firewall/ipt-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f6ec6c7517
ipt-server/ip6t-firewall-server
Christoph f6ec6c7517 Initial import
2017-02-12 16:07:07 +01:00

1251 lines
35 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
### BEGIN INIT INFO
# Provides: ip6t-firewall
# Required-Start: $local_fs $remote_fs $syslog $network $time
# Required-Stop: $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPv6 Firewall
### END INIT INFO
CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-server.conf
# ------------- Load Kernel Modules -------------
#
# Load appropriate modules.
if ! $host_is_vm ; then
/sbin/modprobe ip6_tables
/sbin/modprobe ip6table_filter
/sbin/modprobe ip6t_REJECT
fi
#
# ------------- End: Load Kernel Modules -------------
echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m"
echo
## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
if [[ -f "$CONFIG_FILE" ]]; then
source $CONFIG_FILE
else
echo
echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
echo
exit 1
fi
# -------------
# --- Activate IP Forwarding
# -------------
if ! $host_is_vm ; then
# ---
# - Disable ip forwarding between interfaces
# ---
if $kernel_forward_between_interfaces ; then
echononl "\tActivate Forwarding.."
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
else
echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
fi
echo_done
fi
# -------------
# --- Adjust Kernel Parameters (Security/Tuning)
# -------------
echononl "\tAdjust Kernel Parameters (Security/Tuning).."
if ! $host_is_vm ; then
# ---
# - Deactivate Source Routed Packets
# ---
for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do
if $kernel_deactivate_source_route ; then
echo 0 > $asr
fi
done
# ---
# - Deactivate sending ICMP redirects
# ---
if $kernel_dont_accept_redirects ; then
echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects
fi
echo_done # Adjust Kernel Parameters (Security/Tuning)
else
echo_skipped
fi # if ! $host_is_vm
# ------------- Stop Fail2Ban if installed -------------
#
if [ -x "$fail2ban_init_script" ]; then
echononl "\tStopping fail2ban.."
$fail2ban_init_script stop > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else
echo_warning
fi
fi
#
# ------------- Ende: Stop Fail2Ban if installed -------------
# -------------
# --- Set default policies / Flush Rules
# -------------
echo
echononl "\tFlushing firewall iptable (IPv6).."
# - default policies
# -
$ip6t -P INPUT ACCEPT
$ip6t -P OUTPUT ACCEPT
$ip6t -P FORWARD ACCEPT
## - flush chains
## -
$ip6t -F
$ip6t -F INPUT
$ip6t -F OUTPUT
$ip6t -F FORWARD
$ip6t -F -t mangle
$ip6t -F -t nat
$ip6t -F -t raw
$ip6t -X
$ip6t -Z
echo_done # Flushing firewall iptable (IPv6)..
echo
# -------------
# ------------ Stopping firewall if only flushing was requested (parameter flush)
# -------------
case $1 in
flush)
exit 0;;
esac
# -------------
# --- Pass through Devices Interfaces (not firewalled)
# -------------
if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then
echononl "\tPass through Devices (not firewalled)"
for _dev in ${unprotected_if_arr[@]} ; do
if $log_unprotected || $log_all ; then
$ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
$ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level
fi
$ip6t -A INPUT -i $_dev -j ACCEPT
$ip6t -A OUTPUT -o $_dev -j ACCEPT
$ip6t -A FORWARD -i $_dev -j ACCEPT
$ip6t -A FORWARD -o $_dev -j ACCEPT
done
echo_done
fi
# -------------
# --- Block IPs / Networks / Interfaces
# -------------
echononl "\tBlock IPs / Networks / Interfaces.."
# ---
# - Block IPs
# ---
for _ip in $blocked_ips ; do
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
fi
fi
$ip6t -A INPUT -i $_dev -s $_ip -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $_ip -j DROP
fi
done
done
# ---
# - Block Interfaces
# ---
for _if in ${blocked_if_arr[@]} ; do
if $log_blocked_if || $log_all ; then
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
fi
$ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
$ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level
fi
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_if -j DROP
$ip6t -A FORWARD -o $_if -j DROP
fi
$ip6t -A INPUT -i $_if -j DROP
$ip6t -A OUTPUT -o $_if -j DROP
done
echo_done # Block IPs / Networks / Interfaces..
# ---
# - Allow Forwarding certain private Addresses
# ---
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
for _ip in ${forward_private_ip_arr[@]}; do
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -d $_ip -j ACCEPT
$ip6t -A FORWARD -s $_ip -j ACCEPT
echo_done
else
echo_skipped
fi
done
fi
# -------------
# --- Protections against several attacks / unwanted packages
# -------------
echo
echononl "\tProtections against several attacks / unwanted packages.."
# ---
# - Protection against syn-flooding
# ---
$ip6t -N syn-flood
$ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
$ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level
fi
$ip6t -A syn-flood -j DROP
# ---
# - drop new packages without syn flag
# ---
if $log_new_not_sync || $log_all ; then
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level
fi
fi
$ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
fi
# ---
# - drop invalid packages
# ---
if $log_invalid_state || $log_all ; then
$ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level
fi
fi
$ip6t -A INPUT -m state --state INVALID -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -m state --state INVALID -j DROP
fi
# ---
# - ungewöhnliche Flags verwerfen
# ---
for _dev in ${ext_if_arr[@]} ; do
if $log_invalid_flags || $log_all ; then
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level
fi
fi
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
fi
done
# ---
# - Refuse private addresses on extern interfaces
# ---
# - Refuse spoofed packets pretending to be from your IP address.
if $log_spoofed || $log_all ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level
fi
done
fi
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP
if $kernel_forward_between_interfaces ; then
$ipi6t -A FORWARD -s $_ip -d $_ip -j DROP
fi
done
# - private Adressen auf externen interface verwerfen
for _dev in ${ext_if_arr[@]} ; do
if $log_spoofed || $log_all ; then
$ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
$ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level
$ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level
fi
fi
$ip6t -A INPUT -i $_dev -s $ula_block -j DROP
$ip6t -A INPUT -i $_dev -s $loopback -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -i $_dev -s $loopback -j DROP
fi
# Don't allow spoofing from that server
$ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP
$ip6t -A OUTPUT -o $_dev -s $loopback -j DROP
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -s $ula_block -j DROP
$ip6t -A FORWARD -o $_dev -s $loopback -j DROP
fi
done
echo_done
# -------------
# ------------- Stopping firewall here if requested (parameter stop)
# -------------
case $1 in
sto*)
#echononl "Stopping firewall iptable (IPv6).."
echo
echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m"
echo
exit 0;;
esac
echo
# -------------
# --- Traffic Counter (used by munin)
# -------------
echononl "\tCreate Traffic Counter (used by munin)"
if $create_traffic_counter ; then
for _ip in ${ext_ip_arr[@]} ; do
$ip6t -A INPUT -d $_ip
$ip6t -A INPUT -s $_ip
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -d $_ip
$ip6t -A FORWARD -s $_ip
fi
done
echo_done
else
echo_skipped
fi
# -------------
# --- iPerf
# -------------
# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks.
# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP,
# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
echononl "\tCreate \"iPerf\" rules.."
if $create_iperf_rules ; then
$ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT
$ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT
#
$ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT
$ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT
$ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT
fi
echo_done
else
echo_skipped
fi
# -------------
# --- Generally prohibited
# -------------
echononl "\tGenerally prohibited traffic.."
for _dev in ${ext_if_arr[@]} ; do
if $log_prohibited || $log_all ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
if $kernel_forward_between_interfaces ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level
done
fi
fi
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP
done
if $kernel_forward_between_interfaces ; then
for _port in ${block_tcp_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP
done
for _port in ${block_udp_port_arr[@]} ; do
$ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP
done
fi
done
echo_done
echo
# -------------
# --- Traffic generally allowed
# -------------
echononl "\tLoopback device generally allowed.."
# ---
# - Loopback device
# ---
$ip6t -A INPUT -i lo -j ACCEPT
$ip6t -A OUTPUT -o lo -j ACCEPT
echo_done
# ---
# - Already established connections
# ---
echononl "\tAccept already established connections.."
$ip6t -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip6t -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
echo_done
# ---
# - VPN
# ---
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then
echononl "\tPermit all traffic through VPN lines.."
if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${vpn_server_ip_arr[@]} ; do
for _port in ${vpn_port_arr[@]} ; do
$ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
for _vpn_if in ${vpn_if_arr[@]} ; do
$ip6t -A INPUT -i $_vpn_if -j ACCEPT
$ip6t -A OUTPUT -o $_vpn_if -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_vpn_if -j ACCEPT
$ip6t -A FORWARD -o $_vpn_if -j ACCEPT
fi
done
fi
if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_vpn_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# -------------
# --- Services
# -------------
echo
echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m"
# ---
# - DHCP
# ---
echononl "\t\tDHCP"
if [[ ${#dhcp_if_arr[@]} -gt 0 ]] ; then
for _dev in ${dhcp_if_arr[@]} ; do
# - in
$ip6t -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
# - out
$ip6t -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
done
echo_done
else
echo_skipped
fi
# ---
# - DNS out only
# ---
echononl "\t\tDNS out only"
# - Nameservers on the INET must be reachable for the local recursiv nameserver
# - but also for all others
# -
for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s)
$ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
if $kernel_forward_between_interfaces ; then
# - forward from virtual mashine(s)
$ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - DNS Service
# ---
echononl "\t\tDNS Service"
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${dns_server_ips[@]} ; do
# dns requests
$ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_dns_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
$ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - SSH out only
# ---
echononl "\t\tSSH out only"
# ausgehende Anfragen
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
fi
done
for _dev in ${local_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT
done
echo_done
# ---
# - SSH Service
# ---
echononl "\t\tSSH Service"
if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_ssh_server_ip_arr[@]} ; do
for _port in ${ssh_port_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Rsync Out
# ---
echononl "\t\tRsync (only OUT)"
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then
for _port in ${rsync_port_arr[@]} ; do
for _ip in ${rsync_out_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _port in ${rsync_port_arr[@]} ; do
for _ip in ${forward_rsync_out_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Telnet
# ---
echononl "\t\tTelnet (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - MySQL
# ---
echononl "\t\tMySQL (only OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Munin remote service
# ---
echononl "\t\tMunin remote service"
if [ "X$munin_remote_ip" != "X" ]; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Munin local service
# ---
echononl "\t\tMunin local service"
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${munin_server_ip_arr[@]} ; do
$ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_munin_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mail (SMTP OUT)
# ---
echononl "\t\tMail (SMTP OUT)"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Mail (SMTP Server)
# ---
echononl "\t\tMail (SMTP Server including Spam Control)"
if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
for _ip in ${smtpd_ips_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo)
$ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
#
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
#
# - DCC (port udp:6277)
$ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ip6t -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
$ip6t -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
done
fi
if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_smtpd_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT
#
# Razor2 (TCP Port 2703)
$ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
# DEPRECATED: TCP Port 7 (echo)
$ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
#
# Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
$ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
#
# DCC (port udp:6277)
$ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
# if DCC Server is running (port tcp:6277)
$ip6t -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
$ip6t -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mail (POP/IMAP Server)
# ---
echononl "\t\tMail (POP/IMAP Server)"
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_server_ips_arr[@]} ; do
# mail ports
#
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]
if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mail_server_ip_arr[@]} ; do
# mail ports
#
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
done
fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
echo_done
else
echo_skipped
fi
# ---
# - HTTP(S) OUT
# ---
echononl "\t\tHTTP(S) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - HTTP(S) (local) Webserver
# ---
echononl "\t\tHTTP(S) (local) Webserver"
if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${http_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
done
if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_http_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
done
fi
fi
echo_done
else
echo_skipped
fi
# ---
# - FTP out only"
# ---
echononl "\t\tFTP out only"
for _dev in ${ext_if_arr[@]} ; do
# (Datenkanal aktiv)
$ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# (Datenkanal passiv)
$ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# (Kontrollverbindung)
$ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
# (Datenkanal aktiv)
$ip6t -A FORWARD -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT
# (Datenkanal passiv)
$ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
# (Kontrollverbindung)
$ip6t -A FORWARD -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - FTP Server"
# ---
echononl "\t\tFTP Server"
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ip6t -A OUTPUT -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# Datenkanal (passiver modus)
$ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ip6t -A INPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_ftp_server_ip_arr[@]} ; do
# (Datenkanal aktiv)
$ip6t -A FORWARD -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT
# Datenkanal (passiver modus)
$ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
# - Kontrollverbindung
$ip6t -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Mumble Service
# ---
echononl "\t\tMumble Service"
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || $local_mumble_service ; then
if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${mumble_server_ip_arr[@]} ; do
$ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
$ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
done
fi
if [[ ${#forward_mumble_server_ip_arr[@]} ]] && $kernel_forward_between_interfaces ; then
for _ip in ${forward_mumble_server_ip_arr[@]} ; do
$ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Timeserver (Port 37 NOT NTP!)"
# ---
echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - NTP out only"
# ---
echononl "\t\tNTP out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT
fi
done
echo_done
# ---
# - Whois out only
# ---
echononl "\t\tWhois out only"
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT
fi
done
echo_done
echo
# ---
# - Special TCP Ports OUT
# ---
echononl "\t\tSpecial TCP Ports OUT"
if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${tcp_out_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
# ---
# - Special UDP Ports OUT
# ---
echononl "\t\tSpecial UDP Ports OUT"
if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${udp_out_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${forward_udp_out_port_arr[@]} ; do
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
done
done
fi
echo_done
else
echo_skipped
fi
echo
# ---
# - UNIX Traceroute
# ---
echononl "\t\tUNIX Traceroute"
# versendet udp packete im gegensatz zu tracert von windows
# der icmp-echo-request pakete versendet
# einige implementierungen von traceroute (linux) erm<72>lichens
# die option -I und versenden dann ebenfalls icmp-echo-request pakete
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
$ip6t -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
$ip6t -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT
fi
done
echo_done
# ---
# - Ping
# ---
echononl "\t\tPing"
$ip6t -A INPUT -p ipv6-icmp -j ACCEPT
$ip6t -A OUTPUT -p ipv6-icmp -j ACCEPT
if $kernel_forward_between_interfaces ; then
$ip6t -A FORWARD -p ipv6-icmp -j ACCEPT
fi
#for _dev in ${ext_if_arr[@]} ; do
# $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT
# $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT
# if $kernel_forward_between_interfaces ; then
# $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT
# $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT
# fi
#done
#for _dev in ${local_if_arr[@]} ; do
# $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT
# $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT
# if $kernel_forward_between_interfaces ; then
# $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT
# $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT
# fi
#done
echo_done
# ---
# - log all rejected traffic
# ---
echo
echononl "\tLogging all rejected traffic"
if $log_rejected || $log_all ; then
#$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
#$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
if $kernel_forward_between_interfaces ; then
#$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
$ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level
fi
echo_done
else
echo_skipped
fi
# ---
# - Drop all other
# ---
echo
echononl "\tDrop all other on all interfaces"
$ip6t -A INPUT -j DROP
$ip6t -A OUTPUT -j DROP
$ip6t -A FORWARD -j DROP
echo_done
# -------------
# ------------- Start Fail2Ban if installed
# -------------
if [ -x "$fail2ban_init_script" ]; then
echo
echononl "\tStarting fail2ban.."
$fail2ban_init_script start > /dev/null 2>&1
if [ "$?" = "0" ];then
echo_done
else
echo_failed
fi
fi
echo
exit 0
Reference in New Issue View Git Blame Copy Permalink