Initial import

.gitignore

@@ -0,0 +1,3 @@
+ip6t-firewall-server.conf
+ipt-firewall-server.conf
+BAK/*

README.bridge

@@ -0,0 +1,14 @@
+
+
+# ---
+# - Prevent bridged traffic getting pushed through the host's iptables rules
+# ---
+$ipt -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
+
+# - Note: Maybe youe have also to activate forwarding
+# -
+# - IPv4:
+# -    echo 1 > /proc/sys/net/ipv4/ip_forward
+# -
+# - IPv6:
+# -    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

README.systemd.server

@@ -0,0 +1,63 @@
+
+## - Create a systemd service
+## -
+
+# IPv4
+#
+cat <<EOF >> /etc/systemd/system/ipt-firewall.service
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-server start
+ExecStop=/usr/local/sbin/ipt-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# IPv6
+#
+cat <<EOF >> /etc/systemd/system/ip6t-firewall.service
+[Unit]
+Description=IPv6 Firewall with ip6tables
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ip6t-firewall-server start
+ExecStop=/usr/local/sbin/ip6t-firewall-server stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+
+## - Eanable script (for autostart at boot time)
+## -
+systemctl enable ipt-firewall.service
+systemctl enable ip6t-firewall.service
+
+## - Reload systemd configuration
+## -
+systemctl daemon-reload
+
+
+## - Start Services
+## -
+systemctl start ipt-firewall
+systemctl start ip6t-firewall
+
+
+## - Add to /etc/rc.local
+## -
+## -    sleep 2
+## -    systemctl restart ipt-firewall || /bin/true
+## -    systemctl restart ip6t-firewall || /bin/true
+

ip6t-firewall-server.conf.sample

@@ -0,0 +1,690 @@
+#!/usr/bin/env bash
+
+## - Configuration file for firewall script IPv4
+## -    ipt-firewall-gateway
+## -    ipt-firewall-flush
+## -
+
+#######################################################################
+# -------------------------- Configuration -------------------------- #
+
+# -------------
+# --- Define programs
+# -------------
+
+ip6t="/sbin/ip6tables"
+fail2ban_init_script=""
+
+
+# -------------
+# --- Logging
+# -------------
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv6:"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1=""
+ext_if_2=""
+ext_if_3=""
+
+ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
+
+# - is this a virtuel system ?
+host_is_vm=false
+
+# - Extern Interfaces Static Lines
+# -    (comma separated list)
+#ext_if_static="eth0"
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs=""
+   
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3"
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra 
+# - interface (maybe ppp0). A further use of eth1 (which would 
+# - be possible) is not configured at time, so you can block it.
+# -   blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is 
+# - protected by a firewall on an other system in the local area 
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# -       unwanted packages e.g. blocking private addresses on
+# -       externel interfaces.
+# -       
+# - Note: you can specify networks using CIDR notation
+# -       like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Is this a Web Server ?
+http_ports="80,443"
+
+# - Is this a Mailserver (POP/IMAP)
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
+# -------------
+# --- IP-Addresses
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server 
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server 
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+blocked_ips=""
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Disable ip forwarding between interfaces
+# -
+kernel_forward_between_interfaces=false
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of 
+# - one network, based on the host choice, so basically it affects the way 
+# - packets are routed and destinations. 
+# -
+kernel_dont_accept_redirects=true
+
+
+# -------------
+# --- Some further Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# unique local address (ULA) - private address block
+ula_block="fc00::/7"
+
+# - Loopback
+loopback="::1/128"
+
+
+# ----------------------- End: Configuration ----------------------- #
+######################################################################
+
+
+## ====================================
+## - Don't make changes after this Line
+## ====================================
+
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+   host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+   ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_if_arr
+for _dev in $dhcp_server_ifs ; do
+   dhcp_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+   forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+   vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+   forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+   ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+   forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+   http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+   forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+   ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+   forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+   smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+   forward_smtpd_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail POP/IMAP Server
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+   mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+   forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+   mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+   forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+   tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+   munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+   forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+   forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+   vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+   tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+   forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+   udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+   forward_udp_out_port_arr+=("$_port")
+done
+
+
+
+# -------------
+# --- Some functions
+# -------------
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+   echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+   echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+   echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+   echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+
+

ipt-firewall-server.conf.sample

@@ -0,0 +1,807 @@
+#!/usr/bin/env bash
+
+## - Configuration file for firewall script IPv4
+## -    ipt-firewall-gateway
+## -    ipt-firewall-flush
+## -
+
+#######################################################################
+# -------------------------- Configuration -------------------------- #
+
+# -------------
+# --- Define programs
+# -------------
+
+ipt="/sbin/iptables"
+fail2ban_init_script="/etc/init.d/fail2ban"
+
+
+# -------------
+# --- Logging
+# -------------
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice 
+# - unless you specifically need something else. 
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - External interface(s)
+#
+ext_if_1=""
+ext_if_2=""
+ext_if_3=""
+
+ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"
+
+# - is this a virtuel system ?
+host_is_vm=false
+
+# - Extern Interfaces Static Lines
+# -    (comma separated list)
+#ext_if_static="eth0"
+
+# - VPN Interfaces
+# -    (comma separated list)
+vpn_ifs=""
+   
+# - Local Interfaces
+local_if_1=""
+local_if_2=""
+local_if_3=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3"
+
+
+# -------------
+# --- Interfaces completly blocked
+# -------------
+
+# - Interfaces to block (note: they will all be blocked)
+# -
+# - Example: eth1 is used for DSL Line, that becomes an extra 
+# - interface (maybe ppp0). A further use of eth1 (which would 
+# - be possible) is not configured at time, so you can block it.
+# -   blocked_ifs="eth1"
+# -
+blocked_ifs=""
+
+
+# -------------
+# --- Interfaces not firewalled
+# -------------
+
+# - Note:
+# - Can be (for example) an interface, whose (complete) traffic is 
+# - protected by a firewall on an other system in the local area 
+# -
+unprotected_ifs=""
+
+
+# -------------
+# ---- Allow Forwarding (private) IPs / IP-Ranges
+# -------------
+
+# - Maybe useful in case of virtual hosts with private addresses or
+# - if using a vpn network to forward into private areas.
+# -
+# - Note: this rules takes affect before rules to protect against
+# -       unwanted packages e.g. blocking private addresses on
+# -       externel interfaces.
+# -       
+# - Note: you can specify networks using CIDR notation
+# -       like "192.168.2.0/24"
+# -
+forward_private_ips=""
+
+
+# -------------
+# --- Define Ports for Services
+# -------------
+
+# - Is this a Web Server ?
+http_ports="80,443"
+
+# - Is this a Mailserver (POP/IMAP)
+mail_user_ports="587,465,110,995,143,993"
+
+# - SSH Ports
+# -
+# - comma separated list
+ssh_ports="22"
+
+# - VPN Service
+vpn_ports="1194 1195"
+
+# - Mumble Server
+# -
+mumble_ports="64738"
+
+# - XyMon Service (usually TCP port 1984)
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_port=1984
+
+# - Munin Server Port (usually TCP port 4949)
+# -
+munin_remote_port="4949"
+
+
+# -------------
+# --- Network Interfaces
+# -------------
+
+# - Extern IP Addresses on this Host
+# -
+# NOT IN USE
+ext_1_ip=""
+# NOT IN USE
+ext_2_ip=""
+# NOT IN USE
+ext_3_ip=""
+
+ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"
+
+# NOT IN USE
+local_1_ip=""
+# NOT IN USE
+local_2_ip=""
+# NOT IN USE
+local_2_ip=""
+
+broadcast_ips=""
+
+
+# -------------
+# --- Services local Network
+# -------------
+
+# - VPN Server
+# -
+vpn_server_ips=""
+forward_vpn_server_ips=""
+
+# DHCP Server
+#
+# Comma seperated Interface list for DHCP services
+#
+dhcp_server_ifs=""
+
+# - DNS Server 
+dns_server_ips=""
+forward_dns_server_ips=""
+
+# - SSH Server
+# -
+ssh_server_ips=""
+forward_ssh_server_ips=""
+
+# - HTTP(S) Server
+# -
+http_server_ips=""
+forward_http_server_ips=""
+
+# - Mail SMTP Server 
+# -
+smtpd_ips=""
+forward_smtpd_ips=""
+
+# - Mail Services (smtps/pop(s)/imap(s)
+# -
+mail_server_ips=""
+forward_mail_server_ips=""
+
+# - FTP Server
+# -
+ftp_server_ips=""
+forward_ftp_server_ips=""
+
+# - Mumble Server
+# -
+mumble_server_ips=""
+forward_mumble_server_ips=""
+
+# - TFTP Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+tftp_server_ips=""
+
+# - Munin Server
+# -
+munin_server_ips=""
+forward_munin_server_ips=""
+
+# - Remote Munin Server
+# -
+munin_remote_ip="83.223.86.99"
+munin_local_port="4949"
+
+# - XyMon Server
+# -
+# - NOT YET IMPLEMENTED
+# -
+xymon_server_ips=""
+local_xymon_client=false
+
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+rsync_out_ips=""
+forward_rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# --- Allow special Ports (OUT)
+# -------------
+
+# - TCP Ports
+tcp_out_ports=""
+forward_tcp_out_ports=""
+
+# - UDP Ports
+udp_out_ports=""
+forward_udp_out_ports=""
+
+
+# -------------
+# --- Block IP's / IP-Ranges
+# -------------
+
+# -    222.184.0.0/13 CHINANET-JS
+# -    61.160.0.0/16 - CHINANET-JS
+# -    116.8.0.0/14 CHINANET-GX
+# -
+blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
+
+
+# -------------
+# --- Block Ports
+# -------------
+
+# - Generally (for all interfaces) block this ports
+# -
+# - Portmapper
+# - tcp 111
+# - udp 111
+# -
+# - Authentication tap ident
+# - tcp 113
+# -
+# - Location Service
+# - tcp 135
+# -
+# - Windows Stuff
+# - tcp 137:139
+# - udp 137:139
+# - tcp 445
+# -
+block_tcp_ports="111 113 135 137:139 445"
+block_udp_ports="111 137:139"
+
+
+# -------------
+# - Some special stuff
+# -------------
+
+create_traffic_counter=true
+create_iperf_rules=true
+
+
+# -------------
+# --- Router ?
+# -------------
+
+# - Activate forwarding
+# -
+# - Enable/disable forwarding to and between interfaces
+# -
+kernel_activate_forwarding=false
+
+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# -   1:  To enable:
+# -   2:  To enable verbosity:
+# -   4:  To enable RST-provoking:
+# -   8:  To enable asymetric routing work-around [**]
+# -
+# -  [*] At boot, by default no address rewriting is attempted.
+# -  [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+
+
+# -------------
+# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
+# -------------
+
+# - Reduce DoS'ing ability by reducing timeouts
+# -
+kernel_reduce_timeouts=true
+
+# - Hardening TCP/IP Stack Against SYN Floods
+# -
+# - Enable syn cookies prevents against the common 'syn flood attack'
+# -
+kernel_tcp_syncookies=true
+
+# - Protection against ICMP bogus error responses
+# -
+kernel_protect_against_icmp_bogus_messages=true
+
+# - Ignore Broadcast Pings
+# -
+kernel_ignore_broadcast_ping=true
+
+# - Deactivate Source Routed Packets
+# -
+kernel_deactivate_source_route=true
+
+# - Deactivate sending ICMP redirects
+# -
+# - ICMP redirects are used by routers to specify better routing paths out of 
+# - one network, based on the host choice, so basically it affects the way 
+# - packets are routed and destinations. 
+# -
+kernel_dont_accept_redirects=true
+
+# - Activate Reverse Path Filtering (Antispoofing)
+# -
+# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen 
+# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, 
+# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
+# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für 
+# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle 
+# - nicht voll funktionsfähig ist. 
+# -
+kernel_activate_rp_filter=true
+
+# - Logging of spoofed (source routed" and "redirect") packets
+# -
+kernel_log_martians=false
+
+
+# -------------
+# --- Some further Ports/IP-Address Configuration
+# -------------
+
+# - unpriviligierte Ports
+# -
+unprivports="1024:65535"
+
+# - Loopback
+loopback="127.0.0.0/8"
+
+# - Private Networks
+priv_class_a="10.0.0.0/8"
+priv_class_b="172.16.0.0/12"
+priv_class_c="192.168.0.0/16"
+
+# - Multicast Addresse
+class_d_multicast="224.0.0.0/4"
+
+# Reserved Addresse
+class_e_reserved="240.0.0.0/5"
+
+
+# ----------------------- End: Configuration ----------------------- #
+######################################################################
+
+
+## ====================================
+## - Don't make changes after this Line
+## ====================================
+
+
+
+# -----------
+# --- Define Arrays
+# -----------
+
+
+# ---
+# - IP-Addresses (Host, Guests (VServer, LX_Container)
+# ---
+declare -a ext_ip_arr
+for _ip in $ext_ips ; do
+   host_ip_arr+=("$_ip")
+done
+
+# ---
+# - Extern Interfaces
+# ---
+declare -a ext_if_arr
+for _dev in $ext_ifs ; do
+   ext_if_arr+=("$_dev")
+done
+
+# ---
+# - VPN Interfaces
+# ---
+declare -a vpn_if_arr
+for _dev in $vpn_ifs ; do
+   vpn_if_arr+=("$_dev")
+done
+
+# ---
+# - Local Network Interfaces
+# ---
+declare -a local_if_arr
+for _dev in $local_ifs ; do
+   local_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces completly blocked
+# ---
+declare -a blocked_if_arr
+for _dev in $blocked_ifs ; do
+   blocked_if_arr+=("$_dev")
+done
+
+# ---
+# - Network Interfaces not firewalled
+# ---
+declare -a unprotected_if_arr
+for _dev in $unprotected_ifs ; do
+   unprotected_if_arr+=("$_dev")
+done
+
+# ---
+# - Generally block ports
+# ---
+declare -a block_tcp_port_arr
+for _port in $block_tcp_ports ; do
+   block_tcp_port_arr+=("$_port")
+done
+
+declare -a block_udp_port_arr
+for _port in $block_udp_ports ; do
+   block_udp_port_arr+=("$_port")
+done
+
+# ---
+# - Private IPs / IP-Ranges allowed to forward
+# ---
+declare -a forward_private_ip_arr
+for _ip in $forward_private_ips ; do
+   forward_private_ip_arr+=("$_ip")
+done
+
+# ---
+# - Network Interfaces DHCP Service
+# ---
+declare -a dhcp_if_arr
+for _dev in $dhcp_server_ifs ; do
+   dhcp_if_arr+=($_dev)
+done
+
+# ---
+# - IP Addresses DNS Server
+# ---
+# - local
+declare -a dns_server_ip_arr
+for _ip in $dns_server_ips ; do
+   dns_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_dns_server_ip_arr
+for _ip in $forward_dns_server_ips ; do
+   forward_dns_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses VPN Server
+# ---
+# local
+declare -a vpn_server_ip_arr
+for _ip in $vpn_server_ips ; do
+   vpn_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_vpn_server_ip_arr
+for _ip in $forward_vpn_server_ips ; do
+   forward_vpn_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses SSH Server
+# ---
+# local
+declare -a ssh_server_ip_arr
+for _ip in $ssh_server_ips ; do
+   ssh_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ssh_server_ip_arr
+for _ip in $forward_ssh_server_ips ; do
+   forward_ssh_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses HTTP Server
+# ---
+# local
+declare -a http_server_ip_arr
+for _ip in $http_server_ips ; do
+   http_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_http_server_ip_arr
+for _ip in $forward_http_server_ips ; do
+   forward_http_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses FTP Server
+# ---
+# local
+declare -a ftp_server_ip_arr
+for _ip in $ftp_server_ips ; do
+   ftp_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_ftp_server_ip_arr
+for _ip in $forward_ftp_server_ips ; do
+   forward_ftp_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail SMTP Server
+# ---
+# local
+declare -a smtpd_ips_arr
+for _ip in $smtpd_ips ; do
+   smtpd_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_smtpd_ip_arr
+for _ip in $forward_smtpd_ips ; do
+   forward_smtpd_ip_arr+=("$_ip")
+done
+
+# ---
+# - Mail POP/IMAP Server
+# ---
+# local
+declare -a mail_server_ips_arr
+for _ip in $mail_server_ips ; do
+   mail_server_ips_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mail_server_ip_arr
+for _ip in $forward_mail_server_ips ; do
+   forward_mail_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Mumble Server
+# ---
+# local
+declare -a mumble_server_ip_arr
+for _ip in $mumble_server_ips ; do
+   mumble_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_mumble_server_ip_arr
+for _ip in $forward_mumble_server_ips ; do
+   forward_mumble_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Telephone Systems
+# ---
+declare -a tel_sys_ip_arr
+for _ip in $tel_sys_ips ; do
+   tel_sys_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Munin
+# ---
+# local
+declare -a munin_server_ip_arr
+for _ip in $munin_server_ips ; do
+   munin_server_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_munin_server_ip_arr
+for _ip in $forward_munin_server_ips ; do
+   forward_munin_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses XyMon
+# ---
+declare -a xymon_server_ip_arr
+for _ip in $xymon_server_ips ; do
+   xymon_server_ip_arr+=("$_ip")
+done
+
+# ---
+# - IP Addresses Rsync Out
+# ---
+# local
+declare -a rsync_out_ip_arr
+for _ip in $rsync_out_ips ; do
+   rsync_out_ip_arr+=("$_ip")
+done
+# DMZ
+declare -a forward_rsync_out_ip_arr
+for _ip in $forward_rsync_out_ips ; do
+   forward_rsync_out_ip_arr+=("$_ip")
+done
+
+# ---
+# - SSH Ports
+# ---
+declare -a ssh_port_arr
+for _port in $ssh_ports ; do
+   ssh_port_arr+=("$_port")
+done
+
+# ---
+# - VPN Ports
+# ---
+# local
+declare -a vpn_port_arr
+for _port in $vpn_ports ; do
+   vpn_port_arr+=("$_port")
+done
+
+# ---
+# - Rsync Out Ports
+# --
+declare -a rsync_port_arr
+for _port in $rsync_ports ; do
+   rsync_port_arr+=("$_port")
+done
+
+
+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+   tcp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_tcp_out_port_arr
+for _port in $forward_tcp_out_ports ; do
+   forward_tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+   udp_out_port_arr+=("$_port")
+done
+# DMZ
+declare -a forward_udp_out_port_arr
+for _port in $forward_udp_out_ports ; do
+   forward_udp_out_port_arr+=("$_port")
+done
+
+
+
+# -------------
+# --- Some functions
+# -------------
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+echo_done() {
+   echo -e "\033[75G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+   echo -e "\033[75G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+   echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+   echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+   echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+
+fatal (){
+   echo ""
+   echo -e "fatal Error: $*"
+   echo ""
+   echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+   echo ""
+   exit 1
+}
+
+error(){
+   echo ""
+   echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   echo ""
+}
+
+warn (){
+   echo ""
+   echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   echo ""
+}
+
+info (){
+   echo ""
+   echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+   local e
+   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+   return 1
+}
+
+