Complete the last commit.

This commit is contained in:
2019-03-07 05:07:46 +01:00
parent 040f453e6d
commit 15accbe3a6
10 changed files with 4283 additions and 203 deletions


@ -10,43 +10,137 @@
# Short-Description: IPv6 Firewall
### END INIT INFO
CONFIG_DIR="/etc/ipt-firewall"
CONFIG_FILE="${CONFIG_DIR}/ip6t-firewall-server.conf"
# -------------
# - Settings
# -------------
ipt_conf_dir="/etc/ipt-firewall"
inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
ip6t=$(which ip6tables)
if [[ -z "$fail2ban_client" ]]; then
fail2ban_client="$(which fail2ban-client)"
fi
# ------------- Load Kernel Modules -------------
#
# Load appropriate modules.
if ! $host_is_vm ; then
/sbin/modprobe ip6_tables
/sbin/modprobe ip6table_filter
/sbin/modprobe ip6t_REJECT
# -------------
# - Some checks and preloads..
# -------------
if [[ -z "$ip6t" ]] ; then
echo ""
echo -e "\tip6tables was not found on this server!"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
fi
#
# ------------- End: Load Kernel Modules -------------
if [[ ! -f "$inc_functions_file" ]] ; then
echo ""
echo -e "\tMissing include file '$inc_functions_file'"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
else
source $inc_functions_file
fi
# - Check if running inside a container
# -
host_is_vm=false
# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc'
# - returns "container=lxc"
# -
r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)"
if [[ -n "$r_val" ]] ; then
host_is_vm=true
else
# ---
# - For other container types we need a few more tricks
# ---
# Detect old-style libvirt
[ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true
# Detect vserver
if ! $host_is_vm ; then
VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true
[ "${VXID:-0}" -gt 1 ] && host_is_vm=true
fi
fi
if [[ ! -f "$load_modules_file" ]] ; then
warn "No modules for loading configured. Missing file '$load_modules_file'!"
else
if ! $host_is_vm ; then
while read -r module ; do
if ! lsmod | grep -q -E "^$module\s+" ; then
/sbin/modprobe $module > /dev/null 2>&1
if [[ "$?" != "0" ]]; then
warn "Loading module '$module' failed!"
fi
fi
done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
fi
fi
if [[ ! -f "$conf_logging" ]]; then
fatal "Missing configuration for logging - file '$conf_logging'"
else
source $conf_logging
fi
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_default_ports
fi
if [[ ! -f "$conf_interfaces" ]]; then
fatal "Missing interface configurations - file '$conf_interfaces'"
else
source $conf_interfaces
fi
if [[ ! -f "$conf_main" ]]; then
fatal "Missing main configurations - file '$conf_main'"
else
source $conf_main
fi
if [[ ! -f "$conf_post_declarations" ]]; then
fatal "Missing post declarations - file '$conf_post_declarations'"
else
source $conf_post_declarations
fi
echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m"
echo
## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
if [[ -f "$CONFIG_FILE" ]]; then
source $CONFIG_FILE
else
echo
echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
echo
exit 1
fi
# -------------
# --- Activate IP Forwarding
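Review bot: `load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf` near the top of this hunk points the IPv6 script at the IPv4 module list, while the explicit `/sbin/modprobe ip6_tables`, `ip6table_filter` and `ip6t_REJECT` calls are dropped from the same hunk; if that file lists only IPv4 modules, the IPv6 ones are no longer loaded explicitly and the script then depends on ip6tables autoloading them. Either point it at an IPv6 list (`load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf`, mirroring `logging_ipv6.conf` and `main_ipv6.conf`) or add a comment stating that the file is deliberately shared between the IPv4 and IPv6 scripts. Two smaller things in the same hunk: `conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf` spells the filename "decalrations", which must match the file actually shipped in this commit, and the `if [[ -z "$fail2ban_client" ]]` check runs before any configuration file is sourced in this hunk, so it presumably only takes effect if the variable is set earlier in the file, outside the hunk. The `source $inc_functions_file` and the six `source $conf_…` lines are unquoted; the paths are fixed constants under /etc/ipt-firewall, so `source "$conf_main"` is a style point rather than a defect. The file section continues past this hunk.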
@ -173,6 +267,26 @@ fi
echo
# -------------
# ---- Log given IP Addresses
# -------------
echononl "\tLog given IPv6 Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
for _ip in ${log_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: "
$ip6t -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: "
$ip6t -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: "
$ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: "
done
echo_done
else
echo_skipped
fi
# -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush)
@ -196,10 +310,10 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
echononl "\tPass through Devices (not firewalled)"
for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then
$ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
fi
$ip6t -A INPUT -i $_dev -j ACCEPT
$ip6t -A OUTPUT -o $_dev -j ACCEPT
@ -224,9 +338,9 @@ echononl "\tBlock IPs / Networks / Interfaces.."
for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: "
fi
fi
$ip6t -A INPUT -i $_dev -s $_ip -j DROP
@ -244,11 +358,11 @@ done
for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi
$ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
$ip6t -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: "
fi
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j DROP
@ -351,9 +465,9 @@ if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
if $kernel_activate_forwarding ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
fi
fi
@ -415,7 +529,7 @@ echononl "\tProtections against several attacks / unwanted packages.."
$ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
$ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
fi
$ip6t -A syn-flood -j DROP
@ -425,10 +539,10 @@ $ip6t -A syn-flood -j DROP
# ---
if $log_new_not_sync || $log_all ; then
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: "
fi
fi
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
@ -443,9 +557,9 @@ fi
# ---
if $log_invalid_state || $log_all ; then
$ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
$ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
$ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: "
fi
fi
$ip6t -A INPUT -m state --state INVALID -j DROP
@ -460,13 +574,13 @@ fi
for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: "
fi
fi
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
@ -487,9 +601,9 @@ done
# - Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
$ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
$ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): "
fi
done
fi
@ -504,11 +618,11 @@ done
# - private Adressen auf externen interface verwerfen
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): "
$ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): "
fi
fi
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
@ -601,17 +715,17 @@ echononl "\tGenerally prohibited traffic.."
for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
if $kernel_forward_between_interfaces ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: "
done
fi
fi
@ -1693,14 +1807,14 @@ echo
echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then
#$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
if $kernel_forward_between_interfaces ; then
#$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
fi
echo_done
else