From 3d27513b812bd2aace0ec52effba6c5c40bb0482 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 19 Jan 2026 16:10:52 +0100
Subject: [PATCH] ip6t-firewall-server: replace '-m statet --state ..' with '-m conntrack --ctstate ..'.
---
 ip6t-firewall-server | 304 +++++++++++++++++++++----------------------
 1 file changed, 152 insertions(+), 152 deletions(-)
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index 54dd946..052a608 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -15,7 +15,7 @@ conf_logging=${ipt_conf_dir}/logging_ipv6.conf
 conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf
 conf_default_settings=${ipt_conf_dir}/default_settings.conf
 conf_main=${ipt_conf_dir}/main_ipv6.conf
-conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
+conf_post_declarations=${ipt_conf_dir}/post_declarations.conf
 conf_ban_ipv6_list="${ipt_conf_dir}/ban_ipv6.list"
@@ -392,11 +392,11 @@ echo_done
 # ---
 echononl "\tPermit all traffic through VPN lines.."
 for _vpn_if in ${vpn_if_arr[@]} ; do
- $ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
- $ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
- $ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
 echo_done
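Review bot: The `conf_post_declarations=` line in the `@@ -15` hunk silently renames the config file the script reads, from `post_decalrations.conf` to `post_declarations.conf`, which the commit subject does not mention and which will break existing installations whose config directory still carries the misspelled name. Either rename the file as part of the same change and say so in the commit message, or keep a compatibility fallback such as `[[ -f "$conf_post_declarations" ]] || conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf` so that an upgrade does not quietly skip the post-declaration rules.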
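Review bot: `if $kernel_forward_between_interfaces ; then` in the `@@ -392` hunk executes a configuration value as a command, and the same pattern recurs in almost every later hunk of this patch. If the variable is unset or empty, bash runs an empty simple command, which succeeds, so the FORWARD rules are added — a fail-open default for a firewall toggle; a value that is not exactly `true`/`false` is likewise executed rather than rejected. Comparing the string instead, `if [[ "$kernel_forward_between_interfaces" == true ]] ; then`, fails closed on a missing or mistyped value and keeps config content from being run as a command. The unquoted `${vpn_if_arr[@]}` in the `for` line would also be better as `"${vpn_if_arr[@]}"`, matching the quoted form already used in the `@@ -1341` hunk.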
@@ -1341,7 +1341,7 @@ if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then
 for _dev in "${ext_if_arr[@]}" ; do
 for _val in "${allow_ext_service_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
- $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 echo_done
@@ -1359,7 +1359,7 @@ echononl "\t\tAllow extern IP-Address/Network"
 if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then
 for _dev in "${ext_if_arr[@]}" ; do
 for _net in "${allow_ext_net_arr[@]}" ; do
- $ip6t -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p all -d $_net -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 echo_done
@@ -1380,7 +1380,7 @@ if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then
 for _dev in "${ext_if_arr[@]}" ; do
 for _val in "${allow_local_service_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
- $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 echo_done
@@ -1399,7 +1399,7 @@ if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then
 for _dev in "${ext_if_arr[@]}" ; do
 for _val in "${allow_local_service_from_network_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
- $ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 echo_done
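Review bot: The rewritten rule in the `@@ -1341` hunk builds `-p`, `-d` and `--dport` from `${_val_arr[2]}`, `${_val_arr[0]}` and `${_val_arr[1]}` without checking that the config entry actually had three fields; a short or malformed entry expands to an empty argument and ip6tables is invoked with a broken command line. A guard after the `read`, `[[ ${#_val_arr[@]} -eq 3 ]] || continue`, skips such entries explicitly, and the split itself should be `IFS=',' read -r -a _val_arr <<< "${_val}"` so backslashes in config values are not interpreted. The same applies to the `@@ -1380` and `@@ -1399` hunks here and the `@@ -2364` hunk later in the patch.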
@@ -1455,14 +1455,14 @@ echononl "\t\tDNS out only"
 # -
 for _dev in ${ext_if_arr[@]} ; do
 # - out from local and virtual mashine(s)
- $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 # - Only useful (needed) if kernel forwarding is activated (kernel_forward_between_interfaces=true)
 if $kernel_forward_between_interfaces ; then
 # - forward from virtual mashine(s)
- $ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT
- $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
@@ -1485,10 +1485,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
 # If the total size of the DNS record is larger than 512 bytes,
 # it will be sent over TCP, not UDP.
 #
- $ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
- $ip6t -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 # Zonetransfer
- $ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
@@ -1500,10 +1500,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -
 # If the total size of the DNS record is larger than 512 bytes,
 # it will be sent over TCP, not UDP.
 #
- $ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
- $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 # Zonetransfer
- $ip6t -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
 echo_done
@@ -1540,9 +1540,9 @@ echononl "\t\tSSH out only"
 # ausgehende Anfragen
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
@@ -1550,10 +1550,10 @@ for _dev in ${ext_if_arr[@]} ; do
 [[ "$_port" = "$standard_ssh_port" ]] && continue
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
@@ -1563,17 +1563,17 @@ done
 if [[ ${#local_if_arr[@]} -gt 0 ]] ; then
 for _dev in ${local_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT
 if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then
 for _port in ${ssh_port_arr[@]} ; do
 [[ "$_port" = "$standard_ssh_port" ]] && continue
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
 fi
@@ -1593,7 +1593,7 @@ if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -
 if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${ssh_server_ip_arr[@]} ; do
 for _port in ${ssh_port_arr[@]} ; do
- $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 fi
@@ -1601,7 +1601,7 @@ if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -
 if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_ssh_server_ip_arr[@]} ; do
 for _port in ${ssh_port_arr[@]} ; do
- $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 fi
@@ -1621,7 +1621,7 @@ if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then
 for _dev in ${ext_if_arr[@]} ; do
 for _port in ${vpn_port_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
@@ -1635,14 +1635,14 @@ if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -
 if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${vpn_server_ip_arr[@]} ; do
 for _port in ${vpn_port_arr[@]} ; do
- $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 fi
 if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_vpn_server_ip_arr[@]} ; do
- $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
@@ -1661,7 +1661,7 @@ if [[ ${#wireguard_out_port_port_arr[@]} -gt 0 ]] ; then
 for _dev in ${ext_if_arr[@]} ; do
 for _port in ${wireguard_out_port_port_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
@@ -1675,14 +1675,14 @@ if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_wireguard_server_
 if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${wireguard_server_ip_arr[@]} ; do
 for _port in ${wireguard_server_port_arr[@]} ; do
- $ip6t -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 fi
 if [[ ${#forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_wireguard_server_ip_arr[@]} ; do
- $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
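Review bot: The rewritten FORWARD rule in the `@@ -1635` hunk uses `--dport $_port` inside a loop that only iterates `forward_vpn_server_ip_arr`; there is no inner `for _port in ${vpn_port_arr[@]}` as there is for the INPUT rule above it, so `$_port` is whatever the previous loop left behind — the last VPN port, or empty if that loop never ran — and only that one port is opened for forwarded VPN servers. The `@@ -1675` hunk has the identical problem with `wireguard_server_port_arr`. Wrapping the FORWARD rule in `for _port in ${vpn_port_arr[@]} ; do … done` (and the WireGuard counterpart in `for _port in ${wireguard_server_port_arr[@]} ; do … done`) makes the forwarded case match the local one.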
@@ -1704,7 +1704,7 @@ if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt
 for _port in ${rsync_port_arr[@]} ; do
 for _ip in ${rsync_out_ip_arr[@]} ; do
- $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
@@ -1714,7 +1714,7 @@ if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt
 for _port in ${rsync_port_arr[@]} ; do
 for _ip in ${forward_rsync_out_ip_arr[@]} ; do
- $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
@@ -1733,9 +1733,9 @@ fi
 echononl "\t\tTelnet (only OUT)"
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
@@ -1749,9 +1749,9 @@ echo_done
 echononl "\t\tMySQL (only OUT)"
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
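Review bot: The Telnet and MySQL rules in the `@@ -1733` and `@@ -1749` hunks are added for every external interface with no config gate, unlike the rsync rules just above them, which are only emitted when `rsync_out_ip_arr` / `forward_rsync_out_ip_arr` are populated. An always-on outbound cleartext Telnet allowance (and an unconditional outbound MySQL allowance) is a broad default for a server firewall; gating each on a config value, e.g. `if [[ "$telnet_out" == true ]] ; then … fi`, would keep the least-privilege style the rest of the file follows. The enclosing sections begin outside the hunks, so a switch may exist earlier — worth confirming before changing.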
@@ -1766,7 +1766,7 @@ echononl "\t\tLocal Prometheus Service"
 if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${prometheus_local_server_ip_arr[@]} ; do
- $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 echo_done
 else
@@ -1783,7 +1783,7 @@ echononl "\t\tLocal Prometheus Client"
 if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then
 for _ip in ${prometheus_local_client_ip_arr[@]} ; do
 for _ip in ${prometheus_remote_server_ip_arr[@]} ; do
- $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 echo_done
@@ -1800,9 +1800,9 @@ echononl "\t\tMunin remote service"
 if [ "X$munin_remote_ip" != "X" ]; then
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
 echo_done
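Review bot: In the `@@ -1783` hunk the two nested loops both bind `_ip`, so the inner loop over `prometheus_remote_server_ip_arr` shadows the local client address and the rewritten rule `-A INPUT -p tcp -d $_ip` ends up with a remote server address as the destination while the local client address is never used. Judging by the surrounding names, the intent is probably to accept scrapes from each remote server to each local client, which needs distinct loop variables and both addresses in the rule, along the lines of `for _cip in ${prometheus_local_client_ip_arr[@]} ; do for _sip in ${prometheus_remote_server_ip_arr[@]} ; do` with `-s $_sip -d $_cip` in the rule. As written the rule is effectively an open INPUT allowance for the client ports on whatever the remote addresses happen to be.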
@@ -1822,13 +1822,13 @@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@
 if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${munin_server_ip_arr[@]} ; do
- $ip6t -A OUTPUT -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
 if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_munin_server_ip_arr[@]} ; do
- $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
@@ -1845,9 +1845,9 @@ fi
 echononl "\t\tMail (SMTP OUT)"
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
@@ -1864,9 +1864,9 @@ if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then
 for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
 done
@@ -1887,19 +1887,19 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
 if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then
 for _ip in ${smtpd_ips_arr[@]} ; do
- $ip6t -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
 #
 # Razor2 (TCP Port 2703)
- $ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT
 # DEPRECATED: TCP Port 7 (echo)
- $ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT
 #
 # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
- $ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
- $ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
 #
 # - DCC (port udp:6277)
- $ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT
 # if DCC Server is running (port tcp:6277)
 $ip6t -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT
 $ip6t -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT
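Review bot: The guard `if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then` at the top of this hunk is a string comparison inside `[[ ]]`, not a numeric one; it happens to work because a count never sorts below "0", but it is inconsistent with the `-gt 0` used on the enclosing condition and everywhere else in the patch, so `if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] ; then` would be clearer. Two of the context lines, the DCC TCP rules `-A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT` and its OUTPUT counterpart, carry no connection-state match at all, unlike every rule the commit touches; unless an earlier ESTABLISHED/RELATED rule already makes that redundant, they accept arbitrary TCP packets to that port, and adding `-m conntrack --ctstate NEW` would bring them in line. The `@@ -1908` hunk has the same two DCC lines. The `# DEPRECATED: TCP Port 7 (echo)` rule is also still emitted despite its label; if it is really deprecated, dropping it would shrink the outbound allowance.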
@@ -1908,19 +1908,19 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ;
 if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_smtpd_ip_arr[@]} ; do
- $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT
 #
 # Razor2 (TCP Port 2703)
- $ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT
 # DEPRECATED: TCP Port 7 (echo)
- $ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT
 #
 # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?)
- $ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
- $ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT
 #
 # DCC (port udp:6277)
- $ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT
 # if DCC Server is running (port tcp:6277)
 $ip6t -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT
 $ip6t -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT
@@ -1943,9 +1943,9 @@ if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
 for _port in ${smtpd_additional_listen_port_arr[@]} ; do
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
 done
@@ -1968,7 +1968,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
 for _ip in ${mail_server_ips_arr[@]} ; do
 # mail ports
 #
- $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]]
@@ -1976,7 +1976,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]
 for _ip in ${forward_mail_server_ip_arr[@]} ; do
 # mail ports
 #
- $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then
@@ -1996,7 +1996,7 @@ if [[ -n "$dovecot_auth_service" ]] && $dovecot_auth_service ; then
 if [[ ${#dovecot_auth_allowed_network_arr[@]} -gt 0 ]] && [[ -n "$dovecot_auth_port" ]]; then
 for _ip in ${dovecot_auth_allowed_network_arr[@]} ; do
- $ip6t -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m conntrack --ctstate NEW -j ACCEPT
 done
 echo_done
 else
@@ -2019,7 +2019,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
 for _ip in ${mail_client_ips_arr[@]} ; do
 # mail ports
 #
- $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]]
@@ -2027,7 +2027,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]
 for _ip in ${forward_mail_client_ip_arr[@]} ; do
 # mail ports
 #
- $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then
@@ -2044,9 +2044,9 @@ fi
 echononl "\t\tHTTP(S) out only"
 for _dev in ${ext_if_arr[@]} ; do
- $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
 if $kernel_forward_between_interfaces ; then
- $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
 fi
 done
@@ -2063,12 +2063,12 @@ if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]}
 if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${http_server_ip_arr[@]} ; do
- $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_http_server_ip_arr[@]} ; do
- $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
 fi
@@ -2088,14 +2088,14 @@ if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt
 if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${mm_server_ip_arr[@]} ; do
- $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
- $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
 done
 if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_mm_server_ip_arr[@]} ; do
- $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT
- $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT
+ $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT
 done
 fi
 fi
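Review bot: In the `@@ -2063` hunk the `if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces` block sits inside the `if [[ ${#http_server_ip_arr[@]} -gt 0 ]]` block (note the two closing `fi` lines), so the rewritten FORWARD rules are never emitted when only forwarded HTTP servers are configured, even though the enclosing condition in the hunk header is an `||` of both arrays. The `@@ -2088` hunk nests the `forward_mm_server_ip_arr` block the same way. Moving the `fi` that closes the local-server block up to just after its `done`, so the two blocks are siblings as they are in the SSH, VPN and mail hunks, restores the forwarded-only case.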
@@ -2126,7 +2126,7 @@ for _dev in ${ext_if_arr[@]} ; do
 # -
 # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'.
 # -
- $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \
+ $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW \
 -m recent --name ftp6data_out_$j --rdest --set -j ACCEPT
 # - (2)
@@ -2137,7 +2137,7 @@ for _dev in ${ext_if_arr[@]} ; do
 # -
 # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
 # -
- $ip6t -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \
+ $ip6t -A OUTPUT -o $_dev -p tcp -m conntrack --ctstate NEW --dport 1024: \
 -m recent --name ftp6data_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT
 ((j++))
@@ -2155,18 +2155,18 @@ echo_done
 #
 #for _dev in ${ext_if_arr[@]} ; do
 # # (Datenkanal aktiv)
-# $ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
+# $ip6t -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
 # # (Datenkanal passiv)
-# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+# $ip6t -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 # # (Kontrollverbindung)
-# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
+# $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
 # if $kernel_forward_between_interfaces ; then
 # # (Datenkanal aktiv)
-# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
+# $ip6t -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
 # # (Datenkanal passiv)
-# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
+# $ip6t -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 # # (Kontrollverbindung)
-# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT
+# $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT
 # fi
 #done
 #
@@ -2212,7 +2212,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 # -
 # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
 # -
- $ip6t -A INPUT -p tcp -m state --state NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
+ $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport 21 -m recent --name ftpdata_$i --set -j ACCEPT
 # - (2)
 # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
@@ -2222,7 +2222,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 # -
 # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
 # -
- $ip6t -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ $ip6t -A INPUT -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
 -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
@@ -2253,7 +2253,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 # -
 # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'.
 # -
- $ip6t -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
+ $ip6t -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT
 # - (2)
 # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the
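Review bot: The rewritten INPUT rule in the `@@ -2212` hunk hard-codes `--dport 21`, while its FORWARD twin in the `@@ -2253` hunk and the outbound rule in the `@@ -2126` hunk use `$standard_ftp_port`; if that variable is ever set to something other than 21 the control-connection rule and the `recent` list it seeds will silently disagree with the rest of the FTP section. Changing the line to `--dport $standard_ftp_port` keeps the three rules consistent. Both `recent` lists are named `ftpdata_$i` while the outbound list in `@@ -2126` is `ftp6data_out_$j`; if the IPv4 script uses `ftpdata_$i` too, the two families share one kernel list — worth confirming, since the names are otherwise unqualified.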
@@ -2263,9 +2263,9 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -
 # -
 # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap).
 # -
- $ip6t -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
+ $ip6t -A FORWARD -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \
 -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
- $ip6t -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
+ $ip6t -A FORWARD -p tcp -m conntrack --ctstate NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \
 -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT
 # - Accept (helper ftp) related connections
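Review bot: The second rewritten rule in this hunk, `-s $_ip --sport $ftp_passive_port_range … -m recent --name ftpdata_$i --update`, looks up the `recent` list by the packet's source address (the default for `--update`), but here the source is the FTP server itself, whereas the `--set` rule in the `@@ -2253` hunk records client addresses; unless a server address was also recorded as a client, this rule can never match, so server-initiated NEW connections from the passive range are not actually allowed by it. If the intent is to match the client at the destination end, `--rdest` on the `recent` match (as the outbound rules in `@@ -2126` already use) is the missing piece; if the rule is not needed at all, dropping it avoids a dead allowance that reads as if it opened something. The FORWARD section continues past the end of this hunk, so there may be a related rule below that I cannot see.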
@@ -2290,22 +2290,22 @@ fi
 # if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then
 # for _ip in ${ftp_server_ip_arr[@]} ; do
 # # (Datenkanal aktiv)
-# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
+# $ip6t -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
 # # Datenkanal (passiver modus)
-# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
+# $ip6t -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 # # - Kontrollverbindung
-# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
+# $ip6t -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 # done
 # fi
 #
 # if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 # for _ip in ${forward_ftp_server_ip_arr[@]} ; do
 # # (Datenkanal aktiv)
-# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT
+# $ip6t -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT
 # # Datenkanal (passiver modus)
-# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
+# $ip6t -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 # # - Kontrollverbindung
-# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT
+# $ip6t -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT
 # done
 # fi
 #
@@ -2326,11 +2326,11 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]}
 if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] ; then
 for _ip in ${xmpp_server_ip_arr[@]} ; do
 for _port in ${xmmp_tcp_in_port_arr[@]} ; do
- $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 for _port in ${xmmp_tcp_out_port_arr[@]} ; do
- $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 fi
@@ -2339,11 +2339,11 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]}
 if [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then
 for _ip in ${forward_xmpp_server_ip_arr[@]} ; do
 for _port in ${xmmp_tcp_in_port_arr[@]} ; do
- $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 for _port in ${xmmp_tcp_out_port_arr[@]} ; do
- $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT
+ $ip6t -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 fi
@@ -2364,7 +2364,7 @@ if [[ ${#xmmp_remote_out_service_arr[@]} -gt 0 ]] ; then
 for _dev in "${ext_if_arr[@]}" ; do
 for _val in "${xmmp_remote_out_service_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
- $ip6t -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT
+ $ip6t -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT
 done
 done
 echo_done
@@ -2383,15 +2383,15 @@ echononl "\t\tMumble Service" if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${mumble_server_ip_arr[@]} ; do - $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT - $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_mumble_server_ip_arr[@]} ; do - $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT done fi 
@@ -2412,18 +2412,18 @@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then - $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT fi - $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_jitsi_server_ip_arr[@]} ; do if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then - $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT fi - $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT done fi 
@@ -2436,15 +2436,15 @@ echononl "\t\tJitsi Meet Video Conferencing Service Outgoing Ports" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do - $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT - $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_jitsi_server_ip_arr[@]} ; do - $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi echo_done 
@@ -2456,11 +2456,11 @@ echononl "\t\tJitsi Meet Dovecot Authentication" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if $jitsi_dovecot_auth && [[ -n "$jitsi_dovecot_host" ]] && [[ -n "$jitsi_dovecot_port" ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then - $ip6t -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT fi echo_done else @@ -2475,7 +2475,7 @@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] \ && $jitsi_jibri_remote_auth \ && [[ ${#jitsi_jibri_remote_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_jibri_remote_ip_arr[@]} ; do - $ip6t -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT done echo_done 
@@ -2496,17 +2496,17 @@ if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jibri_server_ip_arr[@ else if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jibri_server_ip_arr[@]} ; do - $ip6t -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT - $ip6t -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT - $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_jibri_server_ip_arr[@]} ; do - $ip6t -A FORWARD -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT done fi 
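Review bot: The third rewritten rule in both the OUTPUT and the FORWARD loop of this hunk combines `-p udp` with `$default_outbound_streaming_tcp_ports`, so the protocol and the variable name contradict each other; either the streaming ports are TCP and the rule should read `-p tcp`, or they really are UDP and the variable should be renamed so the rule can be audited against the configuration (the variable's definition is outside this hunk, so I cannot tell which). Unlike the two Jibri rules directly above it, which pin `-d $jibri_remote_jitsi_server`, this rule has no destination match, so whichever protocol is intended a comment stating that any destination is deliberately allowed would help: `# outbound streaming targets are not fixed; intentionally no -d match`.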
@@ -2527,17 +2527,17 @@ if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_nc_turn_server_ip_a if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${nc_turn_server_ip_arr[@]} ; do - $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT + $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_nc_turn_server_ip_arr[@]} ; do - $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT done fi 
@@ -2555,9 +2555,9 @@ fi echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2571,11 +2571,11 @@ echo_done echononl "\t\tNTP out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT fi done 
@@ -2607,9 +2607,9 @@ fi echononl "\t\tLDAP out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2623,9 +2623,9 @@ echo_done echononl "\t\tLDAPS out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2639,9 +2639,9 @@ echo_done echononl "\t\tWhois out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT fi done 
@@ -2655,9 +2655,9 @@ echo_done echononl "\t\tPGP/GPG Key server - out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2671,9 +2671,9 @@ echo_done echononl "\t\tGIT out only" for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2693,7 +2693,7 @@ if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2701,7 +2701,7 @@ if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do - $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi 
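Review bot: In the @@ -2701 hunk the FORWARD block is guarded by `${#forward_tcp_out_port_arr[@]} -gt 0` but the rewritten rule takes `$_port` from `for _port in ${tcp_out_port_arr[@]}`, the OUTPUT port list, so the forwarding rules open the wrong set of ports and none at all when only `forward_tcp_out_port_arr` is populated. The UDP counterpart in the next hunk (@@ -2730) iterates `${forward_udp_out_port_arr[@]}`, which is presumably what was intended here: `for _port in "${forward_tcp_out_port_arr[@]}" ; do`. The enclosing outer `if` starts before the hunk.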
@@ -2722,7 +2722,7 @@ if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${udp_out_port_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2730,7 +2730,7 @@ if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${forward_udp_out_port_arr[@]} ; do - $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2830,11 +2830,11 @@ echononl "\t\tUNIX Traceroute" # die option -I und versenden dann ebenfalls icmp-echo-request pakete for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT - $ip6t -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ip6t -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT - $ip6t -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ip6t -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT fi done
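Review bot: In the @@ -2730 hunk the FORWARD rules are appended under `if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then` without the `&& $kernel_forward_between_interfaces` condition that every other FORWARD block in this patch carries (compare the TCP variant at @@ -2701), so these forwarding rules are installed even when forwarding between interfaces is disabled. Add the guard: `if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then`. The extra rules are inert while the kernel does not forward, but they would become effective as soon as forwarding is enabled without the ruleset being rebuilt, which is exactly the situation the guard exists to prevent.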