Update network BLKR

This commit is contained in:
Christoph 2018-10-14 02:14:43 +02:00
parent f13100cf23
commit 94bc10a582
4 changed files with 708 additions and 84 deletions


@ -19,7 +19,7 @@ log_blocked=false
log_unprotected=false log_unprotected=false
log_prohibited=false log_prohibited=false
log_voip=false log_voip=false
log_rejected=true log_rejected=false
log_ssh=false log_ssh=false
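Review bot: Rejected traffic will no longer be logged once this hunk flips `log_rejected` to `false`, which removes the audit trail you normally want when reconstructing a port scan or a misbehaving peer from the gateway's logs. If the motivation is log volume, keeping the option on and rate-limiting the LOG rule (`-m limit --limit 3/min --limit-burst 5`) preserves the evidence while bounding the noise; the LOG rules themselves are outside this hunk, so I can't tell whether a limit is already applied there. At minimum a comment on this line saying why rejected packets are no longer logged, e.g. `# - Rejected packets are not logged: <reason>`, would help the next reader.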


@ -8,7 +8,11 @@
# - IPv4 Addresses Gateway # - IPv4 Addresses Gateway
# --- # ---
declare -a gateway_ipv4_address_arr declare -a gateway_ipv4_address_arr
read -a gateway_ipv4_address_arr <<<$(ifconfig | grep "inet Ad" | awk '{print$2}' | cut -d':' -f2)
_ips="$(ip a | grep "inet " | awk '{print$2}' | cut -d'/' -f1)"
for _ip in $_ips ; do
gateway_ipv4_address_arr+=("$_ip")
done
# ============= # =============
@ -50,6 +54,97 @@ unprotected_ifs=""
any_access_to_inet_networks="" any_access_to_inet_networks=""
# - Allow these networks getting any access from the internet.
# -
# - Note:
# - =====
# - Traffic recieved on natted interfaces will be ommitted!
# -
# - Blank separated list of networks
# -
any_access_from_inet_networks=""
# =============
# - Allow local services from given local networks
# =============
# - allow_local_net_to_local_service
# -
# - allow_local_net_to_local_service="local-net:local-service:port:protocol"
# -
# - Note:
# - =====
# - - Only 'tcp' and 'udp' are allowed valuse for protocol.
# - - Traffic recieved on natted interfaces will be ommitted!
# -
# - Use this parameter to (only) give some local netwoks access to special local
# - services (but not for all local networks as you can configure later).
# -
# - If you plan to separate networks (see parameter 'separate_local_networks'), but
# - to allow these networks some special local services, you can also use this parameter.
# -
# - Example:
# - allow access from 194.150.169.139 to ssh service at 83.223.73.210 on port 1036
# - allow access from 86.73.85.0/24 to https service at 83.223.73.204
# -
# - allow_ext_net_to_local_service="194.150.169.139/32:83.223.73.210:1036:tcp
# - 86.73.85.0/24:83.223.73.204:$standard_https_port:tcp"
# -
# - Blank separated list
# -
allow_local_net_to_local_service=""
# =============
# - Allow all traffic from extern address/network to local address/network
# =============
# - allow_ext_net_to_local_net
# -
# - allow_ext_net_to_local_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
# -
# - All traffic from the given first network to the given second network is allowed
# -
# - Note:
# - =====
# - - Traffic recieved on natted interfaces will be ommitted!
# - - If you want allow both directions, you have to make two entries - one for evry directions.
# -
# - Example:
# - allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
# - 83.223.86.96/32:86.223.73.0/24"
# -
# - Blank separated list
# -
allow_local_net_to_local_ip=""
# =============
# - Block all extern traffic to (given) local network
# =============
# - block_all_ext_to_local_net
# -
# - block_all_ext_to_local_net="<local-net> [<local-net [<local-net .."
# -
# - Blocks all extern traffic to given local network(s)
# -
# - Note:
# - =====
# - - Traffic recieved on natted interfaces will be ommitted!
# -
# - Example:
# - block_all_ext_to_local_net="83.223.73.32/29 83.223.73.48/29"
# -
# - Blank separated list
# -
block_all_ext_to_local_net=""
# ============= # =============
# - Allow local services from given local networks # - Allow local services from given local networks
@ -276,6 +371,15 @@ vpn_local_net_ports="1194"
# - DHCP Service # - DHCP Service
# ====== # ======
# - Ist this Gateway DHCP Client?
# -
# - local_dhcp_client_interfaces="<interface1> [<interface> [.."
# -
# - Example:
# - dhcp_client_interfaces="$ext_if_static_1"
# -
dhcp_client_interfaces=""
# - DHCP Server Gateway # - DHCP Server Gateway
# - # -
local_dhcp_service=true local_dhcp_service=true
@ -409,6 +513,11 @@ http_ports="$standard_http_ports"
# - Mail Services # - Mail Services
# ====== # ======
# - SMTP server (i.e. mail relay service) Gateway
# -
local_smtp_service=false
# - Mailserver (SMTP(POP/IMAP) Gateway # - Mailserver (SMTP(POP/IMAP) Gateway
# - # -
# - NOT YET IMPLEMENTED # - NOT YET IMPLEMENTED
@ -538,10 +647,9 @@ samba_tcp_ports="137 138 139 445"
# - Samba Service local networks # - Samba Service local networks
# - # -
# - 192.168.122.10 Samba Fileserver # - 192.168.162.10 Samba Fileserver
# - 192.168.122.20 KVM Windows 7 Freigaben
# - # -
samba_server_local_ips="192.168.122.10 192.168.122.20" samba_server_local_ips="192.168.162.10"
# - Samba Service DMZ # - Samba Service DMZ
# - # -
@ -570,6 +678,8 @@ local_ntp_service=true
# - SNMP services local Networks # - SNMP services local Networks
# - # -
# - Blank separated list of ip's
# -
snmp_server_ips="" snmp_server_ips=""
# - SNMP Port # - SNMP Port
@ -715,21 +825,59 @@ remote_console_port=5900
# - Ubiquiti Unifi # - Ubiquiti Unifi
# ====== # ======
# - Notice: # - By default, the UniFi controller will operate on the following ports:
# - The Accesspoint IP is not needed (i think so), because the
# - AP uses port 8080 for cummunication with the controller, and
# - this port will be configured with the rules concerning the
# - controllers.
# - # -
# - again: setting unifi_ap_local_ips is not needed # - unifi_http_port=8080 (port for UAP to inform controller)
#unifi_ap_local_ips="192.168.64.50" # - unifi_https_port=8443 (port for controller GUI / API, as seen in web browser)
# - unifi_portal_http_port=8880 (port for HTTP portal redirect - Hotspot)
# - unifi_portal_https_port=8843 (port for HTTPS portal redirect - Hotspot)
# - unifi_http_port=6789 (port used for throughput measurement)
# - unifi_db_port=27117 (local-bound port for DB server)
# -
# -
# - In version 4.5.2 and later, users can also define the port assigned to STUN services,
# - for scenarios where two or more separate UniFi instances are desired on the
# - same controller machine.
# -
# - unifi_stun_port=3478 # UDP port used for STUN
# - # Open Port from controller to Unifi APs
# -
# -
# - Ubiquity Networks uses port 10001/UDP for its AirControl
# - management discovery protocol
# -
# - unifi_aircontroll_port=10001
# -
# -
# - Since v3.2.9+ and v4.6.0+, two more ports are being reserved for device redirector.
# - There is no need to open firewall for these ports on controller. However, on
# - controller, avoid to use these ports:
# -
# - port 8881 for redirector port for wireless clients
# - port 8882 for redirector port for wired clients
# -
# -
# - For AP-EDU Broadcasts:
# -
# - UDP ports 5656-5699
# -
unify_tcp_ports="8080,8443,8880,8843,6789,27117"
unify_udp_ports="3478"
unify_broadcast_udp_ports="10001,5656:5699"
unifi_controller_gateway_ips="" # - Unifi Controller at gateway?
# -
local_unifi_controller_service=false
# - Unifi Accesspoints (AP's) controlled by UniFi controller at Gateway
# -
unifi_ap_local_ips=""
# - UniFi Controllers on local network (other than this machine)
# -
unify_controller_local_net_ips="" unify_controller_local_net_ips=""
unify_controller_ports="8080,8443"
provide_hotspot=true
hotspot_ports="8880,8843"
# ====== # ======
@ -738,21 +886,30 @@ hotspot_ports="8880,8843"
# - IPMI Tools local Networks # - IPMI Tools local Networks
# - # -
# - 192.168.122.201 IPMI Fileserver # - 192.168.162.15 IPMI Fileserver
# - 192.168.122.202 IPMI Gateway
# - # -
# - Blank seoarated list # - Blank seoarated list
# - # -
ipmi_server_ips="192.168.122.201 192.168.2.15" ipmi_server_ips="192.168.162.15"
# - IPMI Tools Port # - IPMI Tools Port
# - # -
# - UDP 161: SNMP
# - UDP 623: Access IPMI Programms (as IPMIView or FreeIPMI) # - UDP 623: Access IPMI Programms (as IPMIView or FreeIPMI)
# -
# - TCP 80: Webinterface.
# - TCP 161: SNMP
# - TCP 443: Webinterface (SSL)
# - TCP 623: Virtual Media for Remote Console # - TCP 623: Virtual Media for Remote Console
# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM." # - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
# - TCP 5120: CD/USB
# - TCP 5123: Floppy
# - TCP 5900: KVM over IP
# - TCP 5901: Video for remote console
# - TCP 5985: Wsman
# - # -
ipmi_udp_ports="623 5900" ipmi_udp_ports="161 623"
ipmi_tcp_ports="80 443 623 3520" ipmi_tcp_ports="80 161 443 623 3520 5120 5123 5900 5901 5985"
# ============= # =============
@ -780,8 +937,6 @@ local_rsync_out=false
# - IP Addresses Printer # - IP Addresses Printer
# - # -
# - 192.168.122.5 Brother HL-5380DN
# -
# - Blank separated list # - Blank separated list
# - # -
printer_ips="" printer_ips=""
@ -860,10 +1015,27 @@ other_services=""
# --- Masuqerading # --- Masuqerading
# ============= # =============
# - Masquerade (NAT) networks
# -
# - nat_networks="<src-network>:<output-device> [<src-network>:<output-device>] [.."
# -
# - Multiple declarations (blank separated list) are possible
# -
# - Example:
# - nat_network="172.16.1.0/24:${local_if_2}
# - 172.16.63.0/24:${ext_if_static_1}"
# -
# - 172.16.1.0/24 Rescue network (routers)
# -
nat_networks=""
# - Masquerade TCP Connections # - Masquerade TCP Connections
# - # -
# - masquerade_tcp_con="<src-network>:<dst-host>:<dst-port>:<output-device> [<src-network>:<dst-host>:..]" # - masquerade_tcp_con="<src-network>:<dst-host>:<dst-port>:<output-device> [<src-network>:<dst-host>:..]"
# - # -
# - Multiple declarations (blank separated list) are possible
# -
# - Example: # - Example:
# - # -
# - masquerade_tcp_con="192.168.63.0/24:192.168.62.244:80:${local_if_1} # - masquerade_tcp_con="192.168.63.0/24:192.168.62.244:80:${local_if_1}
@ -944,6 +1116,10 @@ allow_samba_requests_out=true
allow_vpn_out=true allow_vpn_out=true
vpn_out_ports="1194 1195 1196" vpn_out_ports="1194 1195 1196"
allow_cisco_vpn_out=true
cisco_vpn_out_ports="$standard_isakmp_port $standard_ipsec_nat_t"
cisco_vpn_out_protocol="esp"
# === # ===
# = Services allowed between local networks # = Services allowed between local networks
@ -967,7 +1143,7 @@ allow_scanning_between_local_nets=true
# - Permit internet access to all machines at local network # - Permit internet access to all machines at local network
# - Does not include this server itself # - Does not include this server itself
# - # -
permit_local_net_to_inet=true permit_local_net_to_inet=false
# - Do not block any traffic between local machines # - Do not block any traffic between local machines
# - # -
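Review bot: The parameter documented under the heading "Allow all traffic from extern address/network to local address/network" as `allow_ext_net_to_local_net` is never defined: the assignment that closes that comment block is `allow_local_net_to_local_ip=""`, so if the array `allow_ext_net_to_local_net_arr` that the firewall script consumes is derived from the variable of the same name (as the other parameters appear to be), any entries an operator writes under the documented name are silently ignored. That line should read `allow_ext_net_to_local_net=""`. The block above it has the same mismatch: its example and the script's new "Allow local services from given extern networks" section use `allow_ext_net_to_local_service`, but the assignment is `allow_local_net_to_local_service=""`, which duplicates the pre-existing parameter of that name further down under an identical heading; presumably it should be `allow_ext_net_to_local_service=""` with the heading corrected to say "extern networks". The DHCP-client comment likewise names `local_dhcp_client_interfaces` while the variable it documents is `dhcp_client_interfaces`.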


@ -1,18 +0,0 @@
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
sleep 2
/etc/init.d/ntp restart || /bin/true
exit 0


@ -240,10 +240,31 @@ $ipt -Z
$ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
unset natted_interface_arr
declare -a natted_interface_arr
for _dev in ${nat_device_arr[@]} ; do for _dev in ${nat_device_arr[@]} ; do
$ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
natted_interface_arr+=("$_dev")
done done
if [[ ${#nat_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
for _val in "${nat_network_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
# - Prevent natting on an interface already natted
# -
if containsElement "${_val_arr[1]}" "${nat_device_arr[@]}" ; then
continue
fi
# - ?? - Don't know which rule is the right one
# -
#$ipt -t nat -A POSTROUTING -o ${_val_arr[1]} -d ${_val_arr[0]} -j MASQUERADE
$ipt -t nat -A POSTROUTING -o ${_val_arr[1]} -s ${_val_arr[0]} -j MASQUERADE
done
fi
if $telekom_internet_tv ; then if $telekom_internet_tv ; then
$ipt -t nat -A POSTROUTING -o $tv_extern_if -j MASQUERADE $ipt -t nat -A POSTROUTING -o $tv_extern_if -j MASQUERADE
fi fi
@ -589,6 +610,188 @@ done
echo_done # Block IPs / Networks / Interfaces.. echo_done # Block IPs / Networks / Interfaces..
# ---
# - Block IPs/Netwoks reading from file 'ban_ipv4.list'"
# ---
echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .."
if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then
declare -a octets
declare -i index
while IFS='' read -r _line || [[ -n $_line ]] ; do
is_valid_ipv4=true
is_valid_mask=true
ipv4=""
mask=""
# Ignore comment lines
#
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
# Ignore blank lines
#
[[ $_line =~ ^[[:space:]]*$ ]] && continue
# Remove leading whitespace characters
#
_line="${_line#"${_line%%[![:space:]]*}"}"
# Catch IPv4 Address
#
given_ipv4="$(echo $_line | cut -d ' ' -f1)"
# Splitt Ipv4 address from possible given CIDR number
#
IFS='/' read -ra _addr <<< "$given_ipv4"
_ipv4="${_addr[0]}"
if [[ -n "${_addr[1]}" ]] ; then
_mask="${_addr[1]}"
test_netmask=false
# Is 'mask' a valid CIDR number? If not, test agains a valid netmask
#
if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then
# Its not a vaild mask number, but naybe a valit netmask.
#
test_netmask=true
else
if [[ $_mask -gt 32 ]]; then
# Its not a vaild cidr number, but naybe a valit netmask.
#
test_netmask=true
else
# OK, we have a vaild cidr number between '0' and '32'
#
mask=$_mask
fi
fi
# Test if given '_mask' is a valid netmask.
#
if $test_netmask ; then
octets=( ${_mask//\./ } )
# Complete netmask if necessary
#
while [[ ${#octets[@]} -lt 4 ]]; do
octets+=(0)
done
[[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false
index=0
for octet in ${octets[@]} ; do
if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
if [[ $octet -gt 255 ]] ; then
is_valid_mask=false
fi
if [[ $index -gt 0 ]] ; then
mask="${mask}.${octet}"
else
mask="${octet}"
fi
else
is_valid_mask=false
fi
((index++))
done
fi
adjust_mask=false
else
mask=32
adjust_mask=true
fi
# Splitt given address into their octets
#
octets=( ${_ipv4//\./ } )
# Complete IPv4 address if necessary
#
while [[ ${#octets[@]} -lt 4 ]]; do
octets+=(0)
# Only adjust CIDR number if not given
#
if $adjust_mask ; then
mask="$(expr $mask - 8)"
fi
done
# Pre-check if given IPv4 Address seems to be a valid address
#
[[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false
# Check if given IPv4 Address is a valid address
#
if $is_valid_ipv4 ; then
index=0
for octet in ${octets[@]} ; do
if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
if [[ $octet -gt 255 ]] ; then
is_valid_ipv4=false
fi
if [[ $index -gt 0 ]] ; then
ipv4="${ipv4}.${octet}"
else
ipv4="${octet}"
fi
else
is_valid_ipv4=false
fi
((index++))
done
fi
if $is_valid_ipv4 && $is_valid_mask; then
_ip="${ipv4}/${mask}"
for _dev in ${ext_if_arr[@]} ; do
if $log_blocked_ip || $log_all ; then
$ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
fi
fi
$ipt -A INPUT -i $_dev -s $_ip -j DROP
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -i $_dev -s $_ip -j DROP
fi
done
else
msg="$msg '${given_ipv4}'"
fi
done < "${ipt_conf_dir}/ban_ipv4.list"
echo_done
if [[ -n "$msg" ]]; then
warn "Ignored:$msg"
fi
else
echo_skipped
fi
# --- # ---
# - Allow Forwarding certain private Addresses # - Allow Forwarding certain private Addresses
# --- # ---
@ -1145,7 +1348,8 @@ fi
echononl "\tAllow these local networks any access to the internet" echononl "\tAllow these local networks any access to the internet"
if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \ if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding ; then && $kernel_activate_forwarding \
&& ! $permit_local_net_to_inet ; then
for _net in ${any_access_to_inet_network_arr[@]}; do for _net in ${any_access_to_inet_network_arr[@]}; do
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
@ -1158,6 +1362,157 @@ else
fi fi
echononl "\tAllow these local networks any access from the internet"
if [[ ${#any_access_from_inet_network_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding ; then
_found=false
for _net in ${any_access_from_inet_network_arr[@]}; do
for _dev in ${ext_if_arr[@]} ; do
# - Traffic recieved on natted interfaces will be ommitted!
# -
if containsElement "$_dev" "${nat_device_arr[@]}" ; then
continue
else
_found=true
fi
$ipt -A FORWARD -i $_dev -p ALL -d $_net -m conntrack --ctstate NEW -j ACCEPT
done
done
if $_found ; then
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
# ---
# - Allow local services from given extern networks
# ---
echononl "\tAllow local services from given extern networks"
if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding ; then
_found=false
for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
if containsElement "${_val_arr[1]}" "${gateway_ipv4_address_arr[@]}" ; then
$ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
fi
# - Traffic recieved on natted interfaces will be ommitted!
# -
if containsElement "$_dev" "${nat_device_arr[@]}" ; then
continue
else
_found=true
fi
$ipt -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
done
done
if $_found ; then
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
# ---
# - Allow all traffic from extern address/network to local address/network
# ---
# - !! Note:
# - does NOT depend on settings 'permit_between_local_networks' !!
# -
echononl "\tAllow all traffic from extern to local network/address"
if [[ ${#allow_ext_net_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding ; then
_found=false
for _val in ${allow_ext_net_to_local_net_arr[@]} ; do
IFS=':' read -a _val_arr <<< "${_val}"
for _dev in ${ext_if_arr[@]} ; do
# - Traffic recieved on natted interfaces will be ommitted!
# -
if containsElement "$_dev" "${nat_device_arr[@]}" ; then
continue
else
_found=true
fi
$ipt -A FORWARD -p ALL -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
done
done
if $_found ; then
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
# ---
# - Block all extern traffic to (given) local network
# ---
echononl "\tBlock all extern traffic to (given) local network"
if [[ ${#block_all_ext_to_local_net_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding ; then
_found=false
for _net in ${block_all_ext_to_local_net_arr[@]} ; do
for _dev in ${ext_if_arr[@]} ; do
# - Traffic recieved on natted interfaces will be ommitted!
# -
if containsElement "$_dev" "${nat_device_arr[@]}" ; then
continue
else
_found=true
fi
$ipt -A FORWARD -p ALL -i $_dev -d $_net -m conntrack --ctstate NEW -j DROP
done
done
if $_found ; then
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
# --- # ---
# - Allow local services from given local networks # - Allow local services from given local networks
@ -1448,6 +1803,20 @@ fi
# - DHCP # - DHCP
# --- # ---
echononl "\t\tLocal DHCP Client"
if [[ ${#dhcp_client_interfaces_arr[@]} -gt 0 ]] ; then
for _dev in ${dhcp_client_interfaces_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp -m udp -d 255.255.255.255 --dport 67 -j ACCEPT
$ipt -A INPUT -i $_dev -p udp -m udp --dport 68 -j ACCEPT
done
echo_done
else
echo_skipped
fi
echononl "\t\tDHCP" echononl "\t\tDHCP"
if $local_dhcp_service ; then if $local_dhcp_service ; then
@ -1492,13 +1861,13 @@ echononl "\t\tDNS out only"
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
# - out from local and virtual mashine(s) # - out from local and virtual mashine(s)
$ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
#$ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
# - forward from virtual mashine(s) # - forward from virtual mashine(s)
$ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
#$ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
fi fi
done done
@ -1515,11 +1884,19 @@ echononl "\t\tDNS Service Gateway"
# - # -
if $local_dns_service ; then if $local_dns_service ; then
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
# - Allow requests from local networks # - Allow requests from local networks
# - # -
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
# - in # - in
$ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -i $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done done
# - Zonetransfere (uses tcp/53) # - Zonetransfere (uses tcp/53)
@ -1551,11 +1928,21 @@ echononl "\t\tDNS Service local Network"
# - Make nameservers at the local network area rechable for all # - Make nameservers at the local network area rechable for all
# - # -
if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
# dns requests
#
# Note:
# If the total size of the DNS record is larger than 512 bytes,
# it will be sent over TCP, not UDP.
#
for _ip in ${dns_server_ip_arr[@]} ; do for _ip in ${dns_server_ip_arr[@]} ; do
$ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done done
fi fi
done done
@ -1759,6 +2146,35 @@ else
fi fi
# ---
# - Cisco kompartibles VPN (FRITZ!Box)
# ---
echononl "\t\tCisco VPN Service (FRITZ\!Box) only out"
if $allow_cisco_vpn_out && [[ ${#cisco_vpn_out_port_arr[@]} -gt 0 ]]; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${cisco_vpn_out_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
for _vpn_if in ${vpn_if_arr[@]} ; do
$ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding ; then
$ipt -A FORWARD -o $_vpn_if -p $cisco_vpn_out_protocol -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# --- # ---
# - VPN Service only out # - VPN Service only out
# --- # ---
@ -2056,6 +2472,23 @@ else
fi fi
# ---
# - SMTP (Relay) Service Gateway
# ---
echononl "\t\tSMTP (Relay) Service Gateway (only on local network)"
if $local_smtp_service ; then
for _dev in ${local_if_arr[@]} ; do
$ipt -A INPUT -p tcp -i $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
fi
# --- # ---
# - Mail User Services smtps/pop(s)/imap(s) only out # - Mail User Services smtps/pop(s)/imap(s) only out
# --- # ---
@ -2217,10 +2650,16 @@ if $allow_ftp_request_out ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
# - Allow active FTP connections from local network
# -
#$ipt -A INPUT -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
fi fi
# - Allow active FTP connections from local network
# -
$ipt -A FORWARD -i $_dev -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
done done
echo_done echo_done
@ -3115,12 +3554,14 @@ if [[ ${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then
for _ip in ${pcns_server_ip_arr[@]} ; do for _ip in ${pcns_server_ip_arr[@]} ; do
if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then
$ipt -A OUTPUT -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
fi fi
if $kernel_activate_forwarding && ! $permit_between_local_networks ; then if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
$ipt -A FORWARD -p tcp -s $_ip -d $usv_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT
@ -3140,48 +3581,73 @@ fi
# --- # ---
# - Ubiquiti Unifi Accesspoints # - Ubiquiti Unifi Controller Gateway
# --- # ---
echononl "\t\tUbiquiti Unifi Accesspoints"
if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then
for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do echononl "\t\tUbiquiti Unifi Controller Gateway"
if $local_unifi_controller_service ; then
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $provide_hotspot ; then
$ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -i $_dev -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
fi $ipt -A INPUT -p udp -i $_dev -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
done
done done
fi echo_done
else
echo_skipped
fi
echononl "\t\tUbiquiti Unifi Controller Gateway - STUN to Unifi APs"
if $local_unifi_controller_service ; then
if [[ ${#unifi_ap_local_ip_arr[@]} -gt 0 ]] ; then
for _ip_ap in ${unifi_ap_local_ip_arr[@]} ; do
$ipt -A OUTPUT -p udp -d $_ip_ap -m multiport --sports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
done
echo_done
else
echo_skipped
warn "Local Unifi Controller is defined, but no Unifi APs!"
fi
else
echo_skipped
fi
# ---
# - Ubiquiti Unifi Controller local Network
# ---
echononl "\t\tUbiquiti Unifi Controller local Network"
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] \
&& $kernel_activate_forwarding \
&& ! $permit_between_local_networks ; then
if [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then
for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do
for _dev in ${local_if_arr[@]} ; do for _dev in ${local_if_arr[@]} ; do
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_broadcast_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $provide_hotspot ; then
$ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
fi $ipt -A FORWARD -i $_dev -p udp -d $_ip_ctl -m multiport --dports $unify_udp_ports -m conntrack --ctstate NEW -j ACCEPT
done done
# - Note: # - Note:
# - If (local) alias interfaces like eth1:0 in use, youe need a further # - If (local) alias interfaces like eth1:0 in use, youe need a further
# - special rule. # - special rule.
# - # -
if $kernel_activate_forwarding && $local_alias_interfaces ; then if $local_alias_interfaces ; then
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_tcp_ports --tcp-flag ACK ACK -j ACCEPT
if $provide_hotspot ; then
$ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
$ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT
fi
fi fi
done done
fi
echo_done echo_done
else else