Add support for MatterMost (MM) service.

2023-01-24 17:42:27 +01:00 · 2023-01-24 17:42:27 +01:00 · 486789c6b5
commit 486789c6b5
parent 9f016b1776
6 changed files with 273 additions and 62 deletions
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@ -39,6 +39,11 @@ standard_wireguard_port=51820
 standard_whois_port=43
 standard_xymon_port=1984

+# - Mattermost (MM) Service
+# -
+stansard_mattermost_udp_ports_in="8443"
+stansard_mattermost_udp_ports_out="3478"
+
 # - IPsec - Internet Security Association and
 # -  Key Management Protocol
 standard_isakmp_port=500
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@ -322,6 +322,17 @@ forward_http_server_ips=""
 http_ports="$standard_http_ports"


+# - Mattermost (MM) Service
+# -
+mm_server_ips=""
+forward_mm_server_ips=""
+
+# - UDP Ports IN and OUT used by MM Servive
+# -
+mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
+mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
+
+
 # - Mail SMTP Server 
 # -
 smtpd_ips=""
@ -620,6 +631,40 @@ create_traffic_counter=true
 create_iperf_rules=true


+# -------------
+# - Protection against ...
+# -------------
+
+# - Protection against syn-flooding
+# -
+protection_against_syn_flooding=true
+
+# - Protection against port scanning
+# -
+protection_against_port_scanning=true
+
+# - Protection against SSH brute-force attacks
+# -
+protection_against_ssh_brute_force_attacks=true
+
+
+# -------------
+# - Limit Connections
+# -------------
+
+# - Limit connections per source IP
+# -
+limit_connections_per_source_IP=true
+
+# - Limit RST packets
+# -
+limit_rst_packets=true
+
+# - Limit new TCP connections per second per source IP
+# -
+limit_new_tcp_connections_per_seconds_per_source_IP=true
+
+
 # -------------
 # --- Router ?
 # -------------
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@ -338,6 +338,17 @@ forward_http_server_ips=""
 http_ports="$standard_http_ports"


+# - Mattermost (MM) Service
+# -
+mm_server_ips="$ext_1_ip"
+forward_mm_server_ips=""
+
+# - UDP Ports IN and OUT used by MM Servive
+# -
+mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
+mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
+
+
 # - Mail SMTP Server 
 # -
 smtpd_ips=""
@ -636,6 +647,40 @@ create_traffic_counter=true
 create_iperf_rules=true


+# -------------
+# - Protection against ...
+# -------------
+
+# - Protection against syn-flooding
+# -
+protection_against_syn_flooding=true
+
+# - Protection against port scanning
+# -
+protection_against_port_scanning=true
+
+# - Protection against SSH brute-force attacks
+# -
+protection_against_ssh_brute_force_attacks=true
+
+
+# -------------
+# - Limit Connections
+# -------------
+
+# - Limit connections per source IP
+# -
+limit_connections_per_source_IP=true
+
+# - Limit RST packets
+# -
+limit_rst_packets=true
+
+# - Limit new TCP connections per second per source IP
+# -
+limit_new_tcp_connections_per_seconds_per_source_IP=true
+
+
 # -------------
 # --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
 # -------------
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@ -240,6 +240,20 @@ for _ip in $forward_http_server_ips ; do
   forward_http_server_ip_arr+=("$_ip")
 done

+# ---
+# - IP Addresses MatterMost Service
+# ---
+# local
+declare -a mm_server_ip_arr
+for _ip in $mm_server_ips ; do
+   mm_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mm_server_ip_arr
+for _ip in $forward_mm_server_ips ; do
+   forward_mm_server_ip_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses FTP Server
 # ---
--- a/113
+++ b/113
@ -740,13 +740,17 @@ echo_done

 echo
 echononl "\tProtection against syn-flooding"
-$ip6t -N syn-flood
-$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
-if $log_syn_flood || $log_all ; then
-   $ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
+if $protection_against_syn_flooding ; then
+   $ip6t -N syn-flood
+   $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
+   if $log_syn_flood || $log_all ; then
+      $ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: "
+   fi
+   $ip6t -A syn-flood -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ip6t -A syn-flood -j DROP
-echo_done


 # ---
@ -754,13 +758,17 @@ echo_done
 # ---

 echononl "\tProtection against port scanning"
-$ip6t -N port-scanning
-$ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
-if $log_port_scanning || $log_all ; then
-   $ip6t -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
+if $protection_against_port_scanning ; then
+   $ip6t -N port-scanning
+   $ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
+   if $log_port_scanning || $log_all ; then
+      $ip6t -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
+   fi
+   $ip6t -A port-scanning -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ip6t -A port-scanning -j DROP
-echo_done


 # ---
@ -768,12 +776,16 @@ echo_done
 # ---

 echononl "\tProtection against SSH brute-force attacks"
-$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
-if $log_ssh_brute_force || $log_all ; then
-   $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
+if $protection_against_ssh_brute_force_attacks ; then
+   $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
+   if $log_ssh_brute_force || $log_all ; then
+      $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
+   fi
+   $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
-echo_done


 # ---
@ -781,11 +793,15 @@ echo_done
 # ---

 echononl "\tLimit connections per source IP"
-if $log_rejected || $log_all ; then
-   $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
+if $limit_connections_per_source_IP ; then
+   if $log_rejected || $log_all ; then
+      $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
+   fi
+   $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+   echo_done
+else
+   echo_skipped
 fi
-$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
-echo_done


 # ---
@ -793,12 +809,16 @@ echo_done
 # ---

 echononl "\tLimit RST packets"
-$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
-if $log_rejected || $log_all ; then
-   $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
+if $limit_rst_packets ; then 
+   $ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
+   if $log_rejected || $log_all ; then
+      $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
+   fi
+   $ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
-echo_done


 # ---
@ -806,12 +826,16 @@ echo_done
 # ---

 echononl "\tLimit new TCP connections per second per source IP"
-$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
-if $log_rejected || $log_all ; then
-   $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
+if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
+   $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
+   if $log_rejected || $log_all ; then
+      $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
+   fi
+   $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
-echo_done


 # ---
@ -1747,6 +1771,33 @@ else
 fi


+# ---
+# - Mattermost Service
+# ---
+
+echononl "\t\tMattermost (MM) Service"
+if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]]  ; then
+
+   if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
+      for _ip in ${mm_server_ip_arr[@]} ; do
+         $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
+         $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
+      done
+
+      if  [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
+         for _ip in ${forward_mm_server_ip_arr[@]} ; do
+            $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
+            $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
+         done
+      fi
+   fi
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - FTP out only"
 # ---
--- a/113
+++ b/113
@ -893,13 +893,17 @@ echo_done

 echo
 echononl "\tProtection against syn-flooding"
-$ipt -N syn-flood
-$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
-if $log_syn_flood || $log_all ; then
-   $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
+if $protection_against_syn_flooding ; then
+   $ipt -N syn-flood
+   $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
+   if $log_syn_flood || $log_all ; then
+      $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
+   fi
+   $ipt -A syn-flood -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ipt -A syn-flood -j DROP
-echo_done


 # ---
@ -907,13 +911,17 @@ echo_done
 # ---

 echononl "\tProtection against port scanning"
-$ipt -N port-scanning
-$ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
-if $log_port_scanning || $log_all ; then
-   $ipt -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
+if $protection_against_port_scanning ; then
+   $ipt -N port-scanning
+   $ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
+   if $log_port_scanning || $log_all ; then
+      $ipt -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:"
+   fi
+   $ipt -A port-scanning -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ipt -A port-scanning -j DROP
-echo_done


 # ---
@ -921,12 +929,16 @@ echo_done
 # ---

 echononl "\tProtection against SSH brute-force attacks"
-$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
-if $log_ssh_brute_force || $log_all ; then
-   $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
+if $protection_against_ssh_brute_force_attacks ; then
+   $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
+   if $log_ssh_brute_force || $log_all ; then
+      $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
+   fi
+   $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
-echo_done


 # ---
@ -934,11 +946,15 @@ echo_done
 # ---

 echononl "\tLimit connections per source IP"
-if $log_rejected || $log_all ; then
-   $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
+if $limit_connections_per_source_IP ; then
+   if $log_rejected || $log_all ; then
+      $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
+   fi
+   $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
+   echo_done
+else
+   echo_skipped
 fi
-$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
-echo_done


 # ---
@ -946,12 +962,16 @@ echo_done
 # ---

 echononl "\tLimit RST packets"
-$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
-if $log_rejected || $log_all ; then
-   $ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
+if $limit_rst_packets ; then 
+   $ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
+   if $log_rejected || $log_all ; then
+      $ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
+   fi
+   $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
-echo_done


 # ---
@ -959,12 +979,16 @@ echo_done
 # ---

 echononl "\tLimit new TCP connections per second per source IP"
-$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
-if $log_rejected || $log_all ; then
-   $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
+if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
+   $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
+   if $log_rejected || $log_all ; then
+      $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
+   fi
+   $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
+   echo_done
+else
+   echo_skipped
 fi
-$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
-echo_done


 # ---
@ -1920,6 +1944,33 @@ else
 fi


+# ---
+# - Mattermost Service
+# ---
+
+echononl "\t\tMattermost (MM) Service"
+if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]]  ; then
+
+   if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
+      for _ip in ${mm_server_ip_arr[@]} ; do
+         $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
+         $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
+      done
+
+      if  [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+         for _ip in ${forward_mm_server_ip_arr[@]} ; do
+            $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
+            $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
+         done
+      fi
+   fi
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - FTP out only"
 # ---