diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 2c64e29..0c104d5 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -12,10 +12,6 @@ CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-server.conf -if [[ -z "$fail2ban_client" ]]; then - fail2ban_client="$(which fail2ban-client)" -fi - # ------------- Load Kernel Modules ------------- # @@ -102,9 +98,9 @@ fi # if ! $host_is_vm # ------------- Stop Fail2Ban if installed ------------- # -if [ -x "$fail2ban_client" ]; then +if [ -x "$fail2ban_init_script" ]; then echononl "\tStopping fail2ban.." - $fail2ban_client stop > /dev/null 2>&1 + $fail2ban_init_script stop > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else 
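Review bot: With the `which fail2ban-client` fallback removed in the first hunk, `if [ -x "$fail2ban_init_script" ]` now silently skips the stop whenever the config file does not define `fail2ban_init_script`, so on an install with an older config fail2ban keeps running while this script rebuilds the ruleset and, assuming the script flushes the chains before re-adding them as the rest of it suggests, fail2ban's own rules disappear without it noticing. Either keep a default after the config is sourced, `fail2ban_init_script="${fail2ban_init_script:-$(command -v fail2ban-client 2>/dev/null)}"`, or emit a warning when the variable is empty but fail2ban is installed. The invocation should also be quoted, `"$fail2ban_init_script" stop > /dev/null 2>&1`, since the value now comes straight from a config file. The `if`/`else` block continues past the end of the hunk.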
@@ -531,39 +527,20 @@ fi echo_done -# --- -# - VPN -# --- +# --- +# - Permit all traffic through VPN lines +# --- echononl "\tPermit all traffic through VPN lines.." -if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then - if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then - for _ip in ${vpn_server_ip_arr[@]} ; do - for _port in ${vpn_port_arr[@]} ; do - $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT - done - done - - for _vpn_if in ${vpn_if_arr[@]} ; do - $ip6t -A INPUT -i $_vpn_if -j ACCEPT - $ip6t -A OUTPUT -o $_vpn_if -j ACCEPT - if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_vpn_if -j ACCEPT - $ip6t -A FORWARD -o $_vpn_if -j ACCEPT - fi - done +for _vpn_if in ${vpn_if_arr[@]} ; do + $ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_vpn_if -j ACCEPT + $ip6t -A FORWARD -o $_vpn_if -j ACCEPT fi - - if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then - for _ip in ${forward_vpn_server_ip_arr[@]} ; do - $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT - done - fi - - echo_done -else - echo_skipped -fi +done +echo_done echo 
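Review bot: The `-m conntrack --ctstate NEW` added to the INPUT and OUTPUT rules for `$_vpn_if` does not tighten anything by itself — together with the ESTABLISHED,RELATED accept that a ruleset like this presumably installs earlier (not visible here) the same flows pass as with the unconditional accept it replaces, only INVALID packets are now excluded — while the two FORWARD rules in the same loop stay unconditional, so anything forwarded into or out of the VPN interface is still accepted in any state. If the intent is that every accept on the VPN lines is state-aware, apply the same match there, `$ip6t -A FORWARD -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT` and `$ip6t -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT`; if FORWARD is meant to differ, a one-line comment saying why would spare the next reader the question. Note also that the rest of the file matches state with `-m state --state NEW` (the rules moved to the later VPN section still use it), and mixing both modules in one script reads as an accident. The loop now also runs with an empty `vpn_if_arr` and reports `echo_done` where the old block reported `echo_skipped`.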
@@ -779,6 +756,46 @@ else fi +# --- +# - VPN +# --- + +echononl "\t\tVPN Service only out" +if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + +echononl "\t\tVPN Services.." +if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${vpn_server_ip_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_vpn_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + # --- # - Rsync Out # --- @@ -1213,7 +1230,7 @@ echononl "\t\tSpecial TCP Ports OUT" if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then - if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do @@ -1364,10 +1381,10 @@ echo_done # ------------- Start Fail2Ban if installed # ------------- -if [ -x "$fail2ban_client" ]; then +if [ -x "$fail2ban_init_script" ]; then echo echononl "\tStarting fail2ban.." - $fail2ban_client start > /dev/null 2>&1 + $fail2ban_init_script start > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else diff --git a/ipt-firewall-server b/ipt-firewall-server index 20b24cd..48378e8 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server 
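Review bot: In the new `VPN Services..` section the `forward_vpn_server_ip_arr` loop uses `$_port` without iterating `vpn_port_arr`, so the FORWARD rule gets whatever value `_port` last held — the last port of the loop above when `vpn_server_ip_arr` is non-empty, otherwise a stale value from an earlier section, possibly empty, which would make ip6tables reject the rule — and at most one port is ever opened for forwarding. The IPv4 script in this same commit nests the port loop inside that block; do the same here: `for _port in ${vpn_port_arr[@]} ; do`, `$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT`, `done`. While at it, `echononl "\t\tVPN Service only out"` lacks the trailing `..` every other label in the file carries.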
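Review bot: The inner guard in the `Special TCP Ports OUT` section now tests `forward_tcp_out_port_arr` while the loop it guards still iterates `tcp_out_port_arr` on the following context lines, so the OUTPUT rules for the configured outbound TCP ports are no longer installed when only `tcp_out_port_arr` is set, and the loop runs over an empty array when only the forward list is set. Unless the loop body beyond the hunk was changed to the forward array as well, this looks like the wrong `if` was edited and should read `if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then` as before. The enclosing block starts and ends outside the hunk.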
@@ -10,12 +10,7 @@ # Short-Description: IPv4 Firewall ### END INIT INFO -CONFIG_DIR="/etc/ipt-firewall" -CONFIG_FILE="${CONFIG_DIR}/ipt-firewall-server.conf" - -if [[ -z "$fail2ban_client" ]]; then - fail2ban_client="$(which fail2ban-client)" -fi +CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-server.conf # ------------- Load Kernel Modules ------------- @@ -182,9 +177,9 @@ fi # ------------- Stop Fail2Ban if installed ------------- # -if [ -x "$fail2ban_client" ]; then +if [ -x "$fail2ban_init_script" ]; then echononl "\tStopping fail2ban.." - $fail2ban_client stop > /dev/null 2>&1 + $fail2ban_init_script stop > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else 
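Review bot: Dropping the `which fail2ban-client` fallback makes `fail2ban_init_script` a required setting in `ipt-firewall-server.conf`, but nothing in the hunk checks that it is set: with an unchanged config file the stop/start blocks later in the script are skipped silently and fail2ban is left running through a ruleset rebuild. Add a default right after the config is sourced, `fail2ban_init_script="${fail2ban_init_script:-$(command -v fail2ban-client 2>/dev/null)}"`, or at least warn when it is empty while `fail2ban-client` is on PATH, and quote the call as `"$fail2ban_init_script" stop` since the path is now config-supplied. Removing `CONFIG_DIR` is consistent with the ban-list reader deleted further down, which was its only visible user; double-check no other `${CONFIG_DIR}` reference survives outside these hunks.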
@@ -328,188 +323,6 @@ done echo_done # Block IPs / Networks / Interfaces.. - -# --- -# - Block IPs/Netwoks reading from file 'ban_ipv4.list'" -# --- - -echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .." - -if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then - - declare -a octets - declare -i index - - while IFS='' read -r _line || [[ -n $_line ]] ; do - - is_valid_ipv4=true - is_valid_mask=true - ipv4="" - mask="" - - # Ignore comment lines - # - [[ $_line =~ ^[[:space:]]{0,}# ]] && continue - - # Ignore blank lines - # - [[ $_line =~ ^[[:space:]]*$ ]] && continue - - # Remove leading whitespace characters - # - _line="${_line#"${_line%%[![:space:]]*}"}" - - - # Catch IPv4 Address - # - given_ipv4="$(echo $_line | cut -d ' ' -f1)" - - - # Splitt Ipv4 address from possible given CIDR number - # - IFS='/' read -ra _addr <<< "$given_ipv4" - _ipv4="${_addr[0]}" - - if [[ -n "${_addr[1]}" ]] ; then - _mask="${_addr[1]}" - test_netmask=false - - # Is 'mask' a valid CIDR number? If not, test agains a valid netmask - # - if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then - - # Its not a vaild mask number, but naybe a valit netmask. - # - test_netmask=true - else - if [[ $_mask -gt 32 ]]; then - - # Its not a vaild cidr number, but naybe a valit netmask. - # - test_netmask=true - else - - # OK, we have a vaild cidr number between '0' and '32' - # - mask=$_mask - fi - fi - - # Test if given '_mask' is a valid netmask. 
- # - if $test_netmask ; then - octets=( ${_mask//\./ } ) - - # Complete netmask if necessary - # - while [[ ${#octets[@]} -lt 4 ]]; do - octets+=(0) - done - - [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false - - index=0 - for octet in ${octets[@]} ; do - if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then - if [[ $octet -gt 255 ]] ; then - is_valid_mask=false - fi - if [[ $index -gt 0 ]] ; then - mask="${mask}.${octet}" - else - mask="${octet}" - fi - - else - is_valid_mask=false - fi - - ((index++)) - done - fi - - adjust_mask=false - else - mask=32 - adjust_mask=true - fi - - # Splitt given address into their octets - # - octets=( ${_ipv4//\./ } ) - - # Complete IPv4 address if necessary - # - while [[ ${#octets[@]} -lt 4 ]]; do - octets+=(0) - - # Only adjust CIDR number if not given - # - if $adjust_mask ; then - mask="$(expr $mask - 8)" - fi - done - - # Pre-check if given IPv4 Address seems to be a valid address - # - [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false - - # Check if given IPv4 Address is a valid address - # - if $is_valid_ipv4 ; then - index=0 - for octet in ${octets[@]} ; do - if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then - if [[ $octet -gt 255 ]] ; then - is_valid_ipv4=false - fi - if [[ $index -gt 0 ]] ; then - ipv4="${ipv4}.${octet}" - else - ipv4="${octet}" - fi - - else - is_valid_ipv4=false - fi - - ((index++)) - done - fi - - if $is_valid_ipv4 && $is_valid_mask; then - - _ip="${ipv4}/${mask}" - - for _dev in ${ext_if_arr[@]} ; do - if $log_blocked_ip || $log_all ; then - $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level - fi - fi - $ipt -A INPUT -i $_dev -s $_ip -j DROP - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -s $_ip -j DROP - fi - done - - - else - msg="$msg '${given_ipv4}'" - fi - - done < "${CONFIG_DIR}/ban_ipv4.list" - 
echo_done - - if [[ -n "$msg" ]]; then - warn "Ignored:$msg" - fi -else - echo_skipped -fi - - # --- # - Allow Forwarding certain private Addresses # --- @@ -904,39 +717,20 @@ fi echo_done -# --- -# - VPN -# --- +# --- +# - Permit all traffic through VPN lines +# --- echononl "\tPermit all traffic through VPN lines.." -if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then - if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then - for _ip in ${vpn_server_ip_arr[@]} ; do - for _port in ${vpn_port_arr[@]} ; do - $ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT - done - done - - for _vpn_if in ${vpn_if_arr[@]} ; do - $ipt -A INPUT -i $_vpn_if -j ACCEPT - $ipt -A OUTPUT -o $_vpn_if -j ACCEPT - if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_vpn_if -j ACCEPT - $ipt -A FORWARD -o $_vpn_if -j ACCEPT - fi - done +for _vpn_if in ${vpn_if_arr[@]} ; do + $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_vpn_if -j ACCEPT + $ipt -A FORWARD -o $_vpn_if -j ACCEPT fi - - if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then - for _ip in ${forward_vpn_server_ip_arr[@]} ; do - $ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT - done - fi - - echo_done -else - echo_skipped -fi +done +echo_done echo 
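Review bot: Adding `-m conntrack --ctstate NEW` to only the INPUT and OUTPUT rules for `$_vpn_if` leaves the loop inconsistent: the two FORWARD rules guarded by `$kernel_activate_forwarding` still accept in any state, and for INPUT/OUTPUT the change only removes INVALID packets if, as presumed, an ESTABLISHED,RELATED accept precedes these rules. Either make the FORWARD rules match too, `$ipt -A FORWARD -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT` and `$ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT`, or comment why forwarding over the VPN is deliberately unconditional. The file otherwise uses `-m state --state NEW` (see the rules moved to the later VPN section), so one module should be chosen for the whole script. The removed `echo_skipped` path means an empty `vpn_if_arr` now reports `echo_done` after adding nothing.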
@@ -1154,6 +948,48 @@ else fi +# --- +# - VPN +# --- + +echononl "\t\tVPN Service only out" +if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + +echononl "\t\tVPN Services.." +if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${vpn_server_ip_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _ip in ${forward_vpn_server_ip_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + + # --- # - Rsync Out # --- @@ -1588,7 +1424,7 @@ echononl "\t\tSpecial TCP Ports OUT" if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then - if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then + if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do @@ -1738,14 +1574,13 @@ echo_done # ------------- # ------------- Start Fail2Ban if installed # ------------- -if [ -x "$fail2ban_client" ]; then + +if [ -x "$fail2ban_init_script" ]; then echo echononl "\tStarting fail2ban.." - $fail2ban_client start > /dev/null 2>&1 + $fail2ban_init_script start > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done - elif [ "$?" = "255" ]; then - echo_skipped else echo_failed fi
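Review bot: The same guard mismatch as in the IPv6 script: the inner `if` now checks `forward_tcp_out_port_arr` but the `for _port in ${tcp_out_port_arr[@]}` loop right after it still walks `tcp_out_port_arr`, so with only `tcp_out_port_arr` configured the outbound TCP rules are skipped and outbound connections on those ports are blocked, while with only the forward list configured the loop does nothing. Unless the body outside the hunk was changed as well, revert to `if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then`. The enclosing block starts and ends outside the hunk.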
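Review bot: Removing the `elif [ "$?" = "255" ]` branch is correct — at that point `$?` held the status of the preceding `[ "$?" = "0" ]` test, never of the start command, so `echo_skipped` was unreachable — but the remaining indirection through `$?` can go the same way: `if "$fail2ban_init_script" start > /dev/null 2>&1; then` tests the command directly and quotes the config-supplied path. As with the stop block, `[ -x "$fail2ban_init_script" ]` silently does nothing when the variable is unset now that the `which` fallback is gone.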