firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: firewall:536aea7d976c2dc9354abcd6be229ab615dc7c9f
Branches Tags
firewall:master
..
compare: firewall:master
Branches Tags
firewall:master

27 Commits
536aea7d97 ... master

Author SHA1 Message Date
Christoph
63889b0dc9 LDAP(S): forgot to configure ldap/ldaps standard ports. 2025-08-10 01:56:31 +02:00
Christoph
abef59c769 Allow LDAP/LDAPS out only. 2025-08-10 01:50:23 +02:00
Christoph
9fd36a8236 Add support for MNDP and mDNS traffic. 2025-02-16 18:48:22 +01:00
Christoph
24d91d38c6 Add support for MNDP and mDNS traffic. 2025-02-16 18:40:50 +01:00
Christoph
71e01e8413 logging_ipv[46].conf: add missing parameter 'log_blocked_ip'. 2025-02-15 10:59:53 +01:00
Christoph
aab8585d90 Fix error creating 'smtpd_additional_listen_port_arr'. 2025-01-27 23:10:29 +01:00
Christoph
e6984a622c post_decalrations.conf: fix error creating array 'smtpd_additional_outgoung_port_arr'. 2025-01-27 22:58:30 +01:00
Christoph
409ace650e Merge branch 'master' of https://git.oopen.de/firewall/ipt-server 2025-01-27 22:18:55 +01:00
Christoph
877814caf0 Add support for aditional smtp ports - OUT AND IN. 2025-01-27 22:15:40 +01:00
Christoph
54ce58a52e replace 'default_ports.conf' with 'default_settings.conf'. 2025-01-27 14:49:47 +01:00
Christoph
40591462ce Merge branch 'master' of https://git.oopen.de/firewall/ipt-server 2024-12-27 17:27:57 +01:00
Christoph
3d65233059 ipt-firewall-server: fix error at munin role. 2024-12-27 17:27:28 +01:00
Christoph
dce357a3df /main_ipv4.conf.sample,main_ipv6.conf.sample: Change munin IP address. 2024-12-27 10:53:53 +01:00
Christoph
f0e15b992b Fix error for not firewalled interfaces. 2024-12-24 17:16:35 +01:00
Christoph
e7311a3963 Add Prometheus Service 2024-11-05 17:21:05 +01:00
Christoph
0eca4f3eaf main_ipv[46].conf.sample: add 'per_IP_connection_limit' parameter. 2024-09-26 15:21:17 +02:00
Christoph
830f48ff61 Add support for logging CGI script user. 2024-09-14 01:15:52 +02:00
Christoph
bbabeeab27 Add support for PGP/GPG Key server.. 2024-07-24 17:14:04 +02:00
Christoph
1062208237 ip6t-firewall-server,ipt-firewall-server: move 'Loopback device generally allowed' to an earlier point in the script. 2024-04-08 21:07:51 +02:00
Christoph
d857756be7 ip6t-firewall-server: add '(end of firewall)' to the last reject rule. 2024-04-06 03:20:27 +02:00
Christoph
b183770b91 forgot 'updating conf/include_functions.conf' file. 2024-04-04 19:22:08 +02:00
Christoph
e6566bafeb Some changes in per IP Connection Limit. 2024-04-04 18:57:36 +02:00
Christoph
2532b116b8 Support user settings for sourvce IP connection limit - ff. 2024-04-04 18:34:28 +02:00
Christoph
738809ba95 Support user settings for sourvce IP connection limit. 2024-04-04 15:17:31 +02:00
Christoph
7c00c7783c Add China/Hon Long networks ti nan list. 2024-01-17 11:10:41 +01:00
Christoph
ce0ee2d243 Add variables for lx guest system ip's. 2023-05-02 22:26:40 +02:00
Christoph
8e64cc36ac some minor changes.. 2023-05-02 21:45:43 +02:00
13 changed files with 964 additions and 170 deletions
Expand all files Collapse all files

2
README.install
View File

@ -18,7 +18,7 @@ cp -a /usr/local/src/ipt-server/ip6t-firewall-server /usr/local/sbin/
# -
mkdir /etc/ipt-firewall
cp /usr/local/src/ipt-server/conf/default_ports.conf \
cp /usr/local/src/ipt-server/conf/default_settings.conf \
/usr/local/src/ipt-server/conf/include_functions.conf \
/usr/local/src/ipt-server/conf/load_modules_ipv4.conf \
/usr/local/src/ipt-server/conf/load_modules_ipv6.conf \

14
conf/ban_ipv4.list.sample
View File

@ -20,3 +20,17 @@
# - 79.171.81.0/255.255.255
# - 79.171.81
# CHINANET-JS
222.184.0.0/13
61.160.0.0/16
# CHINANET-GX
116.8.0.0/14
# BAIDU-HK - Hong Kong
103.235.44.0/22
# UNICOM-HE - China Unicom Hebei province network
110.240.0.0/12
# CMNET - China Mobile Communications Corporation
39.128.0.0/10

15
conf/default_ports.conf → conf/default_settings.conf
View File

@ -1,5 +1,12 @@
#!/usr/bin/env bash
# -------------
# --- Default Parameter / Options
# -------------
default_per_IP_connection_limit=111
# -------------
# --- Default Ports for Services out
# -------------
@ -18,6 +25,10 @@ standard_ident_port=113
standard_ipp_port=631
standard_irc_port=6667
standard_jabber_port=5222
standard_ldap_port=389
standard_ldaps_port=636
standard_mdns_port=5353
standard_mndp_port=5678
standard_mumble_port=64738
standard_munin_port=4949
standard_mysql_port=3306
@ -39,6 +50,10 @@ standard_wireguard_port=51820
standard_whois_port=43
standard_xymon_port=1984
# - Prometheus services
# -
standard_prometheus_ports="9100,9256"
# - Mattermost (MM) Service
# -
stansard_mattermost_udp_ports_in="8443"

16
conf/include_functions.conf
View File

@ -65,4 +65,20 @@ containsElement () {
return 1
}
is_number() {
return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
# - also possible
# -
#[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
#return $([[ ! -z "${1##*[!0-9]*}" ]])
}
trim() {
local var="$*"
var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
echo -n "$var"
}

4
conf/interfaces_ipv4.conf.sample
View File

@ -52,7 +52,9 @@ local_1_ip=""
# NOT IN USE
local_2_ip=""
# NOT IN USE
local_2_ip=""
local_3_ip=""
local_ips="$local_1_ip $local_2_ip $local_3_ip"
# -------------

4
conf/interfaces_ipv6.conf.sample
View File

@ -52,7 +52,9 @@ local_1_ip=""
# NOT IN USE
local_2_ip=""
# NOT IN USE
local_2_ip=""
local_3_ip=""
local_ips="$local_1_ip $local_2_ip $local_3_ip"
# -------------

4
conf/logging_ipv4.conf
View File

@ -23,6 +23,8 @@ log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
@ -40,6 +42,8 @@ log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages

8
conf/logging_ipv6.conf
View File

@ -23,6 +23,8 @@ log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
@ -40,6 +42,8 @@ log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages
@ -51,5 +55,9 @@ log_prefix="[ IPv6 ]"
# - Log all traffic for givven ip address
# ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips=""

121
conf/main_ipv4.conf.sample
View File

@ -36,11 +36,66 @@ do_not_firewall_lx_guest_systems=false
drop_icmp=false
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
#
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
#
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
# -------------
# --- Allow all outgoing traffic
# -------------
# - unprotected_ifs
# - allow_all_outgoing_traffic
# -
# - Posiible values are 'true' and 'false'
# -
@ -331,6 +386,19 @@ forward_http_server_ips=""
http_ports="$standard_http_ports"
# - LOG CGI script Traffic out
# -
log_cgi_traffic_out=false
# - cgi_script_users
# -
# - List of CGI script users (suexec user, php-fpm user. ...)
# -
# - Blank separated list
# -
cgi_script_users=""
# - Mattermost (MM) Service
# -
mm_server_ips=""
@ -347,6 +415,19 @@ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
smtpd_ips=""
forward_smtpd_ips=""
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic
#
# blank separated list of ports
#
smtpd_additional_outgoung_ports=""
# - Mail Services (smtps/pop(s)/imap(s)
# -
mail_server_ips=""
@ -495,6 +576,37 @@ nc_turn_udp_ports="$standard_turn_service_udp_ports"
# -
tftp_server_ips=""
# - Prometheus Monitoring - local Server
# -
# - blank separated list of IPv4 addresses
# -
prometheus_local_server_ips=""
# - (Remote) prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_remote_client_ports="$standard_prometheus_ports"
# - Prometheus Monitoring - local Client
# -
# - blank separated list of IPv4 addresses
# -
prometheus_local_client_ips=""
# - Local prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_local_client_ports="$standard_prometheus_ports"
# - blank separated list of IPv4 addresses
# -
prometheus_remote_server_ips=""
# - Munin Server
# -
munin_server_ips=""
@ -509,7 +621,7 @@ munin_remote_port="$standard_munin_port"
# - Remote Munin Server
# -
munin_remote_ip="95.217.64.122"
munin_remote_ip="37.27.121.227"
munin_local_port="4949"
# - XyMon Server
@ -604,7 +716,9 @@ portforward_udp=""
# - 61.160.0.0/16 - CHINANET-JS
# - 116.8.0.0/14 CHINANET-GX
# -
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"
# - !! Moved to 'ban_ipv4.list'
# -
blocked_ips=""
# -------------
@ -664,6 +778,7 @@ protection_against_ssh_brute_force_attacks=true
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
per_IP_connection_limit=$default_per_IP_connection_limit
# - Limit RST packets
# -

117
conf/main_ipv6.conf.sample
View File

@ -36,11 +36,66 @@ do_not_firewall_lx_guest_systems=false
drop_icmp=false
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
#
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
#
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
# -------------
# --- Allow all outgoing traffic
# -------------
# - unprotected_ifs
# - allow_all_outgoing_traffic
# -
# - Posiible values are 'true' and 'false'
# -
@ -347,6 +402,19 @@ forward_http_server_ips=""
http_ports="$standard_http_ports"
# - LOG CGI script Traffic out
# -
log_cgi_traffic_out=false
# - cgi_script_users
# -
# - List of CGI script users (suexec user, php-fpm user. ...)
# -
# - Blank separated list
# -
cgi_script_users=""
# - Mattermost (MM) Service
# -
mm_server_ips=""
@ -363,6 +431,19 @@ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
smtpd_ips=""
forward_smtpd_ips=""
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic
#
# blank separated list of ports
#
smtpd_additional_outgoung_ports=""
# - Mail Services (smtps/pop(s)/imap(s)
# -
mail_server_ips=""
@ -514,6 +595,37 @@ nc_turn_udp_ports="$standard_turn_service_udp_ports"
# -
tftp_server_ips=""
# - Prometheus Monitoring - local Server
# -
# - blank separated list of IPv6 addresses
# -
prometheus_local_server_ips=""
# - (Remote) prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_remote_client_ports="$standard_prometheus_ports"
# - Prometheus Monitoring - local Client
# -
# - blank separated list of IPv6 addresses
# -
prometheus_local_client_ips=""
# - Local prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_local_client_ports="$standard_prometheus_ports"
# - blank separated list of IPv6 addresses
# -
prometheus_remote_server_ips=""
# - Munin Server
# -
munin_server_ips=""
@ -528,7 +640,7 @@ munin_remote_port="$standard_munin_port"
# - Remote Munin Server
# -
munin_remote_ip="2a01:4f9:4a:2b57::122"
munin_remote_ip="2a01:4f9:3070:2bda::227"
munin_local_port="4949"
# - XyMon Server
@ -680,6 +792,7 @@ protection_against_ssh_brute_force_attacks=true
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
per_IP_connection_limit=$default_per_IP_connection_limit
# - Limit RST packets
# -

74
conf/post_decalrations.conf
View File

@ -17,6 +17,26 @@ for _dev in $nat_devices ; do
done
# ---
# IP Addresses LX Guest System
# ---
declare -a lxc_guest_ip_arr=()
for _ip in $lxc_guest_ips ; do
lxc_guest_ip_arr+=("$_ip")
done
# ---
# local Interfaces
# ---
declare -a local_ip_arr=()
for _ip in $local_ips ; do
local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
@ -25,6 +45,16 @@ for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - LOG CGI script Traffic out
# ---
declare -a cgi_script_user_arr=()
for _user in $cgi_script_users ; do
cgi_script_user_arr+=($_user)
done
# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container)
# ---
@ -283,6 +313,25 @@ for _ip in $forward_smtpd_ips ; do
done
# ---
# Additional SMTP Listen Ports
# ---
declare -a smtpd_additional_listen_port_arr
for _port in $smtpd_additional_listen_ports ; do
smtpd_additional_listen_port_arr+=("$_port")
done
# ---
# Additional SMTP Outgoing Ports
# ---
declare -a smtpd_additional_outgoung_port_arr
for _port in $smtpd_additional_outgoung_ports ; do
smtpd_additional_outgoung_port_arr+=("$_port")
done
# ---
# - IP Addresses XMPP Service (Jabber - Prosody)
# ---
@ -336,8 +385,8 @@ done
# - (local) Dovecot auth service
# ---
declare -a dovecot_auth_allowed_network_arr
for _port in $dovecot_auth_allowed_networks ; do
dovecot_auth_allowed_network_arr+=("$_port")
for _ip in $dovecot_auth_allowed_networks ; do
dovecot_auth_allowed_network_arr+=("$_ip")
done
# ---
@ -410,6 +459,27 @@ for _ip in $tel_sys_ips ; do
tel_sys_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Server
# ---
declare -a prometheus_local_server_ip_arr
for _ip in $prometheus_local_server_ips ; do
prometheus_local_server_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Client
# ---
declare -a prometheus_local_client_ip_arr
for _ip in $prometheus_local_client_ips; do
prometheus_local_client_ip_arr+=("$_ip")
done
declare -a prometheus_remote_server_ip_arr
for _ip in $prometheus_remote_server_ips ; do
prometheus_remote_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Munin
# ---

378
ip6t-firewall-server
View File

@ -23,7 +23,7 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf
conf_logging=${ipt_conf_dir}/logging_ipv6.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_default_settings=${ipt_conf_dir}/default_settings.conf
conf_main=${ipt_conf_dir}/main_ipv6.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"
@ -112,10 +112,10 @@ else
source $conf_logging
fi
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
if [[ ! -f "$conf_default_settings" ]]; then
fatal "Missing configuration for default_settings - file '$conf_default_settings'"
else
source $conf_default_ports
source $conf_default_settings
fi
if [[ ! -f "$conf_interfaces" ]]; then
@ -288,7 +288,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems"
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
for _ip in ${lxc_guest_ip_arr[@]} ; do
$ip6t -I FORWARD -p all -d $_ip -j ACCEPT
$ip6t -I FORWARD -p all -s $_ip -j ACCEPT
@ -372,10 +372,12 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
if $log_unprotected || $log_all ; then
$ip6t -t mangle -A PREROUTING -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
$ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: "
fi
$ip6t -t mangle -A PREROUTING -i $_dev -j ACCEPT
$ip6t -A OUTPUT -o $_dev -j ACCEPT
$ip6t -A INPUT -i $_dev -j ACCEPT
$ip6t -A FORWARD -o $_dev -j ACCEPT
done
echo_done
@ -477,7 +479,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
is_valid_mask=false
ipv6=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
@ -502,7 +504,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
ipv6="${_addr[0]}"
# Test mask if given
#
#
if [[ -n "${_addr[1]}" ]] ; then
mask="${_addr[1]}"
@ -513,7 +515,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
# Its not a vaild mask number, but naybe a valit netmask.
#
no_valid_ipv6_arr+=("$given_ipv6")
else
if [[ $mask -gt 128 ]]; then
@ -534,7 +536,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
is_valid_ipv6=true
fi
if $is_valid_ipv6 && $is_valid_mask; then
_ip="${ipv6}/${mask}"
@ -545,9 +547,9 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
fi
fi
@ -574,7 +576,7 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
else
echo_skipped
fi
# -------------
@ -625,14 +627,14 @@ echo_done
echononl "\tBlock packets with bogus TCP flags"
if $log_invalid_flags || $log_all ; then
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ip6t -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
@ -717,6 +719,75 @@ else
fi
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
if [[ -n "$drop_mndp" ]] && $drop_mndp ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mndp || $log_all ; then
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
fi
fi
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Drop Multicast DNS Traffic
# -------------
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
echononl "\tDrop Multicast DNS Traffic"
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mdns || $log_all ; then
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
fi
fi
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Don't allow spoofing out from this server
# ---
@ -753,6 +824,22 @@ done
echo_done
# -------------
# --- Traffic generally allowed
# -------------
echo
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ip6t -A INPUT -i lo -j ACCEPT
$ip6t -A OUTPUT -o lo -j ACCEPT
echo_done
# ---
# - Protection against syn-flooding
@ -814,10 +901,15 @@ fi
echononl "\tLimit connections per source IP"
if $limit_connections_per_source_IP ; then
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
if ! is_number $per_IP_connection_limit ; then
per_IP_connection_limit=$default_per_IP_connection_limit
fi
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP: "
fi
$ip6t -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset
echo_done
else
echo_skipped
@ -829,7 +921,7 @@ fi
# ---
echononl "\tLimit RST packets"
if $limit_rst_packets ; then
if $limit_rst_packets ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ip6t -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
@ -910,8 +1002,8 @@ fi
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
@ -972,26 +1064,8 @@ done
echo_done
echo
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ip6t -A INPUT -i lo -j ACCEPT
$ip6t -A OUTPUT -o lo -j ACCEPT
echo_done
echo
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------
@ -1033,7 +1107,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
_deny_net_arr=()
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
IFS=',' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
@ -1074,6 +1148,26 @@ fi
echo_done
# ---
# - LOG CGI script Traffic out
# ---
echo
echononl "\tLOG CGI/PHP traffic out."
if $log_cgi_traffic_out && [[ ${#cgi_script_user_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _user in ${cgi_script_user_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: "
done
done
echo_done
else
echo_skipped
fi
echo
# -------------
# --- Allow all outgoing traffic
# -------------
@ -1124,7 +1218,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# -------------
# ---- Allow extern Service
# ---- Allow extern Service
# -------------
echononl "\t\tAllow extern Service"
@ -1163,7 +1257,7 @@ echo
# -------------
# ---- Allow (non-standard) local Services
# ---- Allow (non-standard) local Services
# -------------
echononl "\t\tAllow (non-standard) local Services"
@ -1233,9 +1327,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
else
echo_skipped
fi
# ---
# - DNS out only
# ---
@ -1274,7 +1368,7 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1283,13 +1377,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
$ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1550,6 +1644,40 @@ done
echo_done
# ---
# - Prometheus Monitoring - local Server
# ---
echononl "\t\tLocal Prometheus Service"
if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${prometheus_local_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - Prometheus Monitoring - local client
# ---
echononl "\t\tLocal Prometheus Client"
if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${prometheus_local_client_ip_arr[@]} ; do
for _ip in ${prometheus_remote_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Munin remote service
# ---
@ -1580,13 +1708,13 @@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${munin_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_munin_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
@ -1612,6 +1740,29 @@ done
echo_done
# ---
# - Mail (additional smtp ports OUT)
# ---
echononl "\t\tMail (additional smtp ports OUT)"
if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Mail SMTP Server (Port 25) including Spam Control
# ---
@ -1668,6 +1819,29 @@ else
fi
# ---
# - Mail (additional smtp ports IN)
# ---
echononl "\t\tMail (additional smtp ports IN)"
if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_listen_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Mailservice (Submission/SMTPS/POP/IMAP Server)
# ---
@ -1678,7 +1852,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1686,7 +1860,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1729,7 +1903,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1737,7 +1911,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mail_client_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1833,7 +2007,7 @@ $ip6t -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
declare -i j=1
for _dev in ${ext_if_arr[@]} ; do
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
@ -1900,7 +2074,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ip6t -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
@ -1933,7 +2107,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
@ -1949,7 +2123,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
@ -1974,7 +2148,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
$ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
@ -2005,7 +2179,7 @@ fi
# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# # - Kontrollverbindung
# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
@ -2123,7 +2297,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incoming Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
fi
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
@ -2269,7 +2443,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
@ -2286,8 +2460,8 @@ for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@ -2312,6 +2486,38 @@ else
fi
# ---
# - LDAP out only
# ---
echononl "\t\tLDAP out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - LDAPS out only
# ---
echononl "\t\tLDAPS out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Whois out only
# ---
@ -2321,7 +2527,23 @@ echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - PGP Keyserver out only
# ---
echononl "\t\tPGP/GPG Key server - out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT
fi
done
@ -2337,7 +2559,7 @@ echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
@ -2353,7 +2575,7 @@ echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
@ -2480,7 +2702,7 @@ else
fi
echo
echo
# ---
# - UNIX Traceroute
@ -2545,14 +2767,14 @@ echo
echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then
#$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
$ip6t -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
if $kernel_forward_between_interfaces ; then
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
fi
echo_done
else

377
ipt-firewall-server
View File

@ -23,7 +23,7 @@ load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_default_settings=${ipt_conf_dir}/default_settings.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
@ -112,10 +112,10 @@ else
source $conf_logging
fi
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
if [[ ! -f "$conf_default_settings" ]]; then
fatal "Missing configuration for default_settings - file '$conf_default_settings'"
else
source $conf_default_ports
source $conf_default_settings
fi
if [[ ! -f "$conf_interfaces" ]]; then
@ -148,7 +148,7 @@ echo
# --- Activate IP Forwarding
# -------------
## - IP Forwarding deaktivieren.
## - IP Forwarding deaktivieren.
## -
## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
## -
@ -212,13 +212,13 @@ if ! $host_is_vm ; then
fi
## - Ignore Broadcast Pings
## -
## -
if $kernel_ignore_broadcast_ping ; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
## - Deactivate Source Routed Packets
## -
## -
if $kernel_deactivate_source_route ; then
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
echo 0 > $asr
@ -241,9 +241,9 @@ if ! $host_is_vm ; then
## - Keine ICMP Umleitungspakete akzeptieren.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
## - NUMBER OF CONNECTIONS TO TRACK
@ -348,7 +348,7 @@ echononl "\tDo not firewall traffic from and to LX Gust Systems"
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
for _ip in ${lxc_guest_ip_arr[@]} ; do
$ipt -I FORWARD -p all -d $_ip -j ACCEPT
$ipt -I FORWARD -p all -s $_ip -j ACCEPT
@ -432,10 +432,12 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
if $log_unprotected || $log_all ; then
$ipt -t mangle -A PREROUTING -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
fi
$ipt -t mangle -A PREROUTING -i $_dev -j ACCEPT
$ipt -A OUTPUT -o $_dev -j ACCEPT
$ipt -A INPUT -i $_dev -j ACCEPT
$ipt -A FORWARD -o $_dev -j ACCEPT
done
echo_done
@ -532,7 +534,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
is_valid_mask=true
ipv4=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
@ -673,9 +675,9 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
$ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
$ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list::"
fi
fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP
@ -699,7 +701,7 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
else
echo_skipped
fi
# -------------
@ -861,6 +863,72 @@ else
fi
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mndp || $log_all ; then
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
fi
fi
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Drop Multicast DNS Traffic
# -------------
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
echononl "\tDrop Multicast DNS Traffic"
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mdns || $log_all ; then
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
$ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
fi
fi
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Don't allow spoofing from that server
# ---
@ -906,6 +974,22 @@ done
echo_done
# -------------
# --- Traffic generally allowed
# -------------
echo
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
echo_done
# ---
# - Protection against syn-flooding
@ -967,10 +1051,15 @@ fi
echononl "\tLimit connections per source IP"
if $limit_connections_per_source_IP ; then
if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
if ! is_number $per_IP_connection_limit ; then
per_IP_connection_limit=$default_per_IP_connection_limit
fi
$ipt -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:"
fi
$ipt -A INPUT -p tcp -m connlimit --connlimit-above $per_IP_connection_limit -j REJECT --reject-with tcp-reset
echo_done
else
echo_skipped
@ -982,7 +1071,7 @@ fi
# ---
echononl "\tLimit RST packets"
if $limit_rst_packets ; then
if $limit_rst_packets ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
if $log_rejected || $log_all ; then
$ipt -A INPUT -p tcp --tcp-flags RST RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: "
@ -1063,8 +1152,8 @@ fi
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
@ -1125,25 +1214,6 @@ done
echo_done
echo
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
echo_done
echo
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
@ -1187,7 +1257,7 @@ echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
_deny_net_arr=()
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
@ -1229,6 +1299,26 @@ fi
echo_done
# ---
# - LOG CGI script Traffic out
# ---
echo
echononl "\tLOG CGI/PHP traffic out."
if $log_cgi_traffic_out && [[ ${#cgi_script_user_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _user in ${cgi_script_user_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: "
done
done
echo_done
else
echo_skipped
fi
echo
# -------------
# --- Allow all outgoing traffic
# -------------
@ -1245,12 +1335,6 @@ else
echo_skipped
fi
# - unprotected_ifs
# -
# - Posiible values are 'true' and 'false'
# -
allow_all_outgoing_traffic=false
# ---
# - Don't allow traffic into private networks
@ -1290,7 +1374,7 @@ echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# -------------
# ---- Allow extern Service
# ---- Allow extern Service
# -------------
echononl "\t\tAllow extern Service"
@ -1329,7 +1413,7 @@ echo
# -------------
# ---- Allow (non-standard) local Services
# ---- Allow (non-standard) local Services
# -------------
echononl "\t\tAllow (non-standard) local Services"
@ -1401,9 +1485,9 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then
else
echo_skipped
fi
# ---
# - DNS out only
# ---
@ -1439,10 +1523,10 @@ echononl "\t\tDNS Service"
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1451,13 +1535,13 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
$ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
@ -1723,6 +1807,40 @@ done
echo_done
# ---
# - Prometheus Monitoring - local Server
# ---
echononl "\t\tLocal Prometheus Service"
if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${prometheus_local_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - Prometheus Monitoring - local client
# ---
echononl "\t\tLocal Prometheus Client"
if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then
for _ip in ${prometheus_local_client_ip_arr[@]} ; do
for _ip in ${prometheus_remote_server_ip_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Munin remote service
# ---
@ -1731,9 +1849,9 @@ echononl "\t\tMunin remote service"
if [ "X$munin_remote_ip" != "X" ]; then
for _dev in ${ext_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
fi
done
echo_done
@ -1785,6 +1903,29 @@ done
echo_done
# ---
# - Mail (additional smtp ports OUT)
# ---
echononl "\t\tMail (additional smtp ports OUT)"
if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Mail SMTP Server (Port 25) including Spam Control
# ---
@ -1841,6 +1982,29 @@ else
fi
# ---
# - Mail (additional smtp ports IN)
# ---
echononl "\t\tMail (additional smtp ports IN)"
if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_listen_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Mailservice (Submission/SMTPS/POP/IMAP Server)
# ---
@ -1851,7 +2015,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1859,7 +2023,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1881,7 +2045,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -1889,7 +2053,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_client_ip_arr[@]} ; do
# mail ports
# mail ports
#
$ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
@ -2006,7 +2170,7 @@ $ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
declare -i j=1
for _dev in ${ext_if_arr[@]} ; do
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
@ -2072,7 +2236,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
@ -2105,7 +2269,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
@ -2121,7 +2285,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
@ -2146,7 +2310,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
# -
$ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
$ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
@ -2176,7 +2340,7 @@ fi
# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# # - Kontrollverbindung
# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
@ -2211,7 +2375,7 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]}
for _port in ${xmmp_tcp_in_port_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
for _port in ${xmmp_tcp_out_port_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
@ -2294,7 +2458,7 @@ echononl "\t\tJitsi Meet Video Conferencing Service Incomming Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
fi
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
@ -2440,7 +2604,7 @@ echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
@ -2457,8 +2621,8 @@ for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
@ -2483,6 +2647,38 @@ else
fi
# ---
# - LDAP out only
# ---
echononl "\t\tLDAP out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - LDAPS out only
# ---
echononl "\t\tLDAPS out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
@ -2494,7 +2690,23 @@ echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - PGP Keyserver out only
# ---
echononl "\t\tPGP/GPG Key server - out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT
fi
done
@ -2510,7 +2722,7 @@ echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
@ -2526,7 +2738,7 @@ echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
@ -2648,7 +2860,7 @@ else
fi
echo
echo
# ---
# - UNIX Traceroute
@ -2713,15 +2925,16 @@ echo
echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
fi
echo_done
else
echo_skipped
@ -2796,6 +3009,6 @@ exit 0
#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
#
# -
# -
# ---------- Ende Portforwarding ---------- #