ -2462,8 +2459,8 @@ for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@ -2499,7 +2496,7 @@ echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
@ -2515,7 +2512,7 @@ echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
@ -2531,7 +2528,7 @@ echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
@ -2653,7 +2650,7 @@ else
fi
echo
echo
# ---
# - UNIX Traceroute
@ -2801,6 +2798,6 @@ exit 0
#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
#
# -
# -
# ---------- Ende Portforwarding ---------- #