diff --git a/BLKR/ipt-firewall/logging_ipv4.conf b/BLKR/ipt-firewall/logging_ipv4.conf
index 90f9606..e653972 100644
--- a/BLKR/ipt-firewall/logging_ipv4.conf
+++ b/BLKR/ipt-firewall/logging_ipv4.conf
@@ -19,7 +19,7 @@ log_blocked=false
 log_unprotected=false
 log_prohibited=false
 log_voip=false
-log_rejected=true
+log_rejected=false
 log_ssh=false
diff --git a/BLKR/ipt-firewall/main_ipv4.conf b/BLKR/ipt-firewall/main_ipv4.conf
index 887f116..6a11430 100644
--- a/BLKR/ipt-firewall/main_ipv4.conf
+++ b/BLKR/ipt-firewall/main_ipv4.conf
@@ -8,7 +8,11 @@
 # - IPv4 Addresses Gateway
 # ---
 declare -a gateway_ipv4_address_arr
-read -a gateway_ipv4_address_arr <<<$(ifconfig | grep "inet Ad" | awk '{print$2}' | cut -d':' -f2)
+
+_ips="$(ip a | grep "inet " | awk '{print$2}' | cut -d'/' -f1)"
+for _ip in $_ips ; do
+ gateway_ipv4_address_arr+=("$_ip")
+done
 # =============
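Review bot: `log_rejected=false` turns off the only log line for traffic the firewall rejects, and nothing in the hunk or the commit records why the default changed. Rejected packets are usually the first thing an operator looks at when a client cannot reach a service or when a rule is mis-ordered, so losing them by default reduces visibility on every gateway that ships with this file. If the intent is to cut log volume, keep a note beside the value so it is not flipped back without thought, e.g. `# - log_rejected is off by default: <reason for this deployment>`.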
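Review bot: `ip a | grep "inet " | awk '{print$2}'` collects every IPv4 address on the host, including `127.0.0.1` on `lo` and any secondary addresses, so `gateway_ipv4_address_arr` carries the loopback address; the old `ifconfig` parse behaved the same way, but since the script later uses this array with `containsElement` to decide which destinations get INPUT rules, a comment stating that loopback is included on purpose (or a `grep -v '^127\.'` after the `cut` if it is not) would help. `ip -4 -o addr show` prints one address per line in a fixed column layout and is less fragile than scraping the multi-line `ip a` output: `_ips="$(ip -4 -o addr show | awk '{print $4}' | cut -d'/' -f1)"`. If `ip` is absent or fails, `$_ips` is empty and the array silently stays empty, which nothing in the hunk detects.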
@@ -50,6 +54,97 @@ unprotected_ifs=""
 any_access_to_inet_networks=""
+# - Allow these networks getting any access from the internet.
+# -
+# - Note:
+# - =====
+# - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Blank separated list of networks
+# -
+any_access_from_inet_networks=""
+
+
+
+# =============
+# - Allow local services from given local networks
+# =============
+
+# - allow_local_net_to_local_service
+# -
+# - allow_local_net_to_local_service="local-net:local-service:port:protocol"
+# -
+# - Note:
+# - =====
+# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# - - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some local netwoks access to special local
+# - services (but not for all local networks as you can configure later).
+# -
+# - If you plan to separate networks (see parameter 'separate_local_networks'), but
+# - to allow these networks some special local services, you can also use this parameter.
+# -
+# - Example:
+# - allow access from 194.150.169.139 to ssh service at 83.223.73.210 on port 1036
+# - allow access from 86.73.85.0/24 to https service at 83.223.73.204
+# -
+# - allow_ext_net_to_local_service="194.150.169.139/32:83.223.73.210:1036:tcp
+# - 86.73.85.0/24:83.223.73.204:$standard_https_port:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_local_service=""
+
+
+
+# =============
+# - Allow all traffic from extern address/network to local address/network
+# =============
+
+# - allow_ext_net_to_local_net
+# -
+# - allow_ext_net_to_local_net=": [:] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# - - Traffic recieved on natted interfaces will be ommitted!
+# - - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# - 83.223.86.96/32:86.223.73.0/24"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_local_ip=""
+
+
+
+# =============
+# - Block all extern traffic to (given) local network
+# =============
+
+# - block_all_ext_to_local_net
+# -
+# - block_all_ext_to_local_net=" [ /dev/null 2>&1) ; then
+
+ # Its not a vaild mask number, but naybe a valit netmask.
+ #
+ test_netmask=true
+ else
+ if [[ $_mask -gt 32 ]]; then
+
+ # Its not a vaild cidr number, but naybe a valit netmask.
+ #
+ test_netmask=true
+ else
+
+ # OK, we have a vaild cidr number between '0' and '32'
+ #
+ mask=$_mask
+ fi
+ fi
+
+ # Test if given '_mask' is a valid netmask.
+ #
+ if $test_netmask ; then
+ octets=( ${_mask//\./ } )
+
+ # Complete netmask if necessary
+ #
+ while [[ ${#octets[@]} -lt 4 ]]; do
+ octets+=(0)
+ done
+
+ [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false
+
+ index=0
+ for octet in ${octets[@]} ; do
+ if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
+ if [[ $octet -gt 255 ]] ; then
+ is_valid_mask=false
+ fi
+ if [[ $index -gt 0 ]] ; then
+ mask="${mask}.${octet}"
+ else
+ mask="${octet}"
+ fi
+
+ else
+ is_valid_mask=false
+ fi
+
+ ((index++))
+ done
+ fi
+
+ adjust_mask=false
+ else
+ mask=32
+ adjust_mask=true
+ fi
+
+ # Splitt given address into their octets
+ #
+ octets=( ${_ipv4//\./ } )
+
+ # Complete IPv4 address if necessary
+ #
+ while [[ ${#octets[@]} -lt 4 ]]; do
+ octets+=(0)
+
+ # Only adjust CIDR number if not given
+ #
+ if $adjust_mask ; then
+ mask="$(expr $mask - 8)"
+ fi
+ done
+
+ # Pre-check if given IPv4 Address seems to be a valid address
+ #
+ [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false
+
+ # Check if given IPv4 Address is a valid address
+ #
+ if $is_valid_ipv4 ; then
+ index=0
+ for octet in ${octets[@]} ; do
+ if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
+ if [[ $octet -gt 255 ]] ; then
+ is_valid_ipv4=false
+ fi
+ if [[ $index -gt 0 ]] ; then
+ ipv4="${ipv4}.${octet}"
+ else
+ ipv4="${octet}"
+ fi
+
+ else
+ is_valid_ipv4=false
+ fi
+
+ ((index++))
+ done
+ fi
+
+ if $is_valid_ipv4 && $is_valid_mask; then
+
+ _ip="${ipv4}/${mask}"
+
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_blocked_ip || $log_all ; then
+ $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ fi
+ fi
+ $ipt -A INPUT -i $_dev -s $_ip -j DROP
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i $_dev -s $_ip -j DROP
+ fi
+ done
+
+
+ else
+ msg="$msg '${given_ipv4}'"
+ fi
+
+ done < "${ipt_conf_dir}/ban_ipv4.list"
+ echo_done
+
+ if [[ -n "$msg" ]]; then
+ warn "Ignored:$msg"
+ fi
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Allow Forwarding certain private Addresses
 # ---
@@ -1145,7 +1348,8 @@ fi
 echononl "\tAllow these local networks any access to the internet"
 if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \
- && $kernel_activate_forwarding ; then
+ && $kernel_activate_forwarding \
+ && ! $permit_local_net_to_inet ; then
 for _net in ${any_access_to_inet_network_arr[@]}; do
 for _dev in ${ext_if_arr[@]} ; do
@@ -1158,6 +1362,157 @@ else
 fi
+echononl "\tAllow these local networks any access from the internet"
+if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ _found=false
+ for _net in ${any_access_from_inet_network_arr[@]}; do
+ for _dev in ${ext_if_arr[@]} ; do
+
+ # - Traffic recieved on natted interfaces will be ommitted!
+ # -
+ if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+ continue
+ else
+ _found=true
+ fi
+
+ $ipt -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+ if $_found ; then
+ echo_done
+ else
+ echo_skipped
+ fi
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow local services from given extern networks
+# ---
+
+echononl "\tAllow local services from given extern networks"
+if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ _found=false
+ for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[1]}" "${gateway_ipv4_address_arr[@]}" ; then
+ $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ # - Traffic recieved on natted interfaces will be ommitted!
+ # -
+ if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+ continue
+ else
+ _found=true
+ fi
+
+ $ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+
+ done
+
+ done
+
+ if $_found ; then
+ echo_done
+ else
+ echo_skipped
+ fi
+
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Allow all traffic from extern address/network to local address/network
+# ---
+
+# - !! Note:
+# - does NOT depend on settings 'permit_between_local_networks' !!
+# -
+echononl "\tAllow all traffic from extern to local network/address"
+
+if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ _found=false
+ for _val in ${allow_ext_net_to_local_net_arr[@]} ; do
+ IFS=':' read -a _val_arr <<< "${_val}"
+ for _dev in ${ext_if_arr[@]} ; do
+
+ # - Traffic recieved on natted interfaces will be ommitted!
+ # -
+ if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+ continue
+ else
+ _found=true
+ fi
+
+ $ipt -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
+
+ done
+ done
+
+ if $_found ; then
+ echo_done
+ else
+ echo_skipped
+ fi
+
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Block all extern traffic to (given) local network
+# ---
+
+echononl "\tBlock all extern traffic to (given) local network"
+if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding ; then
+
+ _found=false
+ for _net in ${block_all_ext_to_local_net_arr[@]} ; do
+ for _dev in ${ext_if_arr[@]} ; do
+
+ # - Traffic recieved on natted interfaces will be ommitted!
+ # -
+ if containsElement "$_dev" "${nat_device_arr[@]}" ; then
+ continue
+ else
+ _found=true
+ fi
+
+ $ipt -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP
+
+ done
+ done
+
+ if $_found ; then
+ echo_done
+ else
+ echo_skipped
+ fi
+
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Allow local services from given local networks
@@ -1448,6 +1803,20 @@ fi
 # - DHCP
 # ---
+echononl "\t\tLocal DHCP Client"
+
+if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then
+ for _dev in ${dhcp_client_interfaces_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp -m udp -d 255.255.255.255 --dport 67 -j ACCEPT
+ $ipt -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
 echononl "\t\tDHCP"
 if $local_dhcp_service ; then
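Review bot: In the 'Allow local services from given extern networks' loop, `IFS=':' read -a _val_arr <<< "${_val}"` is never checked for the expected four fields, so a malformed entry expands to a rule like `-p -s ${_val_arr[0]} ...`; iptables rejects that rule, and as far as this hunk shows the script simply carries on, and the same applies to the two-field split in the 'Allow all traffic from extern to local network/address' loop. A one-line guard right after the `read` keeps bad entries out: `[[ ${#_val_arr[@]} -eq 4 ]] || { warn "Ignoring malformed entry '${_val}'" ; continue ; }` (with `-eq 2` in the second loop). Separately, the new block reads `allow_ext_net_to_local_net_arr`, but the main_ipv4.conf hunk in this commit documents `allow_ext_net_to_local_net` and then assigns `allow_local_net_to_local_ip=""`, so unless the array is derived elsewhere from the right variable this feature can never be configured. Finally, `-p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT` in the 'any access from the internet' block accepts every new connection to those networks before any later per-service rule is consulted; a comment saying so next to the rule would make the blast radius of that setting obvious to operators.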
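Review bot: The new client rule `$ipt -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT` accepts any UDP datagram to port 68 on the interface from any source port, whereas DHCP server replies always originate from port 67, so `--sport 67 --dport 68` narrows the exposure at no cost. Both rules deliberately skip `-m conntrack`, presumably because broadcast replies are not reliably matched as part of the tracked exchange; a comment such as `# - replies may be broadcast, so they are not matched by the ESTABLISHED rule` would explain why this block differs from the other service rules. The OUTPUT rule only matches `-d 255.255.255.255`, but a lease renewal is sent unicast to the server, so if no other OUTPUT rule covers that case renewals will be dropped; worth confirming against the rest of the script.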
@@ -1492,13 +1861,13 @@ echononl "\t\tDNS out only"
 for _dev in ${ext_if_arr[@]} ; do
 # - out from local and virtual mashine(s)
 $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- #$ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
 # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
 if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
 # - forward from virtual mashine(s)
 $ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
- #$ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
@@ -1515,11 +1884,19 @@ echononl "\t\tDNS Service Gateway"
 # -
 if $local_dns_service ; then
+ # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
+
 # - Allow requests from local networks
 # -
 for _dev in ${local_if_arr[@]} ; do
 # - in
 $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
 done
 # - Zonetransfere (uses tcp/53)
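Review bot: The two TCP/53 rules that this hunk un-comments get no explanation, while the 'DNS Service Gateway' and 'DNS Service local Network' hunks in the same commit both add a note on why TCP is needed; add the same note here so the three places stay consistent, e.g. `# - Answers that do not fit in a UDP datagram are retried over TCP/53 (TC bit), so both protocols are needed`. The `for _dev` loop's enclosing block starts before the hunk.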
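Review bot: The new `$ipt -A INPUT -i $_dev -p tcp --dport 53 ... -j ACCEPT` opens TCP/53 from every interface in `local_if_arr`, so if the 'Zonetransfere (uses tcp/53)' rule that follows limits TCP/53 to specific secondaries on those same interfaces it is now shadowed for local sources, and restricting AXFR to known peers has to be enforced in the name server's own transfer ACL rather than by this rule set; a comment next to the new rule stating that would stop a later reader from assuming the firewall still gates zone transfers from the LAN. The added comment is also imprecise: 'larger than 512 bytes' describes the classic DNS UDP limit, but resolvers negotiating EDNS0 carry larger UDP payloads and fall back to TCP only when an answer is truncated (TC bit set), so `# - Answers that do not fit in the UDP payload are retried over TCP/53 (TC bit)` is the more accurate wording. The same text is repeated in the 'DNS Service local Network' hunk and should be corrected there as well.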
@@ -1551,11 +1928,21 @@ echononl "\t\tDNS Service local Network"
 # - Make nameservers at the local network area rechable for all
 # -
 if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
+
+ # dns requests
+ #
+ # Note:
+ # If the total size of the DNS record is larger than 512 bytes,
+ # it will be sent over TCP, not UDP.
+ #
+
 for _ip in ${dns_server_ip_arr[@]} ; do
 $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
 for _dev in ${local_if_arr[@]} ; do
 $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
 done
@@ -1759,6 +2146,35 @@ else
 fi
+# ---
+# - Cisco kompartibles VPN (FRITZ!Box)
+# ---
+
+echononl "\t\tCisco VPN Service (FRITZ\!Box) only out"
+
+if $allow_cisco_vpn_out && [[ ${#cisco_vpn_out_port_arr[@]} -gt 0 ]]; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${cisco_vpn_out_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ done
+
+ for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - VPN Service only out
 # ---
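Review bot: `$ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT` has no `-p`, so it permits every new outbound connection on each VPN interface, while the FORWARD rule two lines below is restricted to `-p $cisco_vpn_out_protocol`; if the asymmetry is intended (the gateway itself may use the tunnel freely) say so in a comment, otherwise add the same `-p` to the OUTPUT rule. Both rules run only inside the `allow_cisco_vpn_out` block although `vpn_if_arr` reads like a general VPN interface list, so it is worth confirming that no other VPN type relies on these rules. In the status string `"\t\tCisco VPN Service (FRITZ\!Box) only out"`, bash keeps the backslash before `!` inside double quotes, so unless `echononl` strips it the line will print as `FRITZ\!Box`; the comment three lines above already writes `FRITZ!Box` without the backslash, which is what the string should use as well.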
@@ -2056,6 +2472,23 @@ else
 fi
+# ---
+# - SMTP (Relay) Service Gateway
+# ---
+
+echononl "\t\tSMTP (Relay) Service Gateway (only on local network)"
+if $local_smtp_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A INPUT -p tcp -i $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
 # ---
 # - Mail User Services smtps/pop(s)/imap(s) only out
 # ---
@@ -2217,10 +2650,16 @@ if $allow_ftp_request_out ; then
 for _dev in ${ext_if_arr[@]} ; do
 $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ # - Allow active FTP connections from local network
+ # -
+ #$ipt -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
 $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 fi
+ # - Allow active FTP connections from local network
+ # -
+ $ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
 done
 echo_done
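Review bot: `$ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT` accepts any new inbound TCP connection on the external interface whose source port is 20, to every forwarded host and every destination port; since a remote peer picks its own source port, this is in effect an unrestricted inbound allow for the whole network behind the gateway, not just active-FTP data channels. The safer way to support active FTP is the conntrack FTP helper, which tags the data connection as RELATED so the rule set's usual ESTABLISHED,RELATED rule (assumed to exist) admits it: load `nf_conntrack_ftp`, on kernels where automatic helper assignment is disabled add `-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` (and the `-t raw -A OUTPUT` equivalent for the gateway itself), and drop the `--sport 20` rule. The commented-out INPUT variant above it should be removed rather than left in as a template. The enclosing `if $allow_ftp_request_out` block starts on the hunk header line and ends after the hunk.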
@@ -3115,12 +3554,14 @@ if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then
 for _ip in ${pcns_server_ip_arr[@]} ; do
 if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then
+ $ipt -A OUTPUT -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ $ipt -A FORWARD -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
 $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
@@ -3140,48 +3581,73 @@ fi
 # ---
-# - Ubiquiti Unifi Accesspoints
+# - Ubiquiti Unifi Controller Gateway
 # ---
-echononl "\t\tUbiquiti Unifi Accesspoints"
-if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
- if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then
- for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do
- for _dev in ${local_if_arr[@]} ; do
- $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT
- if $provide_hotspot ; then
- $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT
- fi
- done
+echononl "\t\tUbiquiti Unifi Controller Gateway"
+if $local_unifi_controller_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
- done
+ $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs"
+if $local_unifi_controller_service ; then
+
+ if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then
+
+ for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
+
+ $ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+ done
+
+ echo_done
+ else
+ echo_skipped
+ warn "Local Unifi Controller is defined, but no Unifi APs!"
+ fi
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Ubiquiti Unifi Controller local Network
+# ---
+
+echononl "\t\tUbiquiti Unifi Controller local Network"
+if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
+ && $kernel_activate_forwarding \
+ && ! $permit_between_local_networks ; then
+
+ for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
 fi
- if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
- for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
- for _dev in ${local_if_arr[@]} ; do
- $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT
- if $provide_hotspot ; then
- $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT
- fi
- done
-
- # - Note:
- # - If (local) alias interfaces like eth1:0 in use, youe need a further
- # - special rule.
- # -
- if $kernel_activate_forwarding && $local_alias_interfaces ; then
- $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT
- if $provide_hotspot ; then
- $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
- $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
- fi
- fi
-
- done
- fi
+ done
 echo_done
 else