firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rename post_decalrations.conf -> post_declarations.conf; fix error in handling IPv4 'forward_private_ip_arr'. Fix error setting '/proc/sys/net/ipv4/conf/all/log_martians'.

Browse Source
This commit is contained in:
Christoph
2026-01-19 16:43:40 +01:00
parent 3d27513b81
commit a5b66b755b
2 changed files with 628 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

621
conf/post_declarations.conf Normal file
View File

@@ -0,0 +1,621 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# NAT (Masquerade) Network interfaces
# ---
declare -a nat_device_arr=()
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# IP Addresses LX Guest System
# ---
declare -a lxc_guest_ip_arr=()
for _ip in $lxc_guest_ips ; do
lxc_guest_ip_arr+=("$_ip")
done
# ---
# local Interfaces
# ---
declare -a local_ip_arr=()
for _ip in $local_ips ; do
local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - LOG CGI script Traffic out
# ---
declare -a cgi_script_user_arr=()
for _user in $cgi_script_users ; do
cgi_script_user_arr+=($_user)
done
# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container)
# ---
declare -a ext_ip_arr
for _ip in $ext_ips ; do
host_ip_arr+=("$_ip")
done
# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr
for _dev in $ext_ifs ; do
ext_if_arr+=("$_dev")
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - WireGuard Interfaces
# ---
declare -a wg_if_arr
for _dev in $wg_ifs ; do
wg_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Restrict local Servive to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
restrict_local_service_to_net_arr+=("$_val")
done
# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr
for _val in $restrict_local_net_to_net ; do
restrict_local_net_to_net_arr+=("$_val")
done
# ---
# - Allow extern Service
# ---
declare -a allow_ext_service_arr
for _val in $allow_ext_service ; do
allow_ext_service_arr+=("$_val")
done
# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr
for _net in $allow_ext_net ; do
allow_ext_net_arr+=("$_net")
done
# ---
# - Allow (non-standard) local Services
# ---
declare -a allow_local_service_arr
for _val in $allow_local_service ; do
allow_local_service_arr+=("$_val")
done
# ---
# - Allow (non-standard) local Services from specified network
# ---
declare -a allow_local_service_from_network_arr
for _service in $allow_local_service_from_networks ; do
allow_local_service_from_network_arr+=("$_service")
done
# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - Network Interfaces DHCP Service
# ---
declare -a dhcp_server_if_arr
for _dev in $dhcp_server_ifs ; do
dhcp_server_if_arr+=($_dev)
done
declare -a dhcp_client_if_arr
for _dev in $dhcp_client_ifs ; do
dhcp_client_if_arr+=($_dev)
done
# ---
# - IP Addresses DNS Server
# ---
# - local
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_dns_server_ip_arr
for _ip in $forward_dns_server_ips ; do
forward_dns_server_ip_arr+=("$_ip")
done
# ---
# - Netwoks allowed access to local DNS Resolver
# ---
declare -a resolver_allowed_network_arr
for _net in $resolver_allowed_networks ; do
resolver_allowed_network_arr+=("$_net")
done
# ---
# - IP Addresses VPN Server
# ---
# local
declare -a vpn_server_ip_arr
for _ip in $vpn_server_ips ; do
vpn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_vpn_server_ip_arr
for _ip in $forward_vpn_server_ips ; do
forward_vpn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses WireGuard Service
# ---
# local
declare -a wireguard_server_ip_arr
for _ip in $wireguard_server_ips ; do
wireguard_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_wireguard_server_ip_arr
for _ip in $forward_wireguard_server_ips ; do
forward_wireguard_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses SSH Server
# ---
# local
declare -a ssh_server_ip_arr
for _ip in $ssh_server_ips ; do
ssh_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ssh_server_ip_arr
for _ip in $forward_ssh_server_ips ; do
forward_ssh_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses HTTP Server
# ---
# local
declare -a http_server_ip_arr
for _ip in $http_server_ips ; do
http_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_http_server_ip_arr
for _ip in $forward_http_server_ips ; do
forward_http_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses MatterMost Service
# ---
# local
declare -a mm_server_ip_arr
for _ip in $mm_server_ips ; do
mm_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mm_server_ip_arr
for _ip in $forward_mm_server_ips ; do
forward_mm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
# local
declare -a ftp_server_ip_arr
for _ip in $ftp_server_ips ; do
ftp_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ftp_server_ip_arr
for _ip in $forward_ftp_server_ips ; do
forward_ftp_server_ip_arr+=("$_ip")
done
# ---
# - Mail SMTP Server
# ---
# local
declare -a smtpd_ips_arr
for _ip in $smtpd_ips ; do
smtpd_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_smtpd_ip_arr
for _ip in $forward_smtpd_ips ; do
forward_smtpd_ip_arr+=("$_ip")
done
# ---
# Additional SMTP Listen Ports
# ---
declare -a smtpd_additional_listen_port_arr
for _port in $smtpd_additional_listen_ports ; do
smtpd_additional_listen_port_arr+=("$_port")
done
# ---
# Additional SMTP Outgoing Ports
# ---
declare -a smtpd_additional_outgoung_port_arr
for _port in $smtpd_additional_outgoung_ports ; do
smtpd_additional_outgoung_port_arr+=("$_port")
done
# ---
# - IP Addresses XMPP Service (Jabber - Prosody)
# ---
declare -a xmpp_server_ip_arr
for _ip in $xmpp_server_ips ; do
xmpp_server_ip_arr+=("$_ip")
done
declare -a forward_xmpp_server_ip_arr
for _ip in $forward_xmpp_server_ips ; do
forward_xmpp_server_ip_arr+=("$_ip")
done
# ---
# - XMPP Remote Dovecote Out Service
# ---
declare -a xmmp_remote_out_service_arr
for _val in $xmmp_remote_out_services ; do
xmmp_remote_out_service_arr+=("$_val")
done
# ---
# - Mail Services (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_server_ips_arr
for _ip in $mail_server_ips ; do
mail_server_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_server_ip_arr
for _ip in $forward_mail_server_ips ; do
forward_mail_server_ip_arr+=("$_ip")
done
# ---
# - Mail client (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_client_ips_arr
for _ip in $mail_client_ips ; do
mail_client_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_client_ip_arr
for _ip in $forward_mail_client_ips ; do
forward_mail_client_ip_arr+=("$_ip")
done
# ---
# - (local) Dovecot auth service
# ---
declare -a dovecot_auth_allowed_network_arr
for _ip in $dovecot_auth_allowed_networks ; do
dovecot_auth_allowed_network_arr+=("$_ip")
done
# ---
# - IP Addresses Mumble Server
# ---
# local
declare -a mumble_server_ip_arr
for _ip in $mumble_server_ips ; do
mumble_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mumble_server_ip_arr
for _ip in $forward_mumble_server_ips ; do
forward_mumble_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jitsi Video Conferencing Server
# ---
declare -a jitsi_server_ip_arr
for _ip in $jitsi_server_ips ; do
jitsi_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jitsi_server_ip_arr
for _ip in $forward_jitsi_server_ips ; do
forward_jitsi_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Remote Jibri Server
# ---
declare -a jitsi_jibri_remote_ip_arr
for _ip in $jitsi_jibri_remote_ips ; do
jitsi_jibri_remote_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jibri Recording / Streaming Server
# ---
declare -a jibri_server_ip_arr
for _ip in $jibri_server_ips ; do
jibri_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jibri_server_ip_arr
for _ip in $forward_jibri_server_ips ; do
forward_jibri_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ---
# local
declare -a nc_turn_server_ip_arr
for _ip in $nc_turn_server_ips ; do
nc_turn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_nc_turn_server_ip_arr
for _ip in $forward_nc_turn_server_ips ; do
forward_nc_turn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Telephone Systems
# ---
declare -a tel_sys_ip_arr
for _ip in $tel_sys_ips ; do
tel_sys_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Server
# ---
declare -a prometheus_local_server_ip_arr
for _ip in $prometheus_local_server_ips ; do
prometheus_local_server_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Client
# ---
declare -a prometheus_local_client_ip_arr
for _ip in $prometheus_local_client_ips; do
prometheus_local_client_ip_arr+=("$_ip")
done
declare -a prometheus_remote_server_ip_arr
for _ip in $prometheus_remote_server_ips ; do
prometheus_remote_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Munin
# ---
# local
declare -a munin_server_ip_arr
for _ip in $munin_server_ips ; do
munin_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_munin_server_ip_arr
for _ip in $forward_munin_server_ips ; do
forward_munin_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_rsync_out_ip_arr
for _ip in $forward_rsync_out_ips ; do
forward_rsync_out_ip_arr+=("$_ip")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - XMPP Service (Jabber - Prosody)
# ---
declare -a xmmp_tcp_in_port_arr
for _port in $xmmp_tcp_in_ports ; do
xmmp_tcp_in_port_arr+=("$_port")
done
declare -a xmmp_tcp_out_port_arr
for _port in $xmmp_tcp_out_ports ; do
xmmp_tcp_out_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
# local
declare -a vpn_port_arr
for _port in $vpn_ports ; do
vpn_port_arr+=("$_port")
done
# ---
# - Wireguard Ports (local Service)
# ---
# local
declare -a wireguard_server_port_arr
for _port in $wireguard_server_ports ; do
wireguard_server_port_arr+=("$_port")
done
# ---
# - Wireguard out Ports
# ---
# local
declare -a wireguard_out_port_port_arr
for _port in $wireguard_out_ports ; do
wireguard_out_port_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Special TCP Ports OUT
# ---
# local
declare -a tcp_out_port_arr
for _port in $tcp_out_ports ; do
tcp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_tcp_out_port_arr
for _port in $forward_tcp_out_ports ; do
forward_tcp_out_port_arr+=("$_port")
done
# ---
# - Special UDP Ports OUT
# ---
# local
declare -a udp_out_port_arr
for _port in $udp_out_ports ; do
udp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_udp_out_port_arr
for _port in $forward_udp_out_ports ; do
forward_udp_out_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done

13
ipt-firewall-server
View File

@@ -13,7 +13,7 @@ conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_settings=${ipt_conf_dir}/default_settings.conf conf_default_settings=${ipt_conf_dir}/default_settings.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_post_declarations=${ipt_conf_dir}/post_declarations.conf
conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list" conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
@@ -225,7 +225,7 @@ if ! is_container ; then
## - Logging of spoofed (source routed" and "redirect") packets ## - Logging of spoofed (source routed" and "redirect") packets
## - ## -
if $kernel_log_martians ; then if $kernel_log_martians ; then
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi fi
## - Keine ICMP Umleitungspakete akzeptieren. ## - Keine ICMP Umleitungspakete akzeptieren.
@@ -478,12 +478,13 @@ fi
echononl "\tAllow forwarding (private) IPs / IP-Ranges.." echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${forward_private_ip_arr[@]}; do for _ip in ${forward_private_ip_arr[@]}; do
# NOTE: These IPs/IP-ranges are intentionally not firewalled (pass-through).
if $log_forwarding_priv_ip || $log_all ; then if $log_forwarding_priv_ip || $log_all ; then
$ipt -t mangle -A PREROUTING -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: " $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
$ipt -t mangle -A PREROUTING -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: " $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
fi fi
$ipt -t mangle -A PREROUTING -d $_ip -j ACCEPT $ipt -A FORWARD -d $_ip -j ACCEPT
$ipt -t mangle -A PREROUTING -s $_ip -j ACCEPT $ipt -A FORWARD -s $_ip -j ACCEPT
done done
echo_done echo_done
else else