#!/usr/bin/env bash ### BEGIN INIT INFO # Provides: ip6t-firewall # Required-Start: $local_fs $remote_fs $syslog $network $time # Required-Stop: $local_fs $remote_fs $syslog $network # Should-Start: # Should-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: IPv6 Firewall ### END INIT INFO CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-vserver.conf if [[ -z "$fail2ban_client" ]]; then fail2ban_client="$(which fail2ban-client)" fi # ------------- Load Kernel Modules ------------- # # Load appropriate modules. if ! $host_is_vm ; then /sbin/modprobe ip6_tables /sbin/modprobe ip6table_filter /sbin/modprobe ip6t_REJECT fi # # ------------- End: Load Kernel Modules ------------- echo echo -e "\033[37m\033[1m\tStarting firewall iptables (IPv6)..\033[m" echo ## -------------------------------------------------------------------------- ## --- All Configurations will be done in /etc/ipt-firewall/ipt-firewall.conf ## -------------------------------------------------------------------------- if [[ -f "$CONFIG_FILE" ]]; then source $CONFIG_FILE else echo echo -e "\033[31m\033[1m\tNo Configuration File found..\033[m \033[37m\033[1mExiting now!\033[m" echo exit 1 fi # ------------- # --- Activate IP Forwarding # ------------- if ! $host_is_vm ; then # --- # - Disable ip forwarding between interfaces # --- if $kernel_forward_between_interfaces ; then echononl "\tActivate Forwarding.." echo 1 > /proc/sys/net/ipv6/conf/all/forwarding else echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" echo 0 > /proc/sys/net/ipv6/conf/all/forwarding fi echo_done fi # ------------- # --- Adjust Kernel Parameters (Security/Tuning) # ------------- echononl "\tAdjust Kernel Parameters (Security/Tuning).." if ! $host_is_vm ; then # --- # - Deactivate Source Routed Packets # --- for asr in /proc/sys/net/ipv6/conf/*/accept_source_route; do if $kernel_deactivate_source_route ; then echo 0 > $asr fi done # --- # - Deactivate sending ICMP redirects # --- if $kernel_dont_accept_redirects ; then echo "0" > /proc/sys/net/ipv6/conf/all/accept_redirects fi echo_done # Adjust Kernel Parameters (Security/Tuning) else echo_skipped fi # if ! $host_is_vm # ------------- Stop Fail2Ban if installed ------------- # if [ -x "$fail2ban_client" ]; then echononl "\tStopping fail2ban.." $fail2ban_client stop > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else echo_warning fi fi # # ------------- Ende: Stop Fail2Ban if installed ------------- # ------------- # --- Set default policies / Flush Rules # ------------- echo echononl "\tFlushing firewall iptable (IPv6).." # - default policies # - $ip6t -P INPUT ACCEPT $ip6t -P OUTPUT ACCEPT $ip6t -P FORWARD ACCEPT ## - flush chains ## - $ip6t -F $ip6t -F INPUT $ip6t -F OUTPUT $ip6t -F FORWARD $ip6t -F -t mangle $ip6t -F -t nat $ip6t -F -t raw $ip6t -X $ip6t -Z echo_done # Flushing firewall iptable (IPv6).. echo # ------------- # ------------ Stopping firewall if only flushing was requested (parameter flush) # ------------- case $1 in flush) exit 0;; esac # ------------- # --- Pass through Devices Interfaces (not firewalled) # ------------- if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then echononl "\tPass through Devices (not firewalled)" for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then $ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level $ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level fi $ip6t -A INPUT -i $_dev -j ACCEPT $ip6t -A OUTPUT -o $_dev -j ACCEPT $ip6t -A FORWARD -i $_dev -j ACCEPT $ip6t -A FORWARD -o $_dev -j ACCEPT done echo_done fi # ------------- # --- Block IPs / Networks / Interfaces # ------------- echononl "\tBlock IPs / Networks / Interfaces.." # --- # - Block IPs # --- for _ip in $blocked_ips ; do for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level fi fi $ip6t -A INPUT -i $_dev -s $_ip -j DROP if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $_ip -j DROP fi done done # --- # - Block Interfaces # --- for _if in ${blocked_if_arr[@]} ; do if $log_blocked_if || $log_all ; then if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level fi $ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level $ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level fi if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_if -j DROP $ip6t -A FORWARD -o $_if -j DROP fi $ip6t -A INPUT -i $_if -j DROP $ip6t -A OUTPUT -o $_if -j DROP done echo_done # Block IPs / Networks / Interfaces.. # --- # - Allow Forwarding certain private Addresses # --- if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then echononl "\tAllow forwarding (private) IPs / IP-Ranges.." for _ip in ${forward_private_ip_arr[@]}; do if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -d $_ip -j ACCEPT $ip6t -A FORWARD -s $_ip -j ACCEPT echo_done else echo_skipped fi done fi # ------------- # --- Protections against several attacks / unwanted packages # ------------- echo echononl "\tProtections against several attacks / unwanted packages.." # --- # - Protection against syn-flooding # --- $ip6t -N syn-flood $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN if $log_syn_flood || $log_all ; then $ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level fi $ip6t -A syn-flood -j DROP # --- # - Drop new packages without syn flag # --- if $log_new_not_sync || $log_all ; then $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level fi fi $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP fi # --- # - Drop invalid packages # --- if $log_invalid_state || $log_all ; then $ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level fi fi $ip6t -A INPUT -m state --state INVALID -j DROP if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -m state --state INVALID -j DROP fi # --- # - ungewöhnliche Flags verwerfen # --- for _dev in ${ext_if_arr[@]} ; do if $log_invalid_flags || $log_all ; then $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level fi fi $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP fi done # --- # - Refuse private addresses on extern interfaces # --- # - Refuse spoofed packets pretending to be from your IP address. for _dev in ${ext_if_arr[@]} ; do if $log_spoofed || $log_all ; then for _ip in ${host_ips_arr[@]} ; do $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level done for _ip in ${guest_ips_arr[@]} ; do $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level fi done fi for _ip in ${host_ips_arr[@]} ; do $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP done for _ip in ${guest_ips_arr[@]} ; do $ip6t -A INPUT -i $_dev -s $_ip -d $_ip -j DROP if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $_ip -d $_ip -j DROP fi done done # - private Adressen auf externen interface verwerfen for _dev in ${ext_if_arr[@]} ; do if $log_spoofed || $log_all ; then $ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level $ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level $ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level fi fi $ip6t -A INPUT -i $_dev -s $ula_block -j DROP $ip6t -A INPUT -i $_dev -s $loopback -j DROP if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP $ip6t -A FORWARD -i $_dev -s $loopback -j DROP fi # Don't allow spoofing from that server $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP $ip6t -A OUTPUT -o $_dev -s $loopback -j DROP if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP $ip6t -A FORWARD -o $_dev -s $loopback -j DROP fi done echo_done # ------------- # ------------- Stopping firewall here if requested (parameter stop) # ------------- case $1 in sto*) #echononl "Stopping firewall iptable (IPv6).." echo echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m" echo exit 0;; esac echo # ------------- # --- Traffic Counter (used by munin) # ------------- echononl "\tCreate Traffic Counter (used by munin)" if $create_traffic_counter ; then for _ip in ${lxc_ips_arr[@]} ; do $ip6t -A FORWARD -d $_ip $ip6t -A FORWARD -s $_ip done for _ip in ${vserver_ips_arr[@]} ; do $ip6t -A INPUT -d $_ip $ip6t -A INPUT -s $_ip done echo_done else echo_skipped fi # ------------- # --- iPerf # ------------- # iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. # It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, # SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. echononl "\tCreate \"iPerf\" rules.." if $create_iperf_rules ; then $ip6t -A INPUT -p tcp --dport 5001 -j ACCEPT $ip6t -A INPUT -p tcp --sport 5001 -j ACCEPT # $ip6t -A OUTPUT -p tcp --dport 5001 -j ACCEPT $ip6t -A OUTPUT -p tcp --sport 5001 -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -p tcp --dport 5001 -j ACCEPT $ip6t -A FORWARD -p tcp --sport 5001 -j ACCEPT fi echo_done else echo_skipped fi # ------------- # --- Generally prohibited # ------------- echononl "\tGenerally prohibited traffic.." for _dev in ${ext_if_arr[@]} ; do if $log_prohibited || $log_all ; then for _port in ${block_tcp_port_arr[@]} ; do $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level done for _port in ${block_udp_port_arr[@]} ; do $ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level done if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then for _port in ${block_tcp_port_arr[@]} ; do $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level done for _port in ${block_udp_port_arr[@]} ; do $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level done fi fi for _port in ${block_tcp_port_arr[@]} ; do $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j DROP done for _port in ${block_udp_port_arr[@]} ; do $ip6t -A INPUT -p udp -i $_dev --dport $_port -j DROP done if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then for _port in ${block_tcp_port_arr[@]} ; do $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j DROP done for _port in ${block_udp_port_arr[@]} ; do $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j DROP done fi done echo_done echo # ------------- # --- Traffic generally allowed # ------------- echononl "\tLoopback device generally allowed.." # --- # - Loopback device # --- $ip6t -A INPUT -i lo -j ACCEPT $ip6t -A OUTPUT -o lo -j ACCEPT echo_done # --- # - Already established connections # --- echononl "\tAccept already established connections.." $ip6t -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT $ip6t -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT fi echo_done # --- # - VPN # --- echononl "\tPermit all traffic through VPN lines.." if $local_vpn_service ; then echononl "\tPermit all traffic through VPN lines.." for _port in ${local_vpn_port_arr[@]} ; do $ip6t -A INPUT -p udp --dport $_port -m state --state NEW -j ACCEPT done for _vpn_if in ${vpn_if_arr[@]} ; do $ip6t -A INPUT -i $_vpn_if -j ACCEPT $ip6t -A OUTPUT -o $_vpn_if -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_vpn_if -j ACCEPT $ip6t -A FORWARD -o $_vpn_if -j ACCEPT fi done echo_done else echo_skipped fi echo # ------------- # ---- Restrict local Servive to given (extern) IP-Address/Network # ------------- echononl "\tRestrict local Servive to given (extern) IP-Address/Network" if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then _deny_service_arr=() for _val in "${restrict_local_service_to_net_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then $ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD" "${_deny_service_arr[@]}" ; then _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},FORWARD") fi else $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT if ! containsElement "${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT" "${_deny_service_arr[@]}" ; then _deny_service_arr+=("${_dev},${_val_arr[1]},${_val_arr[2]},${_val_arr[3]},INPUT") fi fi done done for _val in "${_deny_service_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" $ip6t -A ${_val_arr[4]} -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP done echo_done else echo_skipped fi # ------------- # ---- Restrict local Network to given extern IP-Address/Network # ------------- echononl "\tRestrict local Address/Network to given extern Address/Network" if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then _deny_net_arr=() for _val in "${restrict_local_net_to_net_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do if containsElement "${_val_arr[1]}" ${lxc_ips_arr[@]} ; then $ip6t -A FORWARD -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT if ! containsElement "${_dev},${_val_arr[1]},FORWARD" "${_deny_net_arr[@]}" ; then _deny_net_arr+=("${_dev},${_val_arr[1]},FORWARD") fi else $ip6t -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT if ! containsElement "${_dev},${_val_arr[1]},INPUT" "${_deny_net_arr[@]}" ; then _deny_net_arr+=("${_dev},${_val_arr[1]},INPUT") fi fi done done for _val in "${_deny_net_arr[@]}" ; do IFS=',' read -a _val_arr <<< "${_val}" $ip6t -A ${_val_arr[2]} -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP done echo_done else echo_skipped fi # ------------- # --- Services # ------------- echo echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" # --- # - DHCP # --- echononl "\t\tDHCP" if $local_dhcp_service ; then # - Allow requests from intern networks for _dev in ${local_if_arr[@]} ; do # - in $ip6t -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # - out $ip6t -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT done echo_done else echo_skipped fi # --- # - DNS # --- echononl "\t\tDNS" # - Nameservers on the INET must be reachable for the local recursiv nameserver # - but also for all others # - for _dev in ${ext_if_arr[@]} ; do # - out from local and virtual mashine(s) $ip6t -A OUTPUT -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true) if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then # - forward from virtual mashine(s) $ip6t -A FORWARD -o $_dev -p udp --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp --dport 53 -m state --state NEW -j ACCEPT fi done # - Make nameservers rechable for all # - for _ip in ${dns_server_ips[@]} ; do # dns requests # # Note: # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # $ip6t -A OUTPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT if containsElement "$_ip" ${lxc_ips_arr[@]} || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT # Zonetransfer $ip6t -A FORWARD -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT fi if containsElement "$_ip" ${vserver_ips_arr[@]} ; then $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT # Zonetransfer $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT fi done if $local_dns_service ; then for _ip in ${host_ips_arr[@]} ; do $ip6t -A INPUT -p udp -d $_ip --dport 53 -m state --state NEW -j ACCEPT $ip6t -A INPUT -p tcp -d $_ip --dport 53 -m state --state NEW -j ACCEPT # Zonetransfer $ip6t -A OUTPUT -p tcp -s $_ip --dport 53 -m state --state NEW -j ACCEPT done fi echo_done # --- # - SSH out only # --- echononl "\t\tSSH out only" # ausgehende Anfragen for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT fi done for _dev in ${local_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 22 -m state --state NEW -j ACCEPT done echo_done # --- # - SSH Service # --- echononl "\t\tSSH Service" if $local_ssh_service ; then for _port in ${ssh_port_arr[@]} ; do $ip6t -A INPUT -p tcp --dport $_port -m state --state NEW -j ACCEPT done fi for _ip in ${ssh_server_ip_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do if containsElement "$_ip" ${lxc_ips_arr[@]} ; then $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT else $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT fi done done echo_done # --- # - Rsync Out # --- echononl "\t\tRsync (only OUT)" if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || $local_rsync_out ; then for _port in ${rsync_port_arr[@]} ; do if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then for _ip in ${rsync_out_ip_arr[@]} ; do $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT done fi if $local_rsync_out ; then for _ip in ${host_ips_arr[@]} ; do $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT done fi done echo_done else echo_skipped fi # --- # - Telnet # --- echononl "\t\tTelnet (only OUT)" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp --dport 23 -m state --state NEW -j ACCEPT fi done echo_done # --- # - MySQL # --- echononl "\t\tMySQL (only OUT)" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp --dport 3306 -m state --state NEW -j ACCEPT fi done echo_done # --- # - Munin # --- echononl "\t\tMunin remote service" if [ "X$munin_remote_ip" != "X" ]; then for _dev in ${ext_if_arr[@]} ; do $ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_activate_forwarding ; then $ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Munin local service # --- echononl "\t\tMunin local service" if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || $local_munin_service ; then if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${munin_server_ip_arr[@]} ; do if containsElement "$_ip" ${lxc_ips_arr[@]} ; then $ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT elif containsElement "$_ip" ${vserver_ips_arr[@]} ; then $ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT fi done fi if $local_munin_service ; then for _ip in ${host_ips_arr[@]} ; do $ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Mail (SMTP OUT) # --- echononl "\t\tMail (SMTP OUT)" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp --dport 25 -m state --state NEW -j ACCEPT fi done echo_done # --- # - Mail (SMTP Server) # --- echononl "\t\tMail (SMTP Server including Spam Control)" if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || $local_smtp_service ; then if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] ; then for _ip in ${smtpd_ips_arr[@]} ; do if containsElement "$_ip" ${lxc_ips_arr[@]} ; then if [ -n "$guest_if" ]; then $ip6t -A FORWARD -i $guest_if -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ip6t -A FORWARD -o $guest_if -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT # DEPRECATED: TCP Port 7 (echo) $ip6t -A FORWARD -o $guest_if -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT # # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) $ip6t -A FORWARD -o $guest_if -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $guest_if -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT # # DCC (port udp:6277) $ip6t -A FORWARD -o $guest_if -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ip6t -A FORWARD -i $guest_if -p tcp -d $_ip --dport 6277 -j ACCEPT $ip6t -A FORWARD -o $guest_if -p tcp -s $_ip --dport 6277 -j ACCEPT fi else $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT # DEPRECATED: TCP Port 7 (echo) $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT # # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) $ip6t -A OUTPUT -o $host_if -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT # # - DCC (port udp:6277) $ip6t -A OUTPUT -o $host_if -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport 6277 -j ACCEPT $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 6277 -j ACCEPT fi done fi if $local_smtp_service ; then for _ip in ${host_ips_arr[@]} ; do $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport 25 -m state --state NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT # DEPRECATED: TCP Port 7 (echo) $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT # # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) $ip6t -A OUTPUT -o $host_if -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT # # - DCC (port udp:6277) $ip6t -A OUTPUT -o $host_if -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport 6277 -j ACCEPT $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --dport 6277 -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Mailservice (Submission/SMTPS/POP/IMAP Server) # --- echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)" if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || $local_mail_service ; then if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_server_ips_arr[@]} ; do if containsElement "$_ip" ${lxc_ips_arr[@]} ; then if [ -n "$guest_if" ]; then # mail ports # $ip6t -A FORWARD -i $guest_if -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT fi else # mail ports # $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT fi done fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] if $local_mail_service ; then for _ip in ${host_ips_arr[@]} ; do # mail ports # $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT done fi # if $local_mail_service echo_done else echo_skipped fi # --- # - Mail Client (Submission/SMTPS/POPS/IMAPS) out only # --- echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only" if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_client_ips_arr[@]} ; do # mail ports # if containsElement "$_ip" ${lxc_ips_arr[@]} ; then $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT else $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT fi done fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] echo_done else echo_skipped fi # --- # - HTTP(S) OUT # --- echononl "\t\tHTTP(S) out only" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $http_ports -m state --state NEW -j ACCEPT fi done echo_done # --- # - HTTP(S) (local) Webserver # --- echononl "\t\tHTTP(S) (local) Webserver" if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || $local_http_service ; then if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${http_server_ip_arr[@]} ; do if containsElement "$_ip" ${lxc_ips_arr[@]} ; then if [ -n "$guest_if" ]; then $ip6t -A FORWARD -i $guest_if -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT fi else $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT fi done fi if $local_http_service ; then for _ip in ${host_ips_arr[@]} ; do $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - FTP out only" # --- echononl "\t\tFTP out only" for _dev in ${ext_if_arr[@]} ; do # (Datenkanal aktiv) $ip6t -A INPUT -i $_dev -p tcp --sport 20 -m state --state NEW -j ACCEPT # (Datenkanal passiv) $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # (Kontrollverbindung) $ip6t -A OUTPUT -o $_dev -p tcp --dport 21 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then # (Datenkanal aktiv) $ip6t -A FORWARD -i $_dev -p tcp -d $_ip --sport 20 -m state --state NEW -j ACCEPT # (Datenkanal passiv) $ip6t -A FORWARD -o $_dev -p tcp -s $_ip --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT # (Kontrollverbindung) $ip6t -A FORWARD -o $_dev -p tcp -s $_ip --dport 21 -m state --state NEW -j ACCEPT fi done echo_done # --- # - FTP Server" # --- echononl "\t\tFTP Server" if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || $local_ftp_service ; then if [[ ${#ftp_server_ip_arr[@]} > 0 ]] ; then for _ip in ${ftp_server_ip_arr[@]} ; do if containsElement "$_ip" ${lxc_ips_arr[@]} ; then if [ -n "$guest_if" ]; then # (Datenkanal aktiv) $ip6t -A FORWARD -o $guest_if -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT # Datenkanal (passiver modus) $ip6t -A FORWARD -i $guest_if -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT # - Kontrollverbindung $ip6t -A FORWARD -i $guest_if -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT fi else # (Datenkanal aktiv) $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT # Datenkanal (passiver modus) $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT # - Kontrollverbindung $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT fi done fi if $local_ftp_service ; then for _ip in ${host_ips_arr[@]} ; do # (Datenkanal aktiv) $ip6t -A OUTPUT -o $host_if -p tcp -s $_ip --sport 20 -m state --state NEW -j ACCEPT # Datenkanal (passiver modus) $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT # - Kontrollverbindung $ip6t -A INPUT -i $host_if -p tcp -d $_ip --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Mumble Service # --- echononl "\t\tMumble Service" if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || $local_mumble_service ; then if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${mumble_server_ip_arr[@]} ; do if containsElement "$_ip" ${lxc_ips_arr[@]} ; then if [ -n "$guest_if" ]; then $ip6t -A FORWARD -i $guest_if -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT $ip6t -A FORWARD -i $guest_if -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT fi else $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $host_if -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT fi done fi if $local_mumble_service ; then for _ip in ${host_ips_arr[@]} ; do $ip6t -A INPUT -i $host_if -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT $ip6t -A INPUT -i $host_if -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Timeserver (Port 37 NOT NTP!)" # --- echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp --dport 37 -m state --state NEW -j ACCEPT fi done echo_done # --- # - NTP out only" # --- echononl "\t\tNTP out only" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp --dport 123 -m state --state NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p udp --dport 123 -m state --state NEW -j ACCEPT fi done echo_done # --- # - Whois out only" # --- echononl "\t\tWhois out only" for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p tcp --dport 43 -m state --state NEW -j ACCEPT fi done echo_done echo # --- # - Special TCP Ports OUT # --- echononl "\t\tSpecial TCP Ports OUT" if [[ ${#tcp_out_port_arr[@]} -gt 0 ]]; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} -gt 0 ]] || $kernel_activate_forwarding ; then $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Special UDP Ports OUT # --- echononl "\t\tSpecial UDP Ports OUT" if [[ ${#udp_out_port_arr[@]} -gt 0 ]]; then for _dev in ${ext_if_arr[@]} ; do for _port in ${udp_out_port_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT if [[ ${#lxc_ips_arr[@]} -gt 0 ]] || $kernel_activate_forwarding ; then $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT fi done done echo_done else echo_skipped fi echo # --- # - UNIX Traceroute # --- echononl "\t\tUNIX Traceroute" # versendet udp packete im gegensatz zu tracert von windows # der icmp-echo-request pakete versendet # einige implementierungen von traceroute (linux) erm�lichens # die option -I und versenden dann ebenfalls icmp-echo-request pakete for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT $ip6t -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT $ip6t -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT fi done echo_done # --- # - Ping # --- echononl "\t\tPing" for _dev in ${ext_if_arr[@]} ; do $ip6t -A INPUT -i $_dev -p ipv6-icmp -j ACCEPT $ip6t -A OUTPUT -o $_dev -p ipv6-icmp -j ACCEPT done if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -p ipv6-icmp -j ACCEPT $ip6t -A FORWARD -o $_dev -p ipv6-icmp -j ACCEPT fi if [ -n "$local_if" ]; then $ip6t -A INPUT -i $local_if -p ipv6-icmp -j ACCEPT $ip6t -A OUTPUT -o $local_if -p ipv6-icmp -j ACCEPT fi echo_done # --- # - log all rejected traffic # --- echo echononl "\tLogging all rejected traffic" if $log_rejected || $log_all ; then #$ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level debug #$ip6t -A INPUT -j LOG --log-prefix "$log_prefix Rejected: " --log-level debug $ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level $ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level if [[ ${#lxc_ips_arr[@]} > 0 ]] || $kernel_forward_between_interfaces ; then #$ip6t -A FORWARD -j LOG --log-prefix "$log_prefix Rejected: " --log-level debug $ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix Rejected: " --log-level $log_level fi echo_done else echo_skipped fi # --- # - Drop all other # --- echo echononl "\tDrop all other on all interfaces" $ip6t -A INPUT -j DROP $ip6t -A OUTPUT -j DROP $ip6t -A FORWARD -j DROP echo_done # ------------- # ------------- Start Fail2Ban if installed # ------------- if [ -x "$fail2ban_client" ]; then echo echononl "\tStarting fail2ban.." $fail2ban_client start > /dev/null 2>&1 if [ "$?" = "0" ];then echo_done else echo_failed fi fi echo exit 0