firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for MatterMost (MM) service.

Browse Source
This commit is contained in:
Christoph 2023-01-24 17:42:27 +01:00
parent 9f016b1776
commit 486789c6b5
6 changed files with 273 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
conf/default_ports.conf
View File

@ -39,6 +39,11 @@ standard_wireguard_port=51820
standard_whois_port=43 standard_whois_port=43
standard_xymon_port=1984 standard_xymon_port=1984
# - Mattermost (MM) Service
# -
stansard_mattermost_udp_ports_in="8443"
stansard_mattermost_udp_ports_out="3478"
# - IPsec - Internet Security Association and # - IPsec - Internet Security Association and
# - Key Management Protocol # - Key Management Protocol
standard_isakmp_port=500 standard_isakmp_port=500

45
conf/main_ipv4.conf.sample
View File

@ -322,6 +322,17 @@ forward_http_server_ips=""
http_ports="$standard_http_ports" http_ports="$standard_http_ports"
# - Mattermost (MM) Service
# -
mm_server_ips=""
forward_mm_server_ips=""
# - UDP Ports IN and OUT used by MM Servive
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
# - Mail SMTP Server # - Mail SMTP Server
# - # -
smtpd_ips="" smtpd_ips=""
@ -620,6 +631,40 @@ create_traffic_counter=true
create_iperf_rules=true create_iperf_rules=true
# -------------
# - Protection against ...
# -------------
# - Protection against syn-flooding
# -
protection_against_syn_flooding=true
# - Protection against port scanning
# -
protection_against_port_scanning=true
# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
# -------------
# - Limit Connections
# -------------
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
# - Limit RST packets
# -
limit_rst_packets=true
# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true
# ------------- # -------------
# --- Router ? # --- Router ?
# ------------- # -------------

45
conf/main_ipv6.conf.sample
View File

@ -338,6 +338,17 @@ forward_http_server_ips=""
http_ports="$standard_http_ports" http_ports="$standard_http_ports"
# - Mattermost (MM) Service
# -
mm_server_ips="$ext_1_ip"
forward_mm_server_ips=""
# - UDP Ports IN and OUT used by MM Servive
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
# - Mail SMTP Server # - Mail SMTP Server
# - # -
smtpd_ips="" smtpd_ips=""
@ -636,6 +647,40 @@ create_traffic_counter=true
create_iperf_rules=true create_iperf_rules=true
# -------------
# - Protection against ...
# -------------
# - Protection against syn-flooding
# -
protection_against_syn_flooding=true
# - Protection against port scanning
# -
protection_against_port_scanning=true
# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
# -------------
# - Limit Connections
# -------------
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
# - Limit RST packets
# -
limit_rst_packets=true
# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true
# ------------- # -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning) # --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# ------------- # -------------

14
conf/post_decalrations.conf
View File

@ -240,6 +240,20 @@ for _ip in $forward_http_server_ips ; do
forward_http_server_ip_arr+=("$_ip") forward_http_server_ip_arr+=("$_ip")
done done
# ---
# - IP Addresses MatterMost Service
# ---
# local
declare -a mm_server_ip_arr
for _ip in $mm_server_ips ; do
mm_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mm_server_ip_arr
for _ip in $forward_mm_server_ips ; do
forward_mm_server_ip_arr+=("$_ip")
done
# --- # ---
# - IP Addresses FTP Server # - IP Addresses FTP Server
# --- # ---

51
ip6t-firewall-server
View File

@ -740,6 +740,7 @@ echo_done
echo echo
echononl "\tProtection against syn-flooding" echononl "\tProtection against syn-flooding"
if $protection_against_syn_flooding ; then
$ip6t -N syn-flood $ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then if $log_syn_flood || $log_all ; then
@ -747,6 +748,9 @@ if $log_syn_flood || $log_all ; then
fi fi
$ip6t -A syn-flood -j DROP $ip6t -A syn-flood -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -754,6 +758,7 @@ echo_done
# --- # ---
echononl "\tProtection against port scanning" echononl "\tProtection against port scanning"
if $protection_against_port_scanning ; then
$ip6t -N port-scanning $ip6t -N port-scanning
$ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN $ip6t -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
if $log_port_scanning || $log_all ; then if $log_port_scanning || $log_all ; then
@ -761,6 +766,9 @@ if $log_port_scanning || $log_all ; then
fi fi
$ip6t -A port-scanning -j DROP $ip6t -A port-scanning -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -768,12 +776,16 @@ echo_done
# --- # ---
echononl "\tProtection against SSH brute-force attacks" echononl "\tProtection against SSH brute-force attacks"
if $protection_against_ssh_brute_force_attacks ; then
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
if $log_ssh_brute_force || $log_all ; then if $log_ssh_brute_force || $log_all ; then
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
fi fi
$ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP $ip6t -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -781,11 +793,15 @@ echo_done
# --- # ---
echononl "\tLimit connections per source IP" echononl "\tLimit connections per source IP"
if $limit_connections_per_source_IP ; then
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: " $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
fi fi
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset $ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -793,12 +809,16 @@ echo_done
# --- # ---
echononl "\tLimit RST packets" echononl "\tLimit RST packets"
if $limit_rst_packets ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT $ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " $ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
fi fi
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP $ip6t -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -806,12 +826,16 @@ echo_done
# --- # ---
echononl "\tLimit new TCP connections per second per source IP" echononl "\tLimit new TCP connections per second per source IP"
if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: " $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
fi fi
$ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -1747,6 +1771,33 @@ else
fi fi
# ---
# - Mattermost Service
# ---
echononl "\t\tMattermost (MM) Service"
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mm_server_ip_arr[@]} ; do
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
done
if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mm_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
done
fi
fi
echo_done
else
echo_skipped
fi
# --- # ---
# - FTP out only" # - FTP out only"
# --- # ---

51
ipt-firewall-server
View File

@ -893,6 +893,7 @@ echo_done
echo echo
echononl "\tProtection against syn-flooding" echononl "\tProtection against syn-flooding"
if $protection_against_syn_flooding ; then
$ipt -N syn-flood $ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then if $log_syn_flood || $log_all ; then
@ -900,6 +901,9 @@ if $log_syn_flood || $log_all ; then
fi fi
$ipt -A syn-flood -j DROP $ipt -A syn-flood -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -907,6 +911,7 @@ echo_done
# --- # ---
echononl "\tProtection against port scanning" echononl "\tProtection against port scanning"
if $protection_against_port_scanning ; then
$ipt -N port-scanning $ipt -N port-scanning
$ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN $ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
if $log_port_scanning || $log_all ; then if $log_port_scanning || $log_all ; then
@ -914,6 +919,9 @@ if $log_port_scanning || $log_all ; then
fi fi
$ipt -A port-scanning -j DROP $ipt -A port-scanning -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -921,12 +929,16 @@ echo_done
# --- # ---
echononl "\tProtection against SSH brute-force attacks" echononl "\tProtection against SSH brute-force attacks"
if $protection_against_ssh_brute_force_attacks ; then
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
if $log_ssh_brute_force || $log_all ; then if $log_ssh_brute_force || $log_all ; then
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:"
fi fi
$ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -934,11 +946,15 @@ echo_done
# --- # ---
echononl "\tLimit connections per source IP" echononl "\tLimit connections per source IP"
if $limit_connections_per_source_IP ; then
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:" $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
fi fi
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset $ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -946,12 +962,16 @@ echo_done
# --- # ---
echononl "\tLimit RST packets" echononl "\tLimit RST packets"
if $limit_rst_packets ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT $ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " $ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
fi fi
$ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -959,12 +979,16 @@ echo_done
# --- # ---
echononl "\tLimit new TCP connections per second per source IP" echononl "\tLimit new TCP connections per second per source IP"
if $limit_new_tcp_connections_per_seconds_per_source_IP ; then
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: " $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: "
fi fi
$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
echo_done echo_done
else
echo_skipped
fi
# --- # ---
@ -1920,6 +1944,33 @@ else
fi fi
# ---
# - Mattermost Service
# ---
echononl "\t\tMattermost (MM) Service"
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mm_server_ip_arr[@]} ; do
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
done
if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mm_server_ip_arr[@]} ; do
$ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
done
fi
fi
echo_done
else
echo_skipped
fi
# --- # ---
# - FTP out only" # - FTP out only"
# --- # ---