ipt-server/conf/main_ipv4.conf.sample

#!/usr/bin/env bash

  
## ----------------------------------------------------------------
## --- Main Configurations Ipv4 Firewall Script ipt-firewall-server
## ----------------------------------------------------------------


# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------

# - Prevent bridged traffic getting pushed through the
# - host's iptables rules
# -
# - Note: Maybe youe have also to activate forwarding
# -
# -    Set: kernel_activate_forwarding=true
# -
do_not_firewall_bridged_traffic=false


# -------------
# --- Allow all outgoing traffic
# -------------

# - unprotected_ifs
# - 
# - Posiible values are 'true' and 'false'
# -
allow_all_outgoing_traffic=false


# -------------
# --- Interfaces completly blocked
# -------------

# - Interfaces to block (note: they will all be blocked)
# -
# - Example: eth1 is used for DSL Line, that becomes an extra 
# - interface (maybe ppp0). A further use of eth1 (which would 
# - be possible) is not configured at time, so you can block it.
# -   blocked_ifs="eth1"
# -
blocked_ifs=""


# -------------
# --- Interfaces not firewalled
# -------------

# - Note:
# - Can be (for example) an interface, whose (complete) traffic is 
# - protected by a firewall on an other system in the local area 
# -
unprotected_ifs=""


# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------

# - Maybe useful in case of virtual hosts with private addresses or
# - if using a vpn network to forward into private areas.
# -
# - Note: this rules takes affect before rules to protect against
# -       unwanted packages e.g. blocking private addresses on
# -       externel interfaces.
# -       
# - Note: you can specify networks using CIDR notation
# -       like "192.168.2.0/24"
# -
forward_private_ips=""


# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------

# - restrict_local_service_to_net
# - 
# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
# -
# - Note:
# - =====
# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
# -    - Traffic recieved on natted interfaces will be ommitted!
# -
# - Use this parameter to (only) give some extern netwoks access to special local 
# - services.
# -
# - Example:
# -    allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
# -    allow access from 86.73.85.0/24 to https service at 83.223.86.98
# -
# -    restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp 
# -                                    86.73.85.0/24:83.223.86.98:443:tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""


# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------

# - restrict_local_net_to_net
# -
# -    restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# -    - Traffic recieved on natted interfaces will be ommitted!
# -    - If you want allow both directions, you have to make two entries - one for evry directions.
# -
# - Example:
# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
# -                               83.223.86.96/32:86.223.73.0/24"
# - 
# - Blank separated list
# -
restrict_local_net_to_net=""


# -------------
# ---- Allow extern Service 
# -------------

# - allow_ext_service
# -
# - allow_ext_service="<ext-ip>:<ext_port>:<protocol> [<ext-ip>:<ext_port>:<protocol> [ ..
# -
# - Allow all traffic to the given extern Service. Only protcols 'tcp' and 'udp'
# - are allowed
# -
# - Example:
# -    allow_ext_service="
# -       80.152.216.128:9998:tcp 
# -       80.152.216.128:8443:tcp
# -    "
# -
# - Blank separated list
# -
allow_ext_service=""


# -------------
# ---- Allow extern IP-Address/Network
# -------------

# - allow_ext_net
# -
# - allow_ext_net="<ext-ip> [<ext-ip> [ ..!
# -
# - Allow all traffic to the given extern network/ip-address.
# -
# - Example:
# -    allow_ext_net="80.152.216.128 84.140.157.102"
# -
# - Blank separated list
# -
allow_ext_net=""


# -------------
# ---- Allow (non-standard) local Services 
# -------------

# - allow_local_service
# -
# - allow_local_service="<port:protocol> [<port>:<protocol> [.."
# -
# - Allow all traffic to given local service
# -
# - Example:
# -    allow_local_service="8443:tcp 8080:tcp"
# -
# - Blank separated list
# -
allow_local_service=""


# -------------
# ---- Allow local Services from given (extern) network
# -------------

# - allow_local_service_from_networks
# -
# - allow_local_service_from_networks="<ext-net:local-port:protocol> [<ext-net:local-port>:<protocol> [.."
# -
# - Allow all traffic to given local service from given (extern) network
# -
# - Example:
# -    allow_local_service="192.68.11.64/27:8443:tcp 192.68.11.64/27:8080:tcp"
# -
# - Blank separated list
# -
allow_local_service_from_networks=""


# -------------
# --- Services local Network
# -------------

# - VPN Server
# -
vpn_server_ips=""
forward_vpn_server_ips=""

# - VPN Port(s) used by local Services
# -
# - blank separated list
# -
vpn_ports="$standard_vpn_port"


# local NTP Server
#
local_ntp_service=false

# NPT Port used by local service
#
ntp_port="$standard_ntp_port"

# Network allowed for NTP requests
#
# Note: if not set no port will be open!
#
ntp_allowed_net=""


# DHCP Server
#
# Comma seperated Interface list for DHCP services
#
dhcp_server_ifs=""

# - DNS Server 
# -
# - Note:
# -    leave empty if you support only DNS Resolver Service
# -
dns_server_ips=""
forward_dns_server_ips=""


# - local DNS Resolver
# -
local_resolver_service=false

# - Resolover Port used by local service
# -
resolver_port="$standard_dns_port"

# - Network allowed for DNS requests
# -
# - Note: if not set no port will be open!
# -
# - Example:
# -    resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
# -
# -    # Open DNS Resolver
# -    resolver_allowed_net="0.0.0.0/0"
# -
resolver_allowed_networks=""


# - SSH Server
# -
ssh_server_ips=""
forward_ssh_server_ips=""

# - SSH Port(s) used by local Services
# -
# - blank separated list
# -
ssh_ports="$standard_ssh_port"


# - HTTP(S) Server
# -
http_server_ips=""
forward_http_server_ips=""

# - HTTP(S) Ports used by local Services
# -
# - comma separated list
# -
http_ports="$standard_http_ports"


# - Mail SMTP Server 
# -
smtpd_ips=""
forward_smtpd_ips=""

# - Mail Services (smtps/pop(s)/imap(s)
# -
mail_server_ips=""
forward_mail_server_ips=""

# - Client Ports used by local Mail Services
# -
# - comma separated list
# -
mail_user_ports="$standard_mailuser_ports"


# - Mail Client (smtps/pop(s)/imap(s)
# -
mail_client_ips=""
forward_mail_client_ips=""


# - Dovecot auth service
# -
dovecot_auth_service=false

# - Port listen for dovecot auth requests
# -
dovecot_auth_port="$dovecot_external_auth_port"

# - Client Network(s) allowed to connect to dovecot's auth service
# -
# - Example:
# -    dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
# - 
dovecot_auth_allowed_networks=""


# - FTP Server
# -
ftp_server_ips=""
forward_ftp_server_ips=""

# - FTP passive port range use by local ftp service(s)
# -
# - example: ftp_passive_port_range="50000:50400"
# -
ftp_passive_port_range="50000:50400"


# - XMPP Service (Jabber - Prosody)
# -
xmpp_server_ips=""
forward_xmpp_server_ips=""

# - Ports used by XMpp (Prosody) service
# -
# -    5222 eingehend, für Client-Verbindungen unverschlüsselt oder TLS-verschlüsselt
# -    5223 eingehend, für SSL-verschlüsselte Clientverbindungen (veraltet)
# -    5269 ein- und ausgehend, für Verbindungen zu anderen Servern
# -
# - WebSocket (support is provided by mod_websocket)
# -    5280 eingehend, für Client-Verbindungen über HTTP-Polling (nützlich für Webapplikationen)
# -
xmmp_tcp_in_ports="5222 5223 5269"
xmmp_tcp_out_ports="5269"

# - XMPP Remote Dovecote Out Service
# -
# - Example:
# -    xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
# -
xmmp_remote_out_services=""


# - Mumble Server
# -
mumble_server_ips=""
forward_mumble_server_ips=""

# - Ports used by local Mumble Services
# -
# - comma separated list
# -
mumble_ports="$standard_mumble_port"


# - Jitsi Video Conferencing Server
# -
jitsi_server_ips=""
forward_jitsi_server_ips=""

# - Jitsi (incomming) Ports
# -
# - comma separated list of ports/port ranges)
# -
jitsi_tcp_ports="$standard_jitsi_tcp_ports"
jitsi_udp_port_range="$standard_jitsi_udp_port_range"

# - Jitsi (outgoing) Ports (STUN Services)
# -
jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"

# - Jitsi Dovecot Authentication
# -
jitsi_dovecot_auth=false
jitsi_dovecot_host=""
jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"

# - Jibri extern Client Recording / Streamin
# -
jitsi_jibri_remote_auth=false
# - Remote Jibri servers
# -
# - blank separated list of ipv4 addresses
# -
jitsi_jibri_remote_ips=""
jitsi_jibri_remote_auth_port="$default_jibri_out_port"


# - Jibri Recording / Streaming Service
# -
# - blank separated list of ipv4 addresse
# -
jibri_server_ips=""
# - blank separated list of ipv4 addresse
# -
forward_jibri_server_ips=""
jibri_remote_jitsi_server=""
jibri_remote_auth_port="$default_jibri_out_port"


# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# -
nc_turn_server_ips=""
forward_nc_turn_server_ips=""

# - Ports used by local TURN Server (Stun Server)
# -
# - comma separated list
# -
nc_turn_ports="$standard_turn_service_ports"
nc_turn_udp_ports="$standard_turn_service_udp_ports"


# - TFTP Server
# -
# - NOT YET IMPLEMENTED
# -
tftp_server_ips=""

# - Munin Server
# -
munin_server_ips=""
forward_munin_server_ips=""

# - Port used by clients hosted on this (local) Munin Services
# -
# - !! Only one port is possible !!
# -
munin_remote_port="$standard_munin_port"


# - Remote Munin Server
# -
munin_remote_ip="95.217.64.122"
munin_local_port="4949"

# - XyMon Server
# -
# - NOT YET IMPLEMENTED
# -
xymon_server_ips=""
local_xymon_client=false

# - Port used by local Xymon Services
# -
# - !! Only one port is possible !!
# -
xymon_port="$standard_xymon_port"



# -------------
# - Protocols Out
# -------------

# - Rsync Protocol
# -
# - Needed for some integrated provider of clamav-unofficial-sigs
# -
rsync_out_ips=""
forward_rsync_out_ips=""
rsync_ports="873"


# -------------
# --- Allow special Ports (OUT)
# -------------

# - TCP Ports
tcp_out_ports=""
forward_tcp_out_ports=""

# - UDP Ports
udp_out_ports=""
forward_udp_out_ports=""



# =============
# --- Portforwarding
# =============

# - Portforwarding TCP
# -
# - portforward_tcp="<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# -    portforward_tcp="${ext_if_1}:83.223.86.95:9997:192.168.52.25:22
# -                     ${ext_if_1}:${ext_1_ip}:80:83.223.86.98:80
# -                     ${ext_if_1}:${ext_1_ip}:443:83.223.86.98:443
# -                     "
# -
# - Note!
# -    be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES.
# -
# - Blank separated list
# -
portforward_tcp=""


# - Portforwarding UDP
# -
# - portforward_udp="<device-in>:<src-ip>:<udp-port-in>:<ip-to-forward>:<udp-port-out>"
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# -    portforward_udp="
# -       ${ext_if_1}:${ext_1_ip}:1194:192.168.52.25:1194
# -       ${ext_if_1}:${ext_1_ip}:1195:192.168.53.24:1195
# -    "
# -
# - Blank separated list
# -
portforward_udp=""



# -------------
# --- Block IP's / IP-Ranges
# -------------

# -    222.184.0.0/13 CHINANET-JS
# -    61.160.0.0/16 - CHINANET-JS
# -    116.8.0.0/14 CHINANET-GX
# -
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"


# -------------
# --- Block Ports
# -------------

# - Generally (for all interfaces) block this ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113
# -
# - Location Service
# - tcp 135
# -
# - Windows Stuff
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"


# -------------
# - Some special stuff
# -------------

create_traffic_counter=true
create_iperf_rules=true


# -------------
# --- Router ?
# -------------

# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces
# -
kernel_activate_forwarding=false

# - Activate kernel support for dynamic IP adresses
# - (not needed in case of static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# -   1:  To enable:
# -   2:  To enable verbosity:
# -   4:  To enable RST-provoking:
# -   8:  To enable asymetric routing work-around [**]
# -
# -  [*] At boot, by default no address rewriting is attempted.
# -  [**] This code is currently totaly untested.
# -
# - Flags can be combined by adding them. Common settings
# - would be:
# -
# - To enable rewriting in quiet mode:
# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable rewriting in verbose mode:
# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable quiet RST-provoking mode (1+4):
# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# - ...
# -
kernel_support_dynaddr=false
dynaddr_flag="5"


# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------

# - Reduce DoS'ing ability by reducing timeouts
# -
kernel_reduce_timeouts=true

# - Hardening TCP/IP Stack Against SYN Floods
# -
# - Enable syn cookies prevents against the common 'syn flood attack'
# -
kernel_tcp_syncookies=true

# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true

# - Ignore Broadcast Pings
# -
kernel_ignore_broadcast_ping=true

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - Deactivate sending ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of 
# - one network, based on the host choice, so basically it affects the way 
# - packets are routed and destinations. 
# -
kernel_dont_accept_redirects=true

# - Activate Reverse Path Filtering (Antispoofing)
# -
# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen 
# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, 
# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für 
# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle 
# - nicht voll funktionsfähig ist. 
# -
kernel_activate_rp_filter=true

# - Logging of spoofed (source routed" and "redirect") packets
# -
kernel_log_martians=false