diff --git a/conf/default_settings.conf b/conf/default_settings.conf index 8ad4df3..d212560 100644 --- a/conf/default_settings.conf +++ b/conf/default_settings.conf @@ -13,7 +13,6 @@ default_per_IP_connection_limit=111 standard_checkmk_port=6556 standard_cpan_wait_port=1404 -standard_cups_port=$standard_ipp_port standard_dns_port=53 standard_ftp_port=21 standard_ftp_data_port=20 @@ -23,6 +22,7 @@ standard_http_port=80 standard_https_port=443 standard_ident_port=113 standard_ipp_port=631 +standard_cups_port=$standard_ipp_port standard_irc_port=6667 standard_jabber_port=5222 standard_ldap_port=389 diff --git a/conf/include_functions.conf b/conf/include_functions.conf index 9f563da..92db714 100644 --- a/conf/include_functions.conf +++ b/conf/include_functions.conf @@ -1,5 +1,13 @@ #!/usr/bin/env bash +# - Set firewall command (either iptables or ip6tables) +# +if [[ -x "${ip6t}" ]] ; then + fw_command="${ip6t}" +elif [[ -x "${ipt}" ]] ; then + fw_command="${ipt}" +fi + # ------------- # --- Some functions # ------------- @@ -82,3 +90,167 @@ trim() { echo -n "$var" } + +is_container() { + command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1 +} + + +# ------------- +# - IPv6 handling +# ------------- + +ENABLE_IPV6="auto" # auto | yes | no +IPV6_ACTIVE=0 + +ipv6_sysctl_enabled() { + sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0 +} + +has_ipv6_addr() { + ip -6 addr show scope global 2>/dev/null | grep -q "inet6" +} + +detect_ipv6() { + case "$ENABLE_IPV6" in + yes) return 0 ;; + no) return 1 ;; + auto) ipv6_sysctl_enabled ;; + *) return 1 ;; + esac +} + + +# ------------- +# - Fail2ban +# ------------- + +FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local" +FAIL2BAN_WAS_RUNNING=false +fail2ban_client="$(command -v fail2ban-client 2>/dev/null)" +has_fail2ban() { + command -v fail2ban-client >/dev/null 2>&1 +} + +fail2ban_running() { + systemctl is-active --quiet fail2ban >/dev/null 2>&1 +} + +# ------------- +# - Debian 12/13 compatibility helpers (best effort) +# ------------- +ensure_mod() { + + # --- + # Load a kernel module if possible (no hard failure). + # NOTE: In containers module loading is not possible; modules must be loaded on the host. + # --- + + local m="$1" + + # Already loaded? + if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then + return 0 + fi + + # Skip in containers/guests without module loading capability + # + is_container && return 0 + + # Best effort modprobe + /sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)." +} + +# --- Feature detection helpers (Debian 12/13 + containers) +module_loaded() { + lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1" +} + +can_use_recent() { + # xt_recent is the kernel module behind "-m recent" + # In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent. + module_loaded xt_recent && return 0 + [ -d /proc/net/xt_recent ] && return 0 + # As a last resort, ask iptables to parse the match (works if userspace has it) + "$ipt" -m recent -h >/dev/null 2>&1 && return 0 + return 1 +} + +can_use_hashlimit() { + # xt_hashlimit is the kernel module behind "-m hashlimit" + module_loaded xt_hashlimit && return 0 + [ -d /proc/net/xt_hashlimit ] && return 0 + "${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0 + return 1 +} + +can_use_connlimit() { + # xt_connlimit is the kernel module behind "-m connlimit" + module_loaded xt_connlimit && return 0 + "${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0 + return 1 +} + +can_use_owner() { + # xt_owner is the kernel module behind "-m owner" + module_loaded xt_owner && return 0 + "${fw_command}" -m owner -h >/dev/null 2>&1 && return 0 + return 1 +} + +can_use_ct_target() { + # Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support) + "${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0 + return 1 +} + +can_use_helper_match() { + # Check if helper match exists + "${fw_command}" -m helper -h >/dev/null 2>&1 && return 0 + return 1 +} + +can_use_nft() { + command -v nft >/dev/null 2>&1 && return 0 + return 1 +} + +setup_ftp_conntrack_helper_output() { + # Prefer explicit helper assignment (safe with nf_conntrack_helper=0) + if can_use_ct_target ; then + "${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp + return 0 + fi + + # nft fallback (nft-native helper assignment); keeps us "nft-ready" + if can_use_nft ; then + # Best-effort; may fail in containers without CAP_NET_ADMIN + nft add table ip fwhelper >/dev/null 2>&1 || true + nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true + nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true + nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0 + fi + + warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules." + return 1 +} + +setup_ftp_conntrack_helper_prerouting() { + # Prefer explicit helper assignment (safe with nf_conntrack_helper=0) + if can_use_ct_target ; then + "$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp + return 0 + fi + + # nft fallback (nft-native helper assignment); keeps us "nft-ready" + if can_use_nft ; then + nft add table ip fwhelper >/dev/null 2>&1 || true + nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true + nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true + nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0 + fi + + warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges." + return 1 +} + diff --git a/ipt-firewall-server b/ipt-firewall-server index 83449c9..241f115 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -1,14 +1,4 @@ #!/usr/bin/env bash -### BEGIN INIT INFO -# Provides: ipt-firewall -# Required-Start: $local_fs $remote_fs $syslog $network -# Required-Stop: $local_fs $remote_fs $syslog $network -# Should-Start: -# Should-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: IPv4 Firewall -### END INIT INFO # ------------- @@ -19,8 +9,6 @@ ipt_conf_dir="/etc/ipt-firewall" inc_functions_file="${ipt_conf_dir}/include_functions.conf" -load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf - conf_logging=${ipt_conf_dir}/logging_ipv4.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_default_settings=${ipt_conf_dir}/default_settings.conf @@ -28,17 +16,8 @@ conf_main=${ipt_conf_dir}/main_ipv4.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list" -ipt=$(which iptables) - -if [[ -z "$fail2ban_client" ]]; then - fail2ban_client="$(which fail2ban-client)" -fi - - -# ------------- -# - Some checks and preloads.. -# ------------- +ipt="$(command -v iptables 2>/dev/null)" if [[ -z "$ipt" ]] ; then echo "" @@ -49,6 +28,17 @@ if [[ -z "$ipt" ]] ; then exit 1 fi + +# ------------- +# - Load Default Settings and Functions +# ------------- + +if [[ ! -f "$conf_default_settings" ]]; then + fatal "Missing configuration for default_settings - file '$conf_default_settings'" +else + source $conf_default_settings +fi + if [[ ! -f "$inc_functions_file" ]] ; then echo "" echo -e "\tMissing include file '$inc_functions_file'" @@ -61,6 +51,25 @@ else fi +# ------------- +# - Some checks and preloads.. +# ------------- + +# --- Debian 12/13: enforce iptables-nft backend (nf_tables) and prevent legacy/nft mix +if ! "$ipt" --version 2>/dev/null | grep -q "nf_tables"; then + echo "" + echo "ERROR: Your iptables is NOT using nf_tables backend (iptables-nft)." + echo "This script expects iptables-nft on Debian 12/13 to avoid legacy/nft mixed rules." + echo "" + echo "Fix (on the host, as root):" + echo " update-alternatives --set iptables /usr/sbin/iptables-nft" + echo " update-alternatives --set ip6tables /usr/sbin/ip6tables-nft" + echo "" + echo "Current: $($ipt --version 2>/dev/null || echo 'unknown')" + exit 1 +fi + + # - Check if running inside a container # - host_is_vm=false @@ -88,22 +97,34 @@ else fi -if [[ ! -f "$load_modules_file" ]] ; then - warn "No modules for loading configured. Missing file '$load_modules_file'!" +# ------------- +# --- Ensure required modules for this script (best effort; host-side in containers) +# ------------- + +echo +echononl "\tEnsure required modules are loaded.." +if is_container ; then + echo_skipped else + echo_done +fi - if ! $host_is_vm ; then +ensure_mod nf_conntrack +ensure_mod nf_nat +ensure_mod nf_conntrack_ftp +ensure_mod nf_nat_ftp +ensure_mod xt_recent +ensure_mod xt_hashlimit +ensure_mod xt_connlimit +ensure_mod xt_owner +ensure_mod xt_helper +ensure_mod br_netfilter - while read -r module ; do - if ! lsmod | grep -q -E "^$module\s+" ; then - /sbin/modprobe $module > /dev/null 2>&1 - if [[ "$?" != "0" ]]; then - warn "Loading module '$module' failed!" - fi - fi - done < <(sed -ne 's/^[[:space:]]*\([^#].*\)[[:space:]]*/\1/p' $load_modules_file) - fi +# --- Security hardening / predictable conntrack behavior: +# Disable automatic conntrack helper assignment (keep explicit CT --helper rules) +if ! $host_is_vm ; then + sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true fi if [[ ! -f "$conf_logging" ]]; then @@ -112,12 +133,6 @@ else source $conf_logging fi -if [[ ! -f "$conf_default_settings" ]]; then - fatal "Missing configuration for default_settings - file '$conf_default_settings'" -else - source $conf_default_settings -fi - if [[ ! -f "$conf_interfaces" ]]; then fatal "Missing interface configurations - file '$conf_interfaces'" else @@ -256,19 +271,29 @@ else fi -# ------------- Stop Fail2Ban if installed ------------- -# -if [ -x "$fail2ban_client" ]; then - echononl "\tStopping fail2ban.." - $fail2ban_client stop > /dev/null 2>&1 - if [ "$?" = "0" ];then - echo_done +# ------------- Fail2ban handling (do not stop/start; keep bans stable) ------------- +echo +echononl "\tCheck presence and configuration of Fail2ban .." +echo_done +if ! has_fail2ban ; then + warn "Fail2ban is not installed.." +elif ! fail2ban_running ; then + warn "Fail2ban is installed but not running.." +else + CURRENT_BANACTION=$(grep -E '^\s*banaction\s*=' "$FAIL2BAN_CONFIG_FILE" | head -1 | tr -d ' ' | cut -d'=' -f2) + if [[ -n ${CURRENT_BANACTION} ]] ; then + if [ "$CURRENT_BANACTION" = "nftables" ]; then + info "Fail2ban is running, banaction is et to nftables." + else + warn "Change banaction from ${CURRENT_BANACTION} to \033[1mbanaction=nftables\033[m" + fi else - echo_warning + warn "banaction seems not to be configured. Take care that \033[1mbanaction=nftables\033[m" fi + FAIL2BAN_WAS_RUNNING=true fi # -# ------------- Ende: Stop Fail2Ban if installed ------------- +# ------------- Ende: Fail2ban handling (do not stop/start; keep bans stable) ------------- # ------------- @@ -321,17 +346,30 @@ echo echononl "\tDo not firewall bridged traffic" if $do_not_firewall_bridged_traffic ; then - # - Matches if the packet is being bridged and therefore is not being routed. - # - This is only useful in the FORWARD and POSTROUTING chains. - # - - $ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT + # Debian 12/13 (iptables-nft): Prefer disabling bridge netfilter hooks via sysctl + # instead of relying on xt_physdev matches. This avoids backend/bridge quirks and + # keeps bridged L2 traffic out of iptables/ip6tables. + # + # Best effort: if sysctl keys are unavailable (or we're in a container), fall back + # to the historical physdev ACCEPT rules. - # - Matches if the packet has entered through a bridge interface. - # - - $ipt -I FORWARD -m physdev --physdev-is-in -j ACCEPT - # - Matches if the packet will leave through a bridge interface. - # - - $ipt -I FORWARD -m physdev --physdev-is-out -j ACCEPT + _bridge_sysctl_ok=true + + if command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1 ; then + _bridge_sysctl_ok=false + else + # ensure_mod br_netfilter is called earlier (Step 1a) + sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false + sysctl -w net.bridge.bridge-nf-call-ip6tables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false + sysctl -w net.bridge.bridge-nf-call-arptables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false + fi + + if ! $_bridge_sysctl_ok ; then + # Fallback: allow bridged traffic to pass without filtering (legacy behaviour) + $ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT + $ipt -I FORWARD -m physdev --physdev-is-in -j ACCEPT + $ipt -I FORWARD -m physdev --physdev-is-out -j ACCEPT + fi echo_done else @@ -368,7 +406,7 @@ echononl "\tLog given IPv4 Addresses" if [[ ${#log_ip_arr[@]} -gt 0 ]]; then for _ip in ${log_ip_arr[@]} ; do $ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: " - $ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: " + $ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: " $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: " $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: " done @@ -411,11 +449,11 @@ echo_done # --- echononl "\tPermit all traffic through VPN lines.." for _vpn_if in ${vpn_if_arr[@]} ; do - $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT + $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT - $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT + $ipt -A FORWARD -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT fi done echo_done @@ -431,12 +469,12 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then $ipt -t mangle -A PREROUTING -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" - $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" + $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" fi $ipt -t mangle -A PREROUTING -i $_dev -j ACCEPT - $ipt -A OUTPUT -o $_dev -j ACCEPT + $ipt -A OUTPUT -o $_dev -j ACCEPT $ipt -A INPUT -i $_dev -j ACCEPT $ipt -A FORWARD -o $_dev -j ACCEPT done @@ -503,7 +541,7 @@ for _if in ${blocked_if_arr[@]} ; do $ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" fi $ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" - $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" + $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" fi if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_if -j DROP @@ -876,15 +914,14 @@ if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then for _dev in ${ext_if_arr[@]} ; do if $log_mndp || $log_all ; then - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: " + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: " $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: " $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: " fi fi - - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP @@ -909,14 +946,14 @@ echononl "\tDrop Multicast DNS Traffic" if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then for _dev in ${ext_if_arr[@]} ; do if $log_mdns || $log_all ; then - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: " + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: " $ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: " $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: " fi fi - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP $ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP @@ -937,13 +974,13 @@ echo "" echononl "\tDon't allow spoofing out from this server" for _dev in ${ext_if_arr[@]} ; do if $log_spoofed_out || $log_all ; then - $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" - $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" - $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" - $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:" - $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:" - $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:" - $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" + $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:" + $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:" + $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:" + $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" $ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" @@ -998,7 +1035,7 @@ echo_done echononl "\tAccept already established connections.." $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -$ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + $ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP @@ -1052,12 +1089,39 @@ fi echononl "\tProtection against SSH brute-force attacks" if $protection_against_ssh_brute_force_attacks ; then - $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set - if $log_ssh_brute_force || $log_all ; then - $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" + if can_use_recent ; then + $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set + if $log_ssh_brute_force || $log_all ; then + $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" + fi + $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP + else + if can_use_hashlimit ; then + warn "xt_recent not available; using hashlimit fallback for SSH brute-force protection." + if $log_ssh_brute_force || $log_all ; then + $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ + -m hashlimit --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-mode srcip \ + --hashlimit-name sshbf --hashlimit-htable-expire 60000 \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" + fi + $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ + -m hashlimit --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-mode srcip \ + --hashlimit-name sshbf --hashlimit-htable-expire 60000 \ + -j DROP + else + warn "Neither xt_recent nor xt_hashlimit available; using simple global limit fallback for SSH brute-force protection." + if $log_ssh_brute_force || $log_all ; then + $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ + -m limit --limit 10/min --limit-burst 10 \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force (limit fallback):" + fi + $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ + -m limit --limit 10/min --limit-burst 10 \ + -j DROP + fi fi - $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP - echo_done + +echo_done else echo_skipped fi @@ -1074,18 +1138,41 @@ if $limit_connections_per_source_IP ; then per_IP_connection_limit=$default_per_IP_connection_limit fi - if $log_rejected || $log_all ; then + if can_use_connlimit ; then + + if $log_rejected || $log_all ; then + + $ipt -A INPUT -p tcp --syn \ + -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:" + + fi $ipt -A INPUT -p tcp --syn \ -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \ - -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:" + -j REJECT --reject-with tcp-reset + else + warn "xt_connlimit not available; using fallback for per-source limiting (approximate)." + + if can_use_hashlimit ; then + # Fallback: rate-limit new SYNs per source IP (not the same as concurrent connlimit, but protective) + if $log_rejected || $log_all ; then + $ipt -A INPUT -p tcp --syn \ + -m hashlimit --hashlimit-above ${per_IP_connection_limit}/min --hashlimit-burst ${per_IP_connection_limit} --hashlimit-mode srcip \ + --hashlimit-name connlimit_fallback --hashlimit-htable-expire 60000 \ + -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP (hashlimit fallback):" + fi + + $ipt -A INPUT -p tcp --syn \ + -m hashlimit --hashlimit-above ${per_IP_connection_limit}/min --hashlimit-burst ${per_IP_connection_limit} --hashlimit-mode srcip \ + --hashlimit-name connlimit_fallback --hashlimit-htable-expire 60000 \ + -j REJECT --reject-with tcp-reset + else + warn "No xt_connlimit and no xt_hashlimit available; skipping per-source connection limiting." + fi fi - $ipt -A INPUT -p tcp --syn \ - -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \ - -j REJECT --reject-with tcp-reset - echo_done else echo_skipped @@ -1133,6 +1220,7 @@ if $limit_new_tcp_connections_per_seconds_per_source_IP \ #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT # Rate-Limit für neue SYNs auf 443 pro IP + if can_use_hashlimit ; then $ipt -A INPUT -p tcp --syn \ -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ -m hashlimit --hashlimit-name syn_multi_v4 \ @@ -1140,11 +1228,8 @@ if $limit_new_tcp_connections_per_seconds_per_source_IP \ --hashlimit-mode srcip --hashlimit-srcmask 32 \ -j ACCEPT - if $log_rejected || $log_all ; then - #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit new TCP conn's: " - # rate-limited logging für Überschreiter $ipt -A INPUT -p tcp --syn \ -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ @@ -1154,6 +1239,14 @@ if $limit_new_tcp_connections_per_seconds_per_source_IP \ -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):" fi +else + warn "xt_hashlimit not available; using simple global limit fallback for SYN rate limiting (multiport)." + $ipt -A INPUT -p tcp --syn \ + -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ + -m limit --limit 30/second --limit-burst 60 \ + -j ACCEPT +fi + #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP @@ -1327,7 +1420,7 @@ if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then for _val in "${restrict_local_net_to_net_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do - $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m state --state NEW -j ACCEPT + $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT if ! containsElement "${_dev}:${_val_arr[1]}" "${_deny_net_arr[@]}" ; then _deny_net_arr+=("${_dev}:${_val_arr[1]}") @@ -1358,12 +1451,17 @@ echo echononl "\tLOG CGI/PHP traffic out." if $log_cgi_traffic_out && [[ ${#cgi_script_user_arr[@]} -gt 0 ]] ; then - for _dev in ${ext_if_arr[@]} ; do - for _user in ${cgi_script_user_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: " + if can_use_owner ; then + for _dev in ${ext_if_arr[@]} ; do + for _user in ${cgi_script_user_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: " + done done - done - echo_done + echo_done + else + warn "owner/xt_owner match not available; skipping CGI/PHP uid-based OUTPUT logging." + echo_skipped + fi else echo_skipped fi @@ -1376,7 +1474,7 @@ echo echononl "\tAllow all outgoing traffic.." if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT fi @@ -1395,9 +1493,9 @@ echo "" echononl "\tDon't allow traffic into private anetworks" for _dev in ${ext_if_arr[@]} ; do if $log_private_network_out || $log_all ; then - $ipt -A OUTPUT -o $_dev -d $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class A:" - $ipt -A OUTPUT -o $_dev -d $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class B:" - $ipt -A OUTPUT -o $_dev -d $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class C:" + $ipt -A OUTPUT -o $_dev -d $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class A:" + $ipt -A OUTPUT -o $_dev -d $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class B:" + $ipt -A OUTPUT -o $_dev -d $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class C:" if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -d $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class A:" $ipt -A FORWARD -o $_dev -d $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class B:" @@ -1434,7 +1532,7 @@ if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${allow_ext_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" - $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done @@ -1452,7 +1550,7 @@ echononl "\t\tAllow extern IP-Address/Network" if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _net in "${allow_ext_net_arr[@]}" ; do - $ipt -A OUTPUT -o $_dev -p all -d $_net -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p all -d $_net -m conntrack --ctstate NEW -j ACCEPT done done echo_done @@ -1473,7 +1571,7 @@ if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${allow_local_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" - $ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m state --state NEW -j ACCEPT + $ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done @@ -1492,7 +1590,7 @@ if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${allow_local_service_from_network_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" - $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT + $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done @@ -1514,7 +1612,7 @@ echononl "\t\tDHCP Clients" if [[ ${#dhcp_client_if_arr[@]} -gt 0 ]] ; then for _dev in ${dhcp_if_arr[@]} ; do # - out - $ipt -A OUTPUT -p udp -o $_dev --dport 67 -d 0/0 --sport 1024:65535 -j ACCEPT + $ipt -A OUTPUT -p udp -o $_dev --dport 67 -d 0/0 --sport 1024:65535 -j ACCEPT # - in $ipt -A INPUT -p udp -i $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT done @@ -1530,7 +1628,7 @@ if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then # - in $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # - out - $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT + $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT done echo_done else @@ -1550,14 +1648,14 @@ echononl "\t\tDNS out only" # - for _dev in ${ext_if_arr[@]} ; do # - out from local and virtual mashine(s) - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) if $kernel_activate_forwarding ; then # - forward from virtual mashine(s) - $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m state --state NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -1580,10 +1678,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # - $ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT - $ipt -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # Zonetransfer - $ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT done fi @@ -1595,10 +1693,10 @@ if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} - # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # - $ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # Zonetransfer - $ipt -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT done fi echo_done @@ -1635,20 +1733,19 @@ echononl "\t\tSSH out only" # ausgehende Anfragen for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT fi if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then for _port in ${ssh_port_arr[@]} ; do [[ "$_port" = "$standard_ssh_port" ]] && continue - - $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -1658,17 +1755,16 @@ done if [[ ${#local_if_arr[@]} -gt 0 ]] ; then for _dev in ${local_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then for _port in ${ssh_port_arr[@]} ; do [[ "$_port" = "$standard_ssh_port" ]] && continue - - $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done fi @@ -1689,7 +1785,7 @@ if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} - if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${ssh_server_ip_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -1697,7 +1793,7 @@ if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} - if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_ssh_server_ip_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -1717,7 +1813,7 @@ if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done @@ -1731,7 +1827,7 @@ if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} - if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${vpn_server_ip_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do - $ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -1739,7 +1835,7 @@ if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} - if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_vpn_server_ip_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do - $ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -1759,7 +1855,7 @@ if [[ ${#wireguard_out_port_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${wireguard_out_port_port_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done @@ -1773,7 +1869,7 @@ if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${forward_wireguard_server_i if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${wireguard_server_ip_arr[@]} ; do for _port in ${wireguard_server_ports[@]} ; do - $ipt -A INPUT -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -1781,7 +1877,7 @@ if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${forward_wireguard_server_i if [[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_wireguard_server_ip_arr[@]} ; do for _port in ${wireguard_server_ports[@]} ; do - $ipt -A FORWARD -p udp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -1804,7 +1900,7 @@ if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt for _port in ${rsync_port_arr[@]} ; do for _ip in ${rsync_out_ip_arr[@]} ; do - $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done @@ -1814,7 +1910,7 @@ if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt for _port in ${rsync_port_arr[@]} ; do for _ip in ${forward_rsync_out_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done @@ -1833,9 +1929,9 @@ fi echononl "\t\tTelnet (only OUT)" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -1849,9 +1945,9 @@ echo_done echononl "\t\tMySQL (only OUT)" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -1866,7 +1962,7 @@ echononl "\t\tLocal Prometheus Service" if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${prometheus_local_server_ip_arr[@]} ; do - $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m conntrack --ctstate NEW -j ACCEPT done echo_done else @@ -1883,7 +1979,7 @@ echononl "\t\tLocal Prometheus Client" if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${prometheus_local_client_ip_arr[@]} ; do for _ip in ${prometheus_remote_server_ip_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m conntrack --ctstate NEW -j ACCEPT done done echo_done @@ -1900,9 +1996,9 @@ echononl "\t\tMunin remote service" if [ "X$munin_remote_ip" != "X" ]; then for _dev in ${ext_if_arr[@]} ; do - $ipt -A INPUT -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done @@ -1922,13 +2018,13 @@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${munin_server_ip_arr[@]} ; do - $ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_munin_server_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT done fi @@ -1945,9 +2041,9 @@ fi echononl "\t\tMail (SMTP OUT)" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -1964,9 +2060,9 @@ if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done @@ -1987,40 +2083,40 @@ if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then for _ip in ${smtpd_ips_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT # # Razor2 (TCP Port 2703) - $ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT # DEPRECATED: TCP Port 7 (echo) - $ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT # # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) - $ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT # # - DCC (port udp:6277) - $ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ipt -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT - $ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT done fi if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_smtpd_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT # # Razor2 (TCP Port 2703) - $ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT # DEPRECATED: TCP Port 7 (echo) - $ipt -A FORWARD -p tcp -s $_ip --dport 7 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT # # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) - $ipt -A FORWARD -p udp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT # # DCC (port udp:6277) - $ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m state --state NEW -j ACCEPT + $ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ipt -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT @@ -2043,9 +2139,9 @@ if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then for _port in ${smtpd_additional_listen_port_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do - $ipt -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done @@ -2068,7 +2164,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@] for _ip in ${mail_server_ips_arr[@]} ; do # mail ports # - $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] @@ -2076,7 +2172,7 @@ if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@] for _ip in ${forward_mail_server_ip_arr[@]} ; do # mail ports # - $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then @@ -2098,7 +2194,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@] for _ip in ${mail_client_ips_arr[@]} ; do # mail ports # - $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] @@ -2106,7 +2202,7 @@ if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@] for _ip in ${forward_mail_client_ip_arr[@]} ; do # mail ports # - $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then @@ -2126,7 +2222,7 @@ if [[ -n "$dovecot_auth_service" ]] && $dovecot_auth_service ; then if [[ ${#dovecot_auth_allowed_network_arr[@]} -gt 0 ]] && [[ -n "$dovecot_auth_port" ]]; then for _ip in ${dovecot_auth_allowed_network_arr[@]} ; do - $ipt -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else @@ -2144,9 +2240,9 @@ fi echononl "\t\tHTTP(S) out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2163,12 +2259,12 @@ if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${http_server_ip_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT done if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_http_server_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT done fi fi @@ -2188,14 +2284,14 @@ if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${mm_server_ip_arr[@]} ; do - $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mm_server_ip_arr[@]} ; do - $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi fi @@ -2214,7 +2310,7 @@ echononl "\t\tFTP out only (using CT target)" # - (Re)define helper # - -$ipt -A OUTPUT -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp +setup_ftp_conntrack_helper_output # - Used for different ftpdata recent lists 'ftpdata_out_$j' # - @@ -2226,25 +2322,28 @@ for _dev in ${ext_if_arr[@]} ; do # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. # - - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW \ + if can_use_recent ; then + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW \ -m recent --name ftpdata_out_$j --rdest --set -j ACCEPT - - # - (2) - # - - Accept packets if the destination ip-address (--rdest) is in the 'ftpdata_$j' list (--update) - # - and the destination ip-address was seen within the last 1800 seconds (--seconds 1800). - # - - # - - If matched, the "last seen" timestamp of the destination address will be updated (--update). - # - - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - - $ipt -A OUTPUT -o $_dev -p tcp -m state --state NEW --dport 1024: \ + $ipt -A OUTPUT -o $_dev -p tcp -m conntrack --ctstate NEW --dport 1024: \ -m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT +else + warn "xt_recent not available; FTP out-only FTPS workaround disabled (data connections may fail)." + # Allow control connection; non-TLS data connections may still work via helper/RELATED + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT +fi + ((i++)) # - Accept (helper ftp) related connections # - + if can_use_helper_match; then $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT +else + warn "helper match not available; allowing RELATED ftp data without helper restriction" + $ipt -A OUTPUT -m conntrack --ctstate RELATED -o $_dev -p tcp --dport 1024: -j ACCEPT +fi done @@ -2255,18 +2354,18 @@ echo_done # #for _dev in ${ext_if_arr[@]} ; do # # (Datenkanal aktiv) -# $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT +# $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # # (Datenkanal passiv) -# $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # (Kontrollverbindung) -# $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT +# $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # if $kernel_activate_forwarding ; then # # (Datenkanal aktiv) -# $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # # (Datenkanal passiv) -# $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # (Kontrollverbindung) -# $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # fi #done # @@ -2290,7 +2389,7 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - for both, local FTP server (ftp_server_ip_arr) # - and forward to FTP server (forward_ftp_server_ip_arr) # - - $ipt -A PREROUTING -t raw -p tcp --dport $standard_ftp_port -j CT --helper ftp + setup_ftp_conntrack_helper_prerouting if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then @@ -2311,18 +2410,20 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - - $ipt -A INPUT -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT + if can_use_recent ; then + $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port \ + -m recent --name ftpdata_$i --set -j ACCEPT - # - (2) - # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the - # - source ip-address was seen within the last 1800 seconds (--seconds 1800). - # - - # - - If matched, the "last seen" timestamp of the source address will be updated (--update). - # - - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - - $ipt -A INPUT -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ - -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + $ipt -A INPUT -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ + -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + else + + warn "xt_recent not available; relaxing FTPS workaround for FTP server $_ip (opening passive range)." + # Control connection + $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -j ACCEPT + # Passive data ports (less strict without xt_recent) + $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $ftp_passive_port_range -j ACCEPT + fi # - Accept (helper ftp) related connections # - @@ -2352,25 +2453,41 @@ if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} - # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - - $ipt -A FORWARD -p tcp -m state --state NEW -d $_ip --dport $standard_ftp_port -m recent --name ftpdata_$i --set -j ACCEPT + if can_use_recent ; then + $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port \ + -m recent --name ftpdata_$i --set -j ACCEPT - # - (2) - # - - Accept packets if the source ip-address is in the 'ftpdata_$i' list (--update) and the - # - source ip-address was seen within the last 1800 seconds (--seconds 1800). - # - - # - - If matched, the "last seen" timestamp of the source address will be updated (--update). - # - - # - - Entries in the ftpdata list not seen in the last 1800 will be removed (--reap). - # - - $ipt -A FORWARD -p tcp -m state --state NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ - -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT - $ipt -A FORWARD -p tcp -m state --state NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \ - -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ + -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \ + -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT + else + warn "xt_recent not available; relaxing FTPS workaround for forwarded FTP server $_ip (opening passive range)." + # Control connection to forwarded server + $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -j ACCEPT + + # Passive data ports to server (less strict without xt_recent) + $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $ftp_passive_port_range -j ACCEPT + + # Return traffic from server passive ports + $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -s $_ip --sport $ftp_passive_port_range \ + --dport 1024: -j ACCEPT + fi # - Accept (helper ftp) related connections # - - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT - $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT + if can_use_helper_match; then + $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT + else + warn "helper match not available; allowing RELATED ftp data without helper restriction" + $ipt -A FORWARD -m conntrack --ctstate RELATED -d $_ip -p tcp --dport 1024: -j ACCEPT + fi + if can_use_helper_match; then + $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT + else + warn "helper match not available; allowing RELATED ftp data without helper restriction" + $ipt -A FORWARD -m conntrack --ctstate RELATED -s $_ip -p tcp --sport 1024: -j ACCEPT + fi ((i++)) @@ -2388,22 +2505,22 @@ fi # if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then # for _ip in ${ftp_server_ip_arr[@]} ; do # # (Datenkanal aktiv) -# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m state --state NEW -j ACCEPT +# $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m conntrack --ctstate NEW -j ACCEPT # # Datenkanal (passiver modus) -# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # - Kontrollverbindung -# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT +# $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # done # fi # # if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then # for _ip in ${forward_ftp_server_ip_arr[@]} ; do # # (Datenkanal aktiv) -# $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # # Datenkanal (passiver modus) -# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # - Kontrollverbindung -# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m state --state NEW -j ACCEPT +# $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # done # fi # @@ -2424,11 +2541,11 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]} if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${xmpp_server_ip_arr[@]} ; do for _port in ${xmmp_tcp_in_port_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${xmmp_tcp_out_port_arr[@]} ; do - $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2437,11 +2554,11 @@ if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]} if [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_xmpp_server_ip_arr[@]} ; do for _port in ${xmmp_tcp_in_port_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${xmmp_tcp_out_port_arr[@]} ; do - $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2462,7 +2579,7 @@ if [[ ${#xmmp_remote_out_service_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${xmmp_remote_out_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" - $ipt -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done @@ -2481,15 +2598,15 @@ echononl "\t\tMumble Service" if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${mumble_server_ip_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT - $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mumble_server_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT done fi @@ -2510,18 +2627,18 @@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then - $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT fi - $ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_jitsi_server_ip_arr[@]} ; do if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then - $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT fi - $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT done fi @@ -2534,15 +2651,15 @@ echononl "\t\tJitsi Meet Video Conferencing Service Outgoing Ports" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do - $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_jitsi_server_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi echo_done @@ -2554,11 +2671,11 @@ echononl "\t\tJitsi Meet Dovecot Authentication" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if $jitsi_dovecot_auth && [[ -n "$jitsi_dovecot_host" ]] && [[ -n "$jitsi_dovecot_port" ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then - $ipt -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then - $ipt -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT fi echo_done else @@ -2573,7 +2690,7 @@ if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] \ && $jitsi_jibri_remote_auth \ && [[ ${#jitsi_jibri_remote_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_jibri_remote_ip_arr[@]} ; do - $ipt -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT done echo_done @@ -2594,17 +2711,17 @@ if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jibri_server_ip_arr[@ else if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jibri_server_ip_arr[@]} ; do - $ipt -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_jibri_server_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT done fi @@ -2625,17 +2742,17 @@ if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_nc_turn_server_ip_a if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${nc_turn_server_ip_arr[@]} ; do - $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_nc_turn_server_ip_arr[@]} ; do - $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m state --state NEW -j ACCEPT - $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m state --state NEW -j ACCEPT + $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT done fi @@ -2653,9 +2770,9 @@ fi echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2669,11 +2786,11 @@ echo_done echononl "\t\tNTP out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m state --state NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2689,7 +2806,7 @@ if [[ -n "$local_ntp_service" ]] && $local_ntp_service ; then if [[ -z "$ntp_allowed_net" ]] ; then echo_failed else - $ipt -A OUTPUT -p udp -d $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p udp -d $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -s $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT echo_done fi @@ -2705,9 +2822,9 @@ fi echononl "\t\tLDAP out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2721,9 +2838,9 @@ echo_done echononl "\t\tLDAPS out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2739,9 +2856,9 @@ echo_done echononl "\t\tWhois out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2755,9 +2872,9 @@ echo_done echononl "\t\tPGP/GPG Key server - out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2771,9 +2888,9 @@ echo_done echononl "\t\tGIT out only" for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT fi done @@ -2793,7 +2910,7 @@ if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2801,7 +2918,7 @@ if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do - $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2822,7 +2939,7 @@ if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${udp_out_port_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2830,7 +2947,7 @@ if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${forward_udp_out_port_arr[@]} ; do - $ipt -A FORWARD -o $_dev -p udp --dport $_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi @@ -2925,11 +3042,11 @@ echononl "\t\tUNIX Traceroute" # die option -I und versenden dann ebenfalls icmp-echo-request pakete for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT - $ipt -A INPUT -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ipt -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -o $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT - $ipt -A FORWARD -i $_dev -p udp -m state --state NEW --dport 33434:33530 -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT + $ipt -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT fi done @@ -2943,7 +3060,7 @@ echo_done echononl "\t\tPing" $ipt -A INPUT -p icmp -j ACCEPT -$ipt -A OUTPUT -p icmp -j ACCEPT + $ipt -A OUTPUT -p icmp -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -p icmp -j ACCEPT fi @@ -2976,7 +3093,6 @@ echo echononl "\tLogging all rejected traffic" if $log_rejected || $log_all ; then - $ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" @@ -3000,7 +3116,7 @@ echo echononl "\tDrop all other on all interfaces" $ipt -A INPUT -j DROP -$ipt -A OUTPUT -j DROP + $ipt -A OUTPUT -j DROP $ipt -A FORWARD -j DROP echo_done @@ -3008,19 +3124,28 @@ echo_done # ------------- -# ------------- Start Fail2Ban if installed +# ------------- Reload Fail2Ban if installed # ------------- -if [ -x "$fail2ban_client" ]; then + +if ${FAIL2BAN_WAS_RUNNING}; then echo - echononl "\tStarting fail2ban.." - $fail2ban_client start > /dev/null 2>&1 - if [ "$?" = "0" ];then + echononl "\tReloading fail2ban.." + $fail2ban_client reload > /dev/null 2>&1 + if [ "$?" = "0" ]; then echo_done - elif [ "$?" = "255" ]; then - echo_skipped else - echo_failed + # Fallback: reload + restart jails if needed + $fail2ban_client reload --restart > /dev/null 2>&1 + if [ "$?" = "0" ]; then + echo_done + else + echo_skipped + warn "Fail2ban reload failed. Leaving fail2ban unchanged. Check: fail2ban-client -d and /var/log/fail2ban.log" + fi fi +else + # fail2ban not running before; do not start it here + : fi echo