From 15accbe3a6c8d74f230259e73c7d5870e950c0de Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 7 Mar 2019 05:07:46 +0100
Subject: [PATCH] Complete the last commit.
---
.../ban_ipv4.list.sample | 0
.../ban_ipv6.list.sample | 0
OLD/ip6t-firewall-server | 1743 ++++++++++++++
.../ip6t-firewall-server.conf.sample | 0
OLD/ipt-firewall-server | 2063 +++++++++++++++++
.../ipt-firewall-server.conf.sample | 0
README.systemd.server | 49 +-
README.ulogd | 59 +
ip6t-firewall-server | 244 +-
ipt-firewall-server | 328 +--
10 files changed, 4283 insertions(+), 203 deletions(-)
rename ban_ipv4.list.sample => OLD/ban_ipv4.list.sample (100%)
rename ban_ipv6.list.sample => OLD/ban_ipv6.list.sample (100%)
create mode 100755 OLD/ip6t-firewall-server
rename ip6t-firewall-server.conf.sample => OLD/ip6t-firewall-server.conf.sample (100%)
create mode 100755 OLD/ipt-firewall-server
rename ipt-firewall-server.conf.sample => OLD/ipt-firewall-server.conf.sample (100%)
create mode 100644 README.ulogd
diff --git a/ban_ipv4.list.sample b/OLD/ban_ipv4.list.sample
similarity index 100%
rename from ban_ipv4.list.sample
rename to OLD/ban_ipv4.list.sample
diff --git a/ban_ipv6.list.sample b/OLD/ban_ipv6.list.sample
similarity index 100%
rename from ban_ipv6.list.sample
rename to OLD/ban_ipv6.list.sample
diff --git a/OLD/ip6t-firewall-server b/OLD/ip6t-firewall-server
new file mode 100755
index 0000000..117e719
--- /dev/null
+++ b/OLD/ip6t-firewall-server
@@ -0,0 +1,1743 @@ +#!/usr/bin/env bash +### BEGIN INIT INFO +# Provides: ip6t-firewall +# Required-Start: $local_fs $remote_fs $syslog $network $time +# Required-Stop: $local_fs $remote_fs $syslog $network +# Should-Start: +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: IPv6 Firewall +### END INIT INFO + +CONFIG_DIR="/etc/ipt-firewall" +CONFIG_FILE="${CONFIG_DIR}/ip6t-firewall-server.conf" + +if [[ -z "$fail2ban_client" ]]; then + fail2ban_client="$(which fail2ban-client)" +fi + + +# ------------- Load Kernel Modules ------------- +# +# Load appropriate modules. +if ! $host_is_vm ; then + /sbin/modprobe ip6_tables + /sbin/modprobe ip6table_filter + /sbin/modprobe ip6t_REJECT +fi +# +# ------------- End: Load Kernel Modules ------------- + + +echo +echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m" +echo + +## -------------------------------------------------------------------------- +## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf +## -------------------------------------------------------------------------- + +if [[ -f "$CONFIG_FILE" ]]; then + source $CONFIG_FILE +else + echo + echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m" + echo + exit 1 +fi + + +# ------------- +# --- Activate IP Forwarding +# ------------- + +if ! $host_is_vm ; then + + # --- + # - Disable ip forwarding between interfaces + # --- + if $kernel_forward_between_interfaces ; then + echononl "\tActivate Forwarding.." + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + else + echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" + echo 0 > /proc/sys/net/ipv6/conf/all/forwarding + fi + + echo_done + +fi + +# ------------- +# --- Adjust Kernel Parameters (Security/Tuning) +# ------------- + +echononl "\tAdjust Kernel Parameters (Security/Tuning).." + +if ! 
$host_is_vm ; then + + # --- + # - Deactivate Source Routed Packets + # --- + for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do + if $kernel_deactivate_source_route ; then + echo 0 > $asr + fi + done + + + # --- + # - Deactivate sending ICMP redirects + # --- + if $kernel_dont_accept_redirects ; then + echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects + fi + + echo_done # Adjust Kernel Parameters (Security/Tuning) +else + echo_skipped + +fi # if ! $host_is_vm + + +# ------------- Stop Fail2Ban if installed ------------- +# +if [ -x "$fail2ban_client" ]; then + echononl "\tStopping fail2ban.." + $fail2ban_client stop > /dev/null 2>&1 + if [ "$?" = "0" ];then + echo_done + else + echo_warning + fi +fi +# +# ------------- Ende: Stop Fail2Ban if installed ------------- + + +# ------------- +# --- Set default policies / Flush Rules +# ------------- + + +echo +echononl "\tFlushing firewall iptable (IPv6).." + +# - default policies +# - +$ip6t -P INPUT ACCEPT +$ip6t -P OUTPUT ACCEPT +$ip6t -P FORWARD ACCEPT + +## - flush chains +## - +$ip6t -F +$ip6t -F INPUT +$ip6t -F OUTPUT +$ip6t -F FORWARD +$ip6t -F -t mangle +$ip6t -F -t nat +$ip6t -F -t raw +$ip6t -X +$ip6t -Z + +echo_done # Flushing firewall iptable (IPv6).. +echo + + + +# ------------- +# --- Prevent bridged traffic getting pushed through the host's iptables rules +# ------------- + +echononl "\tDo not firewall bridged traffic" +if $do_not_firewall_bridged_traffic ; then + + # - Matches if the packet is being bridged and therefore is not being routed. + # - This is only useful in the FORWARD and POSTROUTING chains. + # - + $ip6t -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT + + # - Matches if the packet has entered through a bridge interface. + # - + $ip6t -I FORWARD -m physdev --physdev-is-in -j ACCEPT + # - Matches if the packet will leave through a bridge interface. 
+ # - + $ip6t -I FORWARD -m physdev --physdev-is-out -j ACCEPT + + echo_done +else + echo_skipped +fi +echo + + + +# ------------- +# ------------ Stopping firewall if only flushing was requested (parameter flush) +# ------------- + +case $1 in + flush) + echo + echo -e "\t\033[37m\033[1mFlushing firewall was requested. No more rules..\033[m" + echo + exit 0;; +esac + + + +# ------------- +# --- Pass through Devices Interfaces (not firewalled) +# ------------- + +if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then + echononl "\tPass through Devices (not firewalled)" + for _dev in ${unprotected_if_arr[@]} ; do + if $log_unprotected || $log_all ; then + $ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + fi + $ip6t -A INPUT -i $_dev -j ACCEPT + $ip6t -A OUTPUT -o $_dev -j ACCEPT + $ip6t -A FORWARD -i $_dev -j ACCEPT + $ip6t -A FORWARD -o $_dev -j ACCEPT + done + echo_done +fi + + + +# ------------- +# --- Block IPs / Networks / Interfaces +# ------------- +echononl "\tBlock IPs / Networks / Interfaces.." 
+ + +# --- +# - Block IPs +# --- + +for _ip in $blocked_ips ; do + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + fi + fi + $ip6t -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $_ip -j DROP + fi + done +done + + +# --- +# - Block Interfaces +# --- + +for _if in ${blocked_if_arr[@]} ; do + if $log_blocked_if || $log_all ; then + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + $ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_if -j DROP + $ip6t -A FORWARD -o $_if -j DROP + fi + $ip6t -A INPUT -i $_if -j DROP + $ip6t -A OUTPUT -o $_if -j DROP +done + +echo_done # Block IPs / Networks / Interfaces.. + + + +# --- +# - Block IPs/Netwoks reading from file 'ban_ipv6.list'" +# --- + +echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv6.list' .." 
+ +if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then + + declare -a ban_ipv6_arr=() + declare -a no_valid_ipv6=() + + # Regex valid ipv6 address + # + _regex_ipv6='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}$' + + while IFS='' read -r _line || [[ -n $_line ]] ; do + + is_valid_ipv6=false + is_valid_mask=false + ipv6="" + mask="" + + # Ignore comment lines + # + [[ $_line =~ ^[[:space:]]{0,}# ]] && continue + + # Ignore blank lines + # + [[ $_line =~ ^[[:space:]]*$ ]] && continue + + # Remove leading whitespace characters + # + _line="${_line#"${_line%%[![:space:]]*}"}" + + + # Catch ipv6 Address + # + given_ipv6="$(echo $_line | cut -d ' ' -f1)" + + + # Splitt ipv6 address from possible given CIDR number + # + IFS='/' read -ra _addr <<< "$given_ipv6" + ipv6="${_addr[0]}" + + # Test mask if given + # + if [[ -n "${_addr[1]}" ]] ; then + mask="${_addr[1]}" + + # Is 'mask' a valid CIDR number? If not, test agains a valid netmask + # + if $(test -z "${mask##*[!0-9]*}" > /dev/null 2>&1) ; then + + # Its not a vaild mask number, but naybe a valit netmask. + # + no_valid_ipv6_arr+=("$given_ipv6") + + else + if [[ $mask -gt 128 ]]; then + + # Its not a vaild cidr number, but naybe a valit netmask. 
+ # + no_valid_ipv6_arr+=("$given_ipv6") + else + is_valid_mask=true + fi + fi + else + mask=64 + is_valid_mask=true + fi + + # Check if given ipv6 address is valif + if [[ "$ipv6" =~ ${_regex_ipv6} ]]; then + is_valid_ipv6=true + fi + + + if $is_valid_ipv6 && $is_valid_mask; then + + _ip="${ipv6}/${mask}" + + if containsElement "$_ip" "${ban_ipv6_arr[@]}" ; then + continue + fi + + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level + fi + fi + + $ip6t -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_activate_forwarding ; then + $ip6t -A FORWARD -i $_dev -s $_ip -j DROP + fi + done + + ban_ipv6_arr+=("$_ip") + + else + if ! containsElement "$given_ipv6" "${no_valid_ipv6_arr[@]}" ; then + no_valid_ipv6_arr+=("$given_ipv6") + fi + fi + + done < "${CONFIG_DIR}/ban_ipv6.list" + echo_done + + if [[ ${#no_valid_ipv6_arr[@]} -gt 0 ]]; then + warn "Ignored: ${no_valid_ipv6_arr[@]}" + fi +else + echo_skipped +fi + + +# --- +# - Allow Forwarding certain private Addresses +# --- + +if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then + echononl "\tAllow forwarding (private) IPs / IP-Ranges.." + for _ip in ${forward_private_ip_arr[@]}; do + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -d $_ip -j ACCEPT + $ip6t -A FORWARD -s $_ip -j ACCEPT + echo_done + else + echo_skipped + fi + done +fi + + + +# ------------- +# --- Protections against several attacks / unwanted packages +# ------------- +echo +echononl "\tProtections against several attacks / unwanted packages.." 
+ + +# --- +# - Protection against syn-flooding +# --- + +$ip6t -N syn-flood +$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN +if $log_syn_flood || $log_all ; then + $ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level +fi +$ip6t -A syn-flood -j DROP + + +# --- +# - drop new packages without syn flag +# --- + +if $log_new_not_sync || $log_all ; then + $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + fi +fi +$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP +$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p tcp ! 
--syn -m state --state NEW -j DROP +fi + + +# --- +# - drop invalid packages +# --- + +if $log_invalid_state || $log_all ; then + $ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + fi +fi +$ip6t -A INPUT -m state --state INVALID -j DROP +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -m state --state INVALID -j DROP +fi + + +# --- +# - ungewöhnliche Flags verwerfen +# --- + +for _dev in ${ext_if_arr[@]} ; do + if $log_invalid_flags || $log_all ; then + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + fi + fi + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ip6t -A FORWARD 
-i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + fi +done + + +# --- +# - Refuse private addresses on extern interfaces +# --- + +# - Refuse spoofed packets pretending to be from your IP address. +if $log_spoofed || $log_all ; then + for _ip in ${ext_ip_arr[@]} ; do + $ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + fi + done +fi +for _ip in ${ext_ip_arr[@]} ; do + $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP + if $kernel_forward_between_interfaces ; then + $ipi6t -A FORWARD -s $_ip -d $_ip -j DROP + fi +done + + +# - private Adressen auf externen interface verwerfen +for _dev in ${ext_if_arr[@]} ; do + if $log_spoofed || $log_all ; then + $ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level + $ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level + $ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + fi + fi + $ip6t -A INPUT -i $_dev -s $ula_block -j DROP + $ip6t -A INPUT -i $_dev -s $loopback -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP + $ip6t -A FORWARD -i $_dev -s $loopback -j DROP + fi + + # Don't allow spoofing from that server + $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP + $ip6t -A OUTPUT -o $_dev -s $loopback -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP + $ip6t -A FORWARD -o $_dev -s $loopback -j DROP + fi +done + +echo_done + + + +# ------------- +# ------------- Stopping 
firewall here if requested (parameter stop) +# ------------- + +case $1 in + sto*) + #echononl "Stopping firewall iptable (IPv6).." + echo + echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m" + echo + exit 0;; +esac + + +echo + +# ------------- +# --- Traffic Counter (used by munin) +# ------------- + +echononl "\tCreate Traffic Counter (used by munin)" +if $create_traffic_counter ; then + for _ip in ${ext_ip_arr[@]} ; do + $ip6t -A INPUT -d $_ip + $ip6t -A INPUT -s $_ip + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -d $_ip + $ip6t -A FORWARD -s $_ip + fi + done + echo_done +else + echo_skipped +fi + + +# ------------- +# --- iPerf +# ------------- + +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. + +echononl "\tCreate \"iPerf\" rules.." +if $create_iperf_rules ; then + $ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT + $ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT + # + $ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT + $ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT + $ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT + fi + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Generally prohibited +# ------------- + +echononl "\tGenerally prohibited traffic.." + +for _dev in ${ext_if_arr[@]} ; do + if $log_prohibited || $log_all ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. 
prohibited: " --log-level $log_level + done + if $kernel_forward_between_interfaces ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + fi + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP + done + if $kernel_forward_between_interfaces ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP + done + fi +done + +echo_done +echo + + +# ------------- +# --- Traffic generally allowed +# ------------- + +echononl "\tLoopback device generally allowed.." + +# --- +# - Loopback device +# --- + +$ip6t -A INPUT -i lo -j ACCEPT +$ip6t -A OUTPUT -o lo -j ACCEPT + +echo_done + + +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ip6t -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +$ip6t -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +fi + +echo_done + + +# --- +# - Permit all traffic through VPN lines +# --- +echononl "\tPermit all traffic through VPN lines.." 
+for _vpn_if in ${vpn_if_arr[@]} ; do + $ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT + fi +done +echo_done + +echo + + +# ------------- +# ---- Restrict local Servive to given (extern) IP-Address/Network +# ------------- + +echononl "\tRestrict local Servive to given (extern) IP-Address/Network" +if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then + + _deny_service_arr=() + + for _val in "${restrict_local_service_to_net_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m state --state NEW -j ACCEPT + + if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}" "${_deny_service_arr[@]}" ; then + _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]}") + fi + done + + done + + for _val in "${_deny_service_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# ---- Restrict local Network to given extern IP-Address/Network +# ------------- + +echononl "\tRestrict local Address/Network to given extern Address/Network" +if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then + + _deny_net_arr=() + + for _val in "${restrict_local_net_to_net_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m state --state NEW -j ACCEPT + + if ! 
containsElement "${_dev},${_val_arr[1]}" "${_deny_net_arr[@]}" ; then + _deny_net_arr+=("${_dev},${_val_arr[1]}") + fi + done + + done + + for _val in "${_deny_net_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Services +# ------------- + +echo +echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" + + +# ------------- +# ---- Allow extern Service +# ------------- + +echononl "\t\tAllow extern Service" + +if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_ext_service_arr[@]}" ; do + IFS=',' read -a _val_arr <<< "${_val}" + $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +echononl "\t\tAllow extern IP-Address/Network" + +if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _net in "${allow_ext_net_arr[@]}" ; do + $ip6t -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +echononl "\t\tAllow (non-standard) local Services" + +if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_local_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + +# --- +# - DHCP +# --- + +echononl "\t\tDHCP" + +if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then + for _dev in ${dhcp_if_arr[@]} ; do + # - in + $ip6t -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 
-j ACCEPT + # - out + $ip6t -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT + done + echo_done +else + echo_skipped +fi + + + +# --- +# - DNS out only +# --- + +echononl "\t\tDNS out only" + +# - Nameservers on the INET must be reachable for the local recursiv nameserver +# - but also for all others +# - +for _dev in ${ext_if_arr[@]} ; do + # - out from local and virtual mashine(s) + $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + + # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) + if $kernel_forward_between_interfaces ; then + # - forward from virtual mashine(s) + $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + + +# --- +# - DNS Service +# --- + +echononl "\t\tDNS Service" + +if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${dns_server_ips[@]} ; do + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + # Zonetransfer + $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_dns_server_ip_arr[@]} ; do + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. 
+ # + $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + # Zonetransfer + $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + done + fi + echo_done +else + echo_skipped +fi + + +# --- +# - SSH out only +# --- + +echononl "\t\tSSH out only" + +# ausgehende Anfragen +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + fi +done + +for _dev in ${local_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT +done + +echo_done + + +# --- +# - SSH Service +# --- + +echononl "\t\tSSH Service" + +if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${ssh_server_ip_arr[@]} ; do + for _port in ${ssh_port_arr[@]} ; do + $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_ssh_server_ip_arr[@]} ; do + for _port in ${ssh_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - VPN +# --- + +echononl "\t\tVPN Service only out" +if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + +echononl "\t\tVPN Services.." 
+if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${vpn_server_ip_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_vpn_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsync Out +# --- + +echononl "\t\tRsync (only OUT)" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then + for _port in ${rsync_port_arr[@]} ; do + + for _ip in ${rsync_out_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + done + + done + fi + + if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _port in ${rsync_port_arr[@]} ; do + + for _ip in ${forward_rsync_out_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + done + + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Telnet +# --- + +echononl "\t\tTelnet (only OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - MySQL +# --- + +echononl "\t\tMySQL (only OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - 
Munin remote service +# --- + +echononl "\t\tMunin remote service" + +if [ "X$munin_remote_ip" != "X" ]; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Munin local service +# --- + +echononl "\t\tMunin local service" + + +if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_server_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_munin_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail (SMTP OUT) +# --- + +echononl "\t\tMail (SMTP OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - Mail SMTP Server (Port 25) including Spam Control +# --- + +echononl "\t\tMail SMTP Server (Port 25) including Spam Control" + +if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then + + for _ip in ${smtpd_ips_arr[@]} ; do + $ip6t -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + # + # Razor2 (TCP Port 2703) + $ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + # 
DEPRECATED: TCP Port 7 (echo) + $ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + # + # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) + $ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + # + # - DCC (port udp:6277) + $ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT + # if DCC Server is running (port tcp:6277) + $ip6t -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT + done + fi + + if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_smtpd_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + # + # Razor2 (TCP Port 2703) + $ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + # DEPRECATED: TCP Port 7 (echo) + $ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + # + # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) 
+ $ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ #
+ # DCC (port udp:6277)
+ $ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
+ # if DCC Server is running (port tcp:6277)
+ $ip6t -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mailservice (Submission/SMTPS/POP/IMAP Server)
+# ---
+
+echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
+
+if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_server_ips_arr[@]} ; do
+ # mail ports
+ #
+ $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]
+
+ if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _ip in ${forward_mail_server_ip_arr[@]} ; do
+ # mail ports
+ #
+ $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
+# ---
+
+echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
+
+if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_client_ips_arr[@]} ; do
+ # mail ports
+ #
+ $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
+
+ if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _ip 
in ${forward_mail_client_ip_arr[@]} ; do
+ # mail ports
+ #
+ $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) OUT
+# ---
+
+echononl "\t\tHTTP(S) out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - HTTP(S) (local) Webserver
+# ---
+
+echononl "\t\tHTTP(S) (local) Webserver"
+
+if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${http_server_ip_arr[@]} ; do
+ $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ done
+
+ if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _ip in ${forward_http_server_ip_arr[@]} ; do
+ $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ done
+ fi
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP out only"
+# ---
+
+echononl "\t\tFTP out only (using CT target)"
+
+# - (Re)define helper
+# -
+$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+
+# - Used for different ftpdata recent lists 'ftp6data_out_$j'
+# -
+declare -i j=1
+
+for _dev in ${ext_if_arr[@]} ; do
+
+ # - (1)
+ # -
+ # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. 
+ # -
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
+ -m recent --name ftp6data_out_$j --rdest --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$i' list (--update)
+ # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
+ # -
+ $ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
+ -m recent --name ftp6data_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
+
+ ((j++))
+
+ # - Accept (helper ftp) related connections
+ # -
+ $ip6t -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
+
+done
+
+echo_done
+
+
+#echononl "\t\tFTP out only"
+#
+#for _dev in ${ext_if_arr[@]} ; do
+# # (Datenkanal aktiv)
+# $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
+# # (Datenkanal passiv)
+# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+# # (Kontrollverbindung)
+# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+# if $kernel_forward_between_interfaces ; then
+# # (Datenkanal aktiv)
+# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
+# # (Datenkanal passiv)
+# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+# # (Kontrollverbindung)
+# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+# fi
+#done
+#
+#echo_done
+
+
+# ---
+# - FTP Server"
+# ---
+
+echononl "\t\tFTP Server (using CT target)"
+
+if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
+
+ # - Used for different ftpdata recent lists 'ftpdata_$i'
+ # -
+ declare -i i=1
+
+ # - 
(Re)define helper
+ # -
+ # - !! Note: !!
+ # - for both, local FTP server (ftp_server_ip_arr)
+ # - and forward to FTP server (forward_ftp_server_ip_arr)
+ # -
+ $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
+
+ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
+
+ for _ip in ${ftp_server_ip_arr[@]} ; do
+
+ # =====
+ # -
+ # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
+ # - ======================================================
+ # -
+ # - Workaround:
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
+ # -
+ # =====
+
+ # - (1)
+ # -
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
+ # -
+ $ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
+ # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). 
+ # -
+ $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
+
+ # - Accept (helper ftp) related connections
+ # -
+ $ip6t -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+
+ ((i++))
+
+ done
+ fi
+
+ if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+
+ for _ip in ${forward_ftp_server_ip_arr[@]} ; do
+
+ # =====
+ # -
+ # - ip_conntrack_ftp cannot see the TLS-encrypted traffic
+ # - ======================================================
+ # -
+ # - Workaround:
+ # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
+ # - (2) accept packets of the formaly created recent list 'ftpdata_$i!
+ # -
+ # =====
+
+ # - (1)
+ # -
+ # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
+ # -
+ $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
+
+ # - (2)
+ # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
+ # - source ip-address was seen within the last 1800 seconds (--seconds 1800).
+ # -
+ # - - If matched, the "last seen" timestamp of the source address will be updated (--update).
+ # -
+ # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). 
+ # -
+ $ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
+ $ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
+ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
+
+ # - Accept (helper ftp) related connections
+ # -
+ $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
+ $ip6t -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT
+
+ ((i++))
+
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+#echononl "\t\tFTP Server"
+#
+#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
+# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
+# for _ip in ${ftp_server_ip_arr[@]} ; do
+# # (Datenkanal aktiv)
+# $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
+# # Datenkanal (passiver modus)
+# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
+# # - Kontrollverbindung
+# $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+# done
+# fi
+#
+# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
+# # (Datenkanal aktiv)
+# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
+# # Datenkanal (passiver modus)
+# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
+# # - Kontrollverbindung
+# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+# done
+# fi
+#
+# echo_done
+#else
+# echo_skipped
+#fi
+
+
+# ---
+# - Mumble Service
+# ---
+
+echononl "\t\tMumble Service"
+
+
+if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || 
$local_mumble_service ; then
+ if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mumble_server_ip_arr[@]} ; do
+ $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ if [[ ${#forward_mumble_server_ip_arr[@]} ]] && $kernel_forward_between_interfaces ; then
+ for _ip in ${forward_mumble_server_ip_arr[@]} ; do
+ $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Timeserver (Port 37 NOT NTP!)"
+# ---
+
+echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - NTP out only"
+# ---
+
+echononl "\t\tNTP out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - Whois out only
+# ---
+
+echononl "\t\tWhois out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+echo
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+
+echononl 
"\t\tSpecial TCP Ports OUT"
+
+if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${tcp_out_port_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${tcp_out_port_arr[@]} ; do
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Special UDP Ports OUT
+# ---
+
+echononl "\t\tSpecial UDP Ports OUT"
+
+if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
+ if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${udp_out_port_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${forward_udp_out_port_arr[@]} ; do
+ $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+echo
+
+
+# ---
+# - UNIX Traceroute
+# ---
+
+echononl "\t\tUNIX Traceroute"
+
+# versendet udp packete im gegensatz zu tracert von windows
+# der icmp-echo-request pakete versendet
+# einige implementierungen von traceroute (linux) erm�lichens
+# die option -I und versenden dann ebenfalls icmp-echo-request pakete
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p udp -m state --state NEW 
--dport 33434:33530 -j ACCEPT
+ $ip6t -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - Ping
+# ---
+
+echononl "\t\tPing"
+
+$ip6t -A INPUT -p ipv6-icmp -j ACCEPT
+$ip6t -A OUTPUT -p ipv6-icmp -j ACCEPT
+if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -p ipv6-icmp -j ACCEPT
+fi
+
+#for _dev in ${ext_if_arr[@]} ; do
+# $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT
+# $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT
+# if $kernel_forward_between_interfaces ; then
+# $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT
+# $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT
+# fi
+#done
+#for _dev in ${local_if_arr[@]} ; do
+# $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT
+# $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT
+# if $kernel_forward_between_interfaces ; then
+# $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT
+# $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT
+# fi
+#done
+
+echo_done
+
+
+# ---
+# - log all rejected traffic
+# ---
+
+echo
+echononl "\tLogging all rejected traffic"
+
+if $log_rejected || $log_all ; then
+ #$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ #$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ $ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ $ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ if $kernel_forward_between_interfaces ; then
+ #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ $ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Drop all other
+# ---
+
+echo
+echononl "\tDrop all other on all interfaces"
+
+$ip6t -A 
INPUT -j DROP
+$ip6t -A OUTPUT -j DROP
+$ip6t -A FORWARD -j DROP
+
+echo_done
+
+
+
+# -------------
+# ------------- Start Fail2Ban if installed
+# -------------
+
+if [ -x "$fail2ban_client" ]; then
+ echo
+ echononl "\tStarting fail2ban.."
+ $fail2ban_client start > /dev/null 2>&1
+ if [ "$?" = "0" ];then
+ echo_done
+ else
+ echo_failed
+ fi
+fi
+
+echo
+exit 0
+
diff --git a/ip6t-firewall-server.conf.sample b/OLD/ip6t-firewall-server.conf.sample
similarity index 100%
rename from ip6t-firewall-server.conf.sample
rename to OLD/ip6t-firewall-server.conf.sample
diff --git a/OLD/ipt-firewall-server b/OLD/ipt-firewall-server
new file mode 100755
index 0000000..05f4cf3
--- /dev/null
+++ b/OLD/ipt-firewall-server
@@ -0,0 +1,2063 @@
+#!/usr/bin/env bash
+### BEGIN INIT INFO
+# Provides: ipt-firewall
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Required-Stop: $local_fs $remote_fs $syslog $network
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: IPv4 Firewall
+### END INIT INFO
+
+CONFIG_DIR="/etc/ipt-firewall"
+CONFIG_FILE="${CONFIG_DIR}/ipt-firewall-server.conf"
+
+if [[ -z "$fail2ban_client" ]]; then
+ fail2ban_client="$(which fail2ban-client)"
+fi
+
+
+# ------------- Load Kernel Modules -------------
+#
+## - Load appropriate modules.
+## -
+if ! $host_is_vm ; then
+ /sbin/modprobe ip_tables > /dev/null 2>&1
+ /sbin/modprobe iptable_nat > /dev/null 2>&1
+
+ # - Note:!
+ # - Since Kernel 4.7 the automatic conntrack helper assignment
+ # - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+ # - Enable it by setting this variable in file /etc/sysctl.conf:
+ # -
+ # - net.netfilter.nf_conntrack_helper = 1
+ # -
+ # - Reboot or type "sysctl -p"
+ # -
+ # - !! But this is NOT the recommend method !!
+
+ # ---
+ # - Load module for FTP Connection tracking and NAT
+ # ---
+
+ # - Once a helper is loaded, it will treat packets for a given port and all IP addresses.
+ # - As explained before, this is not optimal and is even a security risk. A better
+ # - solution is to load the module helper and deactivate their parsing by default. Each
+ # - helper we need to use is then set by using a call to the CT target.
+ # -
+ # - Desactivate the automatic conntrack helper assignment:
+ # -
+ # - method 1: modprobe nf_conntrack nf_conntrack_helper=0
+ # - method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
+ # -
+ # - Note:
+ # - =====
+ # - Each helper we need to use is then set by using a call to the CT target. 
+ # - Example for ftp helper on standardport:
+ # -
+ # - ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
+ # -
+ /sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1
+ #echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
+
+ /sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1
+ /sbin/modprobe nf_nat > /dev/null 2>&1
+ /sbin/modprobe nf_nat_ftp > /dev/null 2>&1
+
+ ## - Load modules for SIP VOIP
+ ## -
+ #/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1
+ #/sbin/modprobe nf_nat_sip > /dev/null 2>&1
+fi
+#
+# ------------- End: Load Kernel Modules -------------
+
+
+echo
+echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
+echo
+
+## --------------------------------------------------------------------------
+## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
+## --------------------------------------------------------------------------
+
+if [[ -f "$CONFIG_FILE" ]]; then
+ source $CONFIG_FILE
+else
+ echo
+ echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
+ echo
+ exit 1
+fi
+
+
+
+# -------------
+# --- Activate IP Forwarding
+# -------------
+
+## - IP Forwarding deaktivieren.
+## -
+## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
+## -
+## - Only needed, if hosts acts as a router.
+## -
+if $kernel_activate_forwarding ; then
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ echononl "\tActivate Forwarding.."
+ echo_done
+else
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
+ echo_done
+fi
+
+if $kernel_support_dynaddr ; then
+ echononl "\tActivate kernel support for dynamic addresses.." 
+ if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
+ echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
+ echo_done
+ else
+ echo_failed
+ fi
+else
+ echo 0 > /proc/sys/net/ipv4/ip_dynaddr
+ echononl "\t\033[33m\033[1mDisable kernel support for dynamic addresses..\033[m"
+ echo_done
+fi
+
+
+# -------------
+# --- Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+echononl "\tAdjust Kernel Parameters (Security/Tuning).."
+
+if ! $host_is_vm ; then
+ ## - Reduce DoS'ing ability by reducing timeouts
+ ## -
+ if $kernel_reduce_timeouts ; then
+ echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
+ echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
+ echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
+ echo 0 > /proc/sys/net/ipv4/tcp_sack
+ fi
+
+
+ ## - SYN COOKIES
+ ## -
+ if $kernel_tcp_syncookies ; then
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
+ echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
+ fi
+
+ ## - Protection against ICMP bogus error responses
+ ## -
+ if $kernel_protect_against_icmp_bogus_messages ; then
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ fi
+
+ ## - Ignore Broadcast Pings
+ ## -
+ if $kernel_ignore_broadcast_ping ; then
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ fi
+
+ ## - Deactivate Source Routed Packets
+ ## -
+ if $kernel_deactivate_source_route ; then
+ for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
+ echo 0 > $asr
+ done
+ fi
+
+ ## - Deactivate sending ICMP redirects
+ ## -
+ if $kernel_dont_accept_redirects ; then
+ for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
+ echo 1 > $rp_filter
+ done
+ fi
+
+ ## - Logging of spoofed (source routed" and "redirect") packets
+ ## -
+ if $kernel_log_martians ; then
+ echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
+ fi
+
+ ## - Keine ICMP Umleitungspakete akzeptieren. 
+ ## -
+ ## - Diese können zur Veränderung der Routing Tables verwendet
+ ## - werden, möglicherweise mit einem böswilligen Ziel.
+ ## -
+ #echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
+
+ ## - NUMBER OF CONNECTIONS TO TRACK
+ ## -
+ #echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
+
+ echo_done # Adjust Kernel Parameters (Security/Tuning)
+else
+ echo_skipped
+fi
+
+
+# ------------- Stop Fail2Ban if installed -------------
+#
+if [ -x "$fail2ban_client" ]; then
+ echononl "\tStopping fail2ban.."
+ $fail2ban_client stop > /dev/null 2>&1
+ if [ "$?" = "0" ];then
+ echo_done
+ else
+ echo_warning
+ fi
+fi
+#
+# ------------- Ende: Stop Fail2Ban if installed -------------
+
+
+# -------------
+# --- Set default policies / Flush Rules
+# -------------
+
+
+echo
+echononl "\tFlushing firewall iptable (IPv4).."
+
+# - default policies
+# -
+$ipt -P INPUT ACCEPT
+$ipt -P OUTPUT ACCEPT
+$ipt -P FORWARD ACCEPT
+
+## - flush chains
+## -
+$ipt -F
+$ipt -F INPUT
+$ipt -F OUTPUT
+$ipt -F FORWARD
+$ipt -F -t mangle
+$ipt -F -t nat
+$ipt -F -t raw
+$ipt -X
+$ipt -Z
+
+echo_done # Flushing firewall iptable (IPv6)..
+echo
+
+
+
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+echononl "\tDo not firewall bridged traffic"
+if $do_not_firewall_bridged_traffic ; then
+
+ # - Matches if the packet is being bridged and therefore is not being routed.
+ # - This is only useful in the FORWARD and POSTROUTING chains.
+ # -
+ $ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
+
+ # - Matches if the packet has entered through a bridge interface.
+ # -
+ $ipt -I FORWARD -m physdev --physdev-is-in -j ACCEPT
+ # - Matches if the packet will leave through a bridge interface. 
+ # -
+ $ipt -I FORWARD -m physdev --physdev-is-out -j ACCEPT
+
+ echo_done
+else
+ echo_skipped
+fi
+echo
+
+
+
+# -------------
+# ------------ Stopping firewall if only flushing was requested (parameter flush)
+# -------------
+
+case $1 in
+ flush)
+ echo
+ echo -e "\t\033[37m\033[1mFlushing firewall was requested. No more rules..\033[m"
+ echo
+ exit 0;;
+esac
+
+
+
+# -------------
+# --- Pass through Devices Interfaces (not firewalled)
+# -------------
+
+if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
+ echononl "\tPass through Devices (not firewalled)"
+ for _dev in ${unprotected_if_arr[@]} ; do
+ if $log_unprotected || $log_all ; then
+ $ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ $ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ $ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ $ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
+ fi
+ $ipt -A INPUT -i $_dev -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -j ACCEPT
+ $ipt -A FORWARD -i $_dev -j ACCEPT
+ $ipt -A FORWARD -o $_dev -j ACCEPT
+ done
+ echo_done
+fi
+
+
+
+# -------------
+# --- Block IPs / Networks / Interfaces
+# -------------
+echononl "\tBlock IPs / Networks / Interfaces.." 
+
+
+# ---
+# - Block IPs
+# ---
+
+for _ip in $blocked_ips ; do
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_blocked_ip || $log_all ; then
+ $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ fi
+ fi
+ $ipt -A INPUT -i $_dev -s $_ip -j DROP
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -s $_ip -j DROP
+ fi
+ done
+done
+
+
+# ---
+# - Block Interfaces
+# ---
+
+for _if in ${blocked_if_arr[@]} ; do
+ if $log_blocked_if || $log_all ; then
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ $ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ fi
+ $ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ $ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ fi
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_if -j DROP
+ $ipt -A FORWARD -o $_if -j DROP
+ fi
+ $ipt -A INPUT -i $_if -j DROP
+ $ipt -A OUTPUT -o $_if -j DROP
+done
+
+echo_done # Block IPs / Networks / Interfaces..
+
+
+
+# ---
+# - Block IPs/Netwoks reading from file 'ban_ipv4.list'"
+# ---
+
+echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .." 
+
+if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then
+
+ declare -a octets
+ declare -i index
+
+ while IFS='' read -r _line || [[ -n $_line ]] ; do
+
+ is_valid_ipv4=true
+ is_valid_mask=true
+ ipv4=""
+ mask=""
+
+ # Ignore comment lines
+ #
+ [[ $_line =~ ^[[:space:]]{0,}# ]] && continue
+
+ # Ignore blank lines
+ #
+ [[ $_line =~ ^[[:space:]]*$ ]] && continue
+
+ # Remove leading whitespace characters
+ #
+ _line="${_line#"${_line%%[![:space:]]*}"}"
+
+
+ # Catch IPv4 Address
+ #
+ given_ipv4="$(echo $_line | cut -d ' ' -f1)"
+
+
+ # Splitt Ipv4 address from possible given CIDR number
+ #
+ IFS='/' read -ra _addr <<< "$given_ipv4"
+ _ipv4="${_addr[0]}"
+
+ if [[ -n "${_addr[1]}" ]] ; then
+ _mask="${_addr[1]}"
+ test_netmask=false
+
+ # Is 'mask' a valid CIDR number? If not, test agains a valid netmask
+ #
+ if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then
+
+ # Its not a vaild mask number, but naybe a valit netmask.
+ #
+ test_netmask=true
+ else
+ if [[ $_mask -gt 32 ]]; then
+
+ # Its not a vaild cidr number, but naybe a valit netmask.
+ #
+ test_netmask=true
+ else
+
+ # OK, we have a vaild cidr number between '0' and '32'
+ #
+ mask=$_mask
+ fi
+ fi
+
+ # Test if given '_mask' is a valid netmask. 
+ #
+ if $test_netmask ; then
+ octets=( ${_mask//\./ } )
+
+ # Complete netmask if necessary
+ #
+ while [[ ${#octets[@]} -lt 4 ]]; do
+ octets+=(0)
+ done
+
+ [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false
+
+ index=0
+ for octet in ${octets[@]} ; do
+ if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
+ if [[ $octet -gt 255 ]] ; then
+ is_valid_mask=false
+ fi
+ if [[ $index -gt 0 ]] ; then
+ mask="${mask}.${octet}"
+ else
+ mask="${octet}"
+ fi
+
+ else
+ is_valid_mask=false
+ fi
+
+ ((index++))
+ done
+ fi
+
+ adjust_mask=false
+ else
+ mask=32
+ adjust_mask=true
+ fi
+
+ # Splitt given address into their octets
+ #
+ octets=( ${_ipv4//\./ } )
+
+ # Complete IPv4 address if necessary
+ #
+ while [[ ${#octets[@]} -lt 4 ]]; do
+ octets+=(0)
+
+ # Only adjust CIDR number if not given
+ #
+ if $adjust_mask ; then
+ mask="$(expr $mask - 8)"
+ fi
+ done
+
+ # Pre-check if given IPv4 Address seems to be a valid address
+ #
+ [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false
+
+ # Check if given IPv4 Address is a valid address
+ #
+ if $is_valid_ipv4 ; then
+ index=0
+ for octet in ${octets[@]} ; do
+ if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
+ if [[ $octet -gt 255 ]] ; then
+ is_valid_ipv4=false
+ fi
+ if [[ $index -gt 0 ]] ; then
+ ipv4="${ipv4}.${octet}"
+ else
+ ipv4="${octet}"
+ fi
+
+ else
+ is_valid_ipv4=false
+ fi
+
+ ((index++))
+ done
+ fi
+
+ if $is_valid_ipv4 && $is_valid_mask; then
+
+ _ip="${ipv4}/${mask}"
+
+ if containsElement "$_ip" "${ban_ipv4_arr[@]}" ; then
+ continue
+ fi
+
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_blocked_ip || $log_all ; then
+ $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level
+ fi
+ fi
+ $ipt -A INPUT -i $_dev -s $_ip -j DROP
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -s $_ip -j DROP
+ fi
+ done
+
+ ban_ipv4_arr+=("$_ip")
+ 
+ else
+ msg="$msg '${given_ipv4}'"
+ fi
+
+ done < "${CONFIG_DIR}/ban_ipv4.list"
+ echo_done
+
+ if [[ -n "$msg" ]]; then
+ warn "Ignored:$msg"
+ fi
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Allow Forwarding certain private Addresses
+# ---
+
+if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
+ echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
+ for _ip in ${forward_private_ip_arr[@]}; do
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -d $_ip -j ACCEPT
+ $ipt -A FORWARD -s $_ip -j ACCEPT
+ echo_done
+ else
+ echo_skipped
+ fi
+ done
+fi
+
+
+
+# -------------
+# --- Protections against several attacks / unwanted packages
+# -------------
+echo
+echononl "\tProtections against several attacks / unwanted packages.."
+
+
+# ---
+# - Protection against syn-flooding
+# ---
+
+$ipt -N syn-flood
+$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
+if $log_syn_flood || $log_all ; then
+ $ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
+fi
+$ipt -A syn-flood -j DROP
+
+
+# ---
+# - Drop Fragments
+# ---
+
+# I have to say that fragments scare me more than anything.
+# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
+# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
+# fragments is very OS-dependent (see this paper for details).
+# I am not going to trust any fragments. 
+# Log fragments just to see if we get any, and deny them too
+
+for _dev in ${ext_if_arr[@]} ; do
+ if $log_fragments || $log_all ; then
+ $ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level
+ fi
+ fi
+ $ipt -A INPUT -i $_dev -f -j DROP
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -f -j DROP
+ fi
+done
+
+
+# ---
+# - drop new packages without syn flag
+# ---
+
+if $log_new_not_sync || $log_all ; then
+ $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
+ $ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
+ fi
+fi
+$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
+if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -p tcp ! 
--syn -m state --state NEW -j DROP +fi + + +# --- +# - drop invalid packages +# --- + +if $log_invalid_state || $log_all ; then + $ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + fi +fi +$ipt -A INPUT -m state --state INVALID -j DROP +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -m state --state INVALID -j DROP +fi + + +# --- +# - ungewöhnliche Flags verwerfen +# --- + +for _dev in ${ext_if_arr[@]} ; do + if $log_invalid_flags || $log_all ; then + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST 
-j DROP + fi +done + + +# --- +# - Refuse private addresses on extern interfaces +# --- + +# Refuse spoofed packets pretending to be from your IP address. +if $log_spoofed || $log_all ; then + # input + for _ip in ${ext_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + fi + done +fi +for _ip in ${ext_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -d $_ip -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -s $_ip -d $_ip -j DROP + fi +done + + +# Refuse packets claiming to be from a +# Class A private network +# Class B private network +# Class C private network +# loopback interface +# Class D multicast address +# Class E reserved IP address +# broadcast address +for _dev in ${ext_if_arr[@]} ; do + if $log_spoofed || $log_all ; then + $ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + # + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A 
FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + fi + fi + # Refuse packets claiming to be from a Class A private network. + $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP + # Retfuse packets claiming to be from a Class C private network. + $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A INPUT -i $_dev -s $loopback -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP + if $kernel_activate_forwarding ; then + # Refuse packets claiming to be from a Class A private network. + $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP + # Refuse packets claiming to be from a Class C private network. + $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. 
+ $ipt -A FORWARD -i $_dev -s $loopback -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP + fi +done + + +# --- +# - Refuse packets claiming to be to the loopback interface. +# --- + +# Refusing packets claiming to be to the loopback interface protects against +# source quench, whereby a machine can be told to slow itself down by an icmp source +# quench to the loopback. +for _dev in ${ext_if_arr[@]} ; do + if $log_to_lo || $log_all ; then + $ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -d $loopback -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -d $loopback -j DROP + fi +done + + +# --- +# - Don't allow spoofing from that server +# --- + +for _dev in ${ext_if_arr[@]} ; do + if $log_spoofed_out || $log_all ; then + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level + $ipt -A FORWARD -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level 
$log_level + $ipt -A FORWARD -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level + $ipt -A FORWARD -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level + fi + fi + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP + $ipt -A OUTPUT -o $_dev -s $loopback -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP + $ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP + $ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP + $ipt -A FORWARD -o $_dev -s $loopback -j DROP + fi +done + +echo_done + + + +# ------------- +# ------------- Stopping firewall here if requested (parameter stop) +# ------------- + +case $1 in + sto*) + #echononl "Stopping firewall iptable (IPv4).." + echo + echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m" + echo + exit 0;; +esac + + +echo + +# ------------- +# --- Traffic Counter (used by munin) +# ------------- + +echononl "\tCreate Traffic Counter (used by munin)" +if $create_traffic_counter ; then + for _ip in ${ext_ip_arr[@]} ; do + $ipt -A INPUT -d $_ip + $ipt -A INPUT -s $_ip + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -d $_ip + $ipt -A FORWARD -s $_ip + fi + done + echo_done +else + echo_skipped +fi + + +# ------------- +# --- iPerf +# ------------- + +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. + +echononl "\tCreate \"iPerf\" rules.." 
+if $create_iperf_rules ; then + $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT + $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT + # + $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT + $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT + $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT + fi + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Generally prohibited +# ------------- + +echononl "\tGenerally prohibited traffic.." + +for _dev in ${ext_if_arr[@]} ; do + if $log_prohibited || $log_all ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + if $kernel_activate_forwarding ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + fi + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP + done + if $kernel_activate_forwarding ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP + done + fi +done + +echo_done +echo + + +# ------------- +# --- Traffic generally allowed +# ------------- + +echononl "\tLoopback device generally allowed.." 
+ +# --- +# - Loopback device +# --- + +$ipt -A INPUT -i lo -j ACCEPT +$ipt -A OUTPUT -o lo -j ACCEPT + +echo_done + + +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +fi + +echo_done + + +# --- +# - Permit all traffic through VPN lines +# --- +echononl "\tPermit all traffic through VPN lines.." +for _vpn_if in ${vpn_if_arr[@]} ; do + $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT + fi +done +echo_done + +echo + + +# ------------- +# ---- Restrict local Servive to given (extern) IP-Address/Network +# ------------- + +echononl "\tRestrict local Service to given (extern) IP-Address/Network" +if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then + + _deny_service_arr=() + + for _val in "${restrict_local_service_to_net_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + + for _dev in ${ext_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m state --state NEW -j ACCEPT + + if ! 
containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}" "${_deny_service_arr[@]}" ; then + _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}") + fi + + done + + done + + for _val in "${_deny_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# ---- Restrict local Network to given extern IP-Address/Network +# ------------- + +echononl "\tRestrict local Address/Network to given extern Address/Network" +if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then + + _deny_net_arr=() + + for _val in "${restrict_local_net_to_net_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + for _dev in ${ext_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m state --state NEW -j ACCEPT + + if ! containsElement "${_dev}:${_val_arr[1]}" "${_deny_net_arr[@]}" ; then + _deny_net_arr+=("${_dev}:${_val_arr[1]}") + fi + + done + + done + + for _val in "${_deny_net_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Services +# ------------- + +echo +echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" + + +# ------------- +# ---- Allow extern Service +# ------------- + +echononl "\t\tAllow extern Service" + +if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_ext_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# ------------- +# ---- Allow extern IP-Address/Network +# ------------- + +echononl "\t\tAllow extern IP-Address/Network" + +if [[ 
${#allow_ext_net_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _net in "${allow_ext_net_arr[@]}" ; do + $ipt -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + +# ------------- +# ---- Allow (non-standard) local Services +# ------------- + +echononl "\t\tAllow (non-standard) local Services" + +if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then + for _dev in "${ext_if_arr[@]}" ; do + for _val in "${allow_local_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + +echo + + +# --- +# - DHCP +# --- + +echononl "\t\tDHCP" + +if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then + for _dev in ${dhcp_if_arr[@]} ; do + # - in + $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT + # - out + $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT + done + echo_done +else + echo_skipped +fi + + + +# --- +# - DNS out only +# --- + +echononl "\t\tDNS out only" + +# - Nameservers on the INET must be reachable for the local recursiv nameserver +# - but also for all others +# - +for _dev in ${ext_if_arr[@]} ; do + # - out from local and virtual mashine(s) + $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + + # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) + if $kernel_activate_forwarding ; then + # - forward from virtual mashine(s) + $ipt -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + + +# --- +# - DNS Service +# --- + +echononl "\t\tDNS Service" + +if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ 
${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${dns_server_ips[@]} ; do + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + # Zonetransfer + $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_dns_server_ip_arr[@]} ; do + # dns requests + # + # Note: + # If the total size of the DNS record is larger than 512 bytes, + # it will be sent over TCP, not UDP. + # + $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + # Zonetransfer + $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + done + fi + echo_done +else + echo_skipped +fi + + +# --- +# - SSH out only +# --- + +echononl "\t\tSSH out only" + +# ausgehende Anfragen +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + fi +done + +for _dev in ${local_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT +done + +echo_done + + +# --- +# - SSH Service +# --- + +echononl "\t\tSSH Service" + +if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${ssh_server_ip_arr[@]} ; do + for _port in ${ssh_port_arr[@]} ; do + $ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] 
&& $kernel_activate_forwarding ; then + for _ip in ${forward_ssh_server_ip_arr[@]} ; do + for _port in ${ssh_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - VPN +# --- + +echononl "\t\tVPN Service only out" +if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + +echononl "\t\tVPN Services.." +if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${vpn_server_ip_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_vpn_server_ip_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsync Out +# --- + +echononl "\t\tRsync (only OUT)" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then + for _port in ${rsync_port_arr[@]} ; do + + for _ip in ${rsync_out_ip_arr[@]} ; do + $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + done + + done + fi + + if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _port in ${rsync_port_arr[@]} ; do + + for _ip in ${forward_rsync_out_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + done + + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Telnet +# --- 
+ +echononl "\t\tTelnet (only OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - MySQL +# --- + +echononl "\t\tMySQL (only OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - Munin remote service +# --- + +echononl "\t\tMunin remote service" + +if [ "X$munin_remote_ip" != "X" ]; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Munin local service +# --- + +echononl "\t\tMunin local service" + + +if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_server_ip_arr[@]} ; do + $ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_munin_server_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail (SMTP OUT) +# --- + +echononl "\t\tMail (SMTP OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + 
$ipt -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - Mail SMTP Server (Port 25) including Spam Control +# --- + +echononl "\t\tMail SMTP Server (Port 25) including Spam Control" + +if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then + + for _ip in ${smtpd_ips_arr[@]} ; do + $ipt -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + # + # Razor2 (TCP Port 2703) + $ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + # DEPRECATED: TCP Port 7 (echo) + $ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + # + # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) + $ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + # + # - DCC (port udp:6277) + $ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT + # if DCC Server is running (port tcp:6277) + $ipt -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT + done + fi + + if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_smtpd_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + # + # Razor2 (TCP Port 2703) + $ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + # DEPRECATED: TCP Port 7 (echo) + $ipt -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + # + # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) 
+ $ipt -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + # + # DCC (port udp:6277) + $ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT + # if DCC Server is running (port tcp:6277) + $ipt -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Mailservice (Submission/SMTPS/POP/IMAP Server) +# --- + +echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)" + +if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then + for _ip in ${mail_server_ips_arr[@]} ; do + # mail ports + # + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + done + fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] + + if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_mail_server_ip_arr[@]} ; do + # mail ports + # + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + done + fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only +# --- + +echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only" + +if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then + for _ip in ${mail_client_ips_arr[@]} ; do + # mail ports + # + $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + done + fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] + + if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in 
${forward_mail_client_ip_arr[@]} ; do + # mail ports + # + $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + done + fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then + + echo_done +else + echo_skipped +fi + + +# --- +# - HTTP(S) OUT +# --- + +echononl "\t\tHTTP(S) out only" + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - HTTP(S) (local) Webserver +# --- + +echononl "\t\tHTTP(S) (local) Webserver" + +if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${http_server_ip_arr[@]} ; do + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + done + + if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_http_server_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + done + fi + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - FTP out only" +# --- + +echononl "\t\tFTP out only (using CT target)" + +# - (Re)define helper +# - +$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp + +# - Used for different ftpdata recent lists 'ftpdata_out_$j' +# - +declare -i j=1 + +for _dev in ${ext_if_arr[@]} ; do + + # - (1) + # - + # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. 
+ # - + $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \ + -m recent --name ftpdata_out_$j --rdest --set -j ACCEPT + + # - (2) + # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$j' list (--update) + # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \ + -m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT + + ((i++)) + + # - Accept (helper ftp) related connections + # - + $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT + +done + +echo_done + + +#echononl "\t\tFTP out only" +# +#for _dev in ${ext_if_arr[@]} ; do +# # (Datenkanal aktiv) +# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# # (Datenkanal passiv) +# $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# # (Kontrollverbindung) +# $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# if $kernel_activate_forwarding ; then +# # (Datenkanal aktiv) +# $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# # (Datenkanal passiv) +# $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# # (Kontrollverbindung) +# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# fi +#done +# +#echo_done + + +# --- +# - FTP Server" +# --- + +echononl "\t\tFTP Server (using CT target)" + +if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then + + # - Used for different ftpdata recent lists 'ftpdata_$i' + declare -i i=1 + + # - (Re)define helper + # - + 
# - !! Note: !! + # - for both, local FTP server (ftp_server_ip_arr) + # - and forward to FTP server (forward_ftp_server_ip_arr) + # - + $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + + if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then + + for _ip in ${ftp_server_ip_arr[@]} ; do + + # ===== + # - + # - ip_conntrack_ftp cannot see the TLS-encrypted traffic + # - ====================================================== + # - + # - Workaround: + # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear + # - (2) accept packets of the formaly created recent list 'ftpdata_$i! + # - + # ===== + + # - (1) + # - + # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. + # - + $ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT + + # - (2) + # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the + # - source ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the source address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ + -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT + + ((i++)) + + done + fi + + if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + + for _ip in ${forward_ftp_server_ip_arr[@]} ; do + + # ===== + # - + # - ip_conntrack_ftp cannot see the TLS-encrypted traffic + # - ====================================================== + # - + # - Workaround: + # - (1) add source ip to a 'recent list' named 'ftpdata_$i! 
if ftp control connections appear + # - (2) accept packets of the formaly created recent list 'ftpdata_$i! + # - + # ===== + + # - (1) + # - + # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. + # - + $ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT + + # - (2) + # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the + # - source ip-address was seen within the last 1800 seconds (--seconds 1800). + # - + # - - If matched, the "last seen" timestamp of the source address will be updated (--update). + # - + # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). + # - + $ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ + -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + $ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \ + -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + + # - Accept (helper ftp) related connections + # - + $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT + $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT + + ((i++)) + + done + fi + + echo_done +else + echo_skipped +fi + +#echononl "\t\tFTP Server" +# +#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then +# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then +# for _ip in ${ftp_server_ip_arr[@]} ; do +# # (Datenkanal aktiv) +# $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# # Datenkanal (passiver modus) +# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# # - Kontrollverbindung +# $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW 
-j ACCEPT +# done +# fi +# +# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then +# for _ip in ${forward_ftp_server_ip_arr[@]} ; do +# # (Datenkanal aktiv) +# $ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# # Datenkanal (passiver modus) +# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# # - Kontrollverbindung +# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT +# done +# fi +# +# echo_done +#else +# echo_skipped +#fi + + +# --- +# - Mumble Service +# --- + +echononl "\t\tMumble Service" + + +if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || $local_mumble_service ; then + if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${mumble_server_ip_arr[@]} ; do + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_mumble_server_ip_arr[@]} ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_mumble_server_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Timeserver (Port 37 NOT NTP!)" +# --- + +echononl "\t\tTimeserver (Port 37 NOT NTP!) 
out only" + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - NTP out only" +# --- + +echononl "\t\tNTP out only" + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - Whois out only +# --- + +echononl "\t\tWhois out only" + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT + fi +done + +echo_done +echo + + +# --- +# - Special TCP Ports OUT +# --- + +echononl "\t\tSpecial TCP Ports OUT" + +if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then + + if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${tcp_out_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${tcp_out_port_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Special UDP Ports OUT +# --- + +echononl "\t\tSpecial UDP Ports OUT" + +if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then + if [[ 
${#udp_out_port_arr[@]} -gt 0 ]] ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${udp_out_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${forward_udp_out_port_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + +echo + + +# --- +# - UNIX Traceroute +# --- + +echononl "\t\tUNIX Traceroute" + +# versendet udp packete im gegensatz zu tracert von windows +# der icmp-echo-request pakete versendet +# einige implementierungen von traceroute (linux) erm�lichens +# die option -I und versenden dann ebenfalls icmp-echo-request pakete + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ipt -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + fi +done + +echo_done + + +# --- +# - Ping +# --- + +echononl "\t\tPing" + +$ipt -A INPUT -p icmp -j ACCEPT +$ipt -A OUTPUT -p icmp -j ACCEPT +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p icmp -j ACCEPT +fi + +#for _dev in ${ext_if_arr[@]} ; do +# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT +# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT +# if $kernel_activate_forwarding ; then +# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT +# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT +# fi +#done +#for _dev in ${local_if_arr[@]} ; do +# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT +# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT +# if $kernel_activate_forwarding ; then +# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT +# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT +# fi 
+#done + +echo_done + + +# --- +# - log all rejected traffic +# --- + +echo +echononl "\tLogging all rejected traffic" + +if $log_rejected || $log_all ; then + #$ipt -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ipt -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + $ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + $ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + if $kernel_activate_forwarding ; then + #$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + $ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + fi + echo_done +else + echo_skipped +fi + + +# --- +# - Drop all other +# --- + +echo +echononl "\tDrop all other on all interfaces" + +$ipt -A INPUT -j DROP +$ipt -A OUTPUT -j DROP +$ipt -A FORWARD -j DROP + +echo_done + + + +# ------------- +# ------------- Start Fail2Ban if installed +# ------------- +if [ -x "$fail2ban_client" ]; then + echo + echononl "\tStarting fail2ban.." + $fail2ban_client start > /dev/null 2>&1 + if [ "$?" = "0" ];then + echo_done + elif [ "$?" = "255" ]; then + echo_skipped + else + echo_failed + fi +fi + +echo +exit 0 + + + +# ------------ Portforwarding ------------- # +# - +# - !! 
NOTICE: +# - you need also portforwarding enabled at the kernel +# - echo 1 >/proc/sys/net/ipv4/ip_forward +# +# +# ---------------------------------------------- +# : --> ::80 +# ---------------------------------------------- +# +#$ipt -A FORWARD [-i ] -p tcp --dport -d -j ACCEPT +#$ipt -A FORWARD [-o ] -p tcp --sport -s -j ACCEPT +# +#$ipt -t nat -A PREROUTING [-i ] -p tcp --dport [-d ] -j DNAT --to-destination : +#$ipt -t nat -A POSTROUTING -d -j MASQUERADE +# +# +# ----------------------------------------------- +# www-alt.oopen.de --> www-neu.oopen.de +# +# 46.4.129.3:80 --> 83.223.86.130:80 +# 46.4.129.3:443 --> 83.223.86.130:443 +# ----------------------------------------------- +# +#$ipt -A FORWARD -p tcp -m multiport --dports 80,443 -d 83.223.86.130 -j ACCEPT +#$ipt -A FORWARD -p tcp -m multiport --sports 80,443 -s 83.223.86.130 -j ACCEPT +# +#$ipt -t nat -A PREROUTING -p tcp --dport 80 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:80 +#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443 +#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE +# +# - +# ---------- Ende Portforwarding ---------- # + diff --git a/ipt-firewall-server.conf.sample b/OLD/ipt-firewall-server.conf.sample similarity index 100% rename from ipt-firewall-server.conf.sample rename to OLD/ipt-firewall-server.conf.sample diff --git a/README.systemd.server b/README.systemd.server index 25f0565..d507ad0 100644 --- a/README.systemd.server +++ b/README.systemd.server 
@@ -1,26 +1,57 @@ -## - Create a systemd service -## - +# --- +# - Install scripts +# --- # - Copy firewall scripts to /usr/local/sbin # - cp -a /usr/local/src/ipt-server/ipt-firewall-server /usr/local/sbin/ cp -a /usr/local/src/ipt-server/ip6t-firewall-server /usr/local/sbin/ + + +# --- +# - Configuration +# --- + # - Copy Configuration files to /etc/ipt-firewall # - mkdir /etc/ipt-firewall -cp -a /usr/local/src/ipt-server/ipt-firewall-server.conf.sample /etc/ipt-firewall/ipt-firewall-server.conf -cp -a /usr/local/src/ipt-server/ip6t-firewall-server.conf.sample /etc/ipt-firewall/ip6t-firewall-server.conf -cp -a /usr/local/src/ipt-server/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list -cp -a /usr/local/src/ipt-server/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list +cp /usr/local/src/ipt-server/conf/default_ports.conf \ + /usr/local/src/ipt-server/conf/include_functions.conf \ + /usr/local/src/ipt-server/conf/load_modules_ipv4.conf \ + /usr/local/src/ipt-server/conf/load_modules_ipv6.conf \ + /usr/local/src/ipt-server/conf/logging_ipv4.conf \ + /usr/local/src/ipt-server/conf/logging_ipv6.conf \ + /usr/local/src/ipt-server/conf/post_decalrations.conf /etc/ipt-firewall/ +cp -a /usr/local/src/ipt-server/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list +cp -a /usr/local/src/ipt-server/conf/ban_ipv6.list.sample /etc/ipt-firewall/ban_ipv6.list -# - Adjust Configuration files +# - IPv4 # - -vim /etc/ipt-firewall/ipt-firewall-server.conf -vim /etc/ipt-firewall/ip6t-firewall-server.conf +# - At least adjust files +# - /etc/ipt-firewall/interfaces_ipv4.conf +# - /etc/ipt-firewall/main_ipv4.conf +# - +cp /usr/local/src/ipt-server/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/ +cp /usr/local/src/ipt-server/conf/main_ipv4.conf.sample /etc/ipt-firewall/ + +vim /etc/ipt-firewall/interfaces_ipv4.conf +vim /etc/ipt-firewall/main_ipv4.conf + +# - IPv6 +# - +# - At least adjust files +# - /etc/ipt-firewall/interfaces_ipv6.conf +# - 
/etc/ipt-firewall/main_ipv6.conf +# - +cp /usr/local/src/ipt-server/conf/interfaces_ipv6.conf.sample /etc/ipt-firewall/interfaces_ipv6.conf +cp /usr/local/src/ipt-server/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf + +vim /etc/ipt-firewall/interfaces_ipv6.conf +vim /etc/ipt-firewall/main_ipv6.conf # IPv4 diff --git a/README.ulogd b/README.ulogd new file mode 100644 index 0000000..094aea1 --- /dev/null +++ b/README.ulogd @@ -0,0 +1,59 @@ +# --- +# - Install netfilter userspace logging daemon. +# --- +apt-get install ulogd2 + +# --- +# - Adjust configuration file '/etc/ulogd.conf' +# --- + +# - (1) +# - +# - Define two new plugin stacks inside '[global]'. +# - +# - directly after the last "plugin="/usr/lib.." statement add: +# - +# - # ==================================================================== +# - # Define two new plugin stacks inside for iptables logging +# - # ==================================================================== +# - # - +# - # - firewall11 - for IPv4 Firewall +# - # - firewall12 - for IPv6 Firewall +# - # - +# - stack=firewall11:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu11:LOGEMU +# - stack=firewall12:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu12:LOGEMU +# - +vim /etc/ulogd.conf + +# - (2) +# - +# - - Define input plugins using above specified netlink group +# - - Define output plugins +# - +cat <> /etc/ulogd.conf + + +# ========================================================= +# Define input plugins using specified netlink group inside +# ========================================================= + +[firewall11] +group=11 + +[firewall12] +group=12 + + +# ===================== +# Define output plugins +# ===================== + +[emu11] +file="/var/log/ulog/iptables.log" +sync=1 + +[emu12] +file="/var/log/ulog/ip6tables.log" +sync=1 + +EOF diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 117e719..570116a 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server 
@@ -10,43 +10,137 @@ # Short-Description: IPv6 Firewall ### END INIT INFO -CONFIG_DIR="/etc/ipt-firewall" -CONFIG_FILE="${CONFIG_DIR}/ip6t-firewall-server.conf" + +# ------------- +# - Settings +# ------------- + +ipt_conf_dir="/etc/ipt-firewall" + +inc_functions_file="${ipt_conf_dir}/include_functions.conf" + +load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf + +conf_logging=${ipt_conf_dir}/logging_ipv6.conf +conf_default_ports=${ipt_conf_dir}/default_ports.conf +conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf +conf_main=${ipt_conf_dir}/main_ipv6.conf +conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf + +ip6t=$(which ip6tables) if [[ -z "$fail2ban_client" ]]; then fail2ban_client="$(which fail2ban-client)" fi -# ------------- Load Kernel Modules ------------- -# -# Load appropriate modules. -if ! $host_is_vm ; then - /sbin/modprobe ip6_tables - /sbin/modprobe ip6table_filter - /sbin/modprobe ip6t_REJECT +# ------------- +# - Some checks and preloads.. +# ------------- + + +if [[ -z "$ip6t" ]] ; then + echo "" + echo -e "\tip6tables was not found on this server!" + echo + echo -e "\tFirewall Script was stopped!" + echo + exit 1 fi -# -# ------------- End: Load Kernel Modules ------------- + +if [[ ! -f "$inc_functions_file" ]] ; then + echo "" + echo -e "\tMissing include file '$inc_functions_file'" + echo + echo -e "\tFirewall Script was stopped!" + echo + exit 1 +else + source $inc_functions_file +fi + + +# - Check if running inside a container +# - +host_is_vm=false + +# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc' +# - returns "container=lxc" +# - +r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)" +if [[ -n "$r_val" ]] ; then + host_is_vm=true +else + + # --- + # - For other container types we need a few more tricks + # --- + + # Detect old-style libvirt + [ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true + + # Detect vserver + if ! 
$host_is_vm ; then + VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true + [ "${VXID:-0}" -gt 1 ] && host_is_vm=true + fi +fi + + +if [[ ! -f "$load_modules_file" ]] ; then + warn "No modules for loading configured. Missing file '$load_modules_file'!" +else + + if ! $host_is_vm ; then + + while read -r module ; do + if ! lsmod | grep -q -E "^$module\s+" ; then + /sbin/modprobe $module > /dev/null 2>&1 + if [[ "$?" != "0" ]]; then + warn "Loading module '$module' failed!" + fi + fi + done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file) + fi + +fi + +if [[ ! -f "$conf_logging" ]]; then + fatal "Missing configuration for logging - file '$conf_logging'" +else + source $conf_logging +fi + +if [[ ! -f "$conf_default_ports" ]]; then + fatal "Missing configuration for default_ports - file '$conf_default_ports'" +else + source $conf_default_ports +fi + +if [[ ! -f "$conf_interfaces" ]]; then + fatal "Missing interface configurations - file '$conf_interfaces'" +else + source $conf_interfaces +fi + +if [[ ! -f "$conf_main" ]]; then + fatal "Missing main configurations - file '$conf_main'" +else + source $conf_main +fi + +if [[ ! -f "$conf_post_declarations" ]]; then + fatal "Missing post declarations - file '$conf_post_declarations'" +else + source $conf_post_declarations +fi + echo echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m" echo -## -------------------------------------------------------------------------- -## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf -## -------------------------------------------------------------------------- - -if [[ -f "$CONFIG_FILE" ]]; then - source $CONFIG_FILE -else - echo - echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m" - echo - exit 1 -fi - # ------------- # --- Activate IP Forwarding 
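Review bot: `load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf` in the IPv6 script makes the IPv6 firewall read the IPv4 module list; the README in this same commit installs a separate `load_modules_ipv6.conf` and the sibling IPv4 script carries the identical line, so this looks like a copy-paste slip — change it to `load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf`. The modprobe loop appears to only `warn` on a failed load (the helper comes from the sourced include file, so this is inferred), which means a wrong list would leave the ip6 modules unloaded without stopping the script. Two smaller points: `ip6t=$(which ip6tables)` and the fail2ban lookup would be more portable as `command -v`, and `source $inc_functions_file` plus the later `source $conf_*` lines should quote the path. `post_decalrations.conf` is misspelled consistently with the README, so renaming it is a separate cleanup.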
@@ -173,6 +267,26 @@ fi echo +# ------------- +# ---- Log given IP Addresses +# ------------- + +echononl "\tLog given IPv6 Addresses" +if [[ ${#log_ip_arr[@]} -gt 0 ]]; then + for _ip in ${log_ip_arr[@]} ; do + $ip6t -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: " + $ip6t -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: " + $ip6t -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: " + $ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: " + done + + echo_done +else + echo_skipped +fi + + + # ------------- # ------------ Stopping firewall if only flushing was requested (parameter flush) @@ -196,10 +310,10 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then echononl "\tPass through Devices (not firewalled)" for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then - $ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " + $ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " + $ip6t -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " + $ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " fi $ip6t -A INPUT -i $_dev -j ACCEPT $ip6t -A OUTPUT -o $_dev -j ACCEPT 
@@ -224,9 +338,9 @@ echononl "\tBlock IPs / Networks / Interfaces.." for _ip in $blocked_ips ; do for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then - $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " fi fi $ip6t -A INPUT -i $_dev -s $_ip -j DROP @@ -244,11 +358,11 @@ done for _if in ${blocked_if_arr[@]} ; do if $log_blocked_if || $log_all ; then if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level - $ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " + $ip6t -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi - $ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level - $ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " + $ip6t -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_if -j DROP 
@@ -351,9 +465,9 @@ if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then - $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level + $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: " if $kernel_activate_forwarding ; then - $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: " fi fi @@ -415,7 +529,7 @@ echononl "\tProtections against several attacks / unwanted packages.." $ip6t -N syn-flood $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN if $log_syn_flood || $log_all ; then - $ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level + $ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " fi $ip6t -A syn-flood -j DROP @@ -425,10 +539,10 @@ $ip6t -A syn-flood -j DROP # --- if $log_new_not_sync || $log_all ; then - $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level - $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " + $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " fi fi $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP 
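Review bot: The hunk header for the ban-list block still reads `if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then`, but this commit removes `CONFIG_DIR` from the settings section and no hunk touches that line, so unless one of the sourced config files now defines it the test checks `/ban_ipv6.list` and the banned-address rules are silently skipped on every start; change it to `"${ipt_conf_dir}/ban_ipv6.list"` (the enclosing block starts outside this hunk, and the IPv4 script likely has the same reference — verify). Unless an else branch outside the hunk reports it, nothing in the script output reveals that the block was skipped; a `warn` when the ban list file is absent would make this kind of regression visible. The rest of the hunk is the mechanical LOG→`$LOG_TARGET` substitution and needs no separate comment.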
@@ -443,9 +557,9 @@ fi # --- if $log_invalid_state || $log_all ; then - $ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + $ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + $ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " fi fi $ip6t -A INPUT -m state --state INVALID -j DROP 
@@ -460,13 +574,13 @@ fi for _dev in ${ext_if_arr[@]} ; do if $log_invalid_flags || $log_all ; then - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " fi fi $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP 
@@ -487,9 +601,9 @@ done # - Refuse spoofed packets pretending to be from your IP address. if $log_spoofed || $log_all ; then for _ip in ${ext_ip_arr[@]} ; do - $ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + $ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + $ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " fi done fi @@ -504,11 +618,11 @@ done # - private Adressen auf externen interface verwerfen for _dev in ${ext_if_arr[@]} ; do if $log_spoofed || $log_all ; then - $ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level - $ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + $ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " + $ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level - $ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + $ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " + $ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " fi fi $ip6t -A INPUT -i $_dev -s $ula_block -j DROP 
@@ -601,17 +715,17 @@ echononl "\tGenerally prohibited traffic.." for _dev in ${ext_if_arr[@]} ; do if $log_prohibited || $log_all ; then for _port in ${block_tcp_port_arr[@]} ; do - $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do - $ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done if $kernel_forward_between_interfaces ; then for _port in ${block_tcp_port_arr[@]} ; do - $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do - $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done fi fi 
@@ -1693,14 +1807,14 @@ echo echononl "\tLogging all rejected traffic" if $log_rejected || $log_all ; then - #$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - #$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - $ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - $ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " + #$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " + #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " + $ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " + $ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " if $kernel_forward_between_interfaces ; then - #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - $ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " + $ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " fi echo_done else diff --git a/ipt-firewall-server b/ipt-firewall-server index 05f4cf3..18d628a 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server 
@@ -10,87 +10,137 @@ # Short-Description: IPv4 Firewall ### END INIT INFO -CONFIG_DIR="/etc/ipt-firewall" -CONFIG_FILE="${CONFIG_DIR}/ipt-firewall-server.conf" + +# ------------- +# - Settings +# ------------- + +ipt_conf_dir="/etc/ipt-firewall" + +inc_functions_file="${ipt_conf_dir}/include_functions.conf" + +load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf + +conf_logging=${ipt_conf_dir}/logging_ipv4.conf +conf_default_ports=${ipt_conf_dir}/default_ports.conf +conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf +conf_main=${ipt_conf_dir}/main_ipv4.conf +conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf + +ipt=$(which iptables) if [[ -z "$fail2ban_client" ]]; then fail2ban_client="$(which fail2ban-client)" fi -# ------------- Load Kernel Modules ------------- -# -## - Load appropriate modules. -## - -if ! $host_is_vm ; then - /sbin/modprobe ip_tables > /dev/null 2>&1 - /sbin/modprobe iptable_nat > /dev/null 2>&1 +# ------------- +# - Some checks and preloads.. +# ------------- - # - Note:! - # - Since Kernel 4.7 the automatic conntrack helper assignment - # - is disabled by default (net.netfilter.nf_conntrack_helper = 0). - # - Enable it by setting this variable in file /etc/sysctl.conf: - # - - # - net.netfilter.nf_conntrack_helper = 1 - # - - # - Reboot or type "sysctl -p" - # - - # - !! But this is NOT the recommend method !! - # --- - # - Load module for FTP Connection tracking and NAT - # --- - - # - Once a helper is loaded, it will treat packets for a given port and all IP addresses. - # - As explained before, this is not optimal and is even a security risk. A better - # - solution is to load the module helper and deactivate their parsing by default. Each - # - helper we need to use is then set by using a call to the CT target. 
- # - - # - Desactivate the automatic conntrack helper assignment: - # - - # - method 1: modprobe nf_conntrack nf_conntrack_helper=0 - # - method 2: echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper - # - - # - Note: - # - ===== - # - Each helper we need to use is then set by using a call to the CT target. - # - Example for ftp helper on standardport: - # - - # - ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp - # - - /sbin/modprobe nf_conntrack nf_conntrack_helper=0 > /dev/null 2>&1 - #echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper - - /sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1 - /sbin/modprobe nf_nat > /dev/null 2>&1 - /sbin/modprobe nf_nat_ftp > /dev/null 2>&1 - - ## - Load modules for SIP VOIP - ## - - #/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1 - #/sbin/modprobe nf_nat_sip > /dev/null 2>&1 +if [[ -z "$ipt" ]] ; then + echo "" + echo -e "\tiptables was not found on this server!" + echo + echo -e "\tFirewall Script was stopped!" + echo + exit 1 fi -# -# ------------- End: Load Kernel Modules ------------- + +if [[ ! -f "$inc_functions_file" ]] ; then + echo "" + echo -e "\tMissing include file '$inc_functions_file'" + echo + echo -e "\tFirewall Script was stopped!" + echo + exit 1 +else + source $inc_functions_file +fi + + +# - Check if running inside a container +# - +host_is_vm=false + +# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc' +# - returns "container=lxc" +# - +r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)" +if [[ -n "$r_val" ]] ; then + host_is_vm=true +else + + # --- + # - For other container types we need a few more tricks + # --- + + # Detect old-style libvirt + [ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true + + # Detect vserver + if ! $host_is_vm ; then + VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true + [ "${VXID:-0}" -gt 1 ] && host_is_vm=true + fi +fi + + +if [[ ! 
-f "$load_modules_file" ]] ; then + warn "No modules for loading configured. Missing file '$load_modules_file'!" +else + + if ! $host_is_vm ; then + + while read -r module ; do + if ! lsmod | grep -q -E "^$module\s+" ; then + /sbin/modprobe $module > /dev/null 2>&1 + if [[ "$?" != "0" ]]; then + warn "Loading module '$module' failed!" + fi + fi + done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file) + fi + +fi + +if [[ ! -f "$conf_logging" ]]; then + fatal "Missing configuration for logging - file '$conf_logging'" +else + source $conf_logging +fi + +if [[ ! -f "$conf_default_ports" ]]; then + fatal "Missing configuration for default_ports - file '$conf_default_ports'" +else + source $conf_default_ports +fi + +if [[ ! -f "$conf_interfaces" ]]; then + fatal "Missing interface configurations - file '$conf_interfaces'" +else + source $conf_interfaces +fi + +if [[ ! -f "$conf_main" ]]; then + fatal "Missing main configurations - file '$conf_main'" +else + source $conf_main +fi + +if [[ ! -f "$conf_post_declarations" ]]; then + fatal "Missing post declarations - file '$conf_post_declarations'" +else + source $conf_post_declarations +fi + echo echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m" echo -## -------------------------------------------------------------------------- -## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf -## -------------------------------------------------------------------------- - -if [[ -f "$CONFIG_FILE" ]]; then - source $CONFIG_FILE -else - echo - echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m" - echo - exit 1 -fi - # ------------- 
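Review bot: The removed block loaded `nf_conntrack` with `nf_conntrack_helper=0` and documented why automatic helper assignment is a risk, but the replacement loader only runs `/sbin/modprobe $module` per line of `$load_modules_file`, so nothing in this hunk shows where that setting now lives; if it is meant to come from the module list, a comment next to `load_modules_file` should say so, and note that `lsmod | grep -q -E "^$module\s+"` never matches a line carrying parameters, so such a line is re-run on every start. Independently, `ipt=$(which iptables)` resolves through the caller's PATH in an init script whose other binaries are addressed as `/sbin/...`; `ipt=$(command -v iptables)` is the portable builtin, and an absolute path would be the more defensive choice here. `source $inc_functions_file` and the five `source $conf_*` lines are unquoted; quoting them costs nothing and keeps the script working should `ipt_conf_dir` ever contain a space. The `warn` and `fatal` helpers are presumably defined in the sourced include file, which is outside this diff.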
@@ -276,6 +326,26 @@ fi echo +# ------------- +# ---- Log given IP Addresses +# ------------- + +echononl "\tLog given IPv4 Addresses" +if [[ ${#log_ip_arr[@]} -gt 0 ]]; then + for _ip in ${log_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: " + $ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: " + $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: " + $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: " + done + + echo_done +else + echo_skipped +fi + + + # ------------- # ------------ Stopping firewall if only flushing was requested (parameter flush) @@ -299,10 +369,10 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then echononl "\tPass through Devices (not firewalled)" for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then - $ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" + $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" + $ipt -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" + $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" fi $ipt -A INPUT -i $_dev -j ACCEPT $ipt -A OUTPUT -o $_dev -j ACCEPT 
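Review bot: The new per-IP log rules (`$ipt -A INPUT -s $_ip -j $LOG_TARGET ...` and the three that follow) carry no `-m limit`, unlike the "Rejected" rules in the hunk at @@ -1975, so every packet to or from a listed address is logged and a single busy host can fill the log. Adding a rate limit, for example `-m limit --limit 10/minute --limit-burst 20` before `-j $LOG_TARGET`, keeps the rules usable for investigation without making logging itself a resource drain. The prefixes here keep a trailing space (`"$log_prefix $_ip IN: "`) while the second hunk on this line and the rest of the commit drop it (`"... Not firewalled ${_dev}:"`); pick one form so log parsers see a consistent delimiter.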
@@ -327,9 +397,9 @@ echononl "\tBlock IPs / Networks / Interfaces.."
 for _ip in $blocked_ips ; do
 for _dev in ${ext_if_arr[@]} ; do
 if $log_blocked_ip || $log_all ; then
- $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
 if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
 fi
 fi
 $ipt -A INPUT -i $_dev -s $_ip -j DROP
@@ -347,11 +417,11 @@ done
 for _if in ${blocked_if_arr[@]} ; do
 if $log_blocked_if || $log_all ; then
 if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
- $ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ $ipt -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
+ $ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
 fi
- $ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
- $ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
+ $ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
+ $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
 fi
 if $kernel_activate_forwarding ; then
 $ipt -A FORWARD -i $_if -j DROP
@@ -523,9 +593,9 @@ if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then - $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:" if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:" fi fi $ipt -A INPUT -i $_dev -s $_ip -j DROP @@ -584,7 +654,7 @@ echononl "\tProtections against several attacks / unwanted packages.." $ipt -N syn-flood $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN if $log_syn_flood || $log_all ; then - $ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level + $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:" fi $ipt -A syn-flood -j DROP @@ -602,9 +672,9 @@ $ipt -A syn-flood -j DROP for _dev in ${ext_if_arr[@]} ; do if $log_fragments || $log_all ; then - $ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + $ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:" if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + $ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:" fi fi $ipt -A INPUT -i $_dev -f -j DROP 
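Review bot: The hunk header of the ban-list block still reads `if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then`; that text is taken from the old side, but if the new file keeps the line unchanged, `CONFIG_DIR` is no longer assigned anywhere after this commit (the settings hunk at @@ -10 replaced it with `ipt_conf_dir`), so the test would look for `/ban_ipv4.list` and the ban list would silently never be applied. Worth grepping the new file for remaining `CONFIG_DIR` uses and switching them to `"${ipt_conf_dir}/ban_ipv4.list"`, or failing loudly when the configured list is missing instead of skipping it. The enclosing `if` starts outside this hunk.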
@@ -619,10 +689,10 @@ done # --- if $log_new_not_sync || $log_all ; then - $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level - $ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" + $ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" if $kernel_activate_forwarding ; then - $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" fi fi $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP @@ -637,9 +707,9 @@ fi # --- if $log_invalid_state || $log_all ; then - $ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + $ipt -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:" if $kernel_activate_forwarding ; then - $ipt -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + $ipt -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:" fi fi $ipt -A INPUT -m state --state INVALID -j DROP 
@@ -654,13 +724,13 @@ fi for _dev in ${ext_if_arr[@]} ; do if $log_invalid_flags || $log_all ; then - $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" fi fi $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP 
@@ -682,9 +752,9 @@ done
 if $log_spoofed || $log_all ; then
 # input
 for _ip in ${ext_ip_arr[@]} ; do
- $ipt -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
+ $ipt -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
 if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
+ $ipt -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
 fi
 done
 fi
@@ -706,22 +776,22 @@ done
 # broadcast address
 for _dev in ${ext_if_arr[@]} ; do
 if $log_spoofed || $log_all ; then
- $ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level
- $ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level
- $ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level
- $ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level
- $ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level
- $ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level
- #$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level
+ $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
+ $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
+ $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
+ $ipt -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
+ $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
+ $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
+ #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
 #
 if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level
- $ipt -A FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level
- $ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level
- $ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level
- $ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level
- $ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level
- #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level
+ $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
+ $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
+ $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
+ $ipt -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
+ $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
+ $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
+ #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
 fi
 fi
 # Refuse packets claiming to be from a Class A private network.
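Review bot: Several rewritten prefixes in this hunk, e.g. `"$log_prefix Class A private net:"`, are already 21 characters before `$log_prefix` is expanded; the LOG target caps `--log-prefix` at 29 characters while NFLOG's `--nflog-prefix` allows 64, so if `LOG_TARGET` can still be `LOG` these prefixes are silently truncated and become hard to tell apart in the log. If LOG stays a supported target, either shorten the texts or add a comment next to `LOG_TARGET`/`tag_log_prefix` in the logging config stating the limit. The two `#$ipt ... $broadcast_addr` lines are commented-out code that the commit updates rather than removes; dropping them keeps the block readable.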
@@ -766,9 +836,9 @@ done
 # quench to the loopback.
 for _dev in ${ext_if_arr[@]} ; do
 if $log_to_lo || $log_all ; then
- $ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
+ $ipt -A INPUT -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
 if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
+ $ipt -A FORWARD -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
 fi
 fi
 $ipt -A INPUT -i $_dev -d $loopback -j DROP
@@ -784,15 +854,15 @@ done for _dev in ${ext_if_arr[@]} ; do if $log_spoofed_out || $log_all ; then - $ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" + $ipt -A OUTPUT -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level - $ipt -A FORWARD -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level - $ipt -A FORWARD -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level - $ipt -A FORWARD -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level + $ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" + $ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" + $ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" + $ipt -A FORWARD -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" fi fi $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP 
@@ -881,17 +951,17 @@ echononl "\tGenerally prohibited traffic.."
 for _dev in ${ext_if_arr[@]} ; do
 if $log_prohibited || $log_all ; then
 for _port in ${block_tcp_port_arr[@]} ; do
- $ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ $ipt -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
 done
 for _port in ${block_udp_port_arr[@]} ; do
- $ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ $ipt -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
 done
 if $kernel_activate_forwarding ; then
 for _port in ${block_tcp_port_arr[@]} ; do
- $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
 done
 for _port in ${block_udp_port_arr[@]} ; do
- $ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ $ipt -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
 done
 fi
 fi
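Review bot: This hunk renames the prefix to `"$log_prefix prohibited traffic:"`, while the IPv6 counterpart at @@ -601 in ip6t-firewall-server keeps `"$log_prefix gen. prohibited: "` with its trailing space; the same event now carries two different tags depending on address family, which breaks any ulogd or syslog filter that matches on the prefix. Using one string in both scripts, for example the new `prohibited traffic:` in the IPv6 file as well, keeps the two families correlatable.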
@@ -1975,14 +2045,14 @@ echo echononl "\tLogging all rejected traffic" if $log_rejected || $log_all ; then - #$ipt -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - #$ipt -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - #$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - $ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - $ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" + #$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" + #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" + $ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" + $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" if $kernel_activate_forwarding ; then - #$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level - $ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" + $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" fi echo_done else