ip6t-firewall-server: replace '-m statet --state ..' with '-m conntrack --ctstate ..'.

2026-01-19 16:10:52 +01:00
parent 73122fb0ce
commit 3d27513b81


@@ -15,7 +15,7 @@ conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_default_settings=${ipt_conf_dir}/default_settings.conf conf_default_settings=${ipt_conf_dir}/default_settings.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_post_declarations=${ipt_conf_dir}/post_declarations.conf
conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list" conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"
@@ -392,11 +392,11 @@ echo_done
# --- # ---
echononl "\tPermit all traffic through VPN lines.." echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do for _vpn_if in ${vpn_if_arr[@]} ; do
$ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT $ip6t -A FORWARD -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
echo_done echo_done
@@ -1341,7 +1341,7 @@ if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do for _dev in "${ext_if_arr[@]}" ; do
for _val in "${allow_ext_service_arr[@]}" ; do for _val in "${allow_ext_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
done done
done done
echo_done echo_done
@@ -1359,7 +1359,7 @@ echononl "\t\tAllow extern IP-Address/Network"
if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do for _dev in "${ext_if_arr[@]}" ; do
for _net in "${allow_ext_net_arr[@]}" ; do for _net in "${allow_ext_net_arr[@]}" ; do
$ip6t -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p all -d $_net -m conntrack --ctstate NEW -j ACCEPT
done done
done done
echo_done echo_done
@@ -1380,7 +1380,7 @@ if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do for _dev in "${ext_if_arr[@]}" ; do
for _val in "${allow_local_service_arr[@]}" ; do for _val in "${allow_local_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m conntrack --ctstate NEW -j ACCEPT
done done
done done
echo_done echo_done
@@ -1399,7 +1399,7 @@ if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do for _dev in "${ext_if_arr[@]}" ; do
for _val in "${allow_local_service_from_network_arr[@]}" ; do for _val in "${allow_local_service_from_network_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
done done
done done
echo_done echo_done
@@ -1455,14 +1455,14 @@ echononl "\t\tDNS out only"
# - # -
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s) # - out from local and virtual mashine(s)
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
# - forward from virtual mashine(s) # - forward from virtual mashine(s)
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -1485,10 +1485,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes, # If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP. # it will be sent over TCP, not UDP.
# #
$ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
# Zonetransfer # Zonetransfer
$ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@@ -1500,10 +1500,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes, # If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP. # it will be sent over TCP, not UDP.
# #
$ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
# Zonetransfer # Zonetransfer
$ip6t -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
echo_done echo_done
@@ -1540,9 +1540,9 @@ echononl "\t\tSSH out only"
# ausgehende Anfragen # ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
@@ -1550,10 +1550,10 @@ for _dev in ${ext_if_arr[@]} ; do
[[ "$_port" = "$standard_ssh_port" ]] && continue [[ "$_port" = "$standard_ssh_port" ]] && continue
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -1563,17 +1563,17 @@ done
if [[ ${#local_if_arr[@]} -gt 0 ]] ; then if [[ ${#local_if_arr[@]} -gt 0 ]] ; then
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
for _port in ${ssh_port_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do
[[ "$_port" = "$standard_ssh_port" ]] && continue [[ "$_port" = "$standard_ssh_port" ]] && continue
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
fi fi
@@ -1593,7 +1593,7 @@ if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -
if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ssh_server_ip_arr[@]} ; do for _ip in ${ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -1601,7 +1601,7 @@ if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -
if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_ssh_server_ip_arr[@]} ; do for _ip in ${forward_ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -1621,7 +1621,7 @@ if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${vpn_port_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
@@ -1635,14 +1635,14 @@ if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${vpn_server_ip_arr[@]} ; do for _ip in ${vpn_server_ip_arr[@]} ; do
for _port in ${vpn_port_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do
$ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_vpn_server_ip_arr[@]} ; do for _ip in ${forward_vpn_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
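Review bot: In the forward branch of this hunk the rule `$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT` reads `$_port` outside any `for _port` loop, so it only sees whatever value the INPUT loop above left behind (the last element of `vpn_port_arr`), or an empty string when that branch was skipped, in which case the ip6tables call most likely fails on a missing `--dport` argument. The INPUT branch iterates `for _port in ${vpn_port_arr[@]}` per address; the FORWARD branch should do the same, i.e. wrap the rule in `for _port in ${vpn_port_arr[@]} ; do` … `done` inside the `for _ip` loop. The wireguard hunk at `@@ -1675` has the identical gap with `wireguard_server_port_arr`. The enclosing `if` for both branches starts outside the hunk.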
@@ -1661,7 +1661,7 @@ if [[ ${#wireguard_out_port_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${wireguard_out_port_port_arr[@]} ; do for _port in ${wireguard_out_port_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
@@ -1675,14 +1675,14 @@ if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_wireguard_server_
if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${wireguard_server_ip_arr[@]} ; do for _ip in ${wireguard_server_ip_arr[@]} ; do
for _port in ${wireguard_server_port_arr[@]} ; do for _port in ${wireguard_server_port_arr[@]} ; do
$ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
if [[ ${#forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_wireguard_server_ip_arr[@]} ; do for _ip in ${forward_wireguard_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@@ -1704,7 +1704,7 @@ if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt
for _port in ${rsync_port_arr[@]} ; do for _port in ${rsync_port_arr[@]} ; do
for _ip in ${rsync_out_ip_arr[@]} ; do for _ip in ${rsync_out_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
@@ -1714,7 +1714,7 @@ if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt
for _port in ${rsync_port_arr[@]} ; do for _port in ${rsync_port_arr[@]} ; do
for _ip in ${forward_rsync_out_ip_arr[@]} ; do for _ip in ${forward_rsync_out_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
@@ -1733,9 +1733,9 @@ fi
echononl "\t\tTelnet (only OUT)" echononl "\t\tTelnet (only OUT)"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -1749,9 +1749,9 @@ echo_done
echononl "\t\tMySQL (only OUT)" echononl "\t\tMySQL (only OUT)"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -1766,7 +1766,7 @@ echononl "\t\tLocal Prometheus Service"
if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${prometheus_local_server_ip_arr[@]} ; do for _ip in ${prometheus_local_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m conntrack --ctstate NEW -j ACCEPT
done done
echo_done echo_done
else else
@@ -1783,7 +1783,7 @@ echononl "\t\tLocal Prometheus Client"
if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${prometheus_local_client_ip_arr[@]} ; do for _ip in ${prometheus_local_client_ip_arr[@]} ; do
for _ip in ${prometheus_remote_server_ip_arr[@]} ; do for _ip in ${prometheus_remote_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m conntrack --ctstate NEW -j ACCEPT
done done
done done
echo_done echo_done
@@ -1800,9 +1800,9 @@ echononl "\t\tMunin remote service"
if [ "X$munin_remote_ip" != "X" ]; then if [ "X$munin_remote_ip" != "X" ]; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
echo_done echo_done
@@ -1822,13 +1822,13 @@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${munin_server_ip_arr[@]} ; do for _ip in ${munin_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_munin_server_ip_arr[@]} ; do for _ip in ${forward_munin_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@@ -1845,9 +1845,9 @@ fi
echononl "\t\tMail (SMTP OUT)" echononl "\t\tMail (SMTP OUT)"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -1864,9 +1864,9 @@ if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
done done
@@ -1887,19 +1887,19 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
for _ip in ${smtpd_ips_arr[@]} ; do for _ip in ${smtpd_ips_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
# #
# Razor2 (TCP Port 2703) # Razor2 (TCP Port 2703)
$ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo) # DEPRECATED: TCP Port 7 (echo)
$ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT
# #
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
# #
# - DCC (port udp:6277) # - DCC (port udp:6277)
$ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT
# if DCC Server is running (port tcp:6277) # if DCC Server is running (port tcp:6277)
$ip6t -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
@@ -1908,19 +1908,19 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_smtpd_ip_arr[@]} ; do for _ip in ${forward_smtpd_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
# #
# Razor2 (TCP Port 2703) # Razor2 (TCP Port 2703)
$ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo) # DEPRECATED: TCP Port 7 (echo)
$ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT
# #
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
# #
# DCC (port udp:6277) # DCC (port udp:6277)
$ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT
# if DCC Server is running (port tcp:6277) # if DCC Server is running (port tcp:6277)
$ip6t -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
@@ -1943,9 +1943,9 @@ if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_listen_port_arr[@]} ; do for _port in ${smtpd_additional_listen_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
done done
@@ -1968,7 +1968,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
for _ip in ${mail_server_ips_arr[@]} ; do for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports # mail ports
# #
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]
@@ -1976,7 +1976,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
for _ip in ${forward_mail_server_ip_arr[@]} ; do for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports # mail ports
# #
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
@@ -1996,7 +1996,7 @@ if [[ -n "$dovecot_auth_service" ]] && $dovecot_auth_service ; then
if [[ ${#dovecot_auth_allowed_network_arr[@]} -gt 0 ]] && [[ -n "$dovecot_auth_port" ]]; then if [[ ${#dovecot_auth_allowed_network_arr[@]} -gt 0 ]] && [[ -n "$dovecot_auth_port" ]]; then
for _ip in ${dovecot_auth_allowed_network_arr[@]} ; do for _ip in ${dovecot_auth_allowed_network_arr[@]} ; do
$ip6t -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m conntrack --ctstate NEW -j ACCEPT
done done
echo_done echo_done
else else
@@ -2019,7 +2019,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
for _ip in ${mail_client_ips_arr[@]} ; do for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports # mail ports
# #
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
@@ -2027,7 +2027,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
for _ip in ${forward_mail_client_ip_arr[@]} ; do for _ip in ${forward_mail_client_ip_arr[@]} ; do
# mail ports # mail ports
# #
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
@@ -2044,9 +2044,9 @@ fi
echononl "\t\tHTTP(S) out only" echononl "\t\tHTTP(S) out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2063,12 +2063,12 @@ if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]}
if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${http_server_ip_arr[@]} ; do for _ip in ${http_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
done done
if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_http_server_ip_arr[@]} ; do for _ip in ${forward_http_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
fi fi
@@ -2088,14 +2088,14 @@ if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mm_server_ip_arr[@]} ; do for _ip in ${mm_server_ip_arr[@]} ; do
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
done done
if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mm_server_ip_arr[@]} ; do for _ip in ${forward_mm_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
fi fi
@@ -2126,7 +2126,7 @@ for _dev in ${ext_if_arr[@]} ; do
# - # -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
# - # -
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW \
-m recent --name ftp6data_out_$j --rdest --set -j ACCEPT -m recent --name ftp6data_out_$j --rdest --set -j ACCEPT
# - (2) # - (2)
@@ -2137,7 +2137,7 @@ for _dev in ${ext_if_arr[@]} ; do
# - # -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# - # -
$ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \ $ip6t -A OUTPUT -o $_dev -p tcp -m conntrack --ctstate NEW --dport 1024: \
-m recent --name ftp6data_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT -m recent --name ftp6data_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
((j++)) ((j++))
@@ -2155,18 +2155,18 @@ echo_done
# #
#for _dev in ${ext_if_arr[@]} ; do #for _dev in ${ext_if_arr[@]} ; do
# # (Datenkanal aktiv) # # (Datenkanal aktiv)
# $ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # $ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
# # (Datenkanal passiv) # # (Datenkanal passiv)
# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# # (Kontrollverbindung) # # (Kontrollverbindung)
# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT # $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# if $kernel_forward_between_interfaces ; then # if $kernel_forward_between_interfaces ; then
# # (Datenkanal aktiv) # # (Datenkanal aktiv)
# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
# # (Datenkanal passiv) # # (Datenkanal passiv)
# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# # (Kontrollverbindung) # # (Kontrollverbindung)
# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT # $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
# fi # fi
#done #done
# #
@@ -2212,7 +2212,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - # -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# - # -
$ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
# - (2) # - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
@@ -2222,7 +2222,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - # -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# - # -
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
@@ -2253,7 +2253,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - # -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# - # -
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT $ip6t -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
# - (2) # - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
@@ -2263,9 +2263,9 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - # -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# - # -
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ $ip6t -A FORWARD -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \ $ip6t -A FORWARD -p tcp -m conntrack --ctstate NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
# - Accept (helper ftp) related connections # - Accept (helper ftp) related connections
@@ -2290,22 +2290,22 @@ fi
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then # if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do # for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv) # # (Datenkanal aktiv)
# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
# # Datenkanal (passiver modus) # # Datenkanal (passiver modus)
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT # $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# # - Kontrollverbindung # # - Kontrollverbindung
# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT # $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# done # done
# fi # fi
# #
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then # if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do # for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv) # # (Datenkanal aktiv)
# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
# # Datenkanal (passiver modus) # # Datenkanal (passiver modus)
# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT # $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# # - Kontrollverbindung # # - Kontrollverbindung
# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT # $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# done # done
# fi # fi
# #
@@ -2326,11 +2326,11 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]}
if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${xmpp_server_ip_arr[@]} ; do for _ip in ${xmpp_server_ip_arr[@]} ; do
for _port in ${xmmp_tcp_in_port_arr[@]} ; do for _port in ${xmmp_tcp_in_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
for _port in ${xmmp_tcp_out_port_arr[@]} ; do for _port in ${xmmp_tcp_out_port_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -2339,11 +2339,11 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]}
if [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_xmpp_server_ip_arr[@]} ; do for _ip in ${forward_xmpp_server_ip_arr[@]} ; do
for _port in ${xmmp_tcp_in_port_arr[@]} ; do for _port in ${xmmp_tcp_in_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
for _port in ${xmmp_tcp_out_port_arr[@]} ; do for _port in ${xmmp_tcp_out_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -2364,7 +2364,7 @@ if [[ ${#xmmp_remote_out_service_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do for _dev in "${ext_if_arr[@]}" ; do
for _val in "${xmmp_remote_out_service_arr[@]}" ; do for _val in "${xmmp_remote_out_service_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}" IFS=',' read -a _val_arr <<< "${_val}"
$ip6t -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
done done
done done
echo_done echo_done
@@ -2383,15 +2383,15 @@ echononl "\t\tMumble Service"
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mumble_server_ip_arr[@]} ; do for _ip in ${mumble_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mumble_server_ip_arr[@]} ; do for _ip in ${forward_mumble_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@@ -2412,18 +2412,18 @@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do for _ip in ${jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
fi fi
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_jitsi_server_ip_arr[@]} ; do for _ip in ${forward_jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
fi fi
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@@ -2436,15 +2436,15 @@ echononl "\t\tJitsi Meet Video Conferencing Service Outgoing Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do for _ip in ${jitsi_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_jitsi_server_ip_arr[@]} ; do for _ip in ${forward_jitsi_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
echo_done echo_done
@@ -2456,11 +2456,11 @@ echononl "\t\tJitsi Meet Dovecot Authentication"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if $jitsi_dovecot_auth && [[ -n "$jitsi_dovecot_host" ]] && [[ -n "$jitsi_dovecot_port" ]] ; then if $jitsi_dovecot_auth && [[ -n "$jitsi_dovecot_host" ]] && [[ -n "$jitsi_dovecot_port" ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
$ip6t -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
echo_done echo_done
else else
@@ -2475,7 +2475,7 @@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] \
&& $jitsi_jibri_remote_auth \ && $jitsi_jibri_remote_auth \
&& [[ ${#jitsi_jibri_remote_ip_arr[@]} -gt 0 ]] ; then && [[ ${#jitsi_jibri_remote_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_jibri_remote_ip_arr[@]} ; do for _ip in ${jitsi_jibri_remote_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT
done done
echo_done echo_done
@@ -2496,17 +2496,17 @@ if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jibri_server_ip_arr[@
else else
if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jibri_server_ip_arr[@]} ; do for _ip in ${jibri_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_jibri_server_ip_arr[@]} ; do for _ip in ${forward_jibri_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@@ -2527,17 +2527,17 @@ if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_nc_turn_server_ip_a
if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${nc_turn_server_ip_arr[@]} ; do for _ip in ${nc_turn_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
if [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_nc_turn_server_ip_arr[@]} ; do for _ip in ${forward_nc_turn_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
@@ -2555,9 +2555,9 @@ fi
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2571,11 +2571,11 @@ echo_done
echononl "\t\tNTP out only" echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2607,9 +2607,9 @@ fi
echononl "\t\tLDAP out only" echononl "\t\tLDAP out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2623,9 +2623,9 @@ echo_done
echononl "\t\tLDAPS out only" echononl "\t\tLDAPS out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2639,9 +2639,9 @@ echo_done
echononl "\t\tWhois out only" echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2655,9 +2655,9 @@ echo_done
echononl "\t\tPGP/GPG Key server - out only" echononl "\t\tPGP/GPG Key server - out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2671,9 +2671,9 @@ echo_done
echononl "\t\tGIT out only" echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@@ -2693,7 +2693,7 @@ if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -2701,7 +2701,7 @@ if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt
if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -2722,7 +2722,7 @@ if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt
if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${udp_out_port_arr[@]} ; do for _port in ${udp_out_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -2730,7 +2730,7 @@ if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt
if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
for _port in ${forward_udp_out_port_arr[@]} ; do for _port in ${forward_udp_out_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
done done
done done
fi fi
@@ -2830,11 +2830,11 @@ echononl "\t\tUNIX Traceroute"
# die option -I und versenden dann ebenfalls icmp-echo-request pakete # die option -I und versenden dann ebenfalls icmp-echo-request pakete
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
$ip6t -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT $ip6t -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT $ip6t -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
$ip6t -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT $ip6t -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT
fi fi
done done