Add file 'conf/default_ports.conf'. Remove file 'conf/ports.conf'.

This commit is contained in:
Christoph 2019-06-30 15:29:07 +02:00
parent b3347d273d
commit 57d09ba98d
6 changed files with 304 additions and 178 deletions

90
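--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
+#!/usr/bin/env bash
+# -------------
+# --- Default Ports for Services out
+# -------------
+standard_checkmk_port=6556
+standard_cpan_wait_port=1404
+standard_cups_port=$standard_ipp_port
+standard_dns_port=53
+standard_ftp_port=21
+standard_ftp_data_port=20
+standard_git_port=9418
+standard_hbci_port=3000
+standard_http_port=80
+standard_https_port=443
+standard_ident_port=113
+standard_ipp_port=631
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_mumble_port=64738
+standard_munin_port=4949
+standard_mysql_port=3306
+standard_ntp_port=123
+standard_pgp_keyserver_port=11371
+standard_print_port=9100
+standard_print_raw_port=515
+standard_remote_console_port=5900
+standard_silc_port=706
+standard_smtp_port=25
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_ssh_port=22
+standard_telnet_port=23
+standard_tftp_udp_port=69
+standard_timeserver_port=37
+standard_vpn_port=1194
+standard_whois_port=43
+standard_xymon_port=1984
+# - IPsec - Internet Security Association and
+# - Key Management Protocol
+standard_isakmp_port=500
+standard_ipsec_nat_t=4500
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+# -------------
+# --- Predefined Ports
+# -------------
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+# -------------
+# --- Some IPv4-Address Configuration
+# -------------
+# - Loopback
+loopback_ipv4="127.0.0.0/8"
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+# -------------
+# --- Some IPv6-Address Configuration
+# -------------
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+# - Loopback
+loopback_ipv6="::1/128"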
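Review bot: `standard_cups_port=$standard_ipp_port` near the top of the file is evaluated before `standard_ipp_port=631` is assigned further down, so after this file is sourced `standard_cups_port` is empty rather than 631. Any rule that later expands it as `--dport $standard_cups_port` would hand iptables the following option as the port value, which iptables is likely to reject, and that rule would then be silently missing from the ruleset. Move the line below the IPP definition or spell the value out: `standard_cups_port=631`. As a smaller point, `standard_ipsec_nat_t=4500` is the one entry without the `_port` suffix the rest of the file uses, which makes a mistyped consumer harder to spot.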


@ -10,6 +10,9 @@
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
# - Prevent bridged traffic getting pushed through the
# - host's iptables rules
# -
# - Note: Maybe youe have also to activate forwarding
# -
# - Set: kernel_activate_forwarding=true
@ -189,6 +192,13 @@ allow_local_service=""
vpn_server_ips=""
forward_vpn_server_ips=""
# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"
# DHCP Server
#
# Comma seperated Interface list for DHCP services
@ -204,11 +214,25 @@ forward_dns_server_ips=""
ssh_server_ips=""
forward_ssh_server_ips=""
# - SSH Port(s) used by local Services
# -
# - comma separated list
# -
ssh_ports="$standard_ssh_port"
# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""
# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"
# - Mail SMTP Server
# -
smtpd_ips=""
@ -219,6 +243,13 @@ forward_smtpd_ips=""
mail_server_ips=""
forward_mail_server_ips=""
# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
# - Mail Client (smtps/pop(s)/imap(s)
# -
mail_client_ips=""
@ -229,11 +260,25 @@ forward_mail_client_ips=""
ftp_server_ips=""
forward_ftp_server_ips=""
# - FTP passive port range use by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"
# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""
# - Ports used by local Munmle Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
# - TFTP Server
# -
# - NOT YET IMPLEMENTED
@ -245,6 +290,13 @@ tftp_server_ips=""
munin_server_ips=""
forward_munin_server_ips=""
# - Port used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
# - Remote Munin Server
# -
munin_remote_ip="138.201.33.54"
@ -257,6 +309,13 @@ munin_local_port="4949"
xymon_server_ips=""
local_xymon_client=false
# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"
# -------------
# - Protocols Out
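Review bot: The new defaults such as `vpn_ports="$standard_vpn_port"` and `ssh_ports="$standard_ssh_port"` only work if conf/default_ports.conf has been sourced before this file; the script hunks further down source it right after the logging config, but the point at which this file itself is sourced is not visible here, and an unset `standard_*` variable expands to an empty port list without any error. A guard that fails loudly would make the dependency explicit, e.g. `vpn_ports="${standard_vpn_port:?conf/default_ports.conf must be sourced first}"`. Note also that the removed conf/ports.conf carried `vpn_ports="1194 1195"`, while the default here is the single `standard_vpn_port` (1194); if 1195 was in use anywhere, this commit drops it silently, so please confirm that is intended. The same remarks apply to the IPv6 variant of this file in the next section.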


@ -205,6 +205,13 @@ allow_local_service=""
vpn_server_ips=""
forward_vpn_server_ips=""
# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"
# DHCP Server
#
# Comma seperated Interface list for DHCP services
@ -220,11 +227,25 @@ forward_dns_server_ips=""
ssh_server_ips=""
forward_ssh_server_ips=""
# - SSH Port(s) used by local Services
# -
# - comma separated list
# -
ssh_ports="$standard_ssh_port"
# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""
# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"
# - Mail SMTP Server
# -
smtpd_ips=""
@ -235,6 +256,13 @@ forward_smtpd_ips=""
mail_server_ips=""
forward_mail_server_ips=""
# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
# - Mail Client (smtps/pop(s)/imap(s)
# -
mail_client_ips=""
@ -245,11 +273,25 @@ forward_mail_client_ips=""
ftp_server_ips=""
forward_ftp_server_ips=""
# - FTP passive port range use by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"
# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""
# - Ports used by local Munmle Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
# - TFTP Server
# -
# - NOT YET IMPLEMENTED
@ -261,6 +303,13 @@ tftp_server_ips=""
munin_server_ips=""
forward_munin_server_ips=""
# - Ports used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
# - Remote Munin Server
# -
munin_remote_ip="2a01:4f8:171:3493::54"
@ -273,6 +322,13 @@ munin_local_port="4949"
xymon_server_ips=""
local_xymon_client=false
# - Ports used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
# -------------
# - Protocols Out
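Review bot: The last hunk (`@ -273,6 +322,13`) of the Xymon block assigns `munin_remote_port="$standard_munin_port"` under a comment about Munin, which looks like a copy-paste of the preceding Munin hunk; the IPv4 counterpart of the same block sets `xymon_port="$standard_xymon_port"`. As written, `munin_remote_port` is merely assigned the same value twice and `xymon_port` is, as far as this section shows, never defined for the IPv6 rules. Suggested lines: `# - Port used by local Xymon Services` and `xymon_port="$standard_xymon_port"`.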

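--- a/conf/ports.conf
+++ b/conf/ports.conf
-#!/usr/bin/env bash
-# -------------
-# --- Define Ports for Services
-# -------------
-# - Web Server Ports
-# -
-http_ports="80,443"
-# - FTP Servers Passive Portrange
-# -
-ftp_passive_port_range="50000:50400"
-# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
-# -
-mail_user_ports="587,465,110,995,143,993"
-# - SSH Ports
-# -
-# - comma separated list
-ssh_ports="22"
-# - VPN Service
-vpn_ports="1194 1195"
-# - Mumble Server
-# -
-mumble_ports="64738"
-# - XyMon Service (usually TCP port 1984)
-# -
-# - NOT YET IMPLEMENTED
-# -
-xymon_port=1984
-# - Munin Server Port (usually TCP port 4949)
-# -
-munin_remote_port="4949"
-# -------------
-# --- Predefined Ports
-# -------------
-# - unpriviligierte Ports
-# -
-unprivports="1024:65535"
-# -------------
-# --- Some IPv4-Address Configuration
-# -------------
-# - Loopback
-loopback_ipv4="127.0.0.0/8"
-# - Private Networks
-priv_class_a="10.0.0.0/8"
-priv_class_b="172.16.0.0/12"
-priv_class_c="192.168.0.0/16"
-# - Multicast Addresse
-class_d_multicast="224.0.0.0/4"
-# Reserved Addresse
-class_e_reserved="240.0.0.0/5"
-# -------------
-# --- Some IPv6-Address Configuration
-# -------------
-# unique local address (ULA) - private address block
-ula_block="fc00::/7"
-# - Loopback
-loopback_ipv6="::1/128"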


@ -22,8 +22,8 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_ports=${ipt_conf_dir}/ports.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"
@ -112,10 +112,10 @@ else
source $conf_logging
fi
if [[ ! -f "$conf_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_ports'"
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_ports
source $conf_default_ports
fi
if [[ ! -f "$conf_interfaces" ]]; then
@ -981,14 +981,14 @@ echononl "\t\tDNS out only"
# -
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
if $kernel_forward_between_interfaces ; then
# - forward from virtual mashine(s)
$ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
fi
done
@ -1011,10 +1011,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
@ -1026,10 +1026,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
echo_done
@ -1046,14 +1046,14 @@ echononl "\t\tSSH out only"
# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
fi
done
for _dev in ${local_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
done
echo_done
@ -1169,9 +1169,9 @@ fi
echononl "\t\tTelnet (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
fi
done
@ -1185,9 +1185,9 @@ echo_done
echononl "\t\tMySQL (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
fi
done
@ -1247,9 +1247,9 @@ fi
echononl "\t\tMail (SMTP OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
fi
done
@ -1266,7 +1266,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
for _ip in ${smtpd_ips_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
@ -1287,7 +1287,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_smtpd_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
@ -1379,9 +1379,9 @@ fi
echononl "\t\tHTTP(S) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
fi
done
@ -1422,7 +1422,7 @@ echononl "\t\tFTP out only (using CT target)"
# - (Re)define helper
# -
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
$ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
# - Used for different ftpdata recent lists 'ftp6data_out_$j'
# -
@ -1434,7 +1434,7 @@ for _dev in ${ext_if_arr[@]} ; do
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
# -
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
-m recent --name ftp6data_out_$j --rdest --set -j ACCEPT
# - (2)
@ -1463,18 +1463,18 @@ echo_done
#
#for _dev in ${ext_if_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# if $kernel_forward_between_interfaces ; then
# # (Datenkanal aktiv)
# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# fi
#done
#
@ -1499,7 +1499,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
@ -1561,7 +1561,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# -
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
@ -1598,22 +1598,22 @@ fi
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
@ -1658,9 +1658,9 @@ fi
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
@ -1674,11 +1674,11 @@ echo_done
echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@ -1692,9 +1692,9 @@ echo_done
echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
@ -1708,9 +1708,9 @@ echo_done
echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
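Review bot: After `source $conf_default_ports` in the `@ -112,10 +112,10` hunk nothing checks that the `standard_*` variables the rest of the script now depends on were actually set; an unset one (a typo in the config file is enough) expands to nothing, so `--dport $standard_dns_port` becomes `--dport -m` and that rule is lost while the script carries on. A one-line assertion per variable in use, placed after the `fi`, catches this at startup: `: "${standard_dns_port:?not set by $conf_default_ports}"`. The same source line is unquoted while the `-f` test just above it quotes the variable; `source "$conf_default_ports"` keeps the two consistent. The DNS/SSH/FTP loops in the later hunks are only partially shown, so their enclosing blocks are not reviewed here; this note applies equally to the IPv4 script in the next section.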


@ -22,8 +22,8 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_ports=${ipt_conf_dir}/ports.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
@ -112,10 +112,10 @@ else
source $conf_logging
fi
if [[ ! -f "$conf_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_ports'"
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_ports
source $conf_default_ports
fi
if [[ ! -f "$conf_interfaces" ]]; then
@ -1225,14 +1225,14 @@ echononl "\t\tDNS out only"
# -
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ipt -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
if $kernel_activate_forwarding ; then
# - forward from virtual mashine(s)
$ipt -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
fi
done
@ -1255,10 +1255,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
@ -1270,10 +1270,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
echo_done
@ -1290,14 +1290,14 @@ echononl "\t\tSSH out only"
# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
fi
done
for _dev in ${local_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
done
echo_done
@ -1415,9 +1415,9 @@ fi
echononl "\t\tTelnet (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
fi
done
@ -1431,9 +1431,9 @@ echo_done
echononl "\t\tMySQL (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
fi
done
@ -1493,9 +1493,9 @@ fi
echononl "\t\tMail (SMTP OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
fi
done
@ -1512,7 +1512,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
for _ip in ${smtpd_ips_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
@ -1533,7 +1533,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_smtpd_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
@ -1625,9 +1625,9 @@ fi
echononl "\t\tHTTP(S) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
fi
done
@ -1668,7 +1668,7 @@ echononl "\t\tFTP out only (using CT target)"
# - (Re)define helper
# -
$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
$ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
# - Used for different ftpdata recent lists 'ftpdata_out_$j'
# -
@ -1680,7 +1680,7 @@ for _dev in ${ext_if_arr[@]} ; do
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
# -
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
-m recent --name ftpdata_out_$j --rdest --set -j ACCEPT
# - (2)
@ -1709,18 +1709,18 @@ echo_done
#
#for _dev in ${ext_if_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# if $kernel_activate_forwarding ; then
# # (Datenkanal aktiv)
# $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# fi
#done
#
@ -1744,7 +1744,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
$ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
@ -1765,7 +1765,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# -
$ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
$ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
@ -1806,7 +1806,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# -
$ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
$ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
@ -1842,22 +1842,22 @@ fi
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
@ -1902,9 +1902,9 @@ fi
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
@ -1918,11 +1918,11 @@ echo_done
echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@ -1936,9 +1936,9 @@ echo_done
echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
@ -1952,9 +1952,9 @@ echo_done
echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
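Review bot: In the `@ -1842,22 +1842,22` hunk the line `# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT` has the old literal `20` glued onto the variable name, so bash would read `$standard_ftp_data_port20` as a separate, unset variable and the `--sport` argument would vanish; the IPv6 script has the corresponding line correct. The block is commented out today, so nothing breaks now, but it is exactly the line that gets re-enabled when active-mode FTP is wanted. Change it to `# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT`. The commented loop it belongs to continues outside the hunk.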