

8 Commits

4 changed files with 382 additions and 356 deletions


@@ -121,6 +121,18 @@ detect_ipv6() {
} }
# -------------
# - Network Device Stuff
# -------------
# get virtual ethernet interfaces and the master of the given bridge
#
get_vth_ports() {
local br="$1"
# lists virtual interfaces (veth*)) and the master interface of the given bridge
ip -o link show master "$br" 2>/dev/null | awk -F': ' '{print $2}'
}
# ------------- # -------------
# - Fail2ban # - Fail2ban
# ------------- # -------------
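Review bot: `get_vth_ports` returns veth names with their peer suffix, because `ip -o link show` prints a veth end as `vethXXXX@ifNN`, and a name in that form is not a real interface name, so any `-i`/`-o` rule built from it is either rejected by iptables or never matches while the caller still believes a port rule was installed. Strip the suffix in the awk stage: `ip -o link show master "$br" 2>/dev/null | awk -F': ' '{sub(/@.*/, "", $2); print $2}'`. The header comment also overstates what is listed — the pipeline yields only the interfaces enslaved to `$br`, never the bridge itself — and `(veth*))` has an unbalanced parenthesis; `# list the interfaces whose master is the given bridge (veth ports and the like)` would be accurate. The bridged-traffic hunk in the second file inlines this same pipeline instead of calling the helper, and its commented-out example names `get_bridge_ports`, which does not exist here; calling `get_vth_ports` in both places keeps the suffix fix in one spot.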



@@ -13,7 +13,7 @@ conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_settings=${ipt_conf_dir}/default_settings.conf conf_default_settings=${ipt_conf_dir}/default_settings.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf conf_post_declarations=${ipt_conf_dir}/post_declarations.conf
conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list" conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
@@ -70,33 +70,6 @@ if ! "$ipt" --version 2>/dev/null | grep -q "nf_tables"; then
fi fi
# - Check if running inside a container
# -
host_is_vm=false
# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc'
# - returns "container=lxc"
# -
r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)"
if [[ -n "$r_val" ]] ; then
host_is_vm=true
else
# ---
# - For other container types we need a few more tricks
# ---
# Detect old-style libvirt
[ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true
# Detect vserver
if ! $host_is_vm ; then
VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true
[ "${VXID:-0}" -gt 1 ] && host_is_vm=true
fi
fi
# ------------- # -------------
# --- Ensure required modules for this script (best effort; host-side in containers) # --- Ensure required modules for this script (best effort; host-side in containers)
# ------------- # -------------
@@ -106,24 +79,25 @@ echononl "\tEnsure required modules are loaded.."
if is_container ; then if is_container ; then
echo_skipped echo_skipped
else else
ensure_mod nf_conntrack
ensure_mod nf_nat
ensure_mod nf_conntrack_ftp
ensure_mod nf_nat_ftp
ensure_mod xt_recent
ensure_mod xt_hashlimit
ensure_mod xt_connlimit
ensure_mod xt_owner
ensure_mod xt_helper
ensure_mod br_netfilter
echo_done echo_done
fi fi
ensure_mod nf_conntrack
ensure_mod nf_nat
ensure_mod nf_conntrack_ftp
ensure_mod nf_nat_ftp
ensure_mod xt_recent
ensure_mod xt_hashlimit
ensure_mod xt_connlimit
ensure_mod xt_owner
ensure_mod xt_helper
ensure_mod br_netfilter
# --- Security hardening / predictable conntrack behavior: # --- Security hardening / predictable conntrack behavior:
# Disable automatic conntrack helper assignment (keep explicit CT --helper rules) # Disable automatic conntrack helper assignment (keep explicit CT --helper rules)
if ! $host_is_vm ; then if ! is_container ; then
sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true
fi fi
@@ -201,7 +175,7 @@ fi
echo "" echo ""
echononl "\tAdjust Kernel Parameters (Security/Tuning).." echononl "\tAdjust Kernel Parameters (Security/Tuning).."
if ! $host_is_vm ; then if ! is_container ; then
## - Reduce DoS'ing ability by reducing timeouts ## - Reduce DoS'ing ability by reducing timeouts
## - ## -
if $kernel_reduce_timeouts ; then if $kernel_reduce_timeouts ; then
@@ -251,7 +225,7 @@ if ! $host_is_vm ; then
## - Logging of spoofed (source routed" and "redirect") packets ## - Logging of spoofed (source routed" and "redirect") packets
## - ## -
if $kernel_log_martians ; then if $kernel_log_martians ; then
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi fi
## - Keine ICMP Umleitungspakete akzeptieren. ## - Keine ICMP Umleitungspakete akzeptieren.
@@ -271,6 +245,78 @@ else
fi fi
# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
echo
echononl "\tDo not firewall bridged / LX Gust System traffic"
if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then
if ! is_container; then
_done=false
for _dev in ${ext_if_arr[@]} ; do
# Try to detect virtual interfaces (veth*)) and the master interface
# of the given bridge dynamically
#
# ports="$(get_bridge_ports "$br")"
#
# or directly here:
#
# ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
#
# ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
#
ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
for _port in $ports ; do
$ipt -A FORWARD -i "${_port}" -j ACCEPT
$ipt -A FORWARD -o "${_port}" -j ACCEPT
_done=true
done
done
if ! ${_done} ; then
$ipt -A FORWARD -i veth+ -j ACCEPT
$ipt -A FORWARD -o veth+ -j ACCEPT
fi
echo_done
else
echo_skipped
fi
else
echo_skipped
fi
echononl "\tIPv4: bypass host filtering for container ports.."
if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then
if ! is_container; then
_bridge_sysctl_ok=true
# IPv4: if you keep the sysctl bypass (recommended if it's working)
sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false
if ${_bridge_sysctl_ok} ; then
echo_done
else
echo_failed
fi
else
echo_skipped
fi
fi
# ------------- Fail2ban handling (do not stop/start; keep bans stable) ------------- # ------------- Fail2ban handling (do not stop/start; keep bans stable) -------------
echo echo
echononl "\tCheck presence and configuration of Fail2ban .." echononl "\tCheck presence and configuration of Fail2ban .."
@@ -339,65 +385,6 @@ echo
# -------------
# --- Prevent bridged traffic getting pushed through the host's iptables rules
# -------------
echononl "\tDo not firewall bridged traffic"
if $do_not_firewall_bridged_traffic ; then
# Debian 12/13 (iptables-nft): Prefer disabling bridge netfilter hooks via sysctl
# instead of relying on xt_physdev matches. This avoids backend/bridge quirks and
# keeps bridged L2 traffic out of iptables/ip6tables.
#
# Best effort: if sysctl keys are unavailable (or we're in a container), fall back
# to the historical physdev ACCEPT rules.
_bridge_sysctl_ok=true
if command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1 ; then
_bridge_sysctl_ok=false
else
# ensure_mod br_netfilter is called earlier (Step 1a)
sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false
sysctl -w net.bridge.bridge-nf-call-ip6tables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false
sysctl -w net.bridge.bridge-nf-call-arptables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false
fi
if ! $_bridge_sysctl_ok ; then
# Fallback: allow bridged traffic to pass without filtering (legacy behaviour)
$ipt -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
$ipt -I FORWARD -m physdev --physdev-is-in -j ACCEPT
$ipt -I FORWARD -m physdev --physdev-is-out -j ACCEPT
fi
echo_done
else
echo_skipped
fi
echo
# -------------
# --- Do not firewall traffic from and to LX Gust Systems
# -------------
echononl "\tDo not firewall traffic from and to LX Gust Systems"
if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
for _ip in ${lxc_guest_ip_arr[@]} ; do
$ipt -I FORWARD -p all -d $_ip -j ACCEPT
$ipt -I FORWARD -p all -s $_ip -j ACCEPT
done
echo_done
else
echo_skipped
fi
echo
# ------------- # -------------
# ---- Log given IP Addresses # ---- Log given IP Addresses
# ------------- # -------------
@@ -491,12 +478,13 @@ fi
echononl "\tAllow forwarding (private) IPs / IP-Ranges.." echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${forward_private_ip_arr[@]}; do for _ip in ${forward_private_ip_arr[@]}; do
# NOTE: These IPs/IP-ranges are intentionally not firewalled (pass-through).
if $log_forwarding_priv_ip || $log_all ; then if $log_forwarding_priv_ip || $log_all ; then
$ipt -t mangle -A PREROUTING -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: " $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
$ipt -t mangle -A PREROUTING -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: " $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
fi fi
$ipt -t mangle -A PREROUTING -d $_ip -j ACCEPT $ipt -A FORWARD -d $_ip -j ACCEPT
$ipt -t mangle -A PREROUTING -s $_ip -j ACCEPT $ipt -A FORWARD -s $_ip -j ACCEPT
done done
echo_done echo_done
else else