firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add file 'conf/default_ports.conf'. Remove file 'conf/ports.conf'.

Browse Source
This commit is contained in:
Christoph
2019-06-30 15:29:07 +02:00
parent b3347d273d
commit 57d09ba98d
6 changed files with 304 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
ip6t-firewall-server
View File

@ -22,8 +22,8 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_ports=${ipt_conf_dir}/ports.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"
@ -112,10 +112,10 @@ else
source $conf_logging
fi
if [[ ! -f "$conf_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_ports'"
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_ports
source $conf_default_ports
fi
if [[ ! -f "$conf_interfaces" ]]; then
@ -981,14 +981,14 @@ echononl "\t\tDNS out only"
# -
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
if $kernel_forward_between_interfaces ; then
# - forward from virtual mashine(s)
$ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
fi
done
@ -1011,10 +1011,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
@ -1026,10 +1026,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
echo_done
@ -1046,14 +1046,14 @@ echononl "\t\tSSH out only"
# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
fi
done
for _dev in ${local_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
done
echo_done
@ -1169,9 +1169,9 @@ fi
echononl "\t\tTelnet (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
fi
done
@ -1185,9 +1185,9 @@ echo_done
echononl "\t\tMySQL (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
fi
done
@ -1247,9 +1247,9 @@ fi
echononl "\t\tMail (SMTP OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
fi
done
@ -1266,7 +1266,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
for _ip in ${smtpd_ips_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
@ -1287,7 +1287,7 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_smtpd_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
@ -1379,9 +1379,9 @@ fi
echononl "\t\tHTTP(S) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
fi
done
@ -1422,7 +1422,7 @@ echononl "\t\tFTP out only (using CT target)"
# - (Re)define helper
# -
$ip6t -A OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp
$ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
# - Used for different ftpdata recent lists 'ftp6data_out_$j'
# -
@ -1434,7 +1434,7 @@ for _dev in ${ext_if_arr[@]} ; do
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
# -
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW \
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
-m recent --name ftp6data_out_$j --rdest --set -j ACCEPT
# - (2)
@ -1463,18 +1463,18 @@ echo_done
#
#for _dev in ${ext_if_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# if $kernel_forward_between_interfaces ; then
# # (Datenkanal aktiv)
# $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# fi
#done
#
@ -1499,7 +1499,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ip6t -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
@ -1561,7 +1561,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# -
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
$ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
@ -1598,22 +1598,22 @@ fi
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
@ -1658,9 +1658,9 @@ fi
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
@ -1674,11 +1674,11 @@ echo_done
echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@ -1692,9 +1692,9 @@ echo_done
echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
@ -1708,9 +1708,9 @@ echo_done
echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 9418 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done