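#!/usr/bin/env bash
## - Configuration file for firewall script IPv4
## -
## - Used by:
## -   ipt-firewall-gateway
## -   ipt-firewall-flush
## -
## - This file only assigns variables.  The section after
## - "End: Configuration" turns the blank separated lists into bash
## - arrays and defines a few output helpers.  The firewall scripts
## - decide what each setting does; nothing here touches iptables.
## -
#######################################################################
# -------------------------- Configuration -------------------------- #

# -------------
# --- Define programs
# -------------

# - iptables binary used for every rule
# -
ipt="/sbin/iptables"

# - fail2ban client, looked up on PATH with the 'command -v' builtin
# - (the external 'which' program is not installed everywhere).
# - Empty when fail2ban is not installed.
# -
fail2ban_client="$(command -v fail2ban-client)"

# -------------
# --- Logging
# -------------

# - Per category logging switches (true/false).  Which rules honour
# - each switch is decided in the firewall script.
# -
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=false
log_ssh=false

# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug

# - Prefix for logged messages
# -
log_prefix="IPv4:"

# -------------
# --- Network Interfaces
# -------------

# - External interface(s)
# -
ext_if_1=""
ext_if_2=""
ext_if_3=""
ext_ifs="$ext_if_1 $ext_if_2 $ext_if_3"

# - Is this a virtual system?
# -
host_is_vm=false

# - Prevent bridged traffic getting pushed through the
# - host's iptables rules
# -
# - Note: you may also have to activate forwarding:
# -
# -   kernel_activate_forwarding=true
# -
do_not_firewall_bridged_traffic=false

# - VPN Interfaces
# -
# - Blank separated list.  The array vpn_if_arr built from this value
# - further down splits on whitespace, so "tun0,tun1" would be kept
# - as ONE entry (the original comment said "comma separated").
# -
vpn_ifs=""

# - Local Interfaces
# -
local_if_1=""
local_if_2=""
local_if_3=""
local_ifs="$local_if_1 $local_if_2 $local_if_3"

# -------------
# --- Interfaces completely blocked
# -------------

# - Interfaces to block (note: they will all be blocked)
# -
# - Example: eth1 is used for the DSL line, which becomes an extra
# -   interface (maybe ppp0). A further use of eth1 (which would
# -   be possible) is not configured at the moment, so you can
# -   block it:
# -
# -   blocked_ifs="eth1"
# -
# - Blank separated list
# -
blocked_ifs=""

# -------------
# --- Interfaces not firewalled
# -------------

# - Note:
# -   Can be (for example) an interface whose (complete) traffic is
# -   protected by a firewall on another system in the local area.
# -   Only list interfaces whose traffic you trust completely.
# -
# - Blank separated list
# -
unprotected_ifs=""

# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------

# - Maybe useful in case of virtual hosts with private addresses or
# - if using a vpn network to forward into private areas.
# -
# - Note: these rules take effect BEFORE the rules that protect
# -   against unwanted packets, e.g. blocking private addresses on
# -   external interfaces - an entry here therefore opens a hole in
# -   those protections for the listed range.
# -
# - Note: you can specify networks using CIDR notation
# -   like "192.168.2.0/24"
# -
# - Blank separated list
# -
forward_private_ips=""

# -------------
# --- Define Ports for Services
# -------------

# - Web Server Ports (comma separated)
# -
http_ports="80,443"

# - FTP Servers Passive Portrange
# -
ftp_passive_port_range="50000:50400"

# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS), comma separated
# -
mail_user_ports="587,465,110,995,143,993"

# - SSH Ports
# -
# - NOTE(review): the original comment said "comma separated list",
# - but the array ssh_port_arr built from this value below splits on
# - blanks, so "22,2222" becomes a single element.  Check which form
# - the firewall script expects before listing more than one port.
# -
ssh_ports="22"

# - VPN Service (blank separated)
# -
vpn_ports="1194 1195"

# - Mumble Server
# -
mumble_ports="64738"

# - XyMon Service (usually TCP port 1984)
# -
# - NOT YET IMPLEMENTED
# -
xymon_port=1984

# - Munin Server Port (usually TCP port 4949)
# -
munin_remote_port="4949"

# -------------
# --- IP Addresses of this Host
# -------------

# - External IP Addresses on this Host
# -
# - NOT IN USE
# -
ext_1_ip=""
ext_2_ip=""
ext_3_ip=""
ext_ips="$ext_1_ip $ext_2_ip $ext_3_ip"

# - Local IP Addresses on this Host
# -
# - NOT IN USE
# - (the original assigned local_2_ip twice; the second assignment
# -  is local_3_ip here)
# -
local_1_ip=""
local_2_ip=""
local_3_ip=""

broadcast_ips=""

# -------------
# ---- Restrict local Service to given (extern) IP-Address/Network
# -------------

# - restrict_local_service_to_net
# -
# -   restrict_local_service_to_net="ext-net:local-address:port:protocol"
# -
# - Note:
# - =====
# -   - Only 'tcp' and 'udp' are allowed values for protocol.
# -   - Traffic received on natted interfaces will be omitted!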
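# -
# - Use this parameter to give (only) some external networks access
# - to specific local services.
# -
# - Example:
# -   allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
# -   allow access from 86.73.85.0/24 to https service at 83.223.86.98
# -
# -   restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp
# -                                  86.73.85.0/24:83.223.86.98:443:tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""

# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------

# - restrict_local_net_to_net
# -
# -   restrict_local_net_to_net="src-net:dst-net [src-net:dst-net ..]"
# -
# - All traffic from the given first network to the given second
# - network is allowed.
# -
# - Note:
# - =====
# -   - Traffic received on natted interfaces will be omitted!
# -   - If you want to allow both directions, you have to make two
# -     entries - one for every direction.
# -
# - Example (the original example used the wrong variable name):
# -   restrict_local_net_to_net="86.223.85.0/24:86.223.73.192/26
# -                              83.223.86.96/32:86.223.73.0/24"
# -
# - Blank separated list
# -
restrict_local_net_to_net=""

# -------------
# ---- Allow extern Service
# -------------

# - allow_ext_service
# -
# -   allow_ext_service="ext-net:port:protocol [ext-net:port:protocol ..]"
# -
# - Allow all traffic to the given external service. Only the
# - protocols 'tcp' and 'udp' are allowed.
# -
# - Example:
# -   allow_ext_service="
# -     80.152.216.128:9998:tcp
# -     80.152.216.128:8443:tcp
# -   "
# -   allow_ext_service="
# -     0/0:8443:tcp
# -     0/0:8080:tcp
# -   "
# -
# - Note:
# - =====
# -   To allow traffic on a certain port to all external networks,
# -   set the external network to '0/0'.  Prefer a concrete network
# -   wherever possible - '0/0' permits that port towards every
# -   destination.
# -
# - Blank separated list
# -
allow_ext_service=""

# -------------
# ---- Allow extern IP-Address/Network
# -------------

# - allow_ext_net
# -
# -   allow_ext_net="ext-net [ext-net ..]"
# -
# - Allow all traffic to the given external network/ip-address.
# -
# - Example:
# -   allow_ext_net="80.152.216.128 84.140.157.102"
# -   allow_ext_net="0/0"
# -
# - Note:
# - =====
# -   To allow traffic to all external networks, set the external
# -   network to '0/0'.  Since this allows ALL traffic to the given
# -   network, '0/0' means unrestricted outbound traffic - use it
# -   only if that is really what you want.
# -
# - Blank separated list
# -
allow_ext_net=""

# -------------
# ---- Allow (non-standard) local Services
# -------------

# - allow_local_service
# -
# -   allow_local_service="port:protocol [port:protocol ..]"
# -
# - Allow all traffic to the given local service.
# -
# - Example:
# -   allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""

# -------------
# --- Services local Network
# -------------
# - Each service has two blank separated lists: "<service>_ips"
# - (labelled "local" in the array section) and
# - "forward_<service>_ips" (labelled "DMZ" there - presumably hosts
# - reached through forwarding; confirm in the firewall script).

# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""

# - DHCP Server
# -
# - Interface list for DHCP services.  Blank separated: the array
# - dhcp_if_arr built from it splits on whitespace (the original
# - comment said "comma separated", which would yield one entry).
# -
dhcp_server_ifs=""

# - DNS Server
# -
dns_server_ips=""
forward_dns_server_ips=""

# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""

# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""

# - Mail SMTP Server
# -
smtpd_ips=""
forward_smtpd_ips=""

# - Mail Services (smtps/pop(s)/imap(s))
# -
mail_server_ips=""
forward_mail_server_ips=""

# - Mail Client (smtps/pop(s)/imap(s))
# -
mail_client_ips=""
forward_mail_client_ips=""

# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""

# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""

# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""

# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""

# - Remote Munin Server
# -
# - NOTE(review): this ships with a specific public address as the
# - default.  Replace it with the address of your own Munin master
# - before use - otherwise whatever the firewall script grants to the
# - remote Munin server is granted to an unrelated host.
# -
munin_remote_ip="83.223.86.99"
munin_local_port="4949"

# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false

# -------------
# - Protocols Out
# -------------

# - Rsync Protocol
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"

# -------------
# --- Allow special Ports (OUT)
# -------------

# - TCP Ports (blank separated)
# -
tcp_out_ports=""
forward_tcp_out_ports=""

# - UDP Ports (blank separated)
# -
udp_out_ports=""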
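forward_udp_out_ports=""

# -------------
# --- Block IP's / IP-Ranges
# -------------

# - IP addresses / ranges to block.  The entries below are the
# - original default list; address allocations change over time, so
# - keep the list maintained (or empty it) instead of trusting it
# - blindly.
# -
# -   222.184.0.0/13  CHINANET-JS
# -   61.160.0.0/16   CHINANET-JS
# -   116.8.0.0/14    CHINANET-GX
# -
# - Blank separated list
# -
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"

# -------------
# --- Block Ports
# -------------

# - Generally (for all interfaces) block these ports
# -
# - Portmapper
# -   tcp 111
# -   udp 111
# -
# - Authentication tap ident
# -   tcp 113
# -
# - Location Service
# -   tcp 135
# -
# - Windows Stuff
# -   tcp 137:139
# -   udp 137:139
# -   tcp 445
# -
# - Blank separated lists; "a:b" is a port range
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"

# -------------
# - Some special stuff
# -------------

# - NOTE(review): both default to true.  This file does not show
# - which rules they generate - check in the firewall script what
# - create_iperf_rules opens before leaving it enabled on a
# - production gateway.
# -
create_traffic_counter=true
create_iperf_rules=true

# -------------
# --- Router ?
# -------------

# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces.  With
# - forwarding enabled this host routes packets for other machines.
# -
kernel_activate_forwarding=false

# - Activate kernel support for dynamic IP addresses
# - (not needed in case of static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# -   1: To enable
# -   2: To enable verbosity
# -   4: To enable RST-provoking
# -   8: To enable asymmetric routing work-around [**]
# -
# - [*]  At boot, by default no address rewriting is attempted.
# - [**] This code is currently totally untested.
# -
# - Flags can be combined by adding them. Common settings
# - would be:
# -
# -   To enable rewriting in quiet mode:
# -     # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# -   To enable rewriting in verbose mode:
# -     # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# -   To enable quiet RST-provoking mode (1+4):
# -     # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# -   ...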
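# -
kernel_support_dynaddr=false

# - Flag value for ip_dynaddr when kernel_support_dynaddr is true
# - (5 = enable + RST-provoking, see the table above)
# -
dynaddr_flag="5"

# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------
# - All switches are true/false.  This file only defines them; the
# - corresponding sysctl writes happen in the firewall script.

# - Reduce DoS'ing ability by reducing timeouts
# -
kernel_reduce_timeouts=true

# - Hardening TCP/IP Stack Against SYN Floods
# -
# - Enabling syn cookies protects against the common 'syn flood attack'
# -
kernel_tcp_syncookies=true

# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true

# - Ignore Broadcast Pings
# -
kernel_ignore_broadcast_ping=true

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths
# - out of one network, based on the host's choice, so basically they
# - affect the way packets are routed and their destinations.
# -
# - NOTE(review): the variable name says "don't accept", the original
# - comment said "deactivate sending".  Which sysctl(s) this toggles
# - (accept_redirects, send_redirects or both) is decided in the
# - firewall script - check there before relying on either reading.
# -
kernel_dont_accept_redirects=true

# - Activate Reverse Path Filtering (Antispoofing)
# -
# - Reverse path filtering makes the kernel drop packets whose source
# - address does not match the interface they arrived on.  This helps
# - to ensure that packets carry legitimate source addresses and thus
# - prevents IP spoofing.  It has to be enabled for all
# - net/ipv4/conf/* entries, otherwise source validation is not fully
# - effective.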
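# -
kernel_activate_rp_filter=true

# - Logging of spoofed (source routed / redirect) packets ("martians")
# -
kernel_log_martians=false

# -------------
# --- Some further Ports/IP-Address Configuration
# -------------

# - Unprivileged ports
# -
unprivports="1024:65535"

# - Loopback
# -
loopback="127.0.0.0/8"

# - Private Networks (RFC 1918)
# -
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"

# - Multicast Addresses
# -
class_d_multicast="224.0.0.0/4"

# - Reserved Addresses
# -
# - NOTE(review): 240.0.0.0/5 covers 240.0.0.0 - 247.255.255.255
# - only.  The complete reserved block is 240.0.0.0/4, but that would
# - also include the limited broadcast address 255.255.255.255, so
# - the /5 may well be deliberate - confirm before changing it.
# -
class_e_reserved="240.0.0.0/5"

# ----------------------- End: Configuration ----------------------- #
######################################################################

## ====================================
## - Don't make changes after this Line
## ====================================

# -----------
# --- Define Arrays
# -----------
# - Every blank separated list above is turned into a bash array here
# - by plain word splitting.  Entries must therefore not contain
# - whitespace, and a comma separated value stays a single entry.

# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container))
# ---
# - The original declared ext_ip_arr but appended to host_ip_arr, so
# - ext_ip_arr was always empty.  Both arrays are filled now: users
# - of host_ip_arr keep working, ext_ip_arr holds the same entries.
declare -a ext_ip_arr
declare -a host_ip_arr
for _ip in $ext_ips ; do
  ext_ip_arr+=("$_ip")
  host_ip_arr+=("$_ip")
done

# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr
for _dev in $ext_ifs ; do
  ext_if_arr+=("$_dev")
done

# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
  vpn_if_arr+=("$_dev")
done

# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
  local_if_arr+=("$_dev")
done

# ---
# - Network Interfaces completely blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
  blocked_if_arr+=("$_dev")
done

# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
  unprotected_if_arr+=("$_dev")
done

# ---
# - Restrict local Service to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
  restrict_local_service_to_net_arr+=("$_val")
done

# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr
for _val in $restrict_local_net_to_net ; do
  restrict_local_net_to_net_arr+=("$_val")
done

# ---
# - Allow extern Service
# ---
declare -a allow_ext_service_arr
for _val in $allow_ext_service ; do
  allow_ext_service_arr+=("$_val")
done

# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr
for _net in $allow_ext_net ; do
  allow_ext_net_arr+=("$_net")
done

# ---
# - Allow (non-standard) local Services
# ---
declare -a allow_local_service_arr
for _val in $allow_local_service ; do
  allow_local_service_arr+=("$_val")
done

# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
  block_tcp_port_arr+=("$_port")
done

declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
  block_udp_port_arr+=("$_port")
done

# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
  forward_private_ip_arr+=("$_ip")
done

# ---
# - Network Interfaces DHCP Service
# ---
# - (quoted now - the original appended $_dev unquoted, which would
# -  glob-expand an entry containing '*' or '?')
declare -a dhcp_if_arr
for _dev in $dhcp_server_ifs ; do
  dhcp_if_arr+=("$_dev")
done

# ---
# - IP Addresses DNS Server
# ---
# local
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
  dns_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_dns_server_ip_arr
for _ip in $forward_dns_server_ips ; do
  forward_dns_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses VPN Server
# ---
# local
declare -a vpn_server_ip_arr
for _ip in $vpn_server_ips ; do
  vpn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_vpn_server_ip_arr
for _ip in $forward_vpn_server_ips ; do
  forward_vpn_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses SSH Server
# ---
# local
declare -a ssh_server_ip_arr
for _ip in $ssh_server_ips ; do
  ssh_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ssh_server_ip_arr
for _ip in $forward_ssh_server_ips ; do
  forward_ssh_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses HTTP Server
# ---
# local
declare -a http_server_ip_arr
for _ip in $http_server_ips ; do
  http_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_http_server_ip_arr
for _ip in $forward_http_server_ips ; do
  forward_http_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses FTP Server
# ---
# local
declare -a ftp_server_ip_arr
for _ip in $ftp_server_ips ; do
  ftp_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ftp_server_ip_arr
for _ip in $forward_ftp_server_ips ; do
  forward_ftp_server_ip_arr+=("$_ip")
done

# ---
# - Mail SMTP Server
# ---
# - (array names for the mail services end in "_ips_arr" while all
# -  others end in "_ip_arr"; kept as is because the firewall script
# -  refers to them by these names)
# local
declare -a smtpd_ips_arr
for _ip in $smtpd_ips ; do
  smtpd_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_smtpd_ip_arr
for _ip in $forward_smtpd_ips ; do
  forward_smtpd_ip_arr+=("$_ip")
done

# ---
# - Mail Services (smtps/pop(s)/imap(s))
# ---
# local
declare -a mail_server_ips_arr
for _ip in $mail_server_ips ; do
  mail_server_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_server_ip_arr
for _ip in $forward_mail_server_ips ; do
  forward_mail_server_ip_arr+=("$_ip")
done

# ---
# - Mail client (smtps/pop(s)/imap(s))
# ---
# local
declare -a mail_client_ips_arr
for _ip in $mail_client_ips ; do
  mail_client_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_client_ip_arr
for _ip in $forward_mail_client_ips ; do
  forward_mail_client_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Mumble Server
# ---
# local
declare -a mumble_server_ip_arr
for _ip in $mumble_server_ips ; do
  mumble_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mumble_server_ip_arr
for _ip in $forward_mumble_server_ips ; do
  forward_mumble_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Telephone Systems
# ---
# - NOTE(review): tel_sys_ips is not defined anywhere in the
# - configuration section above, so this array is empty unless the
# - variable is set before this file is sourced.
declare -a tel_sys_ip_arr
for _ip in $tel_sys_ips ; do
  tel_sys_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Munin
# ---
# local
declare -a munin_server_ip_arr
for _ip in $munin_server_ips ; do
  munin_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_munin_server_ip_arr
for _ip in $forward_munin_server_ips ; do
  forward_munin_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
  xymon_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Rsync Out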
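# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
  rsync_out_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_rsync_out_ip_arr
for _ip in $forward_rsync_out_ips ; do
  forward_rsync_out_ip_arr+=("$_ip")
done

# ---
# - SSH Ports
# ---
# - Built by word splitting: a comma separated ssh_ports value ends
# - up as a single element.
declare -a ssh_port_arr
for _port in $ssh_ports ; do
  ssh_port_arr+=("$_port")
done

# ---
# - VPN Ports
# ---
# local
declare -a vpn_port_arr
for _port in $vpn_ports ; do
  vpn_port_arr+=("$_port")
done

# ---
# - Rsync Out Ports
# ---
declare -a rsync_port_arr
for _port in $rsync_ports ; do
  rsync_port_arr+=("$_port")
done

# ---
# - Special TCP Ports OUT
# ---
# local
declare -a tcp_out_port_arr
for _port in $tcp_out_ports ; do
  tcp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_tcp_out_port_arr
for _port in $forward_tcp_out_ports ; do
  forward_tcp_out_port_arr+=("$_port")
done

# ---
# - Special UDP Ports OUT
# ---
# local
declare -a udp_out_port_arr
for _port in $udp_out_ports ; do
  udp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_udp_out_port_arr
for _port in $forward_udp_out_ports ; do
  forward_udp_out_port_arr+=("$_port")
done

# -------------
# --- Some functions
# -------------

# - Print all arguments (joined by a blank) to stderr without a
# - trailing newline; backslash escapes are interpreted as with
# - 'echo -e -n'.
# -
# - The original probed whether echo understands '\c' by writing a
# - scratch file /tmp/shprompt$$ - a predictable name in a world
# - writable directory, created by a script that normally runs as
# - root (it drives iptables).  printf '%b' behaves the same on
# - every platform and needs neither the probe nor the temp file.
# -
echononl(){
  printf '%b' "$*" >&2
}

# - Status markers: move the cursor to column 75 (ANSI escape) and
# - print a coloured tag followed by a newline, on stdout.
# -
echo_done() {
  echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
  echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
  echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
  echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
  echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}

# - Print a fatal error message (all arguments) on stdout and
# - terminate the calling script with exit status 1.
# -
fatal (){
  echo ""
  echo -e "fatal Error: $*"
  echo ""
  echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
  echo ""
  exit 1
}

# - Print an error message (all arguments) on stdout.  The tag is
# - the German "Fehler" in the original and is kept verbatim.
# -
error(){
  echo ""
  echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
  echo ""
}

# - Print a warning message (all arguments) on stdout.
# -
warn (){
  echo ""
  echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
  echo ""
}

# - Print an informational message (all arguments) on stdout.
# -
info (){
  echo ""
  echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
  echo ""
}

## - Check if a given array (parameters 2..n) contains a given
## - string (parameter 1).  Returns 0 if found, 1 otherwise.
## -
## - Usage: containsElement "needle" "${haystack_arr[@]}"
## -
containsElement () {
  local e
  for e in "${@:2}"; do
    [[ "$e" == "$1" ]] && return 0
  done
  return 1
}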