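#!/usr/bin/env bash

## - Configuration file for the IPv6 firewall scripts
## -    ipt-firewall-gateway
## -    ipt-firewall-flush
## -
## - This file is sourced by those scripts. It only assigns variables,
## - builds the *_arr arrays from them and defines a few output helpers;
## - no ip6tables rule is created here.
#######################################################################
# -------------------------- Configuration -------------------------- #

# -------------
# --- Define programs
# -------------

# - Absolute path, so the rule set does not depend on a PATH lookup.
ip6t="/sbin/ip6tables"

# - Resolved with the POSIX 'command -v' instead of 'which': same result
# - (full path, or empty with non-zero status when the tool is missing),
# - but no error noise on stderr when fail2ban is not installed.
fail2ban_client="$(command -v fail2ban-client)"

# -------------
# --- Logging
# -------------
# - Each switch enables logging for one class of dropped/rejected traffic.
# - All off by default; turn on selectively, every match writes to syslog.

log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false

# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug

# - Prefix put in front of every log message (makes grepping the
# - IPv6 rule set apart from the IPv4 one easy).
# -
log_prefix="IPv6:"

# -------------
# --- Network Interfaces
# -------------

# - External interface(s)
# -
# - Unused slots stay empty; ext_ifs is the blank separated union and is
# - what the array builder further down reads.
#
ext_if_1=""
ext_if_2=""
ext_if_3=""
ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"

# - Is this a virtual system?
host_is_vm=false

# - Prevent bridged traffic getting pushed through the
# - host's ip6tables rules. When set to true, frames that are only
# - bridged by this host are NOT inspected by this rule set.
# -
# - Note: maybe you also have to activate forwarding
# -
# -      Set: kernel_forward_between_interfaces=true
# -
do_not_firewall_bridged_traffic=false

# - VPN Interfaces
# -
# - Note: the vpn_if_arr builder below splits this value on blanks,
# -       not on commas, so give a blank separated list.
vpn_ifs=""

# - Local Interfaces
local_if_1=""
local_if_2=""
local_if_3=""
local_ifs="$local_if_1 $local_if_2 $local_if_3"

# -------------
# --- Interfaces completely blocked
# -------------

# - Interfaces to block (note: ALL traffic on them will be blocked)
# -
# - Example: eth1 is used for the DSL line, which shows up as an extra
# -    interface (maybe ppp0). A further use of eth1 (which would
# -    be possible) is not configured at this time, so you can block it.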
# -   blocked_ifs="eth1"
# -
blocked_ifs=""

# -------------
# --- Interfaces not firewalled
# -------------

# - Note:
# -    Can be (for example) an interface whose complete traffic is
# -    already protected by a firewall on another system in the local
# -    network. Interfaces listed here are exempt from this rule set,
# -    so only use it where that other protection really exists.
# -
unprotected_ifs=""

# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------

# - Maybe useful in case of virtual hosts with private addresses or
# - if using a VPN to forward into private address ranges.
# -
# - Note: these rules take effect before the rules that protect against
# -       unwanted packets, e.g. blocking private addresses on
# -       external interfaces.
# -
# - Note: networks can be given in CIDR notation, e.g. "fd00:1::/64".
# -       This is an IPv6 rule set (ip6tables); an IPv4 range such as
# -       "192.168.2.0/24" is not valid here.
# -
forward_private_ips=""

# -------------
# --- Define Ports for Services
# -------------

# - Web Server Ports (comma separated)
# -
http_ports="80,443"

# - FTP Server passive port range (iptables range syntax low:high)
# -
ftp_passive_port_range="50000:50400"

# - Mail Client Ports (Submission/SMTPS/POP3S/IMAPS), comma separated
# -
mail_user_ports="587,465,110,995,143,993"

# - SSH Ports
# -
# - NOTE(review): the original comment said "comma separated list", but
# - the ssh_port_arr builder further down splits this value on blanks.
# - Confirm which form ipt-firewall-gateway expects before listing more
# - than one port.
ssh_ports="22"

# - VPN Service ports (blank separated, see vpn_port_arr below)
vpn_ports="1194 1195"

# - Mumble Server
# -
mumble_ports="64738"

# - XyMon Service (usually TCP port 1984)
# -
# - NOT YET IMPLEMENTED
# -
xymon_port=1984

# - Munin Server Port (usually TCP port 4949)
# -
munin_remote_port="4949"

# -------------
# --- IP-Addresses
# -------------

# - External IP addresses of this host
# -
# - Note: the ext_*_ip variables below are commented out, so ext_ips
# -       only contains blanks. If the firewall script runs with
# -       'set -u' this line fails because the variables are unset.
# -
# NOT IN USE ext_1_ip=""
# NOT IN USE ext_2_ip=""
# NOT IN USE ext_3_ip=""
ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"

# NOT IN USE local_1_ip=""
# NOT IN USE local_2_ip=""
# NOT IN USE local_3_ip=""

# -------------
# ---- Restrict local Service to given (extern) IP-Address/Network
# -------------

# - restrict_local_service_to_net
# -
# - restrict_local_service_to_net="ext-net,local-address,port,protocol"
# -
# - Note:
# - =====
# -   - Only 'tcp' and 'udp' are allowed values for protocol.
# -   - Traffic received on NATted interfaces will be omitted!
# -
# - Use this parameter to give (only) some external networks access to
# - selected local services.
# -
# - Example:
# -   allow access from 2003:45:4612:3a00::/56 to the tcp service at
# -     2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
# -   allow access from 2a01:30:1fff:fd00::/64 to the https service at
# -     2a01:30:0:13:211:84ff:feb7:7f9c
# -
# -   restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
# -                                  2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
# -
# - Blank separated list (one "ext-net,local-address,port,protocol"
# - tuple per entry; the tuple itself is comma separated, no blanks).
# -
restrict_local_service_to_net=""

# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------

# - restrict_local_net_to_net
# -
# - restrict_local_net_to_net="<src-net>,<dst-net> [<src-net>,<dst-net>] [..]"
# -
# - All traffic from the given first network to the given second network
# - is allowed.
# -
# - Note:
# - =====
# -   - Traffic received on NATted interfaces will be omitted!
# -   - If you want to allow both directions, you have to make two
# -     entries - one for every direction.
# -
# - Example:
# -   restrict_local_net_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
# -                              2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
# -
# - Blank separated list
# -
restrict_local_net_to_net=""

# -------------
# ---- Allow extern Service
# -------------

# - allow_ext_service
# -
# - allow_ext_service="<ext-net>,<port>,<protocol> [<ext-net>,<port>,<protocol> [..]]"
# -
# - Allow all traffic to the given external service. Only the protocols
# - 'tcp' and 'udp' are allowed.
# -
# - Example:
# -   - allow_ext_service="
# -        2a01:4f8:221:3b4e::247,8443,tcp
# -        2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp
# -     "
# -   - allow_ext_service="
# -        ::/0,8443,tcp
# -        ::/0,8080,tcp
# -     "
# -
# - Note:
# - =====
# -   To allow traffic on a certain port to all external networks, set
# -   the external network to '::/0'. '::/0' matches every IPv6 address,
# -   so the network restriction is effectively removed for that port -
# -   use it deliberately.
# -
# - Blank separated list
# -
allow_ext_service=""

# -------------
# ---- Allow extern IP-Address/Network
# -------------

# - allow_ext_net
# -
# - allow_ext_net="<ext-net> [<ext-net> [..]]"
# -
# - Allow all traffic to the given external network/ip-address.
# -
# - Example:
# -   - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c"
# -   - allow_ext_net="::/0"
# -
# - Note:
# - =====
# -   To allow traffic to all external networks, set the external network
# -   to '::/0'. That matches every IPv6 address, i.e. all traffic to
# -   anywhere is allowed - use it deliberately.
# -
# - Blank separated list
# -
allow_ext_net=""

# -------------
# ---- Allow (non-standard) local Services
# -------------

# - allow_local_service
# -
# - allow_local_service="<port>:<protocol> [<port>:<protocol> [..]]"
# -
# - Allow all traffic to the given local service (from any source).
# -
# - Example:
# -   allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""

# -------------
# --- Services local Network
# -------------
# - Pattern for the pairs below: '<svc>_ips' are addresses of this host
# - (or its containers), 'forward_<svc>_ips' are addresses the traffic is
# - forwarded to (DMZ). Each is a blank separated list of IPv6 addresses.

# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""

# DHCP Server
#
# Interface list for DHCP services. Note: the dhcp_if_arr builder
# further down splits this value on blanks, not on commas.
#
dhcp_server_ifs=""

# - DNS Server
dns_server_ips=""
forward_dns_server_ips=""

# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""

# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""

# - Mail SMTP Server
# -
smtpd_ips=""
forward_smtpd_ips=""

# - Mail Services (smtps/pop(s)/imap(s))
# -
mail_server_ips=""
forward_mail_server_ips=""

# - Mail Client (smtps/pop(s)/imap(s))
# -
mail_client_ips=""
forward_mail_client_ips=""

# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""

# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""

# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""

# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""

# - Remote Munin Server
# -
# - Site-specific default shipped with this file: replace it with the
# - address of your own Munin master, otherwise a foreign host is allowed
# - to reach munin_local_port.
munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
munin_local_port="4949"

# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false

# -------------
# - Protocols Out
# -------------

# - Rsync Protocol
# -
# - Needed for some of the providers integrated in clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"

# -------------
# --- Allow special Ports (OUT)
# -------------
# - Outgoing ports to open in addition to the service ports above.
# - Blank separated lists; '<proto>_out_ports' for this host,
# - 'forward_<proto>_out_ports' for forwarded traffic.

# - TCP Ports
tcp_out_ports=""
forward_tcp_out_ports=""

# - UDP Ports
udp_out_ports=""
forward_udp_out_ports=""

# -------------
# --- Block IP's / IP-Ranges
# -------------
# - Blank separated list of IPv6 addresses/networks to block entirely.
blocked_ips=""

# -------------
# --- Block Ports
# -------------

# - Generally (on all interfaces) block these ports
# -
# - Portmapper
# -    tcp 111
# -    udp 111
# -
# - Authentication tap ident
# -    tcp 113
# -
# - Location Service (MS RPC endpoint mapper)
# -    tcp 135
# -
# - Windows Stuff (NetBIOS / SMB)
# -    tcp 137:139
# -    udp 137:139
# -    tcp 445
# -
# - Blank separated; ranges use the iptables low:high syntax.
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"

# -------------
# - Some special stuff
# -------------
create_traffic_counter=true
# - NOTE(review): defaults to true. What these rules open is defined in
# - the firewall script, not here - confirm it is wanted on production
# - hosts before leaving it enabled.
create_iperf_rules=true

# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------

# - Disable IP forwarding between interfaces
# -
kernel_forward_between_interfaces=false

# - Deactivate source routed packets
# -
# - Source routing lets the sender dictate the path of a packet and is a
# - classic spoofing aid; keep it disabled unless you really need it.
kernel_deactivate_source_route=true

# - Do not accept ICMPv6 redirects
# -
# - Redirects are used by routers to tell a host about a better next hop,
# - so they change the way packets are routed. Accepting them from an
# - untrusted neighbour allows on-link traffic redirection.
# - NOTE(review): the variable name says "accept", while the original
# - comment spoke of "sending" redirects - confirm which sysctl the
# - firewall script actually toggles.
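# -
kernel_dont_accept_redirects=true

# -------------
# --- Some further Ports/IP-Address Configuration
# -------------

# - Unprivileged (non-root) port range
# -
unprivports="1024:65535"

# - Unique Local Addresses (ULA, RFC 4193) - the IPv6 "private" block.
# - fc00::/7 covers both fc00::/8 and fd00::/8.
ula_block="fc00::/7"

# - Loopback address
loopback="::1/128"

# ----------------------- End: Configuration ----------------------- #
######################################################################

## ====================================
## - Don't make changes after this Line
## ====================================

# -----------
# --- Define Arrays
# -----------
# - Every *_arr below is filled by word-splitting the matching
# - configuration string on whitespace (an empty string yields an empty
# - array). Nothing is validated here; the values are handed to the
# - firewall script as given.

# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container))
# ---
# - The original declared ext_ip_arr but appended to host_ip_arr. Both
# - names are declared and filled with the same values, so whichever one
# - the firewall script reads is populated.
declare -a ext_ip_arr
declare -a host_ip_arr
for _ip in $ext_ips ; do
  ext_ip_arr+=("$_ip")
  host_ip_arr+=("$_ip")
done

# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr
for _dev in $ext_ifs ; do
  ext_if_arr+=("$_dev")
done

# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
  vpn_if_arr+=("$_dev")
done

# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
  local_if_arr+=("$_dev")
done

# ---
# - Network Interfaces completely blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
  blocked_if_arr+=("$_dev")
done

# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
  unprotected_if_arr+=("$_dev")
done

# ---
# - Restrict local Service to given IP-Address/Network
# - (each element is one "ext-net,local-address,port,protocol" tuple)
# ---
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
  restrict_local_service_to_net_arr+=("$_val")
done

# ---
# - Restrict local Network to given IP-Address/Network
# - (each element is one "src-net,dst-net" tuple)
# ---
declare -a restrict_local_net_to_net_arr
for _val in $restrict_local_net_to_net ; do
  restrict_local_net_to_net_arr+=("$_val")
done

# ---
# - Allow extern Service
# - (each element is one "ext-net,port,protocol" tuple)
# ---
declare -a allow_ext_service_arr
for _val in $allow_ext_service ; do
  allow_ext_service_arr+=("$_val")
done

# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr
for _net in $allow_ext_net ; do
  allow_ext_net_arr+=("$_net")
done

# ---
# - Allow (non-standard) local Services
# - (each element is one "port:protocol" pair)
# ---
declare -a allow_local_service_arr
for _val in $allow_local_service ; do
  allow_local_service_arr+=("$_val")
done

# ---
# - Generally blocked ports
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
  block_tcp_port_arr+=("$_port")
done

declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
  block_udp_port_arr+=("$_port")
done

# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
  forward_private_ip_arr+=("$_ip")
done

# ---
# - Network Interfaces DHCP Service
# ---
# - Quoted like every other append; the original left "$_dev" unquoted,
# - which would glob-expand an interface name containing '*' or '?'.
declare -a dhcp_if_arr
for _dev in $dhcp_server_ifs ; do
  dhcp_if_arr+=("$_dev")
done

# ---
# - IP Addresses DNS Server
# ---
# - local
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
  dns_server_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_dns_server_ip_arr
for _ip in $forward_dns_server_ips ; do
  forward_dns_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses VPN Server
# ---
# - local
declare -a vpn_server_ip_arr
for _ip in $vpn_server_ips ; do
  vpn_server_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_vpn_server_ip_arr
for _ip in $forward_vpn_server_ips ; do
  forward_vpn_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses SSH Server
# ---
# - local
declare -a ssh_server_ip_arr
for _ip in $ssh_server_ips ; do
  ssh_server_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_ssh_server_ip_arr
for _ip in $forward_ssh_server_ips ; do
  forward_ssh_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses HTTP Server
# ---
# - local
declare -a http_server_ip_arr
for _ip in $http_server_ips ; do
  http_server_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_http_server_ip_arr
for _ip in $forward_http_server_ips ; do
  forward_http_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses FTP Server
# ---
# - local
declare -a ftp_server_ip_arr
for _ip in $ftp_server_ips ; do
  ftp_server_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_ftp_server_ip_arr
for _ip in $forward_ftp_server_ips ; do
  forward_ftp_server_ip_arr+=("$_ip")
done

# ---
# - Mail SMTP Server
# ---
# - local (array name kept as smtpd_ips_arr for compatibility)
declare -a smtpd_ips_arr
for _ip in $smtpd_ips ; do
  smtpd_ips_arr+=("$_ip")
done
# - DMZ
declare -a forward_smtpd_ip_arr
for _ip in $forward_smtpd_ips ; do
  forward_smtpd_ip_arr+=("$_ip")
done

# ---
# - Mail Services (smtps/pop(s)/imap(s))
# ---
# - local (array name kept as mail_server_ips_arr for compatibility)
declare -a mail_server_ips_arr
for _ip in $mail_server_ips ; do
  mail_server_ips_arr+=("$_ip")
done
# - DMZ
declare -a forward_mail_server_ip_arr
for _ip in $forward_mail_server_ips ; do
  forward_mail_server_ip_arr+=("$_ip")
done

# ---
# - Mail client (smtps/pop(s)/imap(s))
# ---
# - local (array name kept as mail_client_ips_arr for compatibility)
declare -a mail_client_ips_arr
for _ip in $mail_client_ips ; do
  mail_client_ips_arr+=("$_ip")
done
# - DMZ
declare -a forward_mail_client_ip_arr
for _ip in $forward_mail_client_ips ; do
  forward_mail_client_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Mumble Server
# ---
# - local
declare -a mumble_server_ip_arr
for _ip in $mumble_server_ips ; do
  mumble_server_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_mumble_server_ip_arr
for _ip in $forward_mumble_server_ips ; do
  forward_mumble_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Telephone Systems
# ---
# - tel_sys_ips is not defined in the configuration section of this file;
# - "${tel_sys_ips-}" keeps the loop from aborting under 'set -u' while
# - behaving exactly like the bare expansion otherwise.
declare -a tel_sys_ip_arr
for _ip in ${tel_sys_ips-} ; do
  tel_sys_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Munin
# ---
# - local
declare -a munin_server_ip_arr
for _ip in $munin_server_ips ; do
  munin_server_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_munin_server_ip_arr
for _ip in $forward_munin_server_ips ; do
  forward_munin_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
  xymon_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Rsync Out
# ---
# - local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
  rsync_out_ip_arr+=("$_ip")
done
# - DMZ
declare -a forward_rsync_out_ip_arr
for _ip in $forward_rsync_out_ips ; do
  forward_rsync_out_ip_arr+=("$_ip")
done

# ---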
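# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
  ssh_port_arr+=("$_port")
done

# ---
# - VPN Ports
# ---
# - local
declare -a vpn_port_arr
for _port in $vpn_ports ; do
  vpn_port_arr+=("$_port")
done

# ---
# - Rsync Out Ports
# ---
declare -a rsync_port_arr
for _port in $rsync_ports ; do
  rsync_port_arr+=("$_port")
done

# ---
# - Special TCP Ports OUT
# ---
# - local
declare -a tcp_out_port_arr
for _port in $tcp_out_ports ; do
  tcp_out_port_arr+=("$_port")
done
# - DMZ
declare -a forward_tcp_out_port_arr
for _port in $forward_tcp_out_ports ; do
  forward_tcp_out_port_arr+=("$_port")
done

# ---
# - Special UDP Ports OUT
# ---
# - local
declare -a udp_out_port_arr
for _port in $udp_out_ports ; do
  udp_out_port_arr+=("$_port")
done
# - DMZ
declare -a forward_udp_out_port_arr
for _port in $forward_udp_out_ports ; do
  forward_udp_out_port_arr+=("$_port")
done

# -------------
# --- Some functions
# -------------

## - Print "$*" to stderr without a trailing newline (escape sequences
## - are interpreted as by 'echo -e').
## -
## - The probe checks whether this shell's echo honours '\c' (stop
## - output); if it does, '\c' is appended instead of relying on '-n'.
## - The probe result is captured in a variable. The original wrote it
## - to the predictable path /tmp/shprompt$$ - a symlink/pre-creation
## - race for a script that runs as root - and spawned wc + awk.
## -
echononl() {
  local probe
  probe="$(echo X\\c)"
  # - echo interpreted '\c': output is just "X" (1 char, no newline)
  if [ "${#probe}" -eq 1 ]; then
    echo -e -n "$*\\c" 1>&2
  else
    echo -e -n "$*" 1>&2
  fi
}

## - Status markers, printed at column 75 of the current line (ANSI
## - cursor positioning), green for success, bold yellow for warnings,
## - bold red for failure.
## -
echo_done() {
  echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
  echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
  echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed() {
  echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
  echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}

## - Print a fatal error message and terminate the (sourcing) script
## - with exit status 1.
## -
fatal() {
  echo ""
  echo -e "fatal Error: $*"
  echo ""
  echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
  echo ""
  exit 1
}

## - Message helpers: blank line, tagged message, blank line, on stdout.
## - (The "Fehler" tag is German for "error"; kept as is because callers
## - and log consumers may match on it.)
## -
error() {
  echo ""
  echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
  echo ""
}
warn() {
  echo ""
  echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
  echo ""
}
info() {
  echo ""
  echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
  echo ""
}

## - Check if a given array contains a given string.
## -
## - Arguments: $1 - the string to look for
## -            $2.. - the array elements ("${arr[@]}")
## - Returns:   0 if found, 1 otherwise
## -
containsElement() {
  local e
  for e in "${@:2}"; do
    [[ "$e" == "$1" ]] && return 0
  done
  return 1
}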