718 lines
14 KiB
Bash
718 lines
14 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
## - Configuration file for firewall script IPv4
|
|
## - ipt-firewall-gateway
|
|
## - ipt-firewall-flush
|
|
## -
|
|
|
|
#######################################################################
|
|
# -------------------------- Configuration -------------------------- #
|
|
|
|
# -------------
|
|
# --- Define programs
|
|
# -------------
|
|
|
|
ip6t="/sbin/ip6tables"
|
|
l2ban_client="$(which fail2ban-client)"
|
|
|
|
|
|
# -------------
|
|
# --- Logging
|
|
# -------------
|
|
|
|
log_all=false
|
|
|
|
log_syn_flood=false
|
|
log_fragments=false
|
|
log_new_not_sync=false
|
|
log_invalid_state=false
|
|
log_invalid_flags=false
|
|
log_spoofed=false
|
|
log_spoofed_out=false
|
|
log_to_lo=false
|
|
log_not_wanted=false
|
|
log_blocked=false
|
|
log_unprotected=false
|
|
log_prohibited=false
|
|
log_voip=false
|
|
log_rejected=true
|
|
|
|
log_ssh=false
|
|
|
|
# - Log using the specified syslog level. 7 (debug) is a good choice
|
|
# - unless you specifically need something else.
|
|
# -
|
|
log_level=debug
|
|
|
|
# - logging messages
|
|
# -
|
|
log_prefix="IPv6:"
|
|
|
|
|
|
# -------------
|
|
# --- Network Interfaces
|
|
# -------------
|
|
|
|
# External interface
|
|
#
|
|
# Notice:
|
|
# Depending on your virtualization software, hosts network-interface
|
|
# may be different from guests one.
|
|
#
|
|
# In case of using LXC and a typical network setup with linux bridge br0:
|
|
# guest_if="br0"
|
|
# host_if="br0"
|
|
# blocked_ifs="eth0"
|
|
#
|
|
# NOTE: if using LX-Container with macvlan bridge, you CANNOT firewall
|
|
# guests here !!
|
|
# guest_if=""
|
|
# host_if="macvlan0"
|
|
# blocked_ifs="eth0"
|
|
#
|
|
# In case of using Linux-VServer both interfaces are the same:
|
|
# guest_if="eth0"
|
|
# host_if="eth0"
|
|
# blocked_ifs=""
|
|
#
|
|
guest_if=""
|
|
host_if=""
|
|
|
|
## is this a virtuel system ?
|
|
host_is_vm=false
|
|
|
|
# - Extern Interfaces Static Lines
|
|
# - (comma separated list)
|
|
#ext_if_static="eth0"
|
|
|
|
# - VPN Interfaces
|
|
# - (comma separated list)
|
|
vpn_ifs=""
|
|
|
|
# - Local Interfaces
|
|
local_if_1=""
|
|
local_if_2=""
|
|
local_if_3=""
|
|
|
|
local_ifs="$local_if_1 $local_if_2 $local_if_3"
|
|
|
|
|
|
# -------------
|
|
# --- Interfaces completly blocked
|
|
# -------------
|
|
|
|
# - Interfaces to block (note: they will all be blocked)
|
|
# -
|
|
# - Example: eth1 is used for DSL Line, that becomes an extra
|
|
# - interface (maybe ppp0). A further use of eth1 (which would
|
|
# - be possible) is not configured at time, so you can block it.
|
|
# - blocked_ifs="eth1"
|
|
# -
|
|
blocked_ifs=""
|
|
|
|
|
|
# -------------
|
|
# --- Interfaces not firewalled
|
|
# -------------
|
|
|
|
# - Note:
|
|
# - Can be (for example) an interface, whose (complete) traffic is
|
|
# - protected by a firewall on an other system in the local area
|
|
# -
|
|
unprotected_ifs=""
|
|
|
|
|
|
# -------------
|
|
# ---- Allow Forwarding (private) IPs / IP-Ranges
|
|
# -------------
|
|
|
|
# - Maybe useful in case of virtual hosts with private addresses or
|
|
# - if using a vpn network to forward into private areas.
|
|
# -
|
|
# - Note: this rules takes affect before rules to protect against
|
|
# - unwanted packages e.g. blocking private addresses on
|
|
# - externel interfaces.
|
|
# -
|
|
# - Note: you can specify networks using CIDR notation
|
|
# - like "192.168.2.0/24"
|
|
# -
|
|
forward_private_ips=""
|
|
|
|
|
|
# -------------
|
|
# --- Services local Mashine
|
|
# -------------
|
|
|
|
# - Is this a DHCP Server ?
|
|
local_dhcp_service=false
|
|
|
|
# - Is this a DNS Server ?
|
|
local_dns_service=false
|
|
|
|
# - Is this a Web Server ?
|
|
local_http_service=false
|
|
http_ports="80,443"
|
|
|
|
# - Is this a SMTP Server
|
|
local_smtp_service=false
|
|
|
|
# - Is this a Mailserver (POP/IMAP)
|
|
local_mail_service=false
|
|
mail_user_ports="587,465,110,995,143,993"
|
|
|
|
# - SSH Service
|
|
local_ssh_service=true
|
|
# - comma separated list
|
|
ssh_ports="22"
|
|
|
|
# - VPN Service
|
|
local_vpn_service=false
|
|
local_vpn_ports="1194 1195"
|
|
|
|
# - FTP Server
|
|
# -
|
|
local_ftp_service=false
|
|
|
|
# - Mumble Server
|
|
# -
|
|
local_mumble_service=false
|
|
mumble_ports="64738"
|
|
|
|
# - Is this a TFTP Server (Port udp 69)
|
|
# -
|
|
# - NOT YET IMPLEMENTED
|
|
# -
|
|
local_tftp_service=false
|
|
|
|
# - XyMon Service (usually TCP port 1984)
|
|
# -
|
|
# - NOT YET IMPLEMENTED
|
|
# -
|
|
local_xymon_service=false
|
|
xymon_port=1984
|
|
|
|
# - Munin Server (usually TCP port 4949)
|
|
# -
|
|
local_munin_service=false
|
|
munin_remote_port="4949"
|
|
|
|
|
|
# -------------
|
|
# --- Services local Network
|
|
# -------------
|
|
|
|
# host root ip
|
|
host_ips="/128"
|
|
|
|
|
|
# guests ip's
|
|
# NOT IN USE
|
|
guest_1_ips=""
|
|
# NOT IN USE
|
|
guest_2_ips=""
|
|
# NOT IN USE
|
|
guest_3_ips=""
|
|
# NOT IN USE
|
|
guest_4_ips=""
|
|
# NOT IN USE
|
|
guest_5_ips=""
|
|
# NOT IN USE
|
|
guest_6_ips=""
|
|
|
|
guest_ips="$guest_1_ips $guest_2_ips $guest_3_ips $guest_4_ips $guest_5_ips $guest_6_ips"
|
|
lxc_ips="$guest_ips"
|
|
vserver_ips=""
|
|
|
|
|
|
# -------------
|
|
# - Protocols Out
|
|
# -------------
|
|
|
|
# - Rsync Protocol
|
|
# -
|
|
# - Needed for some integrated provider of clamav-unofficial-sigs
|
|
# -
|
|
local_rsync_out=false
|
|
rsync_out_ips=""
|
|
rsync_ports="873"
|
|
|
|
|
|
# -------------
|
|
# ---- Restrict local Servive to given (extern) IP-Address/Network
|
|
# -------------
|
|
|
|
# - restrict_local_service_to_net
|
|
# -
|
|
# - restrict_local_service_to_net="ext-netr,local-address,port,protocol"
|
|
# -
|
|
# - Note:
|
|
# - =====
|
|
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
|
|
# - - Traffic recieved on natted interfaces will be ommitted!
|
|
# -
|
|
# - Use this parameter to (only) give some extern netwoks access to special local
|
|
# - services.
|
|
# -
|
|
# - Example:
|
|
# - allow access from 2003:45:4612:3a00::/56 to tcp service at 2a01:30:0:13:211:84ff:feb7:7f9c on port 1036
|
|
# - allow access from 2a01:30:1fff:fd00:: to https service at 2a01:30:0:13:211:84ff:feb7:7f9c
|
|
# -
|
|
# - restrict_local_service_to_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c,1036,tcp
|
|
# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c,443,tcp"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
restrict_local_service_to_net=""
|
|
|
|
|
|
# -------------
|
|
# ---- Restrict local Network to given extern IP-Address/Network
|
|
# -------------
|
|
|
|
# - restrict_local_net_to_net
|
|
# -
|
|
# - restrict_local_net_to_net="<src-ext-net>,<dst-local-net> [<src-ext-net>,<dst-local-net>] [..]"
|
|
# -
|
|
# - All traffic from the given first network to the given second network is allowed
|
|
# -
|
|
# - Note:
|
|
# - =====
|
|
# - - Traffic recieved on natted interfaces will be ommitted!
|
|
# - - If you want allow both directions, you have to make two entries - one for evry directions.
|
|
# -
|
|
# - Example:
|
|
# - allow_ext_net_to_local_net="2003:45:4612:3a00::/56,2a01:30:0:13:211:84ff:feb7:7f9c/128
|
|
# - 2a01:30:1fff:fd00::/64,2a01:30:0:13:211:84ff:feb7:7f9c/128"
|
|
# -
|
|
# - Blank separated list
|
|
# -
|
|
restrict_local_net_to_net=""
|
|
|
|
# - Remote Munin Server
|
|
# -
|
|
munin_remote_ip="2a01:30:0:13:2b3:bdff:fe13:cbf4"
|
|
munin_local_port="4949"
|
|
|
|
|
|
# - DNS Server
|
|
dns_server_ips=""
|
|
|
|
# - SSH Server
|
|
# -
|
|
ssh_server_ips=""
|
|
|
|
# - HTTP(S) Server
|
|
# -
|
|
http_server_ips=""
|
|
|
|
# - Mail SMTP Server
|
|
# -
|
|
smtpd_ips=""
|
|
|
|
# - Mail Services (smtps/pop(s)/imap(s)
|
|
# -
|
|
mail_server_ips=""
|
|
|
|
# - Mail Client (smtps/pop(s)/imap(s)
|
|
# -
|
|
mail_client_ips=""
|
|
|
|
# - FTP Server
|
|
# -
|
|
ftp_server_ips=""
|
|
|
|
# - Mumble Server
|
|
# -
|
|
mumble_server_ips=""
|
|
|
|
# - TFTP Server
|
|
tftp_server_ips=""
|
|
|
|
# - Munin Server
|
|
# -
|
|
munin_server_ips=""
|
|
|
|
# - XyMon Server
|
|
xymon_server_ips=""
|
|
local_xymon_client=false
|
|
|
|
|
|
# -------------
|
|
# --- Allow special Ports (OUT)
|
|
# -------------
|
|
|
|
# - TCP Ports
|
|
# -
|
|
tcp_out_ports=""
|
|
|
|
# - UDP Ports
|
|
# -
|
|
udp_out_ports=""
|
|
|
|
|
|
# -------------
|
|
# --- Block IP's / IP-Ranges
|
|
# -------------
|
|
|
|
blocked_ips=""
|
|
|
|
|
|
# -------------
|
|
# --- Block Ports
|
|
# -------------
|
|
|
|
# - Generally (for all interfaces) block this ports
|
|
# -
|
|
# - Portmapper
|
|
# - tcp 111
|
|
# - udp 111
|
|
# -
|
|
# - Authentication tap ident
|
|
# - tcp 113
|
|
# -
|
|
# - Location Service
|
|
# - tcp 135
|
|
# -
|
|
# - Windows Stuff
|
|
# - tcp 137:139
|
|
# - udp 137:139
|
|
# - tcp 445
|
|
# -
|
|
block_tcp_ports="111 113 135 137:139 445"
|
|
block_udp_ports="111 137:139"
|
|
|
|
|
|
# -------------
|
|
# - Some special stuff
|
|
# -------------
|
|
|
|
create_traffic_counter=true
|
|
create_iperf_rules=true
|
|
|
|
|
|
# -------------
|
|
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
|
|
# -------------
|
|
|
|
# - Disable ip forwarding between interfaces
|
|
# -
|
|
kernel_forward_between_interfaces=false
|
|
|
|
# - Deactivate Source Routed Packets
|
|
# -
|
|
kernel_deactivate_source_route=true
|
|
|
|
# - Deactivate sending ICMP redirects
|
|
# -
|
|
# - ICMP redirects are used by routers to specify better routing paths out of
|
|
# - one network, based on the host choice, so basically it affects the way
|
|
# - packets are routed and destinations.
|
|
# -
|
|
kernel_dont_accept_redirects=true
|
|
|
|
|
|
# -------------
|
|
# --- Some further Ports/IP-Address Configuration
|
|
# -------------
|
|
|
|
# - unpriviligierte Ports
|
|
# -
|
|
unprivports="1024:65535"
|
|
|
|
# unique local address (ULA) - private address block
|
|
ula_block="fc00::/7"
|
|
|
|
# - Loopback
|
|
loopback="::1/128"
|
|
|
|
|
|
# ----------------------- End: Configuration ----------------------- #
|
|
######################################################################
|
|
|
|
|
|
## ====================================
|
|
## - Don't make changes after this Line
|
|
## ====================================
|
|
|
|
|
|
|
|
# -----------
|
|
# --- Define Arrays
|
|
# -----------
|
|
|
|
|
|
# ---
|
|
# - IP-Addresses (Host, Guests (VServer, LX_Container)
|
|
# ---
|
|
declare -a host_ips_arr
|
|
for _ip in $host_ips ; do
|
|
host_ips_arr+=("$_ip")
|
|
done
|
|
declare -a guest_ips_arr
|
|
for _ip in $guest_ips ; do
|
|
guest_ips_arr+=("$_ip")
|
|
done
|
|
declare -a lxc_ips_arr
|
|
for _ip in $lxc_ips ; do
|
|
lxc_ips_arr+=("$_ip")
|
|
done
|
|
declare -a vserver_ips_arr
|
|
for _ip in $vserver_ips ; do
|
|
vserver_ips_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - Extern Interfaces
|
|
# ---
|
|
declare -a ext_if_arr
|
|
ext_if_arr+=("$host_if")
|
|
if [[ $host_if != $guest_if ]]; then
|
|
ext_if_arr+=("$guest_if")
|
|
fi
|
|
|
|
# ---
|
|
# - VPN Interfaces
|
|
# ---
|
|
declare -a vpn_if_arr
|
|
for _dev in $vpn_ifs ; do
|
|
vpn_if_arr+=("$_dev")
|
|
done
|
|
|
|
# ---
|
|
# - Local Network Interfaces
|
|
# ---
|
|
declare -a local_if_arr
|
|
for _dev in $local_ifs ; do
|
|
local_if_arr+=("$_dev")
|
|
done
|
|
|
|
# ---
|
|
# - Network Interfaces completly blocked
|
|
# ---
|
|
declare -a blocked_if_arr
|
|
for _dev in $blocked_ifs ; do
|
|
blocked_if_arr+=("$_dev")
|
|
done
|
|
|
|
# ---
|
|
# - Network Interfaces not firewalled
|
|
# ---
|
|
declare -a unprotected_if_arr
|
|
for _dev in $unprotected_ifs ; do
|
|
unprotected_if_arr+=("$_dev")
|
|
done
|
|
|
|
# ---
|
|
# - Restrict local Servive to given IP-Address/Network
|
|
# ---
|
|
declare -a restrict_local_service_to_net_arr
|
|
for _val in $restrict_local_service_to_net ; do
|
|
restrict_local_service_to_net_arr+=("$_val")
|
|
done
|
|
|
|
# ---
|
|
# - Restrict local Network to given IP-Address/Network
|
|
# ---
|
|
declare -a restrict_local_net_to_net_arr
|
|
for _val in $restrict_local_net_to_net ; do
|
|
restrict_local_net_to_net_arr+=("$_val")
|
|
done
|
|
|
|
# ---
|
|
# - Generally block ports
|
|
# ---
|
|
declare -a block_tcp_port_arr
|
|
for _port in $block_tcp_ports ; do
|
|
block_tcp_port_arr+=("$_port")
|
|
done
|
|
|
|
declare -a block_udp_port_arr
|
|
for _port in $block_udp_ports ; do
|
|
block_udp_port_arr+=("$_port")
|
|
done
|
|
|
|
# ---
|
|
# - Private IPs / IP-Ranges allowed to forward
|
|
# ---
|
|
declare -a forward_private_ip_arr
|
|
for _ip in $forward_private_ips ; do
|
|
forward_private_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses DNS Server
|
|
# ---
|
|
declare -a dns_server_ip_arr
|
|
for _ip in $dns_server_ips ; do
|
|
dns_server_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses SSH Server
|
|
# ---
|
|
declare -a ssh_server_ip_arr
|
|
for _ip in $ssh_server_ips ; do
|
|
ssh_server_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses HTTP Server
|
|
# ---
|
|
declare -a http_server_ip_arr
|
|
for _ip in $http_server_ips ; do
|
|
http_server_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses FTP Server
|
|
# ---
|
|
declare -a ftp_server_ip_arr
|
|
for _ip in $ftp_server_ips ; do
|
|
ftp_server_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - Mail SMTP Server
|
|
# ---
|
|
declare -a smtpd_ips_arr
|
|
for _ip in $smtpd_ips ; do
|
|
smtpd_ips_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - Mail Services (smtps/pop(s)/imap(s)
|
|
# ---
|
|
declare -a mail_server_ips_arr
|
|
for _ip in $mail_server_ips ; do
|
|
mail_server_ips_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - Mail client (smtps/pop(s)/imap(s)
|
|
# ---
|
|
# local
|
|
declare -a mail_client_ips_arr
|
|
for _ip in $mail_client_ips ; do
|
|
mail_client_ips_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses Mumble Server
|
|
# ---
|
|
declare -a mumble_server_ip_arr
|
|
for _ip in $mumble_server_ips ; do
|
|
mumble_server_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses Telephone Systems
|
|
# ---
|
|
declare -a tel_sys_ip_arr
|
|
for _ip in $tel_sys_ips ; do
|
|
tel_sys_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses Munin
|
|
# ---
|
|
declare -a munin_server_ip_arr
|
|
for _ip in $munin_server_ips ; do
|
|
munin_server_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses XyMon
|
|
# ---
|
|
declare -a xymon_server_ip_arr
|
|
for _ip in $xymon_server_ips ; do
|
|
xymon_server_ip_arr+=("$_ip")
|
|
done
|
|
|
|
# ---
|
|
# - IP Addresses Rsync Out
|
|
# ---
|
|
declare -a rsync_out_ip_arr
|
|
for _ip in $rsync_out_ips ; do
|
|
rsync_out_ip_arr+=("$_ip")
|
|
done
|
|
|
|
|
|
# ---
|
|
# - local SSH Ports
|
|
# ---
|
|
declare -a ssh_port_arr
|
|
for _port in $ssh_ports ; do
|
|
ssh_port_arr+=("$_port")
|
|
done
|
|
|
|
# ---
|
|
# - local VPN Ports
|
|
# ---
|
|
declare -a udp_local_vpn_port_arr
|
|
for _port in $local_vpn_ports ; do
|
|
local_vpn_port_arr+=("$_port")
|
|
done
|
|
|
|
# ---
|
|
# - Rsync Out
|
|
# --
|
|
declare -a rsync_port_arr
|
|
for _port in $rsync_ports ; do
|
|
rsync_port_arr+=("$_port")
|
|
done
|
|
|
|
# ---
|
|
# - Special TCP Ports OUT
|
|
# ---
|
|
declare -a tcp_out_port_arr
|
|
for _port in $tcp_out_ports ; do
|
|
tcp_out_port_arr+=("$_port")
|
|
done
|
|
|
|
# ---
|
|
# - Special UDP Ports OUT
|
|
# ---
|
|
declare -a udp_out_port_arr
|
|
for _port in $udp_out_ports ; do
|
|
udp_out_port_arr+=("$_port")
|
|
done
|
|
|
|
|
|
# -------------
|
|
# --- Some functions
|
|
# -------------
|
|
echononl(){
|
|
echo X\\c > /tmp/shprompt$$
|
|
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
|
|
echo -e -n "$*\\c" 1>&2
|
|
else
|
|
echo -e -n "$*" 1>&2
|
|
fi
|
|
rm /tmp/shprompt$$
|
|
}
|
|
echo_done() {
|
|
echo -e "\033[75G[ \033[32mdone\033[m ]"
|
|
}
|
|
echo_ok() {
|
|
echo -e "\033[75G[ \033[32mok\033[m ]"
|
|
}
|
|
echo_warning() {
|
|
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
|
|
}
|
|
echo_failed(){
|
|
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
|
|
}
|
|
echo_skipped() {
|
|
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
|
|
}
|
|
|
|
## - Check if a given array (parameter 2) contains a given string (parameter 1)
|
|
## -
|
|
containsElement () {
|
|
local e
|
|
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
|
|
return 1
|
|
}
|
|
|
|
|