diff --git a/conf/post_declarations.conf b/conf/post_declarations.conf
new file mode 100644
index 0000000..e6a8137
--- /dev/null
+++ b/conf/post_declarations.conf
@@ -0,0 +1,621 @@
+#!/usr/bin/env bash
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+# ---
+# NAT (Masquerade) Network interfaces
+# ---
+
+declare -a nat_device_arr=()
+for _dev in $nat_devices ; do
+ if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+ nat_device_arr+=("$_dev")
+ fi
+done
+
+
+# ---
+# IP Addresses LX Guest System
+# ---
+
+declare -a lxc_guest_ip_arr=()
+for _ip in $lxc_guest_ips ; do
+ lxc_guest_ip_arr+=("$_ip")
+done
+
+
+# ---
+# local Interfaces
+# ---
+
+declare -a local_ip_arr=()
+for _ip in $local_ips ; do
+ local_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses to log
+# ---
+declare -a log_ip_arr
+for _ip in $log_ips ; do
+ log_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - LOG CGI script Traffic out
+# ---
+declare -a cgi_script_user_arr=()
+for _user in $cgi_script_users ; do
+ cgi_script_user_arr+=($_user)
+done
+
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+ host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+ ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+ vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - WireGuard Interfaces
+# ---
+declare -a wg_if_arr
+for _dev in $wg_ifs ; do
+ wg_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+ local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+ blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+ unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+ restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+ restrict_local_net_to_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern Service
+# ---
+declare -a allow_ext_service_arr
+for _val in $allow_ext_service ; do
+ allow_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern IP-Address/Network
+# ---
+declare -a allow_ext_net_arr
+for _net in $allow_ext_net ; do
+ allow_ext_net_arr+=("$_net")
+done
+
+# ---
+# - Allow (non-standard) local Services
+# ---
+declare -a allow_local_service_arr
+for _val in $allow_local_service ; do
+ allow_local_service_arr+=("$_val")
+done
+
+# ---
+# - Allow (non-standard) local Services from specified network
+# ---
+declare -a allow_local_service_from_network_arr
+for _service in $allow_local_service_from_networks ; do
+ allow_local_service_from_network_arr+=("$_service")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+ block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+ block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+ forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_server_if_arr
+for _dev in $dhcp_server_ifs ; do
+ dhcp_server_if_arr+=($_dev)
+done
+declare -a dhcp_client_if_arr
+for _dev in $dhcp_client_ifs ; do
+ dhcp_client_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+ dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+ forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Netwoks allowed access to local DNS Resolver
+# ---
+declare -a resolver_allowed_network_arr
+for _net in $resolver_allowed_networks ; do
+ resolver_allowed_network_arr+=("$_net")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+ vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+ forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses WireGuard Service
+# ---
+# local
+declare -a wireguard_server_ip_arr
+for _ip in $wireguard_server_ips ; do
+ wireguard_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_wireguard_server_ip_arr
+for _ip in $forward_wireguard_server_ips ; do
+ forward_wireguard_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+ ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+ forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+ http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+ forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses MatterMost Service
+# ---
+# local
+declare -a mm_server_ip_arr
+for _ip in $mm_server_ips ; do
+ mm_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mm_server_ip_arr
+for _ip in $forward_mm_server_ips ; do
+ forward_mm_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+ ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+ forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+ smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+ forward_smtpd_ip_arr+=("$_ip")
+done
+
+
+# ---
+# Additional SMTP Listen Ports
+# ---
+declare -a smtpd_additional_listen_port_arr
+for _port in $smtpd_additional_listen_ports ; do
+ smtpd_additional_listen_port_arr+=("$_port")
+done
+
+
+# ---
+# Additional SMTP Outgoing Ports
+# ---
+declare -a smtpd_additional_outgoung_port_arr
+for _port in $smtpd_additional_outgoung_ports ; do
+ smtpd_additional_outgoung_port_arr+=("$_port")
+done
+
+
+
+# ---
+# - IP Addresses XMPP Service (Jabber - Prosody)
+# ---
+declare -a xmpp_server_ip_arr
+for _ip in $xmpp_server_ips ; do
+ xmpp_server_ip_arr+=("$_ip")
+done
+
+declare -a forward_xmpp_server_ip_arr
+for _ip in $forward_xmpp_server_ips ; do
+ forward_xmpp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - XMPP Remote Dovecote Out Service
+# ---
+declare -a xmmp_remote_out_service_arr
+for _val in $xmmp_remote_out_services ; do
+ xmmp_remote_out_service_arr+=("$_val")
+done
+
+# ---
+# - Mail Services (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+ mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+ forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+ mail_client_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_client_ip_arr
+for _ip in $forward_mail_client_ips ; do
+ forward_mail_client_ip_arr+=("$_ip")
+done
+
+# ---
+# - (local) Dovecot auth service
+# ---
+declare -a dovecot_auth_allowed_network_arr
+for _ip in $dovecot_auth_allowed_networks ; do
+ dovecot_auth_allowed_network_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+ mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+ forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Jitsi Video Conferencing Server
+# ---
+declare -a jitsi_server_ip_arr
+for _ip in $jitsi_server_ips ; do
+ jitsi_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_jitsi_server_ip_arr
+for _ip in $forward_jitsi_server_ips ; do
+ forward_jitsi_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Remote Jibri Server
+# ---
+declare -a jitsi_jibri_remote_ip_arr
+for _ip in $jitsi_jibri_remote_ips ; do
+ jitsi_jibri_remote_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Jibri Recording / Streaming Server
+# ---
+declare -a jibri_server_ip_arr
+for _ip in $jibri_server_ips ; do
+ jibri_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_jibri_server_ip_arr
+for _ip in $forward_jibri_server_ips ; do
+ forward_jibri_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
+# ---
+# local
+declare -a nc_turn_server_ip_arr
+for _ip in $nc_turn_server_ips ; do
+ nc_turn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_nc_turn_server_ip_arr
+for _ip in $forward_nc_turn_server_ips ; do
+ forward_nc_turn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+ tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - Prometheus Monitoring - local Server
+# ---
+declare -a prometheus_local_server_ip_arr
+for _ip in $prometheus_local_server_ips ; do
+ prometheus_local_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Prometheus Monitoring - local Client
+# ---
+declare -a prometheus_local_client_ip_arr
+for _ip in $prometheus_local_client_ips; do
+ prometheus_local_client_ip_arr+=("$_ip")
+done
+declare -a prometheus_remote_server_ip_arr
+for _ip in $prometheus_remote_server_ips ; do
+ prometheus_remote_server_ip_arr+=("$_ip")
+done
+
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+ munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+ forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+ xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+ rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+ forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+ ssh_port_arr+=("$_port")
+done
+
+# ---
+# - XMPP Service (Jabber - Prosody)
+# ---
+declare -a xmmp_tcp_in_port_arr
+for _port in $xmmp_tcp_in_ports ; do
+ xmmp_tcp_in_port_arr+=("$_port")
+done
+
+declare -a xmmp_tcp_out_port_arr
+for _port in $xmmp_tcp_out_ports ; do
+ xmmp_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+ vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Wireguard Ports (local Service)
+# ---
+# local
+declare -a wireguard_server_port_arr
+for _port in $wireguard_server_ports ; do
+ wireguard_server_port_arr+=("$_port")
+done
+
+# ---
+# - Wireguard out Ports
+# ---
+# local
+declare -a wireguard_out_port_port_arr
+for _port in $wireguard_out_ports ; do
+ wireguard_out_port_port_arr+=("$_port")
+done
+
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+ rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+ tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+ forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+ udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+ forward_udp_out_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+ portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+ portforward_udp_arr+=("$_str")
+done
+
diff --git a/ipt-firewall-server b/ipt-firewall-server
index b45cdd5..ea05b4b 100755
--- a/ipt-firewall-server
+++ b/ipt-firewall-server
@@ -13,7 +13,7 @@ conf_logging=${ipt_conf_dir}/logging_ipv4.conf
 conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
 conf_default_settings=${ipt_conf_dir}/default_settings.conf
 conf_main=${ipt_conf_dir}/main_ipv4.conf
-conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
+conf_post_declarations=${ipt_conf_dir}/post_declarations.conf
 conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
@@ -225,7 +225,7 @@ if ! is_container ; then
 ## - Logging of spoofed (source routed" and "redirect") packets
 ## -
 if $kernel_log_martians ; then
- echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
+ echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
 fi
 ## - Keine ICMP Umleitungspakete akzeptieren.
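Review bot: In the `# - IP-Addresses (Host, Guests (VServer, LX_Container)` section the array that is declared is `ext_ip_arr`, but the loop body appends to `host_ip_arr`, so `ext_ip_arr` stays empty and `host_ip_arr` is filled without ever being declared; any rule generation that later iterates `ext_ip_arr` would silently produce no rules for those addresses. Change the body to `ext_ip_arr+=("$_ip")`, or the declaration to `host_ip_arr`, whichever name the consuming code actually reads. Separately, `cgi_script_user_arr+=($_user)`, `dhcp_server_if_arr+=($_dev)` and `dhcp_client_if_arr+=($_dev)` are the only appends in the file that leave the value unquoted, so a configuration value containing glob characters would be pathname-expanded before it lands in the array; quote them as `+=("$_user")` and `+=("$_dev")` like every other loop. The `containsElement $_dev "${nat_device_arr[@]}"` call in the NAT loop should likewise pass `"$_dev"` quoted.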
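Review bot: `log_martians` is only written when `$kernel_log_martians` is true; when the option is false the hunk leaves the kernel with whatever value it already had (a `1` from an earlier run or from the distribution's defaults), so the effective setting no longer tracks the configuration in both directions. Adding an explicit `else` branch, `echo "0" > /proc/sys/net/ipv4/conf/all/log_martians`, makes the script authoritative for this sysctl either way. The enclosing `if ! is_container` block starts outside the hunk, so I cannot see whether a write failure here is caught; if the script does not run under `set -e`, a comment noting that a missing `/proc/sys/...` entry is tolerated would help the next reader.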
@@ -478,12 +478,13 @@ fi
 echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
 if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${forward_private_ip_arr[@]}; do
+ # NOTE: These IPs/IP-ranges are intentionally not firewalled (pass-through).
 if $log_forwarding_priv_ip || $log_all ; then
- $ipt -t mangle -A PREROUTING -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: "
- $ipt -t mangle -A PREROUTING -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: "
+ $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
+ $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
 fi
- $ipt -t mangle -A PREROUTING -d $_ip -j ACCEPT
- $ipt -t mangle -A PREROUTING -s $_ip -j ACCEPT
+ $ipt -A FORWARD -d $_ip -j ACCEPT
+ $ipt -A FORWARD -s $_ip -j ACCEPT
 done
 echo_done
 else
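Review bot: The new `$ipt -A FORWARD -s $_ip -j ACCEPT` rule carries no `-i` qualifier, so once it is reached any forwarded packet whose source claims to be in one of these private ranges is accepted regardless of the interface it arrived on; whether an earlier anti-spoofing rule in FORWARD or rp_filter already covers that case lies outside the hunk and I cannot tell from here. This matters more than before: an ACCEPT in the mangle PREROUTING chain only ended mangle traversal, whereas an ACCEPT in the filter FORWARD chain genuinely exempts the packet from every later FORWARD rule, so the new NOTE is literally true and the block's position relative to the rest of the chain is now load-bearing. Consider restricting the source-side rule to the inside interface(s), e.g. `$ipt -A FORWARD -i "$_dev" -s "$_ip" -j ACCEPT` inside a loop over the local interface array, or at least extend the NOTE to say that this block must precede the blocking rules. The `${forward_private_ip_arr[@]}` and `$_ip` expansions are unquoted, which is pre-existing but worth quoting while the lines are being touched.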