commit f6ec6c7517dfb4dfbb8757309064bc3715495afd Author: Christoph Date: Sun Feb 12 16:07:07 2017 +0100 Initial import
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..689be27
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+ip6t-firewall-server.conf
+ipt-firewall-server.conf
+BAK/*
diff --git a/README.bridge b/README.bridge
new file mode 100644
index 0000000..06c789c
--- /dev/null
+++ b/README.bridge
@@ -0,0 +1,14 @@
+
+
+# ---
+# - Prevent bridged traffic getting pushed through the host's iptables rules
+# ---
+$ipt -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
+
+# - Note: Maybe youe have also to activate forwarding
+# -
+# - IPv4:
+# - echo 1 > /proc/sys/net/ipv4/ip_forward
+# -
+# - IPv6:
+# - echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
diff --git a/README.systemd.server b/README.systemd.server
new file mode 100644
index 0000000..2215bf1
--- /dev/null
+++ b/README.systemd.server
@@ -0,0 +1,63 @@
+
+## - Create a systemd service
+## -
+
+# IPv4
+#
+cat <> /etc/systemd/system/ipt-firewall.service
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-server start
+ExecStop=/usr/local/sbin/ipt-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# IPv6
+#
+cat <> /etc/systemd/system/ip6t-firewall.service
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-server start
+ExecStop=/usr/local/sbin/ip6t-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+
+## - Eanable script (for autostart at boot time)
+## -
+systemctl enable ipt-firewall.service
+systemctl enable ip6t-firewall.service
+
+## - Reload systemd configuration
+## -
+systemctl daemon-reload
+
+
+## - Start Services
+## -
+systemctl start ipt-firewall
+systemctl start ip6t-firewall
+
+
+## - Add to /etc/rc.local
+## -
+## - sleep 2
+## - systemctl restart ipt-firewall || /bin/true
+## - systemctl restart ip6t-firewall || /bin/true
+
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
new file mode 100755
index 0000000..ea39c52
--- /dev/null
+++ b/ip6t-firewall-server
@@ -0,0 +1,1250 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: ip6t-firewall +# Required-Start: $local_fs $remote_fs $syslog $network $time +# Required-Stop: $local_fs $remote_fs $syslog $network +# Should-Start: +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: IPv6 Firewall +### END INIT INFO + +CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-server.conf + + +# ------------- Load Kernel Modules ------------- +# +# Load appropriate modules. +if ! $host_is_vm ; then + /sbin/modprobe ip6_tables + /sbin/modprobe ip6table_filter + /sbin/modprobe ip6t_REJECT +fi +# +# ------------- End: Load Kernel Modules ------------- + + +echo +echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m" +echo + +## -------------------------------------------------------------------------- +## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf +## -------------------------------------------------------------------------- + +if [[ -f "$CONFIG_FILE" ]]; then + source $CONFIG_FILE +else + echo + echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m" + echo + exit 1 +fi + + +# ------------- +# --- Activate IP Forwarding +# ------------- + +if ! $host_is_vm ; then + + # --- + # - Disable ip forwarding between interfaces + # --- + if $kernel_forward_between_interfaces ; then + echononl "\tActivate Forwarding.." + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + else + echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" + echo 0 > /proc/sys/net/ipv6/conf/all/forwarding + fi + + echo_done + +fi + +# ------------- +# --- Adjust Kernel Parameters (Security/Tuning) +# ------------- + +echononl "\tAdjust Kernel Parameters (Security/Tuning).." + +if ! 
$host_is_vm ; then + + # --- + # - Deactivate Source Routed Packets + # --- + for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do + if $kernel_deactivate_source_route ; then + echo 0 > $asr + fi + done + + + # --- + # - Deactivate sending ICMP redirects + # --- + if $kernel_dont_accept_redirects ; then + echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects + fi + + echo_done # Adjust Kernel Parameters (Security/Tuning) +else + echo_skipped + +fi # if ! $host_is_vm + + +# ------------- Stop Fail2Ban if installed ------------- +# +if [ -x "$fail2ban_init_script" ]; then + echononl "\tStopping fail2ban.." + $fail2ban_init_script stop > /dev/null 2>&1 + if [ "$?" = "0" ];then + echo_done + else + echo_warning + fi +fi +# +# ------------- Ende: Stop Fail2Ban if installed ------------- + + +# ------------- +# --- Set default policies / Flush Rules +# ------------- + + +echo +echononl "\tFlushing firewall iptable (IPv6).." + +# - default policies +# - +$ip6t -P INPUT ACCEPT +$ip6t -P OUTPUT ACCEPT +$ip6t -P FORWARD ACCEPT + +## - flush chains +## - +$ip6t -F +$ip6t -F INPUT +$ip6t -F OUTPUT +$ip6t -F FORWARD +$ip6t -F -t mangle +$ip6t -F -t nat +$ip6t -F -t raw +$ip6t -X +$ip6t -Z + +echo_done # Flushing firewall iptable (IPv6).. 
+echo + + + +# ------------- +# ------------ Stopping firewall if only flushing was requested (parameter flush) +# ------------- + +case $1 in + flush) + exit 0;; +esac + + + +# ------------- +# --- Pass through Devices Interfaces (not firewalled) +# ------------- + +if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then + echononl "\tPass through Devices (not firewalled)" + for _dev in ${unprotected_if_arr[@]} ; do + if $log_unprotected || $log_all ; then + $ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + fi + $ip6t -A INPUT -i $_dev -j ACCEPT + $ip6t -A OUTPUT -o $_dev -j ACCEPT + $ip6t -A FORWARD -i $_dev -j ACCEPT + $ip6t -A FORWARD -o $_dev -j ACCEPT + done + echo_done +fi + + + +# ------------- +# --- Block IPs / Networks / Interfaces +# ------------- +echononl "\tBlock IPs / Networks / Interfaces.." 
+ + +# --- +# - Block IPs +# --- + +for _ip in $blocked_ips ; do + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + fi + fi + $ip6t -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $_ip -j DROP + fi + done +done + + +# --- +# - Block Interfaces +# --- + +for _if in ${blocked_if_arr[@]} ; do + if $log_blocked_if || $log_all ; then + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + $ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_if -j DROP + $ip6t -A FORWARD -o $_if -j DROP + fi + $ip6t -A INPUT -i $_if -j DROP + $ip6t -A OUTPUT -o $_if -j DROP +done + +echo_done # Block IPs / Networks / Interfaces.. + + +# --- +# - Allow Forwarding certain private Addresses +# --- + +if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then + echononl "\tAllow forwarding (private) IPs / IP-Ranges.." + for _ip in ${forward_private_ip_arr[@]}; do + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -d $_ip -j ACCEPT + $ip6t -A FORWARD -s $_ip -j ACCEPT + echo_done + else + echo_skipped + fi + done +fi + + + +# ------------- +# --- Protections against several attacks / unwanted packages +# ------------- +echo +echononl "\tProtections against several attacks / unwanted packages.." 
+ + +# --- +# - Protection against syn-flooding +# --- + +$ip6t -N syn-flood +$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN +if $log_syn_flood || $log_all ; then + $ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level +fi +$ip6t -A syn-flood -j DROP + + +# --- +# - drop new packages without syn flag +# --- + +if $log_new_not_sync || $log_all ; then + $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + fi +fi +$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP +$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p tcp ! 
--syn -m state --state NEW -j DROP +fi + + +# --- +# - drop invalid packages +# --- + +if $log_invalid_state || $log_all ; then + $ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + fi +fi +$ip6t -A INPUT -m state --state INVALID -j DROP +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -m state --state INVALID -j DROP +fi + + +# --- +# - ungewöhnliche Flags verwerfen +# --- + +for _dev in ${ext_if_arr[@]} ; do + if $log_invalid_flags || $log_all ; then + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + fi + fi + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ip6t -A FORWARD 
-i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + fi +done + + +# --- +# - Refuse private addresses on extern interfaces +# --- + +# - Refuse spoofed packets pretending to be from your IP address. +if $log_spoofed || $log_all ; then + for _ip in ${ext_ip_arr[@]} ; do + $ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + fi + done +fi +for _ip in ${ext_ip_arr[@]} ; do + $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP + if $kernel_forward_between_interfaces ; then + $ipi6t -A FORWARD -s $_ip -d $_ip -j DROP + fi +done + + +# - private Adressen auf externen interface verwerfen +for _dev in ${ext_if_arr[@]} ; do + if $log_spoofed || $log_all ; then + $ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level + $ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level + $ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + fi + fi + $ip6t -A INPUT -i $_dev -s $ula_block -j DROP + $ip6t -A INPUT -i $_dev -s $loopback -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP + $ip6t -A FORWARD -i $_dev -s $loopback -j DROP + fi + + # Don't allow spoofing from that server + $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP + $ip6t -A OUTPUT -o $_dev -s $loopback -j DROP + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP + $ip6t -A FORWARD -o $_dev -s $loopback -j DROP + fi +done + +echo_done + + + +# ------------- +# ------------- Stopping 
firewall here if requested (parameter stop) +# ------------- + +case $1 in + sto*) + #echononl "Stopping firewall iptable (IPv6).." + echo + echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m" + echo + exit 0;; +esac + + +echo + +# ------------- +# --- Traffic Counter (used by munin) +# ------------- + +echononl "\tCreate Traffic Counter (used by munin)" +if $create_traffic_counter ; then + for _ip in ${ext_ip_arr[@]} ; do + $ip6t -A INPUT -d $_ip + $ip6t -A INPUT -s $_ip + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -d $_ip + $ip6t -A FORWARD -s $_ip + fi + done + echo_done +else + echo_skipped +fi + + +# ------------- +# --- iPerf +# ------------- + +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. + +echononl "\tCreate \"iPerf\" rules.." +if $create_iperf_rules ; then + $ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT + $ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT + # + $ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT + $ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT + $ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT + fi + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Generally prohibited +# ------------- + +echononl "\tGenerally prohibited traffic.." + +for _dev in ${ext_if_arr[@]} ; do + if $log_prohibited || $log_all ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. 
prohibited: " --log-level $log_level + done + if $kernel_forward_between_interfaces ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + fi + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP + done + if $kernel_forward_between_interfaces ; then + for _port in ${block_tcp_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP + done + fi +done + +echo_done +echo + + +# ------------- +# --- Traffic generally allowed +# ------------- + +echononl "\tLoopback device generally allowed.." + +# --- +# - Loopback device +# --- + +$ip6t -A INPUT -i lo -j ACCEPT +$ip6t -A OUTPUT -o lo -j ACCEPT + +echo_done + + +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ip6t -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +$ip6t -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT +fi + +echo_done + +# --- +# - VPN +# --- + +if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then + echononl "\tPermit all traffic through VPN lines.." 
+ if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${vpn_server_ip_arr[@]} ; do + for _port in ${vpn_port_arr[@]} ; do + $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + + for _vpn_if in ${vpn_if_arr[@]} ; do + $ip6t -A INPUT -i $_vpn_if -j ACCEPT + $ip6t -A OUTPUT -o $_vpn_if -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_vpn_if -j ACCEPT + $ip6t -A FORWARD -o $_vpn_if -j ACCEPT + fi + done + fi + + if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_vpn_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Services +# ------------- + +echo +echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" + + +# --- +# - DHCP +# --- + +echononl "\t\tDHCP" + +if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then + for _dev in ${dhcp_if_arr[@]} ; do + # - in + $ip6t -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT + # - out + $ip6t -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT + done + echo_done +else + echo_skipped +fi + + + +# --- +# - DNS out only +# --- + +echononl "\t\tDNS out only" + +# - Nameservers on the INET must be reachable for the local recursiv nameserver +# - but also for all others +# - +for _dev in ${ext_if_arr[@]} ; do + # - out from local and virtual mashine(s) + $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT + + # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) + if $kernel_forward_between_interfaces ; then + # - forward from virtual mashine(s) + $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j 
ACCEPT + fi +done + +echo_done + + + +# --- +# - DNS Service +# --- + +echononl "\t\tDNS Service" + +if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${dns_server_ips[@]} ; do + # dns requests + $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + # Zonetransfer + $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_dns_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + # Zonetransfer + $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT + done + fi + echo_done +else + echo_skipped +fi + + +# --- +# - SSH out only +# --- + +echononl "\t\tSSH out only" + +# ausgehende Anfragen +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT + fi +done + +for _dev in ${local_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT +done + +echo_done + + +# --- +# - SSH Service +# --- + +echononl "\t\tSSH Service" + +if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${ssh_server_ip_arr[@]} ; do + for _port in ${ssh_port_arr[@]} ; do + $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_ssh_server_ip_arr[@]} ; 
do + for _port in ${ssh_port_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsync Out +# --- + +echononl "\t\tRsync (only OUT)" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then + for _port in ${rsync_port_arr[@]} ; do + + for _ip in ${rsync_out_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + done + + done + fi + + if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _port in ${rsync_port_arr[@]} ; do + + for _ip in ${forward_rsync_out_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + done + + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Telnet +# --- + +echononl "\t\tTelnet (only OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - MySQL +# --- + +echononl "\t\tMySQL (only OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - Munin remote service +# --- + +echononl "\t\tMunin remote service" + +if [ "X$munin_remote_ip" != "X" ]; then + for _dev in ${ext_if_arr[@]} ; do + $ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j 
ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Munin local service +# --- + +echononl "\t\tMunin local service" + + +if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_server_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_munin_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail (SMTP OUT) +# --- + +echononl "\t\tMail (SMTP OUT)" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - Mail (SMTP Server) +# --- + +echononl "\t\tMail (SMTP Server including Spam Control)" + +if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then + + for _ip in ${smtpd_ips_arr[@]} ; do + $ip6t -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + # + # Razor2 (TCP Port 2703) + $ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + # DEPRECATED: TCP Port 7 (echo) + $ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + # + # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) 
+ $ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + # + # - DCC (port udp:6277) + $ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT + # if DCC Server is running (port tcp:6277) + $ip6t -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT + done + fi + + if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_smtpd_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT + # + # Razor2 (TCP Port 2703) + $ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + # DEPRECATED: TCP Port 7 (echo) + $ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + # + # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) + $ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + # + # DCC (port udp:6277) + $ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT + # if DCC Server is running (port tcp:6277) + $ip6t -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Mail (POP/IMAP Server) +# --- + +echononl "\t\tMail (POP/IMAP Server)" + +if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then + for _ip in ${mail_server_ips_arr[@]} ; do + # mail ports + # + $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + done + fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] + + if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in 
${forward_mail_server_ip_arr[@]} ; do + # mail ports + # + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + done + fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then + + echo_done +else + echo_skipped +fi + + +# --- +# - HTTP(S) OUT +# --- + +echononl "\t\tHTTP(S) out only" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - HTTP(S) (local) Webserver +# --- + +echononl "\t\tHTTP(S) (local) Webserver" + +if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then + + if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${http_server_ip_arr[@]} ; do + $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + done + + if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_http_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + done + fi + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - FTP out only" +# --- + +echononl "\t\tFTP out only" + +for _dev in ${ext_if_arr[@]} ; do + # (Datenkanal aktiv) + $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT + # (Datenkanal passiv) + $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT + # (Kontrollverbindung) + $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + # (Datenkanal aktiv) + $ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT + # (Datenkanal passiv) + $ip6t -A FORWARD -o $_dev -p tcp --sport 
$unprivports --dport $unprivports -m state --state NEW -j ACCEPT + # (Kontrollverbindung) + $ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - FTP Server" +# --- + +echononl "\t\tFTP Server" + +if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${ftp_server_ip_arr[@]} ; do + # (Datenkanal aktiv) + $ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT + # Datenkanal (passiver modus) + $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT + # - Kontrollverbindung + $ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_ftp_server_ip_arr[@]} ; do + # (Datenkanal aktiv) + $ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT + # Datenkanal (passiver modus) + $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT + # - Kontrollverbindung + $ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Mumble Service +# --- + +echononl "\t\tMumble Service" + + +if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || $local_mumble_service ; then + if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${mumble_server_ip_arr[@]} ; do + $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + done + fi + + if [[ ${#forward_mumble_server_ip_arr[@]} ]] && $kernel_forward_between_interfaces ; then + for _ip in ${forward_mumble_server_ip_arr[@]} ; do + $ip6t -A FORWARD -p tcp 
-d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Timeserver (Port 37 NOT NTP!)" +# --- + +echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - NTP out only" +# --- + +echononl "\t\tNTP out only" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT + fi +done + +echo_done + + +# --- +# - Whois out only +# --- + +echononl "\t\tWhois out only" + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT + fi +done + +echo_done +echo + + +# --- +# - Special TCP Ports OUT +# --- + +echononl "\t\tSpecial TCP Ports OUT" + +if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then + + if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${tcp_out_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in 
${tcp_out_port_arr[@]} ; do + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Special UDP Ports OUT +# --- + +echononl "\t\tSpecial UDP Ports OUT" + +if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then + if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${udp_out_port_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${forward_udp_out_port_arr[@]} ; do + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + done + done + fi + + echo_done +else + echo_skipped +fi + +echo + + +# --- +# - UNIX Traceroute +# --- + +echononl "\t\tUNIX Traceroute" + +# versendet udp packete im gegensatz zu tracert von windows +# der icmp-echo-request pakete versendet +# einige implementierungen von traceroute (linux) erm�lichens +# die option -I und versenden dann ebenfalls icmp-echo-request pakete + +for _dev in ${ext_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ip6t -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + fi +done + +echo_done + + +# --- +# - Ping +# --- + +echononl "\t\tPing" + +$ip6t -A INPUT -p ipv6-icmp -j ACCEPT +$ip6t -A OUTPUT -p ipv6-icmp -j ACCEPT +if $kernel_forward_between_interfaces ; then + $ip6t -A FORWARD -p ipv6-icmp -j ACCEPT +fi + +#for _dev in ${ext_if_arr[@]} ; do +# $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT +# $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT +# if 
$kernel_forward_between_interfaces ; then +# $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT +# $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT +# fi +#done +#for _dev in ${local_if_arr[@]} ; do +# $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT +# $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT +# if $kernel_forward_between_interfaces ; then +# $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT +# $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT +# fi +#done + +echo_done + + +# --- +# - log all rejected traffic +# --- + +echo +echononl "\tLogging all rejected traffic" + +if $log_rejected || $log_all ; then + #$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + $ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + $ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + if $kernel_forward_between_interfaces ; then + #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + $ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level + fi + echo_done +else + echo_skipped +fi + + +# --- +# - Drop all other +# --- + +echo +echononl "\tDrop all other on all interfaces" + +$ip6t -A INPUT -j DROP +$ip6t -A OUTPUT -j DROP +$ip6t -A FORWARD -j DROP + +echo_done + + + +# ------------- +# ------------- Start Fail2Ban if installed +# ------------- + +if [ -x "$fail2ban_init_script" ]; then + echo + echononl "\tStarting fail2ban.." + $fail2ban_init_script start > /dev/null 2>&1 + if [ "$?" = "0" ];then + echo_done + else + echo_failed + fi +fi + +echo +exit 0 + diff --git a/ip6t-firewall-server.conf.sample b/ip6t-firewall-server.conf.sample new file mode 100644 index 0000000..5b5f752 
--- /dev/null
+++ b/ip6t-firewall-server.conf.sample
@@ -0,0 +1,690 @@ +#!/usr/bin/env bash + +## - Configuration file for firewall script IPv4 +## - ipt-firewall-gateway +## - ipt-firewall-flush +## - + +####################################################################### +# -------------------------- Configuration -------------------------- # + +# ------------- +# --- Define programs +# ------------- + +ip6t="/sbin/ip6tables" +fail2ban_init_script="" + + +# ------------- +# --- Logging +# ------------- + +log_all=false + +log_syn_flood=false +log_fragments=false +log_new_not_sync=false +log_invalid_state=false +log_invalid_flags=false +log_spoofed=false +log_spoofed_out=false +log_to_lo=false +log_not_wanted=false +log_blocked=false +log_unprotected=false +log_prohibited=false +log_voip=false +log_rejected=true + +log_ssh=false + +# - Log using the specified syslog level. 7 (debug) is a good choice +# - unless you specifically need something else. +# - +log_level=debug + +# - logging messages +# - +log_prefix="IPv6:" + + +# ------------- +# --- Network Interfaces +# ------------- + +# - External interface(s) +# +ext_if_1="" +ext_if_2="" +ext_if_3="" + +ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3" + +# - is this a virtuel system ? +host_is_vm=false + +# - Extern Interfaces Static Lines +# - (comma separated list) +#ext_if_static="eth0" + +# - VPN Interfaces +# - (comma separated list) +vpn_ifs="" + +# - Local Interfaces +local_if_1="" +local_if_2="" +local_if_3="" + +local_ifs="$local_if_1 $local_if_2 $local_if_3" + + +# ------------- +# --- Interfaces completly blocked +# ------------- + +# - Interfaces to block (note: they will all be blocked) +# - +# - Example: eth1 is used for DSL Line, that becomes an extra +# - interface (maybe ppp0). A further use of eth1 (which would +# - be possible) is not configured at time, so you can block it. 
+# - blocked_ifs="eth1" +# - +blocked_ifs="" + + +# ------------- +# --- Interfaces not firewalled +# ------------- + +# - Note: +# - Can be (for example) an interface, whose (complete) traffic is +# - protected by a firewall on an other system in the local area +# - +unprotected_ifs="" + + +# ------------- +# ---- Allow Forwarding (private) IPs / IP-Ranges +# ------------- + +# - Maybe useful in case of virtual hosts with private addresses or +# - if using a vpn network to forward into private areas. +# - +# - Note: this rules takes affect before rules to protect against +# - unwanted packages e.g. blocking private addresses on +# - externel interfaces. +# - +# - Note: you can specify networks using CIDR notation +# - like "192.168.2.0/24" +# - +forward_private_ips="" + + +# ------------- +# --- Define Ports for Services +# ------------- + +# - Is this a Web Server ? +http_ports="80,443" + +# - Is this a Mailserver (POP/IMAP) +mail_user_ports="587,465,110,995,143,993" + +# - SSH Ports +# - +# - comma separated list +ssh_ports="22" + +# - VPN Service +vpn_ports="1194 1195" +# - Mumble Server +# - +mumble_ports="64738" + +# - XyMon Service (usually TCP port 1984) +# - +# - NOT YET IMPLEMENTED +# - +xymon_port=1984 + +# - Munin Server Port (usually TCP port 4949) +# - +munin_remote_port="4949" + + +# ------------- +# --- IP-Addresses +# ------------- + +# - Extern IP Addresses on this Host +# - +# NOT IN USE +ext_1_ip="" +# NOT IN USE +ext_2_ip="" +# NOT IN USE +ext_3_ip="" + +ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip" + +# NOT IN USE +local_1_ip="" +# NOT IN USE +local_2_ip="" +# NOT IN USE +local_2_ip="" + + +# ------------- +# --- Services local Network +# ------------- + +# DHCP Server +# +# Comma seperated Interface list for DHCP services +# +dhcp_server_ifs="" + +# - DNS Server +dns_server_ips="" +forward_dns_server_ips="" + +# - SSH Server +# - +ssh_server_ips="" +forward_ssh_server_ips="" + +# - HTTP(S) Server +# - +http_server_ips="" +forward_http_server_ips="" 
+ +# - Mail SMTP Server +# - +smtpd_ips="" +forward_smtpd_ips="" + +# - Mail Services (smtps/pop(s)/imap(s) +# - +mail_server_ips="" +forward_mail_server_ips="" + +# - FTP Server +# - +ftp_server_ips="" +forward_ftp_server_ips="" + +# - Mumble Server +# - +mumble_server_ips="" +forward_mumble_server_ips="" + +# - TFTP Server +# - +# - NOT YET IMPLEMENTED +# - +tftp_server_ips="" + +# - Munin Server +# - +munin_server_ips="" +forward_munin_server_ips="" + +# - Remote Munin Server +# - +munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4" +munin_local_port="4949" + +# - XyMon Server +# - +# - NOT YET IMPLEMENTED +# - +xymon_server_ips="" +local_xymon_client=false + + +# ------------- +# - Protocols Out +# ------------- + +# - Rsync Protocol +# - +# - Needed for some integrated provider of clamav-unofficial-sigs +# - +rsync_out_ips="" +forward_rsync_out_ips="" +rsync_ports="873" + + +# ------------- +# --- Allow special Ports (OUT) +# ------------- + +# - TCP Ports +tcp_out_ports="" +forward_tcp_out_ports="" + +# - UDP Ports +udp_out_ports="" +forward_udp_out_ports="" + + +# ------------- +# --- Block IP's / IP-Ranges +# ------------- + +blocked_ips="" + + +# ------------- +# --- Block Ports +# ------------- + +# - Generally (for all interfaces) block this ports +# - +# - Portmapper +# - tcp 111 +# - udp 111 +# - +# - Authentication tap ident +# - tcp 113 +# - +# - Location Service +# - tcp 135 +# - +# - Windows Stuff +# - tcp 137:139 +# - udp 137:139 +# - tcp 445 +# - +block_tcp_ports="111 113 135 137:139 445" +block_udp_ports="111 137:139" + + +# ------------- +# - Some special stuff +# ------------- + +create_traffic_counter=true +create_iperf_rules=true + + +# ------------- +# --- Kernel related - Adjust Kernel Parameters (Security/Tuning) +# ------------- + +# - Disable ip forwarding between interfaces +# - +kernel_forward_between_interfaces=false + +# - Deactivate Source Routed Packets +# - +kernel_deactivate_source_route=true + +# - Deactivate sending ICMP 
redirects +# - +# - ICMP redirects are used by routers to specify better routing paths out of +# - one network, based on the host choice, so basically it affects the way +# - packets are routed and destinations. +# - +kernel_dont_accept_redirects=true + + +# ------------- +# --- Some further Ports/IP-Address Configuration +# ------------- + +# - unpriviligierte Ports +# - +unprivports="1024:65535" + +# unique local address (ULA) - private address block +ula_block="fc00::/7" + +# - Loopback +loopback="::1/128" + + +# ----------------------- End: Configuration ----------------------- # +###################################################################### + + +## ==================================== +## - Don't make changes after this Line +## ==================================== + + + +# ----------- +# --- Define Arrays +# ----------- + + +# --- +# - IP-Addresses (Host, Guests (VServer, LX_Container) +# --- +declare -a ext_ip_arr +for _ip in $ext_ips ; do + host_ip_arr+=("$_ip") +done + +# --- +# - Extern Interfaces +# --- +declare -a ext_if_arr +for _dev in $ext_ifs ; do + ext_if_arr+=("$_dev") +done + +# --- +# - VPN Interfaces +# --- +declare -a vpn_if_arr +for _dev in $vpn_ifs ; do + vpn_if_arr+=("$_dev") +done + +# --- +# - Local Network Interfaces +# --- +declare -a local_if_arr +for _dev in $local_ifs ; do + local_if_arr+=("$_dev") +done + +# --- +# - Network Interfaces completly blocked +# --- +declare -a blocked_if_arr +for _dev in $blocked_ifs ; do + blocked_if_arr+=("$_dev") +done + +# --- +# - Network Interfaces not firewalled +# --- +declare -a unprotected_if_arr +for _dev in $unprotected_ifs ; do + unprotected_if_arr+=("$_dev") +done + +# --- +# - Generally block ports +# --- +declare -a block_tcp_port_arr +for _port in $block_tcp_ports ; do + block_tcp_port_arr+=("$_port") +done + +declare -a block_udp_port_arr +for _port in $block_udp_ports ; do + block_udp_port_arr+=("$_port") +done + +# --- +# - Private IPs / IP-Ranges allowed to forward +# --- 
+declare -a forward_private_ip_arr +for _ip in $forward_private_ips ; do + forward_private_ip_arr+=("$_ip") +done + +# --- +# - Network Interfaces DHCP Service +# --- +declare -a dhcp_if_arr +for _dev in $dhcp_server_ifs ; do + dhcp_if_arr+=($_dev) +done + +# --- +# - IP Addresses DNS Server +# --- +# - local +declare -a dns_server_ip_arr +for _ip in $dns_server_ips ; do + dns_server_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_dns_server_ip_arr +for _ip in $forward_dns_server_ips ; do + forward_dns_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses VPN Server +# --- +# local +declare -a vpn_server_ip_arr +for _ip in $vpn_server_ips ; do + vpn_server_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_vpn_server_ip_arr +for _ip in $forward_vpn_server_ips ; do + forward_vpn_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses SSH Server +# --- +# local +declare -a ssh_server_ip_arr +for _ip in $ssh_server_ips ; do + ssh_server_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_ssh_server_ip_arr +for _ip in $forward_ssh_server_ips ; do + forward_ssh_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses HTTP Server +# --- +# local +declare -a http_server_ip_arr +for _ip in $http_server_ips ; do + http_server_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_http_server_ip_arr +for _ip in $forward_http_server_ips ; do + forward_http_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses FTP Server +# --- +# local +declare -a ftp_server_ip_arr +for _ip in $ftp_server_ips ; do + ftp_server_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_ftp_server_ip_arr +for _ip in $forward_ftp_server_ips ; do + forward_ftp_server_ip_arr+=("$_ip") +done + +# --- +# - Mail SMTP Server +# --- +# local +declare -a smtpd_ips_arr +for _ip in $smtpd_ips ; do + smtpd_ips_arr+=("$_ip") +done +# DMZ +declare -a forward_smtpd_ip_arr +for _ip in $forward_smtpd_ips ; do + forward_smtpd_ip_arr+=("$_ip") +done + +# --- +# - Mail POP/IMAP Server +# --- +# local +declare -a 
mail_server_ips_arr +for _ip in $mail_server_ips ; do + mail_server_ips_arr+=("$_ip") +done +# DMZ +declare -a forward_mail_server_ip_arr +for _ip in $forward_mail_server_ips ; do + forward_mail_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Mumble Server +# --- +# local +declare -a mumble_server_ip_arr +for _ip in $mumble_server_ips ; do + mumble_server_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_mumble_server_ip_arr +for _ip in $forward_mumble_server_ips ; do + forward_mumble_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Telephone Systems +# --- +declare -a tel_sys_ip_arr +for _ip in $tel_sys_ips ; do + tel_sys_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Munin +# --- +# local +declare -a munin_server_ip_arr +for _ip in $munin_server_ips ; do + munin_server_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_munin_server_ip_arr +for _ip in $forward_munin_server_ips ; do + forward_munin_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses XyMon +# --- +declare -a xymon_server_ip_arr +for _ip in $xymon_server_ips ; do + xymon_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Rsync Out +# --- +# local +declare -a rsync_out_ip_arr +for _ip in $rsync_out_ips ; do + rsync_out_ip_arr+=("$_ip") +done +# DMZ +declare -a forward_rsync_out_ip_arr +for _ip in $forward_rsync_out_ips ; do + forward_rsync_out_ip_arr+=("$_ip") +done + +# --- +# - SSH Ports +# --- +declare -a ssh_port_arr +for _port in $ssh_ports ; do + ssh_port_arr+=("$_port") +done + +# --- +# - VPN Ports +# --- +# local +declare -a vpn_port_arr +for _port in $vpn_ports ; do + vpn_port_arr+=("$_port") +done + +# --- +# - Rsync Out Ports +# -- +declare -a rsync_port_arr +for _port in $rsync_ports ; do + rsync_port_arr+=("$_port") +done + + +# --- +# - Special TCP Ports OUT +# --- +# local +declare -a tcp_out_port_arr +for _port in $tcp_out_ports ; do + tcp_out_port_arr+=("$_port") +done +# DMZ +declare -a forward_tcp_out_port_arr +for _port in $forward_tcp_out_ports ; do 
+ forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+ udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+ forward_udp_out_port_arr+=("$_port")
+done
+
+
+
+# -------------
+# --- Some functions
+# -------------
+echononl(){
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+}
+echo_done() {
+ echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+ echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+ echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+ echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+ echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+ local e
+ for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+ return 1
+}
+
+
diff --git a/ipt-firewall-server b/ipt-firewall-server new file mode 100755
index 0000000..89e370d
--- /dev/null
+++ b/ipt-firewall-server
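Review bot: The array-building loop under "IP-Addresses (Host, Guests ...)" declares `ext_ip_arr` but appends to `host_ip_arr+=("$_ip")`, so `ext_ip_arr` stays empty and whatever the IPv6 script derives from it is silently never installed (its IPv4 counterpart uses `ext_ip_arr` for own-address spoof drops and the traffic counters, so presumably the same rules are lost here); the append should read `ext_ip_arr+=("$_ip")`. The sample ships `munin_remote_ip` pre-populated with a concrete, site-specific address, so an unedited copy permits Munin traffic for an address the operator never chose; a sample config should leave it empty (`munin_remote_ip=""`) and let the firewall skip the rule. `echononl` writes to the predictable path `/tmp/shprompt$$` as root on every prompt only to probe echo's `\c` handling; `printf '%b' "$*" >&2` produces the same output with no temp file and no race on a world-writable directory. Also `local_2_ip` is assigned twice where the second is presumably meant to be `local_3_ip`, and the header still reads "Configuration file for firewall script IPv4" / `ipt-firewall-gateway` for what is the IPv6 server config.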
@@ -0,0 +1,1477 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: ipt-firewall +# Required-Start: $local_fs $remote_fs $syslog $network +# Required-Stop: $local_fs $remote_fs $syslog $network +# Should-Start: +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: IPv4 Firewall +### END INIT INFO + +CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-server.conf + + +# ------------- Load Kernel Modules ------------- +# +## - Load appropriate modules. +## - +if ! $host_is_vm ; then + /sbin/modprobe ip_tables > /dev/null 2>&1 + /sbin/modprobe iptable_nat > /dev/null 2>&1 + + # - Note:! + # - Since Kernel 4.7 the automatic conntrack helper assignment + # - is disabled by default (net.netfilter.nf_conntrack_helper = 0). + # - Enable it by setting this variable in file /etc/sysctl.conf: + # - + # - net.netfilter.nf_conntrack_helper = 1 + # - + # - Reboot or type "sysctl -p" + + ## - Load module for FTP Connection tracking and NAT + ## - + /sbin/modprobe ip_conntrack > /dev/null 2>&1 + /sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1 + /sbin/modprobe ip_nat_ftp > /dev/null 2>&1 + + ## - Load modules for SIP VOIP + ## - + #/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1 + #/sbin/modprobe nf_nat_sip > /dev/null 2>&1 +fi +# +# ------------- End: Load Kernel Modules ------------- + + +echo +echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m" +echo + +## -------------------------------------------------------------------------- +## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf +## -------------------------------------------------------------------------- + +if [[ -f "$CONFIG_FILE" ]]; then + source $CONFIG_FILE +else + echo + echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m" + echo + exit 1 +fi + + + +# ------------- +# --- Activate IP Forwarding +# ------------- + +## - IP Forwarding deaktivieren. 
+## - +## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise +## - +## - Only needed, if hosts acts as a router. +## - +if $kernel_activate_forwarding ; then + echo 1 > /proc/sys/net/ipv4/ip_forward + echononl "\tActivate Forwarding.." + echo_done +else + echo 0 > /proc/sys/net/ipv4/ip_forward + echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" + echo_done +fi + +if $kernel_support_dynaddr ; then + echononl "\tActivate kernel support for dynamic addresses.." + if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then + echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr + echo_done + else + echo_failed + fi +else + echo 0 > /proc/sys/net/ipv4/ip_dynaddr + echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" + echo_done +fi + + +# ------------- +# --- Adjust Kernel Parameters (Security/Tuning) +# ------------- + +echononl "\tAdjust Kernel Parameters (Security/Tuning).." + +if ! $host_is_vm ; then + ## - Reduce DoS'ing ability by reducing timeouts + ## - + if $kernel_reduce_timeouts ; then + echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout + echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time + echo 1 > /proc/sys/net/ipv4/tcp_window_scaling + echo 0 > /proc/sys/net/ipv4/tcp_sack + fi + + + ## - SYN COOKIES + ## - + if $kernel_tcp_syncookies ; then + echo 1 > /proc/sys/net/ipv4/tcp_syncookies + echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog + echo 3 > /proc/sys/net/ipv4/tcp_synack_retries + fi + + ## - Protection against ICMP bogus error responses + ## - + if $kernel_protect_against_icmp_bogus_messages ; then + echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + fi + + ## - Ignore Broadcast Pings + ## - + if $kernel_ignore_broadcast_ping ; then + echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + fi + + ## - Deactivate Source Routed Packets + ## - + if $kernel_deactivate_source_route ; then + for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do + echo 0 > $asr + done + fi + + ## - Deactivate 
sending ICMP redirects + ## - + if $kernel_dont_accept_redirects ; then + for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do + echo 1 > $rp_filter + done + fi + + ## - Logging of spoofed (source routed" and "redirect") packets + ## - + if $kernel_log_martians ; then + echo "0" > /proc/sys/net/ipv4/conf/all/log_martians + fi + + ## - Keine ICMP Umleitungspakete akzeptieren. + ## - + ## - Diese können zur Veränderung der Routing Tables verwendet + ## - werden, möglicherweise mit einem böswilligen Ziel. + ## - + #echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects + + ## - NUMBER OF CONNECTIONS TO TRACK + ## - + #echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max + + echo_done # Adjust Kernel Parameters (Security/Tuning) +else + echo_skipped +fi + + +# ------------- Stop Fail2Ban if installed ------------- +# +if [ -x "$fail2ban_init_script" ]; then + echononl "\tStopping fail2ban.." + $fail2ban_init_script stop > /dev/null 2>&1 + if [ "$?" = "0" ];then + echo_done + else + echo_warning + fi +fi +# +# ------------- Ende: Stop Fail2Ban if installed ------------- + + +# ------------- +# --- Set default policies / Flush Rules +# ------------- + + +echo +echononl "\tFlushing firewall iptable (IPv4).." + +# - default policies +# - +$ipt -P INPUT ACCEPT +$ipt -P OUTPUT ACCEPT +$ipt -P FORWARD ACCEPT + +## - flush chains +## - +$ipt -F +$ipt -F INPUT +$ipt -F OUTPUT +$ipt -F FORWARD +$ipt -F -t mangle +$ipt -F -t nat +$ipt -F -t raw +$ipt -X +$ipt -Z + +echo_done # Flushing firewall iptable (IPv6).. 
+echo + + + +# ------------- +# ------------ Stopping firewall if only flushing was requested (parameter flush) +# ------------- + +case $1 in + flush) + exit 0;; +esac + + + +# ------------- +# --- Pass through Devices Interfaces (not firewalled) +# ------------- + +if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then + echononl "\tPass through Devices (not firewalled)" + for _dev in ${unprotected_if_arr[@]} ; do + if $log_unprotected || $log_all ; then + $ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + fi + $ipt -A INPUT -i $_dev -j ACCEPT + $ipt -A OUTPUT -o $_dev -j ACCEPT + $ipt -A FORWARD -i $_dev -j ACCEPT + $ipt -A FORWARD -o $_dev -j ACCEPT + done + echo_done +fi + + + +# ------------- +# --- Block IPs / Networks / Interfaces +# ------------- +echononl "\tBlock IPs / Networks / Interfaces.." 
+ + +# --- +# - Block IPs +# --- + +for _ip in $blocked_ips ; do + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j DROP + fi + done +done + + +# --- +# - Block Interfaces +# --- + +for _if in ${blocked_if_arr[@]} ; do + if $log_blocked_if || $log_all ; then + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + $ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_if -j DROP + $ipt -A FORWARD -o $_if -j DROP + fi + $ipt -A INPUT -i $_if -j DROP + $ipt -A OUTPUT -o $_if -j DROP +done + +echo_done # Block IPs / Networks / Interfaces.. + + +# --- +# - Allow Forwarding certain private Addresses +# --- + +if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then + echononl "\tAllow forwarding (private) IPs / IP-Ranges.." + for _ip in ${forward_private_ip_arr[@]}; do + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -d $_ip -j ACCEPT + $ipt -A FORWARD -s $_ip -j ACCEPT + echo_done + else + echo_skipped + fi + done +fi + + + +# ------------- +# --- Protections against several attacks / unwanted packages +# ------------- +echo +echononl "\tProtections against several attacks / unwanted packages.." 
+ + +# --- +# - Protection against syn-flooding +# --- + +$ipt -N syn-flood +$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN +if $log_syn_flood || $log_all ; then + $ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level +fi +$ipt -A syn-flood -j DROP + + +# --- +# - Drop Fragments +# --- + +# I have to say that fragments scare me more than anything. +# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" +# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such +# fragments is very OS-dependent (see this paper for details). +# I am not going to trust any fragments. +# Log fragments just to see if we get any, and deny them too + +for _dev in ${ext_if_arr[@]} ; do + if $log_fragments || $log_all ; then + $ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -f -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -f -j DROP + fi +done + + +# --- +# - drop new packages without syn flag +# --- + +if $log_new_not_sync || $log_all ; then + $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + fi +fi +$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP +$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp ! 
--syn -m state --state NEW -j DROP +fi + + +# --- +# - drop invalid packages +# --- + +if $log_invalid_state || $log_all ; then + $ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + fi +fi +$ipt -A INPUT -m state --state INVALID -j DROP +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -m state --state INVALID -j DROP +fi + + +# --- +# - ungewöhnliche Flags verwerfen +# --- + +for _dev in ${ext_if_arr[@]} ; do + if $log_invalid_flags || $log_all ; then + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST 
-j DROP + fi +done + + +# --- +# - Refuse private addresses on extern interfaces +# --- + +# Refuse spoofed packets pretending to be from your IP address. +if $log_spoofed || $log_all ; then + # input + for _ip in ${ext_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + fi + done +fi +for _ip in ${ext_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -d $_ip -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -s $_ip -d $_ip -j DROP + fi +done + + +# Refuse packets claiming to be from a +# Class A private network +# Class B private network +# Class C private network +# loopback interface +# Class D multicast address +# Class E reserved IP address +# broadcast address +for _dev in ${ext_if_arr[@]} ; do + if $log_spoofed || $log_all ; then + $ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + # + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A 
FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + fi + fi + # Refuse packets claiming to be from a Class A private network. + $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP + # Retfuse packets claiming to be from a Class C private network. + $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A INPUT -i $_dev -s $loopback -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP + if $kernel_activate_forwarding ; then + # Refuse packets claiming to be from a Class A private network. + $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP + # Refuse packets claiming to be from a Class C private network. + $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. 
+ $ipt -A FORWARD -i $_dev -s $loopback -j DROP
+ # Refuse Class D multicast addresses. Multicast is illegal as a source address.
+ $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
+ # Refuse Class E reserved IP addresses.
+ $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
+ # Refuse broadcast address packets.
+ #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
+ fi
+done
+
+
+# ---
+# - Refuse packets claiming to be to the loopback interface.
+# ---
+
+# Refusing packets claiming to be to the loopback interface protects against
+# source quench, whereby a machine can be told to slow itself down by an icmp source
+# quench to the loopback.
+for _dev in ${ext_if_arr[@]} ; do
+ if $log_to_lo || $log_all ; then
+ $ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
+ fi
+ fi
+ $ipt -A INPUT -i $_dev -d $loopback -j DROP
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -d $loopback -j DROP
+ fi
+done
+
+
+# ---
+# - Don't allow spoofing from that server
+# ---
+
+for _dev in ${ext_if_arr[@]} ; do
+ if $log_spoofed_out || $log_all ; then
+ $ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level
+ $ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level
+ $ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level
+ $ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level
+ $ipt -A FORWARD -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level 
$log_level
+ $ipt -A FORWARD -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level
+ $ipt -A FORWARD -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level
+ fi
+ fi
+ $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
+ $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
+ $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
+ $ipt -A OUTPUT -o $_dev -s $loopback -j DROP
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
+ $ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
+ $ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
+ $ipt -A FORWARD -o $_dev -s $loopback -j DROP
+ fi
+done
+
+echo_done
+
+
+
+# -------------
+# ------------- Stopping firewall here if requested (parameter stop)
+# -------------
+
+case $1 in
+ sto*)
+ #echononl "Stopping firewall iptable (IPv4).."
+ echo
+ echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
+ echo
+ exit 0;;
+esac
+
+
+echo
+
+# -------------
+# --- Traffic Counter (used by munin)
+# -------------
+
+echononl "\tCreate Traffic Counter (used by munin)"
+if $create_traffic_counter ; then
+ for _ip in ${ext_ip_arr[@]} ; do
+ $ipt -A INPUT -d $_ip
+ $ipt -A INPUT -s $_ip
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -d $_ip
+ $ipt -A FORWARD -s $_ip
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- iPerf
+# -------------
+
+# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
+# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
+# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
+
+echononl "\tCreate \"iPerf\" rules.." 
+if $create_iperf_rules ; then
+ $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT
+ $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT
+ #
+ $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT
+ $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT
+ $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- Generally prohibited
+# -------------
+
+echononl "\tGenerally prohibited traffic.."
+
+for _dev in ${ext_if_arr[@]} ; do
+ if $log_prohibited || $log_all ; then
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ if $kernel_activate_forwarding ; then
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
+ done
+ fi
+ fi
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP
+ done
+ if $kernel_activate_forwarding ; then
+ for _port in ${block_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
+ done
+ for _port in ${block_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP
+ done
+ fi
+done
+
+echo_done
+echo
+
+
+# -------------
+# --- Traffic generally allowed
+# -------------
+
+echononl "\tLoopback device generally allowed.." 
+
+# ---
+# - Loopback device
+# ---
+
+$ipt -A INPUT -i lo -j ACCEPT
+$ipt -A OUTPUT -o lo -j ACCEPT
+
+echo_done
+
+
+# ---
+# - Already established connections
+# ---
+
+echononl "\tAccept already established connections.."
+
+$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
+$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
+if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
+fi
+
+echo_done
+
+# ---
+# - VPN
+# ---
+
+if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
+ echononl "\tPermit all traffic through VPN lines.."
+ if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${vpn_server_ip_arr[@]} ; do
+ for _port in ${vpn_port_arr[@]} ; do
+ $ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+
+ for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ipt -A INPUT -i $_vpn_if -j ACCEPT
+ $ipt -A OUTPUT -o $_vpn_if -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_vpn_if -j ACCEPT
+ $ipt -A FORWARD -o $_vpn_if -j ACCEPT
+ fi
+ done
+ fi
+
+ if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_vpn_server_ip_arr[@]} ; do
+ $ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# --- Services
+# -------------
+
+echo
+echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
+
+
+# ---
+# - DHCP
+# ---
+
+echononl "\t\tDHCP"
+
+if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then
+ for _dev in ${dhcp_if_arr[@]} ; do
+ # - in
+ $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
+ # - out
+ $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - DNS out only
+# ---
+
+echononl "\t\tDNS out only"
+
+# - Nameservers on the INET 
must be reachable for the local recursiv nameserver
+# - but also for all others
+# -
+for _dev in ${ext_if_arr[@]} ; do
+ # - out from local and virtual mashine(s)
+ $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
+
+ # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
+ if $kernel_activate_forwarding ; then
+ # - forward from virtual mashine(s)
+ $ipt -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+
+# ---
+# - DNS Service
+# ---
+
+echononl "\t\tDNS Service"
+
+if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
+ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${dns_server_ips[@]} ; do
+ # dns requests
+ $ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
+ $ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_dns_server_ip_arr[@]} ; do
+ $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ # Zonetransfer
+ $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
+ done
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH out only
+# ---
+
+echononl "\t\tSSH out only"
+
+# ausgehende Anfragen
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
+ fi
+done
+
+for _dev in ${local_if_arr[@]} ; do
+ $ipt -A 
OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
+done
+
+echo_done
+
+
+# ---
+# - SSH Service
+# ---
+
+echononl "\t\tSSH Service"
+
+if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then
+ if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${ssh_server_ip_arr[@]} ; do
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_ssh_server_ip_arr[@]} ; do
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Rsync Out
+# ---
+
+echononl "\t\tRsync (only OUT)"
+
+if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then
+ for _port in ${rsync_port_arr[@]} ; do
+
+ for _ip in ${rsync_out_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+
+ done
+ fi
+
+ if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _port in ${rsync_port_arr[@]} ; do
+
+ for _ip in ${forward_rsync_out_ip_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
+ done
+
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Telnet
+# ---
+
+echononl "\t\tTelnet (only OUT)"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - MySQL
+# ---
+
+echononl "\t\tMySQL (only OUT)"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j 
ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - Munin remote service
+# ---
+
+echononl "\t\tMunin remote service"
+
+if [ "X$munin_remote_ip" != "X" ]; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Munin local service
+# ---
+
+echononl "\t\tMunin local service"
+
+
+if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${munin_server_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_munin_server_ip_arr[@]} ; do
+ $ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail (SMTP OUT)
+# ---
+
+echononl "\t\tMail (SMTP OUT)"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - Mail (SMTP Server)
+# ---
+
+echononl "\t\tMail (SMTP Server including Spam Control)"
+
+if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
+ if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
+
+ for _ip in ${smtpd_ips_arr[@]} ; do
+ $ipt -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
+ #
+ # 
Razor2 (TCP Port 2703)
+ $ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
+ # DEPRECATED: TCP Port 7 (echo)
+ $ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
+ #
+ # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
+ $ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ #
+ # - DCC (port udp:6277)
+ $ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
+ # if DCC Server is running (port tcp:6277)
+ $ipt -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
+ $ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
+ done
+ fi
+
+ if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_smtpd_ip_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
+ #
+ # Razor2 (TCP Port 2703)
+ $ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
+ # DEPRECATED: TCP Port 7 (echo)
+ $ipt -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
+ #
+ # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) 
+ $ipt -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ #
+ # DCC (port udp:6277)
+ $ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
+ # if DCC Server is running (port tcp:6277)
+ $ipt -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail (POP/IMAP Server)
+# ---
+
+echononl "\t\tMail (POP/IMAP Server)"
+
+if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_server_ips_arr[@]} ; do
+ # mail ports
+ #
+ $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]
+
+ if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_mail_server_ip_arr[@]} ; do
+ # mail ports
+ #
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ done
+ fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) OUT
+# ---
+
+echononl "\t\tHTTP(S) out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - HTTP(S) (local) Webserver
+# ---
+
+echononl "\t\tHTTP(S) (local) Webserver"
+
+if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${http_server_ip_arr[@]} ; do
+ $ipt -A INPUT -p tcp -d $_ip -m 
multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ done
+
+ if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_http_server_ip_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ done
+ fi
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP out only"
+# ---
+
+echononl "\t\tFTP out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ # (Datenkanal aktiv)
+ $ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
+ # (Datenkanal passiv)
+ $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+ # (Kontrollverbindung)
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ # (Datenkanal aktiv)
+ $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
+ # (Datenkanal passiv)
+ $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+ # (Kontrollverbindung)
+ $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - FTP Server"
+# ---
+
+echononl "\t\tFTP Server"
+
+if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
+ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${ftp_server_ip_arr[@]} ; do
+ # (Datenkanal aktiv)
+ $ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
+ # Datenkanal (passiver modus)
+ $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
+ # - Kontrollverbindung
+ $ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_ftp_server_ip_arr[@]} ; do
+ # (Datenkanal aktiv)
+ $ipt -A FORWARD -p tcp -s 
$_ip --sport 20 -m state --state NEW -j ACCEPT
+ # Datenkanal (passiver modus)
+ $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
+ # - Kontrollverbindung
+ $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mumble Service
+# ---
+
+echononl "\t\tMumble Service"
+
+
+if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || $local_mumble_service ; then
+ if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mumble_server_ip_arr[@]} ; do
+ $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ if [[ ${#forward_mumble_server_ip_arr[@]} ]] && $kernel_activate_forwarding ; then
+ for _ip in ${forward_mumble_server_ip_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Timeserver (Port 37 NOT NTP!)"
+# ---
+
+echononl "\t\tTimeserver (Port 37 NOT NTP!) 
out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - NTP out only"
+# ---
+
+echononl "\t\tNTP out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - Whois out only
+# ---
+
+echononl "\t\tWhois out only"
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
+ fi
+done
+
+echo_done
+echo
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+
+echononl "\t\tSpecial TCP Ports OUT"
+
+if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${tcp_out_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${tcp_out_port_arr[@]} ; do
+ $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Special UDP Ports OUT
+# ---
+
+echononl "\t\tSpecial UDP Ports OUT"
+
+if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
+ if [[ 
${#udp_out_port_arr[@]} -gt 0 ]] ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${udp_out_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${forward_udp_out_port_arr[@]} ; do
+ $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+echo
+
+
+# ---
+# - UNIX Traceroute
+# ---
+
+echononl "\t\tUNIX Traceroute"
+
+# versendet udp packete im gegensatz zu tracert von windows
+# der icmp-echo-request pakete versendet
+# einige implementierungen von traceroute (linux) erm�lichens
+# die option -I und versenden dann ebenfalls icmp-echo-request pakete
+
+for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
+ $ipt -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
+ $ipt -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - Ping
+# ---
+
+echononl "\t\tPing"
+
+$ipt -A INPUT -p icmp -j ACCEPT
+$ipt -A OUTPUT -p icmp -j ACCEPT
+if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -p icmp -j ACCEPT
+fi
+
+#for _dev in ${ext_if_arr[@]} ; do
+# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
+# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
+# if $kernel_activate_forwarding ; then
+# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
+# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
+# fi
+#done
+#for _dev in ${local_if_arr[@]} ; do
+# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
+# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
+# if $kernel_activate_forwarding ; then
+# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
+# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
+# fi 
+#done
+
+echo_done
+
+
+# ---
+# - log all rejected traffic
+# ---
+
+echo
+echononl "\tLogging all rejected traffic"
+
+if $log_rejected || $log_all ; then
+ #$ipt -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ #$ipt -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ #$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ $ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ $ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ #$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ $ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Drop all other
+# ---
+
+echo
+echononl "\tDrop all other on all interfaces"
+
+$ipt -A INPUT -j DROP
+$ipt -A OUTPUT -j DROP
+$ipt -A FORWARD -j DROP
+
+echo_done
+
+
+
+# -------------
+# ------------- Start Fail2Ban if installed
+# -------------
+
+if [ -x "$fail2ban_init_script" ]; then
+ echo
+ echononl "\tStarting fail2ban.."
+ $fail2ban_init_script start > /dev/null 2>&1
+ if [ "$?" = "0" ];then
+ echo_done
+ else
+ echo_failed
+ fi
+fi
+
+echo
+exit 0
+
+
+
+# ------------ Portforwarding ------------- #
+# -
+# - !! 
NOTICE:
+# - you need also portforwarding enabled at the kernel
+# - echo 1 >/proc/sys/net/ipv4/ip_forward
+#
+#
+# ----------------------------------------------
+# : --> ::80
+# ----------------------------------------------
+#
+#$ipt -A FORWARD [-i ] -p tcp --dport -d -j ACCEPT
+#$ipt -A FORWARD [-o ] -p tcp --sport -s -j ACCEPT
+#
+#$ipt -t nat -A PREROUTING [-i ] -p tcp --dport [-d ] -j DNAT --to-destination :
+#$ipt -t nat -A POSTROUTING -d -j MASQUERADE
+#
+#
+# -----------------------------------------------
+# www-alt.oopen.de --> www-neu.oopen.de
+#
+# 46.4.129.3:80 --> 83.223.86.130:80
+# 46.4.129.3:443 --> 83.223.86.130:443
+# -----------------------------------------------
+#
+#$ipt -A FORWARD -p tcp -m multiport --dports 80,443 -d 83.223.86.130 -j ACCEPT
+#$ipt -A FORWARD -p tcp -m multiport --sports 80,443 -s 83.223.86.130 -j ACCEPT
+#
+#$ipt -t nat -A PREROUTING -p tcp --dport 80 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:80
+#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
+#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
+#
+# -
+# ---------- Ende Portforwarding ---------- #
+
diff --git a/ipt-firewall-server.conf.sample b/ipt-firewall-server.conf.sample
new file mode 100644
index 0000000..83c347f
--- /dev/null
+++ b/ipt-firewall-server.conf.sample
@@ -0,0 +1,807 @@
+#!/usr/bin/env bash
+
+## - Configuration file for firewall script IPv4
+## - ipt-firewall-gateway
+## - ipt-firewall-flush
+## -
+
+#######################################################################
+# -------------------------- Configuration -------------------------- #
+
+# -------------
+# --- Define programs
+# -------------
+
+ipt="/sbin/iptables"
+fail2ban_init_script="/etc/init.d/fail2ban"
+
+
+# -------------
+# --- Logging
+# -------------
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1=""
+ext_if_2=""
+ext_if_3=""
+
+ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
+
+# - is this a virtuel system ?
+host_is_vm=false
+
+# - Extern Interfaces Static Lines
+# - (comma separated list)
+#ext_if_static="eth0"
+
+# - VPN Interfaces
+# - (comma separated list)
+vpn_ifs=""
+
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3"
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra
+# - interface (maybe ppp0). A further use of eth1 (which would
+# - be possible) is not configured at time, so you can block it.
+# - blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is
+# - protected by a firewall on an other system in the local area
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# - unwanted packages e.g. blocking private addresses on
+# - externel interfaces.
+# -
+# - Note: you can specify networks using CIDR notation
+# - like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Is this a Web Server ?
+http_ports="80,443"
+
+# - Is this a Mailserver (POP/IMAP)
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+
+broadcast_ips=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# - VPN Server
+# -
+vpn_server_ips=""
+forward_vpn_server_ips=""
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="83.223.86.99"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+# - 222.184.0.0/13 CHINANET-JS
+# - 61.160.0.0/16 - CHINANET-JS
+# - 116.8.0.0/14 CHINANET-GX
+# -
+blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Router ?
+# -------------
+
+# - Activate forwarding
+# -
+# - Enable/disable forwarding to and between interfaces
+# -
+kernel_activate_forwarding=false
+
+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# - 1: To enable:
+# - 2: To enable verbosity:
+# - 4: To enable RST-provoking:
+# - 8: To enable asymetric routing work-around [**]
+# -
+# - [*] At boot, by default no address rewriting is attempted.
+# - [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Reduce DoS'ing ability by reducing timeouts
+# -
+kernel_reduce_timeouts=true
+
+# - Hardening TCP/IP Stack Against SYN Floods
+# -
+# - Enable syn cookies prevents against the common 'syn flood attack'
+# -
+kernel_tcp_syncookies=true
+
+# - Protection against ICMP bogus error responses
+# -
+kernel_protect_against_icmp_bogus_messages=true
+
+# - Ignore Broadcast Pings
+# -
+kernel_ignore_broadcast_ping=true
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of
+# - one network, based on the host choice, so basically it affects the way
+# - packets are routed and destinations.
+# -
+kernel_dont_accept_redirects=true
+
+# - Activate Reverse Path Filtering (Antispoofing)
+# -
+# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen
+# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen,
+# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
+# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für
+# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle
+# - nicht voll funktionsfähig ist.
+# -
+kernel_activate_rp_filter=true
+
+# - Logging of spoofed (source routed" and "redirect") packets
+# -
+kernel_log_martians=false
+
+
+# -------------
+# --- Some further Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# - Loopback
+loopback="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
+
+# ----------------------- End: Configuration ----------------------- #
+######################################################################
+
+
+## ====================================
+## - Don't make changes after this Line
+## ====================================
+
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+ host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+ ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+ vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+ local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+ blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+ unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+ block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+ block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+ forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_if_arr
+for _dev in $dhcp_server_ifs ; do
+ dhcp_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+ dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+ forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+ vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+ forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+ ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+ forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+ http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+ forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+ ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+ forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+ smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+ forward_smtpd_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail POP/IMAP Server
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+ mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+ forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+ mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+ forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+ tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+ munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+ forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+ xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+ rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+ forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+ ssh_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+ vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+ rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+ tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+ forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+ udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+ forward_udp_out_port_arr+=("$_port")
+done
+
+
+
+# -------------
+# --- Some functions
+# -------------
+echononl(){
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+}
+echo_done() {
+ echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+ echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+ echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+ echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+ echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+
+fatal (){
+ echo ""
+ echo -e "fatal Error: $*"
+ echo ""
+ echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+ echo ""
+ exit 1
+}
+
+error(){
+ echo ""
+ echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+ echo ""
+}
+
+warn (){
+ echo ""
+ echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+ echo ""
+}
+
+info (){
+ echo ""
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+ local e
+ for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+ return 1
+}
+
+
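Review bot: `echononl` in the "Some functions" section creates and removes `/tmp/shprompt$$` on every call, a predictable world-writable-directory path that a script driving `/sbin/iptables` (so running with root privileges) should not be writing to, and the file is only there to probe whether `echo` honours `\c`. Bash's `printf` gives the same `echo -e` escape handling without any temp file, so the whole function can become `echononl(){ printf '%b' "$*" >&2; }`, which keeps the output on stderr as the original does. Separately, in the "Define Arrays" section `declare -a ext_ip_arr` is followed by a loop that appends to `host_ip_arr`, so `ext_ip_arr` is never populated; the body should read `ext_ip_arr+=("$_ip")`. Two smaller slips in the same hunk: `local_2_ip=""` is assigned twice in the "Network Interfaces" block (the second one presumably meant to be `local_3_ip`), and the DHCP loop uses `dhcp_if_arr+=($_dev)` without the quotes every sibling loop has, so an interface name containing a glob character would expand.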