diff --git a/conf/default_ports.conf b/conf/default_ports.conf
new file mode 100644
index 0000000..91c2877
--- /dev/null
+++ b/conf/default_ports.conf
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+# -------------
+# --- Default Ports for Services out
+# -------------
+
+standard_checkmk_port=6556
+standard_cpan_wait_port=1404
+standard_cups_port=$standard_ipp_port
+standard_dns_port=53
+standard_ftp_port=21
+standard_ftp_data_port=20
+standard_git_port=9418
+standard_hbci_port=3000
+standard_http_port=80
+standard_https_port=443
+standard_ident_port=113
+standard_ipp_port=631
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_mumble_port=64738
+standard_munin_port=4949
+standard_mysql_port=3306
+standard_ntp_port=123
+standard_pgp_keyserver_port=11371
+standard_print_port=9100
+standard_print_raw_port=515
+standard_remote_console_port=5900
+standard_silc_port=706
+standard_smtp_port=25
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_ssh_port=22
+standard_telnet_port=23
+standard_tftp_udp_port=69
+standard_timeserver_port=37
+standard_vpn_port=1194
+standard_whois_port=43
+standard_xymon_port=1984
+
+# - IPsec - Internet Security Association and
+# - Key Management Protocol
+standard_isakmp_port=500
+standard_ipsec_nat_t=4500
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+
+
+# -------------
+# --- Predefined Ports
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+
+# -------------
+# --- Some IPv4-Address Configuration
+# -------------
+
+# - Loopback
+loopback_ipv4="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
+
+# -------------
+# --- Some IPv6-Address Configuration
+# -------------
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+
+# - Loopback
+loopback_ipv6="::1/128"
+
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index 728d644..b7d6c8b 100644
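Review bot: `standard_cups_port=$standard_ipp_port` is evaluated before `standard_ipp_port=631` is assigned nine lines further down, so in a fresh shell `standard_cups_port` is empty, and any rule that expands it unquoted ends up with no port argument and is rejected by ip(6)tables. Move the line below the ipp assignment or write it as `standard_cups_port=631`. `standard_ipsec_nat_t=4500` is the only entry without the `_port` suffix the rest of the file uses; `standard_ipsec_nat_t_port=4500` keeps the naming uniform (I cannot see any consumer of it in this diff). The header `# --- Default Ports for Services out` undersells the file, since the same variables feed INPUT and FORWARD rules in the firewall scripts; `# --- Default ports for services (used for inbound and outbound rules)` describes the contents better.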
--- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -10,6 +10,9 @@ # --- Prevent bridged traffic getting pushed through the host's iptables rules # ------------- +# - Prevent bridged traffic getting pushed through the +# - host's iptables rules +# - # - Note: Maybe youe have also to activate forwarding # - # - Set: kernel_activate_forwarding=true @@ -189,6 +192,13 @@ allow_local_service="" vpn_server_ips="" forward_vpn_server_ips="" +# - VPN Port(s) used by local Services +# - +# - blank separated list +# - +vpn_ports="$standard_vpn_port" + + # DHCP Server # # Comma seperated Interface list for DHCP services @@ -204,11 +214,25 @@ forward_dns_server_ips="" ssh_server_ips="" forward_ssh_server_ips="" +# - SSH Port(s) used by local Services +# - +# - comma separated list +# - +ssh_ports="$standard_ssh_port" + + # - HTTP(S) Server # - http_server_ips="" forward_http_server_ips="" +# - HTTP(S) Ports used by local Services +# - +# - comma separated list +# - +http_ports="$standard_http_ports" + + # - Mail SMTP Server # - smtpd_ips="" @@ -219,6 +243,13 @@ forward_smtpd_ips="" mail_server_ips="" forward_mail_server_ips="" +# - Client Ports used by local Mail Services +# - +# - comma separated list +# - +mail_user_ports="$standard_mailuser_ports" + + # - Mail Client (smtps/pop(s)/imap(s) # - mail_client_ips="" @@ -229,11 +260,25 @@ forward_mail_client_ips="" ftp_server_ips="" forward_ftp_server_ips="" +# - FTP passive port range use by local ftp service(s) +# - +# - example: ftp_passive_port_range="50000:50400" +# - +ftp_passive_port_range="50000:50400" + + # - Mumble Server # - mumble_server_ips="" forward_mumble_server_ips="" +# - Ports used by local Munmle Services +# - +# - comma separated list +# - +mumble_ports="$standard_mumble_port" + + # - TFTP Server # - # - NOT YET IMPLEMENTED 
@@ -245,6 +290,13 @@ tftp_server_ips="" munin_server_ips="" forward_munin_server_ips="" +# - Port used by clients hosted on this (local) Munin Services +# - +# - !! Only one port is possible !! +# - +munin_remote_port="$standard_munin_port" + + # - Remote Munin Server # - munin_remote_ip="138.201.33.54" @@ -257,6 +309,13 @@ munin_local_port="4949" xymon_server_ips="" local_xymon_client=false +# - Port used by local Xymon Services +# - +# - !! Only one port is possible !! +# - +xymon_port="$standard_xymon_port" + + # ------------- # - Protocols Out diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index fbde9a4..466fd01 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -205,6 +205,13 @@ allow_local_service="" vpn_server_ips="" forward_vpn_server_ips="" +# - VPN Port(s) used by local Services +# - +# - blank separated list +# - +vpn_ports="$standard_vpn_port" + + # DHCP Server # # Comma seperated Interface list for DHCP services @@ -220,11 +227,25 @@ forward_dns_server_ips="" ssh_server_ips="" forward_ssh_server_ips="" +# - SSH Port(s) used by local Services +# - +# - comma separated list +# - +ssh_ports="$standard_ssh_port" + + # - HTTP(S) Server # - http_server_ips="" forward_http_server_ips="" +# - HTTP(S) Ports used by local Services +# - +# - comma separated list +# - +http_ports="$standard_http_ports" + + # - Mail SMTP Server # - smtpd_ips="" @@ -235,6 +256,13 @@ forward_smtpd_ips="" mail_server_ips="" forward_mail_server_ips="" +# - Client Ports used by local Mail Services +# - +# - comma separated list +# - +mail_user_ports="$standard_mailuser_ports" + + # - Mail Client (smtps/pop(s)/imap(s) # - mail_client_ips="" 
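Review bot: The comment on the added `munin_remote_port` (ipv4 hunk `@@ -245,6 +290,13 @@`) reads `Port used by clients hosted on this (local) Munin Services`, yet the variable is named remote, sits directly above the `# - Remote Munin Server` section, and the next hunk's context still defines `munin_local_port="4949"` as a literal; a reader cannot tell which of the two the local node listens on. Either rename the variable to match the comment or reword the comment to describe the remote side, and consider expressing `munin_local_port="$standard_munin_port"` as well so default_ports.conf is the single place a port is changed. The IPv6 sample hunks on this line repeat the IPv4 text verbatim, including the `blank separated list` comment on `vpn_ports` that contradicts the `comma separated list` wording of its sibling variables.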
@@ -245,11 +273,25 @@ forward_mail_client_ips="" ftp_server_ips="" forward_ftp_server_ips="" +# - FTP passive port range use by local ftp service(s) +# - +# - example: ftp_passive_port_range="50000:50400" +# - +ftp_passive_port_range="50000:50400" + + # - Mumble Server # - mumble_server_ips="" forward_mumble_server_ips="" +# - Ports used by local Munmle Services +# - +# - comma separated list +# - +mumble_ports="$standard_mumble_port" + + # - TFTP Server # - # - NOT YET IMPLEMENTED @@ -261,6 +303,13 @@ tftp_server_ips="" munin_server_ips="" forward_munin_server_ips="" +# - Ports used by clients hosted on this (local) Munin Services +# - +# - !! Only one port is possible !! +# - +munin_remote_port="$standard_munin_port" + + # - Remote Munin Server # - munin_remote_ip="2a01:4f8:171:3493::54" @@ -273,6 +322,13 @@ munin_local_port="4949" xymon_server_ips="" local_xymon_client=false +# - Ports used by clients hosted on this (local) Munin Services +# - +# - !! Only one port is possible !! +# - +munin_remote_port="$standard_munin_port" + + # ------------- # - Protocols Out diff --git a/conf/ports.conf b/conf/ports.conf deleted file mode 100644 index 5ea02aa..0000000 --- a/conf/ports.conf +++ /dev/null 
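Review bot: The last IPv6 hunk (`@@ -273,6 +322,13 @@`, the Xymon section under `local_xymon_client=false`) adds a second `munin_remote_port="$standard_munin_port"` with the Munin comment instead of the Xymon port, so `xymon_port` is never defined in main_ipv6.conf.sample while the IPv4 sample sets `xymon_port="$standard_xymon_port"` at the same spot. Replace the block with `# - Port used by local Xymon Services`, `# - !! Only one port is possible !!`, `xymon_port="$standard_xymon_port"`. The ftp/mumble hunk on this line also carries the `Munmle` typo and `use by` → `used by`.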
@@ -1,79 +0,0 @@ -#!/usr/bin/env bash - - -# ------------- -# --- Define Ports for Services -# ------------- - -# - Web Server Ports -# - -http_ports="80,443" - -# - FTP Servers Passive Portrange -# - -ftp_passive_port_range="50000:50400" - -# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS) -# - -mail_user_ports="587,465,110,995,143,993" - -# - SSH Ports -# - -# - comma separated list -ssh_ports="22" - -# - VPN Service -vpn_ports="1194 1195" - -# - Mumble Server -# - -mumble_ports="64738" - -# - XyMon Service (usually TCP port 1984) -# - -# - NOT YET IMPLEMENTED -# - -xymon_port=1984 - -# - Munin Server Port (usually TCP port 4949) -# - -munin_remote_port="4949" - - -# ------------- -# --- Predefined Ports -# ------------- - -# - unpriviligierte Ports -# - -unprivports="1024:65535" - - -# ------------- -# --- Some IPv4-Address Configuration -# ------------- - -# - Loopback -loopback_ipv4="127.0.0.0/8" - -# - Private Networks -priv_class_a="10.0.0.0/8" -priv_class_b="172.16.0.0/12" -priv_class_c="192.168.0.0/16" - -# - Multicast Addresse -class_d_multicast="224.0.0.0/4" - -# Reserved Addresse -class_e_reserved="240.0.0.0/5" - - -# ------------- -# --- Some IPv6-Address Configuration -# ------------- - -# unique local address (ULA) - private address block -ula_block="fc00::/7" - -# - Loopback -loopback_ipv6="::1/128" diff --git a/ip6t-firewall-server b/ip6t-firewall-server index e297acb..e23b661 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -22,8 +22,8 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf" load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf conf_logging=${ipt_conf_dir}/logging_ipv6.conf -conf_ports=${ipt_conf_dir}/ports.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf +conf_default_ports=${ipt_conf_dir}/default_ports.conf conf_main=${ipt_conf_dir}/main_ipv6.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list" 
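Review bot: `conf_default_ports` replaces `conf_ports` in the ip6t-firewall-server hunk `@@ -22,8 +22,8 @@`, and ports.conf (deleted in this commit) was the file that defined `ssh_ports`, `http_ports`, `mail_user_ports`, `vpn_ports`, `mumble_ports`, `ftp_passive_port_range`, `xymon_port` and `munin_remote_port`; those now exist only in main_ipv6.conf.sample, so an installation whose main_ipv6.conf predates this change will build its rule set with those variables empty. An empty unquoted `$ssh_ports` in `-m multiport --dports $ssh_ports` leaves ip6tables with `--dports -m`, which it rejects, so the corresponding ACCEPT rules are missing — silently, unless the script checks the ip6tables exit status somewhere outside this hunk. Failing fast after the configs are sourced would surface the migration, e.g. `for _v in ssh_ports http_ports mail_user_ports vpn_ports; do [[ -n "${!_v}" ]] || fatal "'$_v' is not set - see main_ipv6.conf.sample"; done`. The same applies to ipt-firewall-server's `@@ -22,8 +22,8 @@` hunk.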
@@ -112,10 +112,10 @@ else source $conf_logging fi -if [[ ! -f "$conf_ports" ]]; then - fatal "Missing configuration for default_ports - file '$conf_ports'" +if [[ ! -f "$conf_default_ports" ]]; then + fatal "Missing configuration for default_ports - file '$conf_default_ports'" else - source $conf_ports + source $conf_default_ports fi if [[ ! -f "$conf_interfaces" ]]; then @@ -981,14 +981,14 @@ echononl "\t\tDNS out only" # - for _dev in ${ext_if_arr[@]} ; do # - out from local and virtual mashine(s) - $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) if $kernel_forward_between_interfaces ; then # - forward from virtual mashine(s) - $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT fi done 
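Review bot: After `source $conf_default_ports` nothing verifies that the names the rule hunks now depend on (`standard_dns_port` in the next hunk, `standard_ssh_port`, `standard_smtp_port`, `standard_ftp_port` and others further down) are actually set, and every use expands unquoted (`--dport $standard_dns_port`); with an older or hand-edited default_ports.conf a missing entry turns the rule into `--dport -m state …`, which ip6tables rejects, and only that one rule is lost. A guard right after the source, e.g. `: "${standard_dns_port:?missing in $conf_default_ports}"` for each port the script uses, or quoting as `--dport "$standard_dns_port"` so the error names the empty argument, makes the failure loud. The `source $conf_default_ports` line itself should be quoted, `source "$conf_default_ports"`, to match the `[[ ! -f "$conf_default_ports" ]]` test two lines above. The same comment applies to ipt-firewall-server's `@@ -112,10 +112,10 @@` hunk.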
@@ -1011,10 +1011,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # - $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT - $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT # Zonetransfer - $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT done fi @@ -1026,10 +1026,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # - $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT # Zonetransfer - $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT done fi echo_done 
@@ -1046,14 +1046,14 @@ echononl "\t\tSSH out only" # ausgehende Anfragen for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT fi done for _dev in ${local_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT done echo_done @@ -1169,9 +1169,9 @@ fi echononl "\t\tTelnet (only OUT)" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT fi done @@ -1185,9 +1185,9 @@ echo_done echononl "\t\tMySQL (only OUT)" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT fi done 
@@ -1247,9 +1247,9 @@ fi echononl "\t\tMail (SMTP OUT)" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT fi done @@ -1266,7 +1266,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then for _ip in ${smtpd_ips_arr[@]} ; do - $ip6t -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT @@ -1287,7 +1287,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_smtpd_ip_arr[@]} ; do - $ip6t -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT @@ -1379,9 +1379,9 @@ fi echononl "\t\tHTTP(S) out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT fi done 
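Review bot: The HTTP(S)-out hunk (`@@ -1379,9 +1379,9 @@`) switches the egress rule from the operator-configurable `$http_ports` to the fixed `$standard_http_ports`, so whoever widened outbound HTTP through ports.conf (e.g. an extra 8080) now has no knob, while `http_ports` in the new sample is documented as the local servers' ports; if that split is intended, a comment such as `# - outbound HTTP(S) always uses the standard ports; http_ports applies to local servers only` above the loop would record it. In the SMTP hunks on this line `--dport 2703` (Razor2) stays a literal next to the newly introduced `$standard_smtp_port`; a `standard_razor2_port=2703` entry in default_ports.conf would complete the migration. The same applies to ipt-firewall-server's hunks `@@ -1512,7 +1512,7 @@`, `@@ -1533,7 +1533,7 @@` and `@@ -1625,9 +1625,9 @@`.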
@@ -1422,7 +1422,7 @@ echononl "\t\tFTP out only (using CT target)" # - (Re)define helper # - -$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp +$ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp # - Used for different ftpdata recent lists 'ftp6data_out_$j' # - @@ -1434,7 +1434,7 @@ for _dev in ${ext_if_arr[@]} ; do # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. # - - $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \ + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \ -m recent --name ftp6data_out_$j --rdest --set -j ACCEPT # - (2) @@ -1463,18 +1463,18 @@ echo_done # #for _dev in ${ext_if_arr[@]} ; do # # (Datenkanal aktiv) -# $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# $ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # # (Datenkanal passiv) # $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # # (Kontrollverbindung) -# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT # if $kernel_forward_between_interfaces ; then # # (Datenkanal aktiv) -# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # # (Datenkanal passiv) # $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # # (Kontrollverbindung) -# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT # fi #done # 
@@ -1499,7 +1499,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - for both, local FTP server (ftp_server_ip_arr) # - and forward to FTP server (forward_ftp_server_ip_arr) # - - $ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + $ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then @@ -1561,7 +1561,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - - $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT + $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT # - (2) # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the 
@@ -1598,22 +1598,22 @@ fi # if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then # for _ip in ${ftp_server_ip_arr[@]} ; do # # (Datenkanal aktiv) -# $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # # Datenkanal (passiver modus) # $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT # # - Kontrollverbindung -# $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT +# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT # done # fi # # if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then # for _ip in ${forward_ftp_server_ip_arr[@]} ; do # # (Datenkanal aktiv) -# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT +# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # # Datenkanal (passiver modus) # $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT # # - Kontrollverbindung -# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT +# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT # done # fi # @@ -1658,9 +1658,9 @@ fi echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT fi done 
@@ -1674,11 +1674,11 @@ echo_done echononl "\t\tNTP out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT fi done @@ -1692,9 +1692,9 @@ echo_done echononl "\t\tWhois out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT fi done @@ -1708,9 +1708,9 @@ echo_done echononl "\t\tGIT out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT fi done diff --git a/ipt-firewall-server b/ipt-firewall-server index 6190082..0cac96b 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server 
@@ -22,8 +22,8 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf" load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf conf_logging=${ipt_conf_dir}/logging_ipv4.conf -conf_ports=${ipt_conf_dir}/ports.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf +conf_default_ports=${ipt_conf_dir}/default_ports.conf conf_main=${ipt_conf_dir}/main_ipv4.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list" @@ -112,10 +112,10 @@ else source $conf_logging fi -if [[ ! -f "$conf_ports" ]]; then - fatal "Missing configuration for default_ports - file '$conf_ports'" +if [[ ! -f "$conf_default_ports" ]]; then + fatal "Missing configuration for default_ports - file '$conf_default_ports'" else - source $conf_ports + source $conf_default_ports fi if [[ ! -f "$conf_interfaces" ]]; then @@ -1225,14 +1225,14 @@ echononl "\t\tDNS out only" # - for _dev in ${ext_if_arr[@]} ; do # - out from local and virtual mashine(s) - $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) if $kernel_activate_forwarding ; then # - forward from virtual mashine(s) - $ipt -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT fi done 
@@ -1255,10 +1255,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # - $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT - $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT # Zonetransfer - $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT done fi @@ -1270,10 +1270,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # - $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT # Zonetransfer - $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT done fi echo_done 
@@ -1290,14 +1290,14 @@ echononl "\t\tSSH out only" # ausgehende Anfragen for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT fi done for _dev in ${local_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT done echo_done @@ -1415,9 +1415,9 @@ fi echononl "\t\tTelnet (only OUT)" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT fi done @@ -1431,9 +1431,9 @@ echo_done echononl "\t\tMySQL (only OUT)" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT fi done 
@@ -1493,9 +1493,9 @@ fi echononl "\t\tMail (SMTP OUT)" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT fi done @@ -1512,7 +1512,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then for _ip in ${smtpd_ips_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT @@ -1533,7 +1533,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_smtpd_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT @@ -1625,9 +1625,9 @@ fi echononl "\t\tHTTP(S) out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT fi done 
@@ -1668,7 +1668,7 @@ echononl "\t\tFTP out only (using CT target)" # - (Re)define helper # - -$ipt -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp +$ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp # - Used for different ftpdata recent lists 'ftpdata_out_$j' # - @@ -1680,7 +1680,7 @@ for _dev in ${ext_if_arr[@]} ; do # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. # - - $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \ + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \ -m recent --name ftpdata_out_$j --rdest --set -j ACCEPT # - (2) @@ -1709,18 +1709,18 @@ echo_done # #for _dev in ${ext_if_arr[@]} ; do # # (Datenkanal aktiv) -# $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # # (Datenkanal passiv) # $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # # (Kontrollverbindung) -# $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT # if $kernel_activate_forwarding ; then # # (Datenkanal aktiv) -# $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT # # (Datenkanal passiv) # $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # # (Kontrollverbindung) -# $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT # fi #done # 
@@ -1744,7 +1744,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - for both, local FTP server (ftp_server_ip_arr) # - and forward to FTP server (forward_ftp_server_ip_arr) # - - $ipt -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp + $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then @@ -1765,7 +1765,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - - $ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT + $ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT # - (2) # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the @@ -1806,7 +1806,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - - $ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT + $ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT # - (2) # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the 
@@ -1842,22 +1842,22 @@ fi
#
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
-# $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
+# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
-# $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
-# $ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
+# $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
-# $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
@@ -1902,9 +1902,9 @@ fi
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
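Review bot: The first `(Datenkanal aktiv)` replacement in the hunk at 1842 reads `--sport $standard_ftp_data_port20`, so the old literal `20` was appended to the variable name instead of being replaced; bash expands the unset `standard_ftp_data_port20` to nothing, while the matching FORWARD rule further down uses the intended `$standard_ftp_data_port`. The line is commented out today, but anyone re-enabling this legacy block gets a rule with an empty `--sport`, so it should read `# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT`. In the hunk at 1902 the label `Timeserver (Port 37 NOT NTP!)` still hard-codes the number that the rule now takes from `$standard_timeserver_port`; `echononl "\t\tTimeserver (Port $standard_timeserver_port NOT NTP!) out only"` keeps the message from drifting away from the rule it describes.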
@@ -1918,11 +1918,11 @@ echo_done
echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
- $ipt -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
- $ipt -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@@ -1936,9 +1936,9 @@ echo_done
echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
@@ -1952,9 +1952,9 @@ echo_done
echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
- $ipt -A OUTPUT -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
- $ipt -A FORWARD -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
