firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
60dd071fc9
ipt-server/ipt-firewall-server
Christoph 60dd071fc9 Change Shebang
2017-02-22 04:29:05 +01:00

1478 lines
44 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
### BEGIN INIT INFO
# Provides: ipt-firewall
# Required-Start: $local_fs $remote_fs $syslog $network
# Required-Stop: $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO
CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-server.conf
# ------------- Load Kernel Modules -------------
#
## - Load appropriate modules.
## -
if ! $host_is_vm ; then
/sbin/modprobe ip_tables > /dev/null 2>&1
/sbin/modprobe iptable_nat > /dev/null 2>&1
# - Note:!
# - Since Kernel 4.7 the automatic conntrack helper assignment
# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
# - Enable it by setting this variable in file /etc/sysctl.conf:
# -
# - net.netfilter.nf_conntrack_helper = 1
# -
# - Reboot or type "sysctl -p"
## - Load module for FTP Connection tracking and NAT
## -
/sbin/modprobe ip_conntrack > /dev/null 2>&1
/sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1
/sbin/modprobe ip_nat_ftp > /dev/null 2>&1
## - Load modules for SIP VOIP
## -
#/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1
#/sbin/modprobe nf_nat_sip > /dev/null 2>&1
fi
#
# ------------- End: Load Kernel Modules -------------
echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
echo
## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
if [[ -f "$CONFIG_FILE" ]]; then
source $CONFIG_FILE
else
echo
echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
echo
exit 1
fi
# -------------
# --- Activate IP Forwarding
# -------------
## - IP Forwarding deaktivieren.
## -
## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
## -
## - Only needed, if hosts acts as a router.
## -
if $kernel_activate_forwarding ; then
echo 1 > /proc/sys/net/ipv4/ip_forward
echononl "\tActivate Forwarding.."
echo_done
else
echo 0 > /proc/sys/net/ipv4/ip_forward
echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
echo_done
fi
if $kernel_support_dynaddr ; then
echononl "\tActivate kernel support for dynamic addresses.."
if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
echo_done
else
echo_failed
fi
else
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
echo_done
fi
# -------------
# --- Adjust Kernel Parameters (Security/Tuning)
# -------------
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
if ! $host_is_vm ; then
## - Reduce DoS'ing ability by reducing timeouts
## -
if $kernel_reduce_timeouts ; then
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
fi
## - SYN COOKIES
## -
if $kernel_tcp_syncookies ; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
fi
## - Protection against ICMP bogus error responses
## -
if $kernel_protect_against_icmp_bogus_messages ; then
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi
## - Ignore Broadcast Pings
## -
if $kernel_ignore_broadcast_ping ; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
## - Deactivate Source Routed Packets
## -
if $kernel_deactivate_source_route ; then
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
echo 0 > $asr
done
fi
## - Deactivate sending ICMP redirects
## -
if $kernel_dont_accept_redirects ; then
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 1 > $rp_filter
done
fi
## - Logging of spoofed (source routed" and "redirect") packets
## -
if $kernel_log_martians ; then
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
fi
## - Keine ICMP Umleitungspakete akzeptieren.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
## - NUMBER OF CONNECTIONS TO TRACK
## -
#echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo_done # Adjust Kernel Parameters (Security/Tuning)
else
echo_skipped
fi
# ------------- Stop Fail2Ban if installed -------------
#
if [ -x "$fail2ban_init_script" ]; then
echononl "\tStopping fail2ban.."
$fail2ban_init_script stop > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else
echo_warning
fi
fi
#
# ------------- Ende: Stop Fail2Ban if installed -------------
# -------------
# --- Set default policies / Flush Rules
# -------------
echo
echononl "\tFlushing firewall iptable (IPv4).."
# - default policies
# -
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
## - flush chains
## -
$ipt -F
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -F -t mangle
$ipt -F -t nat
$ipt -F -t raw
$ipt -X
$ipt -Z
echo_done # Flushing firewall iptable (IPv6)..
echo
# -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush)
# -------------
case $1 in
flush)
exit 0;;
esac
# -------------
# --- Pass through Devices Interfaces (not firewalled)
# -------------
if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
echononl "\tPass through Devices (not firewalled)"
for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then
$ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
fi
$ipt -A INPUT -i $_dev -j ACCEPT
$ipt -A OUTPUT -o $_dev -j ACCEPT
$ipt -A FORWARD -i $_dev -j ACCEPT
$ipt -A FORWARD -o $_dev -j ACCEPT
done
echo_done
fi
# -------------
# --- Block IPs / Networks / Interfaces
# -------------
echononl "\tBlock IPs / Networks / Interfaces.."
# ---
# - Block IPs
# ---
for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
fi
fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j DROP
fi
done
done
# ---
# - Block Interfaces
# ---
for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
fi
$ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
fi
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_if -j DROP
$ipt -A FORWARD -o $_if -j DROP
fi
$ipt -A INPUT -i $_if -j DROP
$ipt -A OUTPUT -o $_if -j DROP
done
echo_done # Block IPs / Networks / Interfaces..
# ---
# - Allow Forwarding certain private Addresses
# ---
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
for _ip in ${forward_private_ip_arr[@]}; do
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -d $_ip -j ACCEPT
$ipt -A FORWARD -s $_ip -j ACCEPT
echo_done
else
echo_skipped
fi
done
fi
# -------------
# --- Protections against several attacks / unwanted packages
# -------------
echo
echononl "\tProtections against several attacks / unwanted packages.."
# ---
# - Protection against syn-flooding
# ---
$ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
fi
$ipt -A syn-flood -j DROP
# ---
# - Drop Fragments
# ---
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too
for _dev in ${ext_if_arr[@]} ; do
if $log_fragments || $log_all ; then
$ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level
fi
fi
$ipt -A INPUT -i $_dev -f -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -f -j DROP
fi
done
# ---
# - drop new packages without syn flag
# ---
if $log_new_not_sync || $log_all ; then
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
fi
fi
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
fi
# ---
# - drop invalid packages
# ---
if $log_invalid_state || $log_all ; then
$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
fi
fi
$ipt -A INPUT -m state --state INVALID -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m state --state INVALID -j DROP
fi
# ---
# - ungewöhnliche Flags verwerfen
# ---
for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
fi
fi
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
fi
done
# ---
# - Refuse private addresses on extern interfaces
# ---
# Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
# input
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
fi
done
fi
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -d $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -s $_ip -d $_ip -j DROP
fi
done
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level
$ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level
$ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level
$ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level
$ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level
$ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level
#
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level
$ipt -A FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level
$ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level
$ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level
fi
fi
# Refuse packets claiming to be from a Class A private network.
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
$ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
# Retfuse packets claiming to be from a Class C private network.
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A INPUT -i $_dev -s $loopback -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
if $kernel_activate_forwarding ; then
# Refuse packets claiming to be from a Class A private network.
$ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
$ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
# Refuse packets claiming to be from a Class C private network.
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A FORWARD -i $_dev -s $loopback -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
fi
done
# ---
# - Refuse packets claiming to be to the loopback interface.
# ---
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
for _dev in ${ext_if_arr[@]} ; do
if $log_to_lo || $log_all ; then
$ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level
fi
fi
$ipt -A INPUT -i $_dev -d $loopback -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback -j DROP
fi
done
# ---
# - Don't allow spoofing from that server
# ---
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed_out || $log_all ; then
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level
$ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level
$ipt -A FORWARD -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level
$ipt -A FORWARD -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level
$ipt -A FORWARD -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level
fi
fi
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
$ipt -A OUTPUT -o $_dev -s $loopback -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
$ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
$ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
$ipt -A FORWARD -o $_dev -s $loopback -j DROP
fi
done
echo_done
# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------
case $1 in
sto*)
#echononl "Stopping firewall iptable (IPv4).."
echo
echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
echo
exit 0;;
esac
echo
# -------------
# --- Traffic Counter (used by munin)
# -------------
echononl "\tCreate Traffic Counter (used by munin)"
if $create_traffic_counter ; then
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -d $_ip
$ipt -A INPUT -s $_ip
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -d $_ip
$ipt -A FORWARD -s $_ip
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
if $create_iperf_rules ; then
$ipt -A INPUT -p tcp --dport 5001 -j ACCEPT
$ipt -A INPUT -p tcp --sport 5001 -j ACCEPT
#
$ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT
$ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT
$ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT
fi
echo_done
else
echo_skipped
fi
# -------------
# --- Generally prohibited
# -------------
echononl "\tGenerally prohibited traffic.."
for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
if $kernel_activate_forwarding ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
fi
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP
done
if $kernel_activate_forwarding ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP
done
fi
done
echo_done
echo
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
echo_done
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
echo_done
# ---
# - VPN
# ---
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
echononl "\tPermit all traffic through VPN lines.."
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${vpn_server_ip_arr[@]} ; do
for _port in ${vpn_port_arr[@]} ; do
$ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
for _vpn_if in ${vpn_if_arr[@]} ; do
$ipt -A INPUT -i $_vpn_if -j ACCEPT
$ipt -A OUTPUT -o $_vpn_if -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_vpn_if -j ACCEPT
$ipt -A FORWARD -o $_vpn_if -j ACCEPT
fi
done
fi
if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_vpn_server_ip_arr[@]} ; do
$ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# -------------
# --- Services
# -------------
echo
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# ---
# - DHCP
# ---
echononl "\t\tDHCP"
if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then
for _dev in ${dhcp_if_arr[@]} ; do
# - in
$ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
# - out
$ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - DNS out only
# ---
echononl "\t\tDNS out only"
# - Nameservers on the INET must be reachable for the local recursiv nameserver
# - but also for all others
# -
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ipt -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
if $kernel_activate_forwarding ; then
# - forward from virtual mashine(s)
$ipt -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - DNS Service
# ---
echononl "\t\tDNS Service"
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do
# dns requests
$ipt -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
$ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - SSH out only
# ---
echononl "\t\tSSH out only"
# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
fi
done
for _dev in ${local_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
done
echo_done
# ---
# - SSH Service
# ---
echononl "\t\tSSH Service"
if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Rsync Out
# ---
echononl "\t\tRsync (only OUT)"
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then
for _port in ${rsync_port_arr[@]} ; do
for _ip in ${rsync_out_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _port in ${rsync_port_arr[@]} ; do
for _ip in ${forward_rsync_out_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Telnet
# ---
echononl "\t\tTelnet (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - MySQL
# ---
echononl "\t\tMySQL (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Munin remote service
# ---
echononl "\t\tMunin remote service"
if [ "X$munin_remote_ip" != "X" ]; then
for _dev in ${ext_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Munin local service
# ---
echononl "\t\tMunin local service"
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${munin_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_munin_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mail (SMTP OUT)
# ---
echononl "\t\tMail (SMTP OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Mail (SMTP Server)
# ---
echononl "\t\tMail (SMTP Server including Spam Control)"
if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
for _ip in ${smtpd_ips_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo)
$ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
#
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
#
# - DCC (port udp:6277)
$ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ipt -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
done
fi
if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_smtpd_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo)
$ipt -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
#
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ipt -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
#
# DCC (port udp:6277)
$ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ipt -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mail (POP/IMAP Server)
# ---
echononl "\t\tMail (POP/IMAP Server)"
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
#
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
#
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
echo_done
else
echo_skipped
fi
# ---
# - HTTP(S) OUT
# ---
echononl "\t\tHTTP(S) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - HTTP(S) (local) Webserver
# ---
echononl "\t\tHTTP(S) (local) Webserver"
if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${http_server_ip_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
done
if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_http_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
done
fi
fi
echo_done
else
echo_skipped
fi
# ---
# - FTP out only"
# ---
echononl "\t\tFTP out only"
for _dev in ${ext_if_arr[@]} ; do
# (Datenkanal aktiv)
$ipt -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# (Datenkanal passiv)
$ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# (Kontrollverbindung)
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
# (Datenkanal aktiv)
$ipt -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# (Datenkanal passiv)
$ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# (Kontrollverbindung)
$ipt -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - FTP Server"
# ---
echononl "\t\tFTP Server"
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ipt -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# Datenkanal (passiver modus)
$ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ipt -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ipt -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# Datenkanal (passiver modus)
$ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mumble Service
# ---
echononl "\t\tMumble Service"
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || $local_mumble_service ; then
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mumble_server_ip_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_mumble_server_ip_arr[@]} ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mumble_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Timeserver (Port 37 NOT NTP!)"
# ---
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - NTP out only"
# ---
echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Whois out only
# ---
echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
fi
done
echo_done
echo
# ---
# - Special TCP Ports OUT
# ---
echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
$ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Special UDP Ports OUT
# ---
echononl "\t\tSpecial UDP Ports OUT"
if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${udp_out_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${forward_udp_out_port_arr[@]} ; do
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
echo
# ---
# - UNIX Traceroute
# ---
echononl "\t\tUNIX Traceroute"
# versendet udp packete im gegensatz zu tracert von windows
# der icmp-echo-request pakete versendet
# einige implementierungen von traceroute (linux) erm<72>lichens
# die option -I und versenden dann ebenfalls icmp-echo-request pakete
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
$ipt -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
$ipt -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
fi
done
echo_done
# ---
# - Ping
# ---
echononl "\t\tPing"
$ipt -A INPUT -p icmp -j ACCEPT
$ipt -A OUTPUT -p icmp -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p icmp -j ACCEPT
fi
#for _dev in ${ext_if_arr[@]} ; do
# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
# if $kernel_activate_forwarding ; then
# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
# fi
#done
#for _dev in ${local_if_arr[@]} ; do
# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
# if $kernel_activate_forwarding ; then
# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
# fi
#done
echo_done
# ---
# - log all rejected traffic
# ---
echo
echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ipt -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
fi
echo_done
else
echo_skipped
fi
# ---
# - Drop all other
# ---
echo
echononl "\tDrop all other on all interfaces"
$ipt -A INPUT -j DROP
$ipt -A OUTPUT -j DROP
$ipt -A FORWARD -j DROP
echo_done
# -------------
# ------------- Start Fail2Ban if installed
# -------------
if [ -x "$fail2ban_init_script" ]; then
echo
echononl "\tStarting fail2ban.."
$fail2ban_init_script start > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else
echo_failed
fi
fi
echo
exit 0
# ------------ Portforwarding ------------- #
# -
# - !! NOTICE:
# - you need also portforwarding enabled at the kernel
# - echo 1 >/proc/sys/net/ipv4/ip_forward
#
#
# ----------------------------------------------
# <old-ip>:<old-port> --> <new-ip>:<new-port>:80
# ----------------------------------------------
#
#$ipt -A FORWARD [-i <iface>] -p tcp --dport <new-port> -d <new-ip> -j ACCEPT
#$ipt -A FORWARD [-o <iface>] -p tcp --sport <new-port> -s <new-ip> -j ACCEPT
#
#$ipt -t nat -A PREROUTING [-i <iface>] -p tcp --dport <old-port> [-d <old-ip>] -j DNAT --to-destination <new-ip>:<new-port>
#$ipt -t nat -A POSTROUTING -d <new-ip> -j MASQUERADE
#
#
# -----------------------------------------------
# www-alt.oopen.de --> www-neu.oopen.de
#
# 46.4.129.3:80 --> 83.223.86.130:80
# 46.4.129.3:443 --> 83.223.86.130:443
# -----------------------------------------------
#
#$ipt -A FORWARD -p tcp -m multiport --dports 80,443 -d 83.223.86.130 -j ACCEPT
#$ipt -A FORWARD -p tcp -m multiport --sports 80,443 -s 83.223.86.130 -j ACCEPT
#
#$ipt -t nat -A PREROUTING -p tcp --dport 80 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:80
#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
#
# -
# ---------- Ende Portforwarding ---------- #
Reference in New Issue View Git Blame Copy Permalink