Office_Networks/GA-Schloss/ipt-firewall/ipt-firewall-gateway.conf

#!/usr/bin/env bash

## - Configuration file for firewall script IPv4
## -    ipt-firewall-gateway
## -    ipt-firewall-flush
## -

#######################################################################
# -------------------------- Configuration -------------------------- #

# =============
# --- Define programs
# =============

ipt=/sbin/iptables
tc=/sbin/tc


# =============
# -  Load Kernel Modules
# =============

/sbin/modprobe ip_tables > /dev/null 2>&1
/sbin/modprobe iptable_nat > /dev/null 2>&1
/sbin/modprobe iptable_filter > /dev/null 2>&1
/sbin/modprobe iptable_mangle > /dev/null 2>&1
/sbin/modprobe iptable_raw > /dev/null 2>&1

/sbin/modprobe nf_conntrack > /dev/null 2>&1
/sbin/modprobe nf_nat > /dev/null 2>&1

# - Note:! 
# -    Since Kernel 4.7 the automatic conntrack helper assignment
# -    is disabled by default (net.netfilter.nf_conntrack_helper = 0).
# -    Enable it by setting this variable in file /etc/sysctl.conf:
# -
# -       net.netfilter.nf_conntrack_helper = 1
# -
# -    Reboot or type "sysctl -p"

# - Load module for FTP Connection tracking and NAT
# -
/sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1
/sbin/modprobe nf_nat_ftp > /dev/null 2>&1

# - Load modules for SIP VOIP
# -
/sbin/modprobe nf_conntrack_sip > /dev/null 2>&1
/sbin/modprobe nf_nat_sip > /dev/null 2>&1



# =============
# --- Logging
# =============

log_all=false

log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_prohibited=false
log_voip=false
log_rejected=true

log_ssh=false

# - Log using the specified syslog level. 7 (debug) is a good choice 
# - unless you specifically need something else. 
# -
log_level=debug

# - logging messages
# -
log_prefix="IPv4:"


# ---
# - Log all traffic for givven ip address
# ---

log_ips=""



# =============
# --- Define Network Interfaces / Ip-Adresses / Ports
# =============

# - Extern Interfaces DSL Lines
# -    (blank separated list)
ext_if_dsl_1="ppp-st"
ext_if_dsl_2="ppp-surf1"
ext_if_dsl_3=""
ext_if_dsl_4=""

ext_ifs_dsl="$ext_if_dsl_1 $ext_if_dsl_2 $ext_if_dsl_3 $ext_if_dsl_4"

# - Extern Interfaces Static Lines
# -    (blank separated list)
ext_if_static_1="eth9"
ext_if_static_2=""
ext_if_static_3=""
ext_if_static="$ext_if_static_1 $ext_if_static_2 $ext_if_static_3"

# - VPN Interfaces
# -    (blank separated list)
vpn_ifs="tun+"

# - Local Interfaces
local_if_1="bond1"
local_if_2="bond0.11"
local_if_3="bond0.77"
local_if_4="bond0.78"
local_if_5="eth3"
local_if_6="eth7"
local_if_7=""

local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"

# - Are local alias interfaces like eth0:0 defined"
# -
local_alias_interfaces=true



# =============
# --- Define Ports for Services out
# =============

standard_ident_port=113
standard_silc_port=706
standard_irc_port=6667
standard_jabber_port=5222
standard_smtp_port=25
standard_ssh_port=22
standard_http_port=80
standard_https_port=443
standard_ftp_port=21
standard_tftp_udp_port=69
standard_ntp_port=123
standard_timeserver_port=37
standard_pgp_keyserver_port=11371
standard_telnet_port=23
standard_whois_port=43
standard_cpan_wait_port=1404
standard_hbci_port=3000
standard_mysql_port=3306
standard_cups_port=631
standard_print_port=9100
standard_remote_console_port=5900


# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"



# =============
# --- Interfaces completly blocked
# =============

# - Interfaces to block (note: they will all be blocked)
# -
# - Here: eth1 is used for DSL Line, that becomes an extra 
# - interface (ppp-light). A further use of eth1 (which would 
# - be possible) is not configured at time, so you can block it.
# -
blocked_ifs=""



# =============
# --- Interfaces not firewalled
# =============

# - Note:
# - Can be (for example) an interface, whose (complete) traffic is 
# - protected by a firewall on an other system in the local area 
# -
# - Here: the static line castle stockhausen
# -
unprotected_ifs=""


# =============
# --- Networks not firewalled through extern interfaces
# =============

# - Allow these networks any access to the internet.
# -
# - Blank separated list of networks
# -
any_access_to_inet_networks=""



# =============
# - Allow local services from given local networks
# =============

# - allow_local_net_to_local_service
# - 
# - allow_local_net_to_local_service="local-net:local-service:port:protocol"
# -
# - Only 'tcp' and 'udp' are allowed valuse for protocol.
# -
# - Use this parameter to (only) give some local netwoks access to special local 
# - services (but not for all local networks as you can configure later).
# -
# - If you plan to separate local networks (see parameter 'separate_local_networks'), but 
# - to allow these networks some special local services, you can also use this parameter.
# -
# - Example:
# -    allow access from 10.113.0.0/16 to https service at 192.168.10.1
# -    allow access from 10.113.0.0/16 to https service at 192.168.10.13
# -
# -    allow_local_net_to_local_service="10.113.0.0/16:192.168.10.1:$standard_https_port:tcp 
# -                                      10.113.0.0/16192.168.10.13:$standard_https_port:tcp"
# -
# - Blank separated list
# -    
allow_local_net_to_local_service="10.113.0.0/16:192.168.10.1:$standard_https_port:tcp
                                  10.113.0.0/16:192.168.10.13:$standard_https_port:tcp"
#allow_local_net_to_local_service=""




# =============
# --- Separate local Networks
# =============

# - Don't allow these networks any connections to other local networks
# -
# - Example:
# -    separate_local_networks="10.113.1.0/24 10.113.2.0/24"
# -
# - 10.113.0.0/16: Accesspoint Networks Schloss
# - 10.123.0.0/16: Accesspoint Networks Altenschlirf
# -
separate_local_networks="10.113.0.0/16 10.123.0.0/16"
#separate_local_networks=""



# =============
# --- Traffic Shaping
# =============

TRAFFIC_SHAPING=false

RATE_UP=10000
LIMIT_UP=$(expr $RATE_UP / 100 \* 85)

LIMIT_CLASS=$(expr $LIMIT_UP / 7)

RTP_PORTS_START=49152
RTP_PORTS_END=49408
SIP_PORT_REMOTE=5060
SIP_PORT_LOCAL=5067
SIP_LOCAL_IP=192.168.63.240
STUN_PORTS=3478

TC_DEV=$ext_if_dsl_1



# =============
# ---- Allow Forwarding (private) IPs / IP-Ranges
# =============

# - Maybe useful in case of virtual hosts with private addresses or
# - if using a vpn network to forward into private areas.
# -
# - Note: this rules takes affect before rules to protect against
# -       unwanted packages e.g. blocking private addresses on
# -       externel interfaces.
# -       
# - Note: you can specify networks using CIDR notation
# -       like "192.168.2.0/24"
# -
forward_private_ips=""



# =============
# --- Services local machine / local networksa
# =============

# ======
# - IPv6 over IPv4 (SixXS)
# ======

local_sixxs_service=false
tic_server=tic.sixxs.net
six_pop_server=deham01.sixxs.net


# ======
# - VPN Service
# ======

# - VPN Service on Gateway?
local_vpn_service=true
vpn_gw_ports="1194 1195 1196"

# - VPN Services DMZ (reachable also from WAN)
# -
# - vpn_server_dmz_arr=[<ip-address>]=<dsl-device>
# -
# - Note:
# -    Each extern interface can have only one thuch service 
# -
# - Example:
# -   vpn_server_dmz_arr[192.168.10.1]=$ext_if_dsl_1
# -   vpn_server_dmz_arr[192.168.10.13]=$ext_if_dsl_2
# -
declare -A vpn_server_dmz_arr
#vpn_server_dmz_arr[192.168.10.1]=$ext_if_dsl_1

# - Local VPN Ports
# -
# - Blank separated list
vpn_local_net_ports="1194"


# ======
# - DHCP Service
# ======

# - DHCP Server Gateway
local_dhcp_service=true


# ======
# - DNS Service
# ======

# - DNS Service Gateway
local_dns_service=true

# - DNS Server local Networks
# -
# - 192.168.11.1    - ga-schloss
# - 192.168.11.3    - GAASDC03.ga.intra (windows server Schloss)
# - 192.168.10.254  - ga-al
# - 192.168.10.3    - GAASDC01.ga.intra (Windows Server Altenschlirf)
# - 192.168.81.1    - ga-nh (Novalishaus)
# - 
# - Blank separated list
dns_server_ips="192.168.11.1 192.168.11.3 192.168.10.3 192.168.10.254 192.168.81.1 172.16.0.1"


# ======
# - SSH
# ======

# - SSH Service Gateway
local_ssh_service=true

# - SSH Ports
# -
# - blank separated list
# -
ssh_ports="22"


# ======
# - HTTP(S) Service
# ======

# - HTTP(S) Service Gateway
local_http_service=false

# - HTTP(S) Services only locale Networks
# -
# - Telefonanlage
# - =============
# - 192.168.10.20    Telefon Anlage Altenschlirf
# - 192.168.11.20    Telefon Anlage Schloss
# - 192.168.81.20    Telefon Anlage Novalishaus
# -
# - 192.168.10.16    Xymon Server
# - 
# - Drucker
# - =======
# - 
# -
# - Switches
# - ========
# - 172.16.0.243     Uplink Schloss / IPMI Altenschlirf
# -
# -
# - IPMI
# - ====
# - 172.17.0.15      IPMI Gateway Altenschlirf
# -
# - Blank separated list of ipv4-addresses
# -
http_server_only_local_ips="
   172.16.0.243
   172.17.0.15
   192.168.10.20
   192.168.11.20
   192.168.81.20
   192.168.10.16"

# - HTTP(S) Services DMZ (reachable also from WAN)
# -
# - http_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Note:
# -    Each extern interface can have only one service on a certain port.
# -
# - 192.168.10.1     Mail Server incomming on ppp-st ($ext_if_dsl_1)
# - 192.168.10.13    Citrix Server incomming on ppp-surf1 ($ext_if_dsl_2)
# -
# - Example:
# -    http_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2
# -    http_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1
# -
# - WebServer Luna: 192.168.63.20 (ppp-ckubu = $ext_if_dsl_1)
declare -A http_server_dmz_arr
#http_server_dmz_arr[192.168.10.1]=$ext_if_dsl_1

# - HTTPS Services DMZ only port 443 (reachable also from WAN)
# -
# - http__ssl_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - Note:
# -    Each extern interface can have only one thuch service 
# -
# - 192.168.10.1     Mail Server incomming on ppp-st ($ext_if_dsl_1)
# - 192.168.10.13    Citrix Server incomming on ppp-surf1 ($ext_if_dsl_2)
# -
# - Example:
# -
# -    http_ssl_server_dmz_arr[192.168.10.1]=$ext_if_dsl_1
# -    http_ssl_server_dmz_arr[192.168.10.13]=$ext_if_dsl_2
# -
declare -A http_ssl_server_dmz_arr
http_ssl_server_dmz_arr[192.168.10.1]=$ext_if_dsl_1
http_ssl_server_dmz_arr[192.168.10.13]=$ext_if_dsl_2

# - HTTP(S) Ports 
# -
# - comma separated list
# -
http_ports="80,443"


# ======
# - Mail Services
# ======

# - Mailserver (SMTP(POP/IMAP) Gateway
# -
# - NOT YET IMPLEMENTED
# -
#local_mail_service=false

# - Mail Services smtp,smtps/pop(s)/imap(s) only local Networks
# -
# - comma separated list
# -
mail_server_only_local_ips=""

# - Mails Services DMZ smtp,smtps/pop(s)/imap(s) (reachable also from WAN)
# -
# - mail_server_dmz_arr[<ip-address>]=<dsl-device>
# -
# - multiple declarations are possible
# -
# - Example:
# -    Mail Server:   192.168.10.1 incomming on ppp-st ($ext_if_dsl_1)
# -
# -    mail_server_dmz_arr[192.168.10.1]=$ext_if_dsl_1
# -
declare -A mail_server_dmz_arr
mail_server_dmz_arr[192.168.10.1]=$ext_if_dsl_1

# - Mail client ports (smtps/pop(s)/imap(s)
# -
# - comma separated list
mail_user_ports="587,465,110,995,143,993"

# - Mail Server (local Networks) SMTP Port
# -
mail_smtp_port=$standard_smtp_port


# ======
# - FTP Service
# ======

# - FTP Service Gateway
# -
local_ftp_service=false

# - FTP Server at local Networks
# -
# - comma separated list
# -
ftp_server_only_local_ips=""

# - FTP Service DMZ
# -
# - Note:
# -    Each extern interface can have only one thuch service 
# -
# - ftp_server_dmz_arr[<ip-address>]=<dsl-device>
# - ftp_passive_port_range=<first-port:last-port>
# -
declare -A ftp_server_dmz_arr
#ftp_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1
ftp_passive_port_range="50000:50400"

# - FTP Ports
# -
# - Hard scriptetd:
# -    FTP Control Port: 21
# -    FTP Data Port:    20


# ======
# - TFTP Service Gateway
# ======

# - TFTP Server Gateway (Port udp 69)
local_tftp_service=false

# - TFTP Server at local Networks
# -
# - 192.168.10.20   - Telefonanlage (Schloss)
# -
tftp_server_ips="192.168.10.20"

# - TFTF Ports
# -
# - Note: its udp !
# -
tftp_udp_port=69


# ======
# - LDAP Service
# ======

# - Is this a LDAP Server ?
# -
local_ldap_service=false

# - LDAP Service local Networks
# -
# - Ports: 389 udp 
# -        389 tcp
# -
# - Ports LDAP SSL: 636 tcp
# -
ldap_server_local_ips=""
ldap_udp_ports="389"
ldap_tcp_ports="389 636"


# ======
# - Samba Service
# ======

# - Samba Server Gateway
# -
local_samba_service=false

# - Samba Service
# -
# - Ports: 137,138 udp 
# -        139,445 tcp
# -
samba_udp_ports="137:138"
samba_tcp_ports="137 138 139 445"

# - Samba Service local networks
# -
# - ??     Windows Server Altenschlirf
# -
samba_server_local_ips=""

# - Samba Service DMZ
# - 
# - Note:
# -    Each extern interface can have only one thuch service 
# -
# -    samba_server_dmz_arr[<ip-address>]=<dsl-device>
# -
declare -A samba_server_dmz_arr
#samba_server_dmz_arr[192.168.10.10]=$ext_if_dsl_1


# ======
# - NTP Service
# ======

# - NTP Service Gateway
# -
local_ntp_service=true


# ======
# - SNMP Service
# ======

# - SNMP services local Networks
# -
# - Blank separated list of ipv4-addresses
# -
snmp_server_ips=""

# - SNMP Port
# -
snmp_port="161"


# ======
# - Mumble Service
# ======

# - NOT YET IMPLEMENTED

# - Mumble ports
mumble_ports="64738"


# ======
# - XyMon Service
# ======

# - XyMon Service Gateway (usually TCP port 1984)
# -
local_xymon_server=false

# - XyMon Service (usually TCP port 1984)
# -
# - Comma separated list of ip's
# -
xymon_server_ips="192.168.10.16"
local_xymon_client=""

# - XyMon Ports
# -
xymon_port=1984


# ======
# - Munin Service
# ======

# - Munin Service Gateway (usually TCP port 4949)
# -
local_munin_server=false

# - If 'local_munin_server=' provide service also to inet?
# -
provide_munin_service_to_inet=true
munin_remote_port="4949"

# - Munin Server local Networks (usually TCP port 4949)
# -
# - Blank separated list
munin_local_server_ips=""

# - Munin Remote Server
# -
# - Note: 
# - The munin server himself initiates the connection to the concerning clients.
# - In case of natted (local) networks you have to also nat the incomming
# - requests from munin server.
# -
# - Note:
# -    Each extern interface can have only one thuch service 
# -
# - munin_local_client_ip_arr[<ip-address>]=<dsl-device>
# -
#munin_remote_server="83.223.86.163"
munin_remote_server=""

# - Munin - clients on local network (server is $munin_remote_server)
# -
# - Example:
# -    munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1
# -
declare -A munin_local_client_ip_arr
#munin_local_client_ip_arr[192.168.63.20]=$ext_if_dsl_1

# - Munin Port
# -
munin_local_port=4949


# ======
# - PowerChut Network Shutdown (PCNS)
# ======

# - PCNS local Services
# -
pcns_server_ips=""

# - local USV
# -
usv_ip=""

# - PCNS Ports
# -
# - Webinterface (https): tcp 6547
# - Connection usv:       tcp/udp 3052
# -
pcns_tcp_port=3052
pcns_udp_port=3052
pcns_web_port=6547


# ======
# - Remote Console (VNC Service)
# ======

# - VNC Service local network
# 
# - Blank separated list
# -
# - 172.17.0.15      IPMI Gateway Altenschlirf
# - 172.16.11.15     IPMI Gateway Schloss
# - 10.11.11.16      IPMI Gateway Ersatz
# - 192.168.81.15  Gateway Novalishaus
# -
rm_server_ips="172.17.0.15 172.16.11.15 10.11.11.16 192.168.81.15"

# - VNC Service DMZ
# -
# - Note:
# -    Each extern interface can have only one thuch service 
# -
# -    rm_server_dmz_arr[<ip-address>]=<dsl-device>
# -
declare -A rm_server_dmz_arr
#rm_server_dmz_arr[192.168.63.20]=$ext_if_dsl_1

# - Remote Console (VNC) Port
# -
remote_console_port=5900


# ======
# - Ubiquiti Unifi
# ======

# - Notice:
# -    The Accesspoint IP is not needed (i think so), because the 
# -    AP uses port 8080 for cummunication with the controller, and
# -    this port will be configured with the rules concerning the 
# -    controllers.
# -
# - again: setting unifi_ap_local_ips is not needed
#unifi_ap_local_ips="192.168.64.50"

unifi_controller_gateway_ips=""
unify_controller_local_net_ips=""
unify_controller_ports="8080,8443"

provide_hotspot=true
hotspot_ports="8880,8843"


# ======
# - IPMI Tools 
# ======

# - IPMI Tools local Networks
# -
# - Blank seoarated list
# -
# - 172.17.0.15    Gateway Altenschlirf
# - 172.16.11.15   Gateway Schloss
# - 10.11.11.16    Ersatz Gateway
# - 192.168.81.15  Gateway Novalishaus
# -
ipmi_server_ips="
   172.17.0.15
   172.16.11.15
   10.11.11.16
   192.168.81.15"

# - IPMI Tools Port
# -
# - UDP 623:  Access IPMI Programms (as IPMIView or FreeIPMI)
# - TCP 623:  Virtual Media for Remote Console
# - TCP 3520: "This is TCP Port 3520 which is also needed in addition to TCP port 5900 to be able to use iKVM."
# -
ipmi_udp_port=623
ipmi_tcp_ports="623 3520"


# =============
# - Protocols Out for give src ip-addresses
# =============

# - Rsync Protocol
# -
# - The given server address (from local network) can access rsyncd at (any) remote machine
# -
# - Needed for some integrated provider of clamav-unofficial-sigs
# -
local_rsync_out=false
rsync_out_ips=""
rsync_ports="873"



# =============
# --- Scanner
# =============

# ======
# - Brother (brscan)
# ======

# - IP Adresses Brother Scanner
# -
# - Blank seoarated list
# -
brother_scanner_ips=""
brscan_port=54921



# =============
# --- Telefon Systems
# =============

# - IP Adresses Telephone Systems (Telefonanlagen)
# -
# - Dont't foregt to add ip-adresses also to http(s) service if the
# - systems provide webinterfaces!
# -
tele_sys_ips="
   192.168.10.20
   192.168.11.20
   192.168.81.20"
tele_sys_remote_sip_server_port=5060
tele_sys_local_sip_server_port=5067
allow_between_tele_systems=true

VOIP_PORTS="69 5000:5099 7775 32000:32512"
# -    TFTP=69 (used from telephones getting their connection data / firmwareupdate )
# -    RTP_PORTS= UDP i.e. 5000:5099 or here
# -    RTP_PORTS_END=5099
#SIP_PORT_REMOTE=5060
#SIP_PORT_LOCAL=5067
#SIP_LOCAL_IP=192.168.63.240
#STUN_PORTS=3478
udp_voip_ports="7775 5000:5099"


# =====
# - Telekom Internet TV (Entertain)
# =====

telekom_internet_tv=false
tv_ip=""
tv_extern_if="eth2.8"
tv_local_if="$local_if_1"


# =============
# --- Masuqerading
# =============

# - Masquerade TCP Connections
# -
# -    masquerade_tcp_con="<src-network>:<dst-host>:<dst-port>:<output-device> [<src-network>:<dst-host>:..]"
# -
# -    172.16.11.254: Zyxel Speedport 5501
# -    192.168.11.29: VNC Service Heizungssystem
# -
# -    masquerade_tcp_con="10.0.0.0/8:172.16.11.254:80:${local_if_7} 
# -                        10.0.0.0/8:192.168.62.244:443:${local_if_1}"
# -
masquerade_tcp_cons="10.0.0.0/8:192.168.11.29:5900:${local_if_1}
                     192.168.63.0/24:192.168.11.29:5900:${local_if_1}
                     192.168.10.131/32:192.168.11.29:5900:${local_if_1}
                     10.0.0.0/8:172.16.11.254:80:${ext_if_static_1}
                     192.168.63.0/24:172.16.11.254:80:${ext_if_static_1}"


# =============
# --- Portforwarding
# =============

# - Portforwarding TCP
# -
# - portforward_tcp="<device-in>:<port-in>:<ip-to-forward>:<port-out>"
# -
# - multiple declarations are possible
# - 
# - Example:
# -    portforward_tcp="$ext_if_dsl_1:9997:192.168.52.25:22 $ext_if_dsl_1:9998:192.168.53.24:22"
# -
portforward_tcp=""

# - Portforwarding UDP
# -
# - portforward_udp="<device-in>:<udp-port-in>:<ip-to-forward>:<udp-port-out>"
# -
# - multiple declarations are possible
# - 
# - Example:
# -    portforward_udp="$ext_if_dsl_1:1094:192.168.52.25:1094 $ext_if_dsl_1:9999:192.168.53.24:1095"
# -
portforward_udp=""



# =============
# --- Basic behavior
# =============

# ===
# = Services allowed out to the world wide web
# ===

allow_ssh_request_out=true
allow_http_request_out=true
allow_smtp_request_out=true
allow_mail_request_out=true
allow_ftp_request_out=true
allow_tftp_request_out=true
allow_ntp_request_out=true
allow_timeserver_request_out=true
allow_pgpserver_request_out=true
allow_telnet_request_out=true
allow_whois_request_out=true
allow_cpan_wait_request_out=true
allow_hbci_request_out=true
allow_jabber_request_out=true
allow_silc_request_out=true
allow_irc_request_out=true
allow_mysql_request_out=true
allow_ipmi_request_out=true
allow_remote_console_request_out=true

allow_samba_requests_out=true

allow_vpn_out=true
vpn_out_ports="1194 1195 1196"


# ===
# = Services allowed between local networks
# ===

# - These Parameters are only considered, if traffic 
# - between local networks are not permitted, thats 
# - if 'permit_between_local_networks=false' (see below).
# - 
allow_ssh_between_local_nets=true
allow_samba_between_local_nets=false
allow_ldap_between_local_nets=false
allow_printing_between_local_nets=true
allow_scanning_between_local_nets=true


# ===
# = Other Parameters
# ===

# - Permit internet access to all machines at local network
# - Does not include this server itself
# -
permit_local_net_to_inet=true

# - Do not block any traffic between local machines
# -
permit_between_local_networks=true

# - Do not block any ICMP traffic
# -
permit_all_icmp_traffic=true

# - Access to Mailservices (LAN and WAN) (pop/imap/smtps) from local (gateway) machine.
# -
# - Maybe useful for testing purpose with telnet or openssl
# -
provide_mailservice_from_local=true

# - iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. 
# - It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, 
# - SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters.
# -
create_iperf_rules=false



# =============
# - MAC Address Filtering
# =============

# - MAC Addreses alowed to all destinations (gateway, remote, local networks)
# -
# - Blank separated list
# -
#allow_all_mac_src_addresses="c4:54:44:30:d3:0f"
allow_all_mac_src_addresses=""

# - MAC Addreses alowed to local networks (gateway, local networks)
# -
# - Blank separated list
# -
#allow_local_mac_src_addresses="c4:54:44:30:d3:0f"
allow_local_mac_src_addresses=""


# - MAC Addreses alowed to remote networks
# -
# - Blank separated list
# -
#allow_remote_mac_src_addresses="c4:54:44:30:d3:0f"
allow_remote_mac_src_addresses=""




# =============
# --- Block IP's / IP-Ranges
# =============

# -    222.184.0.0/13 CHINANET-JS
# -    61.160.0.0/16 - CHINANET-JS
# -    116.8.0.0/14 CHINANET-GX
# -
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14"


# =============
# --- Block Ports on extern Interfaces
# =============

# - Generally (for all interfaces) block this ports
# -
# - Portmapper
# - tcp 111
# - udp 111
# -
# - Authentication tap ident
# - tcp 113
# -
# - Location Service
# - tcp 135
# -
# - Windows Stuff
# - tcp 137:139
# - udp 137:139
# - tcp 445
# -
block_tcp_ports="111 135 631"
block_udp_ports="111"
if ! $allow_samba_requests_out ; then
   block_tcp_ports="$block_udp_ports 137:139 445"
   block_udp_ports="$block_udp_ports 137:139"
fi

block_ident=true


# =============
# - Packets not wanted on gateway on local Interfaces
# =============

not_wanted_on_gw_tcp_ports="111 113 135 631"
not_wanted_on_gw_udp_ports="111 631"
if ! $local_samba_service ; then
   not_wanted_on_gw_tcp_ports="$not_wanted_on_gw_tcp_ports 137:139 445"
   not_wanted_on_gw_udp_ports="$not_wanted_on_gw_udp_ports 137:139"
fi

not_wanted_ident=true


# =============
# --- Router 
# =============

# - Set to "true" to secure/tune the kernel
# -
adjust_kernel_parameters=true

# - Protection against several attacks
# -
protect_against_several_attacks=true



# =============
# --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
# =============

# - Activate forwarding
# -
# - Enable/disable forwarding to and between interfaces
# -
kernel_activate_forwarding=true

# - Activate kernel support for dynamic IP adresses
# - (not needed in case of static IP)
# -
# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
# -
# - The values for the ip_dynaddr sysctl are [*]:
# -
# -   1:  To enable:
# -   2:  To enable verbosity:
# -   4:  To enable RST-provoking:
# -   8:  To enable asymetric routing work-around [**]
# -
# -  [*] At boot, by default no address rewriting is attempted.
# -  [**] This code is currently totaly untested.
# -
# - Flags can be combined by adding them. Common settings
# - would be:
# -
# - To enable rewriting in quiet mode:
# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable rewriting in verbose mode:
# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
# - To enable quiet RST-provoking mode (1+4):
# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
# - ...
# -
kernel_support_dynaddr=true
dynaddr_flag="5"

# - Reduce DoS'ing ability by reducing timeouts
# -
kernel_reduce_timeouts=true

# - Hardening TCP/IP Stack Against SYN Floods
# -
# - Enable syn cookies prevents against the common 'syn flood attack'
# -
kernel_tcp_syncookies=true

# - Protection against ICMP bogus error responses
# -
kernel_protect_against_icmp_bogus_messages=true

# - Ignore Broadcast Pings
# -
kernel_ignore_broadcast_ping=true

# - Deactivate Source Routed Packets
# -
kernel_deactivate_source_route=true

# - Deactivate sending ICMP redirects
# -
# - Note: IP TV requires sending ICMP redirects. So if IP TV is provided, this
# -       Parameter will be set to "false"
# -
# - ICMP redirects are used by routers to specify better routing paths out of 
# - one network, based on the host choice, so basically it affects the way 
# - packets are routed and destinations. 
# -
kernel_dont_accept_redirects=true

# - Activate Reverse Path Filtering (Antispoofing)
# -
# - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen 
# - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen, 
# - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
# - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für 
# - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle 
# - nicht voll funktionsfähig ist. 
# -
kernel_activate_rp_filter=true

# - Logging of spoofed (source routed" and "redirect") packets
# -
kernel_log_martians=false



# =============
# --- Some further Ports/IP-Address Configuration
# =============

# - unpriviligierte Ports
# -
unprivports="1024:65535"

# - Loopback
loopback="127.0.0.0/8"

# - Private Networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"

# - Multicast Addresse
class_d_multicast="224.0.0.0/4"

# Reserved Addresse
class_e_reserved="240.0.0.0/5"


# ----------------------- End: Configuration ----------------------- #
######################################################################


## ====================================
## - Don't make changes after this Line
## ====================================


# -----------
# --- Define Arrays
# -----------

# ---
# - Masquerade TCP Connections
# ---
declare -a masquerade_tcp_con_arr
for _str in $masquerade_tcp_cons ; do
   masquerade_tcp_con_arr+=("$_str")
done


# ---
# - Extern Network interfaces (DSL, Staic Lines, All together)
# ---
declare -a dsl_device_arr
declare -a ext_if_arr
for _dev in $ext_ifs_dsl ; do
   dsl_device_arr+=("$_dev")
   ext_if_arr+=("$_dev")
done
for _dev in $ext_if_static ; do
   ext_if_arr+=("$_dev")
done

# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
   vpn_if_arr+=("$_dev")
done

# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
   local_if_arr+=("$_dev")
done

# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
   blocked_if_arr+=("$_dev")
done

# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
   unprotected_if_arr+=("$_dev")
done

# ---
# - Allow these local networks any access to the internet
# ---
declare -a any_access_to_inet_network_arr
for _net in $any_access_to_inet_networks ; do
   any_access_to_inet_network_arr+=("$_net")
done

# ---
# - Allow local services from given local networks
# ---
declare -a allow_local_net_to_local_service_arr 
for _val in $allow_local_net_to_local_service ; do
   allow_local_net_to_local_service_arr+=("$_val")
done

# ---
# - Separate local Networks
# ---
declare -a separate_local_network_arr
for _net in $separate_local_networks ; do
   separate_local_network_arr+=("$_net")
done

# ---
# - Generally block ports on extern interfaces
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
   block_tcp_port_arr+=("$_port")
done

declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
   block_udp_port_arr+=("$_port")
done

# ---
# - Not wanted on intern interfaces
# ---
declare -a not_wanted_on_gw_tcp_port_arr
for _port in $not_wanted_on_gw_tcp_ports ; do
   not_wanted_on_gw_tcp_port_arr+=("$_port")
done

declare -a not_wanted_on_gw_udp_port_arr
for _port in $not_wanted_on_gw_udp_ports ; do
   not_wanted_on_gw_udp_port_arr+=("$_port")
done

# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
   forward_private_ip_arr+=("$_ip")
done

# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
   log_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Gateway
# ---
declare -a gateway_address_arr
read -a gateway_address_arr <<<$(ifconfig | grep "inet Ad" | awk '{print$2}' | cut -d':' -f2)

# ---
# - IP Adresses DNS Server
# ---
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
   dns_server_ip_arr+=("$_ip")
done

# ---
# - IP Adresses HTTP Server only local Networks
# ---
declare -a http_server_only_local_ip_arr
for _ip in $http_server_only_local_ips ; do
   http_server_only_local_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Mail Server only local Networks
# ---
declare -a mail_server_only_local_ip_arr
for _ip in $mail_server_only_local_ips ; do
   mail_server_only_local_ip_arr+=("$_ip")
done

# ---
# - IP Addresses FTP Server
# ---
declare -a ftp_server_only_local_ip_arr
for _ip in $ftp_server_only_local_ips ; do
   ftp_server_only_local_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Samba Server
# ---
declare -a samba_server_local_ip_arr
for _ip in $samba_server_local_ips ; do
   samba_server_local_ip_arr+=("$_ip")
done

# ---
# - IP Addresses LDAP Server
# ---
declare -a ldap_server_local_ip_arr
for _ip in $ldap_server_local_ips ; do
   ldap_server_local_ip_arr+=("$_ip")
done

# ---
# - IP Adresses Telephone Systems
# ---
declare -a tele_sys_ip_arr
for _ip in $tele_sys_ips ; do
   tele_sys_ip_arr+=("$_ip")
done

# ---
# - IP Adresses SNMP Server
# ---
declare -a snmp_server_ip_arr
for _ip in $snmp_server_ips ; do
   snmp_server_ip_arr+=("$_ip")
done

# ---
# - IP Adresses Munin Service 
# ---
declare -a munin_local_server_ip_arr
for _ip in $munin_local_server_ips ; do
   munin_local_server_ip_arr+=("$_ip")
done

# ---
# - IP Adresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
   xymon_server_ip_arr+=("$_ip")
done

# ---
# - IP Adresses IPMI interface
# ---
declare -a ipmi_server_ip_arr
for _ip in $ipmi_server_ips ; do
   ipmi_server_ip_arr+=("$_ip")
done

# ---
# -IP Addresses Ubiquiti Unifi Accesspoints
# ---
declare -a unifi_ap_local_ip_arr
for _ip in $unifi_ap_local_ips ; do
   unifi_ap_local_ip_arr+=("$_ip")
done
declare -a unifi_controller_gateway_ip_arr
for _ip in $unifi_controller_gateway_ips ; do
   unifi_controller_gateway_ip_arr+=("$_ip")
done
declare -a unify_controller_local_net_ip_arr
for _ip in $unify_controller_local_net_ips ; do
   unify_controller_local_net_ip_arr+=("$_ip")
done


# ---
# - IP Adresses Brother Scanner (brscan)
# ---
declare -a brother_scanner_ip_arr
for _ip in $brother_scanner_ips ; do
   brother_scanner_ip_arr+=("$_ip")
done

# ---
# - IP Addresses PCNS Server
# ---
declare -a pcns_server_ip_arr
for _ip in $pcns_server_ips ; do
   pcns_server_ip_arr+=("$_ip")
done


# ---
# - IP Addresses VNC Service
# ---
declare -a rm_server_ip_arr
for _ip in $rm_server_ips ; do
   rm_server_ip_arr+=("$_ip")
done

# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
   rsync_out_ip_arr+=("$_ip")
done

# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
   ssh_port_arr+=("$_port")
done

# ---
# - VPN Ports
# ---
declare -a vpn_gw_port_arr
for _port in $vpn_gw_ports ; do
   vpn_gw_port_arr+=("$_port")
done
declare -a vpn_local_net_port_arr
for _port in $vpn_local_net_ports ; do
   vpn_local_net_port_arr+=("$_port")
done
declare -a vpn_out_port_arr
for _port in $vpn_out_ports ; do
   vpn_out_port_arr+=("$_port")
done

# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
   rsync_port_arr+=("$_port")
done

# ---
# - Samba Ports
# ---

declare -a samba_udp_port_arr
for _port in $samba_udp_ports ; do
   samba_udp_port_arr+=("$_port")
done

declare -a samba_tcp_port_arr
for _port in $samba_tcp_ports ; do
   samba_tcp_port_arr+=("$_port")
done

# ---
# - LDAP Ports
# ---

declare -a ldap_udp_port_arr
for _port in $ldap_udp_ports ; do
   ldap_udp_port_arr+=("$_port")
done

declare -a ldap_tcp_port_arr
for _port in $ldap_tcp_ports ; do
   ldap_tcp_port_arr+=("$_port")
done

# ---
# - IPMI
# ---

declare -a ipmi_tcp_port_arr
for _port in $ipmi_tcp_ports ; do
   ipmi_tcp_port_arr+=("$_port")
done


# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
   portforward_tcp_arr+=("$_str")
done

# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
   portforward_udp_arr+=("$_str")
done

# ---
# - MAC Address Filtering
# ---
declare -a allow_all_mac_src_address_arr
for _mac in $allow_all_mac_src_addresses ; do
   allow_all_mac_src_address_arr+=("$_mac")
done

declare -a allow_local_mac_src_address_arr
for _mac in $allow_local_mac_src_addresses ; do
   allow_local_mac_src_address_arr+=("$_mac")
done

declare -a allow_remote_mac_src_address_arr
for _mac in $allow_remote_mac_src_addresses ; do
   allow_remote_mac_src_address_arr+=("$_mac")
done


# =============
# --- Some functions
# =============
echononl(){
   echo X\\c > /tmp/shprompt$$
   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
      echo -e -n "$*\\c" 1>&2
   else
       echo -e -n "$*" 1>&2
   fi
   rm /tmp/shprompt$$
}
echo_done() {
   echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
   echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
   echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
   echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
   echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}


fatal (){
   echo ""
   echo -e "fatal Error: $*"
   echo ""
   echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
   echo ""
   exit 1
}

error(){
   echo ""
   echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
   echo ""
}

warn (){
   echo ""
   echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
   echo ""
}

info (){
   echo ""
   echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
   echo ""
}

## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
   local e
   for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
   return 1
}