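#!/usr/bin/env bash
## ----------------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
## ----------------------------------------------------------------
#
# This file only assigns configuration variables; it is meant to be
# sourced by the firewall script, which builds the iptables rules from
# these values. Nothing here is executed on its own.
#
# Variables of the form "$standard_*_port(s)" are expected to be defined by
# the sourcing script before this file is read (they are not set here).
#
# NOTE(review): the header names this an IPv4 configuration, but every
# example address below (and the munin_remote_ip default) is IPv6 - confirm
# the address family matches the rule set this file feeds, otherwise the
# affected rules will not match any traffic.

# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
# - Prevent bridged traffic getting pushed through the
# - host's iptables rules
# -
# - Note: you may also have to activate forwarding
# -
# -   Set: kernel_forward_between_interfaces=true
# -
do_not_firewall_bridged_traffic=false

# -------------
# --- Allow all outgoing traffic
# -------------
# - allow_all_outgoing_traffic
# -
# - Possible values are 'true' and 'false'
# -
# - 'false' keeps egress restricted to the explicitly allowed
# - services/ports configured below.
# -
allow_all_outgoing_traffic=false

# -------------
# --- Interfaces completely blocked
# -------------
# - Interfaces to block (note: they will all be blocked)
# -
# - Example: eth1 is used for DSL Line, that becomes an extra
# -   interface (maybe ppp0). A further use of eth1 (which would
# -   be possible) is not configured at time, so you can block it.
# -
# -   blocked_ifs="eth1"
# -
blocked_ifs=""

# -------------
# --- Interfaces not firewalled
# -------------
# - Note:
# -   Can be (for example) an interface whose (complete) traffic is
# -   protected by a firewall on another system in the local area
# -
unprotected_ifs=""

# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------
# - Maybe useful in case of virtual hosts with private addresses or
# - if using a vpn network to forward into private areas.
# -
# - Note: these rules take effect before the rules that protect against
# -       unwanted packets, e.g. blocking private addresses on
# -       external interfaces.
# -
# - Note: you can specify networks using CIDR notation
# -       like "192.168.2.0/24"
# -
forward_private_ips=""

# -------------
# ---- Restrict local Service to given (extern) IP-Address/Network
# -------------
# - restrict_local_service_to_net
# -
# - restrict_local_service_to_net="<ext-net>,<local-address>,<port>,<protocol>"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# - - Traffic received on natted interfaces will be omitted!
# -
# - Use this parameter to (only) give some extern networks access to special local
# - services.
# -
# - Example:
# -   allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
# -   allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
# -
# -   restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
# -                                  2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""

# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
# - restrict_local_net_to_net
# -
# - restrict_local_net_to_net="<src-net>,<dst-net> [<src-net>,<dst-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# - - Traffic received on natted interfaces will be omitted!
# - - If you want to allow both directions, you have to make two entries - one for every direction.
# -
# - Example:
# -   restrict_local_net_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
# -                              2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
# -
# - Blank separated list
# -
restrict_local_net_to_net=""

# -------------
# ---- Allow extern Service
# -------------
# - allow_ext_service
# -
# - allow_ext_service="<ext-net>,<port>,<protocol> [<ext-net>,<port>,<protocol>] [..]"
# -
# - Allow all traffic to the given extern Service. Only protocols 'tcp' and 'udp'
# - are allowed
# -
# - Example:
# -   - allow_ext_service="
# -       2a01:4f8:221:3b4e::247,8443,tcp
# -       2a01:30:0:13:211:84ff:feb7:7f9c,8443,tcp
# -     "
# -   - allow_ext_service="
# -       ::/0,8443,tcp
# -       ::/0,8080,tcp
# -     "
# -
# - Note:
# - =====
# - To allow traffic on a certain port to all extern networks, set extern network to '::/0'
# -
# - Blank separated list
# -
allow_ext_service=""

# -------------
# ---- Allow extern IP-Address/Network
# -------------
# - allow_ext_net
# -
# - allow_ext_net="<ext-net> [<ext-net>] [..]"
# -
# - Allow all traffic to the given extern network/ip-address.
# -
# - Example:
# -   - allow_ext_net="2a01:4f8:221:3b4e::247 2a01:30:0:13:211:84ff:feb7:7f9c"
# -   - allow_ext_net="::/0"
# -
# - Note:
# - =====
# - To allow traffic to all extern networks, set extern network to '::/0'
# -
# - Blank separated list
# -
allow_ext_net=""

# -------------
# ---- Allow (non-standard) local Services
# -------------
# - allow_local_service
# -
# - allow_local_service="<port>:<protocol> [<port>:<protocol>] [..]"
# -
# - Allow all traffic to given local service
# -
# - Example:
# -   allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""

# -------------
# ---- Allow local Services from given (extern) network
# -------------
# - allow_local_service_from_networks
# -
# - allow_local_service_from_networks="<ext-net>,<port>,<protocol> [<ext-net>,<port>,<protocol>] [..]"
# -
# - Allow all traffic to given local service from given (extern) network
# -
# - Example:
# -   allow_local_service_from_networks="2001:678:a40:3000::/64,8443,tcp 2001:678:a40:3000::/64,8080,tcp"
# -
# - Blank separated list
# -
allow_local_service_from_networks=""

# -------------
# --- Services local Network
# -------------

# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""

# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"

# local NTP Server
#
local_ntp_service=false

# NTP Port used by local service
#
ntp_port="$standard_ntp_port"

# Network allowed for NTP requests
#
# Note: if not set no port will be opened!
#
# Example:
#   ntp_allowed_net="2001:678:a40:3000::/64"
#
ntp_allowed_net=""

# DHCP Server
#
# Comma separated Interface list for DHCP services
#
dhcp_server_ifs=""

# - DNS Server
dns_server_ips=""
forward_dns_server_ips=""

# - local DNS Resolver
# -
local_resolver_service=false

# - Resolver Port used by local service
# -
resolver_port="$standard_dns_port"

# - Network(s) allowed for DNS requests
# -
# - Note: if not set no port will be opened! Leaving this empty is the safe
# -       default; an open resolver reachable from arbitrary networks can be
# -       abused for reflection traffic.
# -
# - Example:
# -   resolver_allowed_networks="2001:678:a40:3000::/64 2001:678:a40:4000::/64"
# -
resolver_allowed_networks=""

# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""

# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="$standard_ssh_port"

# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""

# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"

# - Mail SMTP Server
# -
smtpd_ips=""
forward_smtpd_ips=""

# - Mail Services (smtps/pop(s)/imap(s))
# -
mail_server_ips=""
forward_mail_server_ips=""

# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"

# - Mail Client (smtps/pop(s)/imap(s))
# -
mail_client_ips=""
forward_mail_client_ips=""

# - (local) Dovecot auth service
# -
dovecot_auth_service=false

# - Port listening for dovecot auth requests
# -
dovecot_auth_port=44444

# - Client Network(s) allowed to connect to dovecot's auth service
# -
# - Example:
# -   dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
# -
dovecot_auth_allowed_networks=""

# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""

# - FTP passive port range used by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"

# - XMPP Service (Jabber - Prosody)
# -
xmpp_server_ips=""
forward_xmpp_server_ips=""

# - Ports used by XMPP (Prosody) service
# -
# - 5222 incoming, client connections, plain or TLS-encrypted
# - 5223 incoming, SSL-encrypted client connections (legacy)
# - 5269 incoming and outgoing, connections to/from other servers
# -
# - WebSocket (support is provided by mod_websocket)
# - 5280 incoming, client connections via HTTP polling (useful for web applications)
# -
# - (variable names keep the historical "xmmp_" spelling; the sourcing script reads them)
# -
xmmp_tcp_in_ports="5222 5223 5269"
xmmp_tcp_out_ports="5269"

# - XMPP Remote Dovecot Out Service
# -
# - Example:
# -   - xmmp_remote_out_services="
# -       2a01:4f8:221:3b4e::247,44444
# -       2a01:30:0:13:2f7:50ff:fed2:cef7,44444
# -     "
# -
xmmp_remote_out_services=""

# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""

# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"

# - Jitsi Video Conferencing Server
# -
jitsi_server_ips=""
forward_jitsi_server_ips=""

# - Jitsi (incoming) Ports
# -
# - comma separated list of ports/port ranges
# -
jitsi_tcp_ports="$standard_http_ports"
jitsi_udp_port_range="1000:2000"

# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""

# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""

# - Port used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"

# - Remote Munin Server
# -
# - NOTE(review): this default is a concrete remote address rather than an
# - empty value; replace it with your own monitoring host (or clear it) before
# - deploying, so the munin port is not exposed to an unrelated system.
# -
munin_remote_ip="2a01:4f8:171:3493::54"
munin_local_port="4949"

# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false

# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"

# -------------
# - Protocols Out
# -------------

# - Rsync Protocol
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"

# -------------
# --- Allow special Ports (OUT)
# -------------

# - TCP Ports
tcp_out_ports=""
forward_tcp_out_ports=""

# - UDP Ports
udp_out_ports=""
forward_udp_out_ports=""

# -------------
# --- Block IP's / IP-Ranges
# -------------
blocked_ips=""

# -------------
# --- Block Ports
# -------------
# - Generally (for all interfaces) block these ports
# -
# - Portmapper
# -   tcp 111
# -   udp 111
# -
# - Authentication tap ident
# -   tcp 113
# -
# - Location Service
# -   tcp 135
# -
# - Windows Stuff
# -   tcp 137:139
# -   udp 137:139
# -   tcp 445
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"

# -------------
# - Some special stuff
# -------------
# - create_iperf_rules enables rules for iperf tests; which ports/networks
# - that opens is decided by the sourcing script, not visible here - disable
# - it on production hosts that do not need it.
# -
create_traffic_counter=true
create_iperf_rules=true

# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------

# - Disable ip forwarding between interfaces
# -
kernel_forward_between_interfaces=false

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - Do not accept ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of
# - one network, based on the host choice, so basically it affects the way
# - packets are routed and destinations. Accepting them from the network lets
# - a peer on the segment alter this host's routing.
# -
# - NOTE(review): the variable name says "accept", the original comment said
# - "sending" - which sysctl the sourcing script actually sets is not visible
# - here; confirm against the script.
# -
kernel_dont_accept_redirects=true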