diff --git a/ip6t-firewall-vserver b/ip6t-firewall-vserver
index 2859060..c69614c 100755
--- a/ip6t-firewall-vserver
+++ b/ip6t-firewall-vserver
@@ -10,6 +10,8 @@
 # Short-Description: IPv6 Firewall
 ### END INIT INFO
+CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-vserver.conf
+
 # ------------- Load Kernel Modules -------------
 #
@@ -30,8 +32,15 @@ echo
 ## --------------------------------------------------------------------------
 ## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
 ## --------------------------------------------------------------------------
-
-source /etc/ipt-firewall/ip6t-firewall.conf
+
+if [[ -f "$CONFIG_FILE" ]]; then
+ source $CONFIG_FILE
+else
+ echo
+ echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
+ echo
+ exit 1
+fi
 # -------------
@@ -512,6 +521,7 @@ echo_done
 # - VPN
 # ---
+echononl "\tPermit all traffic through VPN lines.."
 if $local_vpn_service ; then
 echononl "\tPermit all traffic through VPN lines.."
 for _port in ${local_vpn_port_arr[@]} ; do
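Review bot: The new `source $CONFIG_FILE` line only reacts to a missing file; a config that exists but cannot be read or has a syntax error makes `source` fail, and the script then keeps going and builds the rule set from unset variables, since no `set -e` is visible here. Checking the status on the same line, `source "$CONFIG_FILE" || { echo -e "\033[31m\033[1m\tCannot load $CONFIG_FILE\033[m" ; exit 1 ; }`, fails closed the same way the missing-file branch does (the quotes also match the `-f "$CONFIG_FILE"` test above). The header kept as context still says configuration lives in `/etc/ipt-firewall/ipt-firewall.conf`, while `CONFIG_FILE` now points at `ip6t-firewall-vserver.conf`; the header should name the variable instead. The same applies to the `@@ -51,7 +53,23 @@` hunk of ipt-firewall-vserver.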
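Review bot: The added `echononl "\tPermit all traffic through VPN lines.."` before the `if` keeps the identical `echononl` inside the `then` branch as a context line, so with `local_vpn_service` enabled the message is printed twice; the IPv4 counterpart (`@@ -689,8 +721,8 @@` in ipt-firewall-vserver) removes the inner line, and this hunk should do the same. The `if` block continues past the end of this hunk.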
@@ -526,6 +536,97 @@ if $local_vpn_service ; then
 fi
 done
 echo_done
+else
+ echo_skipped
+fi
+
+
+echo
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Servive to given (extern) IP-Address/Network"
+if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_service_arr=()
+
+ for _val in "${restrict_local_service_to_net_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+ $ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+ if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD")
+ fi
+
+ else
+
+ $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT")
+ fi
+
+ fi
+
+ done
+
+ done
+
+ for _val in "${_deny_service_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A ${_val_arr[4]} -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Address/Network to given extern Address/Network"
+if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_net_arr=()
+
+ for _val in "${restrict_local_net_to_net_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+ $ip6t -A FORWARD -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ if ! containsElement "${_dev},${_val_arr[1]},FORWARD" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev},${_val_arr[1]},FORWARD")
+ fi
+
+ else
+ $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ if ! containsElement "${_dev},${_val_arr[1]},INPUT" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev},${_val_arr[1]},INPUT")
+ fi
+ fi
+
+ done
+
+ done
+
+ for _val in "${_deny_net_arr[@]}" ; do
+ IFS=',' read -a _val_arr <<< "${_val}"
+ $ip6t -A ${_val_arr[2]} -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+ done
+
+ echo_done
+else
+ echo_skipped
 fi
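Review bot: Each `restrict_local_service_to_net_arr` entry is split with `IFS=',' read -a _val_arr` and its fields go straight into the `$ip6t` command line without any check, although the sample config says only `tcp` and `udp` are valid protocols; a malformed entry produces a rule with empty `-p`/`-d`/`--dport` arguments whose only trace is ip6tables' own error text. A guard right after the `read`, `[[ ${#_val_arr[@]} -eq 4 && ${_val_arr[3]} =~ ^(tcp|udp)$ ]] || { printf 'skipping malformed entry: %s\n' "$_val" >&2 ; continue ; }`, makes that explicit (`read -r -a` additionally keeps backslashes intact). The closing `-j DROP` rules carry no conntrack state match, so unless an ESTABLISHED,RELATED accept already sits earlier in INPUT/FORWARD — not visible in this hunk — they also drop the follow-up packets of connections the permitted sources opened, and in the net-to-net block every reply to connections the local network itself opened; adding `-m conntrack --ctstate NEW` to the DROP lines limits the restriction to new connections, which is what the ACCEPT lines already target. The user-visible `echononl "\tRestrict local Servive …"` string keeps the typo that the IPv4 counterpart spells `Service`. The same points apply to the `@@ -703,6 +735,97 @@` hunk of ipt-firewall-vserver.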
@@ -610,7 +711,6 @@ if $local_dns_service ; then
 $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 # Zonetransfer
- $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT
 done
 fi
@@ -648,7 +748,6 @@ echononl "\t\tSSH Service"
 if $local_ssh_service ; then
 for _port in ${ssh_port_arr[@]} ; do
 $ip6t -A INPUT -p tcp --dport $_port -m state --state NEW -j ACCEPT
- done
 fi
@@ -870,10 +969,10 @@ fi
 # ---
-# - Mail (POP/IMAP Server)
+# - Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---
-echononl "\t\tMail (POP/IMAP Server)"
+echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
@@ -899,6 +998,33 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
 $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
 done
 fi # if $local_mail_service
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
+# ---
+
+echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
+
+if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_client_ips_arr[@]} ; do
+ # mail ports
+ #
+ if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
+ $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ else
+ $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ fi
+ done
+ fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
+
 echo_done
 else
 echo_skipped
diff --git a/ip6t-firewall-vserver.conf.sample b/ip6t-firewall-vserver.conf.sample
index 2961d98..382793a 100644
--- a/ip6t-firewall-vserver.conf.sample
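Review bot: As rendered, the `@@ -648,7 +748,6 @@` hunk deletes the only `done` that closes `for _port in ${ssh_port_arr[@]} ; do`, leaving `fi` to close an open loop, which bash rejects at parse time. If the original had a duplicated `done` that this copy of the diff lost, the change is a correct fix; otherwise the line has to stay. A `bash -n ip6t-firewall-vserver` before merging settles it either way.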
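Review bot: In the new Mail Client block the inner `if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then` repeats the outer condition verbatim, so it can never be false and only adds a level of nesting and a misleading `fi # if [[ … ]]` trailer; dropping the inner `if`/`fi` pair leaves the `for _ip` loop directly under the outer test. The rules also use `-m state --state NEW` while the restriction blocks added earlier in this commit use `-m conntrack --ctstate NEW`; both work, but one form throughout makes the rule set easier to audit. The outer `if` is closed by the `fi` that follows this hunk. The same applies to the `@@ -1081,6 +1204,32 @@` hunk of ipt-firewall-vserver.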
+++ b/ip6t-firewall-vserver.conf.sample
@@ -197,19 +197,6 @@ local_munin_service=false
 munin_remote_port="4949"
-# -------------
-# - Protocols Out
-# -------------
-
-# - Rsync Protocol
-# -
-# - Needed for some integrated provider of clamav-unofficial-sigs
-# -
-local_rsync_out=false
-rsync_out_ips=""
-rsync_ports="873"
-
-
 # -------------
 # --- Services local Network
 # -------------
@@ -236,6 +223,71 @@ guest_ips="$guest_1_ips $guest_2_ips $guest_3_ips $guest_4_ips $guest_5_ips $gue
 lxc_ips="$guest_ips"
 vserver_ips=""
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+local_rsync_out=false
+rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# -
+# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# - - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local
+# - services.
+# -
+# - Example:
+# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
+# - allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
+# -
+# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
+# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# - restrict_local_net_to_net=", [,] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# - - Traffic recieved on natted interfaces will be ommitted!
+# - - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# - allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
+# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
+# -
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
 # - Remote Munin Server
 # -
 munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
@@ -261,6 +313,10 @@ smtpd_ips=""
 # -
 mail_server_ips=""
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+
 # - FTP Server
 # -
 ftp_server_ips=""
@@ -286,9 +342,11 @@ local_xymon_client=false
 # -------------
 # - TCP Ports
+# -
 tcp_out_ports=""
 # - UDP Ports
+# -
 udp_out_ports=""
@@ -422,6 +480,7 @@ done
 # ---
 # - Local Network Interfaces
+# ---
 declare -a local_if_arr
 for _dev in $local_ifs ; do
 local_if_arr+=("$_dev")
@@ -443,6 +502,22 @@ for _dev in $unprotected_ifs ; do
 unprotected_if_arr+=("$_dev")
 done
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+ restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+ restrict_local_net_to_net_arr+=("$_val")
+done
+
 # ---
 # - Generally block ports
 # ---
@@ -505,13 +580,22 @@ for _ip in $smtpd_ips ; do
 done
 # ---
-# - Mail POP/IMAP Server
+# - Mail Services (smtps/pop(s)/imap(s)
 # ---
 declare -a mail_server_ips_arr
 for _ip in $mail_server_ips ; do
 mail_server_ips_arr+=("$_ip")
 done
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+ mail_client_ips_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses Mumble Server
 # ---
diff --git a/ipt-firewall-vserver b/ipt-firewall-vserver
index c1d45ea..038b1b7 100755
--- a/ipt-firewall-vserver
+++ b/ipt-firewall-vserver
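Review bot: The comment documenting `restrict_local_net_to_net` has lost its field names — `restrict_local_net_to_net=", [,] [..]"` no longer says what goes before and after the comma — and the example beneath it assigns `allow_ext_net_to_local_net=` instead of the variable being documented, so a user who copies the example sets a name the script never reads. Suggested wording: `# - restrict_local_net_to_net="ext-net,local-net [ext-net,local-net] [..]"` and `# - restrict_local_net_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128`. The service format line spells its first field `ext-netr`, and `Servive`, `valuse`, `recieved`, `ommitted`, `netwoks` and `evry` are typos in text users rely on to get the entry syntax right. The `@@ -238,6 +225,71 @@` hunk of ipt-firewall-vserver.conf.sample has the same format-line and example-name problems, with `:` as separator.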
@@ -10,6 +10,8 @@
 # Short-Description: IPv4 Firewall
 ### END INIT INFO
+CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-vserver.conf
+
 # ------------- Load Kernel Modules -------------
 #
@@ -51,7 +53,23 @@ echo
 ## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
 ## --------------------------------------------------------------------------
-source /etc/ipt-firewall/ipt-firewall.conf
+
+echo
+echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
+echo
+
+## --------------------------------------------------------------------------
+## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
+## --------------------------------------------------------------------------
+
+if [[ -f "$CONFIG_FILE" ]]; then
+ source $CONFIG_FILE
+else
+ echo
+ echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
+ echo
+ exit 1
+fi
@@ -75,6 +93,21 @@ if ! $host_is_vm ; then
 echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
 echo_done
 fi
+
+ if $kernel_support_dynaddr ; then
+ echononl "\tActivate kernel support for dynamic addresses.."
+ if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
+ echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
+ echo_done
+ else
+ echo_failed
+ fi
+ else
+ echo 0 > /proc/sys/net/ipv4/ip_dynaddr
+ echononl "\t\033[33m\033[1mDisable kernel support for dynamic addresses..\033[m"
+ echo_done
+ fi
+
 fi
@@ -347,7 +380,6 @@ for _dev in ${ext_if_arr[@]} ; do
 done
-
 # ---
 # - drop new packages without syn flag
 # ---
@@ -689,8 +721,8 @@ echo_done
 # - VPN
 # ---
+echononl "\tPermit all traffic through VPN lines.."
 if $local_vpn_service ; then
- echononl "\tPermit all traffic through VPN lines.."
 for _port in ${local_vpn_port_arr[@]} ; do
 $ipt -A INPUT -p udp --dport $_port -m state --state NEW -j ACCEPT
 done
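Review bot: The three `## ---` header lines ("All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf") are added again directly beneath the identical context lines that open the `@@ -51,7 +53,23 @@` hunk, so the file now carries the banner twice, and both copies name `ipt-firewall.conf` although `CONFIG_FILE` is set to `ipt-firewall-vserver.conf` a few lines earlier. Keep a single copy, placed above the `if [[ -f "$CONFIG_FILE" ]]` test, and let it refer to `$CONFIG_FILE` so the comment cannot drift from the path again.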
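Review bot: The `dynaddr_flag` guard in the `@@ -75,6 +93,21 @@` hunk accepts any signed integer (`^-?[0-9]+$`), but the sample config documents `ip_dynaddr` as a bitmask of 1, 2, 4 and 8, and the write to `/proc/sys/net/ipv4/ip_dynaddr` is followed by `echo_done` whether or not the kernel accepted the value. Tightening the test and tying `echo_done` to the write, `if [[ $dynaddr_flag =~ ^[0-9]+$ ]] && (( 10#$dynaddr_flag <= 15 )) && echo "$dynaddr_flag" > /proc/sys/net/ipv4/ip_dynaddr ; then`, reports a rejected value through the existing `echo_failed` branch; the separate `-n` test then becomes redundant. The block sits inside `if ! $host_is_vm ; then` (the hunk's enclosing block, which starts before it), so `kernel_support_dynaddr` is silently ignored on a VM — a line saying so in the sample config would save users a surprise.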
@@ -703,6 +735,97 @@ if $local_vpn_service ; then
 fi
 done
 echo_done
+else
+ echo_skipped
+fi
+
+
+echo
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Service to given (extern) IP-Address/Network"
+if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_service_arr=()
+
+ for _val in "${restrict_local_service_to_net_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+ $ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+ if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:FORWARD" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:FORWARD")
+ fi
+
+ else
+
+ $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:INPUT" "${_deny_service_arr[@]}" ; then
+ _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:INPUT")
+ fi
+
+ fi
+
+ done
+
+ done
+
+ for _val in "${_deny_service_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A ${_val_arr[4]} -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+echononl "\tRestrict local Address/Network to given extern Address/Network"
+if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
+
+ _deny_net_arr=()
+
+ for _val in "${restrict_local_net_to_net_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
+ $ipt -A FORWARD -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ if ! containsElement "${_dev}:${_val_arr[1]}:FORWARD" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev}:${_val_arr[1]}:FORWARD")
+ fi
+
+ else
+ $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+ if ! containsElement "${_dev}:${_val_arr[1]}:INPUT" "${_deny_net_arr[@]}" ; then
+ _deny_net_arr+=("${_dev}:${_val_arr[1]}:INPUT")
+ fi
+ fi
+
+ done
+
+ done
+
+ for _val in "${_deny_net_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ $ipt -A ${_val_arr[2]} -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
+ done
+
+ echo_done
+else
+ echo_skipped
 fi
@@ -768,7 +891,7 @@ for _ip in ${dns_server_ips[@]} ; do
 #
 $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
- if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_activate_forwarding ; then
+ if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
 $ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 $ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
 # Zonetransfer
@@ -1045,10 +1168,10 @@ fi
 # ---
-# - Mail (POP/IMAP Server)
+# - Mailservice (Submission/SMTPS/POP/IMAP Server)
 # ---
-echononl "\t\tMail (POP/IMAP Server)"
+echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
 if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
@@ -1081,6 +1204,32 @@ else
 fi
+# ---
+# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
+# ---
+
+echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
+
+if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+
+ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_client_ips_arr[@]} ; do
+ # mail ports
+ #
+ if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ else
+ $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ fi
+ done
+ fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - HTTP(S) OUT
 # ---
diff --git a/ipt-firewall-vserver.conf.sample b/ipt-firewall-vserver.conf.sample
index 1f7a5a3..fa5cb99 100644
--- a/ipt-firewall-vserver.conf.sample
+++ b/ipt-firewall-vserver.conf.sample
@@ -197,19 +197,6 @@ local_munin_service=false
 munin_remote_port="4949"
-# -------------
-# - Protocols Out
-# -------------
-
-# - Rsync Protocol
-# -
-# - Needed for some integrated provider of clamav-unofficial-sigs
-# -
-local_rsync_out=false
-rsync_out_ips=""
-rsync_ports="873"
-
-
 # -------------
 # --- Services local Network
 # -------------
@@ -238,6 +225,71 @@ vserver_ips="$guest_ips"
 broadcast_ips=""
+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+local_rsync_out=false
+rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# -
+# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# - - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local
+# - services.
+# -
+# - Example:
+# - allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
+# - allow access from 86.73.85.0/24 to https service at 83.223.86.98
+# -
+# - restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp
+# - 86.73.85.0/24:83.223.86.98:443:tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# - restrict_local_net_to_net=": [:] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# - - Traffic recieved on natted interfaces will be ommitted!
+# - - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# - 83.223.86.96/32:86.223.73.0/24"
+# -
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
 # - Remote Munin Server
 # -
 munin_remote_ip="83.223.86.99"
@@ -263,6 +315,10 @@ smtpd_ips=""
 # -
 mail_server_ips=""
+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+
 # - FTP Server
 # -
 ftp_server_ips=""
@@ -288,9 +344,11 @@ local_xymon_client=false
 # -------------
 # - TCP Ports
+# -
 tcp_out_ports=""
 # - UDP Ports
+# -
 udp_out_ports=""
@@ -348,6 +406,35 @@ create_iperf_rules=true
 # -
 kernel_activate_forwarding=false
+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# - 1: To enable:
+# - 2: To enable verbosity:
+# - 4: To enable RST-provoking:
+# - 8: To enable asymetric routing work-around [**]
+# -
+# - [*] At boot, by default no address rewriting is attempted.
+# - [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+
 # -------------
 # --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
@@ -498,6 +585,22 @@ for _dev in $unprotected_ifs ; do
 unprotected_if_arr+=("$_dev")
 done
+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+ restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+ restrict_local_net_to_net_arr+=("$_val")
+done
+
 # ---
 # - Generally block ports
 # ---
@@ -560,13 +663,22 @@ for _ip in $smtpd_ips ; do
 done
 # ---
-# - Mail POP/IMAP Server
+# - Mail Services (smtps/pop(s)/imap(s)
 # ---
 declare -a mail_server_ips_arr
 for _ip in $mail_server_ips ; do
 mail_server_ips_arr+=("$_ip")
 done
+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+ mail_client_ips_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses Mumble Server
 # ---