From f13100cf231c6027714f652b842d987348377ff0 Mon Sep 17 00:00:00 2001 
From: Christoph Date: Sun, 14 Oct 2018 00:44:52 +0200 Subject: [PATCH] Add network BLKR. --- BLKR/README.txt | 25 + BLKR/bin/admin-stuff | 1 + BLKR/bin/manage-gw-config | 1 + BLKR/bin/monitoring | 1 + BLKR/bind/bind.keys | 69 + BLKR/bind/db.0 | 12 + BLKR/bind/db.127 | 13 + BLKR/bind/db.192.168.162.0 | 28 + BLKR/bind/db.255 | 12 + BLKR/bind/db.blkr.netz | 30 + BLKR/bind/db.empty | 14 + BLKR/bind/db.local | 14 + BLKR/bind/db.root | 88 + BLKR/bind/named.conf | 11 + BLKR/bind/named.conf.default-zones | 30 + BLKR/bind/named.conf.local | 19 + BLKR/bind/named.conf.local.INSTALL | 8 + BLKR/bind/named.conf.options | 47 + BLKR/bind/named.conf.options.INSTALL | 20 + BLKR/bind/rndc.key | 4 + BLKR/bind/zones.rfc1918 | 20 + BLKR/cron_root.BLKR | 52 + BLKR/ddclient.conf.BLKR | 14 + BLKR/default_isc-dhcp-server.BLKR | 21 + BLKR/dhcpd.conf.BLKR | 137 + BLKR/hostapd.conf.BLKR | 31 + BLKR/hostname.BLKR | 1 + BLKR/hosts.BLKR | 9 + BLKR/interfaces.BLKR | 64 + BLKR/ipt-firewall.service.BLKR | 14 + BLKR/ipt-firewall/default_ports.conf | 39 + BLKR/ipt-firewall/include_functions.conf | 113 + BLKR/ipt-firewall/interfaces_ipv4.conf | 51 + BLKR/ipt-firewall/load_modules_ipv4.conf | 36 + BLKR/ipt-firewall/load_modules_ipv6.conf | 9 + BLKR/ipt-firewall/logging_ipv4.conf | 40 + BLKR/ipt-firewall/logging_ipv6.conf | 40 + BLKR/ipt-firewall/main_ipv4.conf | 1202 +++++++ BLKR/ipt-firewall/post_decalrations.conf | 454 +++ BLKR/mailname.BLKR | 1 + BLKR/main.cf.BLKR | 268 ++ BLKR/rc.local.BLKR | 18 + BLKR/resolv.conf.BLKR | 4 + BLKR/sasl_passwd.BLKR | 1 + BLKR/sasl_passwd.db.BLKR | Bin 0 -> 12288 bytes BLKR/sbin/ipt-firewall-gateway | 3695 ++++++++++++++++++++++ BLKR/src/ipt-gateway | 1 + 47 files changed, 6782 insertions(+) create mode 100644 BLKR/README.txt create mode 160000 BLKR/bin/admin-stuff create mode 160000 BLKR/bin/manage-gw-config create mode 160000 BLKR/bin/monitoring create mode 100644 BLKR/bind/bind.keys create mode 100644 BLKR/bind/db.0 create mode 100644 BLKR/bind/db.127 create mode 
100644 BLKR/bind/db.192.168.162.0 create mode 100644 BLKR/bind/db.255 create mode 100644 BLKR/bind/db.blkr.netz create mode 100644 BLKR/bind/db.empty create mode 100644 BLKR/bind/db.local create mode 100644 BLKR/bind/db.root create mode 100644 BLKR/bind/named.conf create mode 100644 BLKR/bind/named.conf.default-zones create mode 100644 BLKR/bind/named.conf.local create mode 100644 BLKR/bind/named.conf.local.INSTALL create mode 100644 BLKR/bind/named.conf.options create mode 100644 BLKR/bind/named.conf.options.INSTALL create mode 100644 BLKR/bind/rndc.key create mode 100644 BLKR/bind/zones.rfc1918 create mode 100644 BLKR/cron_root.BLKR create mode 100644 BLKR/ddclient.conf.BLKR create mode 100644 BLKR/default_isc-dhcp-server.BLKR create mode 100644 BLKR/dhcpd.conf.BLKR create mode 100644 BLKR/hostapd.conf.BLKR create mode 100644 BLKR/hostname.BLKR create mode 100644 BLKR/hosts.BLKR create mode 100644 BLKR/interfaces.BLKR create mode 100644 BLKR/ipt-firewall.service.BLKR create mode 100644 BLKR/ipt-firewall/default_ports.conf create mode 100644 BLKR/ipt-firewall/include_functions.conf create mode 100644 BLKR/ipt-firewall/interfaces_ipv4.conf create mode 100644 BLKR/ipt-firewall/load_modules_ipv4.conf create mode 100644 BLKR/ipt-firewall/load_modules_ipv6.conf create mode 100644 BLKR/ipt-firewall/logging_ipv4.conf create mode 100644 BLKR/ipt-firewall/logging_ipv6.conf create mode 100644 BLKR/ipt-firewall/main_ipv4.conf create mode 100644 BLKR/ipt-firewall/post_decalrations.conf create mode 100644 BLKR/mailname.BLKR create mode 100644 BLKR/main.cf.BLKR create mode 100755 BLKR/rc.local.BLKR create mode 100644 BLKR/resolv.conf.BLKR create mode 100644 BLKR/sasl_passwd.BLKR create mode 100644 BLKR/sasl_passwd.db.BLKR create mode 100755 BLKR/sbin/ipt-firewall-gateway create mode 160000 BLKR/src/ipt-gateway diff --git a/BLKR/README.txt b/BLKR/README.txt new file mode 100644 index 0000000..9b34211 --- /dev/null +++ b/BLKR/README.txt 
@@ -0,0 +1,25 @@ + +Notice: + You have to change some configuration files becaus the because + the configuration of network interfaces must not be equal. + + !! Take care, to use the right device names !! + Maybe they are called i.e. 'enp0sXX', but you can rename it. + See also : README.rename.netdevices + + For the backup gateway host: + eth1 --> LAN + eth2 --> WAN or ppp0 (DSL device) + + eth0 --> WLAN or second LAN or what ever + or + br0 --> WLAN or second LAN or what ever + + + So you have to change the following files + dsl-provider.ANW-KM: ppp0 comes over eth2 + interfaces.ANW-KM: see above + default_isc-dhcp-server.ANW-KM + ipt-firewall.ANW-KM: LAN device (mostly ) = eth1 + second LAN WLAN or what ever (if present) = eth0 + diff --git a/BLKR/bin/admin-stuff b/BLKR/bin/admin-stuff new file mode 160000 index 0000000..8d81bd8 --- /dev/null +++ b/BLKR/bin/admin-stuff @@ -0,0 +1 @@ +Subproject commit 8d81bd8667f74cf7f7cc1c521b52eab0e7c4b034 diff --git a/BLKR/bin/manage-gw-config b/BLKR/bin/manage-gw-config new file mode 160000 index 0000000..b5fb1f7 --- /dev/null +++ b/BLKR/bin/manage-gw-config @@ -0,0 +1 @@ +Subproject commit b5fb1f7b3a421a24388ba6b25a3e5d58591ae7fe diff --git a/BLKR/bin/monitoring b/BLKR/bin/monitoring new file mode 160000 index 0000000..f66029f --- /dev/null +++ b/BLKR/bin/monitoring @@ -0,0 +1 @@ +Subproject commit f66029fe95ffc2010b0d3e435dbebf9ef7b7f849 diff --git a/BLKR/bind/bind.keys b/BLKR/bind/bind.keys new file mode 100644 index 0000000..db22d4b --- /dev/null +++ b/BLKR/bind/bind.keys 
@@ -0,0 +1,69 @@ +# The bind.keys file is used to override the built-in DNSSEC trust anchors +# which are included as part of BIND 9. As of the current release, the only +# trust anchors it contains are those for the DNS root zone ("."), and for +# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors +# for any other zones MUST be configured elsewhere; if they are configured +# here, they will not be recognized or used by named. +# +# The built-in trust anchors are provided for convenience of configuration. +# They are not activated within named.conf unless specifically switched on. +# To use the built-in root key, set "dnssec-validation auto;" in +# named.conf options. To use the built-in DLV key, set +# "dnssec-lookaside auto;". Without these options being set, +# the keys in this file are ignored. +# +# This file is NOT expected to be user-configured. +# +# These keys are current as of Feburary 2017. If any key fails to +# initialize correctly, it may have expired. In that event you should +# replace this file with a current version. The latest version of +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. + +managed-keys { + # ISC DLV: See https://www.isc.org/solutions/dlv for details. + # + # NOTE: The ISC DLV zone is being phased out as of February 2017; + # the key will remain in place but the zone will be otherwise empty. + # Configuring "dnssec-lookaside auto;" to activate this key is + # harmless, but is no longer useful and is not recommended. + dlv.isc.org. 
initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 + brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ + 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 + ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk + Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM + QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt + TDN0YUuWrBNh"; + + # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml + # for current trust anchor information. + # + # These keys are activated by setting "dnssec-validation auto;" + # in named.conf. + # + # This key (19036) is to be phased out starting in 2017. It will + # remain in the root zone for some time after its successor key + # has been added. It will remain this file until it is removed from + # the root zone. + . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF + FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX + bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD + X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz + W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS + Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq + QxA+Uk1ihz0="; + + # This key (20326) is to be published in the root zone in 2017. + # Servers which were already using the old key (19036) should + # roll seamlessly to this new one via RFC 5011 rollover. Servers + # being set up for the first time can use the contents of this + # file as initializing keys; thereafter, the keys in the + # managed key database will be trusted and maintained + # automatically. + . 
initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; +}; diff --git a/BLKR/bind/db.0 b/BLKR/bind/db.0 new file mode 100644 index 0000000..e3aabdb --- /dev/null +++ b/BLKR/bind/db.0 @@ -0,0 +1,12 @@ +; +; BIND reverse data file for broadcast zone +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. diff --git a/BLKR/bind/db.127 b/BLKR/bind/db.127 new file mode 100644 index 0000000..cd05bef --- /dev/null +++ b/BLKR/bind/db.127 @@ -0,0 +1,13 @@ +; +; BIND reverse data file for local loopback interface +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. +1.0.0 IN PTR localhost. diff --git a/BLKR/bind/db.192.168.162.0 b/BLKR/bind/db.192.168.162.0 new file mode 100644 index 0000000..6cdacfa --- /dev/null +++ b/BLKR/bind/db.192.168.162.0 @@ -0,0 +1,28 @@ +; +; BIND reverse data file for local blkr.netz zone +; +$TTL 43600 +@ IN SOA ns.blkr.netz. ckubu.oopen.de. ( + 2018101301 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; + + IN NS ns-blkr.blkr.netz. + +; - Gateway/Firewall +254 IN PTR gw-blkr.blkr.netz. + + +; - (Caching ) Nameserver +1 IN PTR ns-blkr.blkr.netz. + + +; - Fileserver +10 IN PTR file-blkr.blkr.netz. + + +; - IPMI +15 IN PTR ipmi-file-blkr.blkr.netz. diff --git a/BLKR/bind/db.255 b/BLKR/bind/db.255 new file mode 100644 index 0000000..e3aabdb --- /dev/null +++ b/BLKR/bind/db.255 
@@ -0,0 +1,12 @@ +; +; BIND reverse data file for broadcast zone +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. diff --git a/BLKR/bind/db.blkr.netz b/BLKR/bind/db.blkr.netz new file mode 100644 index 0000000..8d768a0 --- /dev/null +++ b/BLKR/bind/db.blkr.netz @@ -0,0 +1,30 @@ +; +; BIND data file for local blkr.netz zone +; +$TTL 43600 +@ IN SOA ns.anw-blkr.netz. ckubu.oopen.de. ( + 2018101301 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; + + +@ IN NS ns-blkr.anw-blkr.netz. + +; Gateway/Firewall +gw-blkr IN A 192.168.162.254 +gate IN CNAME gw-blkr +gw IN CNAME gw-blkr + +; (Caching ) Nameserver +ns-blkr IN A 192.168.162.1 +ns IN CNAME ns-blkr +nscache IN CNAME ns-blkr +resolver IN CNAME ns-blkr + + +; - Fileserver +file-blkr IN A 192.168.162.10 +file IN CNAME file-blkr diff --git a/BLKR/bind/db.empty b/BLKR/bind/db.empty new file mode 100644 index 0000000..8a12858 --- /dev/null +++ b/BLKR/bind/db.empty @@ -0,0 +1,14 @@ +; BIND reverse data file for empty rfc1918 zone +; +; DO NOT EDIT THIS FILE - it is used for multiple zones. +; Instead, copy it, edit named.conf, and use that copy. +; +$TTL 86400 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL +; +@ IN NS localhost. diff --git a/BLKR/bind/db.local b/BLKR/bind/db.local new file mode 100644 index 0000000..2f272d4 --- /dev/null +++ b/BLKR/bind/db.local @@ -0,0 +1,14 @@ +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 2 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. +@ IN A 127.0.0.1 +@ IN AAAA ::1 diff --git a/BLKR/bind/db.root b/BLKR/bind/db.root new file mode 100644 index 0000000..6c19741 --- /dev/null 
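Review bot: The SOA MNAME and the NS record in db.blkr.netz (`ns.anw-blkr.netz.`, `ns-blkr.anw-blkr.netz.`) name a server in a different zone, while the reverse zone db.192.168.162.0 in the same commit uses `ns-blkr.blkr.netz.`, so the forward zone's only NS target is a name this server is never authoritative for; this looks like a copy from another network's config. Suggest `@ IN SOA ns-blkr.blkr.netz. ckubu.oopen.de. (` and `@ IN NS ns-blkr.blkr.netz.`, pointing at the A record rather than the `ns` CNAME, since NS targets must not be CNAMEs. Bump the serial when making the change so a secondary, if one is ever added, picks it up.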
+++ b/BLKR/bind/db.root 
@@ -0,0 +1,88 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: Jan 3, 2013 +; related version of root zone: 2013010300 +; +; formerly NS.INTERNIC.NET +; +. 3600000 IN NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 
3600000 AAAA 2001:7FD::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35 +; End of File diff --git a/BLKR/bind/named.conf b/BLKR/bind/named.conf new file mode 100644 index 0000000..880786a --- /dev/null +++ b/BLKR/bind/named.conf @@ -0,0 +1,11 @@ +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +include "/etc/bind/named.conf.options"; +include "/etc/bind/named.conf.local"; +include "/etc/bind/named.conf.default-zones"; diff --git a/BLKR/bind/named.conf.default-zones b/BLKR/bind/named.conf.default-zones new file mode 100644 index 0000000..355338b --- /dev/null +++ b/BLKR/bind/named.conf.default-zones @@ -0,0 +1,30 @@ +// prime the server with knowledge of the root servers +zone "." { + type hint; + file "/etc/bind/db.root"; +}; + +// be authoritative for the localhost forward and reverse zones, and for +// broadcast zones as per RFC 1912 + +zone "localhost" { + type master; + file "/etc/bind/db.local"; +}; + +zone "127.in-addr.arpa" { + type master; + file "/etc/bind/db.127"; +}; + +zone "0.in-addr.arpa" { + type master; + file "/etc/bind/db.0"; +}; + +zone "255.in-addr.arpa" { + type master; + file "/etc/bind/db.255"; +}; + + diff --git a/BLKR/bind/named.conf.local b/BLKR/bind/named.conf.local new file mode 100644 index 0000000..1caa6da --- /dev/null +++ b/BLKR/bind/named.conf.local 
@@ -0,0 +1,19 @@ +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + + +zone "blkr.netz" { + type master; + file "/etc/bind/db.blkr.netz"; +}; + +zone "162.168.192.in-addr.arpa" { + type master; + file "/etc/bind/db.192.168.162.0"; +}; + diff --git a/BLKR/bind/named.conf.local.INSTALL b/BLKR/bind/named.conf.local.INSTALL new file mode 100644 index 0000000..7a57b10 --- /dev/null +++ b/BLKR/bind/named.conf.local.INSTALL @@ -0,0 +1,8 @@ +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + diff --git a/BLKR/bind/named.conf.options b/BLKR/bind/named.conf.options new file mode 100644 index 0000000..54ca136 --- /dev/null +++ b/BLKR/bind/named.conf.options 
@@ -0,0 +1,47 @@ +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + // forwarders { + // 0.0.0.0; + // }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation auto; + + auth-nxdomain no; # conform to RFC1035 + + // Security options + listen-on port 53 { + 127.0.0.1; + 192.168.162.1; + }; + allow-query { + 127.0.0.1; + 172.16.0.0/12; + 192.168.0.0/16; + 10.0.0.0/8; + }; + allow-recursion { + 127.0.0.1; + 172.16.0.0/12; + 192.168.0.0/16; + 10.0.0.0/16; + }; + allow-transfer { none; }; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; +}; + diff --git a/BLKR/bind/named.conf.options.INSTALL b/BLKR/bind/named.conf.options.INSTALL new file mode 100644 index 0000000..af79758 --- /dev/null +++ b/BLKR/bind/named.conf.options.INSTALL 
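Review bot: `allow-recursion` lists `10.0.0.0/16` where `allow-query` lists `10.0.0.0/8`, so hosts in 10.1.0.0 and above can query but are refused recursion; one of the two is probably a typo and they should match. `auth-nxdomain no;` appears twice in the block, and `listen-on-v6 { any; };` binds every IPv6 address even though neither ACL contains an IPv6 prefix, so no v6 client is ever served — either add `::1;` (and the LAN's ULA/GUA prefix) to the ACLs or set `listen-on-v6 { none; };`. Also, `listen-on` names 192.168.162.1, but interfaces.BLKR in this commit gives the gateway only 192.168.162.254 and 192.168.162.53; unless another host or alias holds .1, named will not listen on the LAN at all and the `ns-blkr` A record hands clients an address nobody answers on.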
@@ -0,0 +1,20 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+};
+
diff --git a/BLKR/bind/rndc.key b/BLKR/bind/rndc.key
new file mode 100644
index 0000000..48256d5
--- /dev/null
+++ b/BLKR/bind/rndc.key
@@ -0,0 +1,4 @@
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "p8uEoosC6vrcRj73ribYKg==";
+};
diff --git a/BLKR/bind/zones.rfc1918 b/BLKR/bind/zones.rfc1918
new file mode 100644
index 0000000..03b5546
--- /dev/null
+++ b/BLKR/bind/zones.rfc1918
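Review bot: rndc.key commits the live control-channel secret to version control, and the key uses `hmac-md5`; once this history is shared the key must be treated as compromised. Regenerate it on the host with `rndc-confgen -a -A hmac-sha256` (mode 0640, owned root:bind), keep the real file out of the repository, and store only a placeholder such as `secret "<GENERATED-AT-INSTALL>";` here. rndc normally listens on 127.0.0.1 only, which limits the blast radius but does not remove it for anyone with local access.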
@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
diff --git a/BLKR/cron_root.BLKR b/BLKR/cron_root.BLKR
new file mode 100644
index 0000000..5f9c67e
--- /dev/null
+++ b/BLKR/cron_root.BLKR
@@ -0,0 +1,52 @@ +# DO NOT EDIT THIS FILE - edit the master and reinstall. +# (/tmp/crontab.kbCNiX/crontab installed on Mon Apr 10 18:45:46 2017) +# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $) +# Edit this file to introduce tasks to be run by cron. +# +# Each task to run has to be defined through a single line +# indicating with different fields when the task will be run +# and what command to run for the task +# +# To define the time you can provide concrete values for +# minute (m), hour (h), day of month (dom), month (mon), +# and day of week (dow) or use '*' in these fields (for 'any').# +# Notice that tasks will be started based on the cron's system +# daemon's notion of time and timezones. +# +# Output of the crontab jobs (including errors) is sent through +# email to the user the crontab file belongs to (unless redirected). +# +# For example, you can run a backup of all your user accounts +# at 5 a.m every week with: +# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/ +# +# For more information see the manual pages of crontab(5) and cron(8) +# +# m h dom mon dow command +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +## adjust system time +## +#23 0-23/4 * * * /usr/sbin/ntpdate ptbtime2.ptb.de > /dev/null + +## check forwarding ( /proc/sys/net/ipv4/ip_forward contains "1" ) +## if not set this entry to "1" +## +0-59/2 * * * * /root/bin/monitoring/check_forwarding.sh + +## check if pppd is running and internet access works. if +## not restart it +## +#1-59/10 * * * * /root/bin/check_inet.sh + + +1-59/10 * * * * /root/bin/monitoring/check_dns.sh + +## check if openvpn is running if not restart the service +## +#0-59/30 * * * * /root/bin/monitoring/check_vpn.sh + + +## - copy gateway configuration +## - +13 4 * * * /root/bin/manage-gw-config/copy_gateway-config.sh BLKR diff --git a/BLKR/ddclient.conf.BLKR b/BLKR/ddclient.conf.BLKR new file mode 100644 index 0000000..667f495 --- /dev/null 
+++ b/BLKR/ddclient.conf.BLKR @@ -0,0 +1,14 @@ +# Configuration file for ddclient generated by debconf +# +# /etc/ddclient.conf + +protocol=dyndns2 +use=web, web=checkip.dyndns.com/, web-skip='IP Address' +server=members.dyndns.org +login=ckubu +password=7213b4e6178a11e6ab1362f831f6741e +blkr.homelinux.org + +ssl=yes +mail=root +mail-failure=root diff --git a/BLKR/default_isc-dhcp-server.BLKR b/BLKR/default_isc-dhcp-server.BLKR new file mode 100644 index 0000000..bd84f94 --- /dev/null +++ b/BLKR/default_isc-dhcp-server.BLKR @@ -0,0 +1,21 @@ +# Defaults for isc-dhcp-server initscript +# sourced by /etc/init.d/isc-dhcp-server +# installed at /etc/default/isc-dhcp-server by the maintainer scripts + +# +# This is a POSIX shell fragment +# + +# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). +#DHCPD_CONF=/etc/dhcp/dhcpd.conf + +# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). +#DHCPD_PID=/var/run/dhcpd.pid + +# Additional options to start dhcpd with. +# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead +#OPTIONS="" + +# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? +# Separate multiple interfaces with spaces, e.g. "eth0 eth1". +INTERFACESv4="eth1" diff --git a/BLKR/dhcpd.conf.BLKR b/BLKR/dhcpd.conf.BLKR new file mode 100644 index 0000000..8f9d379 --- /dev/null +++ b/BLKR/dhcpd.conf.BLKR 
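Review bot: ddclient.conf.BLKR commits a working account credential (`login=ckubu` together with the `password=` line) for the dynamic-DNS provider, so anyone with read access to this repository or its history can repoint the `blkr.homelinux.org` name. Rotate that credential at the provider now, and ship this file as a template with `password=<SET-AT-INSTALL>` that the install step fills in and writes with mode 0600. The same review applies to sasl_passwd.BLKR in this commit's diffstat, which is outside the visible hunks.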
@@ -0,0 +1,137 @@ +# +# Sample configuration file for ISC dhcpd for Debian +# +# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $ +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +option subnet-mask 255.255.255.0; +option broadcast-address 192.168.162.255; + +option domain-name "blkr.netz"; +option domain-name-servers ns.blkr.netz; + +option routers 192.168.162.254; + +default-lease-time 43200; +max-lease-time 86400; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility local7; + +# No service will be given on this subnet, but declaring it helps the +# DHCP server to understand the network topology. 
+ +subnet 192.168.162.0 netmask 255.255.255.0 { + # --- 192.168.22.160/27 --- + # network address....: 192.168.22.160 + # Broadcast address..: 192.168.22.191 + # netmask............: 255.255.255.224 + # network range......: 192.168.22.160 - 192.168.22.191 + # Usable range.......: 192.168.22.161 - 192.168.22.190 + range 192.168.162.161 192.168.162.190; + option domain-name "blkr.netz"; + option subnet-mask 255.255.255.0; + option broadcast-address 192.168.162.255; + option domain-name-servers ns.blkr.netz; + option routers 192.168.162.254; + default-lease-time 43200; + max-lease-time 86400; +} + +host file-blkr { + hardware ethernet ac:1f:6b:94:81:96; + fixed-address file-blkr.blkr.netz ; +} + +## host siemens_gigaset_515 { +## hardware ethernet 00:01:E3:08:4A:75 ; +## fixed-address siemens_gigaset_515.opp.local ; +## } + +# This is a very basic subnet declaration. + +#subnet 10.254.239.0 netmask 255.255.255.224 { +# range 10.254.239.10 10.254.239.20; +# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; +#} + +# This declaration allows BOOTP clients to get dynamic addresses, +# which we don't really recommend. + +#subnet 10.254.239.32 netmask 255.255.255.224 { +# range dynamic-bootp 10.254.239.40 10.254.239.60; +# option broadcast-address 10.254.239.31; +# option routers rtr-239-32-1.example.org; +#} + +# A slightly different configuration for an internal subnet. +#subnet 10.5.5.0 netmask 255.255.255.224 { +# range 10.5.5.26 10.5.5.30; +# option domain-name-servers ns1.internal.example.org; +# option domain-name "internal.example.org"; +# option routers 10.5.5.1; +# option broadcast-address 10.5.5.31; +# default-lease-time 600; +# max-lease-time 7200; +#} + +# Hosts which require special configuration options can be listed in +# host statements. If no address is specified, the address will be +# allocated dynamically (if possible), but the host-specific information +# will still come from the host declaration. 
+ +#host passacaglia { +# hardware ethernet 0:0:c0:5d:bd:95; +# filename "vmunix.passacaglia"; +# server-name "toccata.fugue.com"; +#} + +# Fixed IP addresses can also be specified for hosts. These addresses +# should not also be listed as being available for dynamic assignment. +# Hosts for which fixed IP addresses have been specified can boot using +# BOOTP or DHCP. Hosts for which no fixed address is specified can only +# be booted with DHCP, unless there is an address range on the subnet +# to which a BOOTP client is connected which has the dynamic-bootp flag +# set. +#host fantasia { +# hardware ethernet 08:00:07:26:c0:a5; +# fixed-address fantasia.fugue.com; +#} + +# You can declare a class of clients and then do address allocation +# based on that. The example below shows a case where all clients +# in a certain class get addresses on the 10.17.224/24 subnet, and all +# other clients get addresses on the 10.0.29/24 subnet. + +#class "foo" { +# match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; +#} + +#shared-network 224-29 { +# subnet 10.17.224.0 netmask 255.255.255.0 { +# option routers rtr-224.example.org; +# } +# subnet 10.0.29.0 netmask 255.255.255.0 { +# option routers rtr-29.example.org; +# } +# pool { +# allow members of "foo"; +# range 10.17.224.10 10.17.224.250; +# } +# pool { +# deny members of "foo"; +# range 10.0.29.10 10.0.29.230; +# } +#} diff --git a/BLKR/hostapd.conf.BLKR b/BLKR/hostapd.conf.BLKR new file mode 100644 index 0000000..5cb61ed --- /dev/null +++ b/BLKR/hostapd.conf.BLKR 
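Review bot: The comment block inside the `subnet 192.168.162.0` declaration describes 192.168.22.160/27 (network, broadcast, usable range) while the declaration itself serves `range 192.168.162.161 192.168.162.190;` in a /24, so the comments are stale and actively misleading; either drop them or rewrite them for 192.168.162.161–190. `fixed-address file-blkr.blkr.netz ;` and `option domain-name-servers ns.blkr.netz;` are resolved when dhcpd parses its config, which makes dhcpd's start depend on named already answering for blkr.netz; the literal values `fixed-address 192.168.162.10;` and `option domain-name-servers 192.168.162.1;` (matching db.blkr.netz in this commit) remove that ordering dependency. The enclosing hunk starts at the dhcpd.conf.BLKR header two lines above.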
@@ -0,0 +1,31 @@ +interface=wlan0 +bridge=br0 +ssid=Alix-WLAN-OOPEN +driver=nl80211 + +## - D-LINK DWA-552 +## - MicroTIK RouterBOARD R52n-M +## - +#wme_enabled=1 +#ieee80211n=1 +#ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40] + +## - Linksys WMP600N +## - +#wme_enabled=1 +#ieee80211n=1 +#ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC12] + +channel=4 +hw_mode=g +ignore_broadcast_ssid=0 +auth_algs=1 +macaddr_acl=0 +wpa=2 +wpa_key_mgmt=WPA-PSK +wpa_passphrase=WoAuchImmer +wpa_pairwise=TKIP +rsn_pairwise=CCMP +wpa_group_rekey=600 +ctrl_interface=/var/run/hostapd + diff --git a/BLKR/hostname.BLKR b/BLKR/hostname.BLKR new file mode 100644 index 0000000..bca6e9b --- /dev/null +++ b/BLKR/hostname.BLKR @@ -0,0 +1 @@ +gw-blkr diff --git a/BLKR/hosts.BLKR b/BLKR/hosts.BLKR new file mode 100644 index 0000000..a39432a --- /dev/null +++ b/BLKR/hosts.BLKR @@ -0,0 +1,9 @@ +127.0.0.1 localhost +127.0.1.1 gw-blkr.blkr.netz gw-blkr + +# The following lines are desirable for IPv6 capable hosts +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/BLKR/interfaces.BLKR b/BLKR/interfaces.BLKR new file mode 100644 index 0000000..a6ee7db --- /dev/null +++ b/BLKR/interfaces.BLKR 
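Review bot: `wpa_passphrase=WoAuchImmer` is a dictionary-grade placeholder ("whatever") committed to the repository, which is the one secret that protects the bridged br0/LAN segment from anyone in radio range; replace it with a long random passphrase kept out of VCS, e.g. via `wpa_psk_file=/etc/hostapd/hostapd.wpa_psk` with a placeholder here. `ssid=Alix-WLAN-OOPEN` also looks carried over from a different host and should be checked. `wpa_pairwise=TKIP` appears to be inert with `wpa=2` (it governs WPA1 only, while `rsn_pairwise=CCMP` is what applies), so removing it would avoid the impression that TKIP is negotiable.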
@@ -0,0 +1,64 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+
+#-----------------------------
+# lo - loopback interface
+#-----------------------------
+auto lo
+iface lo inet loopback
+
+
+
+#-----------------------------
+# eth2 - WAN
+#-----------------------------
+
+auto eth2
+iface eth2 inet static
+ address 172.16.162.254
+ network 172.16.162.0
+ netmask 255.255.255.0
+ broadcast 172.16.162.255
+ gateway 172.16.162.1
+ dns-nameservers 127.0.0.1
+ dns-search anw-km.netz
+
+
+#-----------------------------
+# eth1 - LAN
+#-----------------------------
+
+auto eth1
+iface eth1 inet static
+ address 192.168.162.254
+ network 192.168.162.0
+ netmask 255.255.255.0
+ broadcast 192.168.162.255
+
+auto eth1:0
+iface eth1:0 inet static
+ address 192.168.162.53
+ network 192.168.162.0
+ netmask 255.255.255.0
+ broadcast 192.168.162.255
+
+
+
+#-----------------------------
+# br0 (bind eth0 + wlan0) - WAN
+#-----------------------------
+
+auto br0
+iface br0 inet static
+ address 192.168.163.254
+ network 192.168.163.0
+ netmask 255.255.255.0
+ broadcast 192.168.163.255
+ bridge_ports eth0 wlan0
+ bridge_stp off
+ bridge_maxwait 1
+
+iface eth0 inet manual
+iface wlan0 inet manual
+
diff --git a/BLKR/ipt-firewall.service.BLKR b/BLKR/ipt-firewall.service.BLKR
new file mode 100644
index 0000000..9842090
--- /dev/null
+++ b/BLKR/ipt-firewall.service.BLKR
@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Firewall with iptables
+After=network.target
+
+[Service]
+SyslogIdentifier="ipt-gateway"
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ipt-firewall-gateway start
+ExecStop=/usr/local/sbin/ipt-firewall-gateway stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/BLKR/ipt-firewall/default_ports.conf b/BLKR/ipt-firewall/default_ports.conf
new file mode 100644
index 0000000..0191f18
--- /dev/null
+++ b/BLKR/ipt-firewall/default_ports.conf
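Review bot: `dns-search anw-km.netz` under eth2 is a leftover from another network; this host's own zone, hostname and DHCP domain in the same commit are all `blkr.netz`, so the line should read `dns-search blkr.netz` (or be dropped, since resolv.conf.BLKR is installed separately). The `br0 (bind eth0 + wlan0) - WAN` comment contradicts the README in this commit, which describes eth0/br0 as the WLAN or second LAN segment, and the firewall rules will be written against that role, so the comment should say what the bridge actually is. The header still names eth2 as WAN with a static 172.16.162.0/24 upstream, which matches the README's note that device names must be checked per host.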
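Review bot: `After=network.target` orders the firewall to load only once the network is already up, leaving a window at boot in which the interfaces carry traffic with whatever the kernel's default policy is before any rule is installed; systemd's documented hook for firewalls is the pre-network target, i.e. `DefaultDependencies=no`, `Wants=network-pre.target`, `Before=network-pre.target` in `[Unit]`. `SyslogIdentifier="ipt-gateway"` probably keeps the quote characters literally, since systemd strips quotes only in settings that parse command lines; `SyslogIdentifier=ipt-gateway` is the safe form. `User=root` is the default for system services and can be dropped.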
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Ports for Services out
+# =============
+
+standard_ident_port=113
+standard_silc_port=706
+standard_irc_port=6667
+standard_jabber_port=5222
+standard_smtp_port=25
+standard_ssh_port=22
+standard_http_port=80
+standard_https_port=443
+standard_ftp_port=21
+standard_tftp_udp_port=69
+standard_ntp_port=123
+standard_snmp_port=161
+standard_snmp_trap_port=162
+standard_timeserver_port=37
+standard_pgp_keyserver_port=11371
+standard_telnet_port=23
+standard_whois_port=43
+standard_cpan_wait_port=1404
+standard_xymon_port=1984
+standard_hbci_port=3000
+standard_mysql_port=3306
+standard_ipp_port=631
+standard_cups_port=$standard_ipp_port
+standard_print_raw_port=515
+standard_print_port=9100
+standard_remote_console_port=5900
+
+
+# - Comma separated lists
+# -
+standard_http_ports="80,443"
+standard_mailuser_ports="587,465,110,995,143,993"
+
diff --git a/BLKR/ipt-firewall/include_functions.conf b/BLKR/ipt-firewall/include_functions.conf
new file mode 100644
index 0000000..9bb5205
--- /dev/null
+++ b/BLKR/ipt-firewall/include_functions.conf
@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Some functions
+# =============
+
+# - Is this script running on terminal ?
+# -
+if [[ -t 1 ]] ; then
+ terminal=true
+else
+ terminal=false
+fi
+
+echononl(){
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+}
+echo_done() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[32mdone\033[m ]"
+ else
+ echo " [ done ]"
+ fi
+}
+echo_ok() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[32mok\033[m ]"
+ else
+ echo " [ ok ]"
+ fi
+}
+echo_warning() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
+ else
+ echo " [ warning ]"
+ fi
+}
+echo_failed(){
+ if $terminal ; then
+ echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
+ else
+ echo ' [ failed! ]'
+ fi
+}
+echo_skipped() {
+ if $terminal ; then
+ echo -e "\033[75G[ \033[37mskipped\033[m ]"
+ else
+ echo " [ skipped ]"
+ fi
+}
+
+
+fatal (){
+ echo ""
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[31m\033[1mFatal\033[m ]: \033[37m\033[1m$*\033[m"
+ echo ""
+ echo -e "\t\033[31m\033[1m Firewall Script will be interrupted..\033[m\033[m"
+ else
+ echo "fatal: $*"
+ echo "Firewall Script will be interrupted.."
+ fi
+ echo ""
+ exit 1
+}
+
+error(){
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+ else
+ echo "Error: $*"
+ fi
+ echo ""
+}
+
+warn (){
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+ else
+ echo "Warning: $*"
+ fi
+ echo ""
+}
+
+info (){
+ echo ""
+ if $terminal ; then
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ else
+ echo "Info: $*"
+ fi
+ echo ""
+}
+
+## - Check if a given array (parameter 2) contains a given string (parameter 1)
+## -
+containsElement () {
+ local e
+ for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+ return 1
+}
+
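Review bot: `echononl` writes to the predictable path `/tmp/shprompt$$` as root and reads it back, a classic symlink/TOCTOU pattern in a world-writable directory; the test it performs (whether `echo` honours `\c`) is also moot under `#!/usr/bin/env bash`, whose builtin echo never does. Replace the whole function with `echononl(){ printf '%b' "$*" >&2; }`, which gives the same backslash handling as `echo -e -n` without touching /tmp. The other helpers (`error`, `warn`, `info`, `fatal`) print diagnostics to stdout; sending them to stderr with `>&2` keeps them out of captured command output when the firewall script is run from systemd or cron.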
diff --git a/BLKR/ipt-firewall/interfaces_ipv4.conf b/BLKR/ipt-firewall/interfaces_ipv4.conf
new file mode 100644
index 0000000..6f7f5ca
--- /dev/null
+++ b/BLKR/ipt-firewall/interfaces_ipv4.conf
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Define Network Interfaces / Ip-Adresses / Ports
+# =============
+
+# - Extern Interfaces DSL Lines
+# - (blank separated list)
+ext_if_dsl_1=""
+ext_if_dsl_2=""
+ext_if_dsl_3=""
+ext_if_dsl_4=""
+
+ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"
+
+# - Extern Interfaces Static Lines
+# - (blank separated list)
+ext_if_static_1="eth2"
+ext_if_static_2=""
+ext_if_static_3=""
+
+ext_ifs_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"
+
+# - VPN Interfaces
+# - (blank separated list)
+vpn_ifs="tun+"
+
+# - Local Interfaces
+local_if_1="eth1"
+local_if_2="br0"
+local_if_3=""
+local_if_4=""
+local_if_5=""
+local_if_6=""
+local_if_7=""
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
+# - Are local alias interfaces like eth0:0 defined"
+# -
+local_alias_interfaces=true
diff --git a/BLKR/ipt-firewall/load_modules_ipv4.conf b/BLKR/ipt-firewall/load_modules_ipv4.conf
new file mode 100644
index 0000000..bc383f0
--- /dev/null
+++ b/BLKR/ipt-firewall/load_modules_ipv4.conf
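Review bot: `local_ifs=` is assigned twice with the identical value; drop the second copy so a future edit to one of them cannot be silently overridden by the other. Separately, with every `ext_if_dsl_n` empty and `nat_devices=""`, `nat_device_arr` in post_decalrations.conf stays empty (it is only seeded from `ext_ifs_dsl` and `nat_devices`), so the 192.168.162/163 clients behind eth2 are not masqueraded; that is fine only if the 172.16.162.1 upstream routes those prefixes back, otherwise set `nat_devices="$ext_if_static_1"`. Worth confirming which of the two is intended and recording it in the comment above `nat_devices`.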
@@ -0,0 +1,36 @@
+# =============
+# - Load Kernel Modules
+# =============
+
+# - Note:!
+# - Since Kernel 4.7 the automatic conntrack helper assignment
+# - is disabled by default (net.netfilter.nf_conntrack_helper = 0).
+# - Enable it by setting this variable in file /etc/sysctl.conf:
+# -
+# - net.netfilter.nf_conntrack_helper = 1
+# -
+# - Reboot or type "sysctl -p"
+
+
+ip_tables
+
+iptable_nat
+iptable_filter
+iptable_mangle
+iptable_raw
+
+# - Load base modules for tracking
+# -
+nf_conntrack
+nf_nat
+
+# - Load module for FTP Connection tracking and NAT
+# -
+nf_conntrack_ftp
+nf_nat_ftp
+
+# - Load modules for SIP VOIP
+# -
+nf_conntrack_sip
+nf_nat_sip
+
diff --git a/BLKR/ipt-firewall/load_modules_ipv6.conf b/BLKR/ipt-firewall/load_modules_ipv6.conf
new file mode 100644
index 0000000..2c55689
--- /dev/null
+++ b/BLKR/ipt-firewall/load_modules_ipv6.conf
@@ -0,0 +1,9 @@
+# =============
+# - Load Kernel Modules
+# =============
+
+ip6_tables
+ip6table_filter
+ip6t_REJECT
+
+ip6table_mangle
diff --git a/BLKR/ipt-firewall/logging_ipv4.conf b/BLKR/ipt-firewall/logging_ipv4.conf
new file mode 100644
index 0000000..90f9606
--- /dev/null
+++ b/BLKR/ipt-firewall/logging_ipv4.conf
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv4:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""
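Review bot: The header comment tells the operator to set `net.netfilter.nf_conntrack_helper = 1`, which re-enables the automatic helper assignment the kernel turned off in 4.7 precisely because it is unsafe: with it on, any flow to the helper's default port on any host is parsed by nf_conntrack_ftp / nf_nat_sip, and a LAN client (or malware on it) can use the ALG to create RELATED expectations that open inbound pinholes through the gateway. Keep the sysctl at 0 and attach helpers explicitly in the raw table for the hosts that need them, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`; I'd rewrite the comment to recommend that instead of the sysctl. Loading `nf_conntrack_sip`/`nf_nat_sip` unconditionally also adds a SIP ALG that commonly mangles VoIP registrations; presumably the tele_sys rules in main_ipv4.conf rely on it, so confirm before dropping those two lines.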
diff --git a/BLKR/ipt-firewall/logging_ipv6.conf b/BLKR/ipt-firewall/logging_ipv6.conf
new file mode 100644
index 0000000..a024215
--- /dev/null
+++ b/BLKR/ipt-firewall/logging_ipv6.conf
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# =============
+# --- Logging
+# =============
+
+log_all=false
+
+log_syn_flood=false
+log_fragments=false
+log_new_not_sync=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_prohibited=false
+log_voip=false
+log_rejected=false
+
+log_ssh=false
+
+# - Log using the specified syslog level. 7 (debug) is a good choice
+# - unless you specifically need something else.
+# -
+log_level=debug
+
+# - logging messages
+# -
+log_prefix="IPv6:"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+log_ips=""
diff --git a/BLKR/ipt-firewall/main_ipv4.conf b/BLKR/ipt-firewall/main_ipv4.conf
new file mode 100644
index 0000000..887f116
--- /dev/null
+++ b/BLKR/ipt-firewall/main_ipv4.conf
@@ -0,0 +1,1202 @@ +#!/usr/bin/env bash + +## --------------------------------------------------------- +## --- Main Configurations Ipv4 Firewall Script ipt-firewall +## --------------------------------------------------------- + +# --- +# - IPv4 Addresses Gateway +# --- +declare -a gateway_ipv4_address_arr +read -a gateway_ipv4_address_arr <<<$(ifconfig | grep "inet Ad" | awk '{print$2}' | cut -d':' -f2) + + +# ============= +# --- Interfaces completly blocked +# ============= + +# - Interfaces to block (note: they will all be blocked) +# - +# - For Example: eth1 is used for DSL Line, that becomes an extra +# - interface (ppp-light). A further use of eth1 (which would +# - be possible) is not configured at time, so you can block it. +# - +blocked_ifs="" + + + +# ============= +# --- Interfaces not firewalled +# ============= + +# - Note: +# - Can be (for example) an interface, whose (complete) traffic is +# - protected by a firewall on an other system in the local area +# - +# - Here: the static line castle stockhausen +# - +unprotected_ifs="" + + + +# ============= +# --- Networks not firewalled through extern interfaces +# ============= + +# - Allow these networks any access to the internet. +# - +# - Blank separated list of networks +# - +any_access_to_inet_networks="" + + + +# ============= +# - Allow local services from given local networks +# ============= + +# - allow_local_net_to_local_service +# - +# - allow_local_net_to_local_service="local-net:local-service:port:protocol" +# - +# - Only 'tcp' and 'udp' are allowed valuse for protocol. +# - +# - Use this parameter to (only) give some local netwoks access to special local +# - services (but not for all local networks as you can configure later). +# - +# - If you plan to separate local networks (see parameter 'separate_local_networks'), but +# - to allow these networks some special local services, you can also use this parameter. 
+# - +# - Example: +# - allow access from 10.113.0.0/16 to https service at 192.168.10.1 +# - allow access from 10.113.0.0/16 to https service at 192.168.10.13 +# - +# - allow_local_net_to_local_service="10.113.0.0/16:192.168.10.1:$standard_https_port:tcp +# - 10.113.0.0/16192.168.10.13:$standard_https_port:tcp" +# - +# - Blank separated list +# - +allow_local_net_to_local_service="" + + + +# ============= +# - Allow all traffic from local network to local ip-address +# ============= + +# - allow_local_net_to_local_ip +# - +# - allow_local_net_to_local_ip=": [:] [..]" +# - +# - All traffic from the given network to the given ip address is allowed +# - +# - Example: +# - allow_local_net_to_local_ip="10.113.0.0/16:192.168.10.1 +# - 10.113.0.0/16:192.168.10.13" +# - +# - Blank separated list +# - +allow_local_net_to_local_ip="" + + + +# ============= +# - Allow all traffic from local ip-address to local network +# ============= + +# - allow_local_ip_to_local_net +# - +# - allow_local_ip_to_local_net=": [:] [..]" +# - +# - All traffic from the given ip address to the given network is allowed +# - +# - Example: +# - allow_local_ip_to_local_net="192.168.10.9:10.10.10.0/24 +# - 192.168.10.16:10.10.10.0/24" +# - +# - Blank separated list +# - +allow_local_ip_to_local_net="" + + + +# ============= +# - Allow all traffic from (one) local network to (another) local network +# ============= + +# - allow_local_net_to_local_net +# - +# - allow_local_net_to_local_net=": [:] [..]" +# - +# - All traffic from the given first network to the given second network is allowed +# - +# - Notice: +# - If you want allow both directions, you have to make two entries - one for evry directions. 
+# - +# - Example: +# - allow_local_net_to_local_net="192.168.11.0/24:10.10.11.0/24 +# - 192.168.78.0/24:10.10.11.0/24" +# - +# - Blank separated list +# - +allow_local_net_to_local_net="" + + + +# ============= +# - Allow local ip address from given local interface +# ============= + +# - allow_local_if_to_local_ip +# - +# - All traffic from the given network interface to the given ip address is allowed +# - +# - Example: +# - allow_local_if_to_local_ip="${local_if_1}:192.168.10.1 +# - ${local_if_2}:192.168.10.13" +# - +# - Blank separated list +# - +allow_local_if_to_local_ip="" + + + +# ============= +# --- Separate local Networks +# ============= + +# - Don't allow these networks any connections to other local networks +# - +# - Example: +# - separate_local_networks="10.113.1.0/24 10.113.2.0/24" +# - +# - Blank separated list +# - +separate_local_networks="" + + + +# ============= +# --- Separate local Interfaces +# ============= + +# - Don't allow these networks any connections to other local networks +# - +# - Example: +# - separate_local_networks="$local_if_1 $local_if_2" +# - +separate_local_ifs="" + + + +# ============= +# --- Traffic Shaping +# ============= + +TRAFFIC_SHAPING=false + +RATE_UP=10000 +LIMIT_UP=$(expr $RATE_UP / 100 \* 85) + +LIMIT_CLASS=$(expr $LIMIT_UP / 7) + +RTP_PORTS_START=49152 +RTP_PORTS_END=49408 +SIP_PORT_REMOTE=5060 +SIP_PORT_LOCAL=5067 +SIP_LOCAL_IP=192.168.63.240 +STUN_PORTS=3478 + +TC_DEV=$ext_if_dsl_1 + + + +# ============= +# ---- Allow Forwarding (private) IPs / IP-Ranges +# ============= + +# - Maybe useful in case of virtual hosts with private addresses or +# - if using a vpn network to forward into private areas. +# - +# - Note: this rules takes affect before rules to protect against +# - unwanted packages e.g. blocking private addresses on +# - externel interfaces. 
+# - +# - Note: you can specify networks using CIDR notation +# - like "192.168.2.0/24" +# - +forward_private_ips="" + + + +# ============= +# --- Services local machine / local networksa +# ============= + +# ====== +# - IPv6 over IPv4 (SixXS) +# ====== + +local_sixxs_service=false +tic_server=tic.sixxs.net +six_pop_server=deham01.sixxs.net + + +# ====== +# - VPN Service +# ====== + +# - VPN Service on Gateway? +# - +local_vpn_service=true +vpn_gw_ports="1194 1195 1196" + +# - VPN Services DMZ (reachable also from WAN) +# - +# - vpn_server_dmz_arr=[]= +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - vpn_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 +# - vpn_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 +# - +# - Multiple settins of this parameter is possible +# - +declare -A vpn_server_dmz_arr + +# - Local VPN Ports +# - +# - Blank separated list +# - +vpn_local_net_ports="1194" + + +# ====== +# - DHCP Service +# ====== + +# - DHCP Server Gateway +# - +local_dhcp_service=true + +# - Are DHCP Failover Servers present? +# - +# - Balnk separated list +# - +dhcp_failover_server_ips="" + +dhcp_failover_port=647 + + +# ====== +# - DNS Service +# ====== + +# - DNS Service Gateway +# - +local_dns_service=true + +# - DNS Server local Networks +# - +# - Blank separated list +# - +dns_server_ips="" + + +# ====== +# - SSH +# ====== + +# - SSH Service Gateway +# - +local_ssh_service=true + + +# - SSH Services local Networks +# - +# - Blank separated list +# - +ssh_server_only_local_ips="" + + +# - SSH Services DMZ (reachable also from WAN) +# - +# - ssh_server_dmz_arr[]= +# - +# - Note: +# - Each extern interface can have only one service on a certain port. 
+# - +# - ssh_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 +# - ssh_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 +# - +# - Multiple settins of this parameter is possible +# - +declare -A ssh_server_dmz_arr + + +# - SSH Ports used on Gateway and also local machines +# - +# - blank separated list +# - +ssh_ports="22" + + +# ====== +# - HTTP(S) Service +# ====== + +# - HTTP(S) Service Gateway +# - +local_http_service=false + + +# - HTTP(S) Services only locale Networks +# - +# - Blank separated list +# - +http_server_only_local_ips="" + + +# - HTTP(S) Services DMZ (reachable also from WAN) +# - +# - http_server_dmz_arr[]= +# - +# - Note: +# - Each extern interface can have only one service on a certain port. +# - +# - Example: +# - Mail Server: 192.168.10.1 incomming on ppp-st ($ext_if_dsl_2) +# - Citrix Server: 192.168.10.13 incomming on ppp-surf1 ($ext_if_dsl_1) +# - +# - http_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 +# - http_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 +# - +# - WebServer Luna: 192.168.63.20 (ppp-ckubu = $ext_if_dsl_1) +# - +# - Multiple settins of this parameter is possible +# - +declare -A http_server_dmz_arr + + +# - HTTPS Services DMZ only port 443 (reachable also from WAN) +# - +# - http__ssl_server_dmz_arr[]= +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - Example: +# - Mail Server: 192.168.10.1 incomming on ppp-st ($ext_if_dsl_2) +# - Citrix Server: 192.168.10.13 incomming on ppp-surf1 ($ext_if_dsl_1) +# - +# - http_ssl_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 +# - http_ssl_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 +# - +# - Multiple settins of this parameter is possible +# - +declare -A http_ssl_server_dmz_arr + + +# - HTTP(S) Ports +# - +# - comma separated list +# - +http_ports="$standard_http_ports" + + +# ====== +# - Mail Services +# ====== + +# - Mailserver (SMTP(POP/IMAP) Gateway +# - +# - NOT YET IMPLEMENTED +# - +local_mail_service=false + + +# - Mail Services smtp,smtps/pop(s)/imap(s) only 
local Networks +# - +# - comma separated list +# - +mail_server_only_local_ips="" + + +# - Mails Services DMZ smtp,smtps/pop(s)/imap(s) (reachable also from WAN) +# - +# - mail_server_dmz_arr[]= +# - +# - Multiple declarations are possible +# - +# - Example: +# - Mail Server: 192.168.10.1 incomming on ppp-st ($ext_if_dsl_2) +# - +# - mail_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 +# - +declare -A mail_server_dmz_arr + + +# - Mail client ports (smtps/pop(s)/imap(s) +# - +# - comma separated list +# - +mail_user_ports="$standard_mailuser_ports" + + +# - Mail Server (local Networks) SMTP Port +# - +mail_smtp_port="$standard_smtp_port" + + +# ====== +# - FTP Service +# ====== + +# - FTP Service Gateway +# - +local_ftp_service=false + +# - FTP Server at local Networks +# - +# - comma separated list +# - +ftp_server_only_local_ips="" + +# - FTP Service DMZ +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - ftp_server_dmz_arr[]= +# - ftp_passive_port_range= +# - +declare -A ftp_server_dmz_arr +#ftp_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1 +ftp_passive_port_range="50000:50400" + +# - FTP Ports +# - +# - Hard scriptetd: +# - FTP Control Port: 21 +# - FTP Data Port: 20 + + +# ====== +# - TFTP Service Gateway +# ====== + +# - TFTP Server Gateway (Port udp 69) +local_tftp_service=false + +# - TFTP Server at local Networks +# - +tftp_server_ips="" + +# - TFTF Ports +# - +# - Note: its udp ! +# - +tftp_udp_port=69 + + +# ====== +# - LDAP Service +# ====== + +# - Is this a LDAP Server ? 
+# - +local_ldap_service=false + +# - LDAP Service local Networks +# - +# - Ports: 389 udp +# - 389 tcp +# - +# - Ports LDAP SSL: 636 tcp +# - +ldap_server_local_ips="" +ldap_udp_ports="389" +ldap_tcp_ports="389 636" + + +# ====== +# - Samba Service +# ====== + +# - Samba Server Gateway +# - +local_samba_service=false + +# - Samba Service +# - +# - Ports: 137,138 udp +# - 139,445 tcp +# - +samba_udp_ports="137:138" +samba_tcp_ports="137 138 139 445" + +# - Samba Service local networks +# - +# - 192.168.122.10 Samba Fileserver +# - 192.168.122.20 KVM Windows 7 Freigaben +# - +samba_server_local_ips="192.168.122.10 192.168.122.20" + +# - Samba Service DMZ +# - +# - samba_server_dmz_arr[]= +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - Multiple settins of this parameter is possible +# - +declare -A samba_server_dmz_arr + + +# ====== +# - NTP Service +# ====== + +# - NTP Service Gateway +# - +local_ntp_service=true + + +# ====== +# - SNMP Service +# ====== + +# - SNMP services local Networks +# - +snmp_server_ips="" + +# - SNMP Port +# - +# - snmp_port Port Agent +# - snmp_trap_port Port Management Station +# - +snmp_port="$standard_snmp_port" +snmp_trap_port="$standard_snmp_trap_port" + + +# ====== +# - Mumble Service +# ====== + +# - NOT YET IMPLEMENTED + +# - Mumble ports +# - +mumble_ports="64738" + + +# ====== +# - XyMon Service +# ====== + +# - XyMon Service Gateway (usually TCP port 1984) +# - +local_xymon_server=false + +# - XyMon Service (usually TCP port 1984) +# - +# - Blank separated list of ip's +# - +xymon_server_ips="" +local_xymon_client="" + +# - XyMon Ports +# - +xymon_port="$standard_xymon_port" + + +# ====== +# - Munin Service +# ====== + +# - Munin Service Gateway (usually TCP port 4949) +# - +local_munin_server=false + + +# - If 'local_munin_server=' provide service also to inet? 
+# - +provide_munin_service_to_inet=true +munin_remote_port="4949" + + +# - Munin Server local Networks (usually TCP port 4949) +# - +# - Blank separated list +# - +munin_local_server_ips="" + + +# - Munin Remote Server +# - +# - Note: +# - The munin server himself initiates the connection to the concerning clients. +# - In case of natted (local) networks you have to also nat the incomming +# - requests from munin server. +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - munin_local_client_ip_arr[]= +# - +# - Multiple settins of this parameter is possible +# - +#munin_remote_server="83.223.86.163" +munin_remote_server="" + + +# - Munin - clients on local network (server is $munin_remote_server) +# - +# - Example: +# - munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1 +# - +declare -A munin_local_client_ip_arr + +# - Munin Port +# - +munin_local_port=4949 + + +# ====== +# - PowerChut Network Shutdown (PCNS) +# ====== + +# - PCNS local Services +# - +pcns_server_ips="" + +# - local USV +# - +usv_ip="" + +# - PCNS Ports +# - +# - Webinterface (https): tcp 6547 +# - Connection usv: tcp/udp 3052 +# - +pcns_tcp_port=3052 +pcns_udp_port=3052 +pcns_web_port=6547 + + +# ====== +# - Remote Console (VNC Service) +# ====== + +# - VNC Service local network +# +# - Blank separated list +# - +rm_server_ips="192.168.122.0/24" + +# - VNC Service DMZ +# - +# - Note: +# - Each extern interface can have only one thuch service +# - +# - rm_server_dmz_arr[]= +# - +declare -A rm_server_dmz_arr +#rm_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1 + +# - Remote Console (VNC) Port +# - +remote_console_port=5900 + + +# ====== +# - Ubiquiti Unifi +# ====== + +# - Notice: +# - The Accesspoint IP is not needed (i think so), because the +# - AP uses port 8080 for cummunication with the controller, and +# - this port will be configured with the rules concerning the +# - controllers. 
+# - +# - again: setting unifi_ap_local_ips is not needed +#unifi_ap_local_ips="192.168.64.50" + +unifi_controller_gateway_ips="" +unify_controller_local_net_ips="" +unify_controller_ports="8080,8443" + +provide_hotspot=true +hotspot_ports="8880,8843" + + +# ====== +# - IPMI Tools +# ====== + +# - IPMI Tools local Networks +# - +# - 192.168.122.201 IPMI Fileserver +# - 192.168.122.202 IPMI Gateway +# - +# - Blank seoarated list +# - +ipmi_server_ips="192.168.122.201 192.168.2.15" + +# - IPMI Tools Port +# - +# - UDP 623: Access IPMI Programms (as IPMIView or FreeIPMI) +# - TCP 623: Virtual Media for Remote Console +# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM." +# - +ipmi_udp_ports="623 5900" +ipmi_tcp_ports="80 443 623 3520" + + +# ============= +# - Rsync Out for given src ip-addresses +# ============= + +# - Rsync Protocol +# - +# - The given server address (from local network) can access rsyncd at (any) remote machine +# - +# - Needed for some integrated provider of clamav-unofficial-sigs +# - +rsync_out_ips="" +rsync_ports="873" + +# - rsync out from this machine? +# - +local_rsync_out=false + + + +# ============= +# - Printer +# ============= + +# - IP Addresses Printer +# - +# - 192.168.122.5 Brother HL-5380DN +# - +# - Blank separated list +# - +printer_ips="" + + + +# ============= +# --- Scanner +# ============= + +# ====== +# - Brother (brscan) +# ====== + +# - IP Adresses Brother Scanner +# - +# - Blank seoarated list +# - +brother_scanner_ips="" +brscan_port=54921 + + + +# ============= +# --- Telefon Systems +# ============= + +# - IP Adresses Telephone Systems (Telefonanlagen) +# - +# - Dont't foregt to add ip-adresses also to http(s) service if the +# - systems provide webinterfaces! 
+# - +# - Blank seoarated list +# - +tele_sys_ips="" +tele_sys_remote_sip_server_port=5060 +tele_sys_local_sip_server_port=5067 +allow_between_tele_systems=false + +VOIP_PORTS="69 5000:5099 7775 32000:32512" +# - TFTP=69 (used from telephones getting their connection data / firmwareupdate ) +# - RTP_PORTS= UDP i.e. 5000:5099 or here +# - RTP_PORTS_END=5099 +#SIP_PORT_REMOTE=5060 +#SIP_PORT_LOCAL=5067 +#SIP_LOCAL_IP=192.168.63.240 +#STUN_PORTS=3478 +udp_voip_ports="7775 5000:5099" + + +# ===== +# - Telekom Internet TV (Entertain) +# ===== + +telekom_internet_tv=false +tv_ip="192.168.63.5" +tv_extern_if="eth2.8" +tv_local_if="$local_if_1" + + + +# ====== +# - Other local Services +# ====== + +# - You can configure further local services here. +# - +# - other_services=":: [:: [.." +# - +# - Blank seperated list +# - +other_services="" + + +# ============= +# --- Masuqerading +# ============= + +# - Masquerade TCP Connections +# - +# - masquerade_tcp_con="::: [::..]" +# - +# - Example: +# - +# - masquerade_tcp_con="192.168.63.0/24:192.168.62.244:80:${local_if_1} +# - 10.0.0.0/8:192.168.62.244:443:${local_if_1}" +# - +# - 192.168.64.55: Repeater TP-Link TL-WA850RE +# - +# - Blank separated list +# - +masquerade_tcp_cons="" + + +# ============= +# --- Portforwarding +# ============= + +# - Portforwarding TCP +# - +# - portforward_tcp=":::" +# - +# - Multiple declarations are possible +# - +# - Example: +# - portforward_tcp="$ext_if_dsl_1:9997:192.168.52.25:22 +# - $ext_if_dsl_1:9998:192.168.53.24:22" +# - +# - Blank separated list +# - +portforward_tcp="" + + +# - Portforwarding UDP +# - +# - portforward_udp=":::" +# - +# - Multiple declarations are possible +# - +# - Example: +# - portforward_udp="$ext_if_dsl_1:1094:192.168.52.25:1094 +# - $ext_if_dsl_1:9999:192.168.53.24:1095" +# - +# - Blank separated list +# - +portforward_udp="" + + + +# ============= +# --- Basic behavior +# ============= + +# === +# = Services allowed out to the world wide web +# === + 
+allow_ssh_request_out=true +allow_http_request_out=true +allow_smtp_request_out=true +allow_mail_request_out=true +allow_ftp_request_out=true +allow_tftp_request_out=true +allow_ntp_request_out=true +allow_timeserver_request_out=true +allow_pgpserver_request_out=true +allow_telnet_request_out=true +allow_whois_request_out=true +allow_cpan_wait_request_out=true +allow_hbci_request_out=true +allow_jabber_request_out=true +allow_silc_request_out=true +allow_irc_request_out=true +allow_mysql_request_out=true +allow_ipmi_request_out=true +allow_remote_console_request_out=true + +allow_samba_requests_out=true + +allow_vpn_out=true +vpn_out_ports="1194 1195 1196" + + +# === +# = Services allowed between local networks +# === + +# - These Parameters are only considered, if traffic +# - between local networks are not permitted, thats +# - if 'permit_between_local_networks=false' (see below). +# - +allow_ssh_between_local_nets=true +allow_samba_between_local_nets=false +allow_ldap_between_local_nets=false +allow_printing_between_local_nets=true +allow_scanning_between_local_nets=true + + +# === +# = Other Parameters +# === + +# - Permit internet access to all machines at local network +# - Does not include this server itself +# - +permit_local_net_to_inet=true + +# - Do not block any traffic between local machines +# - +permit_between_local_networks=false + +# - Do not block any ICMP traffic +# - +permit_all_icmp_traffic=true + +# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine. +# - +# - Maybe useful for testing purpose with telnet or openssl +# - +provide_mailservice_from_local=true + +# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. 
+# - +create_iperf_rules=false + + + +# ============= +# - MAC Address Filtering +# ============= + +# - MAC Addreses alowed to all destinations (gateway, remote, local networks) +# - +# - Blank separated list +# - +allow_all_mac_src_addresses="" + +# - MAC Addreses alowed to local networks (gateway, local networks) +# - +# - Blank separated list +# - +allow_local_mac_src_addresses="" + + +# - MAC Addreses alowed to remote networks +# - +# - Blank separated list +# - +allow_remote_mac_src_addresses="" + + + + +# ============= +# --- Block IP's / IP-Ranges +# ============= + +# - 222.184.0.0/13 CHINANET-JS +# - 61.160.0.0/16 - CHINANET-JS +# - 116.8.0.0/14 CHINANET-GX +# - +# - Blank separated list +# - +blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14" + + +# ============= +# --- Block Ports on extern Interfaces +# ============= + +# - Generally (for all interfaces) block this ports +# - +# - Portmapper +# - tcp 111 +# - udp 111 +# - +# - Authentication tap ident +# - tcp 113 +# - +# - Location Service +# - tcp 135 +# - +# - Windows Stuff +# - tcp 137:139 +# - udp 137:139 +# - tcp 445 +# - +block_tcp_ports="111 135 631" +block_udp_ports="111" +if ! $allow_samba_requests_out ; then + block_tcp_ports="$block_udp_ports 137:139 445" + block_udp_ports="$block_udp_ports 137:139" +fi + +block_ident=true + + +# ============= +# - Packets not wanted on gateway on local Interfaces +# ============= + +not_wanted_on_gw_tcp_ports="111 113 135 631" +not_wanted_on_gw_udp_ports="111 631" +if ! 
$local_samba_service ; then + not_wanted_on_gw_tcp_ports="$not_wanted_on_gw_tcp_ports 137:139 445" + not_wanted_on_gw_udp_ports="$not_wanted_on_gw_udp_ports 137:139" +fi + +not_wanted_ident=true + + +# ============= +# --- Router +# ============= + +# - Set to "true" to secure/tune the kernel +# - +adjust_kernel_parameters=true + +# - Protection against several attacks +# - +protect_against_several_attacks=true + + + +# ============= +# --- Kernel related - Adjust Kernel Parameters (Security/Tuning) +# ============= + +# - Activate forwarding +# - +# - Enable/disable forwarding to and between interfaces +# - +kernel_activate_forwarding=true + +# - Activate kernel support for dynamic IP adresses +# - (not needed in case of static IP) +# - +# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt +# - +# - The values for the ip_dynaddr sysctl are [*]: +# - +# - 1: To enable: +# - 2: To enable verbosity: +# - 4: To enable RST-provoking: +# - 8: To enable asymetric routing work-around [**] +# - +# - [*] At boot, by default no address rewriting is attempted. +# - [**] This code is currently totaly untested. +# - +# - Flags can be combined by adding them. Common settings +# - would be: +# - +# - To enable rewriting in quiet mode: +# - # echo 1 > /proc/sys/net/ipv4/ip_dynaddr +# - To enable rewriting in verbose mode: +# - # echo 3 > /proc/sys/net/ipv4/ip_dynaddr +# - To enable quiet RST-provoking mode (1+4): +# - # echo 5 > /proc/sys/net/ipv4/ip_dynaddr +# - ... 
+# - +kernel_support_dynaddr=true +dynaddr_flag="5" + +# - Reduce DoS'ing ability by reducing timeouts +# - +kernel_reduce_timeouts=true + +# - Hardening TCP/IP Stack Against SYN Floods +# - +# - Enable syn cookies prevents against the common 'syn flood attack' +# - +kernel_tcp_syncookies=true + +# - Protection against ICMP bogus error responses +# - +kernel_protect_against_icmp_bogus_messages=true + +# - Ignore Broadcast Pings +# - +kernel_ignore_broadcast_ping=true + +# - Deactivate Source Routed Packets +# - +kernel_deactivate_source_route=true + +# - Deactivate sending ICMP redirects +# - +# - Note: IP TV requires sending ICMP redirects. So if IP TV is provided, this +# - Parameter will be set to "false" +# - +# - ICMP redirects are used by routers to specify better routing paths out of +# - one network, based on the host choice, so basically it affects the way +# - packets are routed and destinations. +# - +kernel_dont_accept_redirects=true + +# - Activate Reverse Path Filtering (Antispoofing) +# - +# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen +# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, +# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat +# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für +# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle +# - nicht voll funktionsfähig ist. +# - +kernel_activate_rp_filter=true + +# - Logging of spoofed (source routed" and "redirect") packets +# - +kernel_log_martians=false + + + +# ============= +# --- Some further Ports/IP-Address Configuration +# ============= + +# - unpriviligierte Ports +# - +unprivports="1024:65535" + +# - Loopback +loopback="127.0.0.0/8" + +# - Private Networks +priv_class_a="10.0.0.0/8" +priv_class_b="172.16.0.0/12" +priv_class_c="192.168.0.0/16" + +# - Multicast Addresse +class_d_multicast="224.0.0.0/4" + +# Reserved Addresse +class_e_reserved="240.0.0.0/5" + 
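Review bot: In the `if ! $allow_samba_requests_out` branch the TCP block list is built from the wrong variable, `block_tcp_ports="$block_udp_ports 137:139 445"`, so disabling Samba egress silently drops 135 and 631 from the TCP list (it becomes `111 137:139 445`); it should read `block_tcp_ports="$block_tcp_ports 137:139 445"`. The gateway address array at the top is also filled by grepping `ifconfig` for `inet Ad`, which apparently only matches the localized output of old net-tools (`inet Adresse:`); on a different locale or the newer `inet 1.2.3.4  netmask …` format the grep finds nothing and every rule keyed on `gateway_ipv4_address_arr` is quietly emitted for no address — `mapfile -t gateway_ipv4_address_arr < <(ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1)` does not depend on locale or tool version. Several host lists (`samba_server_local_ips`, `rm_server_ips`, `ipmi_server_ips`) still name 192.168.122.x / 192.168.2.x addresses that sit on neither LAN this gateway serves, which looks like leftovers from another site; confirm and blank them so the generated allow rules reflect this network only.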
diff --git a/BLKR/ipt-firewall/post_decalrations.conf b/BLKR/ipt-firewall/post_decalrations.conf
new file mode 100644
index 0000000..a90ea98
--- /dev/null
+++ b/BLKR/ipt-firewall/post_decalrations.conf
@@ -0,0 +1,454 @@ +#!/usr/bin/env bash + + +# ----------- +# --- Define Arrays +# ----------- + +# --- +# - Masquerade TCP Connections +# --- +declare -a masquerade_tcp_con_arr +for _str in $masquerade_tcp_cons ; do + masquerade_tcp_con_arr+=("$_str") +done + + +# --- +# - Extern Network interfaces (DSL, Staic Lines, All together) +# --- +declare -a nat_device_arr +declare -a dsl_device_arr +declare -a ext_if_arr +for _dev in $ext_ifs_dsl ; do + dsl_device_arr+=("$_dev") + ext_if_arr+=("$_dev") + nat_device_arr+=("$_dev") +done +for _dev in $ext_ifs_static ; do + ext_if_arr+=("$_dev") +done +for _dev in $nat_devices ; do + if ! containsElement $_dev "${nat_device_arr[@]}" ; then + nat_device_arr+=("$_dev") + fi +done + +# --- +# - VPN Interfaces +# --- +declare -a vpn_if_arr +for _dev in $vpn_ifs ; do + vpn_if_arr+=("$_dev") +done + +# --- +# - Local Network Interfaces +# --- +declare -a local_if_arr +for _dev in $local_ifs ; do + local_if_arr+=("$_dev") +done + +# --- +# - Network Interfaces completly blocked +# --- +declare -a blocked_if_arr +for _dev in $blocked_ifs ; do + blocked_if_arr+=("$_dev") +done + +# --- +# - Network Interfaces not firewalled +# --- +declare -a unprotected_if_arr +for _dev in $unprotected_ifs ; do + unprotected_if_arr+=("$_dev") +done + +# --- +# - Allow these local networks any access to the internet +# --- +declare -a any_access_to_inet_network_arr +for _net in $any_access_to_inet_networks ; do + any_access_to_inet_network_arr+=("$_net") +done + +# --- +# - Allow local services from given local networks +# --- +declare -a allow_local_net_to_local_service_arr +for _val in $allow_local_net_to_local_service ; do + allow_local_net_to_local_service_arr+=("$_val") +done + +# --- +# - Allow all traffic from local network to local ip-address +# --- +declare -a allow_local_net_to_local_ip_arr +for _val in $allow_local_net_to_local_ip ; do + allow_local_net_to_local_ip_arr+=("$_val") +done + +# --- +# - Allow all traffic from local ip-address 
to local network +# --- +declare -a allow_local_ip_to_local_net_arr +for _val in $allow_local_ip_to_local_net ; do + allow_local_ip_to_local_net_arr+=("$_val") +done + +# --- +# - Allow all traffic from (one) local network to (another) local network +# --- +declare -a allow_local_net_to_local_net_arr +for _val in $allow_local_net_to_local_net ; do + allow_local_net_to_local_net_arr+=("$_val") +done + +# --- +# - Allow local ip address from given local interface +# --- +declare -a allow_local_if_to_local_ip_arr +for _val in $allow_local_if_to_local_ip ; do + allow_local_if_to_local_ip_arr+=("$_val") +done + +# --- +# - Separate local Networks +# --- +declare -a separate_local_network_arr +for _net in $separate_local_networks ; do + separate_local_network_arr+=("$_net") +done + +# --- +# - Separate local Interfaces +# --- +declare -a separate_local_if_arr +for _net in $separate_local_ifs ; do + separate_local_if_arr+=("$_net") +done + +# --- +# - Generally block ports on extern interfaces +# --- +declare -a block_tcp_port_arr +for _port in $block_tcp_ports ; do + block_tcp_port_arr+=("$_port") +done + +declare -a block_udp_port_arr +for _port in $block_udp_ports ; do + block_udp_port_arr+=("$_port") +done + +# --- +# - Not wanted on intern interfaces +# --- +declare -a not_wanted_on_gw_tcp_port_arr +for _port in $not_wanted_on_gw_tcp_ports ; do + not_wanted_on_gw_tcp_port_arr+=("$_port") +done + +declare -a not_wanted_on_gw_udp_port_arr +for _port in $not_wanted_on_gw_udp_ports ; do + not_wanted_on_gw_udp_port_arr+=("$_port") +done + +# --- +# - Private IPs / IP-Ranges allowed to forward +# --- +declare -a forward_private_ip_arr +for _ip in $forward_private_ips ; do + forward_private_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses to log +# --- +declare -a log_ip_arr +for _ip in $log_ips ; do + log_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses DHCP Failover Server +# --- +declare -a dhcp_failover_server_ip_arr +for _ip in $dhcp_failover_server_ips ; do + 
dhcp_failover_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses DNS Server +# --- +declare -a dns_server_ip_arr +for _ip in $dns_server_ips ; do + dns_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses SSH Server only at ocal Networks +# --- +declare -a ssh_server_only_local_ip_arr +for _ip in $ssh_server_only_local_ips ; do + ssh_server_only_local_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses HTTP Server only local Networks +# --- +declare -a http_server_only_local_ip_arr +for _ip in $http_server_only_local_ips ; do + http_server_only_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Mail Server only local Networks +# --- +declare -a mail_server_only_local_ip_arr +for _ip in $mail_server_only_local_ips ; do + mail_server_only_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses FTP Server +# --- +declare -a ftp_server_only_local_ip_arr +for _ip in $ftp_server_only_local_ips ; do + ftp_server_only_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Samba Server +# --- +declare -a samba_server_local_ip_arr +for _ip in $samba_server_local_ips ; do + samba_server_local_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses LDAP Server +# --- +declare -a ldap_server_local_ip_arr +for _ip in $ldap_server_local_ips ; do + ldap_server_local_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses Telephone Systems +# --- +declare -a tele_sys_ip_arr +for _ip in $tele_sys_ips ; do + tele_sys_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses SNMP Server +# --- +declare -a snmp_server_ip_arr +for _ip in $snmp_server_ips ; do + snmp_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses Munin Service +# --- +declare -a munin_local_server_ip_arr +for _ip in $munin_local_server_ips ; do + munin_local_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses XyMon +# --- +declare -a xymon_server_ip_arr +for _ip in $xymon_server_ips ; do + xymon_server_ip_arr+=("$_ip") +done + +# --- +# - IP Adresses IPMI interface +# --- +declare -a ipmi_server_ip_arr +for _ip in 
$ipmi_server_ips ; do + ipmi_server_ip_arr+=("$_ip") +done + +# --- +# -IP Addresses Ubiquiti Unifi Accesspoints +# --- +declare -a unifi_ap_local_ip_arr +for _ip in $unifi_ap_local_ips ; do + unifi_ap_local_ip_arr+=("$_ip") +done +declare -a unifi_controller_gateway_ip_arr +for _ip in $unifi_controller_gateway_ips ; do + unifi_controller_gateway_ip_arr+=("$_ip") +done +declare -a unify_controller_local_net_ip_arr +for _ip in $unify_controller_local_net_ips ; do + unify_controller_local_net_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Printer +# - +declare -a printer_ip_arr +for _ip in $printer_ips ; do + printer_ip_arr+=("$_ip") +done + + +# --- +# - IP Adresses Brother Scanner (brscan) +# --- +declare -a brother_scanner_ip_arr +for _ip in $brother_scanner_ips ; do + brother_scanner_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses PCNS Server +# --- +declare -a pcns_server_ip_arr +for _ip in $pcns_server_ips ; do + pcns_server_ip_arr+=("$_ip") +done + + +# --- +# - IP Addresses VNC Service +# --- +declare -a rm_server_ip_arr +for _ip in $rm_server_ips ; do + rm_server_ip_arr+=("$_ip") +done + +# --- +# - IP Addresses Rsync Out +# --- +# local +declare -a rsync_out_ip_arr +for _ip in $rsync_out_ips ; do + rsync_out_ip_arr+=("$_ip") +done + +# --- +# - Other local Services +# --- +declare -a other_service_arr +for _val in $other_services ; do + other_service_arr+=("$_val") +done + +# --- +# - SSH Ports +# --- +declare -a ssh_port_arr +for _port in $ssh_ports ; do + ssh_port_arr+=("$_port") +done + +# --- +# - VPN Ports +# --- +declare -a vpn_gw_port_arr +for _port in $vpn_gw_ports ; do + vpn_gw_port_arr+=("$_port") +done +declare -a vpn_local_net_port_arr +for _port in $vpn_local_net_ports ; do + vpn_local_net_port_arr+=("$_port") +done +declare -a vpn_out_port_arr +for _port in $vpn_out_ports ; do + vpn_out_port_arr+=("$_port") +done + +# --- +# - Rsync Out Ports +# -- +declare -a rsync_port_arr +for _port in $rsync_ports ; do + rsync_port_arr+=("$_port") 
+done
+
+# ---
+# - Samba Ports
+# ---
+
+declare -a samba_udp_port_arr
+for _port in $samba_udp_ports ; do
+ samba_udp_port_arr+=("$_port")
+done
+
+declare -a samba_tcp_port_arr
+for _port in $samba_tcp_ports ; do
+ samba_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - LDAP Ports
+# ---
+
+declare -a ldap_udp_port_arr
+for _port in $ldap_udp_ports ; do
+ ldap_udp_port_arr+=("$_port")
+done
+
+declare -a ldap_tcp_port_arr
+for _port in $ldap_tcp_ports ; do
+ ldap_tcp_port_arr+=("$_port")
+done
+
+# ---
+# - IPMI
+# ---
+
+declare -a ipmi_udp_port_arr
+for _port in $ipmi_udp_ports ; do
+ ipmi_udp_port_arr+=("$_port")
+done
+
+declare -a ipmi_tcp_port_arr
+for _port in $ipmi_tcp_ports ; do
+ ipmi_tcp_port_arr+=("$_port")
+done
+
+
+# ---
+# - Portforwrds TCP
+# ---
+declare -a portforward_tcp_arr
+for _str in $portforward_tcp ; do
+ portforward_tcp_arr+=("$_str")
+done
+
+# ---
+# - Portforwrds UDP
+# ---
+declare -a portforward_udp_arr
+for _str in $portforward_udp ; do
+ portforward_udp_arr+=("$_str")
+done
+
+# ---
+# - MAC Address Filtering
+# ---
+declare -a allow_all_mac_src_address_arr
+for _mac in $allow_all_mac_src_addresses ; do
+ allow_all_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_local_mac_src_address_arr
+for _mac in $allow_local_mac_src_addresses ; do
+ allow_local_mac_src_address_arr+=("$_mac")
+done
+
+declare -a allow_remote_mac_src_address_arr
+for _mac in $allow_remote_mac_src_addresses ; do
+ allow_remote_mac_src_address_arr+=("$_mac")
+done
+
diff --git a/BLKR/mailname.BLKR b/BLKR/mailname.BLKR
new file mode 100644
index 0000000..437a348
--- /dev/null
+++ b/BLKR/mailname.BLKR
@@ -0,0 +1 @@
+gw-blkr.blkr.netz
diff --git a/BLKR/main.cf.BLKR b/BLKR/main.cf.BLKR
new file mode 100644
index 0000000..3f7083c
--- /dev/null
+++ b/BLKR/main.cf.BLKR
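Review bot: In the `$nat_devices` loop near the top of this hunk, `containsElement $_dev "${nat_device_arr[@]}"` passes `$_dev` unquoted while every other use of the same value in the file is quoted; make it `if ! containsElement "$_dev" "${nat_device_arr[@]}" ; then` so an empty or glob-like entry cannot change the argument list. containsElement is not defined in this file and presumably comes from include_functions.conf, so a missing `source` of that file would silently skip the de-duplication. The roughly sixty `declare -a X; for v in $list; do X+=("$v"); done` blocks are identical boilerplate; a single helper taking the array name (bash 4.3+ nameref, or `read -r -a X <<< "$list"`) would shrink the file considerably and make the word-splitting convention explicit in one place. The file name `post_decalrations.conf` carries a typo that the sourcing variable `conf_post_declarations` presumably has to repeat; renaming it now is cheaper than later.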
@@ -0,0 +1,268 @@ +# ============ Basic settings ============ + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname +myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = /usr/share/doc/postfix +html_directory = /usr/share/doc/postfix/html + +## - The Internet protocols Postfix will attempt to use when making +## - or accepting connections. +## - DEFAULT: ipv4 +inet_protocols = ipv4 + +#inet_interfaces = all +inet_interfaces = + 127.0.0.1 + 192.168.162.254 + +myhostname = gw-blkr.blkr.netz + +mydestination = + gw-blkr.blkr.netz + localhost + +## - The list of "trusted" SMTP clients that have more +## - privileges than "strangers" +## - +mynetworks = + 127.0.0.0/8 + 192.168.162.254/32 + +#smtp_bind_address = 192.168.100.254 +#smtp_bind_address6 = + + +## - The method to generate the default value for the mynetworks parameter. +## - +## - mynetworks_style = host" when Postfix should "trust" only the local machine +## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP +## - clients in the same IP subnetworks as the local machine. +## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same +## - IP class A/B/C networks as the local machine. +## - +#mynetworks_style = host + + +## - The maximal size of any local(8) individual mailbox or maildir file, +## - or zero (no limit). In fact, this limits the size of any file that is +## - written to upon local delivery, including files written by external +## - commands that are executed by the local(8) delivery agent. +## - +mailbox_size_limit = 0 + +## - The maximal size in bytes of a message, including envelope information. 
+## - +## - we user 50MB +## - +message_size_limit = 52480000 + +## - The system-wide recipient address extension delimiter +## - +recipient_delimiter = + + +## - The alias databases that are used for local(8) delivery. +## - +alias_maps = + hash:/etc/aliases + +## - The alias databases for local(8) delivery that are updated +## - with "newaliases" or with "sendmail -bi". +## - +alias_database = + hash:/etc/aliases + + +## - The maximal time a message is queued before it is sent back as +## - undeliverable. Defaults to 5d (5 days) +## - Specify 0 when mail delivery should be tried only once. +## - +maximal_queue_lifetime = 3d +bounce_queue_lifetime = $maximal_queue_lifetime + +## - delay_warning_time (default: 0h) +## - +## - The time after which the sender receives a copy of the message +## - headers of mail that is still queued. To enable this feature, +## - specify a non-zero time value (an integral value plus an optional +## - one-letter suffix that specifies the time unit). +## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +## - The default time unit is h (hours). +delay_warning_time = 1d + + + +# ============ Relay parameters ============ + +#relayhost = + + +# ============ SASL authentication ============ + +# Enable SASL authentication +smtp_sasl_auth_enable = yes + +# Forwarding to the ip-adress of host b.mx.oopen.de +relayhost = [b.mx.oopen.de] + +# File including login data +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + +# Force using a (TLS) security connection +# obsulete - use smtp_tls_security_level instead +#smtp_use_tls = yes +#smtp_tls_enforce_peername = no +smtp_tls_security_level = encrypt + +# Disallow methods that allow anonymous authentication. +smtp_sasl_security_options = noanonymous + + + +# ============ TLS parameters ============ + +## - Aktiviert TLS für den Mailempfang +## - +## - may: +## - Opportunistic TLS. 
Use TLS if this is supported by the remote +## - SMTP server, otherwise use plaintext +## - +## - This overrides the obsolete parameters smtpd_use_tls and +## - smtpd_enforce_tls. This parameter is ignored with +## - "smtpd_tls_wrappermode = yes". +#smtpd_use_tls=yes +smtp_tls_security_level=encrypt + +## - Aktiviert TLS für den Mailversand +## - +## - may: +## - Opportunistic TLS: announce STARTTLS support to SMTP clients, +## - but do not require that clients use TLS encryption. +# smtp_use_tls=yes +smtpd_tls_security_level=may + +## - 0 Disable logging of TLS activity. +## - 1 Log TLS handshake and certificate information. +## - 2 Log levels during TLS negotiation. +## - 3 Log hexadecimal and ASCII dump of TLS negotiation process. +## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. +## - +smtpd_tls_loglevel = 1 +smtp_tls_loglevel = 1 + +smtpd_tls_cert_file = /etc/postfix/ssl/mailserver.crt +smtpd_tls_key_file = /etc/postfix/ssl/mailserver.key + +## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. +## - +## - Dont't forget to create it, e.g with openssl: +## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024 +## - +smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem +## - also possible to use 2048 key with that parameter +## - +#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem + +## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. +## - +## - Dont't forget to create it, e.g with openssl: +## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512 +## - +smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem + + +## - File containing CA certificates of root CAs trusted to sign either remote SMTP +## - server certificates or intermediate CA certificates. These are loaded into +## - memory !! BEFORE !! the smtp(8) client enters the chroot jail. 
+## - +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt + +## - Directory with PEM format certificate authority certificates that the Postfix SMTP +## - client uses to verify a remote SMTP server certificate. Don't forget to create the +## - necessary "hash" links with, for example, " +## - /bin/c_rehash /etc/postfix/certs". +## - +## - !! Note !! +## - To use this option in chroot mode, this directory (or a copy) must be inside +## - the chroot jail. +## - +## - Note that a chrooted daemon resolves all filenames relative to the Postfix +## - queue directory (/var/spool/postfix) +## - +#smtpd_tls_CApath = /etc/postfix/certs + + +# Disable SSLv2 SSLv3 - Postfix SMTP server +# +# List of TLS protocols that the Postfix SMTP server will exclude or +# include with opportunistic TLS encryption. +smtpd_tls_protocols = !SSLv2, !SSLv3 +# +# The SSL/TLS protocols accepted by the Postfix SMTP server +# with mandatory TLS encryption. +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + + +# Disable SSLv2 SSLv3 - Postfix SMTP client +# +# List of TLS protocols that the Postfix SMTP client will exclude or +# include with opportunistic TLS encryption. 
+smtp_tls_protocols = !SSLv2, !SSLv3
+#
+# List of SSL/TLS protocols that the Postfix SMTP client will use
+# with mandatory TLS encryption
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+
+
+## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
+## - openssl > 1.0
+## -
+smtpd_tls_eecdh_grade = strong
+
+# standard list cryptographic algorithm
+tls_preempt_cipherlist = yes
+
+# Disable ciphers which are less than 256-bit:
+#
+#smtpd_tls_mandatory_ciphers = high
+#
+# opportunistic
+smtpd_tls_ciphers = high
+
+
+# Exclude ciphers
+#smtpd_tls_exclude_ciphers =
+# RC4
+# aNULL
+# SEED-SHA
+# EXP
+# MD5
+smtpd_tls_exclude_ciphers =
+ aNULL
+ eNULL
+ EXPORT
+ DES
+ RC4
+ MD5
+ PSK
+ aECDH
+ EDH-DSS-DES-CBC3-SHA
+ EDH-RSA-DES-CDC3-SHA
+ KRB5-DE5, CBC3-SHA
+
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
diff --git a/BLKR/rc.local.BLKR b/BLKR/rc.local.BLKR
new file mode 100755
index 0000000..1d9442b
--- /dev/null
+++ b/BLKR/rc.local.BLKR
@@ -0,0 +1,18 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+sleep 2
+/etc/init.d/ntp restart || /bin/true
+
+
+exit 0
diff --git a/BLKR/resolv.conf.BLKR b/BLKR/resolv.conf.BLKR
new file mode 100644
index 0000000..fd95275
--- /dev/null
+++ b/BLKR/resolv.conf.BLKR
@@ -0,0 +1,4 @@
+# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+nameserver 127.0.0.1
+search blkr.netz
diff --git a/BLKR/sasl_passwd.BLKR b/BLKR/sasl_passwd.BLKR
new file mode 100644
index 0000000..df68aa6
--- /dev/null
+++ b/BLKR/sasl_passwd.BLKR
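Review bot: `smtp_tls_security_level=encrypt` (set in both the SASL section and the TLS section of this hunk) only mandates encryption towards `[b.mx.oopen.de]`; it does not verify the relayhost's certificate, so the SASL password from `smtp_sasl_password_maps` is handed to whichever server terminates the TLS session. Since `smtp_tls_CAfile` is already configured, use `smtp_tls_security_level = secure` (or `verify`) and keep only one of the two settings. In `smtpd_tls_exclude_ciphers`, `EDH-RSA-DES-CDC3-SHA` and `KRB5-DE5, CBC3-SHA` are not OpenSSL cipher names — presumably `EDH-RSA-DES-CBC3-SHA` and `KRB5-DES-CBC3-SHA` were meant — so those two entries exclude nothing. The two German comments are swapped: "Aktiviert TLS für den Mailempfang" sits above the client-side `smtp_tls_security_level` and "Mailversand" above the server-side `smtpd_tls_security_level`. The 512-bit and 1024-bit DH parameter files are below current minimums for the `EDH-*` ciphers still allowed here; the commented-out `dh_2048.pem` should be the one in use.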
@@ -0,0 +1 @@ +[b.mx.oopen.de] blkr@b.mx.oopen.de:CJFtqw4K4TXg 
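Review bot: The single line added here is a live relay credential for `[b.mx.oopen.de]` committed in clear text, and the next file section adds the compiled `sasl_passwd.db.BLKR` carrying the same secret. Removing the files in a later commit does not help — the history keeps them — so the password needs to be rotated on the relay, and both files should leave the repository (gitignore them and commit only a placeholder such as `[b.mx.oopen.de] <user>:<password>`). The real file belongs on the gateway only, root-owned with mode 0600 and rebuilt with postmap, which is what `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd` in main.cf.BLKR expects.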
diff --git a/BLKR/sasl_passwd.db.BLKR b/BLKR/sasl_passwd.db.BLKR new file mode 100644 index 0000000000000000000000000000000000000000..8fd3a83eda04bbcc5d5ed9074ca5798626b005ab GIT binary patch literal 12288 zcmeI&u?oU45P;!J2hl<5;#+8@OiqH}psRx*3Kok()v5^k626v`2u@BugRfwYQm{@A z9sfcu;VxX@TdyJ_#xMQm&5G3Y(D19O2azD#3h}B%f3fwvy<9shX^*^*W{mIgxU6Qs z`Rq0k0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1j-iB8U6R1KahJU z^>^rFA)mkd&-`EiAz=QWi?Jhs00IagfB*srAb /dev/null 2>&1 + if [[ "$?" != "0" ]]; then + warn "Loading module '$module' failed!" + fi + fi + done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file) + +fi + +if [[ ! -f "$conf_logging" ]]; then + fatal "Missing configuration for logging - file '$conf_logging'" +else + source $conf_logging +fi + +if [[ ! -f "$conf_default_ports" ]]; then + fatal "Missing configuration for default_ports - file '$conf_default_ports'" +else + source $conf_default_ports +fi + +if [[ ! -f "$conf_interfaces" ]]; then + fatal "Missing interface configurations - file '$conf_interfaces'" +else + source $conf_interfaces +fi + +if [[ ! -f "$conf_main" ]]; then + fatal "Missing main configurations - file '$conf_main'" +else + source $conf_main +fi + +if [[ ! -f "$conf_post_declarations" ]]; then + fatal "Missing post declarations - file '$conf_post_declarations'" +else + source $conf_post_declarations +fi + + +echo +if $terminal ; then + echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m" +else + echo "Starting firewall iptables (IpV4).." +fi +echo + + +# ------------- +# --- Activate IP Forwarding +# ------------- + +## - IP Forwarding aktivieren/deaktivieren. +## - +## - Dieses benötigen wir lediglich bei einem Rechner in mehreren Netzen. +## - Es ist anzuraten, diese Einstellung vor allen anderen vorzunehmen, +## - weil hiermit auch andere (de)aktiviert werden. +## - +if $kernel_activate_forwarding ; then + echo 1 > /proc/sys/net/ipv4/ip_forward + echononl "\tActivate Forwarding.." 
+ echo_done +else + echo 0 > /proc/sys/net/ipv4/ip_forward + echononl "\t\033[33m\033[1mDisable Forwarding.." + echo_done +fi + +if $kernel_support_dynaddr ; then + echononl "\tActivate kernel support for dynamic addresses.." + if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then + echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr + echo_done + else + echo_failed + fi +else + echo 0 > /proc/sys/net/ipv4/ip_dynaddr + echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" + echo_done +fi + +# ------------- +# --- Adjust Kernel Parameters (Security/Tuning) +# ------------- + +echononl "\tAdjust Kernel Parameters (Security/Tuning).." + +if $adjust_kernel_parameters ; then + ## - Reduce DoS'ing ability by reducing timeouts + ## - + if $kernel_reduce_timeouts ; then + echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout + echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time + echo 1 > /proc/sys/net/ipv4/tcp_window_scaling + echo 0 > /proc/sys/net/ipv4/tcp_sack + fi + + ## - SYN COOKIES + ## - + if $kernel_tcp_syncookies ; then + echo 1 > /proc/sys/net/ipv4/tcp_syncookies + echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog + echo 3 > /proc/sys/net/ipv4/tcp_synack_retries + fi + + ## - Protection against ICMP bogus error responses + ## - + if $kernel_protect_against_icmp_bogus_messages ; then + echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + fi + + ## - Ignore Broadcast Pings + ## - + if $kernel_ignore_broadcast_ping ; then + echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + fi + + ## - Deactivate Source Routed Packets + ## - + if $kernel_deactivate_source_route ; then + for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do + echo 0 > $asr + done + fi + + ## - Deactivate sending ICMP redirects + ## - + if ! 
$telekom_internet_tv ; then + if $kernel_dont_accept_redirects ; then + for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do + echo 1 > $rp_filter + done + else + for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do + echo 0 > $rp_filter + done + fi + fi + + ## - Logging of spoofed (source routed" and "redirect") packets + ## - + if $kernel_log_martians ; then + echo "0" > /proc/sys/net/ipv4/conf/all/log_martians + fi + + echo_done # Adjust Kernel Parameters (Security/Tuning) +else + echo_skipped +fi + + +# ------------- +# --- Set default policies / Flush Rules +# ------------- + +echo +echononl "\tFlushing firewall iptable (IPv4).." + +# - default policies +# - +$ipt -P INPUT ACCEPT +$ipt -P OUTPUT ACCEPT +$ipt -P FORWARD ACCEPT + +## - flush chains +## - +$ipt -F +$ipt -F INPUT +$ipt -F OUTPUT +$ipt -F FORWARD +$ipt -F -t mangle +$ipt -F -t nat +$ipt -F -t raw +$ipt -X +$ipt -Z + +$ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + +for _dev in ${nat_device_arr[@]} ; do + $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE +done + +if $telekom_internet_tv ; then + $ipt -t nat -A POSTROUTING -o $tv_extern_if -j MASQUERADE +fi + +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr +if [[ ${#masquerade_tcp_con_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in "${masquerade_tcp_con_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + + + # - Skip if no interface is given + # - + if [[ -z "${_val_arr[3]}" ]] ; then + no_if_for_ip_arr+=("${_val_arr[1]}") + continue + fi + $ipt -t nat -A POSTROUTING -o ${_val_arr[3]} -p tcp -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j MASQUERADE + done +fi + +#echo_done # Flushing firewall iptable (IPv4).. +if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "Masquerading for ip '$_ip' was omitted - No idestination interface present!" 
+ done +else + echo_done +fi +echo + + +# ------------- +# - Log given IP Addresses +# ------------- + +echononl "\tLog given IP Addresses" +if [[ ${#log_ip_arr[@]} -gt 0 ]]; then + for _ip in ${log_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -j LOG --log-prefix "IPv4: $_ip IN: " --log-level $log_level + $ipt -A OUTPUT -d $_ip -j LOG --log-prefix "IPv4: $_ip OUT: " --log-level $log_level + $ipt -A FORWARD -s $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD FROM: " --log-level $log_level + $ipt -A FORWARD -d $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD TO: " --log-level $log_level + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Stopping firewall if only flushing was requested (parameter flush) +# ------------- + +case $1 in + flush) + warn No firewall rules are active! + exit 0;; +esac + + +# --- +# - Stop here, if no extern interface is configured +# --- + +if [[ ${#ext_if_arr[@]} -lt 1 ]] ; then + fatal "No extern Interface is configured!" +fi + + + +# ------------- +# --- Traffic Shaping +# ------------- + +echo "" +if $terminal ; then + echononl "\033[37m\033[1m\tStarting outbound shaping...\033[m" +else + echo -n "Starting outbound shaping" +fi + +if $TRAFFIC_SHAPING && [[ -n "$TC_DEV" ]] ; then + + tc=$(which tc) + + if [[ -z "$tc" ]]; then + echo_skipped + warn "'tc'-programm not found. Outbound shaping was ommitted!" 
+ else + + ## - Löschen aller Klassen für $TC_DEV und der Filterregeln + ## - + $tc qdisc del dev $TC_DEV root 2> /dev/null > /dev/null + $ipt -t mangle -D POSTROUTING -o $TC_DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null + $ipt -t mangle -F MYSHAPER-OUT + $ipt -t mangle -X MYSHAPER-OUT + + + # add HTB root qdisc + $tc qdisc add dev $TC_DEV root handle 1:0 htb default 26 + + # add main rate limit class(es) + $tc class add dev $TC_DEV parent 1: classid 1:1 htb rate ${LIMIT_UP}kbit + + # create fair-share-classes, descending priority + $tc class add dev $TC_DEV parent 1:1 classid 1:20 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 0 + $tc class add dev $TC_DEV parent 1:1 classid 1:21 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 1 + $tc class add dev $TC_DEV parent 1:1 classid 1:22 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 2 + $tc class add dev $TC_DEV parent 1:1 classid 1:23 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 3 + $tc class add dev $TC_DEV parent 1:1 classid 1:24 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 4 + $tc class add dev $TC_DEV parent 1:1 classid 1:25 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 5 + $tc class add dev $TC_DEV parent 1:1 classid 1:26 htb rate ${LIMIT_CLASS}kbit ceil ${LIMIT_UP}kbit prio 6 + + + # attach qdisc to leaf classes + # + # here we at SFQ to each priority class. SFQ insures that + # within each class connections will be treated (almost) fairly. 
+ $tc qdisc add dev $TC_DEV parent 1:20 handle 20: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:21 handle 21: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:22 handle 22: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:23 handle 23: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:24 handle 24: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:25 handle 25: sfq perturb 10 + $tc qdisc add dev $TC_DEV parent 1:26 handle 26: sfq perturb 10 + + + # filter traffic into classes by fwmark + # + # here we direct traffic into priority class according to + # the fwmark set on the packet (we set fwmark with iptables + # later). Note that above we've set the default priority + # class to 1:26 so unmarked packets (or packets marked with + # unfamiliar IDs) will be defaulted to the lowest priority + # class. + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 24 fw flowid 1:24 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 25 fw flowid 1:25 + $tc filter add dev $TC_DEV parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26 + + + # add MYSHAPER-OUT chain to the mangle table in iptables + # + # this sets up the table we'll use + # to filter and mark packets. + $ipt -t mangle -N MYSHAPER-OUT + $ipt -t mangle -I POSTROUTING -o $TC_DEV -j MYSHAPER-OUT + + + # add fwmark entries to classify different types of traffic + # + # Set fwmark from 20-26 according to + # desired class. 20 is highest prio. 
+ + # mark 20 - high prio 0 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 20 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20 + $ipt -t mangle -A MYSHAPER-OUT -p icmp -j RETURN + + # mark 21 - high prio 1 + # - DNS Service + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j MARK --set-mark 21 + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport 53 -j RETURN + + # mark 22 - high prio 2 + # - VoIP SIP (sip ports, rtp ports, stun ports(3478)) + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${RTP_PORTS_START}:${RTP_PORTS_END} -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp --dport ${SIP_PORT_REMOTE} -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp --sport ${SIP_PORT_LOCAL} -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p udp -m multiport --dport ${STUN_PORTS} -j RETURN + + # mark 23 - prio 3 + # - OpenVPN + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 1094,1095 -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j RETURN + $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 23 + $ipt -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j RETURN + + # mark 24 - prio 4 + # - WWW + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j MARK --set-mark 24 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 80,443 -j RETURN + + + # mark 25 - 
prio 5 + # - Mailtraffic + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j MARK --set-mark 25 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m multiport --dport 587,110,995,143,993 -j RETURN + + + # Remaining packets are marked according to TOS + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark 22 + $ipt -t mangle -A MYSHAPER-OUT -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark 25 + # redundant- mark any unmarked packets as 26 (low prio) + $ipt -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26 + + echo_done + fi +else + echo_skipped +fi + + + +# --- +# - Provide (Telekom) IP TV +# --- + +echo +echononl "\tProvide (Telekom) Internet TV" + +if $telekom_internet_tv && [[ -n "$tv_local_if" ]] ; then + + # - Telekom VDSL - Rules for IPTV + # - + $ipt -A INPUT -i $tv_local_if -p igmp -s $tv_ip -j ACCEPT + #$ipt -A INPUT -i $tv_local_if -p igmp -j DROP + + $ipt -A FORWARD -s $tv_ip -j ACCEPT + $ipt -A FORWARD -d $tv_ip -j ACCEPT + + $ipt -A FORWARD -i $tv_ip -j ACCEPT + $ipt -A FORWARD -o $tv_ip -j ACCEPT + + + # - Forward all networks defined defind by igmpproxy + # - (see: phyint eth2.8 upstream ratelimit 0 threshold 1) + # + #$ipt -A FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT + #$ipt -A FORWARD -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT + #$ipt -A FORWARD -s 239.35.100.6/24 -d 224.0.0.0/4 -j ACCEPT + #$ipt -A FORWARD -s 93.230.64.0/19 -d 224.0.0.0/4 -j ACCEPT + $ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT + $ipt -A FORWARD -s 224.0.0.0/4 -j ACCEPT + + $ipt -A OUTPUT -d 224.0.0.0/4 -j ACCEPT + $ipt -A INPUT -d 224.0.0.0/4 -j ACCEPT + + $ipt -A INPUT -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT + $ipt -A INPUT -i $tv_local_if -d 224.0.0.0/4 -j ACCEPT + $ipt -A OUTPUT -o $tv_extern_if -d 224.0.0.0/4 -j ACCEPT + $ipt -A OUTPUT -o $tv_local_if -d 
224.0.0.0/4 -j ACCEPT + + #$ipt -A FORWARD -d 224.0.0.0/4 -j ACCEPT + $ipt -A FORWARD -i $tv_local_if -o $tv_extern_if -j ACCEPT + $ipt -A FORWARD -i $tv_extern_if -d 224.0.0.0/4 -j ACCEPT + + echo_done +else + echo_skipped +fi + + + +# ------------- +# --- Pass through Devices Interfaces (not firewalled) +# ------------- + +if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then + echononl "\tPass through Devices (not firewalled)" + for _dev in ${unprotected_if_arr[@]} ; do + if $log_unprotected || $log_all ; then + $ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -j ACCEPT + $ipt -A OUTPUT -o $_dev -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -j ACCEPT + $ipt -A FORWARD -o $_dev -j ACCEPT + fi + done + echo_done +fi + + + +# ------------- +# --- Block IPs / Networks / Interfaces +# ------------- +echononl "\tBlock IPs / Networks / Interfaces.." 
+ + +# --- +# - Block IPs +# --- + +for _ip in $blocked_ips ; do + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j DROP + fi + done +done + + +# --- +# - Block Interfaces +# --- + +for _if in ${blocked_if_arr[@]} ; do + if $log_blocked_if || $log_all ; then + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + $ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + fi + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_if -j DROP + $ipt -A FORWARD -o $_if -j DROP + fi + $ipt -A INPUT -i $_if -j DROP + $ipt -A OUTPUT -o $_if -j DROP +done + +echo_done # Block IPs / Networks / Interfaces.. + + +# --- +# - Allow Forwarding certain private Addresses +# --- + +echononl "\tAllow forwarding (private) IPs / IP-Ranges.." +if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${forward_private_ip_arr[@]}; do + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -d $_ip -j ACCEPT + $ipt -A FORWARD -s $_ip -j ACCEPT + echo_done + else + echo_skipped + fi + done +else + echo_skipped +fi + + +# ------------- +# --- Protections against several attacks / unwanted packages +# ------------- +echo +echononl "\tProtections against several attacks / unwanted packages.." 
+ +if $protect_against_several_attacks ; then + + # --- + # - Protection against syn-flooding + # --- + + $ipt -N syn-flood + $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN + if $log_syn_flood || $log_all ; then + $ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level + fi + $ipt -A syn-flood -j DROP + + + # --- + # - Drop Fragments + # --- + + # I have to say that fragments scare me more than anything. + # Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" + # Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such + # fragments is very OS-dependent (see this paper for details). + # I am not going to trust any fragments. + # Log fragments just to see if we get any, and deny them too + + for _dev in ${ext_if_arr[@]} ; do + if $log_fragments || $log_all ; then + $ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -f -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -f -j DROP + fi + done + + + # --- + # - drop new packages without syn flag + # --- + + #if $log_new_not_sync || $log_all ; then + # $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # fi + #fi + #$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP + #$ipt -A OUTPUT -p tcp ! 
--syn -m conntrack --ctstate NEW -j DROP + #if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP + #fi + + + # --- + # - drop invalid packages + # --- + + #if $log_invalid_state || $log_all ; then + # $ipt -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + # if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + # fi + #fi + #$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP + #if $kernel_activate_forwarding ; then + # $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP + #fi + + + # --- + # - ungewöhnliche Flags verwerfen + # --- + + for _dev in ${ext_if_arr[@]} ; do + if $log_invalid_flags || $log_all ; then + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -p tcp 
--tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + fi + done + + + # --- + # - Refuse private addresses on extern interfaces + # --- + + # Refuse packets claiming to be from a + # Class A private network + # Class B private network + # Class C private network + # loopback interface + # Class D multicast address + # Class E reserved IP address + # broadcast address + for _dev in ${dsl_device_arr[@]} ; do + if $log_spoofed || $log_all ; then + $ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + # + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG 
--log-prefix "$log_prefix Class D Multicast: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + fi + fi + # Refuse packets claiming to be from a Class A private network. + $ipt -A INPUT -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A INPUT -i $_dev -s $priv_class_b -j DROP + # Retfuse packets claiming to be from a Class C private network. + $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A INPUT -i $_dev -s $loopback -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A INPUT -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j DROP + if $kernel_activate_forwarding ; then + # Refuse packets claiming to be from a Class A private network. + $ipt -A FORWARD -i $_dev -s $priv_class_a -j DROP + # Refuse packets claiming to be from a Class B private network. + $ipt -A FORWARD -i $_dev -s $priv_class_b -j DROP + # Refuse packets claiming to be from a Class C private network. + $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP + # Refuse packets claiming to be from loopback interface. + $ipt -A FORWARD -i $_dev -s $loopback -j DROP + # Refuse Class D multicast addresses. Multicast is illegal as a source address. + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP + # Refuse Class E reserved IP addresses. + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j DROP + # Refuse broadcast address packets. 
+ #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j DROP + fi + done + + + # --- + # - Refuse packets claiming to be to the loopback interface. + # --- + + # Refusing packets claiming to be to the loopback interface protects against + # source quench, whereby a machine can be told to slow itself down by an icmp source + # quench to the loopback. + for _dev in ${ext_if_arr[@]} ; do + if $log_to_lo || $log_all ; then + $ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -d $loopback -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -d $loopback -j DROP + fi + done + + + # --- + # - Don't allow spoofing from that server + # --- + + for _dev in ${dsl_device_arr[@]} ; do + if $log_spoofed_out || $log_all ; then + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level + fi + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP + $ipt -A OUTPUT -o $_dev -s $loopback -j DROP + done + + echo_done +else + echo_skipped +fi + + +# ------------- +# --- Log VoIP Traffic (local telephone systems ( ${tel_sys_ip_arr[@]}) +# ------------- + +if $log_voip || $log_all ; then + for _ip in ${tel_sys_ip_arr[@]} ; do + $ipt -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level + done +fi +#for _PORT in ${VOIP_PORTS} 
; do +# $ipt -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level +#done + + +# ------------- +# ------------- Stopping firewall here if requested (parameter stop) +# ------------- + + +case $1 in + sto*) + echo + if $terminal ; then + echo -e "\t\033[37m\033[1mStop was requested. No more firewall rules..\033[m" + else + echo "Stop was requested. No more firewall rules.." + fi + echo + exit 0;; +esac + + +echo + + +# ------------- +# --- iPerf +# ------------- + +# iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. +# It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, +# SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. + +echononl "\tCreate \"iPerf\" rules.." +if $create_iperf_rules ; then + $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT + $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT + # + $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT + $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT + $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT + fi + echo_done +else + echo_skipped +fi + + +# --- +# - Drop packets not wanted on gateway +# --- + +echononl "\tDrop packets not wanted on gateway" + +for _dev in ${local_if_arr[@]} ; do + if $log_not_wanted || $log_all ; then + if $not_wanted_ident ; then + $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + fi + for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + done + for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + done + fi + if $not_wanted_ident ; then + $ipt -A 
INPUT -i $_dev -p tcp --dport $standard_ident_port -j REJECT --reject-with tcp-reset + fi + for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --dport $_port -j DROP + done + for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do + $ipt -A INPUT -i $_dev -p udp --dport $_port -j DROP + done +done + +echo_done + + +# ------------- +# --- Generally prohibited from WAN +# ------------- + +echononl "\tGenerally prohibited from WAN" + +for _dev in ${ext_if_arr[@]} ; do + if $log_prohibited || $log_all ; then + if $block_ident ; then + $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + if $kernel_activate_forwarding ; then + if $block_ident ; then + $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. 
prohibited: " --log-level $log_level + done + fi + fi + if $block_ident ; then + $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP + done + if $kernel_activate_forwarding ; then + if $block_ident ; then + $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j REJECT --reject-with tcp-reset + fi + for _port in ${block_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP + done + for _port in ${block_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP + done + fi +done + +echo_done +echo + + +# ------------- +# --- Traffic generally allowed +# ------------- + +echononl "\tLoopback device generally allowed.." + +# --- +# - Loopback device +# --- + +$ipt -A INPUT -i lo -j ACCEPT +$ipt -A OUTPUT -o lo -j ACCEPT + +echo_done + + +# --- +# - Allow all Traffic from source mac-address +# --- + +echononl "\tAllow all Traffic from MAC Source-Address" + +if [[ ${#allow_all_mac_src_address_arr[@]} -gt 0 ]] ; then + for _mac in ${allow_all_mac_src_address_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -m mac --mac-source $_mac -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Allow local Traffic from source mac-address +# --- + +echononl "\tAllow local Traffic from MAC Source-Address" + + +if [[ ${#allow_local_mac_src_address_arr[@]} -gt 0 ]] ; then + for _mac in ${allow_local_mac_src_address_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -m mac --mac-source $_mac -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT + 
fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Allow remote Traffic from source mac-address +# --- + +echononl "\tAllow remote Traffic from MAC Source-Address" + + +if [[ ${#allow_remote_mac_src_address_arr[@]} -gt 0 ]] ; then + for _mac in ${allow_remote_mac_src_address_arr[@]} ; do + for _dev in ${ext_if_arr[@]} ; do + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -m mac --mac-source $_mac -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Already established connections +# --- + +echononl "\tAccept already established connections.." + +$ipt -A INPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +$ipt -A OUTPUT -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +if $kernel_activate_forwarding ; then + $ipt -A FORWARD -p ALL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +fi + +echo_done + + +# --- +# - Permit all traffic through VPN lines +# --- +echononl "\tPermit all traffic through VPN lines.." +for _vpn_if in ${vpn_if_arr[@]} ; do + $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + for _local_dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_vpn_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT + done + fi +done +echo_done + + + +# --- +# - Telefon Systems +# --- + +echononl "\tAllow all Traffic between Telefon Systems" +if [[ ${#tele_sys_ip_arr[@]} -gt 1 ]] && $allow_between_tele_systems && ! 
$permit_between_local_networks ; then + for _ip_1 in ${tele_sys_ip_arr[@]} ; do + for _ip_2 in ${tele_sys_ip_arr[@]} ; do + #[[ "$_ip_1" = "$_ip_2" ]] && continue + $ipt -A FORWARD -s $_ip_1 -d $_ip_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Telefon Systems to remote SIP-Server +# --- + +echononl "\tTelefon System to remote SIP-Server" +if [[ ${#tele_sys_ip_arr[@]} -gt 0 ]] ; then + if [ -z "$tele_sys_remote_sip_server_port" -o -z "$tele_sys_local_sip_server_port" ] ; then + echo_failed + warn "Local or remote SIP Port not given"! + else + for _ip in ${tele_sys_ip_arr[@]} ; do + $ipt -A FORWARD -p udp -s $_ip --sport $tele_sys_local_sip_server_port \ + --dport $tele_sys_remote_sip_server_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + echo_done +else + echo_skipped +fi + + + +# --- +# - All request from local networks to the internet +# --- + +echononl "\tPermit all traffic from local networks to the internet.." +if $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Networks not firewalled through extern interfaces +# --- + +echononl "\tAllow these local networks any access to the internet" +if [[ ${#any_access_to_inet_network_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _net in ${any_access_to_inet_network_arr[@]}; do + for _dev in ${ext_if_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p ALL -s $_net -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + + +# --- +# - Allow local services from given local networks +# --- + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! 
+# - +echononl "\tAllow local services from given local networks" +if [[ ${#allow_local_net_to_local_service_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _val in "${allow_local_net_to_local_service_arr[@]}" ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + if [[ "${_val_arr[3]}" = "tcp" ]]; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + + +# --- +# - Allow all traffic from local network to local ip-address +# --- + +echononl "\tAllow all traffic from local network to local ip-address" + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! +# - +if [[ ${#allow_local_net_to_local_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _val in ${allow_local_net_to_local_ip_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow all traffic from local ip-address to local network +# --- + +echononl "\tAllow all traffic from local ip-address to local network" + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! 
+# - +if [[ ${#allow_local_ip_to_local_net_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _val in ${allow_local_ip_to_local_net_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow all traffic from (one) local network to (another) local network +# --- + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! +# - +echononl "\tAllow all traffic from local network to (another) local network" + +if [[ ${#allow_local_net_to_local_net_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _val in ${allow_local_net_to_local_net_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Allow local ip address from given local interface +# --- + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! 
+# - +echononl "\tAllow local ip address from given local interface" + +if [[ ${#allow_local_if_to_local_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _val in ${allow_local_if_to_local_ip_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + $ipt -A FORWARD -p ALL -i ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -i ${_val_arr[0]} -d ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -o ${_val_arr[0]} -s ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_ok +else + echo_skipped +fi + + + +# --- +# - Separate local networks +# --- + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! +# - +echononl "\tSeparate local networks.." + +if [[ ${#separate_local_network_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _net in ${separate_local_network_arr[@]}; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p all -s $_net -j DROP + done + done + echo_done +else + echo_skipped +fi + + + +# --- +# - Separate local interfaces +# --- + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! +# - +echononl "\tSeparate local interfaces.." + +if [[ ${#separate_local_if_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _dev_1 in ${separate_local_if_arr[@]}; do + for _dev_2 in ${local_if_arr[@]} ; do + [[ "$_dev_1" = "$_dev_2" ]] && continue + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p all -j DROP + $ipt -A FORWARD -i $_dev_2 -o $_dev_1 -p all -j DROP + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Permit all traffic between local networks +# --- + +echononl "\tPermit all traffic between local networks.." 
+if $kernel_activate_forwarding ; then + if $permit_between_local_networks ; then + for _dev_1 in ${local_if_arr[@]} ; do + for _dev_2 in ${local_if_arr[@]} ; do + + # - Notice: + # - In case of routing multiple netwoks on the same interface or + # - using alias interfaces like eth0:0, you need a rule with + # - incomming- and outgoing interface are equal! + # - + # - So DON'T add statement like this: + # - [[ "$_dev_2" = "$_dev_1" ]] && continue + # - + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --tcp-flag ACK ACK -j ACCEPT + fi + + done + done + echo_done + else + echo_skipped + fi +else + echo_skipped +fi + + + +# ------------- +# --- Services +# ------------- + +echo +if $terminal ; then + echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" +else + echo "Add Rules for Services.." 
+fi
+
+
+# ---
+# - IPv6 over IPv4 (Tunnel Provider SixXS)
+# ---
+
+echononl "\t\tIPv6 Tunnel SixXS"
+if $local_sixxs_service ; then
+ if [ -n "$tic_server" -a -n "$six_pop_server" ]; then
+ # TIC (tunnel information & control) packages, from/to tic.sixxs.net
+ $ipt -A OUTPUT -p tcp -d $tic_server --dport 3874 -m conntrack --ctstate NEW -j ACCEPT
+
+ # heartbeat packets (outgoing only)
+ $ipt -A OUTPUT -p udp -d $six_pop_server --dport 3740 -m conntrack --ctstate NEW -j ACCEPT
+
+ # 6over4 tunnel packets
+ $ipt -A OUTPUT -p 41 -d $six_pop_server -j ACCEPT
+ $ipt -A INPUT -p 41 -d $six_pop_server -j ACCEPT
+
+ echo_done
+ else
+ echo_skipped
+ fi
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DHCP
+# ---
+
+echononl "\t\tDHCP"
+
+if $local_dhcp_service ; then
+ # - Allow requests from intern networks
+ for _dev in ${local_if_arr[@]} ; do
+ # - in
+ $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
+ # - out
+ $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DHCP Failover
+# ---
+
+echononl "\t\tDHCP Failover Server"
+if $local_dhcp_service && [[ ${#dhcp_failover_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${dhcp_failover_server_ip_arr[@]} ; do
+ $ipt -A INPUT -p tcp --dport $dhcp_failover_port -s $_ip -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $dhcp_failover_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DNS out only
+# ---
+
+echononl "\t\tDNS out only"
+
+# - Nameservers on the INET must be reachable for the local recursiv nameserver
+# - but also for all others
+# -
+for _dev in ${ext_if_arr[@]} ; do
+ # - out from local and virtual mashine(s)
+ $ipt -A OUTPUT -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ #$ipt -A OUTPUT -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true)
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ # - forward from virtual mashine(s)
+ $ipt -A FORWARD -o $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ #$ipt -A FORWARD -o $_dev -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ fi
+done
+
+echo_done
+
+
+# ---
+# - DNS Service Gateway
+# ---
+
+echononl "\t\tDNS Service Gateway"
+
+# - Local Nameservice
+# -
+if $local_dns_service ; then
+
+ # - Allow requests from local networks
+ # -
+ for _dev in ${local_if_arr[@]} ; do
+ # - in
+ $ipt -A INPUT -i $_dev -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Zonetransfere (uses tcp/53)
+ #
+ for _ip in ${dns_server_ips[@]} ; do
+ # - out
+ # -
+ # - local master (here) gets request for a zone from slave ($_ip)
+ $ipt -A INPUT -p tcp -s $_ip --sport $unprivports --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - in
+ # -
+ # - local slave (here) requests zone from master ($_ip)
+ $ipt -A OUTPUT -p tcp --sport $unprivports -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - DNS Services at local Network
+# ---
+
+echononl "\t\tDNS Service local Network"
+
+# - Make nameservers at the local network area rechable for all
+# -
+if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${dns_server_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - SSH out only
+# ---
+
+echononl "\t\tSSH out only"
+
+if $allow_ssh_request_out && ! $permit_local_net_to_inet ; then
+ # - Provide SSH to everywhere (also LAN)
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Service Gateway
+# ---
+
+echononl "\t\tSSH Service Gateway (also from WAN)"
+
+if $local_ssh_service ; then
+ # - Provides SSH in from everywhere
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A INPUT -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Services only local Network
+# ---
+
+echononl "\t\tSSH Services only local Network"
+
+if [[ ${#ssh_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${ssh_server_only_local_ip_arr[@]} ; do
+ for _port in ${ssh_port_arr[@]} ; do
+
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Services DMZ
+# ---
+
+echononl "\t\tSSH Services DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
+ for _ip in "${!ssh_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${ssh_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${ssh_port_arr[@]} ; do
+
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${ssh_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ $ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ # - From intern
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+
+ done
+
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - SSH Service between local Netwotks
+# ---
+
+echononl "\t\tSSH Service between local Netwotks"
+if $allow_ssh_between_local_nets ; then
+ if $kernel_activate_forwarding ; then
+ for _dev_1 in ${local_if_arr[@]} ; do
+
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev_1 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ for _dev_2 in ${local_if_arr[@]} ; do
+
+ if ! $permit_between_local_networks ; then
+ # - Notice:
+ # - In case of routing multiple netwoks on the same interface or
+ # - using alias interfaces like eth0:0, you need a rule with
+ # - incomming- and outgoing interface are equal!
+ # -
+ # - So DON'T add statement like this:
+ # - [[ "$_dev_2" = "$_dev_1" ]] && continue
+ # -
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if [[ "$_dev_2" = "$_dev_1" ]] && $local_alias_interfaces ; then
+ for _port in ${ssh_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p tcp --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ done
+ done
+ fi
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service only out
+# ---
+
+echononl "\t\tVPN Service only out"
+
+if $allow_vpn_out && [[ ${#vpn_out_port_arr[@]} -gt 0 ]]; then
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${vpn_out_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ done
+
+ for _vpn_if in ${vpn_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service Gateway
+# ---
+
+echononl "\t\tVPN Service Gateway"
+
+if $local_vpn_service ; then
+
+ # - Cconnection establishment
+ # -
+ for _port in ${vpn_gw_port_arr[@]} ; do
+ $ipt -A INPUT -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ echo_done
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - VPN Service DMZ
+# ---
+
+echononl "\t\tVPN Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${!vpn_server_dmz_arr[@]} ; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${vpn_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${vpn_local_net_port_arr[@]} ; do
+ $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${vpn_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ done
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) OUT
+# ---
+
+echononl "\t\tHTTP(S) out only"
+
+if $allow_http_request_out && ! $permit_local_net_to_inet ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - HTTP(S) (local) Webserver
+# ---
+
+echononl "\t\tHTTP(S) Services Gateway"
+# - Access to the local Webservice
+if $local_http_service ; then
+ $ipt -A INPUT -p tcp -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) Services only local Network
+# ---
+
+echononl "\t\tHTTP(S) Services only local Network"
+# - Access to the Webservices (LAN)
+if [[ ${#http_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${http_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTP(S) Services DMZ
+# ---
+
+echononl "\t\tHTTP(S) Services DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
+ http_port_arr=(${http_ports//,/ })
+ for _ip in "${!http_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${http_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${http_port_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${http_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ $ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HTTPS Services DMZ (only port 443)
+# ---
+
+echononl "\t\tHTTPS Services DMZ (only port $standard_https_port)"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
+ for _ip in "${!http_ssl_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${http_ssl_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - From extern
+ if $kernel_activate_forwarding ; then
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port
+ fi
+ $ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
+ fi
+
+ # - From intern
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_https_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip --dport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $standard_https_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Service SMTP only out
+# ---
+
+echononl "\t\tMail Services SMTP only out"
+
+if $allow_smtp_request_out && ! $permit_local_net_to_inet ; then
+ # - Provide SMTP out for all to WAN
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -p tcp -o $_dev --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail User Services smtps/pop(s)/imap(s) only out
+# ---
+
+echononl "\t\tMail Services smtps/pop(s)/imap(s) only out"
+
+if $allow_mail_request_out && ! $permit_local_net_to_inet ; then
+ # - Provide using Mailservices (WAN) from whole LAN
+ # -
+ # - Not needed from local machine. But for testing pupose (i.e. telnet )
+ # -
+ # -
+ for _dev in ${ext_if_arr[@]} ; do
+ if $provide_mailservice_from_local ; then
+ # - Note!
+ # - this provides access both to LAN and WAN
+ $ipt -A OUTPUT -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_mailuser_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Service SMTP only local Networks
+# ---
+
+echononl "\t\tMail Service SMTP only local Networks"
+if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]] ; then
+ for _ip in ${mail_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $standard_smtp_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ echo_done
+ done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Services smtps/pop(s)/imap(s) only local Networks
+# ---
+
+echononl "\t\tMail Services smtps/pop(s)/imap(s) only local Networks"
+
+if [[ ${#mail_server_only_local_ip_arr[@]} -gt 0 ]]; then
+ for _ip in ${mail_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Mail Server DMZ
+# ---
+
+echononl "\t\tMail Server DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
+ mail_port_arr=(${mail_user_ports//,/ })
+ mail_port_arr+=("$mail_smtp_port")
+ for _ip in "${!mail_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${mail_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ for _port in ${mail_port_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${mail_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port
+ fi
+ $ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
+ done
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip -m multiport --sports $mail_smtp_port,$mail_user_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP out only
+# ---
+
+echononl "\t\tFTP out only"
+
+if $allow_ftp_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_done
+fi
+
+
+# ---
+# - FTP Service Gateway
+# ---
+
+echononl "\t\tFTP Service Gateway"
+
+if $local_ftp_service ; then
+ $ipt -A INPUT -p tcp --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP Services only local Network
+# ---
+
+echononl "\t\tFTP Service local Networks"
+if [[ ${#ftp_server_only_local_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+ for _ip in ${ftp_server_only_local_ip_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+
+ if ! $permit_between_local_networks ; then
+ $ipt -A FORWARD -p tcp -d $_ip --dport 21 --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ if $local_alias_interfaces ; then
+ # - Control Port
+ $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port activ
+ $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port passiv
+ $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $unprivports --tcp-flag ACK ACK -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - FTP Services DMZ
+# ---
+
+echononl "\t\tFTP Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; then
+ IFS=':' read -a ftp_passive_port_arr <<< "${ftp_passive_port_range}"
+ for _ip in "${!ftp_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${ftp_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ $ipt -A OUTPUT -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - From extern
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -i ${ftp_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20
+ $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]}
+ fi
+ fi
+
+ # - From intern
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ for _dev in ${local_if_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
+ done
+ fi
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+
+ # - Control Port
+ $ipt -A FORWARD -p tcp -d $_ip --dport 21 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 21 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port activ
+ $ipt -A FORWARD -p tcp -d $_ip --dport 20 --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport 20 --tcp-flag ACK ACK -j ACCEPT
+ # - Data Port passiv
+ $ipt -A FORWARD -p tcp -d $_ip --sport $unprivports --dport $ftp_passive_port_range --tcp-flag ACK ACK -j ACCEPT
+
+ fi
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - TFTF Service out only
+# ---
+
+echononl "\t\tTFTF Service out only"
+
+if $allow_tftp_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - TFTP Service Gateway
+# ---
+
+echononl "\t\tTFTF Service Gateway"
+
+if $local_tftp_service ; then
+ $ipt -A INPUT -p udp --dport $tftp_udp_port -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+
+# ---
+# - Samba Service Gateway (only for local Networks)
+# ---
+
+echononl "\t\tSamba Service Gateway (only for local Networks)"
+
+if $local_samba_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Samba Service only between local Networks
+# ---
+
+echononl "\t\tSamba Service only local Networks"
+
+if [[ ${#samba_server_local_ip_arr[@]} -gt 0 ]] ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _ip in ${samba_server_local_ip_arr[@]} ; do
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ if $kernel_activate_forwarding && $allow_samba_between_local_nets && ! $permit_between_local_networks ; then
+
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $local_alias_interfaces ; then
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Samba Service DMZ
+# ---
+
+echononl "\t\tSamba Service DMZ"
+unset no_if_for_ip_arr
+declare -a no_if_for_ip_arr
+
+if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
+ for _ip in "${!samba_server_dmz_arr[@]}"; do
+
+ # - Skip if no interface is given
+ # -
+ if [[ -z "${samba_server_dmz_arr[$_ip]}" ]] ; then
+ no_if_for_ip_arr+=("$_ip")
+ continue
+ fi
+
+ # - From extern
+ if $kernel_activate_forwarding ; then
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ IFS=':' read -a _udp_port_arr <<< ${_port}
+ if [[ -n "${_udp_port_arr[1]}" ]] ; then
+ $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]}
+ else
+ $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ fi
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -i ${samba_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+
+ # - Nat if interface is on a dsl line
+ # -
+ if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
+ $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
+ fi
+ done
+ fi
+
+ # - From intern
+ for _dev in ${local_if_arr[@]} ; do
+ for _port in ${samba_udp_port_arr[@]} ; do
+ $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ for _port in ${samba_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ done
+
+ done
+
+ if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then
+ echo_warning
+ for _ip in ${no_if_for_ip_arr[@]} ; do
+ warn "No Interface given for ip '$_ip'"
+ done
+ else
+ echo_done
+ fi
+
+else
+ echo_skipped
+fi
+
+
+# ---
+# - LDAP and LDAP SSL Service Gateway (only for local Networks)
+# ---
+
+echononl "\t\tLDAP(S) Service Gateway (only for local Networks)"
+
+if $local_ldap_service ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _port in ${ldap_udp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - LDAP and LDAP SSL Service only between local Networks
+# ---
+
+echononl "\t\tLDAP(S) Service only local Networks"
+
+if [[ ${#ldap_server_local_ip_arr[@]} -gt 0 ]] ; then
+ for _dev in ${local_if_arr[@]} ; do
+ for _ip in ${ldap_server_local_ip_arr[@]} ; do
+ for _port in ${ldap_udp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ if $kernel_activate_forwarding && $allow_ldap_between_local_nets && ! $permit_between_local_networks ; then
+
+ for _port in ${ldap_udp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $local_alias_interfaces ; then
+ for _port in ${ldap_tcp_port_arr[@]} ; do
+ $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ done
+ fi
+ fi
+ done
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - NTP out only
+# ---
+
+echononl "\t\tNTP Service out only"
+
+if $allow_ntp_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - NTP Service Gateway
+# ---
+
+echononl "\t\tNTP Service Gateway"
+if $local_ntp_service ; then
+ if ! $allow_ntp_request_out ; then
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ $ipt -A INPUT -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Timeserver (Port 37 NOT NTP!)"
+# ---
+
+echononl "\t\tTimeserver (Port 37 NOT NTP!) out only"
+
+if $allow_timeserver_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - PGP Keyserver out only
+# ---
+
+echononl "\t\tPGP Keyserver out only"
+
+if $allow_pgpserver_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Telnet
+# ---
+
+echononl "\t\tTelnet (only OUT)"
+
+if $allow_telnet_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Whois out only
+# ---
+
+echononl "\t\tWhois out only"
+
+if $allow_whois_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - CPAN Wait only out
+# ---
+
+# - CPAN::WAIT adds some comands to the CPAN shell() to perform searches on
+# - a WAIT server. It connects to a WAIT server using a simple protocoll
+# - resembling NNTP as described in RFC977.
+
+echononl "\t\tCPAN Wait only out"
+
+if $allow_cpan_wait_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_cpan_wait_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - HBCI only out (only forward)
+# ---
+
+echononl "\t\tHBCI only out (only forward)"
+
+if $allow_hbci_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_hbci_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Jabber only out
+# ---
+
+echononl "\t\tJabber only out"
+
+if $allow_jabber_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A OUTPUT -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ $ipt -A FORWARD -o $_dev -p udp --dport $standard_jabber_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Silc only out
+# ---
+
+echononl "\t\tSilc only out"
+
+if $allow_silc_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_silc_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - IRC (Internet Relay Chat) only out
+# ---
+
+echononl "\t\tIRC only out"
+
+if $allow_irc_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -p tcp -o $_dev --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_irc_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - MySQL
+# ---
+
+echononl "\t\tMySQL (only OUT)"
+
+if $allow_mysql_request_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+ $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding ; then
+ $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ done
+
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - CUPS only between local Networks (IPP Port 631)
+# ---
+
+echononl "\t\tCUPS/IPP (Port 631) only between local Networks"
+
+if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
+ for _local_dev_1 in ${local_if_arr[@]} ; do
+ for _local_dev_2 in ${local_if_arr[@]} ; do
+ if ! $local_alias_interfaces ; then
+ [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue
+ fi
+ $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
+# ---
+# - Druck Port 9100 (RAW) only out between local Networks
+# ---
+
+echononl "\t\tRAW Druck Port 9100 only between local Networks"
+
+if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then
+ for _local_dev_1 in ${local_if_arr[@]} ; do
+ for _local_dev_2 in ${local_if_arr[@]} ; do
+ if ! 
$local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $local_alias_interfaces ; then + $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Druck LPD (Port 515) only out between local Networks +# --- + +echononl "\t\tDruck LPD (Port 515) only between local Networks" + +if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_printing_between_local_nets ; then + for _local_dev_1 in ${local_if_arr[@]} ; do + for _local_dev_2 in ${local_if_arr[@]} ; do + if ! $local_alias_interfaces ; then + [[ "$_local_dev_1" = "$_local_dev_2" ]] && continue + fi + $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $local_alias_interfaces ; then + $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Printer +# --- + +echononl "\t\tKnown Printers (Ports: 515/631/9100) only local Networks" +if [[ ${#printer_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks \ + && ! 
$allow_printing_between_local_nets ; then + for _ip in ${printer_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_ipp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT + + $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_ipp_port --tcp-flag ACK ACK -j ACCEPT + + $ipt -A FORWARD -o $_dev -p tcp -d $_ip --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Scanner +# --- + +echononl "\t\tBrother Scanner (Port $brscan_port) only between local Networks" + +if [[ ${#brother_scanner_ip_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding \ + && ! $permit_between_local_networks \ + && $allow_scanning_between_local_nets ; then + for _ip in ${brother_scanner_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + # - UDP + $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT + # - TCP + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. 
+ # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $brscan_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s $_ip --sport $brscan_port --tcp-flag ACK ACK -j ACCEPT + fi + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Other local Services +# --- + +echononl "\t\tOther local Services" + +if [[ ${#other_service_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in ${other_service_arr[@]} ; do + IFS=':' read -a _val_arr <<< "${_val}" + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces && [[ "${_val_arr[2]}" = "tcp" ]] ; then + $ipt -A FORWARD -i $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -s ${_val_arr[0]} --sport ${_val_arr[1]} --tcp-flag ACK ACK -j ACCEPT + fi + done + done + echo_ok +else + echo_skipped +fi + + +# --- +# - Rsync only Out Gateway +# --- + +echononl "\t\tRsync (only OUT) Gateway" + +if $local_rsync_out ; then + for _dev in ${ext_if_arr[@]} ; do + for _port in ${rsync_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Rsync only Out from given local machines +# --- + +echononl "\t\tRsync Out from given local machines" + +if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding && ! 
$permit_local_net_to_inet; then + for _port in ${rsync_port_arr[@]} ; do + for _ip in ${rsync_out_ip_arr[@]} ; do + $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - SNMP Services local Networks +# --- + +echononl "\t\tSNMP Services local Networks" + +if [[ ${#snmp_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then + for _ip in ${snmp_server_ip_arr[@]} ; do + $ipt -A OUTPUT -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p udp -s $_ip --dport $snmp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -d $_ip --dport $snmp_trap_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - WakeOnLan only out into local Networks +# --- + +echononl "\t\tWakeOnLan only out into local Networks" +$ipt -A OUTPUT -p udp --dport 9 -j ACCEPT +echo_done + + +# --- +# - NFS Service (portmapper, mountd, nfs) +# --- + +if $terminal; then + echononl "\t\tNFS Service\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tVoIP\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tSip\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" + + echononl "\t\tSkype\t\t\t\t - \033[37m\033[1mNot yet implemented\033[m -" + echo -e "\033[75G[ \033[37mskipped\033[m ]" +else + echo "NFS Service - Not yet implemented" + echo "VoIP - Not yet implemented" + echo "Sip - Not yet implemented" + echo "Skype - Not yet implemented" +fi + + +# --- +# - PowerChute Network Shutdown local Network +# --- + +echononl "\t\tPowerChute Network Shutdown local Network" + +if [[ 
${#pcns_server_ip_arr[@]} -gt 0 ]] && [[ -n "$usv_ip" ]] ; then + + for _ip in ${pcns_server_ip_arr[@]} ; do + if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then + $ipt -A INPUT -p tcp -s $usv_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -s $usv_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p tcp --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT + fi + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + $ipt -A FORWARD -p tcp -s $usv_ip -d $_ip --dport $pcns_tcp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -s $usv_ip -d $_ip --dport $pcns_udp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port -m conntrack --ctstate NEW -j ACCEPT + fi + + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_tcp_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $pcns_web_port --tcp-flag ACK ACK -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + +# --- +# - Ubiquiti Unifi Accesspoints +# --- + +echononl "\t\tUbiquiti Unifi Accesspoints" +if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] || [[ ${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + if [[ ${#unifi_controller_gateway_ip_arr[@]} -gt 0 ]] ; then + + for _ip_ctl in ${unifi_controller_gateway_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT + if $provide_hotspot ; then + $ipt -A INPUT -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + + done + fi + + if [[ 
${#unify_controller_local_net_ip_arr[@]} -gt 0 ]] ; then + for _ip_ctl in ${unify_controller_local_net_ip_arr[@]} ; do + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports -m conntrack --ctstate NEW -j ACCEPT + if $provide_hotspot ; then + $ipt -A FORWARD -i $_dev -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $unify_controller_ports --tcp-flag ACK ACK -j ACCEPT + if $provide_hotspot ; then + $ipt -A FORWARD -p tcp -d $_ip_ctl -m multiport --dports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip_ctl -m multiport --sports $hotspot_ports --tcp-flag ACK ACK -j ACCEPT + fi + fi + + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - IPMI Tools (e.g. IPMIView) only out +# --- + +echononl "\t\tIPMI Tools (e.g. IPMIView) only out" + +if $allow_ipmi_request_out && ! 
$permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + + for _port in ${ipmi_udp_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_activate_forwarding ; then + + for _port in ${ipmi_udp_port_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - IPMI Tools (e.g. IPMIView) local Networks +# --- + +echononl "\t\tIPMI Tools (e.g. IPMIView) local Networks" + +if [[ ${#ipmi_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${ipmi_server_ip_arr[@]} ; do + + for _port in ${ipmi_udp_port_arr[@]} ; do + $ipt -A OUTPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A OUTPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + if $kernel_activate_forwarding && ! 
$permit_between_local_networks ; then + for _port in ${ipmi_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT + done + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + for _port in ${ipmi_udp_port_arr[@]} ; do + $ipt -A FORWARD -p udp -s $_ip --sport $_port -m conntrack --ctstate NEW -j ACCEPT + done + for _port in ${ipmi_tcp_port_arr[@]} ; do + $ipt -A FORWARD -p tcp -d $_ip --dport $_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $_port --tcp-flag ACK ACK -j ACCEPT + done + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) only out +# --- + +echononl "\t\tRemote Console (VNC) only out" + +if $allow_remote_console_request_out && ! $permit_local_net_to_inet ; then + for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_remote_console_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) local Networks +# --- + +echononl "\t\tRemote Console (VNC) local Networks" + + +if [[ ${#rm_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${rm_server_ip_arr[@]} ; do + + $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_between_local_networks ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Remote Console (VNC) DMZ +# --- + +echononl "\t\tRemote Console (VNC) DMZ" +unset no_if_for_ip_arr +declare -a no_if_for_ip_arr + +if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then + for _ip in ${!rm_server_dmz_arr[@]} ; do + + # - Skip if no interface is given + # - + if [[ -z "${rm_server_dmz_arr[$_ip]}" ]] ; then + no_if_for_ip_arr+=("$_ip") + continue + fi + + # - From Gateway + $ipt -A OUTPUT -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding ; then + + # - From extern + + # - Nat if interface is on a dsl line + # - + if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then + $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port + fi + $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + + # - From intern + if ! 
$permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $remote_console_port --tcp-flag ACK ACK -j ACCEPT + fi + fi + done + + if [[ ${#no_if_for_ip_arr[@]} -gt 0 ]] ; then + echo_warning + for _ip in ${no_if_for_ip_arr[@]} ; do + warn "No Interface given for ip '$_ip'" + done + else + echo_done + fi + +else + echo_skipped +fi + + +# --- +# - Munin Service Gateway +# --- + +echononl "\t\tMunin Service Gateway" + +if $local_munin_server ; then + + if $provide_munin_service_to_inet ; then + # - Provide Service for local and extern networks + # - + $ipt -A OUTPUT -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + else + # - Provide Service only for for local network + # - + for _dev in ${local_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin Service local Networks +# --- + +echononl "\t\tMunin Service local Networks" +if [[ ${#munin_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${munin_local_server_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + if ! 
$permit_between_local_networks ; then + $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --sport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $munin_local_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Munin remote Server +# --- + +echononl "\t\tMunin remote Server" + +if [[ -n $munin_remote_server ]] && [[ ${#munin_local_client_ip_arr[@]} -gt 0 ]]; then + + for _ip in ${!munin_local_client_ip_arr[@]} ; do + if containsElement "$_ip" "${gateway_ipv4_address_arr[@]}" ; then + $ipt -A INPUT -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + elif $kernel_activate_forwarding ; then + $ipt -t nat -A PREROUTING -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server --dport $munin_local_port -j DNAT --to $_ip:$munin_local_port + $ipt -A FORWARD -i ${munin_local_client_ip_arr[$_ip]} -p tcp -s $munin_remote_server -d $_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + +# --- +# - XyMon local service +# --- + +echononl "\t\tXyMon Service Gateway" + +if $local_xymon_server ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A INPUT -i $_dev -p tcp --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - XyMon Service Intranet +# --- + +echononl "\t\tXyMon Service Intranet" + +if [[ ${#xymon_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${xymon_server_ip_arr[@]} ; do + if $local_xymon_client ; then + $ipt -A OUTPUT -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + fi + if 
$kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p tcp -d $_ip --dport $xymon_port -m conntrack --ctstate NEW -j ACCEPT + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --dport $xymon_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --sport $xymon_port --tcp-flag ACK ACK -j ACCEPT + fi + done + + echo_done +else + echo_skipped +fi + + + +# ------------- +# --- Portforwarding +# ------------- + +# --- +# - Portforwarding TCP +# --- + +echo +echononl "\tPortforwarding TCP" + +if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in "${portforward_tcp_arr[@]}" ; do + + # - Split value + # - + IFS=':' read -a _val_arr <<< "${_val}" + + # - DNAT + # - + $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p tcp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]} + + # - Allow Packets + # - + $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Portforwarding UDP +# --- + +echononl "\tPortforwarding UDP" + +if [[ ${#portforward_udp_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then + for _val in "${portforward_udp_arr[@]}" ; do + + # - Split value + # - + IFS=':' read -a _val_arr <<< "${_val}" + + # - DNAT + # - + $ipt -t nat -A PREROUTING -i ${_val_arr[0]} -p udp --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j DNAT --to ${_val_arr[2]}:${_val_arr[3]} + + # - Allow Packets + # - + $ipt -t filter -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[2]} --dport ${_val_arr[3]} -m conntrack --ctstate NEW -j ACCEPT + + done + echo_done +else + echo_skipped +fi + + +# --- +# - UNIX Traceroute +# --- + +echo +echononl "\tUNIX 
Traceroute" + +# versendet udp packete im gegensatz zu tracert von windows +# der icmp-echo-request pakete versendet +# einige implementierungen von traceroute (linux) erm�lichens +# die option -I und versenden dann ebenfalls icmp-echo-request pakete + +for _dev in ${ext_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ipt -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + fi +done + +echo_done + + +# ------------- +# --- ICMP Traffic (i.e. ping requests) +# ------------- + +echononl "\tPermit all ICMP traffic.." +if $permit_all_icmp_traffic ; then + $ipt -A INPUT -p icmp -j ACCEPT + $ipt -A OUTPUT -p icmp -j ACCEPT + $ipt -A FORWARD -p icmp -j ACCEPT + echo_done +else + echo_skipped +fi + + + +# --- +# - Deny between local networks +# --- + +echo +echononl "\tDeny all traffic between local networks.." +if $kernel_activate_forwarding ; then + if ! $permit_between_local_networks ; then + for _dev_1 in ${local_if_arr[@]} ; do + for _dev_2 in ${local_if_arr[@]} ; do + if $log_rejected || $log_all ; then + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level + fi + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP + done + done + echo_done + else + echo_skipped + fi +else + echo_skipped +fi + + +# ------------- +# --- Log traffic not matched so far +# ------------- +echo + +echononl "\tLog traffic not matched so far.." 
+if $log_rejected || $log_all ; then + $ipt -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level + $ipt -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level + $ipt -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level + #$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level + #$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level + #$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level + echo_done +else + echo_skipped +fi + + + +# ------------- +# --- DROP traffic not matched so far +# ------------- +echononl "\tDROP traffic not matched so far.." + +# - drop all other for all interfaces.. +# +$ipt -A INPUT -j DROP +$ipt -A OUTPUT -j DROP +$ipt -A FORWARD -j DROP +# +# ---------- Ende: DROP ---------- + +echo_done + + +# --- +# - Warning, if no intern (local) interface is configured +# --- + +if [[ ${#local_if_arr[@]} -lt 1 ]] ; then + echo "" + echo "" + if $terminal ; then + echo -e "\t\033[33m\033[1m----------\033[m" + else + echo "----------" + fi + warn "No local Interface is configured!" + if $terminal ; then + echo -e "\t\033[33m\033[1m----------\033[m" + else + echo "----------" + fi +fi + +echo +exit 0 + diff --git a/BLKR/src/ipt-gateway b/BLKR/src/ipt-gateway new file mode 160000 index 0000000..aa6a6aa --- /dev/null +++ b/BLKR/src/ipt-gateway @@ -0,0 +1 @@ +Subproject commit aa6a6aa992674fd0d21c32505550e49e7cb4afca