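#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
#
# Every `*_arr` below is built from a whitespace-separated configuration
# string of the same base name (e.g. `ext_ifs` -> `ext_if_arr`).  The
# conversion is done by `_words_to_array` so that each token is taken
# literally: no glob expansion of config values (the former
# `for x in $var` loops would expand a token such as `eth*` against the
# current directory) and no re-splitting of tokens containing backslashes.
# Each target array is reset (`=()`) before it is filled, so sourcing this
# file more than once cannot accumulate duplicate entries.

#######################################
# Split a whitespace-separated string into an array.
# Arguments:
#   $1 - name of the (global) array to fill; existing content is replaced
#   $2 - the string to split (split on $IFS, default whitespace incl. newline)
# Outputs:   none
# Returns:   0 always (an empty string yields an empty array)
#######################################
_words_to_array() {
  local __name=$1
  local __words=$2
  # -d '' reads the whole here-string (not just the first line) so
  # newline-separated config values work; read returns 1 at EOF without a
  # NUL delimiter, which is expected here.
  read -r -d '' -a "$__name" <<<"$__words" || :
  return 0
}

# ---
# NAT (Masquerade) Network interfaces
# ---
declare -a _nat_candidates=()
_words_to_array _nat_candidates "$nat_devices"
declare -a nat_device_arr=()
for _dev in "${_nat_candidates[@]}" ; do
  # containsElement is provided elsewhere in this file set; used to drop duplicates.
  if ! containsElement "$_dev" "${nat_device_arr[@]}" ; then
    nat_device_arr+=("$_dev")
  fi
done
unset _nat_candidates

# ---
# IP Addresses LX Guest System
# ---
declare -a lxc_guest_ip_arr=()
_words_to_array lxc_guest_ip_arr "$lxc_guest_ips"

# ---
# local Interfaces
# ---
declare -a local_ip_arr=()
_words_to_array local_ip_arr "$local_ips"

# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr=()
_words_to_array log_ip_arr "$log_ips"

# ---
# - LOG CGI script Traffic out
# ---
declare -a cgi_script_user_arr=()
_words_to_array cgi_script_user_arr "$cgi_script_users"

# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container))
# ---
# NOTE(review): the original declared `ext_ip_arr` but appended to
# `host_ip_arr`, leaving `ext_ip_arr` always empty.  Both are filled from
# `$ext_ips` until the consumer of each name is confirmed — TODO verify
# which one the rule-building code reads and drop the other.
declare -a ext_ip_arr=()
_words_to_array ext_ip_arr "$ext_ips"
declare -a host_ip_arr=()
_words_to_array host_ip_arr "$ext_ips"

# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr=()
_words_to_array ext_if_arr "$ext_ifs"

# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr=()
_words_to_array vpn_if_arr "$vpn_ifs"

# ---
# - WireGuard Interfaces
# ---
declare -a wg_if_arr=()
_words_to_array wg_if_arr "$wg_ifs"

# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr=()
_words_to_array local_if_arr "$local_ifs"

# ---
# - Network Interfaces completely blocked
# ---
declare -a blocked_if_arr=()
_words_to_array blocked_if_arr "$blocked_ifs"

# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr=()
_words_to_array unprotected_if_arr "$unprotected_ifs"

# ---
# - Restrict local Service to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr=()
_words_to_array restrict_local_service_to_net_arr "$restrict_local_service_to_net"

# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr=()
_words_to_array restrict_local_net_to_net_arr "$restrict_local_net_to_net"

# ---
# - Allow extern Service
# ---
declare -a allow_ext_service_arr=()
_words_to_array allow_ext_service_arr "$allow_ext_service"

# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr=()
_words_to_array allow_ext_net_arr "$allow_ext_net"

# ---
# - Allow (non-standard) local Services
# ---
declare -a allow_local_service_arr=()
_words_to_array allow_local_service_arr "$allow_local_service"

# ---
# - Allow (non-standard) local Services from specified network
# ---
declare -a allow_local_service_from_network_arr=()
_words_to_array allow_local_service_from_network_arr "$allow_local_service_from_networks"

# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr=()
_words_to_array block_tcp_port_arr "$block_tcp_ports"

declare -a block_udp_port_arr=()
_words_to_array block_udp_port_arr "$block_udp_ports"

# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr=()
_words_to_array forward_private_ip_arr "$forward_private_ips"

# ---
# - Network Interfaces DHCP Service
# ---
declare -a dhcp_server_if_arr=()
_words_to_array dhcp_server_if_arr "$dhcp_server_ifs"

declare -a dhcp_client_if_arr=()
_words_to_array dhcp_client_if_arr "$dhcp_client_ifs"

# ---
# - IP Addresses DNS Server
# ---
# - local
declare -a dns_server_ip_arr=()
_words_to_array dns_server_ip_arr "$dns_server_ips"

# DMZ
declare -a forward_dns_server_ip_arr=()
_words_to_array forward_dns_server_ip_arr "$forward_dns_server_ips"

# ---
# - Networks allowed access to local DNS Resolver
# ---
declare -a resolver_allowed_network_arr=()
_words_to_array resolver_allowed_network_arr "$resolver_allowed_networks"

# ---
# - IP Addresses VPN Server
# ---
# local
declare -a vpn_server_ip_arr=()
_words_to_array vpn_server_ip_arr "$vpn_server_ips"

# DMZ
declare -a forward_vpn_server_ip_arr=()
_words_to_array forward_vpn_server_ip_arr "$forward_vpn_server_ips"

# ---
# - IP Addresses WireGuard Service
# ---
# local
declare -a wireguard_server_ip_arr=()
_words_to_array wireguard_server_ip_arr "$wireguard_server_ips"

# DMZ
declare -a forward_wireguard_server_ip_arr=()
_words_to_array forward_wireguard_server_ip_arr "$forward_wireguard_server_ips"

# ---
# - IP Addresses SSH Server
# ---
# local
declare -a ssh_server_ip_arr=()
_words_to_array ssh_server_ip_arr "$ssh_server_ips"

# DMZ
declare -a forward_ssh_server_ip_arr=()
_words_to_array forward_ssh_server_ip_arr "$forward_ssh_server_ips"

# ---
# - IP Addresses HTTP Server
# ---
# local
declare -a http_server_ip_arr=()
_words_to_array http_server_ip_arr "$http_server_ips"

# DMZ
declare -a forward_http_server_ip_arr=()
_words_to_array forward_http_server_ip_arr "$forward_http_server_ips"

# ---
# - IP Addresses MatterMost Service
# ---
# local
declare -a mm_server_ip_arr=()
_words_to_array mm_server_ip_arr "$mm_server_ips"

# DMZ
declare -a forward_mm_server_ip_arr=()
_words_to_array forward_mm_server_ip_arr "$forward_mm_server_ips"

# ---
# - IP Addresses FTP Server
# ---
# local
declare -a ftp_server_ip_arr=()
_words_to_array ftp_server_ip_arr "$ftp_server_ips"

# DMZ
declare -a forward_ftp_server_ip_arr=()
_words_to_array forward_ftp_server_ip_arr "$forward_ftp_server_ips"

# ---
# - Mail SMTP Server
# ---
# local
declare -a smtpd_ips_arr=()
_words_to_array smtpd_ips_arr "$smtpd_ips"

# DMZ
declare -a forward_smtpd_ip_arr=()
_words_to_array forward_smtpd_ip_arr "$forward_smtpd_ips"

# ---
# Additional SMTP Listen Ports
# ---
declare -a smtpd_additional_listen_port_arr=()
_words_to_array smtpd_additional_listen_port_arr "$smtpd_additional_listen_ports"

# ---
# Additional SMTP Outgoing Ports
# ---
# (variable names keep the historical "outgoung" spelling; other files reference them)
declare -a smtpd_additional_outgoung_port_arr=()
_words_to_array smtpd_additional_outgoung_port_arr "$smtpd_additional_outgoung_ports"

# ---
# - IP Addresses XMPP Service (Jabber - Prosody)
# ---
declare -a xmpp_server_ip_arr=()
_words_to_array xmpp_server_ip_arr "$xmpp_server_ips"

declare -a forward_xmpp_server_ip_arr=()
_words_to_array forward_xmpp_server_ip_arr "$forward_xmpp_server_ips"

# ---
# - XMPP Remote Dovecot Out Service
# ---
declare -a xmmp_remote_out_service_arr=()
_words_to_array xmmp_remote_out_service_arr "$xmmp_remote_out_services"

# ---
# - Mail Services (smtps/pop(s)/imap(s))
# ---
# local
declare -a mail_server_ips_arr=()
_words_to_array mail_server_ips_arr "$mail_server_ips"

# DMZ
declare -a forward_mail_server_ip_arr=()
_words_to_array forward_mail_server_ip_arr "$forward_mail_server_ips"

# ---
# - Mail client (smtps/pop(s)/imap(s))
# ---
# local
declare -a mail_client_ips_arr=()
_words_to_array mail_client_ips_arr "$mail_client_ips"

# DMZ
declare -a forward_mail_client_ip_arr=()
_words_to_array forward_mail_client_ip_arr "$forward_mail_client_ips"

# ---
# - (local) Dovecot auth service
# ---
declare -a dovecot_auth_allowed_network_arr=()
_words_to_array dovecot_auth_allowed_network_arr "$dovecot_auth_allowed_networks"

# ---
# - IP Addresses Mumble Server
# ---
# local
declare -a mumble_server_ip_arr=()
_words_to_array mumble_server_ip_arr "$mumble_server_ips"

# DMZ
declare -a forward_mumble_server_ip_arr=()
_words_to_array forward_mumble_server_ip_arr "$forward_mumble_server_ips"

# ---
# - IP Addresses Jitsi Video Conferencing Server
# ---
declare -a jitsi_server_ip_arr=()
_words_to_array jitsi_server_ip_arr "$jitsi_server_ips"

# DMZ
declare -a forward_jitsi_server_ip_arr=()
_words_to_array forward_jitsi_server_ip_arr "$forward_jitsi_server_ips"

# ---
# - IP Addresses Remote Jibri Server
# ---
declare -a jitsi_jibri_remote_ip_arr=()
_words_to_array jitsi_jibri_remote_ip_arr "$jitsi_jibri_remote_ips"

# ---
# - IP Addresses Jibri Recording / Streaming Server
# ---
declare -a jibri_server_ip_arr=()
_words_to_array jibri_server_ip_arr "$jibri_server_ips"

# DMZ
declare -a forward_jibri_server_ip_arr=()
_words_to_array forward_jibri_server_ip_arr "$forward_jibri_server_ips"

# ---
# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ---
# local
declare -a nc_turn_server_ip_arr=()
_words_to_array nc_turn_server_ip_arr "$nc_turn_server_ips"

# DMZ
declare -a forward_nc_turn_server_ip_arr=()
_words_to_array forward_nc_turn_server_ip_arr "$forward_nc_turn_server_ips"

# ---
# - IP Addresses Telephone Systems
# ---
declare -a tel_sys_ip_arr=()
_words_to_array tel_sys_ip_arr "$tel_sys_ips"

# ---
# - Prometheus Monitoring - local Server
# ---
declare -a prometheus_local_server_ip_arr=()
_words_to_array prometheus_local_server_ip_arr "$prometheus_local_server_ips"

# ---
# - Prometheus Monitoring - local Client
# ---
declare -a prometheus_local_client_ip_arr=()
_words_to_array prometheus_local_client_ip_arr "$prometheus_local_client_ips"

declare -a prometheus_remote_server_ip_arr=()
_words_to_array prometheus_remote_server_ip_arr "$prometheus_remote_server_ips"

# ---
# - IP Addresses Munin
# ---
# local
declare -a munin_server_ip_arr=()
_words_to_array munin_server_ip_arr "$munin_server_ips"

# DMZ
declare -a forward_munin_server_ip_arr=()
_words_to_array forward_munin_server_ip_arr "$forward_munin_server_ips"

# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr=()
_words_to_array xymon_server_ip_arr "$xymon_server_ips"

# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr=()
_words_to_array rsync_out_ip_arr "$rsync_out_ips"

# DMZ
declare -a forward_rsync_out_ip_arr=()
_words_to_array forward_rsync_out_ip_arr "$forward_rsync_out_ips"

# ---
# - SSH Ports
# ---
declare -a ssh_port_arr=()
_words_to_array ssh_port_arr "$ssh_ports"

# ---
# - XMPP Service (Jabber - Prosody)
# ---
declare -a xmmp_tcp_in_port_arr=()
_words_to_array xmmp_tcp_in_port_arr "$xmmp_tcp_in_ports"

declare -a xmmp_tcp_out_port_arr=()
_words_to_array xmmp_tcp_out_port_arr "$xmmp_tcp_out_ports"

# ---
# - VPN Ports
# ---
# local
declare -a vpn_port_arr=()
_words_to_array vpn_port_arr "$vpn_ports"

# ---
# - Wireguard Ports (local Service)
# ---
# local
declare -a wireguard_server_port_arr=()
_words_to_array wireguard_server_port_arr "$wireguard_server_ports"

# ---
# - Wireguard out Ports
# ---
# local
declare -a wireguard_out_port_port_arr=()
_words_to_array wireguard_out_port_port_arr "$wireguard_out_ports"

# ---
# - Rsync Out Ports
# ---
declare -a rsync_port_arr=()
_words_to_array rsync_port_arr "$rsync_ports"

# ---
# - Special TCP Ports OUT
# ---
# local
declare -a tcp_out_port_arr=()
_words_to_array tcp_out_port_arr "$tcp_out_ports"

# DMZ
declare -a forward_tcp_out_port_arr=()
_words_to_array forward_tcp_out_port_arr "$forward_tcp_out_ports"

# ---
# - Special UDP Ports OUT
# ---
# local
declare -a udp_out_port_arr=()
_words_to_array udp_out_port_arr "$udp_out_ports"

# DMZ
declare -a forward_udp_out_port_arr=()
_words_to_array forward_udp_out_port_arr "$forward_udp_out_ports"

# ---
# - Port forwards TCP
# ---
declare -a portforward_tcp_arr=()
_words_to_array portforward_tcp_arr "$portforward_tcp"

# ---
# - Port forwards UDP
# ---
declare -a portforward_udp_arr=()
_words_to_array portforward_udp_arr "$portforward_udp"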