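#!/usr/bin/env bash
## - Configuration file for firewall script IPv6
## -   ipt-firewall-gateway
## -   ipt-firewall-flush
## -
## - Meant to be read (sourced) by the scripts above: it only sets
## - variables, builds helper arrays from them and defines a few
## - output helpers. The original header said "IPv4"; everything
## - below (ip6tables, log_prefix "IPv6:", ULA block, ::1) is IPv6.
#######################################################################
# -------------------------- Configuration -------------------------- #

# -------------
# --- Define programs
# -------------

ip6t="/sbin/ip6tables"

# - Path of fail2ban-client, empty when fail2ban is not installed.
# - 'command -v' replaces 'which' (an external program that is not
# - always present); '|| true' keeps a caller running under 'set -e'
# - from aborting only because fail2ban is absent - check for an empty
# - value before using it.
l2ban_client="$(command -v fail2ban-client || true)"

# -------------
# --- Logging
# -------------
# - One switch per class of packets; 'true' logs that class.
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=true
log_ssh=false

# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug

# - Prefix for the log messages
# -
log_prefix="IPv6:"

# -------------
# --- Network Interfaces
# -------------

# External interface
#
# Notice:
#   Depending on your virtualization software, the host's network
#   interface may differ from the guests' one.
#
#   In case of using LXC and a typical network setup with linux bridge br0:
#     guest_if="br0"
#     host_if="br0"
#     blocked_ifs="eth0"
#
#   NOTE: if using LX-Container with macvlan bridge, you CANNOT firewall
#         guests here !!
#     guest_if=""
#     host_if="macvlan0"
#     blocked_ifs="eth0"
#
#   In case of using Linux-VServer both interfaces are the same:
#     guest_if="eth0"
#     host_if="eth0"
#     blocked_ifs=""
#
guest_if=""
host_if=""

## - Is this a virtual system?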
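host_is_vm=false

# - Extern Interfaces Static Lines
# - (comma separated list)
#ext_if_static="eth0"

# - VPN Interfaces
# -
# - NOTE(review): the array builder at the end of this file splits this
# - value on whitespace ('for _dev in $vpn_ifs'), so separate several
# - interfaces with blanks - a comma separated value ends up as a
# - single entry.
vpn_ifs=""

# - Local Interfaces
local_if_1=""
local_if_2=""
local_if_3=""
local_ifs="$local_if_1 $local_if_2 $local_if_3"

# -------------
# --- Interfaces completely blocked
# -------------
# - Interfaces to block (note: they will all be blocked)
# -
# - Example: eth1 is used for the DSL line, which becomes an extra
# -   interface (maybe ppp0). A further use of eth1 (which would
# -   be possible) is not configured at this time, so you can block it.
# -     blocked_ifs="eth1"
# -
blocked_ifs=""

# -------------
# --- Interfaces not firewalled
# -------------
# - Note:
# -   Can be (for example) an interface whose (complete) traffic is
# -   protected by a firewall on another system in the local area.
# -   Traffic on such an interface is not filtered by this ruleset, so
# -   list an interface here only if that other firewall really covers it.
# -
unprotected_ifs=""

# -------------
# ---- Allow Forwarding (private) IPs / IP-Ranges
# -------------
# - Maybe useful in case of virtual hosts with private addresses or
# - if using a VPN network to forward into private areas.
# -
# - Note: these rules take effect before the rules that protect against
# -   unwanted packets, e.g. blocking private addresses on external
# -   interfaces - every network listed here is therefore exempt from
# -   that check. Keep the list as narrow as possible.
# -
# - Note: you can specify networks using CIDR notation
# -   like "192.168.2.0/24" (for this IPv6 ruleset an IPv6 prefix in
# -   the same notation).
# -
forward_private_ips=""

# -------------
# --- Services local Machine
# -------------

# - Is this a DHCP Server ?
local_dhcp_service=false

# - Is this a DNS Server ?
local_dns_service=false

# - Is this a Web Server ?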
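local_http_service=false
http_ports="80,443"

# - Is this a SMTP Server
local_smtp_service=false

# - Is this a Mailserver (POP/IMAP)
local_mail_service=false
mail_user_ports="587,465,110,995,143,993"

# - SSH Service
local_ssh_service=true
# - comma separated list
# - NOTE(review): the array builder at the end of this file splits this
# - value on whitespace ('for _port in $ssh_ports'), so a comma separated
# - value becomes one array entry - confirm in the main script whether
# - that is what it expects (e.g. for a multiport match).
ssh_ports="22"

# - VPN Service
local_vpn_service=false
local_vpn_ports="1194 1195"

# - FTP Server
# -
local_ftp_service=false

# - Mumble Server
# -
local_mumble_service=false
mumble_ports="64738"

# - Is this a TFTP Server (Port udp 69)
# -
# - NOT YET IMPLEMENTED
# -
local_tftp_service=false

# - XyMon Service (usually TCP port 1984)
# -
# - NOT YET IMPLEMENTED
# -
local_xymon_service=false
xymon_port=1984

# - Munin Server (usually TCP port 4949)
# -
local_munin_service=false
munin_remote_port="4949"

# -------------
# --- Services local Network
# -------------

# - host root ip
# -
# - NOTE(review): "/128" alone is only a prefix length; put the host's
# - own address in front of it ("<HOST-IPV6-ADDRESS>/128"), a bare
# - "/128" is not a usable address argument.
host_ips="/128"

# - guests ip's
# NOT IN USE
guest_1_ips=""
# NOT IN USE
guest_2_ips=""
# NOT IN USE
guest_3_ips=""
# NOT IN USE
guest_4_ips=""
# NOT IN USE
guest_5_ips=""
# NOT IN USE
guest_6_ips=""
guest_ips="$guest_1_ips $guest_2_ips $guest_3_ips $guest_4_ips $guest_5_ips $guest_6_ips"

lxc_ips="$guest_ips"
vserver_ips=""

# -------------
# - Protocols Out
# -------------

# - Rsync Protocol
# -
# - Needed for some integrated providers of clamav-unofficial-sigs
# -
local_rsync_out=false
rsync_out_ips=""
rsync_ports="873"

# -------------
# ---- Restrict local Service to given (extern) IP-Address/Network
# -------------
# - restrict_local_service_to_net
# -
# - restrict_local_service_to_net="ext-net,local-address,port,protocol"
# -
# - Note:
# - =====
# -   - Only 'tcp' and 'udp' are allowed values for protocol.
# -   - Traffic received on NATted interfaces will be omitted!
# -
# - Use this parameter to (only) give some external networks access to
# - special local services.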
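# -
# - Example:
# -   allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
# -   allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
# -
# -   restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
# -                                  2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
# -
# - Blank separated list
# -
restrict_local_service_to_net=""

# -------------
# ---- Restrict local Network to given extern IP-Address/Network
# -------------
# - restrict_local_net_to_net
# -
# - restrict_local_net_to_net="<from-net>,<to-net> [<from-net>,<to-net>] [..]"
# -   (the placeholders were lost in the original comment; the example
# -   below shows the real syntax)
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# -   - Traffic received on NATted interfaces will be omitted!
# -   - If you want to allow both directions, you have to make two
# -     entries - one for every direction.
# -
# - Example:
# -   restrict_local_net_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
# -                              2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
# -   (the original example used the name allow_ext_net_to_local_net,
# -   which is not the variable set below)
# -
# - Blank separated list
# -
restrict_local_net_to_net=""

# - Remote Munin Server
# -
munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
munin_local_port="4949"

# - DNS Server
dns_server_ips=""

# - SSH Server
# -
ssh_server_ips=""

# - HTTP(S) Server
# -
http_server_ips=""

# - Mail SMTP Server
# -
smtpd_ips=""

# - Mail Services (smtps/pop(s)/imap(s))
# -
mail_server_ips=""

# - Mail Client (smtps/pop(s)/imap(s))
# -
mail_client_ips=""

# - FTP Server
# -
ftp_server_ips=""

# - Mumble Server
# -
mumble_server_ips=""

# - TFTP Server
tftp_server_ips=""

# - Munin Server
# -
munin_server_ips=""

# - XyMon Server
xymon_server_ips=""
local_xymon_client=false

# -------------
# --- Allow special Ports (OUT)
# -------------

# - TCP Ports
# -
tcp_out_ports=""

# - UDP Ports
# -
udp_out_ports=""

# -------------
# --- Block IP's / IP-Ranges
# -------------
blocked_ips=""

# -------------
# --- Block Ports
# -------------
# -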
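# - Generally (for all interfaces) block these ports
# -
# - Portmapper
# -     tcp 111
# -     udp 111
# -
# - Authentication tap ident
# -     tcp 113
# -
# - Location Service
# -     tcp 135
# -
# - Windows Stuff
# -     tcp 137:139
# -     udp 137:139
# -     tcp 445
# -
# - Blank separated; "a:b" is a port range.
block_tcp_ports="111 113 135 137:139 445"
block_udp_ports="111 137:139"

# -------------
# - Some special stuff
# -------------
create_traffic_counter=true
create_iperf_rules=true

# -------------
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# -------------

# - Disable ip forwarding between interfaces
# -
kernel_forward_between_interfaces=false

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - Deactivate sending ICMP redirects
# -
# - ICMP redirects are used by routers to specify better routing paths out of
# - one network, based on the host choice, so basically it affects the way
# - packets are routed and destinations.
# -
# - NOTE(review): the variable name says "accept" while the comment says
# - "sending" - confirm in the main script which sysctl it controls.
kernel_dont_accept_redirects=true

# -------------
# --- Some further Ports/IP-Address Configuration
# -------------

# - Unprivileged ports
# -
unprivports="1024:65535"

# - Unique local address (ULA) - private address block
ula_block="fc00::/7"

# - Loopback
loopback="::1/128"

# ----------------------- End: Configuration ----------------------- #
######################################################################

## ====================================
## - Don't make changes after this Line
## ====================================

# -----------
# --- Define Arrays
# -----------
# - Every blank separated list from the configuration above is turned
# - into an indexed array (<name>_arr). The expansions in the loops are
# - deliberately unquoted: word splitting on $IFS is what separates the
# - entries (newlines inside a value, as in the multi-line examples above,
# - count as separators too). Because an unquoted expansion is also
# - glob-expanded, the values must not contain shell glob characters.

# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container))
# ---
declare -a host_ips_arr
for _ip in $host_ips; do host_ips_arr+=("$_ip"); done

declare -a guest_ips_arr
for _ip in $guest_ips; do guest_ips_arr+=("$_ip"); done

declare -a lxc_ips_arr
for _ip in $lxc_ips; do lxc_ips_arr+=("$_ip"); done

declare -a vserver_ips_arr
for _ip in $vserver_ips; do vserver_ips_arr+=("$_ip"); done

# ---
# - Extern Interfaces
# ---
# - host_if first; guest_if is added only when it differs. The quoted
# - right-hand side makes this a literal string comparison rather than
# - a pattern match.
declare -a ext_if_arr
ext_if_arr+=("$host_if")
if [[ "$host_if" != "$guest_if" ]]; then
  ext_if_arr+=("$guest_if")
fi

# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs; do vpn_if_arr+=("$_dev"); done

# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs; do local_if_arr+=("$_dev"); done

# ---
# - Network Interfaces completely blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs; do blocked_if_arr+=("$_dev"); done

# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs; do unprotected_if_arr+=("$_dev"); done

# ---
# - Restrict local Service to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net; do restrict_local_service_to_net_arr+=("$_val"); done

# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr
for _val in $restrict_local_net_to_net; do restrict_local_net_to_net_arr+=("$_val"); done

# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports; do block_tcp_port_arr+=("$_port"); done

declare -a block_udp_port_arr
for _port in $block_udp_ports; do block_udp_port_arr+=("$_port"); done

# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips; do forward_private_ip_arr+=("$_ip"); done

# ---
# - IP Addresses DNS Server
# ---
declare -a dns_server_ip_arr
for _ip in $dns_server_ips; do dns_server_ip_arr+=("$_ip"); done

# ---
# - IP Addresses SSH Server
# ---
declare -a ssh_server_ip_arr
for _ip in $ssh_server_ips; do ssh_server_ip_arr+=("$_ip"); done

# ---
# - IP Addresses HTTP Server
# ---
declare -a http_server_ip_arr
for _ip in $http_server_ips; do http_server_ip_arr+=("$_ip"); done

# ---
# - IP Addresses FTP Server
# ---
declare -a ftp_server_ip_arr
for _ip in $ftp_server_ips; do ftp_server_ip_arr+=("$_ip"); done

# ---
# - Mail SMTP Server
# ---
declare -a smtpd_ips_arr
for _ip in $smtpd_ips; do smtpd_ips_arr+=("$_ip"); done

# ---
# - Mail Services (smtps/pop(s)/imap(s))
# ---
declare -a mail_server_ips_arr
for _ip in $mail_server_ips; do mail_server_ips_arr+=("$_ip"); done

# ---
# - Mail client (smtps/pop(s)/imap(s))
# ---
declare -a mail_client_ips_arr
for _ip in $mail_client_ips; do mail_client_ips_arr+=("$_ip"); done

# ---
# - IP Addresses Mumble Server
# ---
declare -a mumble_server_ip_arr
for _ip in $mumble_server_ips; do mumble_server_ip_arr+=("$_ip"); done

# ---
# - IP Addresses Telephone Systems
# ---
# - NOTE(review): tel_sys_ips is not set anywhere in the configuration
# - section of this file; the ':-' keeps the loop from failing under
# - 'set -u' when it is absent (the array is then simply empty).
declare -a tel_sys_ip_arr
for _ip in ${tel_sys_ips:-}; do tel_sys_ip_arr+=("$_ip"); done

# ---
# - IP Addresses Munin
# ---
declare -a munin_server_ip_arr
for _ip in $munin_server_ips; do munin_server_ip_arr+=("$_ip"); done

# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips; do xymon_server_ip_arr+=("$_ip"); done

# ---
# - IP Addresses Rsync Out
# ---
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips; do rsync_out_ip_arr+=("$_ip"); done

# ---
# - local SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports; do ssh_port_arr+=("$_port"); done

# ---
# - local VPN Ports
# ---
# - NOTE(review): the original declared 'udp_local_vpn_port_arr' but
# - filled 'local_vpn_port_arr'. Both names are kept exactly as they
# - were (the first stays empty) so whichever one the main script reads
# - behaves as before; reconcile the name there before dropping one.
declare -a udp_local_vpn_port_arr
declare -a local_vpn_port_arr
for _port in $local_vpn_ports; do local_vpn_port_arr+=("$_port"); done

# ---
# - Rsync Out
# ---
declare -a rsync_port_arr
for _port in $rsync_ports; do rsync_port_arr+=("$_port"); done

# ---
# - Special TCP Ports OUT
# ---
declare -a tcp_out_port_arr
for _port in $tcp_out_ports; do tcp_out_port_arr+=("$_port"); done

# ---
# - Special UDP Ports OUT
# ---
declare -a udp_out_port_arr
for _port in $udp_out_ports; do udp_out_port_arr+=("$_port"); done

# -------------
# --- Some functions
# -------------

#######################################
# Print the arguments to stderr without a trailing newline, expanding
# backslash escapes the way 'echo -e' does.
# The previous version probed echo's '\c' handling by writing to a temp
# file with the predictable name /tmp/shprompt$$; printf needs neither
# the probe nor the temp file, and treats arguments that look like echo
# options as plain text.
# Arguments: the text to print
# Outputs:   the text, on stderr
#######################################
echononl() {
  printf '%b' "$*" >&2
}

# - Status markers: cursor to column 75, coloured word, newline.
echo_done() {
  printf '\033[75G[ \033[32mdone\033[m ]\n'
}

echo_ok() {
  printf '\033[75G[ \033[32mok\033[m ]\n'
}

echo_warning() {
  printf '\033[75G[ \033[33m\033[1mwarn\033[m ]\n'
}

echo_failed() {
  printf '\033[75G[ \033[1;31mfailed\033[m ]\n'
}

echo_skipped() {
  printf '\033[75G[ \033[33m\033[1mskipped\033[m ]\n'
}

#######################################
# Check whether a string is one of the following arguments.
# Arguments: $1   - the string to look for
#            $2.. - the elements to search (pass an array as "${arr[@]}")
# Returns:   0 if found, 1 otherwise
#######################################
containsElement() {
  local e
  for e in "${@:2}"; do
    [[ "$e" == "$1" ]] && return 0
  done
  return 1
}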