firewall/ipt-vserver
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add 'mail_client_ips', 'restrict_local_service_to_net', 'restrict_local_net_to_net'.

Browse Source
This commit is contained in:
Christoph
2017-07-18 15:30:23 +02:00
parent 6d2a9d8d8d
commit 8bbc845adf
4 changed files with 511 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
ipt-firewall-vserver
View File

@ -10,6 +10,8 @@
# Short-Description: IPv4 Firewall
### END INIT INFO
CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-vserver.conf
# ------------- Load Kernel Modules -------------
#
@ -51,7 +53,23 @@ echo
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
source /etc/ipt-firewall/ipt-firewall.conf
echo
echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m"
echo
## --------------------------------------------------------------------------
## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf
## --------------------------------------------------------------------------
if [[ -f "$CONFIG_FILE" ]]; then
source $CONFIG_FILE
else
echo
echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m"
echo
exit 1
fi
@ -75,6 +93,21 @@ if ! $host_is_vm ; then
echononl "\t\033[33m\033[1mDisable Forwarding..\033[m"
echo_done
fi
if $kernel_support_dynaddr ; then
echononl "\tActivate kernel support for dynamic addresses.."
if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then
echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr
echo_done
else
echo_failed
fi
else
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echononl "\t\033[33m\033[1mDisable kernel support for dynamic addresses..\033[m"
echo_done
fi
fi
@ -347,7 +380,6 @@ for _dev in ${ext_if_arr[@]} ; do
done
# ---
# - drop new packages without syn flag
# ---
@ -689,8 +721,8 @@ echo_done
# - VPN
# ---
echononl "\tPermit all traffic through VPN lines.."
if $local_vpn_service ; then
echononl "\tPermit all traffic through VPN lines.."
for _port in ${local_vpn_port_arr[@]} ; do
$ipt -A INPUT -p udp --dport $_port -m state --state NEW -j ACCEPT
done
@ -703,6 +735,97 @@ if $local_vpn_service ; then
fi
done
echo_done
else
echo_skipped
fi
echo
# -------------
# ---- Restrict local Servive to given (extern) IP-Address/Network
# -------------
echononl "\tRestrict local Service to given (extern) IP-Address/Network"
if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then
_deny_service_arr=()
for _val in "${restrict_local_service_to_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
$ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:FORWARD" "${_deny_service_arr[@]}" ; then
_deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:FORWARD")
fi
else
$ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:INPUT" "${_deny_service_arr[@]}" ; then
_deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}:INPUT")
fi
fi
done
done
for _val in "${_deny_service_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A ${_val_arr[4]} -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP
done
echo_done
else
echo_skipped
fi
# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
echononl "\tRestrict local Address/Network to given extern Address/Network"
if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then
_deny_net_arr=()
for _val in "${restrict_local_net_to_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then
$ipt -A FORWARD -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev}:${_val_arr[1]}:FORWARD" "${_deny_net_arr[@]}" ; then
_deny_net_arr+=("${_dev}:${_val_arr[1]}:FORWARD")
fi
else
$ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
if ! containsElement "${_dev}:${_val_arr[1]}:INPUT" "${_deny_net_arr[@]}" ; then
_deny_net_arr+=("${_dev}:${_val_arr[1]}:INPUT")
fi
fi
done
done
for _val in "${_deny_net_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
$ipt -A ${_val_arr[2]} -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP
done
echo_done
else
echo_skipped
fi
@ -768,7 +891,7 @@ for _ip in ${dns_server_ips[@]} ; do
#
$ipt -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_activate_forwarding ; then
if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
$ipt -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT
# Zonetransfer
@ -1045,10 +1168,10 @@ fi
# ---
# - Mail (POP/IMAP Server)
# - Mailservice (Submission/SMTPS/POP/IMAP Server)
# ---
echononl "\t\tMail (POP/IMAP Server)"
echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)"
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then
if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then
@ -1081,6 +1204,32 @@ else
fi
# ---
# - Mail Client (Submission/SMTPS/POPS/IMAPS) out only
# ---
echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only"
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then
for _ip in ${mail_client_ips_arr[@]} ; do
# mail ports
#
if containsElement "$_ip" ${lxc_ips_arr[@]} ; then
$ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
else
$ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
fi
done
fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
echo_done
else
echo_skipped
fi
# ---
# - HTTP(S) OUT
# ---