#!/usr/bin/env bash
## ----------------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
## ----------------------------------------------------------------
## - Sample configuration for the IPv4 firewall script. It only assigns
## - variables; the firewall script itself is not part of this file.
## - Values of the form "$standard_*" / "$default_*" refer to variables
## - defined elsewhere (a defaults file, presumably) and expand to empty
## - strings if that file is not loaded first.
## - Boolean settings take the literal strings 'true' or 'false'.
# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
# - Prevent bridged traffic getting pushed through the
# - host's iptables rules.
# -
# - Note: you may also have to activate forwarding:
# -
# - Set: kernel_activate_forwarding=true
# -
# - NOTE(review): with 'true' bridged frames (e.g. to VM/container guests)
# - are presumably no longer inspected by this ruleset, so guest isolation
# - has to be enforced elsewhere (on the bridge or inside the guests).
# -
do_not_firewall_bridged_traffic=false
# -------------
# --- Do not firewall traffic from and to LX guest systems
# -------------
# - Traffic to hosted LX (Linux container) guests is not firewalled here.
# -
# - NOTE(review): 'true' exempts the container traffic from this ruleset;
# - only use it if the guests are filtered by something else.
# -
do_not_firewall_lx_guest_systems=false
# -------------
# --- Drop ICMP
# -------------
# - NOTE(review): dropping all ICMP also drops the error types hosts rely
# - on (e.g. "fragmentation needed" for path-MTU discovery). Whether the
# - script exempts those types is not visible in this file; keep 'false'
# - unless you know the consequences.
# -
drop_icmp=false
# -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
#
# UDP port 5678 is commonly used by Tinc VPN. Tinc is an open-source VPN
# package used to build virtual private networks that connect networks
# across the Internet or other untrusted networks. It uses this port for
# the connections between the nodes of the VPN.
#
# UDP port 5678 is also used by the MikroTik RouterOS Neighbor Discovery
# Protocol (MNDP). MikroTik routers use it to discover and automatically
# recognise neighbouring devices on the network, which eases communication
# between MikroTik devices without manual IP configuration.
#
# MikroTik Neighbor Discovery on UDP port 5678 is specifically meant to
# identify routers and devices within the same local network (LAN) and to
# exchange information about neighbouring MikroTik devices. This is mainly
# useful for managing and configuring MikroTik devices on the network.
#
# In short:
# UDP port 5678 is used for both MikroTik RouterOS Neighbor Discovery and
# Tinc VPN, depending on which technology is in use.
#
# NOTE(review): 'true' therefore also drops Tinc VPN traffic on this port;
# set 'false' if a Tinc node runs on this host.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
# NOTE(review): mDNS is a LAN-only protocol; keep it dropped on interfaces
# facing the Internet.
#
drop_mdns=true
# -------------
# --- Allow all outgoing traffic
# -------------
# - allow_all_outgoing_traffic
# -
# - Possible values are 'true' and 'false'
# -
# - NOTE(review): 'true' removes egress filtering altogether. Keep 'false'
# - on servers and open only what is needed (see "Protocols Out",
# - tcp_out_ports / udp_out_ports and allow_ext_service below).
# -
allow_all_outgoing_traffic=false
# -------------
# --- Interfaces completely blocked
# -------------
# - Interfaces to block (note: all traffic on them will be blocked)
# -
# - Example: eth1 is used for the DSL line, which appears as an extra
# - interface (maybe ppp0). Further use of eth1 (which would
# - be possible) is not configured at this time, so you can block it.
# - blocked_ifs="eth1"
# -
blocked_ifs=""
# -------------
# --- Interfaces not firewalled
# -------------
# - Note:
# - Can be (for example) an interface whose (complete) traffic is
# - protected by a firewall on another system in the local area network.
# -
# - NOTE(review): traffic on these interfaces bypasses this ruleset
# - entirely; list only interfaces that are genuinely trusted.
# -
unprotected_ifs=""
# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------
# - Maybe useful in case of virtual hosts with private addresses or
# - if using a VPN network to forward into private areas.
# -
# - Note: these rules take effect before the rules that protect against
# - unwanted packets, e.g. blocking private addresses on
# - external interfaces.
# -
# - NOTE(review): because of that ordering, an overly wide range here
# - weakens the anti-spoofing rules; list only the networks you really forward.
# -
# - Note: you can specify networks using CIDR notation
# - like "192.168.2.0/24"
# -
forward_private_ips=""
# -------------
# ---- Restrict local Service to given (extern) IP-Address/Network
# -------------
# - restrict_local_service_to_net
# -
# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed values for protocol.
# - - Traffic received on NATed interfaces will be omitted!
# -
# - Use this parameter to give (only) some external networks access to
# - specific local services.
# -
# - Example:
# - allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
# - allow access from 86.73.85.0/24 to https service at 83.223.86.98
# -
# - restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp
# - 86.73.85.0/24:83.223.86.98:443:tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""
# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
# - restrict_local_net_to_net
# -
# - restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# - - Traffic received on NATed interfaces will be omitted!
# - - If you want to allow both directions, you have to make two entries - one for each direction.
# -
# - Example:
# - restrict_local_net_to_net="86.223.85.0/24:86.223.73.192/26
# - 83.223.86.96/32:86.223.73.0/24"
# -
# - (The original example was written for a variable named
# - 'allow_ext_net_to_local_net'; the setting defined here is
# - 'restrict_local_net_to_net'.)
# -
# - NOTE(review): this allows every port between the two networks; prefer
# - restrict_local_service_to_net when only single services are needed.
# -
# - Blank separated list
# -
restrict_local_net_to_net=""
# -------------
# ---- Allow extern Service
# -------------
# - allow_ext_service
# -
# - allow_ext_service="<ext-ip>:<ext_port>:<protocol> [<ext-ip>:<ext_port>:<protocol> [ ..
# -
# - Allow all traffic to the given external service. Only the protocols
# - 'tcp' and 'udp' are allowed.
# -
# - Example:
# - allow_ext_service="
# - 80.152.216.128:9998:tcp
# - 80.152.216.128:8443:tcp
# - "
# -
# - Blank separated list
# -
allow_ext_service=""
# -------------
# ---- Allow extern IP-Address/Network
# -------------
# - allow_ext_net
# -
# - allow_ext_net="<ext-ip> [<ext-ip> [ ..
# -
# - Allow all traffic to the given external network/ip-address.
# -
# - NOTE(review): this opens every port towards that address; use
# - allow_ext_service instead when only specific services are needed.
# -
# - Example:
# - allow_ext_net="80.152.216.128 84.140.157.102"
# -
# - Blank separated list
# -
allow_ext_net=""
# -------------
# ---- Allow (non-standard) local Services
# -------------
# - allow_local_service
# -
# - allow_local_service="<port>:<protocol> [<port>:<protocol> [.."
# -
# - Allow all traffic to the given local service. There is no source
# - restriction in this syntax; use allow_local_service_from_networks
# - to limit the service to particular networks.
# -
# - Example:
# - allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""
# -------------
# ---- Allow local Services from given (extern) network
# -------------
# - allow_local_service_from_networks
# -
# - allow_local_service_from_networks="<ext-net>:<local-port>:<protocol> [<ext-net>:<local-port>:<protocol> [.."
# -
# - Allow all traffic to the given local service from the given (external) network
# -
# - Example (the original example mistakenly used the name 'allow_local_service'):
# - allow_local_service_from_networks="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp"
# -
# - Blank separated list
# -
allow_local_service_from_networks=""
# -------------
# --- Services local Network
# -------------
# - Values of the form "$standard_*" / "$default_*" below come from
# - variables defined outside this file (a defaults file, presumably).
# -
# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""
# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"
# - WireGuard Service
# -
wireguard_server_ips=""
forward_wireguard_server_ips=""
# - Local WireGuard Ports
# -
# - Blank separated list
# -
wireguard_server_ports="$standard_wireguard_port"
# - Remote WireGuard Ports
# -
wireguard_out_ports="$standard_wireguard_port"
# local NTP Server
#
local_ntp_service=false
# NTP port used by the local service
#
ntp_port="$standard_ntp_port"
# Network allowed for NTP requests
#
# Note: if not set, no port will be opened!
#
# NOTE(review): avoid "0.0.0.0/0" here on a public interface; an NTP
# server reachable by everyone is a classic amplification target.
#
ntp_allowed_net=""
# DHCP Server
#
# Comma separated list of interfaces providing DHCP services
#
dhcp_server_ifs=""
# DHCP Client
#
# Comma separated list of interfaces which are DHCP clients
#
dhcp_client_ifs=""
# - DNS Server
# -
# - Note:
# - leave empty if you only provide the DNS resolver service
# -
dns_server_ips=""
forward_dns_server_ips=""
# - local DNS Resolver
# -
local_resolver_service=false
# - Resolver port used by the local service
# -
resolver_port="$standard_dns_port"
# - Network(s) allowed for DNS requests
# -
# - Note: if not set, no port will be opened!
# -
# - Example:
# - resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
# -
# - # Open DNS resolver (answers everyone)
# - resolver_allowed_networks="0.0.0.0/0"
# -
# - NOTE(review): an open resolver on an Internet-facing interface is
# - abusable for DNS amplification/reflection; restrict this to the
# - networks that actually need recursion.
# -
# - Blank separated list (as in the example above)
# -
resolver_allowed_networks=""
# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""
# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="$standard_ssh_port"
# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""
# - HTTP(S) Ports used by local Services
# -
# - comma separated list (unlike ssh_ports, which is blank separated)
# -
http_ports="$standard_http_ports"
# - LOG CGI script Traffic out
# -
log_cgi_traffic_out=false
# - cgi_script_users
# -
# - List of CGI script users (suexec user, php-fpm user, ...)
# -
# - Blank separated list
# -
cgi_script_users=""
# - Mattermost (MM) Service
# -
mm_server_ips=""
forward_mm_server_ips=""
# - UDP Ports IN and OUT used by the MM Service
# -
# - NOTE(review): the referenced variables are spelled "stansard_..."
# - (not "standard_..."); confirm the defaults file defines exactly these
# - names, otherwise both settings expand to empty strings.
# -
mm_udp_ports_in="$stansard_mattermost_udp_ports_in"
mm_udp_ports_out="$stansard_mattermost_udp_ports_out"
# - Mail SMTP Server
# -
smtpd_ips=""
forward_smtpd_ips=""
# Additional ports on which the SMTP service should listen
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional ports for outgoing SMTP traffic
#
# blank separated list of ports
#
# NOTE(review): the variable name is spelled "outgoung"; the consuming
# script must use the same spelling — confirm before relying on it.
#
smtpd_additional_outgoung_ports=""
# - Mail Services (smtps/pop(s)/imap(s))
# -
mail_server_ips=""
forward_mail_server_ips=""
# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"
# - Mail Client (smtps/pop(s)/imap(s))
# -
mail_client_ips=""
forward_mail_client_ips=""
# - Dovecot auth service
# -
dovecot_auth_service=false
# - Port listening for dovecot auth requests
# -
dovecot_auth_port="$dovecot_external_auth_port"
# - Client network(s) allowed to connect to dovecot's auth service
# -
# - NOTE(review): this service handles credentials; keep the list to the
# - specific hosts that need it (never 0.0.0.0/0).
# -
# - Example:
# - dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
# -
dovecot_auth_allowed_networks=""
# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""
# - FTP passive port range used by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
# - Presumably has to match the passive range configured in the FTP daemon.
# -
ftp_passive_port_range="50000:50400"
# - XMPP Service (Jabber - Prosody)
# -
xmpp_server_ips=""
forward_xmpp_server_ips=""
# - Ports used by the XMPP (Prosody) service
# -
# - 5222 inbound, client connections, plain or TLS-encrypted (STARTTLS)
# - 5223 inbound, direct-TLS ("SSL") client connections (legacy)
# - 5269 inbound and outbound, connections to other servers
# -
# - WebSocket (support is provided by mod_websocket)
# - 5280 inbound, client connections via HTTP polling (useful for web applications)
# -
# - NOTE(review): 5223 is documented as legacy but opened by default below;
# - remove it from xmmp_tcp_in_ports if no legacy clients need it. 5280 is
# - described above but not part of the default list. The variable names
# - are spelled "xmmp_" (not "xmpp_"); the consuming script must use the
# - same spelling.
# -
xmmp_tcp_in_ports="5222 5223 5269"
xmmp_tcp_out_ports="5269"
# - XMPP: remote Dovecot (auth) services reached outbound
# -
# - Example:
# - xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
# -
xmmp_remote_out_services=""
# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""
# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"
# - Jitsi Video Conferencing Server
# -
jitsi_server_ips=""
forward_jitsi_server_ips=""
# - Jitsi (incoming) Ports
# -
# - comma separated list of ports/port ranges
# -
jitsi_tcp_ports="$standard_jitsi_tcp_ports"
jitsi_udp_port_range="$standard_jitsi_udp_port_range"
# - Jitsi (outgoing) Ports (STUN/TURN services)
# -
jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
# - Jitsi Dovecot Authentication
# -
# - NOTE(review): the port default references "$default_jitsi_dovecout_auth_port"
# - ("dovecout"); confirm the defaults file uses that exact spelling.
# -
jitsi_dovecot_auth=false
jitsi_dovecot_host=""
jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"
# - Jibri external client recording / streaming
# -
jitsi_jibri_remote_auth=false
# - Remote Jibri servers
# -
# - blank separated list of ipv4 addresses
# -
jitsi_jibri_remote_ips=""
jitsi_jibri_remote_auth_port="$default_jibri_out_port"
# - Jibri Recording / Streaming Service
# -
# - blank separated list of ipv4 addresses
# -
jibri_server_ips=""
# - blank separated list of ipv4 addresses
# -
forward_jibri_server_ips=""
jibri_remote_jitsi_server=""
jibri_remote_auth_port="$default_jibri_out_port"
# - TURN Server (STUN Server) (for Nextcloud 'talk' app)
# -
nc_turn_server_ips=""
forward_nc_turn_server_ips=""
# - Ports used by local TURN Server (STUN Server)
# -
# - comma separated list
# -
nc_turn_ports="$standard_turn_service_ports"
nc_turn_udp_ports="$standard_turn_service_udp_ports"
# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""
# - Prometheus Monitoring - local Server
# -
# - blank separated list of IPv4 addresses
# -
prometheus_local_server_ips=""
# - (Remote) prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_remote_client_ports="$standard_prometheus_ports"
# - Prometheus Monitoring - local Client
# -
# - blank separated list of IPv4 addresses
# -
prometheus_local_client_ips=""
# - Local prometheus ports
# -
# - !! comma separated list of ports
# -
prometheus_local_client_ports="$standard_prometheus_ports"
# - Remote Prometheus servers (presumably the ones allowed to reach the
# - local client ports above)
# -
# - blank separated list of IPv4 addresses
# -
# - NOTE(review): exporters usually expose host metrics without
# - authentication; keep this list to the actual Prometheus servers.
# -
prometheus_remote_server_ips=""
# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""
# - Port used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"
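# - Remote Munin Server
# -
# - Single IPv4 address of the remote Munin master that may poll the
# - local munin-node on munin_local_port.
# -
# - Empty by default: the sample used to ship a concrete public address,
# - which would have granted that host access to munin-node on every
# - installation that copied the sample unchanged. Set it to your own
# - Munin master. (The consuming script is assumed to create no rule
# - while this is empty, as for the other *_ips settings — confirm.)
# -
munin_remote_ip=""
# - Local munin-node port the remote master connects to
# - (4949 is munin-node's default).
# -
munin_local_port="4949"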
# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false
# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"
# -------------
# - Protocols Out
# -------------
# - Rsync Protocol
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"
# -------------
# --- Allow special Ports (OUT)
# -------------
# - TCP Ports
# -
# - NOTE(review): these open outbound ports towards any destination;
# - prefer allow_ext_service when the peer address is known.
# -
tcp_out_ports=""
forward_tcp_out_ports=""
# - UDP Ports
udp_out_ports=""
forward_udp_out_ports=""
# =============
# --- Portforwarding
# =============
# - Portforwarding TCP
# -
# - portforward_tcp="<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
# -
# - Judging by the example, <src-ip> is the address on <device-in> whose
# - <port-in> is forwarded (the host's own external IP), not a filter on
# - the client's source address — confirm against the script. There is no
# - client-side restriction in this syntax.
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# - portforward_tcp="${ext_if_1}:83.223.86.95:9997:192.168.52.25:22
# - ${ext_if_1}:${ext_1_ip}:80:83.223.86.98:80
# - ${ext_if_1}:${ext_1_ip}:443:83.223.86.98:443
# - "
# -
# - Note!
# - Be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES;
# - an embedded blank would split one entry into two.
# -
# - NOTE(review): forwarding presumably also needs kernel_activate_forwarding=true
# - (see "Router ?" below).
# -
# - Blank separated list
# -
portforward_tcp=""
# - Portforwarding UDP
# -
# - portforward_udp="<device-in>:<src-ip>:<udp-port-in>:<ip-to-forward>:<udp-port-out>"
# -
# - Same field meaning as portforward_tcp.
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# - portforward_udp="
# - ${ext_if_1}:${ext_1_ip}:1194:192.168.52.25:1194
# - ${ext_if_1}:${ext_1_ip}:1195:192.168.53.24:1195
# - "
# -
# - Blank separated list
# -
portforward_udp=""
# -------------
# --- Block IP's / IP-Ranges
# -------------
# - 222.184.0.0/13 CHINANET-JS
# - 61.160.0.0/16 - CHINANET-JS
# - 116.8.0.0/14 CHINANET-GX
# -
# - !! Moved to 'ban_ipv4.list'
# -
# - (Kept empty here; maintain the ban list in 'ban_ipv4.list' instead.)
# -
blocked_ips=""
# -------------
# --- Block Ports
# -------------
# - Generally (for all interfaces) block these ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113
# -
# - Location Service (MS RPC endpoint mapper)
# - tcp 135
# -
# - Windows Stuff (NetBIOS / SMB)
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"
# -------------
# - Some special stuff
# -------------
create_traffic_counter=true
# - NOTE(review): what create_iperf_rules opens is not visible in this
# - file; if it allows inbound iperf connections, 'false' is the safer
# - default on production servers.
# -
create_iperf_rules=true
# -------------
# - Protection against ...
# -------------
# - Protection against syn-flooding
# -
protection_against_syn_flooding=true
# - Protection against port scanning
# -
protection_against_port_scanning=true
# - Protection against SSH brute-force attacks
# -
protection_against_ssh_brute_force_attacks=true
# -------------
# - Limit Connections
# -------------
# - Limit connections per source IP
# -
limit_connections_per_source_IP=true
per_IP_connection_limit=$default_per_IP_connection_limit
# - Limit RST packets
# -
limit_rst_packets=true
# - Limit new TCP connections per second per source IP
# -
limit_new_tcp_connections_per_seconds_per_source_IP=true
# -------------
# --- Router ?
# -------------
# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces
# -
# - NOTE(review): only needed when this host routes (port forwarding,
# - forward_* settings, guests behind it); keep 'false' on a plain host.
# -
kernel_activate_forwarding=false
# - Activate kernel support for dynamic IP addresses
# - (not needed in case of static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# - 1: To enable:
# - 2: To enable verbosity:
# - 4: To enable RST-provoking:
# - 8: To enable asymmetric routing work-around [**]
# -
# - [*] At boot, by default no address rewriting is attempted.
# - [**] This code is currently totally untested.
# -
# - Flags can be combined by adding them. Common settings
# - would be:
# -
# - To enable rewriting in quiet mode:
# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable rewriting in verbose mode:
# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable quiet RST-provoking mode (1+4):
# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# - ...
# -
# - dynaddr_flag is the value written to ip_dynaddr; presumably only
# - used when kernel_support_dynaddr=true.
# -
kernel_support_dynaddr=false
dynaddr_flag="5"
# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------
# - Reduce DoS exposure by reducing timeouts
# -
kernel_reduce_timeouts=true
# - Hardening TCP/IP Stack Against SYN Floods
# -
# - Enabling SYN cookies protects against the common 'SYN flood' attack
# -
kernel_tcp_syncookies=true
# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true
# - Ignore Broadcast Pings
# -
kernel_ignore_broadcast_ping=true
# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true
# - ICMP redirects
# -
# - ICMP redirects are used by routers to announce a better route for a
# - destination; accepting them lets a peer on the link alter this host's
# - routing, so they are normally refused on hosts that do not route.
# -
# - NOTE(review): the variable name says "don't accept", while the
# - original comment spoke of deactivating *sending* redirects
# - (accept_redirects vs send_redirects) — confirm which sysctl(s) the
# - script actually sets.
# -
kernel_dont_accept_redirects=true
# - Activate Reverse Path Filtering (Antispoofing)
# -
# - Enable reverse path filtering. This helps ensure that packets use
# - legitimate source addresses by automatically rejecting packets whose
# - source address does not match the interface they arrived on. This has
# - security benefits because it prevents IP spoofing. It must be enabled
# - for all net/ipv4/conf/*, otherwise source validation is not fully
# - effective.
# -
# - NOTE(review): strict reverse path filtering breaks asymmetric routing
# - setups (multi-homed hosts, some VPN configurations); disable it there
# - or set rp_filter to loose mode by hand.
# -
kernel_activate_rp_filter=true
# - Logging of spoofed ("source routed" and "redirect") packets
# -
# - NOTE(review): 'true' logs martian packets to the kernel log, which is
# - useful for spotting spoofing at the cost of log noise on busy hosts.
# -
kernel_log_martians=false