firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c695a63372
ipt-server/ipt-firewall-server

2461 lines
72 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
### BEGIN INIT INFO
# Provides: ipt-firewall
# Required-Start: $local_fs $remote_fs $syslog $network
# Required-Stop: $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO
# -------------
# - Settings
# -------------
ipt_conf_dir="/etc/ipt-firewall"
inc_functions_file="${ipt_conf_dir}/include_functions.conf"
load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf
conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_ports=${ipt_conf_dir}/default_ports.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
ipt=$(which iptables)
if [[ -z "$fail2ban_client" ]]; then
fail2ban_client="$(which fail2ban-client)"
fi
# -------------
# - Some checks and preloads..
# -------------
if [[ -z "$ipt" ]] ; then
echo ""
echo -e "\tiptables was not found on this server!"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
fi
if [[ ! -f "$inc_functions_file" ]] ; then
echo ""
echo -e "\tMissing include file '$inc_functions_file'"
echo
echo -e "\tFirewall Script was stopped!"
echo
exit 1
else
source $inc_functions_file
fi
# - Check if running inside a container
# -
host_is_vm=false
# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc'
# - returns "container=lxc"
# -
r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)"
if [[ -n "$r_val" ]] ; then
host_is_vm=true
else
# ---
# - For other container types we need a few more tricks
# ---
# Detect old-style libvirt
[ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true
# Detect vserver
if ! $host_is_vm ; then
VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true
[ "${VXID:-0}" -gt 1 ] && host_is_vm=true
fi
fi
if [[ ! -f "$load_modules_file" ]] ; then
warn "No modules for loading configured. Missing file '$load_modules_file'!"
else
if ! $host_is_vm ; then
while read -r module ; do
if ! lsmod | grep -q -E "^$module\s+" ; then
/sbin/modprobe $module > /dev/null 2>&1
if [[ "$?" != "0" ]]; then
warn "Loading module '$module' failed!"
fi
fi
done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file)
fi
fi
if [[ ! -f "$conf_logging" ]]; then
fatal "Missing configuration for logging - file '$conf_logging'"
else
source $conf_logging
fi
if [[ ! -f "$conf_default_ports" ]]; then
fatal "Missing configuration for default_ports - file '$conf_default_ports'"
else
source $conf_default_ports
fi
if [[ ! -f "$conf_interfaces" ]]; then
fatal "Missing interface configurations - file '$conf_interfaces'"
else
source $conf_interfaces
fi
if [[ ! -f "$conf_main" ]]; then
fatal "Missing main configurations - file '$conf_main'"
else
source $conf_main
fi
if [[ ! -f "$conf_post_declarations" ]]; then
fatal "Missing post declarations - file '$conf_post_declarations'"
else
source $conf_post_declarations
fi
echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
echo
# -------------
# --- Activate IP Forwarding
# -------------
## - IP Forwarding deaktivieren.
## -
## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise
## -
## - Only needed, if hosts acts as a router.
## -
if $kernel_activate_forwarding ; then
echo 1 > /proc/sys/net/ipv4/ip_forward
echononl "\tActivate Forwarding.."
echo_done
else
echo 0 > /proc/sys/net/ipv4/ip_forward
echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
echo_done
fi
if $kernel_support_dynaddr ; then
echononl "\tActivate kernel support for dynamic addresses.."
if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
echo_done
else
echo_failed
fi
else
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echononl "\t\033[33m\033[1mDisable kernel support for dynamic addresses..\033[m"
echo_done
fi
# -------------
# --- Adjust Kernel Parameters (Security/Tuning)
# -------------
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
if ! $host_is_vm ; then
## - Reduce DoS'ing ability by reducing timeouts
## -
if $kernel_reduce_timeouts ; then
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
fi
## - SYN COOKIES
## -
if $kernel_tcp_syncookies ; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
fi
## - Protection against ICMP bogus error responses
## -
if $kernel_protect_against_icmp_bogus_messages ; then
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi
## - Ignore Broadcast Pings
## -
if $kernel_ignore_broadcast_ping ; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
## - Deactivate Source Routed Packets
## -
if $kernel_deactivate_source_route ; then
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
echo 0 > $asr
done
fi
## - Deactivate sending ICMP redirects
## -
if $kernel_dont_accept_redirects ; then
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 1 > $rp_filter
done
fi
## - Logging of spoofed (source routed" and "redirect") packets
## -
if $kernel_log_martians ; then
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
fi
## - Keine ICMP Umleitungspakete akzeptieren.
## -
## - Diese können zur Veränderung der Routing Tables verwendet
## - werden, möglicherweise mit einem böswilligen Ziel.
## -
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
## - NUMBER OF CONNECTIONS TO TRACK
## -
#echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo_done # Adjust Kernel Parameters (Security/Tuning)
else
echo_skipped
fi
# ------------- Stop Fail2Ban if installed -------------
#
if [ -x "$fail2ban_client" ]; then
echononl "\tStopping fail2ban.."
$fail2ban_client stop > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else
echo_warning
fi
fi
#
# ------------- Ende: Stop Fail2Ban if installed -------------
# -------------
# --- Set default policies / Flush Rules
# -------------
echo
echononl "\tFlushing firewall iptable (IPv4).."
# - default policies
# -
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
## - flush chains
## -
$ipt -F
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -F -t mangle
$ipt -F -t nat
$ipt -F -t raw
$ipt -X
$ipt -Z
echo_done # Flushing firewall iptable (IPv6)..
echo
# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
echononl "\tDo not firewall bridged traffic"
if $do_not_firewall_bridged_traffic ; then
# - Matches if the packet is being bridged and therefore is not being routed.
# - This is only useful in the FORWARD and POSTROUTING chains.
# -
$ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# - Matches if the packet has entered through a bridge interface.
# -
$ipt -I FORWARD -m physdev --physdev-is-in -j ACCEPT
# - Matches if the packet will leave through a bridge interface.
# -
$ipt -I FORWARD -m physdev --physdev-is-out -j ACCEPT
echo_done
else
echo_skipped
fi
echo
# -------------
# ---- Log given IP Addresses
# -------------
echononl "\tLog given IPv4 Addresses"
if [[ ${#log_ip_arr[@]} -gt 0 ]]; then
for _ip in ${log_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: "
$ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: "
$ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: "
$ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: "
done
echo_done
else
echo_skipped
fi
# -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush)
# -------------
case $1 in
flush)
echo
echo -e "\t\033[37m\033[1mFlushing firewall was requested. No more rules..\033[m"
echo
exit 0;;
esac
# -------------
# --- Pass through Devices Interfaces (not firewalled)
# -------------
if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
echononl "\tPass through Devices (not firewalled)"
for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then
$ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
$ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:"
fi
$ipt -A INPUT -i $_dev -j ACCEPT
$ipt -A OUTPUT -o $_dev -j ACCEPT
$ipt -A FORWARD -i $_dev -j ACCEPT
$ipt -A FORWARD -o $_dev -j ACCEPT
done
echo_done
fi
# -------------
# --- Block IPs / Networks / Interfaces
# -------------
echononl "\tBlock IPs / Networks / Interfaces.."
# ---
# - Block IPs
# ---
for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:"
fi
fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j DROP
fi
done
done
# ---
# - Block Interfaces
# ---
for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
$ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
fi
$ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
$ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:"
fi
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_if -j DROP
$ipt -A FORWARD -o $_if -j DROP
fi
$ipt -A INPUT -i $_if -j DROP
$ipt -A OUTPUT -o $_if -j DROP
done
echo_done # Block IPs / Networks / Interfaces..
# ---
# - Block IPs/Netwoks reading from file 'ban_ipv4.list'"
# ---
echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .."
if [[ -f "$conf_ban_ipv4_list" ]] ; then
declare -a octets
declare -i index
while IFS='' read -r _line || [[ -n $_line ]] ; do
is_valid_ipv4=true
is_valid_mask=true
ipv4=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
# Ignore blank lines
#
[[ $_line =~ ^[[:space:]]*$ ]] && continue
# Remove leading whitespace characters
#
_line="${_line#"${_line%%[![:space:]]*}"}"
# Catch IPv4 Address
#
given_ipv4="$(echo $_line | cut -d ' ' -f1)"
# Splitt Ipv4 address from possible given CIDR number
#
IFS='/' read -ra _addr <<< "$given_ipv4"
_ipv4="${_addr[0]}"
if [[ -n "${_addr[1]}" ]] ; then
_mask="${_addr[1]}"
test_netmask=false
# Is 'mask' a valid CIDR number? If not, test agains a valid netmask
#
if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then
# Its not a vaild mask number, but naybe a valit netmask.
#
test_netmask=true
else
if [[ $_mask -gt 32 ]]; then
# Its not a vaild cidr number, but naybe a valit netmask.
#
test_netmask=true
else
# OK, we have a vaild cidr number between '0' and '32'
#
mask=$_mask
fi
fi
# Test if given '_mask' is a valid netmask.
#
if $test_netmask ; then
octets=( ${_mask//\./ } )
# Complete netmask if necessary
#
while [[ ${#octets[@]} -lt 4 ]]; do
octets+=(0)
done
[[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false
index=0
for octet in ${octets[@]} ; do
if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
if [[ $octet -gt 255 ]] ; then
is_valid_mask=false
fi
if [[ $index -gt 0 ]] ; then
mask="${mask}.${octet}"
else
mask="${octet}"
fi
else
is_valid_mask=false
fi
((index++))
done
fi
adjust_mask=false
else
mask=32
adjust_mask=true
fi
# Splitt given address into their octets
#
octets=( ${_ipv4//\./ } )
# Complete IPv4 address if necessary
#
while [[ ${#octets[@]} -lt 4 ]]; do
octets+=(0)
# Only adjust CIDR number if not given
#
if $adjust_mask ; then
mask="$(expr $mask - 8)"
fi
done
# Pre-check if given IPv4 Address seems to be a valid address
#
[[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false
# Check if given IPv4 Address is a valid address
#
if $is_valid_ipv4 ; then
index=0
for octet in ${octets[@]} ; do
if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
if [[ $octet -gt 255 ]] ; then
is_valid_ipv4=false
fi
if [[ $index -gt 0 ]] ; then
ipv4="${ipv4}.${octet}"
else
ipv4="${octet}"
fi
else
is_valid_ipv4=false
fi
((index++))
done
fi
if $is_valid_ipv4 && $is_valid_mask; then
_ip="${ipv4}/${mask}"
if containsElement "$_ip" "${ban_ipv4_arr[@]}" ; then
continue
fi
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
fi
fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j DROP
fi
done
ban_ipv4_arr+=("$_ip")
else
msg="$msg '${given_ipv4}'"
fi
done < "$conf_ban_ipv4_list"
echo_done
if [[ -n "$msg" ]]; then
warn "Ignored:$msg"
fi
else
echo_skipped
fi
# ---
# - Allow Forwarding certain private Addresses
# ---
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
for _ip in ${forward_private_ip_arr[@]}; do
$ipt -A OUTPUT -d $_ip -j ACCEPT
$ipt -A INPUT -s $_ip -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -d $_ip -j ACCEPT
$ipt -A FORWARD -s $_ip -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- Protections against several attacks / unwanted packages
# -------------
echo
echononl "\tProtections against several attacks / unwanted packages.."
# ---
# - Protection against syn-flooding
# ---
$ipt -N syn-flood
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:"
fi
$ipt -A syn-flood -j DROP
# ---
# - Drop Fragments
# ---
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too
for _dev in ${ext_if_arr[@]} ; do
if $log_fragments || $log_all ; then
$ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:"
fi
fi
$ipt -A INPUT -i $_dev -f -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -f -j DROP
fi
done
# ---
# - drop new packages without syn flag
# ---
if $log_new_not_sync || $log_all ; then
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:"
fi
fi
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
fi
# ---
# - drop invalid packages
# ---
if $log_invalid_state || $log_all ; then
$ipt -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state:"
fi
fi
$ipt -A INPUT -m state --state INVALID -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -m state --state INVALID -j DROP
fi
# ---
# - ungewöhnliche Flags verwerfen
# ---
for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:"
fi
fi
$ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
fi
done
# ---
# - Refuse private addresses on extern interfaces
# ---
# Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
# input
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip):"
fi
done
fi
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -s $_ip -d $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -s $_ip -d $_ip -j DROP
fi
done
# Refuse packets claiming to be from a
# Class A private network
# Class B private network
# Class C private network
# loopback interface
# Class D multicast address
# Class E reserved IP address
# broadcast address
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
$ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
$ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
$ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
$ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
#
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
$ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
$ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
fi
fi
# Refuse packets claiming to be from a Class A private network.
$ipt -A INPUT -i $_dev -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
$ipt -A INPUT -i $_dev -s $priv_class_b -j DROP
# Retfuse packets claiming to be from a Class C private network.
$ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
#$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP
if $kernel_activate_forwarding ; then
# Refuse packets claiming to be from a Class A private network.
$ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP
# Refuse packets claiming to be from a Class B private network.
$ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP
# Refuse packets claiming to be from a Class C private network.
$ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
# Refuse packets claiming to be from loopback interface.
$ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
# Refuse Class E reserved IP addresses.
$ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP
# Refuse broadcast address packets.
#$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP
fi
done
# ---
# - Refuse packets claiming to be to the loopback interface.
# ---
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
for _dev in ${ext_if_arr[@]} ; do
if $log_to_lo || $log_all ; then
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:"
fi
fi
$ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP
fi
done
# ---
# - Don't allow spoofing from that server
# ---
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed_out || $log_all ; then
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:"
$ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:"
$ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:"
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:"
fi
fi
$ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP
$ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP
$ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP
$ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP
$ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP
$ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP
fi
done
echo_done
# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------
case $1 in
sto*)
#echononl "Stopping firewall iptable (IPv4).."
echo
echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
echo
exit 0;;
esac
echo
# -------------
# --- Traffic Counter (used by munin)
# -------------
echononl "\tCreate Traffic Counter (used by munin)"
if $create_traffic_counter ; then
for _ip in ${ext_ip_arr[@]} ; do
$ipt -A INPUT -d $_ip
$ipt -A INPUT -s $_ip
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -d $_ip
$ipt -A FORWARD -s $_ip
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
if $create_iperf_rules ; then
$ipt -A INPUT -p tcp --dport 5001 -j ACCEPT
$ipt -A INPUT -p tcp --sport 5001 -j ACCEPT
#
$ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT
$ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT
$ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT
fi
echo_done
else
echo_skipped
fi
# -------------
# --- Generally prohibited
# -------------
echononl "\tGenerally prohibited traffic.."
for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done
if $kernel_activate_forwarding ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:"
done
fi
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP
done
if $kernel_activate_forwarding ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP
done
fi
done
echo_done
echo
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
echo_done
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ipt -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
echo_done
# -------------
# --- Allow all outgoing traffic
# -------------
echononl "\tAllow all outgoing traffic.."
if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# - unprotected_ifs
# -
# - Posiible values are 'true' and 'false'
# -
allow_all_outgoing_traffic=false
# ---
# - Permit all traffic through VPN lines
# ---
echononl "\tPermit all traffic through VPN lines.."
for _vpn_if in ${vpn_if_arr[@]} ; do
$ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
fi
done
echo_done
echo
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------
echononl "\tRestrict local Service to given (extern) IP-Address/Network"
if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
_deny_service_arr=()
for _val in "${restrict_local_service_to_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m state --state NEW -j ACCEPT
if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}" "${_deny_service_arr[@]}" ; then
_deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}")
fi
done
done
for _val in "${_deny_service_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
done
echo_done
else
echo_skipped
fi
# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
_deny_net_arr=()
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m state --state NEW -j ACCEPT
if ! containsElement "${_dev}:${_val_arr[1]}" "${_deny_net_arr[@]}" ; then
_deny_net_arr+=("${_dev}:${_val_arr[1]}")
fi
done
done
for _val in "${_deny_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
done
echo_done
else
echo_skipped
fi
# -------------
# --- Services
# -------------
echo
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# -------------
# ---- Allow extern Service
# -------------
echononl "\t\tAllow extern Service"
if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do
for _val in "${allow_ext_service_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# -------------
# ---- Allow extern IP-Address/Network
# -------------
echononl "\t\tAllow extern IP-Address/Network"
if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do
for _net in "${allow_ext_net_arr[@]}" ; do
$ipt -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
echo
# -------------
# ---- Allow (non-standard) local Services
# -------------
echononl "\t\tAllow (non-standard) local Services"
if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do
for _val in "${allow_local_service_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# -------------
# ---- Allow local Services from given (extern) network
# -------------
echononl "\t\tAllow local Services from given (extern) network"
if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do
for _val in "${allow_local_service_from_network_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
echo
echo
# ---
# - DHCP
# ---
echononl "\t\tDHCP"
if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then
for _dev in ${dhcp_if_arr[@]} ; do
# - in
$ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
# - out
$ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - DNS out only
# ---
echononl "\t\tDNS out only"
# - Nameservers on the INET must be reachable for the local recursiv nameserver
# - but also for all others
# -
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
if $kernel_activate_forwarding ; then
# - forward from virtual mashine(s)
$ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - DNS Service
# ---
echononl "\t\tDNS Service"
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
$ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
# Zonetransfer
$ipt -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - local Resolver"
# ---
echononl "\t\tlocal Resolver"
if [[ -n "$local_resolver_service" ]] && $local_resolver_service ; then
if [[ ${#resolver_allowed_network_arr[@]} -gt 0 ]] ; then
for _net in ${resolver_allowed_network_arr[@]} ; do
$ipt -A INPUT -p udp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p tcp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_failed
fi
else
echo_skipped
fi
# ---
# - SSH out only
# ---
echononl "\t\tSSH out only"
# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
fi
done
for _dev in ${local_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
done
echo_done
# ---
# - SSH Service
# ---
echononl "\t\tSSH Service"
if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - VPN
# ---
echononl "\t\tVPN Service only out"
if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${vpn_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
echononl "\t\tVPN Services.."
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${vpn_server_ip_arr[@]} ; do
for _port in ${vpn_port_arr[@]} ; do
$ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_vpn_server_ip_arr[@]} ; do
for _port in ${vpn_port_arr[@]} ; do
$ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Rsync Out
# ---
echononl "\t\tRsync (only OUT)"
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then
for _port in ${rsync_port_arr[@]} ; do
for _ip in ${rsync_out_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _port in ${rsync_port_arr[@]} ; do
for _ip in ${forward_rsync_out_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Telnet
# ---
echononl "\t\tTelnet (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - MySQL
# ---
echononl "\t\tMySQL (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Munin remote service
# ---
echononl "\t\tMunin remote service"
if [ "X$munin_remote_ip" != "X" ]; then
for _dev in ${ext_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Munin local service
# ---
echononl "\t\tMunin local service"
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${munin_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_munin_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mail (SMTP OUT)
# ---
echononl "\t\tMail (SMTP OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Mail SMTP Server (Port 25) including Spam Control
# ---
echononl "\t\tMail SMTP Server (Port 25) including Spam Control"
if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
for _ip in ${smtpd_ips_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo)
$ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
#
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
#
# - DCC (port udp:6277)
$ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ipt -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
$ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
done
fi
if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_smtpd_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo)
$ipt -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
#
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ipt -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
#
# DCC (port udp:6277)
$ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ipt -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mailservice (Submission/SMTPS/POP/IMAP Server)
# ---
echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
#
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
#
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
echo_done
else
echo_skipped
fi
# ---
# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
# ---
echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
#
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mail_client_ip_arr[@]} ; do
# mail ports
#
$ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
echo_done
else
echo_skipped
fi
# ---
# - (local) Dovecot auth service
# ---
echononl "\t\t(local) Dovecot auth service"
if [[ -n "$dovecot_auth_service" ]] && $dovecot_auth_service ; then
if [[ ${#dovecot_auth_allowed_network_arr[@]} -gt 0 ]] && [[ -n "$dovecot_auth_port" ]]; then
for _ip in ${dovecot_auth_allowed_network_arr[@]} ; do
$ipt -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m state --state NEW -j ACCEPT
done
echo_done
else
echo_failed
fi
else
echo_skipped
fi
# ---
# - HTTP(S) OUT
# ---
echononl "\t\tHTTP(S) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - HTTP(S) (local) Webserver
# ---
echononl "\t\tHTTP(S) (local) Webserver"
if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${http_server_ip_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
done
if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_http_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
done
fi
fi
echo_done
else
echo_skipped
fi
# ---
# - FTP out only"
# ---
echononl "\t\tFTP out only (using CT target)"
# - (Re)define helper
# -
$ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
# - Used for different ftpdata recent lists 'ftpdata_out_$j'
# -
declare -i j=1
for _dev in ${ext_if_arr[@]} ; do
# - (1)
# -
# - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
# -
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
-m recent --name ftpdata_out_$j --rdest --set -j ACCEPT
# - (2)
# - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$j' list (--update)
# - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the destination address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
-m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
((i++))
# - Accept (helper ftp) related connections
# -
$ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT
done
echo_done
#echononl "\t\tFTP out only"
#
#for _dev in ${ext_if_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# if $kernel_activate_forwarding ; then
# # (Datenkanal aktiv)
# $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # (Datenkanal passiv)
# $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# # (Kontrollverbindung)
# $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
# fi
#done
#
#echo_done
# ---
# - FTP Server"
# ---
echononl "\t\tFTP Server (using CT target)"
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
# - Used for different ftpdata recent lists 'ftpdata_$i'
declare -i i=1
# - (Re)define helper
# -
# - !! Note: !!
# - for both, local FTP server (ftp_server_ip_arr)
# - and forward to FTP server (forward_ftp_server_ip_arr)
# -
$ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ftp_server_ip_arr[@]} ; do
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
# -
# =====
# - (1)
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# -
$ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
# - Accept (helper ftp) related connections
# -
$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
((i++))
done
fi
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# =====
# -
# - ip_conntrack_ftp cannot see the TLS-encrypted traffic
# - ======================================================
# -
# - Workaround:
# - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear
# - (2) accept packets of the formaly created recent list 'ftpdata_$i!
# -
# =====
# - (1)
# -
# - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
# -
$ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
# - (2)
# - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
# - source ip-address was seen within the last 1800 seconds (--seconds 1800).
# -
# - - If matched, the "last seen" timestamp of the source address will be updated (--update).
# -
# - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
# -
$ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
$ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
-m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
# - Accept (helper ftp) related connections
# -
$ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT
$ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT
((i++))
done
fi
echo_done
else
echo_skipped
fi
#echononl "\t\tFTP Server"
#
#if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
# if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
# for _ip in ${ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
# for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# # (Datenkanal aktiv)
# $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
# # Datenkanal (passiver modus)
# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# # - Kontrollverbindung
# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
# done
# fi
#
# echo_done
#else
# echo_skipped
#fi
# ---
# - XMPP Service (Jabber)
# ---
echononl "\t\tXMPP Service"
if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${xmpp_server_ip_arr[@]} ; do
for _port in ${xmmp_tcp_in_port_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
for _port in ${xmmp_tcp_out_port_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_xmpp_server_ip_arr[@]} ; do
for _port in ${xmmp_tcp_in_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
for _port in ${xmmp_tcp_out_port_arr[@]} ; do
$ipt -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - XMPP Remote Dovecote Out Service
# ---
echononl "\t\tXMPP Remote Dovecote Out Service"
if [[ ${#xmmp_remote_out_service_arr[@]} -gt 0 ]] ; then
for _dev in "${ext_if_arr[@]}" ; do
for _val in "${xmmp_remote_out_service_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
done
done
echo_done
else
echo_skipped
fi
# ---
# - Mumble Service
# ---
echononl "\t\tMumble Service"
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mumble_server_ip_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_mumble_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Jitsi Video Conferencing Service
# ---
echononl "\t\tJitsi Meet Video Conferencing Service Incomming Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
fi
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_jitsi_server_ip_arr[@]} ; do
if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT
fi
$ipt -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
echononl "\t\tJitsi Meet Video Conferencing Service Outgoing Ports"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_jitsi_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
echononl "\t\tJitsi Meet Dovecot Authentication"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then
if $jitsi_dovecot_auth && [[ -n "$jitsi_dovecot_host" ]] && [[ -n "$jitsi_dovecot_port" ]] ; then
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then
$ipt -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT
fi
if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
$ipt -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT
fi
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
echononl "\t\tJitsi Remote Jibri Client"
if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] \
&& $jitsi_jibri_remote_auth \
&& [[ ${#jitsi_jibri_remote_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jitsi_jibri_remote_ip_arr[@]} ; do
$ipt -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m state --state NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - Jibri Recording / Streaming Service
# ---
echononl "\t\tJibri Recording / Streaming Service"
if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]]; then
if [[ -z "$jibri_remote_jitsi_server" ]]; then
echo_skipped
else
if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${jibri_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_jibri_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT
done
fi
echo_done
fi
else
echo_skipped
fi
# ---
# - TURN Service (for NC Talk App)
# ---
echononl "\t\tTURN Service (for NC Talk App) both: udp and tcp"
if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${nc_turn_server_ip_arr[@]} ; do
$ipt -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT
$ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _ip in ${forward_nc_turn_server_ip_arr[@]} ; do
$ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Timeserver (Port 37 NOT NTP!)"
# ---
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - NTP out only"
# ---
echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - NTP local Service"
# ---
echononl "\t\tNTP local Service"
if [[ -n "$local_ntp_service" ]] && $local_ntp_service ; then
if [[ -z "$ntp_allowed_net" ]] ; then
echo_failed
else
$ipt -A OUTPUT -p udp -d $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p udp -s $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT
echo_done
fi
else
echo_skipped
fi
# ---
# - Whois out only
# ---
echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - GIT out only
# ---
echononl "\t\tGIT out only"
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT
fi
done
echo_done
echo
# ---
# - Special TCP Ports OUT
# ---
echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
$ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Special UDP Ports OUT
# ---
echononl "\t\tSpecial UDP Ports OUT"
if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${udp_out_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${forward_udp_out_port_arr[@]} ; do
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
echo
# ---
# - UNIX Traceroute
# ---
echononl "\t\tUNIX Traceroute"
# versendet udp packete im gegensatz zu tracert von windows
# der icmp-echo-request pakete versendet
# einige implementierungen von traceroute (linux) erm<72>lichens
# die option -I und versenden dann ebenfalls icmp-echo-request pakete
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
$ipt -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
$ipt -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
fi
done
echo_done
# ---
# - Ping
# ---
echononl "\t\tPing"
$ipt -A INPUT -p icmp -j ACCEPT
$ipt -A OUTPUT -p icmp -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -p icmp -j ACCEPT
fi
#for _dev in ${ext_if_arr[@]} ; do
# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
# if $kernel_activate_forwarding ; then
# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
# fi
#done
#for _dev in ${local_if_arr[@]} ; do
# $ipt -A INPUT -i $_dev -p icmp -j ACCEPT
# $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT
# if $kernel_activate_forwarding ; then
# $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT
# $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT
# fi
#done
echo_done
# ---
# - log all rejected traffic
# ---
echo
echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then
#$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
if $kernel_activate_forwarding ; then
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
fi
echo_done
else
echo_skipped
fi
# ---
# - Drop all other
# ---
echo
echononl "\tDrop all other on all interfaces"
$ipt -A INPUT -j DROP
$ipt -A OUTPUT -j DROP
$ipt -A FORWARD -j DROP
echo_done
# -------------
# ------------- Start Fail2Ban if installed
# -------------
if [ -x "$fail2ban_client" ]; then
echo
echononl "\tStarting fail2ban.."
$fail2ban_client start > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
elif [ "$?" = "255" ]; then
echo_skipped
else
echo_failed
fi
fi
echo
exit 0
# ------------ Portforwarding ------------- #
# -
# - !! NOTICE:
# - you need also portforwarding enabled at the kernel
# - echo 1 >/proc/sys/net/ipv4/ip_forward
#
#
# ----------------------------------------------
# <old-ip>:<old-port> --> <new-ip>:<new-port>:80
# ----------------------------------------------
#
#$ipt -A FORWARD [-i <iface>] -p tcp --dport <new-port> -d <new-ip> -j ACCEPT
#$ipt -A FORWARD [-o <iface>] -p tcp --sport <new-port> -s <new-ip> -j ACCEPT
#
#$ipt -t nat -A PREROUTING [-i <iface>] -p tcp --dport <old-port> [-d <old-ip>] -j DNAT --to-destination <new-ip>:<new-port>
#$ipt -t nat -A POSTROUTING -d <new-ip> -j MASQUERADE
#
#
# -----------------------------------------------
# www-alt.oopen.de --> www-neu.oopen.de
#
# 46.4.129.3:80 --> 83.223.86.130:80
# 46.4.129.3:443 --> 83.223.86.130:443
# -----------------------------------------------
#
#$ipt -A FORWARD -p tcp -m multiport --dports 80,443 -d 83.223.86.130 -j ACCEPT
#$ipt -A FORWARD -p tcp -m multiport --sports 80,443 -s 83.223.86.130 -j ACCEPT
#
#$ipt -t nat -A PREROUTING -p tcp --dport 80 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:80
#$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443
#$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE
#
# -
# ---------- Ende Portforwarding ---------- #
Reference in New Issue View Git Blame Copy Permalink