From 4967e6549d1d66303114eb213442ec750e7bc57a Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 7 Mar 2019 19:31:12 +0100
Subject: [PATCH] New: allow_all_outgoing_traffic (true/false)

---
 conf/load_modules_ipv4.conf | 2 +-
 conf/load_modules_ipv6.conf | 3 ++
 conf/main_ipv4.conf.sample | 90 +++++++++++++++++++++----------------
 conf/main_ipv6.conf.sample | 11 +++++
 ip6t-firewall-server | 17 +++++++
 ipt-firewall-server | 23 ++++++++++
 6 files changed, 106 insertions(+), 40 deletions(-)

diff --git a/conf/load_modules_ipv4.conf b/conf/load_modules_ipv4.conf
index 669d836..b1b9e5b 100644
--- a/conf/load_modules_ipv4.conf
+++ b/conf/load_modules_ipv4.conf
@@ -55,5 +55,5 @@ nf_nat_ftp
 # - Note:
 # - netfilter userspace logging daemon (ulogd/ulogd2) is required
 # -
-nf_log
+nf_log_common
 nf_log_ipv4
diff --git a/conf/load_modules_ipv6.conf b/conf/load_modules_ipv6.conf
index 2c55689..675a88a 100644
--- a/conf/load_modules_ipv6.conf
+++ b/conf/load_modules_ipv6.conf
@@ -7,3 +7,6 @@ ip6table_filter
 ip6t_REJECT
 ip6table_mangle
+
+nf_log_common
+nf_log_ipv6
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index f6d6d3a..95cdf6c 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -5,6 +5,46 @@ ## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
 ## ----------------------------------------------------------------
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Web Server Ports
+# -
+http_ports="80,443"
+
+# - FTP Servers Passive Portrange
+# -
+ftp_passive_port_range="50000:50400"
+
+# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
+# -
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
 # -------------
 # --- Prevent bridged traffic getting pushed through the host's iptables rules
 # -------------
@@ -16,6 +56,17 @@ do_not_firewall_bridged_traffic=false
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+
+# - unprotected_ifs
+# -
+# - Posiible values are 'true' and 'false'
+# -
+allow_all_outgoing_traffic=false
+
+
 # -------------
 # --- Interfaces completly blocked
 # -------------
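Review bot: The comment block that introduces the new switch in the second hunk (`@@ -16,6 +56,17 @@`) is headed `# - unprotected_ifs`, the name of a different setting, so a reader of the sample config is not told what allow_all_outgoing_traffic actually does; the same lines recur in conf/main_ipv6.conf.sample and are pasted once more into ipt-firewall-server. Replace the heading with a comment naming the option and its effect, e.g. `# - allow_all_outgoing_traffic` / `# - Accept all NEW connections leaving via the external interfaces (and forwarded ones when forwarding is enabled)`, and correct `Posiible` to `Possible`. The first hunk only moves the port definitions up and needs nothing.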
@@ -58,45 +109,6 @@ unprotected_ifs=""
 forward_private_ips=""
-# -------------
-# --- Define Ports for Services
-# -------------
-
-# - Web Server Ports
-# -
-http_ports="80,443"
-
-# - FTP Servers Passive Portrange
-# -
-ftp_passive_port_range="50000:50400"
-
-# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
-# -
-mail_user_ports="587,465,110,995,143,993"
-
-# - SSH Ports
-# -
-# - comma separated list
-ssh_ports="22"
-
-# - VPN Service
-vpn_ports="1194 1195"
-
-# - Mumble Server
-# -
-mumble_ports="64738"
-
-# - XyMon Service (usually TCP port 1984)
-# -
-# - NOT YET IMPLEMENTED
-# -
-xymon_port=1984
-
-# - Munin Server Port (usually TCP port 4949)
-# -
-munin_remote_port="4949"
-
-
 # -------------
 # ---- Restrict local Servive to given (extern) IP-Address/Network
 # -------------
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 8f03723..c02d9ee 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -35,6 +35,17 @@ loopback="::1/128"
 do_not_firewall_bridged_traffic=false
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+
+# - unprotected_ifs
+# -
+# - Posiible values are 'true' and 'false'
+# -
+allow_all_outgoing_traffic=false
+
+
 # -------------
 # --- Interfaces completly blocked
 # -------------
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 4009a1c..0613a2a 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -780,6 +780,23 @@ fi
 echo_done
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+echononl "\tAllow all outgoing traffic.."
+if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ip6t -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_forward_between_interfaces ; then
+ $ip6t -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Permit all traffic through VPN lines
 # ---
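Review bot: In the new `if` line of the ip6t-firewall-server hunk the configured value is executed as a command (`&& $allow_all_outgoing_traffic`), so any spelling other than the literal words true/false — `yes`, `True`, a trailing space — makes the shell look up that name as a program and the resulting "command not found" is the only hint that the rule block was silently skipped. Compare the string instead, `if [[ "${allow_all_outgoing_traffic:-false}" == true ]] ; then`, which also makes the preceding `-n` test unnecessary, and quote the expansions (`for _dev in "${ext_if_arr[@]}" ; do`, `-o "$_dev"`) so an interface name can never word-split or glob. Note also that the FORWARD rule has no `-s`/`-i` match, so subject to whatever precedes it in the chain it accepts every NEW connection leaving via the external interface from any forwarded source, not just the host's own traffic; that is broader than the option name suggests and deserves a sentence in the config sample. The ipt-firewall-server hunk shares all of this and additionally tests `$kernel_activate_forwarding` where this script tests `$kernel_forward_between_interfaces` — presumably each script's own variable, but worth confirming.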
diff --git a/ipt-firewall-server b/ipt-firewall-server
index 18d628a..1f643fc 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -1016,6 +1016,29 @@ fi
 echo_done
+# -------------
+# --- Allow all outgoing traffic
+# -------------
+echononl "\tAllow all outgoing traffic.."
+if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+# - unprotected_ifs
+# -
+# - Posiible values are 'true' and 'false'
+# -
+allow_all_outgoing_traffic=false
+
+
 # ---
 # - Permit all traffic through VPN lines
 # ---
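Review bot: The six lines after the new `fi` (`# - unprotected_ifs` through `allow_all_outgoing_traffic=false`) are the config-sample comment block pasted into the script itself, and the assignment resets the option to false inside ipt-firewall-server right after it has been evaluated, so any later read of the variable in this file would see the wrong value and a reader would take the option for hard-wired off. Delete those six lines; the setting belongs only in conf/main_ipv4.conf.sample, which this commit already updates. The script continues beyond the hunk, so whether the variable is consulted again further down cannot be checked from here.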