ipt-server/conf/main_ipv4.conf.sample

#!/usr/bin/env bash

  
## ----------------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
## ----------------------------------------------------------------


# -------------
# --- Define Ports for Services
# -------------

# - Web Server Ports
# -
http_ports="80,443"

# - FTP Servers Passive Portrange
# -
ftp_passive_port_range="50000:50400"

# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS)
# -
mail_user_ports="587,465,110,995,143,993"

# - SSH Ports
# -
# - comma separated list
ssh_ports="22"

# - VPN Service
vpn_ports="1194 1195"

# - Mumble Server
# -
mumble_ports="64738"

# - XyMon Service (usually TCP port 1984)
# -
# - NOT YET IMPLEMENTED
# -
xymon_port=1984

# - Munin Server Port (usually TCP port 4949)
# -
munin_remote_port="4949"


# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------

# - Note: Maybe youe have also to activate forwarding
# -
# -    Set: kernel_activate_forwarding=true
# -
do_not_firewall_bridged_traffic=false


# -------------
# --- Allow all outgoing traffic
# -------------

# - unprotected_ifs
# - 
# - Posiible values are 'true' and 'false'
# -
allow_all_outgoing_traffic=false


# -------------
# --- Interfaces completly blocked
# -------------

# - Interfaces to block (note: they will all be blocked)
# -
# - Example: eth1 is used for DSL Line, that becomes an extra 
# - interface (maybe ppp0). A further use of eth1 (which would 
# - be possible) is not configured at time, so you can block it.
# -   blocked_ifs="eth1"
# -
blocked_ifs=""


# -------------
# --- Interfaces not firewalled
# -------------

# - Note:
# - Can be (for example) an interface, whose (complete) traffic is 
# - protected by a firewall on an other system in the local area 
# -
unprotected_ifs=""


# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------

# - Maybe useful in case of virtual hosts with private addresses or
# - if using a vpn network to forward into private areas.
# -
# - Note: this rules takes affect before rules to protect against
# -       unwanted packages e.g. blocking private addresses on
# -       externel interfaces.
# -       
# - Note: you can specify networks using CIDR notation
# -       like "192.168.2.0/24"
# -
forward_private_ips=""


# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------

# - restrict_local_service_to_net
# - 
# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
# -
# - Note:
# - =====
# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
# -    - Traffic recieved on natted interfaces will be ommitted!
# -
# - Use this parameter to (only) give some extern netwoks access to special local 
# - services.
# -
# - Example:
# -    allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
# -    allow access from 86.73.85.0/24 to https service at 83.223.86.98
# -
# -    restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp 
# -                                    86.73.85.0/24:83.223.86.98:443:tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""


# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------

# - restrict_local_net_to_net
# -
# -    restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# -    - Traffic recieved on natted interfaces will be ommitted!
# -    - If you want allow both directions, you have to make two entries - one for evry directions.
# -
# - Example:
# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
# -                               83.223.86.96/32:86.223.73.0/24"
# - 
# - Blank separated list
# -
restrict_local_net_to_net=""


# -------------
# ---- Allow extern Service 
# -------------

# - allow_ext_service
# -
# - allow_ext_service="<ext-ip>:<ext_port>:<protocol> [<ext-ip>:<ext_port>:<protocol> [ ..
# -
# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
# - are allowed
# -
# - Example:
# -    allow_ext_service="
# -       80.152.216.128:9998:tcp 
# -       80.152.216.128:8443:tcp
# -    "
# -
# - Blank separated list
# -
allow_ext_service=""


# -------------
# ---- Allow extern IP-Address/Network
# -------------

# - allow_ext_net
# -
# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
# -
# - Allow all traffic to the given extern network/ip-address.
# -
# - Example:
# -    allow_ext_net="80.152.216.128 84.140.157.102"
# -
# - Blank separated list
# -
allow_ext_net=""


# -------------
# ---- Allow (non-standard) local Services 
# -------------

# - allow_local_service
# -
# - allow_local_service="<port:protocol> [<port>:<protocol> [.."
# -
# - Allow all traffic to given local service
# -
# - Example:
# -    allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""


# -------------
# --- Services local Network
# -------------

# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""

# DHCP Server
#
# Comma seperated Interface list for DHCP services
#
dhcp_server_ifs=""

# - DNS Server 
dns_server_ips=""
forward_dns_server_ips=""

# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""

# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""

# - Mail SMTP Server 
# -
smtpd_ips=""
forward_smtpd_ips=""

# - Mail Services (smtps/pop(s)/imap(s)
# -
mail_server_ips=""
forward_mail_server_ips=""

# - Mail Client (smtps/pop(s)/imap(s)
# -
mail_client_ips=""
forward_mail_client_ips=""

# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""

# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""

# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""

# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""

# - Remote Munin Server
# -
munin_remote_ip="83.223.86.99"
munin_local_port="4949"

# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false


# -------------
# - Protocols Out
# -------------

# - Rsync Protocol
# -
# - Needed for some integrated provider of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"


# -------------
# --- Allow special Ports (OUT)
# -------------

# - TCP Ports
tcp_out_ports=""
forward_tcp_out_ports=""

# - UDP Ports
udp_out_ports=""
forward_udp_out_ports=""


# -------------
# --- Block IP's / IP-Ranges
# -------------

# -    222.184.0.0/13 CHINANET-JS
# -    61.160.0.0/16 - CHINANET-JS
# -    116.8.0.0/14 CHINANET-GX
# -
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"


# -------------
# --- Block Ports
# -------------

# - Generally (for all interfaces) block this ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113
# -
# - Location Service
# - tcp 135
# -
# - Windows Stuff
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"


# -------------
# - Some special stuff
# -------------

create_traffic_counter=true
create_iperf_rules=true


# -------------
# --- Router ?
# -------------

# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces
# -
kernel_activate_forwarding=false

# - Activate kernel support for dynamic IP adresses
# - (not needed in case of static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# -   1:  To enable:
# -   2:  To enable verbosity:
# -   4:  To enable RST-provoking:
# -   8:  To enable asymetric routing work-around [**]
# -
# -  [*] At boot, by default no address rewriting is attempted.
# -  [**] This code is currently totaly untested.
# -
# - Flags can be combined by adding them. Common settings
# - would be:
# -
# - To enable rewriting in quiet mode:
# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable rewriting in verbose mode:
# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable quiet RST-provoking mode (1+4):
# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# - ...
# -
kernel_support_dynaddr=false
dynaddr_flag="5"


# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------

# - Reduce DoS'ing ability by reducing timeouts
# -
kernel_reduce_timeouts=true

# - Hardening TCP/IP Stack Against SYN Floods
# -
# - Enable syn cookies prevents against the common 'syn flood attack'
# -
kernel_tcp_syncookies=true

# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true

# - Ignore Broadcast Pings
# -
kernel_ignore_broadcast_ping=true

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - Deactivate sending ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of 
# - one network, based on the host choice, so basically it affects the way 
# - packets are routed and destinations. 
# -
kernel_dont_accept_redirects=true

# - Activate Reverse Path Filtering (Antispoofing)
# -
# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen 
# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, 
# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für 
# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle 
# - nicht voll funktionsfähig ist. 
# -
kernel_activate_rp_filter=true

# - Logging of spoofed (source routed" and "redirect") packets
# -
kernel_log_martians=false


# -------------
# --- Some further Ports/IP-Address Configuration
# -------------

# - unpriviligierte Ports
# -
unprivports="1024:65535"

# - Loopback
loopback="127.0.0.0/8"

# - Private Networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"

# - Multicast Addresse
class_d_multicast="224.0.0.0/4"

# Reserved Addresse
class_e_reserved="240.0.0.0/5"