Update 'Kanzlei-Kiel'.

2019-05-31 13:40:39 +02:00
parent 0d7da00786
commit d95848426f
1164 changed files with 41953 additions and 125 deletions
--- a/Kanzlei-Kiel/ipt-firewall/ban_ipv4.list
+++ b/Kanzlei-Kiel/ipt-firewall/ban_ipv4.list
@ -0,0 +1,22 @@
+# - IPv4 addresses listet here will be completly banned by the firewall
+# -
+# -    - Line beginning with '#' will be ignored.
+# -    - Blank lines will be ignored
+# -    - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# -    complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
+# -    partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
+# -    network/nn CIDR notation like 1.2.3.0/27
+# -    network/netmask notaions like 1.2.3.0/255.255.255.0
+# -    network/partial_netmask  like 1.2.3.4/255
+# -
+# - Note: 
+# -    - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
+# -
+# - Example:
+# -    79.171.81.0/24
+# -    79.171.81.0/255.255.255.0
+# -    79.171.81.0/255.255.255
+# -    79.171.81
+
--- a/Kanzlei-Kiel/ipt-firewall/interfaces_ipv4.conf
+++ b/Kanzlei-Kiel/ipt-firewall/interfaces_ipv4.conf
@ -6,7 +6,7 @@

 # - Extern Interfaces DSL Lines
 # -    (blank separated list)
-ext_if_dsl_1="ppp-ah"
+ext_if_dsl_1=""
 ext_if_dsl_2=""
 ext_if_dsl_3=""
 ext_if_dsl_4=""
--- a/Kanzlei-Kiel/ipt-firewall/load_modules_ipv4.conf
+++ b/Kanzlei-Kiel/ipt-firewall/load_modules_ipv4.conf
@ -21,7 +21,7 @@ iptable_raw

 # - Load base modules for tracking
 # -
-nf_conntrack
+nf_conntrack nf_conntrack_helper=0
 nf_nat

 # - Load module for FTP Connection tracking and NAT
--- a/Kanzlei-Kiel/ipt-firewall/main_ipv4.conf
+++ b/Kanzlei-Kiel/ipt-firewall/main_ipv4.conf
@ -252,6 +252,86 @@ allow_local_if_to_local_ip=""



+# =============
+# - Allow local ip address from given local interface
+# =============
+
+# - allow_local_if_to_local_ip
+# -
+# - All traffic from the given network interface to the given ip address is allowed
+# -
+# - Example:
+# -   allow_local_if_to_local_ip="${local_if_1}:192.168.10.1
+# -                               ${local_if_2}:192.168.10.13"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_local_ip=""
+
+
+
+# =============
+# - Allow extern service from given local interface
+# =============
+
+# - allow_local_if_to_ext_service
+# -
+# - allow_local_if_to_ext_service="<local-interface>:<extern-ip>:<ext-port>:<protocol> [.."
+# -
+# - All traffic from the given (local) network interface to the given (extern) service is allowed
+# -
+# - Example:
+# -   allow_local_if_to_ext_service="${local_if_1}:83.223.86.98:3306:tcp
+# -                                  ${local_if_2}:83.223.86.98:3306:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_ext_service="
+   ${local_if_1}:172.16.100.254:80:tcp
+"
+
+
+
+# =============
+# - Allow extern network from given local interface
+# =============
+
+# - allow_local_if_to_ext_net
+# -
+# - allow_local_if_to_ext_net="<local-interface>:ext-network> [<local-interface>:ext-network> [.."
+# -
+# - All traffic from the given (local) network interface to the given (extern) network is allowed
+# -
+# - Example:
+# -   allow_local_if_to_ext_net="${local_if_1}:83.223.86.98/32
+# -                              ${local_if_2}:83.223.86.98/32"
+# -
+# - Blank separated list
+# -
+allow_local_if_to_ext_net=""
+
+
+
+# =============
+# - Allow extern service from given local network
+# =============
+
+# - allow_local_net_to_ext_service
+# - 
+# - allow_local_net_to_ext_service="<local-net:ext-ip:port:protocol> [<local-net:ext-ip:port:protocol> [.."
+# -
+# - All traffic from the given (local) network to the given (extern) service is allowed
+# -
+# - Example:
+# -   allow_local_net_to_ext_service="192.168.63.0/24:83.223.86.98:3306:tcp
+# -                                   192.168.64.0/24:83.223.86.98:3306:tcp"
+# -
+# - Blank separated list
+# -
+allow_local_net_to_ext_service=""
+
+
+
 # =============
 # --- Separate local Networks
 # =============
@ -298,7 +378,7 @@ SIP_PORT_LOCAL=5067
 SIP_LOCAL_IP=192.168.63.240
 STUN_PORTS=3478

-TC_DEV=$ext_if_dsl_1
+TC_DEV=$ext_if_static_1



@ -473,7 +553,7 @@ http_server_only_local_ips="192.168.100.100
 # - Multiple settins of this parameter is possible
 # -
 declare -A http_server_dmz_arr
-
+#http_server_dmz_arr[192.168.100.10]=$ext_if_static_1

 # - HTTPS Services DMZ only port 443 (reachable also from WAN)
 # -
@ -573,7 +653,7 @@ ftp_server_only_local_ips=""
 # - ftp_passive_port_range=<first-port:last-port>
 # -
 declare -A ftp_server_dmz_arr
-#ftp_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1
+#ftp_server_dmz_arr[192.168.63.20]=$ext_if_static_1
 ftp_passive_port_range="50000:50400"

 # - FTP Ports
@ -830,6 +910,7 @@ remote_console_port=5900
 # - same controller machine.
 # -
 # - unifi_stun_port=3478 # UDP port used for STUN
+# -                      # Open Port from controller to Unifi APs
 # -
 # -
 # - Ubiquity Networks uses port 10001/UDP for its AirControl 
@ -858,10 +939,20 @@ unify_broadcast_udp_ports="10001,5656:5699"
 # -
 local_unifi_controller_service=true

+# - Unifi Accesspoints (AP's) controlled by UniFi controller at Gateway
+# -
+unifi_ap_local_ips="
+   192.168.100.50
+   192.168.100.51
+"
+
+
 # - UniFi Controllers on local network (other than this machine)
 # -
 unify_controller_local_net_ips=""

+
+
 # ======
 # - IPMI Tools 
 # ======
@ -870,16 +961,26 @@ unify_controller_local_net_ips=""
 # -
 # - Blank seoarated list
 # -
-ipmi_server_ips="192.168.100.11 172.16.100.15"
+ipmi_server_ips="192.168.100.11 192.168.100.15 172.16.100.15"

 # - IPMI Tools Port
 # -
-# - UDP 623:  Access IPMI Programms (as IPMIView or FreeIPMI)
-# - TCP 623:  Virtual Media for Remote Console
-# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
+# - UDP 161:   SNMP 
+# - UDP 623:   Access IPMI Programms (as IPMIView or FreeIPMI)
+# - 
+# - TCP 80:    Webinterface. 
+# - TCP 161:   SNMP 
+# - TCP 443:   Webinterface (SSL) 
+# - TCP 623:   Virtual Media for Remote Console
+# - TCP 3520:  "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
+# - TCP 5120:  CD/USB
+# - TCP 5123:  Floppy
+# - TCP 5900:  KVM over IP
+# - TCP 5901:  Video for remote console
+# - TCP 5985:  Wsman
 # -
-ipmi_udp_port=623
-ipmi_tcp_ports="623 3520"
+ipmi_udp_ports="161 623"
+ipmi_tcp_ports="80 161 443 623 3520 5120 5123 5900 5901 5985"


 # =============
@ -968,6 +1069,28 @@ tv_extern_if="eth2.8"
 tv_local_if="$local_if_1"


+# =====
+# --- Allow special TCP Ports (OUT)
+# =====
+
+# - TCP Ports
+# -
+# - Blank separated list of tcp ports
+# -
+tcp_out_ports=""
+
+
+# =====
+# --- Allow special UDP Ports (OUT)
+# =====
+
+# - UDP Ports
+# -
+# - Blank separated list udp ports
+# -
+udp_out_ports=""
+
+

 # ======
 # - Other local Services 
@ -1010,12 +1133,18 @@ nat_networks=""
 # -    masquerade_tcp_con="192.168.63.0/24:192.168.62.244:80:${local_if_1} 
 # -                        10.0.0.0/8:192.168.62.244:443:${local_if_1}"
 # -
-# -    172.16.101.1: Accesspoint TP-Link TL-WA801ND (büro zebra)
+# -    172.16.100.254:     FritzBOX! 7590
+# -    172.16.101.1:       Accesspoint TP-Link TL-WA801ND (büro zebra)
 # -
 # - Blank separated list
 # -
-masquerade_tcp_cons="192.168.63.0/24:172.16.101.1:80:${local_if_1}
-                     10.0.100.0/24:172.16.101.1:80:${local_if_1}"
+masquerade_tcp_cons="
+   192.168.100.0/24:172.16.100.254:80:${ext_if_static_1}
+   10.0.100.0/24:172.16.100.254:80:${ext_if_static_1}
+   192.168.63.0/24:172.16.100.254:80:${ext_if_static_1}
+   192.168.63.0/24:172.16.101.1:80:${local_if_1}
+   10.0.100.0/24:172.16.101.1:80:${local_if_1}
+"


 # =============
@ -1049,7 +1178,10 @@ portforward_tcp=""
 # -
 # - Blank separated list
 # -
-portforward_udp="$vpn_ifs:49909:192.168.100.101:9"
+portforward_udp="
+   $vpn_ifs:49909:192.168.100.101:9
+   $ext_if_static_1:1198:172.16.102.194:1194
+"



--- a/Kanzlei-Kiel/ipt-firewall/post_decalrations.conf
+++ b/Kanzlei-Kiel/ipt-firewall/post_decalrations.conf
@ -149,6 +149,38 @@ for _val in $allow_local_if_to_local_ip ; do
   allow_local_if_to_local_ip_arr+=("$_val")
 done

+# ---
+# - Allow extern service from given local interface
+# ---
+declare -a allow_local_if_to_ext_service_arr
+for _val in $allow_local_if_to_ext_service ; do
+   allow_local_if_to_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern network from given local interface
+# ---
+declare -a allow_local_if_to_ext_net_arr
+for _val in $allow_local_if_to_ext_net ; do
+   allow_local_if_to_ext_net_arr+=("$_val")
+done
+
+# ---
+# - Allow extern service from given local network 
+# ---
+declare -a allow_local_net_to_ext_service_arr
+for _val in $allow_local_net_to_ext_service ; do
+   allow_local_net_to_ext_service_arr+=("$_val")
+done
+
+# ---
+# - Allow extern network from given local network
+# ---
+declare -a allow_local_net_to_ext_net_arr
+for _val in $allow_local_net_to_ext_net ; do
+   allow_local_net_to_ext_net_arr+=("$_val")
+done
+
 # ---
 # - Separate local Networks
 # ---
@ -378,6 +410,24 @@ for _ip in $rsync_out_ips ; do
   rsync_out_ip_arr+=("$_ip")
 done

+# ---
+# - Special TCP Ports OUT
+# ---
+# local
+declare -a tcp_out_port_arr
+for _port in $tcp_out_ports ; do
+   tcp_out_port_arr+=("$_port")
+done
+
+# ---
+# - Special UDP Ports OUT
+# ---
+# local
+declare -a udp_out_port_arr
+for _port in $udp_out_ports ; do
+   udp_out_port_arr+=("$_port")
+done
+
 # ---
 # - Other local Services
 # ---