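#!/usr/bin/env bash
## ----------------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
## ----------------------------------------------------------------
##
## This file only assigns configuration variables; it contains no logic.
##
## NOTE(review): several values below expand variables such as
## "$standard_vpn_port", "$standard_ssh_port" or "$standard_turn_service_ports"
## that are not defined in this file. They are presumably set by the main
## script before this file is sourced — confirm. If they are unset, the
## affected assignments expand to empty strings.

# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
# - Prevent bridged traffic getting pushed through the
# - host's iptables rules
# -
# - Note: you may also have to activate forwarding
# -
# - Set: kernel_activate_forwarding=true
# -
do_not_firewall_bridged_traffic=false

# -------------
# --- Allow all outgoing traffic
# -------------
# - allow_all_outgoing_traffic
# -
# - Possible values are 'true' and 'false'
# -
allow_all_outgoing_traffic=false

# -------------
# --- Interfaces completely blocked
# -------------
# - Interfaces to block (note: they will all be blocked)
# -
# - Example: eth1 is used for the DSL line, which becomes an extra
# - interface (maybe ppp0). A further use of eth1 (which would
# - be possible) is not configured at this time, so you can block it.
# -
# - blocked_ifs="eth1"
# -
blocked_ifs=""

# -------------
# --- Interfaces not firewalled
# -------------
# - Note:
# - Can be (for example) an interface whose (complete) traffic is
# - protected by a firewall on another system in the local area
# -
unprotected_ifs=""

# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------
# - Maybe useful in case of virtual hosts with private addresses or
# - if using a VPN network to forward into private areas.
# -
# - Note: these rules take effect before the rules that protect against
# -       unwanted packets, e.g. blocking private addresses on
# -       external interfaces.
# -
# - Note: you can specify networks using CIDR notation
# -       like "192.168.2.0/24"
# -
forward_private_ips=""

# -------------
# ---- Restrict local Service to given (extern) IP-Address/Network
# -------------
# - restrict_local_service_to_net
# -
# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# - - Traffic received on NATted interfaces will be omitted!
# -
# - Use this parameter to (only) give some extern networks access to special local
# - services.
# -
# - Example:
# -   allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
# -   allow access from 86.73.85.0/24 to https service at 83.223.86.98
# -
# -   restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp
# -                                  86.73.85.0/24:83.223.86.98:443:tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""

# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
# - restrict_local_net_to_net
# -
# - restrict_local_net_to_net="first-net:second-net [first-net:second-net] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# - - Traffic received on NATted interfaces will be omitted!
# - - If you want to allow both directions, you have to make two entries - one for every direction.
# -
# - Example:
# -   restrict_local_net_to_net="86.223.85.0/24:86.223.73.192/26
# -                              83.223.86.96/32:86.223.73.0/24"
# -
# - Blank separated list
# -
restrict_local_net_to_net=""

# -------------
# ---- Allow extern Service
# -------------
# - allow_ext_service
# -
# - allow_ext_service="ip:port:protocol [ip:port:protocol] [..]"
# -
# - Allow all traffic to the given extern service. Only protocols 'tcp' and 'udp'
# - are allowed
# -
# - Example:
# -   allow_ext_service="
# -      80.152.216.128:9998:tcp
# -      80.152.216.128:8443:tcp
# -   "
# -
# - Blank separated list
# -
allow_ext_service=""

# -------------
# ---- Allow extern IP-Address/Network
# -------------
# - allow_ext_net
# -
# - allow_ext_net="net [net] [..]"
# -
# - Allow all traffic to the given extern network/ip-address.
# -
# - Example:
# -   allow_ext_net="80.152.216.128 84.140.157.102"
# -
# - Blank separated list
# -
allow_ext_net=""

# -------------
# ---- Allow (non-standard) local Services
# -------------
# - allow_local_service
# -
# - allow_local_service="port:protocol [port:protocol] [..]"
# -
# - Allow all traffic to the given local service
# -
# - Example:
# -   allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""

# -------------
# ---- Allow local Services from given (extern) network
# -------------
# - allow_local_service_from_networks
# -
# - allow_local_service_from_networks="net:port:protocol [net:port:protocol] [..]"
# -
# - Allow all traffic to the given local service from the given (extern) network
# -
# - Example:
# -   allow_local_service_from_networks="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp"
# -
# - Blank separated list
# -
allow_local_service_from_networks=""

# -------------
# --- Services local Network
# -------------

# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""

# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"

# local NTP Server
#
local_ntp_service=false

# NTP Port used by local service
#
ntp_port="$standard_ntp_port"

# Network allowed for NTP requests
#
# Note: if not set no port will be opened!
#
ntp_allowed_net=""

# DHCP Server
#
# Comma separated interface list for DHCP services
#
dhcp_server_ifs=""

# - DNS Server
# -
# - Note:
# - leave empty if you support only the DNS Resolver Service
# -
dns_server_ips=""
forward_dns_server_ips=""

# - local DNS Resolver
# -
local_resolver_service=false

# - Resolver Port used by local service
# -
resolver_port="$standard_dns_port"

# - Network allowed for DNS requests
# -
# - Note: if not set no port will be opened!
# -
# - Example:
# -   resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
# -
# - Open DNS Resolver (answers queries from any source):
# -   resolver_allowed_networks="0.0.0.0/0"
# -   Prefer restricting this to known client networks; a resolver reachable
# -   from anywhere is a common target for abuse.
# -
resolver_allowed_networks=""

# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""

# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="$standard_ssh_port"

# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""

# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"

# - Mail SMTP Server
# -
smtpd_ips=""
forward_smtpd_ips=""

# - Mail Services (smtps/pop(s)/imap(s))
# -
mail_server_ips=""
forward_mail_server_ips=""

# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"

# - Mail Client (smtps/pop(s)/imap(s))
# -
mail_client_ips=""
forward_mail_client_ips=""

# - Dovecot auth service
# -
dovecot_auth_service=false

# - Port listening for dovecot auth requests
# -
dovecot_auth_port="$dovecot_external_auth_port"

# - Client Network(s) allowed to connect to dovecot's auth service
# -
# - Example:
# -   dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
# -
dovecot_auth_allowed_networks=""

# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""

# - FTP passive port range used by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"

# - XMPP Service (Jabber - Prosody)
# -
xmpp_server_ips=""
forward_xmpp_server_ips=""

# - Ports used by XMPP (Prosody) service
# -
# - 5222 incoming, for client connections, unencrypted or TLS-encrypted
# - 5223 incoming, for SSL-encrypted client connections (deprecated)
# - 5269 incoming and outgoing, for connections to other servers
# -
# - WebSocket (support is provided by mod_websocket)
# - 5280 incoming, for client connections via HTTP polling (useful for web applications)
# -      (listed for reference only; not part of the defaults below)
# -
xmmp_tcp_in_ports="5222 5223 5269"
xmmp_tcp_out_ports="5269"

# - XMPP Remote Dovecot Out Service
# -
# - Example:
# -   xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
# -
xmmp_remote_out_services=""

# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""

# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"

# - Jitsi Video Conferencing Server
# -
jitsi_server_ips=""
forward_jitsi_server_ips=""

# - Jitsi (incoming) Ports
# -
# - comma separated list of ports/port ranges
# -
jitsi_tcp_ports="$standard_jitsi_tcp_ports"
jitsi_udp_port_range="$standard_jitsi_udp_port_range"

# - Jitsi (outgoing) Ports (STUN Services)
# -
jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"

# - Jitsi Dovecot Authentication
# -
jitsi_dovecot_auth=false
jitsi_dovecot_host=""
jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"

# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# -
nc_turn_server_ips=""
forward_nc_turn_server_ips=""

# - Ports used by local TURN Server (Stun Server)
# -
# - comma separated list
# -
nc_turn_ports="$standard_turn_service_ports"
nc_turn_udp_ports="$standard_turn_service_udp_ports"

# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""

# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""

# - Port used by clients of this (local) Munin service
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"

# - Remote Munin Server
# -
munin_remote_ip="138.201.33.54"
munin_local_port="4949"

# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false

# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"

# -------------
# - Protocols Out
# -------------

# - Rsync Protocol
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"

# -------------
# --- Allow special Ports (OUT)
# -------------

# - TCP Ports
tcp_out_ports=""
forward_tcp_out_ports=""

# - UDP Ports
udp_out_ports=""
forward_udp_out_ports=""

# -------------
# --- Block IP's / IP-Ranges
# -------------
# - 222.184.0.0/13 CHINANET-JS
# - 61.160.0.0/16  CHINANET-JS
# - 116.8.0.0/14   CHINANET-GX
# -
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"

# -------------
# --- Block Ports
# -------------
# - Generally (for all interfaces) block these ports
# -
# - Portmapper
# -   tcp 111
# -   udp 111
# -
# - Authentication tap ident
# -   tcp 113
# -
# - Location Service
# -   tcp 135
# -
# - Windows Stuff
# -   tcp 137:139
# -   udp 137:139
# -   tcp 445
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"

# -------------
# - Some special stuff
# -------------
create_traffic_counter=true
create_iperf_rules=true

# -------------
# --- Router ?
# -------------

# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces
# -
kernel_activate_forwarding=false

# - Activate kernel support for dynamic IP addresses
# - (not needed in case of static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# -   1: To enable:
# -   2: To enable verbosity:
# -   4: To enable RST-provoking:
# -   8: To enable asymmetric routing work-around [**]
# -
# - [*]  At boot, by default no address rewriting is attempted.
# - [**] This code is currently totally untested.
# -
# - Flags can be combined by adding them. Common settings
# - would be:
# -
# -   To enable rewriting in quiet mode:
# -     # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# -   To enable rewriting in verbose mode:
# -     # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# -   To enable quiet RST-provoking mode (1+4):
# -     # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# -   ...
# -
kernel_support_dynaddr=false
dynaddr_flag="5"

# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------

# - Reduce DoS'ing ability by reducing timeouts
# -
kernel_reduce_timeouts=true

# - Hardening TCP/IP Stack Against SYN Floods
# -
# - Enabling syn cookies protects against the common 'syn flood attack'
# -
kernel_tcp_syncookies=true

# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true

# - Ignore Broadcast Pings
# -
kernel_ignore_broadcast_ping=true

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - Deactivate sending ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of
# - one network, based on the host choice, so basically it affects the way
# - packets are routed and destinations.
# -
kernel_dont_accept_redirects=true

# - Activate Reverse Path Filtering (Antispoofing)
# -
# - Enable reverse path filtering. This helps ensure that packets use
# - legitimate source addresses by automatically rejecting packets whose
# - source address does not match the network interface. This has security
# - benefits because it prevents IP spoofing. It has to be enabled for
# - all net/ipv4/conf/*, otherwise source validation is not fully functional.
# -
kernel_activate_rp_filter=true

# - Logging of spoofed, source-routed and redirect packets ("martians")
# -
# - Enabling this gives visibility into spoofing attempts in the kernel log;
# - disabled by default here, presumably to limit log volume — confirm.
# -
kernel_log_martians=false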