From 350f2dc4877a778db4855b942cb550a8dc8d91be Mon Sep 17 00:00:00 2001
From: Christoph
Date: Fri, 14 Jul 2017 03:35:39 +0200
Subject: [PATCH] Add Mail Client Rules.
---
 ip6t-firewall-server | 38 ++++++++++++++++++++++++++++----
 ip6t-firewall-server.conf.sample | 27 ++++++++++++++++++++---
 ipt-firewall-server | 38 ++++++++++++++++++++++++++++----
 ipt-firewall-server.conf.sample | 27 ++++++++++++++++++++---
 4 files changed, 116 insertions(+), 14 deletions(-)
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 71ef454..64c7387 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -819,10 +819,10 @@ echo_done
 # ---
-# - Mail (SMTP Server)
+# - Mail SMTP Server (Port 25) including Spam Control
 # ---
-echononl "\t\tMail (SMTP Server including Spam Control)"
+echononl "\t\tMail SMTP Server (Port 25) including Spam Control"
 if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
 if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
@@ -875,10 +875,10 @@ fi
 # ---
-# - Mail (POP/IMAP Server)
+# - Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---
-echononl "\t\tMail (POP/IMAP Server)"
+echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
@@ -904,6 +904,36 @@ else
 fi
+# ---
+# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
+# ---
+
+echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
+
+if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_client_ips_arr[@]} ; do
+ # mail ports
+ #
+ $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
+
+ if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+ for _ip in ${forward_mail_client_ip_arr[@]} ; do
+ # mail ports
+ #
+ $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - HTTP(S) OUT
 # ---
diff --git a/ip6t-firewall-server.conf.sample b/ip6t-firewall-server.conf.sample
index 33468b7..7cd3735 100644
--- a/ip6t-firewall-server.conf.sample
+++ b/ip6t-firewall-server.conf.sample
@@ -126,10 +126,12 @@ forward_private_ips=""
 # --- Define Ports for Services
 # -------------
-# - Is this a Web Server ?
+# - Web Server Ports
+# -
 http_ports="80,443"
-# - Is this a Mailserver (POP/IMAP)
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
 mail_user_ports="587,465,110,995,143,993"
 # - SSH Ports
@@ -216,6 +218,11 @@ forward_smtpd_ips=""
 mail_server_ips=""
 forward_mail_server_ips=""
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+forward_mail_client_ips=""
+
 # - FTP Server
 # -
 ftp_server_ips=""
@@ -529,7 +536,7 @@ for _ip in $forward_smtpd_ips ; do
 done
 # ---
-# - Mail POP/IMAP Server
+# - Mail Services (smtps/pop(s)/imap(s)
 # ---
 # local
 declare -a mail_server_ips_arr
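Review bot: The forwarding guard `if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then` executes the variable's value as a command, so an unset or empty value expands to no command at all and the condition passes with the exit status of the `[[` test (unless the script runs under `set -u`), quietly installing the FORWARD ACCEPT rules on a host where forwarding is off. The ipt-firewall-server hunk at @@ -1094 uses `$kernel_activate_forwarding` in the same position; if the two scripts genuinely define different names that is fine, but if one is a typo it is exactly the silent case above, so it is worth confirming which name each script actually sets. Assuming the variable holds the literal words true/false as the command-style use suggests, a string test fails closed: `if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && [[ "${kernel_forward_between_interfaces:-false}" == true ]] ; then`. Both new rules match only `-s $_ip` with no `-d`, `-o` or `-i`, which fits the "out only" intent but means the listed sources may reach the mail ports on any host; a `# NOTE: no destination/interface restriction on purpose` comment above the rules would record that this is deliberate rather than an omission.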
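Review bot: The new comment labels `mail_user_ports` as "Mail Client Ports (Submission/SMTPS/POPS/IMAPS)", but the unchanged value `mail_user_ports="587,465,110,995,143,993"` still contains 110 (POP3) and 143 (IMAP), which are the cleartext ports, so the Mail Client block this commit adds opens outbound plaintext mail access while its heading promises only the TLS variants. Either drop 110 and 143 from the list or make the comment match what is permitted, e.g. `# - Mail Client Ports (Submission/SMTPS/POP3/POP3S/IMAP/IMAPS)`, so an administrator reading the sample is not misled. The previous comment described this variable as the server-side POP/IMAP list, and the server block renamed in the @@ -875 hunk still carries POP/IMAP in its title, so the value may be shared by both blocks; I cannot see that use from here, but if it is shared a one-line note saying so would stop someone trimming the list for clients and breaking the server rules. The ipt-firewall-server.conf.sample hunk at @@ -126 has the identical text.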
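Review bot: `mail_client_ips` and `forward_mail_client_ips` are introduced with no description of what belongs in them beyond `# - Mail Client (smtps/pop(s)/imap(s)`, which also has an unclosed parenthesis; the same text recurs at @@ -529 and @@ -542 here and at @@ -219, @@ -613 and @@ -626 in ipt-firewall-server.conf.sample. A short comment naming the contents would help, e.g. `# - Whitespace separated IPs of hosts allowed to open outgoing mail client connections` and `# - forward_mail_client_ips: the same for hosts reached through forwarding (DMZ)`. The whitespace separation is something the loops at @@ -542 depend on (`for _ip in $mail_client_ips` relies on word splitting), so the sample is the right place to state it; the forward/DMZ meaning is taken from the `# local` and `# DMZ` comments in that hunk, not from anything shown in this one.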
@@ -542,6 +549,20 @@ for _ip in $forward_mail_server_ips ; do
 forward_mail_server_ip_arr+=("$_ip")
 done
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+ mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+ forward_mail_client_ip_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses Mumble Server
 # ---
diff --git a/ipt-firewall-server b/ipt-firewall-server
index e33cf98..acf72e6 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1009,10 +1009,10 @@ echo_done
 # ---
-# - Mail (SMTP Server)
+# - Mail SMTP Server (Port 25) including Spam Control
 # ---
-echononl "\t\tMail (SMTP Server including Spam Control)"
+echononl "\t\tMail SMTP Server (Port 25) including Spam Control"
 if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
 if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
@@ -1065,10 +1065,10 @@ fi
 # ---
-# - Mail (POP/IMAP Server)
+# - Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---
-echononl "\t\tMail (POP/IMAP Server)"
+echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
@@ -1094,6 +1094,36 @@ else
 fi
+# ---
+# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
+# ---
+
+echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
+
+if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_client_ips_arr[@]} ; do
+ # mail ports
+ #
+ $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
+
+ if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_mail_client_ip_arr[@]} ; do
+ # mail ports
+ #
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - HTTP(S) OUT
 # ---
diff --git a/ipt-firewall-server.conf.sample b/ipt-firewall-server.conf.sample
index 83c347f..4899eea 100644
--- a/ipt-firewall-server.conf.sample
+++ b/ipt-firewall-server.conf.sample
@@ -126,10 +126,12 @@ forward_private_ips=""
 # --- Define Ports for Services
 # -------------
-# - Is this a Web Server ?
+# - Web Server Ports
+# -
 http_ports="80,443"
-# - Is this a Mailserver (POP/IMAP)
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
 mail_user_ports="587,465,110,995,143,993"
 # - SSH Ports
@@ -219,6 +221,11 @@ forward_smtpd_ips=""
 mail_server_ips=""
 forward_mail_server_ips=""
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+forward_mail_client_ips=""
+
 # - FTP Server
 # -
 ftp_server_ips=""
@@ -613,7 +620,7 @@ for _ip in $forward_smtpd_ips ; do
 done
 # ---
-# - Mail POP/IMAP Server
+# - Mail Services (smtps/pop(s)/imap(s)
 # ---
 # local
 declare -a mail_server_ips_arr
@@ -626,6 +633,20 @@ for _ip in $forward_mail_server_ips ; do
 forward_mail_server_ip_arr+=("$_ip")
 done
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+ mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+ forward_mail_client_ip_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses Mumble Server
 # ---