Add 'mail_client_ips', 'restrict_local_service_to_net', 'restrict_local_net_to_net'.

2017-07-18 15:30:23 +02:00 · 2017-07-18 15:30:23 +02:00 · 8bbc845adf
commit 8bbc845adf
parent 6d2a9d8d8d
4 changed files with 511 additions and 40 deletions
--- a/138
+++ b/138
@ -10,6 +10,8 @@
 # Short-Description: IPv6 Firewall
 ### END INIT INFO

+CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-vserver.conf
+

 # ------------- Load Kernel Modules -------------
 #
@ -30,8 +32,15 @@ echo
 ## --------------------------------------------------------------------------
 ## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
 ## --------------------------------------------------------------------------
-   
-source /etc/ipt-firewall/ip6t-firewall.conf
+
+if [[ -f "$CONFIG_FILE" ]]; then
+   source $CONFIG_FILE
+else
+   echo
+   echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
+   echo
+   exit 1
+fi


 # -------------
@ -512,6 +521,7 @@ echo_done
 # - VPN
 # ---

+echononl "\tPermit all traffic through VPN lines.."
 if $local_vpn_service ; then
   echononl "\tPermit all traffic through VPN lines.."
   for _port in ${local_vpn_port_arr[@]} ; do
@ -526,6 +536,97 @@ if $local_vpn_service ; then
      fi
   done
   echo_done
+else
+   echo_skipped
+fi
+
+
+echo
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
+if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+
+   _deny_service_arr=()
+
+   for _val in "${restrict_local_service_to_net_arr[@]}" ; do
+      IFS=',' read -a _val_arr <<< "${_val}"
+
+      for _dev in ${ext_if_arr[@]} ; do
+
+         if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+            $ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+            if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD" "${_deny_service_arr[@]}" ; then
+               _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD")
+            fi
+
+         else
+
+            $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+            if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT" "${_deny_service_arr[@]}" ; then
+               _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT")
+            fi
+
+         fi
+
+      done
+
+   done
+
+   for _val in "${_deny_service_arr[@]}" ; do
+      IFS=',' read -a _val_arr <<< "${_val}"
+      $ip6t -A ${_val_arr[4]} -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Address/Network to given extern Address/Network"
+if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+   _deny_net_arr=()
+
+   for _val in "${restrict_local_net_to_net_arr[@]}" ; do
+      IFS=',' read -a _val_arr <<< "${_val}"
+      for _dev in ${ext_if_arr[@]} ; do
+
+         if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+            $ip6t -A FORWARD -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+            if ! containsElement "${_dev},${_val_arr[1]},FORWARD" "${_deny_net_arr[@]}" ; then
+               _deny_net_arr+=("${_dev},${_val_arr[1]},FORWARD")
+            fi
+
+         else
+            $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+            if ! containsElement "${_dev},${_val_arr[1]},INPUT" "${_deny_net_arr[@]}" ; then
+               _deny_net_arr+=("${_dev},${_val_arr[1]},INPUT")
+            fi
+         fi
+
+      done
+
+   done
+
+   for _val in "${_deny_net_arr[@]}" ; do
+      IFS=',' read -a _val_arr <<< "${_val}"
+      $ip6t -A ${_val_arr[2]} -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+   done
+
+   echo_done
+else
+   echo_skipped
 fi


@ -610,7 +711,6 @@ if $local_dns_service ; then
      $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
      $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
      # Zonetransfer
-      $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
      $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
   done
 fi
@ -648,7 +748,6 @@ echononl "\t\tSSH Service"
 if $local_ssh_service ; then
   for _port in ${ssh_port_arr[@]} ; do
      $ip6t -A INPUT -p tcp --dport $_port -m state --state NEW -j ACCEPT
-
   done
 fi

@ -870,10 +969,10 @@ fi


 # ---
-# - Mail (POP/IMAP Server)
+# - Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---

-echononl "\t\tMail (POP/IMAP Server)"
+echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"

 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
   if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
@ -899,6 +998,33 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
         $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
      done
   fi # if $local_mail_service
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# ---
+# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
+# ---
+
+echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
+
+if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+
+   if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+      for _ip in ${mail_client_ips_arr[@]} ; do
+         # mail ports 
+         #
+         if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
+            $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+         else
+            $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+         fi
+      done
+   fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
+
   echo_done
 else
   echo_skipped
--- a/ip6t-firewall-vserver.conf.sample
+++ b/ip6t-firewall-vserver.conf.sample
@ -197,19 +197,6 @@ local_munin_service=false
 munin_remote_port="4949"


-# -------------
-# - Protocols Out
-# -------------
-
-# - Rsync Protocol
-# -
-# - Needed for some integrated provider of clamav-unofficial-sigs
-# -
-local_rsync_out=false
-rsync_out_ips=""
-rsync_ports="873"
-
-
 # -------------
 # --- Services local Network
 # -------------
@ -236,6 +223,71 @@ guest_ips="$guest_1_ips $guest_2_ips $guest_3_ips $guest_4_ips $guest_5_ips $gue
 lxc_ips="$guest_ips"
 vserver_ips=""

+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+local_rsync_out=false
+rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# - 
+# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local 
+# - services.
+# -
+# - Example:
+# -    allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
+# -    allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
+# -
+# -    restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp 
+# -                                   2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# -    restrict_local_net_to_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
+# -                               2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
+# - 
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
 # - Remote Munin Server
 # -
 munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
@ -261,6 +313,10 @@ smtpd_ips=""
 # -
 mail_server_ips=""

+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+
 # - FTP Server
 # -
 ftp_server_ips=""
@ -286,9 +342,11 @@ local_xymon_client=false
 # -------------

 # - TCP Ports
+# -
 tcp_out_ports=""

 # - UDP Ports
+# -
 udp_out_ports=""


@ -422,6 +480,7 @@ done

 # ---
 # - Local Network Interfaces
+# ---
 declare -a local_if_arr
 for _dev in $local_ifs ; do
   local_if_arr+=("$_dev")
@ -443,6 +502,22 @@ for _dev in $unprotected_ifs ; do
   unprotected_if_arr+=("$_dev")
 done

+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+   restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+   restrict_local_net_to_net_arr+=("$_val")
+done
+
 # ---
 # - Generally block ports
 # ---
@ -505,13 +580,22 @@ for _ip in $smtpd_ips ; do
 done

 # ---
-# - Mail POP/IMAP Server
+# - Mail Services (smtps/pop(s)/imap(s)
 # ---
 declare -a mail_server_ips_arr
 for _ip in $mail_server_ips ; do
   mail_server_ips_arr+=("$_ip")
 done

+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+   mail_client_ips_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses Mumble Server
 # ---
--- a/161
+++ b/161
@ -10,6 +10,8 @@
 # Short-Description: IPv4 Firewall
 ### END INIT INFO

+CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-vserver.conf
+

 # ------------- Load Kernel Modules -------------
 #
@ -51,7 +53,23 @@ echo
 ## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
 ## --------------------------------------------------------------------------

-source /etc/ipt-firewall/ipt-firewall.conf
+
+echo
+echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
+echo
+
+## --------------------------------------------------------------------------
+## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
+## --------------------------------------------------------------------------
+
+if [[ -f "$CONFIG_FILE" ]]; then
+   source $CONFIG_FILE
+else
+   echo
+   echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
+   echo
+   exit 1
+fi



@ -75,6 +93,21 @@ if ! $host_is_vm ; then
      echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
      echo_done
   fi
+
+   if $kernel_support_dynaddr ; then
+      echononl "\tActivate kernel support for dynamic addresses.."
+      if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
+         echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
+         echo_done
+      else
+         echo_failed
+      fi
+   else
+      echo 0 > /proc/sys/net/ipv4/ip_dynaddr
+      echononl "\t\033[33m\033[1mDisable kernel support for dynamic addresses..\033[m"
+      echo_done
+   fi
+
 fi


@ -347,7 +380,6 @@ for _dev in ${ext_if_arr[@]} ; do
 done


-
 # ---
 # - drop new packages without syn flag
 # ---
@ -689,8 +721,8 @@ echo_done
 # - VPN
 # ---

+echononl "\tPermit all traffic through VPN lines.."
 if $local_vpn_service ; then
-   echononl "\tPermit all traffic through VPN lines.."
   for _port in ${local_vpn_port_arr[@]} ; do
      $ipt -A INPUT -p udp --dport $_port -m state --state NEW -j ACCEPT
   done
@ -703,6 +735,97 @@ if $local_vpn_service ; then
      fi
   done
   echo_done
+else
+   echo_skipped
+fi
+
+
+echo
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Service to given (extern) IP-Address/Network"
+if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+
+   _deny_service_arr=()
+
+   for _val in "${restrict_local_service_to_net_arr[@]}" ; do
+      IFS=':' read -a _val_arr <<< "${_val}"
+
+      for _dev in ${ext_if_arr[@]} ; do
+
+         if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+            $ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+            if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:FORWARD" "${_deny_service_arr[@]}" ; then
+               _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:FORWARD")
+            fi
+
+         else
+
+            $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+            if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:INPUT" "${_deny_service_arr[@]}" ; then
+               _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:INPUT")
+            fi
+
+         fi
+
+      done
+
+   done
+
+   for _val in "${_deny_service_arr[@]}" ; do
+      IFS=':' read -a _val_arr <<< "${_val}"
+      $ipt -A ${_val_arr[4]} -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+   done
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Address/Network to given extern Address/Network"
+if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+   _deny_net_arr=()
+
+   for _val in "${restrict_local_net_to_net_arr[@]}" ; do
+      IFS=':' read -a _val_arr <<< "${_val}"
+      for _dev in ${ext_if_arr[@]} ; do
+
+         if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+            $ipt -A FORWARD -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+            if ! containsElement "${_dev}:${_val_arr[1]}:FORWARD" "${_deny_net_arr[@]}" ; then
+               _deny_net_arr+=("${_dev}:${_val_arr[1]}:FORWARD")
+            fi
+
+         else
+            $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+            if ! containsElement "${_dev}:${_val_arr[1]}:INPUT" "${_deny_net_arr[@]}" ; then
+               _deny_net_arr+=("${_dev}:${_val_arr[1]}:INPUT")
+            fi
+         fi
+
+      done
+
+   done
+
+   for _val in "${_deny_net_arr[@]}" ; do
+      IFS=':' read -a _val_arr <<< "${_val}"
+      $ipt -A ${_val_arr[2]} -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+   done
+
+   echo_done
+else
+   echo_skipped
 fi


@ -768,7 +891,7 @@ for _ip in ${dns_server_ips[@]} ; do
   #
   $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
   $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
-   if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_activate_forwarding ; then
+   if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
      $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
      $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
      # Zonetransfer
@ -1045,10 +1168,10 @@ fi


 # ---
-# - Mail (POP/IMAP Server)
+# - Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---

-echononl "\t\tMail (POP/IMAP Server)"
+echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"

 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
   if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
@ -1081,6 +1204,32 @@ else
 fi


+# ---
+# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
+# ---
+
+echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
+
+if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+
+   if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+      for _ip in ${mail_client_ips_arr[@]} ; do
+         # mail ports 
+         #
+         if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
+            $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+         else
+            $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+         fi
+      done
+   fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
+
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - HTTP(S) OUT
 # ---
--- a/ipt-firewall-vserver.conf.sample
+++ b/ipt-firewall-vserver.conf.sample
@ -197,19 +197,6 @@ local_munin_service=false
 munin_remote_port="4949"


-# -------------
-# - Protocols Out
-# -------------
-
-# - Rsync Protocol
-# -
-# - Needed for some integrated provider of clamav-unofficial-sigs
-# -
-local_rsync_out=false
-rsync_out_ips=""
-rsync_ports="873"
-
-
 # -------------
 # --- Services local Network
 # -------------
@ -238,6 +225,71 @@ vserver_ips="$guest_ips"

 broadcast_ips=""

+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+local_rsync_out=false
+rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# - 
+# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local 
+# - services.
+# -
+# - Example:
+# -    allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
+# -    allow access from 86.73.85.0/24 to https service at 83.223.86.98
+# -
+# -    restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp 
+# -                                    86.73.85.0/24:83.223.86.98:443:tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# -    restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# -                               83.223.86.96/32:86.223.73.0/24"
+# - 
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
 # - Remote Munin Server
 # -
 munin_remote_ip="83.223.86.99"
@ -263,6 +315,10 @@ smtpd_ips=""
 # -
 mail_server_ips=""

+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+
 # - FTP Server
 # -
 ftp_server_ips=""
@ -288,9 +344,11 @@ local_xymon_client=false
 # -------------

 # - TCP Ports
+# -
 tcp_out_ports=""

 # - UDP Ports
+# -
 udp_out_ports=""


@ -348,6 +406,35 @@ create_iperf_rules=true
 # -
 kernel_activate_forwarding=false

+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# -   1:  To enable:
+# -   2:  To enable verbosity:
+# -   4:  To enable RST-provoking:
+# -   8:  To enable asymetric routing work-around [**]
+# -
+# -  [*] At boot, by default no address rewriting is attempted.
+# -  [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+

 # -------------
 # --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
@ -498,6 +585,22 @@ for _dev in $unprotected_ifs ; do
   unprotected_if_arr+=("$_dev")
 done

+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+   restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+   restrict_local_net_to_net_arr+=("$_val")
+done
+
 # ---
 # - Generally block ports
 # ---
@ -560,13 +663,22 @@ for _ip in $smtpd_ips ; do
 done

 # ---
-# - Mail POP/IMAP Server
+# - Mail Services (smtps/pop(s)/imap(s)
 # ---
 declare -a mail_server_ips_arr
 for _ip in $mail_server_ips ; do
   mail_server_ips_arr+=("$_ip")
 done

+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+   mail_client_ips_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses Mumble Server
 # ---