Compare commits


12 Commits

9 changed files with 477 additions and 14 deletions


@ -18,7 +18,7 @@ cp -a /usr/local/src/ipt-server/ip6t-firewall-server /usr/local/sbin/
# - # -
mkdir /etc/ipt-firewall mkdir /etc/ipt-firewall
cp /usr/local/src/ipt-server/conf/default_ports.conf \ cp /usr/local/src/ipt-server/conf/default_settings.conf \
/usr/local/src/ipt-server/conf/include_functions.conf \ /usr/local/src/ipt-server/conf/include_functions.conf \
/usr/local/src/ipt-server/conf/load_modules_ipv4.conf \ /usr/local/src/ipt-server/conf/load_modules_ipv4.conf \
/usr/local/src/ipt-server/conf/load_modules_ipv6.conf \ /usr/local/src/ipt-server/conf/load_modules_ipv6.conf \
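Review bot: The copy list now names default_settings.conf where it previously named default_ports.conf, but the `cp` argument list continues past the end of the hunk, so it is not visible whether default_ports.conf is still installed into /etc/ipt-firewall. The ports file in this same compare gains `standard_ldap_port`, `standard_ldaps_port`, `standard_mdns_port` and `standard_mndp_port`, which the firewall scripts interpolate into `--dport`; if an upgraded host keeps an old ports file, those variables expand empty and the rule lines are malformed. Listing both files explicitly, or stating where default_ports.conf is expected to come from, would remove the ambiguity.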


@ -25,6 +25,10 @@ standard_ident_port=113
standard_ipp_port=631 standard_ipp_port=631
standard_irc_port=6667 standard_irc_port=6667
standard_jabber_port=5222 standard_jabber_port=5222
standard_ldap_port=389
standard_ldaps_port=636
standard_mdns_port=5353
standard_mndp_port=5678
standard_mumble_port=64738 standard_mumble_port=64738
standard_munin_port=4949 standard_munin_port=4949
standard_mysql_port=3306 standard_mysql_port=3306


@ -23,6 +23,8 @@ log_syn_flood=false
log_port_scanning=false log_port_scanning=false
log_ssh_brute_force=false log_ssh_brute_force=false
log_fragments=false log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false log_new_not_sync=false
log_syn_with_suspicious_mss=false log_syn_with_suspicious_mss=false
log_invalid_packets=false log_invalid_packets=false
@ -40,6 +42,8 @@ log_prohibited=false
log_voip=false log_voip=false
log_rejected=true log_rejected=true
log_blocked_ip=false
log_ssh=false log_ssh=false
# - logging messages # - logging messages


@ -23,6 +23,8 @@ log_syn_flood=false
log_port_scanning=false log_port_scanning=false
log_ssh_brute_force=false log_ssh_brute_force=false
log_fragments=false log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false log_new_not_sync=false
log_syn_with_suspicious_mss=false log_syn_with_suspicious_mss=false
log_invalid_packets=false log_invalid_packets=false
@ -40,6 +42,8 @@ log_prohibited=false
log_voip=false log_voip=false
log_rejected=true log_rejected=true
log_blocked_ip=false
log_ssh=false log_ssh=false
# - logging messages # - logging messages
@ -51,5 +55,9 @@ log_prefix="[ IPv6 ]"
# - Log all traffic for givven ip address # - Log all traffic for givven ip address
# --- # ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips="" log_ips=""
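Review bot: The new comment on `log_ips` says hostnames are accepted but not when they are resolved: iptables looks a name up once at rule insertion and installs one rule per address returned, so the logged set is whatever DNS answered when the firewall was loaded, and a name that does not resolve at that moment makes the insertion fail; how the script handles that case is not visible here. A line such as `# - Hostnames are resolved once, when the firewall is (re)loaded` above the setting would set expectations. Also `seoarated` should read `separated`, and the context line above it spells `givven`.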


@ -36,6 +36,61 @@ do_not_firewall_lx_guest_systems=false
drop_icmp=false drop_icmp=false
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
#
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
#
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
# ------------- # -------------
# --- Allow all outgoing traffic # --- Allow all outgoing traffic
# ------------- # -------------
@ -360,6 +415,19 @@ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
smtpd_ips="" smtpd_ips=""
forward_smtpd_ips="" forward_smtpd_ips=""
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic
#
# blank separated list of ports
#
smtpd_additional_outgoung_ports=""
# - Mail Services (smtps/pop(s)/imap(s) # - Mail Services (smtps/pop(s)/imap(s)
# - # -
mail_server_ips="" mail_server_ips=""
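Review bot: The new key `smtpd_additional_outgoung_ports=""` carries a typo, and because the same spelling is propagated into the `*_outgoung_port_arr` array and both firewall scripts in this compare it becomes part of the operator-facing config interface and is hard to rename later; `smtpd_additional_outgoing_ports=""` (and `lsiten` → `listen` in the comment above it) is worth fixing before this ships. In the first hunk of this file the MNDP explanation is German-only while the neighbouring comments are English, and it refers to the MikroTik protocol as "(NDP)", which reads as the IPv6 Neighbor Discovery Protocol; "(MNDP)" avoids the mix-up, and the stray `UDP Port 5353/` should lose its trailing slash. That same comment says UDP 5678 is also used by Tinc VPN, so with the default `drop_mndp=true` a host that runs Tinc over its external interface loses that traffic silently; a line such as `# Set to false if this host runs Tinc VPN on UDP 5678` next to the setting would make that explicit. The IPv6 settings file in this compare has the identical hunks.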


@ -36,6 +36,61 @@ do_not_firewall_lx_guest_systems=false
drop_icmp=false drop_icmp=false
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
#
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
#
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
# ------------- # -------------
# --- Allow all outgoing traffic # --- Allow all outgoing traffic
# ------------- # -------------
@ -376,6 +431,19 @@ mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
smtpd_ips="" smtpd_ips=""
forward_smtpd_ips="" forward_smtpd_ips=""
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic
#
# blank separated list of ports
#
smtpd_additional_outgoung_ports=""
# - Mail Services (smtps/pop(s)/imap(s) # - Mail Services (smtps/pop(s)/imap(s)
# - # -
mail_server_ips="" mail_server_ips=""


@ -313,6 +313,25 @@ for _ip in $forward_smtpd_ips ; do
done done
# ---
# Additional SMTP Listen Ports
# ---
declare -a smtpd_additional_listen_port_arr
for _port in $smtpd_additional_listen_ports ; do
smtpd_additional_listen_port_arr+=("$_port")
done
# ---
# Additional SMTP Outgoing Ports
# ---
declare -a smtpd_additional_outgoung_port_arr
for _port in $smtpd_additional_outgoung_ports ; do
smtpd_additional_outgoung_port_arr+=("$_port")
done
# --- # ---
# - IP Addresses XMPP Service (Jabber - Prosody) # - IP Addresses XMPP Service (Jabber - Prosody)
# --- # ---
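Review bot: The two port lists are split and appended without any validation, so a stray token in `smtpd_additional_listen_ports` or `smtpd_additional_outgoung_ports` ends up verbatim in `--dport $_port` when the firewall scripts run, and iptables then fails part-way through rule loading. A guard at the top of each loop, `[[ "$_port" =~ ^[0-9]+$ ]] && (( _port >= 1 && _port <= 65535 )) || { echo "ignoring invalid smtp port: $_port" >&2 ; continue ; }`, keeps bad entries out of the rule set (fail closed) while still reporting them. `declare -a name` does not reset an array that already exists, so if this file is ever sourced twice in one process the entries accumulate; `declare -a smtpd_additional_listen_port_arr=()` makes the initial state explicit.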


@ -547,9 +547,9 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: " $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: " $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
fi fi
fi fi
@ -719,6 +719,75 @@ else
fi fi
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
if [[ -n "$drop_mndp" ]] && $drop_mndp ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mndp || $log_all ; then
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
fi
fi
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Drop Multicast DNS Traffic
# -------------
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
echononl "\tDrop Multicast DNS Traffic"
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mdns || $log_all ; then
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
fi
fi
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Don't allow spoofing out from this server # - Don't allow spoofing out from this server
# --- # ---
@ -1671,6 +1740,29 @@ done
echo_done echo_done
# ---
# - Mail (additional smtp ports OUT)
# ---
echononl "\t\tMail (additional smtp ports OUT)"
if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Mail SMTP Server (Port 25) including Spam Control # - Mail SMTP Server (Port 25) including Spam Control
# --- # ---
@ -1727,6 +1819,29 @@ else
fi fi
# ---
# - Mail (additional smtp ports IN)
# ---
echononl "\t\tMail (additional smtp ports IN)"
if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_listen_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Mailservice (Submission/SMTPS/POP/IMAP Server) # - Mailservice (Submission/SMTPS/POP/IMAP Server)
# --- # ---
@ -2371,6 +2486,38 @@ else
fi fi
# ---
# - LDAP out only
# ---
echononl "\t\tLDAP out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - LDAPS out only
# ---
echononl "\t\tLDAPS out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# --- # ---
# - Whois out only # - Whois out only
# --- # ---
@ -2620,11 +2767,11 @@ echo
echononl "\tLogging all rejected traffic" echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
#$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
#$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " $ip6t -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " $ip6t -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " $ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
if $kernel_forward_between_interfaces ; then if $kernel_forward_between_interfaces ; then
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: " #$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): " $ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
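Review bot: In the MNDP and mDNS hunks the logging condition `if $log_mndp || $log_all ; then` (likewise `$log_mdns`) has no guard for an unset variable, unlike the `[[ -n "$drop_mndp" ]]` check a few lines above it: on a host whose /etc logging config predates this change `$log_mndp` expands to nothing, a bare empty expansion has exit status 0, and the LOG rules are installed unintentionally. Defaulting the flags before use, `: "${log_mndp:=false}"` and `: "${log_mdns:=false}"`, or guarding them the same way as the drop flags, closes that. The LDAP and LDAPS hunk opens outbound 389 and 636 on every external interface unconditionally, whereas the neighbouring service blocks sit behind a setting; a config switch for it would keep the egress allow-list explicit and let hosts with no directory dependency leave it closed. The IPv4 counterpart in this compare shares the unguarded log flags, matches MNDP INPUT on `--sport` where this script uses `--dport`, logs mDNS INPUT on `--sport` but drops it on `--dport` so the logged and dropped packets are not the same set, and its FORWARD ban-list prefix ends in a doubled colon (`ban_ipv4.list::`). In the last hunk the OUTPUT end-of-firewall log is narrowed to `-p tcp ! --tcp-flags ACK,FIN ACK,FIN` and `-p udp`, so rejected ICMPv6 or any other protocol leaving the host no longer appears in the log while INPUT and FORWARD still log every protocol; if that is intended, a one-line comment saying so would help the next reader.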


@ -675,9 +675,9 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:" $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list:"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:" $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list::"
fi fi
fi fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP $ipt -A INPUT -i $_dev -s $_ip -j DROP
@ -863,6 +863,72 @@ else
fi fi
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mndp || $log_all ; then
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
fi
fi
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Drop Multicast DNS Traffic
# -------------
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
echononl "\tDrop Multicast DNS Traffic"
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
for _dev in ${ext_if_arr[@]} ; do
if $log_mdns || $log_all ; then
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
$ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
fi
fi
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
fi
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Don't allow spoofing from that server # - Don't allow spoofing from that server
# --- # ---
@ -1837,6 +1903,29 @@ done
echo_done echo_done
# ---
# - Mail (additional smtp ports OUT)
# ---
echononl "\t\tMail (additional smtp ports OUT)"
if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Mail SMTP Server (Port 25) including Spam Control # - Mail SMTP Server (Port 25) including Spam Control
# --- # ---
@ -1893,6 +1982,29 @@ else
fi fi
# ---
# - Mail (additional smtp ports IN)
# ---
echononl "\t\tMail (additional smtp ports IN)"
if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
for _port in ${smtpd_additional_listen_port_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Mailservice (Submission/SMTPS/POP/IMAP Server) # - Mailservice (Submission/SMTPS/POP/IMAP Server)
# --- # ---
@ -2535,6 +2647,38 @@ else
fi fi
# ---
# - LDAP out only
# ---
echononl "\t\tLDAP out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - LDAPS out only
# ---
echononl "\t\tLDAPS out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# --- # ---
@ -2781,15 +2925,16 @@ echo
echononl "\tLogging all rejected traffic" echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" $ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" $ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
if $kernel_activate_forwarding ; then if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
fi fi
echo_done echo_done
else else
echo_skipped echo_skipped