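#!/usr/bin/env bash
# -----------------------------------------------------------------------------
# Define Arrays
#
# Turns the whitespace-separated configuration strings (log_ips, ext_ifs,
# ssh_ports, ...) that are expected to be set before this file is read into
# indexed bash arrays (log_ip_arr, ext_if_arr, ssh_port_arr, ...) for the
# firewall rules that follow.
#
# Every array is declared at this file's scope exactly as before, so the set
# of names visible to later code is unchanged.  Only the way the strings are
# split has changed: see _append_words below.
# -----------------------------------------------------------------------------


#######################################
# Split a whitespace-separated config value and append the words to an array.
#
# Replaces the former `for _x in $value ; do arr+=("$_x") ; done` pattern.
# Splitting happens on IFS whitespace (space, tab, newline) just like the
# unquoted expansion did, but the value is fed through `read` instead of
# being expanded unquoted, so it is no longer subject to pathname expansion:
# a stray `*` or `?` in a config value stays a literal word instead of
# becoming a directory listing that is then turned into firewall rules.
#
# Arguments:
#   $1 - name of the array to append to (must already be visible in scope)
#   $2 - the raw config string
# Returns:
#   0 on success, 1 if no array name was given
# Requires bash >= 4.3 (namerefs).
#######################################
_append_words() {
  [[ -n ${1-} ]] || return 1
  local -n _dest=$1
  local -a _words=()
  # `read -d ''` reads up to a NUL byte; the here-string contains none, so
  # read stops at EOF and returns 1 even though _words has been filled.
  # The `|| true` keeps that from tripping a caller that runs with `set -e`.
  IFS=$' \t\n' read -r -d '' -a _words <<< "$2" || true
  if (( ${#_words[@]} > 0 )); then
    _dest+=("${_words[@]}")
  fi
}


# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
_append_words log_ip_arr "$log_ips"


# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container))
# ---
declare -a ext_ip_arr
declare -a host_ip_arr
# NOTE(review): the original loop declared ext_ip_arr but appended to
# host_ip_arr, leaving ext_ip_arr permanently empty.  Both names are filled
# from ext_ips here so that whichever one the rule sections consume sees the
# configured addresses; reconcile the two names once the consumer is known.
_append_words ext_ip_arr "$ext_ips"
_append_words host_ip_arr "$ext_ips"


# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr
_append_words ext_if_arr "$ext_ifs"


# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
_append_words vpn_if_arr "$vpn_ifs"


# ---
# - WireGuard Interfaces
# ---
declare -a wg_if_arr
_append_words wg_if_arr "$wg_ifs"


# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
_append_words local_if_arr "$local_ifs"


# ---
# - Network Interfaces completely blocked
# ---
declare -a blocked_if_arr
_append_words blocked_if_arr "$blocked_ifs"


# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
_append_words unprotected_if_arr "$unprotected_ifs"


# ---
# - Restrict local Service to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr
_append_words restrict_local_service_to_net_arr "$restrict_local_service_to_net"


# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr
_append_words restrict_local_net_to_net_arr "$restrict_local_net_to_net"


# ---
# - Allow extern Service
# ---
declare -a allow_ext_service_arr
_append_words allow_ext_service_arr "$allow_ext_service"


# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr
_append_words allow_ext_net_arr "$allow_ext_net"


# ---
# - Allow (non-standard) local Services
# ---
declare -a allow_local_service_arr
_append_words allow_local_service_arr "$allow_local_service"


# ---
# - Allow (non-standard) local Services from specified network
# ---
declare -a allow_local_service_from_network_arr
_append_words allow_local_service_from_network_arr "$allow_local_service_from_networks"


# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr
_append_words block_tcp_port_arr "$block_tcp_ports"

declare -a block_udp_port_arr
_append_words block_udp_port_arr "$block_udp_ports"


# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
_append_words forward_private_ip_arr "$forward_private_ips"


# ---
# - Network Interfaces DHCP Service
# ---
# The original appended these two unquoted (`+=($_dev)`), which was the only
# place where a single interface value could still be glob-expanded a second
# time; _append_words treats them like every other list.
declare -a dhcp_server_if_arr
_append_words dhcp_server_if_arr "$dhcp_server_ifs"

declare -a dhcp_client_if_arr
_append_words dhcp_client_if_arr "$dhcp_client_ifs"


# ---
# - IP Addresses DNS Server
# ---
# local
declare -a dns_server_ip_arr
_append_words dns_server_ip_arr "$dns_server_ips"

# DMZ
declare -a forward_dns_server_ip_arr
_append_words forward_dns_server_ip_arr "$forward_dns_server_ips"


# ---
# - Networks allowed access to local DNS Resolver
# ---
declare -a resolver_allowed_network_arr
_append_words resolver_allowed_network_arr "$resolver_allowed_networks"


# ---
# - IP Addresses VPN Server
# ---
# local
declare -a vpn_server_ip_arr
_append_words vpn_server_ip_arr "$vpn_server_ips"

# DMZ
declare -a forward_vpn_server_ip_arr
_append_words forward_vpn_server_ip_arr "$forward_vpn_server_ips"


# ---
# - IP Addresses WireGuard Service
# ---
# local
declare -a wireguard_server_ip_arr
_append_words wireguard_server_ip_arr "$wireguard_server_ips"

# DMZ
declare -a forward_wireguard_server_ip_arr
_append_words forward_wireguard_server_ip_arr "$forward_wireguard_server_ips"


# ---
# - IP Addresses SSH Server
# ---
# local
declare -a ssh_server_ip_arr
_append_words ssh_server_ip_arr "$ssh_server_ips"

# DMZ
declare -a forward_ssh_server_ip_arr
_append_words forward_ssh_server_ip_arr "$forward_ssh_server_ips"


# ---
# - IP Addresses HTTP Server
# ---
# local
declare -a http_server_ip_arr
_append_words http_server_ip_arr "$http_server_ips"

# DMZ
declare -a forward_http_server_ip_arr
_append_words forward_http_server_ip_arr "$forward_http_server_ips"


# ---
# - IP Addresses FTP Server
# ---
# local
declare -a ftp_server_ip_arr
_append_words ftp_server_ip_arr "$ftp_server_ips"

# DMZ
declare -a forward_ftp_server_ip_arr
_append_words forward_ftp_server_ip_arr "$forward_ftp_server_ips"


# ---
# - Mail SMTP Server
# ---
# local
declare -a smtpd_ips_arr
_append_words smtpd_ips_arr "$smtpd_ips"

# DMZ
declare -a forward_smtpd_ip_arr
_append_words forward_smtpd_ip_arr "$forward_smtpd_ips"


# ---
# - IP Addresses XMPP Service (Jabber - Prosody)
# ---
declare -a xmpp_server_ip_arr
_append_words xmpp_server_ip_arr "$xmpp_server_ips"

declare -a forward_xmpp_server_ip_arr
_append_words forward_xmpp_server_ip_arr "$forward_xmpp_server_ips"


# ---
# - XMPP Remote Dovecot Out Service
# ---
# The "xmmp_" spelling is kept because later rule sections reference the
# names as they are; renaming would have to be done in all consumers at once.
declare -a xmmp_remote_out_service_arr
_append_words xmmp_remote_out_service_arr "$xmmp_remote_out_services"


# ---
# - Mail Services (smtps/pop(s)/imap(s))
# ---
# local
declare -a mail_server_ips_arr
_append_words mail_server_ips_arr "$mail_server_ips"

# DMZ
declare -a forward_mail_server_ip_arr
_append_words forward_mail_server_ip_arr "$forward_mail_server_ips"


# ---
# - Mail client (smtps/pop(s)/imap(s))
# ---
# local
declare -a mail_client_ips_arr
_append_words mail_client_ips_arr "$mail_client_ips"

# DMZ
declare -a forward_mail_client_ip_arr
_append_words forward_mail_client_ip_arr "$forward_mail_client_ips"


# ---
# - (local) Dovecot auth service: networks allowed to reach it
# ---
declare -a dovecot_auth_allowed_network_arr
_append_words dovecot_auth_allowed_network_arr "$dovecot_auth_allowed_networks"


# ---
# - IP Addresses Mumble Server
# ---
# local
declare -a mumble_server_ip_arr
_append_words mumble_server_ip_arr "$mumble_server_ips"

# DMZ
declare -a forward_mumble_server_ip_arr
_append_words forward_mumble_server_ip_arr "$forward_mumble_server_ips"


# ---
# - IP Addresses Jitsi Video Conferencing Server
# ---
declare -a jitsi_server_ip_arr
_append_words jitsi_server_ip_arr "$jitsi_server_ips"

# DMZ
declare -a forward_jitsi_server_ip_arr
_append_words forward_jitsi_server_ip_arr "$forward_jitsi_server_ips"


# ---
# - IP Addresses Remote Jibri Server
# ---
declare -a jitsi_jibri_remote_ip_arr
_append_words jitsi_jibri_remote_ip_arr "$jitsi_jibri_remote_ips"


# ---
# - IP Addresses Jibri Recording / Streaming Server
# ---
declare -a jibri_server_ip_arr
_append_words jibri_server_ip_arr "$jibri_server_ips"

# DMZ
declare -a forward_jibri_server_ip_arr
_append_words forward_jibri_server_ip_arr "$forward_jibri_server_ips"


# ---
# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ---
# local
declare -a nc_turn_server_ip_arr
_append_words nc_turn_server_ip_arr "$nc_turn_server_ips"

# DMZ
declare -a forward_nc_turn_server_ip_arr
_append_words forward_nc_turn_server_ip_arr "$forward_nc_turn_server_ips"


# ---
# - IP Addresses Telephone Systems
# ---
declare -a tel_sys_ip_arr
_append_words tel_sys_ip_arr "$tel_sys_ips"


# ---
# - IP Addresses Munin
# ---
# local
declare -a munin_server_ip_arr
_append_words munin_server_ip_arr "$munin_server_ips"

# DMZ
declare -a forward_munin_server_ip_arr
_append_words forward_munin_server_ip_arr "$forward_munin_server_ips"


# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
_append_words xymon_server_ip_arr "$xymon_server_ips"


# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
_append_words rsync_out_ip_arr "$rsync_out_ips"

# DMZ
declare -a forward_rsync_out_ip_arr
_append_words forward_rsync_out_ip_arr "$forward_rsync_out_ips"


# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
_append_words ssh_port_arr "$ssh_ports"


# ---
# - XMPP Service (Jabber - Prosody) ports
# ---
declare -a xmmp_tcp_in_port_arr
_append_words xmmp_tcp_in_port_arr "$xmmp_tcp_in_ports"

declare -a xmmp_tcp_out_port_arr
_append_words xmmp_tcp_out_port_arr "$xmmp_tcp_out_ports"


# ---
# - VPN Ports
# ---
# local
declare -a vpn_port_arr
_append_words vpn_port_arr "$vpn_ports"


# ---
# - WireGuard Ports (local Service)
# ---
# local
declare -a wireguard_server_port_arr
_append_words wireguard_server_port_arr "$wireguard_server_ports"


# ---
# - WireGuard out Ports
# ---
# local
# The doubled "port_port" in the array name is preserved for the same reason
# as the "xmmp_" names above: it is part of the interface later code uses.
declare -a wireguard_out_port_port_arr
_append_words wireguard_out_port_port_arr "$wireguard_out_ports"


# ---
# - Rsync Out Ports
# ---
declare -a rsync_port_arr
_append_words rsync_port_arr "$rsync_ports"


# ---
# - Special TCP Ports OUT
# ---
# local
declare -a tcp_out_port_arr
_append_words tcp_out_port_arr "$tcp_out_ports"

# DMZ
declare -a forward_tcp_out_port_arr
_append_words forward_tcp_out_port_arr "$forward_tcp_out_ports"


# ---
# - Special UDP Ports OUT
# ---
# local
declare -a udp_out_port_arr
_append_words udp_out_port_arr "$udp_out_ports"

# DMZ
declare -a forward_udp_out_port_arr
_append_words forward_udp_out_port_arr "$forward_udp_out_ports"


# ---
# - Portforwards TCP
# ---
declare -a portforward_tcp_arr
_append_words portforward_tcp_arr "$portforward_tcp"


# ---
# - Portforwards UDP
# ---
declare -a portforward_udp_arr
_append_words portforward_udp_arr "$portforward_udp"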