#!/usr/bin/env bash # ------------- # - Settings # ------------- ipt_conf_dir="/etc/ipt-firewall" inc_functions_file="${ipt_conf_dir}/include_functions.conf" conf_logging=${ipt_conf_dir}/logging_ipv4.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_default_settings=${ipt_conf_dir}/default_settings.conf conf_main=${ipt_conf_dir}/main_ipv4.conf conf_post_declarations=${ipt_conf_dir}/post_declarations.conf conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list" ipt="$(command -v iptables 2>/dev/null)" if [[ -z "$ipt" ]] ; then echo "" echo -e "\tiptables was not found on this server!" echo echo -e "\tFirewall Script was stopped!" echo exit 1 fi # ------------- # - Load Default Settings and Functions # ------------- if [[ ! -f "$conf_default_settings" ]]; then fatal "Missing configuration for default_settings - file '$conf_default_settings'" else source $conf_default_settings fi if [[ ! -f "$inc_functions_file" ]] ; then echo "" echo -e "\tMissing include file '$inc_functions_file'" echo echo -e "\tFirewall Script was stopped!" echo exit 1 else source $inc_functions_file fi # ------------- # - Some checks and preloads.. # ------------- # --- Debian 12/13: enforce iptables-nft backend (nf_tables) and prevent legacy/nft mix if ! "$ipt" --version 2>/dev/null | grep -q "nf_tables"; then echo "" echo "ERROR: Your iptables is NOT using nf_tables backend (iptables-nft)." echo "This script expects iptables-nft on Debian 12/13 to avoid legacy/nft mixed rules." echo "" echo "Fix (on the host, as root):" echo " update-alternatives --set iptables /usr/sbin/iptables-nft" echo " update-alternatives --set ip6tables /usr/sbin/ip6tables-nft" echo "" echo "Current: $($ipt --version 2>/dev/null || echo 'unknown')" exit 1 fi # ------------- # --- Ensure required modules for this script (best effort; host-side in containers) # ------------- echo echononl "\tEnsure required modules are loaded.." if is_container ; then echo_skipped else ensure_mod nf_conntrack ensure_mod nf_nat ensure_mod nf_conntrack_ftp ensure_mod nf_nat_ftp ensure_mod xt_recent ensure_mod xt_hashlimit ensure_mod xt_connlimit ensure_mod xt_owner ensure_mod xt_helper ensure_mod br_netfilter echo_done fi # --- Security hardening / predictable conntrack behavior: # Disable automatic conntrack helper assignment (keep explicit CT --helper rules) if ! is_container ; then sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true fi if [[ ! -f "$conf_logging" ]]; then fatal "Missing configuration for logging - file '$conf_logging'" else source $conf_logging fi if [[ ! -f "$conf_interfaces" ]]; then fatal "Missing interface configurations - file '$conf_interfaces'" else source $conf_interfaces fi if [[ ! -f "$conf_main" ]]; then fatal "Missing main configurations - file '$conf_main'" else source $conf_main fi if [[ ! -f "$conf_post_declarations" ]]; then fatal "Missing post declarations - file '$conf_post_declarations'" else source $conf_post_declarations fi echo echo -e "\033[37m\033[1m\tStarting firewall iptables (IpV4)..\033[m" echo # ------------- # --- Activate IP Forwarding # ------------- ## - IP Forwarding deaktivieren. ## - ## - Activate if kernel_activate_forwarding ist set to true, deactivate otherwise ## - ## - Only needed, if hosts acts as a router. ## - if $kernel_activate_forwarding ; then echo 1 > /proc/sys/net/ipv4/ip_forward echononl "\tActivate Forwarding.." echo_done else echo 0 > /proc/sys/net/ipv4/ip_forward echononl "\t\033[33m\033[1mDisable Forwarding..\033[m" echo_done fi if $kernel_support_dynaddr ; then echononl "\tActivate kernel support for dynamic addresses.." if [[ -n $dynaddr_flag ]] && [[ $dynaddr_flag =~ ^-?[0-9]+$ ]]; then echo $dynaddr_flag > /proc/sys/net/ipv4/ip_dynaddr echo_done else echo_failed fi else echo 0 > /proc/sys/net/ipv4/ip_dynaddr echononl "\t\033[33m\033[1mDisable kernel support for dynamic addresses..\033[m" echo_done fi # ------------- # --- Adjust Kernel Parameters (Security/Tuning) # ------------- echo "" echononl "\tAdjust Kernel Parameters (Security/Tuning).." if ! is_container ; then ## - Reduce DoS'ing ability by reducing timeouts ## - if $kernel_reduce_timeouts ; then echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 1 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_sack fi ## - SYN COOKIES ## - if $kernel_tcp_syncookies ; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo 3 > /proc/sys/net/ipv4/tcp_synack_retries fi ## - Protection against ICMP bogus error responses ## - if $kernel_protect_against_icmp_bogus_messages ; then echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses fi ## - Ignore Broadcast Pings ## - if $kernel_ignore_broadcast_ping ; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts fi ## - Deactivate Source Routed Packets ## - if $kernel_deactivate_source_route ; then for asr in /proc/sys/net/ipv4/conf/*/accept_source_route ; do echo 0 > $asr done fi ## - Deactivate sending ICMP redirects ## - if $kernel_dont_accept_redirects ; then for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $rp_filter done fi ## - Logging of spoofed (source routed" and "redirect") packets ## - if $kernel_log_martians ; then echo "1" > /proc/sys/net/ipv4/conf/all/log_martians fi ## - Keine ICMP Umleitungspakete akzeptieren. ## - ## - Diese können zur Veränderung der Routing Tables verwendet ## - werden, möglicherweise mit einem böswilligen Ziel. ## - #echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects ## - NUMBER OF CONNECTIONS TO TRACK ## - #echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max echo_done # Adjust Kernel Parameters (Security/Tuning) else echo_skipped fi # ------------- # --- Prevent bridged traffic getting pushed through the host's iptables rules # ------------- echo echononl "\tDo not firewall bridged / LX Gust System traffic" if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then if ! is_container; then _done=false for _dev in ${ext_if_arr[@]} ; do # Try to detect virtual interfaces (veth*)) and the master interface # of the given bridge dynamically # # ports="$(get_bridge_ports "$br")" # # or directly here: # # ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')" # # ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')" # ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')" for _port in $ports ; do $ipt -A FORWARD -i "${_port}" -j ACCEPT $ipt -A FORWARD -o "${_port}" -j ACCEPT _done=true done done if ! ${_done} ; then $ipt -A FORWARD -i veth+ -j ACCEPT $ipt -A FORWARD -o veth+ -j ACCEPT fi echo_done else echo_skipped fi else echo_skipped fi echononl "\tIPv4: bypass host filtering for container ports.." if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then if ! is_container; then _bridge_sysctl_ok=true # IPv4: if you keep the sysctl bypass (recommended if it's working) sysctl -w net.bridge.bridge-nf-call-iptables=0 >/dev/null 2>&1 || _bridge_sysctl_ok=false if ${_bridge_sysctl_ok} ; then echo_done else echo_failed fi else echo_skipped fi fi # ------------- Fail2ban handling (do not stop/start; keep bans stable) ------------- echo echononl "\tCheck presence and configuration of Fail2ban .." echo_done if ! has_fail2ban ; then warn "Fail2ban is not installed.." elif ! fail2ban_running ; then warn "Fail2ban is installed but not running.." else CURRENT_BANACTION=$(grep -E '^\s*banaction\s*=' "$FAIL2BAN_CONFIG_FILE" | head -1 | tr -d ' ' | cut -d'=' -f2) if [[ -n ${CURRENT_BANACTION} ]] ; then if [ "$CURRENT_BANACTION" = "nftables" ]; then info "Fail2ban is running, banaction is et to nftables." else warn "Change banaction from ${CURRENT_BANACTION} to \033[1mbanaction=nftables\033[m" fi else warn "banaction seems not to be configured. Take care that \033[1mbanaction=nftables\033[m" fi FAIL2BAN_WAS_RUNNING=true fi # # ------------- Ende: Fail2ban handling (do not stop/start; keep bans stable) ------------- # ------------- # --- Set default policies / Flush Rules # ------------- echo echononl "\tFlushing firewall iptable (IPv4).." # - default policies # - $ipt -P INPUT ACCEPT $ipt -P OUTPUT ACCEPT $ipt -P FORWARD ACCEPT ## - flush chains ## - $ipt -F $ipt -F INPUT $ipt -F OUTPUT $ipt -F FORWARD $ipt -F -t mangle $ipt -F -t nat $ipt -F -t raw $ipt -X $ipt -Z echo_done # Flushing firewall iptable (IPv6).. echo echononl "\tMasquerade (NAT) interfaces.." if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _dev in ${nat_device_arr[@]} ; do $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE done echo_done else echo_skipped fi echo # ------------- # ---- Log given IP Addresses # ------------- echononl "\tLog given IPv4 Addresses" if [[ ${#log_ip_arr[@]} -gt 0 ]]; then for _ip in ${log_ip_arr[@]} ; do $ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip IN: " $ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip OUT: " $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD FROM: " $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix $_ip FORWARD TO: " done echo_done else echo_skipped fi # ------------- # ------------ Stopping firewall if only flushing was requested (parameter flush) # ------------- case $1 in flush) echo echo -e "\t\033[37m\033[1mFlushing firewall was requested. No more rules..\033[m" echo exit 0;; esac # --- # - Permit all traffic through WireGuard lines # --- echononl "\tPermit all traffic through WireGuard lines.." for _wg_if in ${wg_if_arr[@]} ; do $ipt -A INPUT -i $_wg_if -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_wg_if -j ACCEPT fi done echo_done # --- # - Permit all traffic through VPN lines # --- echononl "\tPermit all traffic through VPN lines.." for _vpn_if in ${vpn_if_arr[@]} ; do $ipt -A INPUT -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_vpn_if -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_vpn_if -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # ------------- # --- Pass through Devices Interfaces (not firewalled) # ------------- echononl "\tPass through Devices (not firewalled)" if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then $ipt -t mangle -A PREROUTING -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}:" fi $ipt -t mangle -A PREROUTING -i $_dev -j ACCEPT $ipt -A OUTPUT -o $_dev -j ACCEPT $ipt -A INPUT -i $_dev -j ACCEPT $ipt -A FORWARD -o $_dev -j ACCEPT done echo_done else echo_skipped fi # --- # - Allow Forwarding certain private Addresses # --- echononl "\tAllow forwarding (private) IPs / IP-Ranges.." if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then for _ip in ${forward_private_ip_arr[@]}; do # NOTE: These IPs/IP-ranges are intentionally not firewalled (pass-through). if $log_forwarding_priv_ip || $log_all ; then $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: " $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: " fi $ipt -A FORWARD -d $_ip -j ACCEPT $ipt -A FORWARD -s $_ip -j ACCEPT done echo_done else echo_skipped fi # ------------- # --- Block IPs / Networks / Interfaces # ------------- echononl "\tBlock IPs / Networks / Interfaces.." # --- # - Block IPs # --- for _ip in $blocked_ips ; do for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:" if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}:" fi fi $ipt -A INPUT -i $_dev -s $_ip -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j DROP fi done done # --- # - Block Interfaces # --- for _if in ${blocked_if_arr[@]} ; do if $log_blocked_if || $log_all ; then if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" $ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" fi $ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}:" fi if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_if -j DROP $ipt -A FORWARD -o $_if -j DROP fi $ipt -A INPUT -i $_if -j DROP $ipt -A OUTPUT -o $_if -j DROP done echo_done # Block IPs / Networks / Interfaces.. # --- # - Block IPs/Netwoks reading from file 'ban_ipv4.list'" # --- echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .." if [[ -f "$conf_ban_ipv4_list" ]] ; then declare -a octets declare -i index while IFS='' read -r _line || [[ -n $_line ]] ; do is_valid_ipv4=true is_valid_mask=true ipv4="" mask="" # Ignore comment lines # [[ $_line =~ ^[[:space:]]{0,}# ]] && continue # Ignore blank lines # [[ $_line =~ ^[[:space:]]*$ ]] && continue # Remove leading whitespace characters # _line="${_line#"${_line%%[![:space:]]*}"}" # Catch IPv4 Address # given_ipv4="$(echo $_line | cut -d ' ' -f1)" # Splitt Ipv4 address from possible given CIDR number # IFS='/' read -ra _addr <<< "$given_ipv4" _ipv4="${_addr[0]}" if [[ -n "${_addr[1]}" ]] ; then _mask="${_addr[1]}" test_netmask=false # Is 'mask' a valid CIDR number? If not, test agains a valid netmask # if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then # Its not a vaild mask number, but naybe a valit netmask. # test_netmask=true else if [[ $_mask -gt 32 ]]; then # Its not a vaild cidr number, but naybe a valit netmask. # test_netmask=true else # OK, we have a vaild cidr number between '0' and '32' # mask=$_mask fi fi # Test if given '_mask' is a valid netmask. # if $test_netmask ; then octets=( ${_mask//\./ } ) # Complete netmask if necessary # while [[ ${#octets[@]} -lt 4 ]]; do octets+=(0) done [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false index=0 for octet in ${octets[@]} ; do if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then if [[ $octet -gt 255 ]] ; then is_valid_mask=false fi if [[ $index -gt 0 ]] ; then mask="${mask}.${octet}" else mask="${octet}" fi else is_valid_mask=false fi ((index++)) done fi adjust_mask=false else mask=32 adjust_mask=true fi # Splitt given address into their octets # octets=( ${_ipv4//\./ } ) # Complete IPv4 address if necessary # while [[ ${#octets[@]} -lt 4 ]]; do octets+=(0) # Only adjust CIDR number if not given # if $adjust_mask ; then mask="$(expr $mask - 8)" fi done # Pre-check if given IPv4 Address seems to be a valid address # [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false # Check if given IPv4 Address is a valid address # if $is_valid_ipv4 ; then index=0 for octet in ${octets[@]} ; do if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then if [[ $octet -gt 255 ]] ; then is_valid_ipv4=false fi if [[ $index -gt 0 ]] ; then ipv4="${ipv4}.${octet}" else ipv4="${octet}" fi else is_valid_ipv4=false fi ((index++)) done fi if $is_valid_ipv4 && $is_valid_mask; then _ip="${ipv4}/${mask}" if containsElement "$_ip" "${ban_ipv4_arr[@]}" ; then continue fi for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list:" if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list::" fi fi $ipt -A INPUT -i $_dev -s $_ip -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -s $_ip -j DROP fi done ban_ipv4_arr+=("$_ip") else msg="$msg '${given_ipv4}'" fi done < "$conf_ban_ipv4_list" echo_done if [[ -n "$msg" ]]; then warn "Ignored:$msg" fi else echo_skipped fi # ------------- # --- Protections against several attacks / unwanted packages # ------------- echo echo -e "\t\033[37m\033[1mProtections against several attacks / unwanted packages..\033[m" # --- # - Drop invalid packets # --- echononl "\tDrop invalid packets" if $log_invalid_packets|| $log_all ; then $ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid packets:" fi $ipt -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP echo_done # --- # Drop TCP packets that are new and are not SYN # --- echononl "\tDrop TCP packets that are new and are not SYN" if $log_new_not_sync || $log_all ; then $ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN:" fi $ipt -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP echo_done # --- # - Drop SYN packets with suspicious MSS value # --- echononl "\tDrop SYN packets with suspicious MSS value" if $log_syn_with_suspicious_mss || $log_all ; then $ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j $LOG_TARGET $tag_log_prefix "$log_prefix suspicious MSS:" fi $ipt -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP echo_done # --- # - Block packets with bogus TCP flags # --- echononl "\tBlock packets with bogus TCP flags" if $log_invalid_flags || $log_all ; then $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags:" fi $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP $ipt -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP echo_done # --- # - Block spoofed (own ip) packets # --- echononl "\tBlock spoofed (own ip) packets" if $log_spoofed || $log_all ; then for _ip in ${ext_ip_arr[@]} ; do $ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " done fi for _ip in ${ext_ip_arr[@]} ; do $ipt -t mangle -A PREROUTING -s $_ip -d $_ip -j DROP done echo_done # --- # - Block spoofed (private/reserved) packets # --- echononl "\tBlock spoofed (private/reserved) packets" for _dev in ${ext_if_arr[@]} ; do if $log_spoofed || $log_all ; then $ipt -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " $ipt -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix link local block: " $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " $ipt -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix TEST-NET-1: " $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " $ipt -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix THIS NET: " $ipt -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " fi done if $log_spoofed || $log_all ; then $ipt -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " fi for _dev in ${ext_if_arr[@]} ; do $ipt -t mangle -A PREROUTING -i $_dev -s $class_d_multicast -j DROP $ipt -t mangle -A PREROUTING -i $_dev -s $link_local_rfc_5735 -j DROP $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_b -j DROP $ipt -t mangle -A PREROUTING -i $_dev -s $test_net_1_rfc_5735 -j DROP $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_c -j DROP $ipt -t mangle -A PREROUTING -i $_dev -s $priv_class_a -j DROP $ipt -t mangle -A PREROUTING -i $_dev -s $this_net_rfc_5735 -j DROP $ipt -t mangle -A PREROUTING -i $_dev -s $class_e_reserved -j DROP done $ipt -t mangle -A PREROUTING -s $loopback_ipv4 ! -i lo -j DROP echo_done # --- # - Drop fragments in all chains # --- echononl "\tDrop fragments in all chains" if $log_fragments || $log_all ; then /sbin/iptables -t mangle -A PREROUTING -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS:" fi /sbin/iptables -t mangle -A PREROUTING -f -j DROP echo_done # --- # - Drop ICMP all ICMP traffic (you usually don't need this protocol) # --- echononl "\tDrop all ICMP traffic.." if [[ -n "$drop_icmp" ]] && $drop_icmp ; then if $log_rejected || $log_all ; then $ipt -t mangle -A PREROUTING -p icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: " fi $ipt -t mangle -A PREROUTING -p icmp -j DROP echo_done else echo_skipped fi # ------------- # --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic # --- Drop Tinc VPN Traffic # ------------- [ "${drop_mndp,,}" == "yes" ] && drop_mndp=true [ "${drop_mndp,,}" == "no" ] && drop_mndp=false echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic" if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then for _dev in ${ext_if_arr[@]} ; do if $log_mndp || $log_all ; then $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: " $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: " $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: " fi fi $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP $ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP $ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP fi done echo_done else echo_skipped fi # ------------- # --- Drop Multicast DNS Traffic # ------------- [ "${drop_mdns,,}" == "yes" ] && drop_mdns=true [ "${drop_mdns,,}" == "no" ] && drop_mdns=false echononl "\tDrop Multicast DNS Traffic" if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then for _dev in ${ext_if_arr[@]} ; do if $log_mdns || $log_all ; then $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: " $ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: " if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: " $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: " fi fi $ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP $ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP $ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP fi done echo_done else echo_skipped fi # --- # - Don't allow spoofing from that server # --- echo "" echononl "\tDon't allow spoofing out from this server" for _dev in ${ext_if_arr[@]} ; do if $log_spoofed_out || $log_all ; then $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:" $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:" $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:" $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" $ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" $ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" $ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out link local block:" $ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out TEST-NET-1:" $ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j $LOG_TARGET $tag_log_prefix "$log_prefix out THIS NET:" $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" fi fi $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP $ipt -A OUTPUT -o $_dev -s $link_local_rfc_5735 -j DROP $ipt -A OUTPUT -o $_dev -s $test_net_1_rfc_5735 -j DROP $ipt -A OUTPUT -o $_dev -s $this_net_rfc_5735 -j DROP $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP $ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP $ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP $ipt -A FORWARD -o $_dev -s $link_local_rfc_5735 -j DROP $ipt -A FORWARD -o $_dev -s $test_net_1_rfc_5735 -j DROP $ipt -A FORWARD -o $_dev -s $this_net_rfc_5735 -j DROP $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP fi done echo_done # ------------- # --- Traffic generally allowed # ------------- echo echononl "\tLoopback device generally allowed.." # --- # - Loopback device # --- $ipt -A INPUT -i lo -j ACCEPT $ipt -A OUTPUT -o lo -j ACCEPT echo_done # --- # - Already established connections # --- echononl "\tAccept already established connections.." $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT fi echo_done # --- # - Protection against syn-flooding # --- echo echononl "\tProtection against syn-flooding" if $protection_against_syn_flooding ; then $ipt -N syn-flood $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN if $log_syn_flood || $log_all ; then $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood:" fi $ipt -A syn-flood -j DROP echo_done else echo_skipped fi # --- # - Protection against port scanning # --- echononl "\tProtection against port scanning" if $protection_against_port_scanning ; then $ipt -N port-scanning $ipt -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN if $log_port_scanning || $log_all ; then $ipt -A port-scanning -j $LOG_TARGET $tag_log_prefix "$log_prefix Port Scan:" fi $ipt -A port-scanning -j DROP echo_done else echo_skipped fi # --- # - Protection against SSH brute-force attacks # --- echononl "\tProtection against SSH brute-force attacks" if $protection_against_ssh_brute_force_attacks ; then if can_use_recent ; then $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set if $log_ssh_brute_force || $log_all ; then $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" fi $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP else if can_use_hashlimit ; then warn "xt_recent not available; using hashlimit fallback for SSH brute-force protection." if $log_ssh_brute_force || $log_all ; then $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ -m hashlimit --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-mode srcip \ --hashlimit-name sshbf --hashlimit-htable-expire 60000 \ -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force:" fi $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ -m hashlimit --hashlimit-above 10/min --hashlimit-burst 10 --hashlimit-mode srcip \ --hashlimit-name sshbf --hashlimit-htable-expire 60000 \ -j DROP else warn "Neither xt_recent nor xt_hashlimit available; using simple global limit fallback for SSH brute-force protection." if $log_ssh_brute_force || $log_all ; then $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ -m limit --limit 10/min --limit-burst 10 \ -j $LOG_TARGET $tag_log_prefix "$log_prefix SSH brute-force (limit fallback):" fi $ipt -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW \ -m limit --limit 10/min --limit-burst 10 \ -j DROP fi fi echo_done else echo_skipped fi # --- # - Limit connections per source IP # --- echononl "\tLimit connections per source IP" if $limit_connections_per_source_IP ; then if ! is_number $per_IP_connection_limit ; then per_IP_connection_limit=$default_per_IP_connection_limit fi if can_use_connlimit ; then if $log_rejected || $log_all ; then $ipt -A INPUT -p tcp --syn \ -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \ -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP:" fi $ipt -A INPUT -p tcp --syn \ -m connlimit --connlimit-above $per_IP_connection_limit --connlimit-mask 32 --connlimit-saddr \ -j REJECT --reject-with tcp-reset else warn "xt_connlimit not available; using fallback for per-source limiting (approximate)." if can_use_hashlimit ; then # Fallback: rate-limit new SYNs per source IP (not the same as concurrent connlimit, but protective) if $log_rejected || $log_all ; then $ipt -A INPUT -p tcp --syn \ -m hashlimit --hashlimit-above ${per_IP_connection_limit}/min --hashlimit-burst ${per_IP_connection_limit} --hashlimit-mode srcip \ --hashlimit-name connlimit_fallback --hashlimit-htable-expire 60000 \ -j $LOG_TARGET $tag_log_prefix "$log_prefix CONN limit per IP (hashlimit fallback):" fi $ipt -A INPUT -p tcp --syn \ -m hashlimit --hashlimit-above ${per_IP_connection_limit}/min --hashlimit-burst ${per_IP_connection_limit} --hashlimit-mode srcip \ --hashlimit-name connlimit_fallback --hashlimit-htable-expire 60000 \ -j REJECT --reject-with tcp-reset else warn "No xt_connlimit and no xt_hashlimit available; skipping per-source connection limiting." fi fi echo_done else echo_skipped fi # # # --- # - Limit RST packets # --- echononl "\tLimit RST packets" # --- # Ersatzlos gestrichen # --- echo_skipped #if $limit_rst_packets ; then # # $ipt -A INPUT -p tcp --tcp-flags RST RST \ # -m limit --limit 2/s --limit-burst 2 -j ACCEPT # # if $log_rejected || $log_all ; then # $ipt -A INPUT -p tcp --tcp-flags RST RST \ # -m limit --limit 2/s --limit-burst 2 \ # -j $LOG_TARGET $tag_log_prefix "$log_prefix Limit RST packets: " # fi # $ipt -A INPUT -p tcp --tcp-flags RST RST -j DROP # echo_done #else # echo_skipped #fi # --- # - Limit new TCP connections per second per source IP # --- echononl "\tLimit new (syn) TCP connections per second per source IP (multiport)" if $limit_new_tcp_connections_per_seconds_per_source_IP \ && [[ ${#limit_new_tcp_connections_per_seconds_ports} -gt 0 ]]; then #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT # Rate-Limit für neue SYNs auf 443 pro IP if can_use_hashlimit ; then $ipt -A INPUT -p tcp --syn \ -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ -m hashlimit --hashlimit-name syn_multi_v4 \ --hashlimit 30/second --hashlimit-burst 60 \ --hashlimit-mode srcip --hashlimit-srcmask 32 \ -j ACCEPT if $log_rejected || $log_all ; then # rate-limited logging für Überschreiter $ipt -A INPUT -p tcp --syn \ -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ -m hashlimit --hashlimit-name syn_multi_v4_log \ --hashlimit 2/second --hashlimit-burst 10 \ --hashlimit-mode srcip --hashlimit-srcmask 32 \ -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN over limit (multiport):" fi else warn "xt_hashlimit not available; using simple global limit fallback for SYN rate limiting (multiport)." $ipt -A INPUT -p tcp --syn \ -m multiport --dports $limit_new_tcp_connections_per_seconds_ports \ -m limit --limit 30/second --limit-burst 60 \ -j ACCEPT fi #$ipt -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP $ipt -A INPUT -p tcp --syn -m multiport --dports $limit_new_tcp_connections_per_seconds_ports -j DROP echo_done else echo_skipped fi # --- # - Use SYNPROXY on all ports (disables connection limiting rule) # --- #echononl "\tUse SYNPROXY on all ports (disables connection limiting rule)" #$ipt -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack #$ipt -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 #$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP #echo_done # ------------- # ------------- Stopping firewall here if requested (parameter stop) # ------------- case $1 in sto*) #echononl "Stopping firewall iptable (IPv4).." echo echo -e "\t\033[37m\033[1mStop was requested. No more rules..\033[m" echo exit 0;; esac echo # ------------- # --- Traffic Counter (used by munin) # ------------- echononl "\tCreate Traffic Counter (used by munin)" if $create_traffic_counter ; then for _ip in ${ext_ip_arr[@]} ; do $ipt -A INPUT -d $_ip $ipt -A INPUT -s $_ip if $kernel_activate_forwarding ; then $ipt -A FORWARD -d $_ip $ipt -A FORWARD -s $_ip fi done echo_done else echo_skipped fi # ------------- # --- iPerf # ------------- # iPerf is a tool for active measurements of the maximum achievable bandwidth on IP networks. # It supports tuning of various parameters related to timing, buffers and protocols (TCP, UDP, # SCTP with IPv4 and IPv6). For each test it reports the bandwidth, loss, and other parameters. echononl "\tCreate \"iPerf\" rules.." if $create_iperf_rules ; then $ipt -A INPUT -p tcp --dport 5001 -j ACCEPT $ipt -A INPUT -p tcp --sport 5001 -j ACCEPT # $ipt -A OUTPUT -p tcp --dport 5001 -j ACCEPT $ipt -A OUTPUT -p tcp --sport 5001 -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -p tcp --dport 5001 -j ACCEPT $ipt -A FORWARD -p tcp --sport 5001 -j ACCEPT fi echo_done else echo_skipped fi # ------------- # --- Generally prohibited # ------------- echononl "\tGenerally prohibited traffic.." for _dev in ${ext_if_arr[@]} ; do if $log_prohibited || $log_all ; then for _port in ${block_tcp_port_arr[@]} ; do $ipt -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:" done for _port in ${block_udp_port_arr[@]} ; do $ipt -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:" done if $kernel_activate_forwarding ; then for _port in ${block_tcp_port_arr[@]} ; do $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:" done for _port in ${block_udp_port_arr[@]} ; do $ipt -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix prohibited traffic:" done fi fi for _port in ${block_tcp_port_arr[@]} ; do $ipt -A INPUT -p tcp -i $_dev --dport $_port -j DROP done for _port in ${block_udp_port_arr[@]} ; do $ipt -A INPUT -p udp -i $_dev --dport $_port -j DROP done if $kernel_activate_forwarding ; then for _port in ${block_tcp_port_arr[@]} ; do $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j DROP done for _port in ${block_udp_port_arr[@]} ; do $ipt -A FORWARD -p udp -i $_dev --dport $_port -j DROP done fi done echo_done echo # ------------- # ---- Restrict local Servive to given (extern) IP-Address/Network # ------------- echononl "\tRestrict local Service to given (extern) IP-Address/Network" if [[ ${#restrict_local_service_to_net_arr[@]} -gt 0 ]] ; then _deny_service_arr=() for _val in "${restrict_local_service_to_net_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j ACCEPT if ! containsElement "${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}" "${_deny_service_arr[@]}" ; then _deny_service_arr+=("${_dev}:${_val_arr[1]}:${_val_arr[2]}:${_val_arr[3]}") fi done done for _val in "${_deny_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A INPUT -i ${_val_arr[0]} -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -j DROP done echo_done else echo_skipped fi # ------------- # ---- Restrict local Network to given extern IP-Address/Network # ------------- echononl "\tRestrict local Address/Network to given extern Address/Network" if [[ ${#restrict_local_net_to_net_arr[@]} -gt 0 ]] ; then _deny_net_arr=() for _val in "${restrict_local_net_to_net_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT if ! containsElement "${_dev}:${_val_arr[1]}" "${_deny_net_arr[@]}" ; then _deny_net_arr+=("${_dev}:${_val_arr[1]}") fi done done for _val in "${_deny_net_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A INPUT -i ${_val_arr[0]} -d ${_val_arr[1]} -j DROP done echo_done else echo_skipped fi echo # --- # - LOG CGI script Traffic out # --- echo echononl "\tLOG CGI/PHP traffic out." if $log_cgi_traffic_out && [[ ${#cgi_script_user_arr[@]} -gt 0 ]] ; then if can_use_owner ; then for _dev in ${ext_if_arr[@]} ; do for _user in ${cgi_script_user_arr[@]} ; do $ipt -A OUTPUT -o $_dev -m owner --uid-owner $_user -j $LOG_TARGET $tag_log_prefix "$log_prefix $_user PHP-OUT: " done done echo_done else warn "owner/xt_owner match not available; skipping CGI/PHP uid-based OUTPUT logging." echo_skipped fi else echo_skipped fi echo # ------------- # --- Allow all outgoing traffic # ------------- echononl "\tAllow all outgoing traffic.." if [[ -n "$allow_all_outgoing_traffic" ]] && $allow_all_outgoing_traffic ; then for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p ALL -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Don't allow traffic into private networks # --- echo "" echononl "\tDon't allow traffic into private anetworks" for _dev in ${ext_if_arr[@]} ; do if $log_private_network_out || $log_all ; then $ipt -A OUTPUT -o $_dev -d $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class A:" $ipt -A OUTPUT -o $_dev -d $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class B:" $ipt -A OUTPUT -o $_dev -d $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class C:" if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -d $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class A:" $ipt -A FORWARD -o $_dev -d $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class B:" $ipt -A FORWARD -o $_dev -d $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out to priv Class C:" fi fi $ipt -A OUTPUT -o $_dev -d $priv_class_a -j DROP $ipt -A OUTPUT -o $_dev -d $priv_class_b -j DROP $ipt -A OUTPUT -o $_dev -d $priv_class_c -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -d $priv_class_a -j DROP $ipt -A FORWARD -o $_dev -d $priv_class_b -j DROP $ipt -A FORWARD -o $_dev -d $priv_class_c -j DROP fi done echo_done # ------------- # --- Services # ------------- echo echo -e "\t\033[37m\033[1mAdd Rules for Services..\033[m" # ------------- # ---- Allow extern Service # ------------- echononl "\t\tAllow extern Service" if [[ ${#allow_ext_service_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${allow_ext_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A OUTPUT -o $_dev -p ${_val_arr[2]} -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # ------------- # ---- Allow extern IP-Address/Network # ------------- echononl "\t\tAllow extern IP-Address/Network" if [[ ${#allow_ext_net_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _net in "${allow_ext_net_arr[@]}" ; do $ipt -A OUTPUT -o $_dev -p all -d $_net -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi echo # ------------- # ---- Allow (non-standard) local Services # ------------- echononl "\t\tAllow (non-standard) local Services" if [[ ${#allow_local_service_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${allow_local_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A INPUT -i $_dev -p ${_val_arr[1]} --dport ${_val_arr[0]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # ------------- # ---- Allow local Services from given (extern) network # ------------- echononl "\t\tAllow local Services from given (extern) network" if [[ ${#allow_local_service_from_network_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${allow_local_service_from_network_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A INPUT -i $_dev -p ${_val_arr[2]} -s ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi echo echo # --- # - DHCP # --- echononl "\t\tDHCP Clients" if [[ ${#dhcp_client_if_arr[@]} -gt 0 ]] ; then for _dev in ${dhcp_if_arr[@]} ; do # - out $ipt -A OUTPUT -p udp -o $_dev --dport 67 -d 0/0 --sport 1024:65535 -j ACCEPT # - in $ipt -A INPUT -p udp -i $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT done echo_done else echo_skipped fi echononl "\t\tDHCP Server" if [[ ${#dhcp_server_if_arr[@]} -gt 0 ]] ; then for _dev in ${dhcp_server_if_arr[@]} ; do # - in $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # - out $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT done echo_done else echo_skipped fi # --- # - DNS out only # --- echononl "\t\tDNS out only" # - Nameservers on the INET must be reachable for the local recursiv nameserver # - but also for all others # - for _dev in ${ext_if_arr[@]} ; do # - out from local and virtual mashine(s) $ipt -A OUTPUT -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # - Only useful (needed) if kernel forwarding is activated (kernel_activate_forwarding=true) if $kernel_activate_forwarding ; then # - forward from virtual mashine(s) $ipt -A FORWARD -o $_dev -p udp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - DNS Service # --- echononl "\t\tDNS Service" if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#dns_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${dns_server_ips[@]} ; do # dns requests # # Note: # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # $ipt -A INPUT -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # Zonetransfer $ipt -A OUTPUT -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_dns_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_dns_server_ip_arr[@]} ; do # dns requests # # Note: # If the total size of the DNS record is larger than 512 bytes, # it will be sent over TCP, not UDP. # $ipt -A FORWARD -p udp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -d $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT # Zonetransfer $ipt -A FORWARD -p tcp -s $_ip --dport $standard_dns_port -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - local Resolver" # --- echononl "\t\tlocal Resolver" if [[ -n "$local_resolver_service" ]] && $local_resolver_service ; then if [[ ${#resolver_allowed_network_arr[@]} -gt 0 ]] ; then for _net in ${resolver_allowed_network_arr[@]} ; do $ipt -A INPUT -p udp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p tcp -s $_net --dport $resolver_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_failed fi else echo_skipped fi # --- # - SSH out only # --- echononl "\t\tSSH out only" # ausgehende Anfragen for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT fi if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then for _port in ${ssh_port_arr[@]} ; do [[ "$_port" = "$standard_ssh_port" ]] && continue $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done fi done if [[ ${#local_if_arr[@]} -gt 0 ]] ; then for _dev in ${local_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ssh_port -m conntrack --ctstate NEW -j ACCEPT if [[ ${#ssh_port_arr[@]} -gt 0 ]] ; then for _port in ${ssh_port_arr[@]} ; do [[ "$_port" = "$standard_ssh_port" ]] && continue $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done fi done fi echo_done # --- # - SSH Service # --- echononl "\t\tSSH Service" if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#ssh_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${ssh_server_ip_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi if [[ ${#forward_ssh_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_ssh_server_ip_arr[@]} ; do for _port in ${ssh_port_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi echo_done else echo_skipped fi # --- # - VPN # --- echononl "\t\tVPN Service only out" if [[ ${#vpn_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi echononl "\t\tVPN Services.." if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#vpn_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${vpn_server_ip_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do $ipt -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi if [[ ${#forward_vpn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_vpn_server_ip_arr[@]} ; do for _port in ${vpn_port_arr[@]} ; do $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi echo_done else echo_skipped fi # --- # - Wireguard # --- echononl "\t\tWireGuard Service only out" if [[ ${#wireguard_out_port_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${wireguard_out_port_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi echononl "\t\tWireGuard Services.." if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] || [[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#wireguard_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${wireguard_server_ip_arr[@]} ; do for _port in ${wireguard_server_ports[@]} ; do $ipt -A INPUT -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi if [[ ${forward_wireguard_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_wireguard_server_ip_arr[@]} ; do for _port in ${wireguard_server_ports[@]} ; do $ipt -A FORWARD -p udp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi echo_done else echo_skipped fi # --- # - Rsync Out # --- echononl "\t\tRsync (only OUT)" if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] || [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] ; then if [[ ${#rsync_out_ip_arr[@]} -gt 0 ]] ; then for _port in ${rsync_port_arr[@]} ; do for _ip in ${rsync_out_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi if [[ ${#forward_rsync_out_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _port in ${rsync_port_arr[@]} ; do for _ip in ${forward_rsync_out_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi echo_done else echo_skipped fi # --- # - Telnet # --- echononl "\t\tTelnet (only OUT)" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_telnet_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - MySQL # --- echononl "\t\tMySQL (only OUT)" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_mysql_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - Prometheus Monitoring - local Server # --- echononl "\t\tLocal Prometheus Service" if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${prometheus_local_server_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - Prometheus Monitoring - local client # --- echononl "\t\tLocal Prometheus Client" if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then for _ip in ${prometheus_local_client_ip_arr[@]} ; do for _ip in ${prometheus_remote_server_ip_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # --- # - Munin remote service # --- echononl "\t\tMunin remote service" if [ "X$munin_remote_ip" != "X" ]; then for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done else echo_skipped fi # --- # - Munin local service # --- echononl "\t\tMunin local service" if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${munin_server_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_munin_server_ip_arr[@]} ; do $ipt -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Mail (SMTP OUT) # --- echononl "\t\tMail (SMTP OUT)" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - Mail (additional smtp ports OUT) # --- echononl "\t\tMail (additional smtp ports OUT)" if [[ ${#smtpd_additional_outgoung_port_arr[@]} -gt 0 ]] ; then for _port in ${smtpd_additional_outgoung_port_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Mail SMTP Server (Port 25) including Spam Control # --- echononl "\t\tMail SMTP Server (Port 25) including Spam Control" if [[ ${#smtpd_ips_arr[@]} -gt 0 ]] || [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] ; then if [[ ${#smtpd_ips_arr[@]} > 0 ]] ; then for _ip in ${smtpd_ips_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ipt -A OUTPUT -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT # DEPRECATED: TCP Port 7 (echo) $ipt -A OUTPUT -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT # # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) $ipt -A OUTPUT -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT # # - DCC (port udp:6277) $ipt -A OUTPUT -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ipt -A INPUT -p tcp -d $_ip --dport 6277 -j ACCEPT $ipt -A OUTPUT -p tcp -s $_ip --dport 6277 -j ACCEPT done fi if [[ ${#forward_smtpd_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_smtpd_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $standard_smtp_port -m conntrack --ctstate NEW -j ACCEPT # # Razor2 (TCP Port 2703) $ipt -A FORWARD -p tcp -s $_ip --dport 2703 -m conntrack --ctstate NEW -j ACCEPT # DEPRECATED: TCP Port 7 (echo) $ipt -A FORWARD -p tcp -s $_ip --dport 7 -m conntrack --ctstate NEW -j ACCEPT # # Pyzor (UDP Port 24441 or TCP Port 24441 or both ?) $ipt -A FORWARD -p udp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --dport 24441 -m conntrack --ctstate NEW -j ACCEPT # # DCC (port udp:6277) $ipt -A FORWARD -s $_ip -p udp -m udp --dport 6277 -m conntrack --ctstate NEW -j ACCEPT # if DCC Server is running (port tcp:6277) $ipt -A FORWARD -p tcp -d $_ip --dport 6277 -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip --dport 6277 -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Mail (additional smtp ports IN) # --- echononl "\t\tMail (additional smtp ports IN)" if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then for _port in ${smtpd_additional_listen_port_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT fi done done echo_done else echo_skipped fi # --- # - Mailservice (Submission/SMTPS/POP/IMAP Server) # --- echononl "\t\tMailservice (Submission/SMTPS/POP/IMAP Server)" if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_server_ips_arr[@]} ; do # mail ports # $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#mail_server_ips_arr[@]} -gt 0 ]] if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mail_server_ip_arr[@]} ; do # mail ports # $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#forward_mail_server_ip_arr[@]} -gt 0 ]] ; then echo_done else echo_skipped fi # --- # - Mail Client (Submission/SMTPS/POPS/IMAPS) out only # --- echononl "\t\tMail Client (Submission/SMTPS/POPS/IMAPS) out only" if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] || [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] ; then for _ip in ${mail_client_ips_arr[@]} ; do # mail ports # $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#mail_client_ips_arr[@]} -gt 0 ]] if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mail_client_ip_arr[@]} ; do # mail ports # $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $mail_user_ports -m conntrack --ctstate NEW -j ACCEPT done fi # if [[ ${#forward_mail_client_ip_arr[@]} -gt 0 ]] ; then echo_done else echo_skipped fi # --- # - (local) Dovecot auth service # --- echononl "\t\t(local) Dovecot auth service" if [[ -n "$dovecot_auth_service" ]] && $dovecot_auth_service ; then if [[ ${#dovecot_auth_allowed_network_arr[@]} -gt 0 ]] && [[ -n "$dovecot_auth_port" ]]; then for _ip in ${dovecot_auth_allowed_network_arr[@]} ; do $ipt -A INPUT -p tcp -s $_ip --dport $dovecot_auth_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_failed fi else echo_skipped fi # --- # - HTTP(S) OUT # --- echononl "\t\tHTTP(S) out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - HTTP(S) (local) Webserver # --- echononl "\t\tHTTP(S) (local) Webserver" if [[ ${#http_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#http_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${http_server_ip_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT done if [[ ${#forward_http_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_http_server_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $http_ports -m conntrack --ctstate NEW -j ACCEPT done fi fi echo_done else echo_skipped fi # --- # - Mattermost Service # --- echononl "\t\tMattermost (MM) Service" if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mm_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${mm_server_ip_arr[@]} ; do $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done if [[ ${#forward_mm_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mm_server_ip_arr[@]} ; do $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mm_udp_ports_in -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $mm_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi fi echo_done else echo_skipped fi # --- # - FTP out only" # --- echononl "\t\tFTP out only (using CT target)" # - (Re)define helper # - setup_ftp_conntrack_helper_output # - Used for different ftpdata recent lists 'ftpdata_out_$j' # - declare -i j=1 for _dev in ${ext_if_arr[@]} ; do # - (1) # - # - Open FTP connection and add the destination ip (--rdest) to ftpdata recent list 'ftpdata_out_$j'. # - if can_use_recent ; then $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW \ -m recent --name ftpdata_out_$j --rdest --set -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp -m conntrack --ctstate NEW --dport 1024: \ -m recent --name ftpdata_out_$j --rdest --update --seconds 1800 --reap -j ACCEPT else warn "xt_recent not available; FTP out-only FTPS workaround disabled (data connections may fail)." # Allow control connection; non-TLS data connections may still work via helper/RELATED $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT fi ((i++)) # - Accept (helper ftp) related connections # - if can_use_helper_match; then $ipt -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -o $_dev -p tcp --dport 1024: -j ACCEPT else warn "helper match not available; allowing RELATED ftp data without helper restriction" $ipt -A OUTPUT -m conntrack --ctstate RELATED -o $_dev -p tcp --dport 1024: -j ACCEPT fi done echo_done #echononl "\t\tFTP out only" # #for _dev in ${ext_if_arr[@]} ; do # # (Datenkanal aktiv) # $ipt -A INPUT -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # # (Datenkanal passiv) # $ipt -A OUTPUT -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # (Kontrollverbindung) # $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # if $kernel_activate_forwarding ; then # # (Datenkanal aktiv) # $ipt -A FORWARD -i $_dev -p tcp --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # # (Datenkanal passiv) # $ipt -A FORWARD -o $_dev -p tcp --sport $unprivports --dport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # (Kontrollverbindung) # $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ftp_port -m conntrack --ctstate NEW -j ACCEPT # fi #done # #echo_done # --- # - FTP Server" # --- echononl "\t\tFTP Server (using CT target)" if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then # - Used for different ftpdata recent lists 'ftpdata_$i' declare -i i=1 # - (Re)define helper # - # - !! Note: !! # - for both, local FTP server (ftp_server_ip_arr) # - and forward to FTP server (forward_ftp_server_ip_arr) # - setup_ftp_conntrack_helper_prerouting if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${ftp_server_ip_arr[@]} ; do # ===== # - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic # - ====================================================== # - # - Workaround: # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear # - (2) accept packets of the formaly created recent list 'ftpdata_$i! # - # ===== # - (1) # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - if can_use_recent ; then $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port \ -m recent --name ftpdata_$i --set -j ACCEPT $ipt -A INPUT -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT else warn "xt_recent not available; relaxing FTPS workaround for FTP server $_ip (opening passive range)." # Control connection $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -j ACCEPT # Passive data ports (less strict without xt_recent) $ipt -A INPUT -p tcp -m conntrack --ctstate NEW -d $_ip --dport $ftp_passive_port_range -j ACCEPT fi # - Accept (helper ftp) related connections # - $ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT ((i++)) done fi if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_ftp_server_ip_arr[@]} ; do # ===== # - # - ip_conntrack_ftp cannot see the TLS-encrypted traffic # - ====================================================== # - # - Workaround: # - (1) add source ip to a 'recent list' named 'ftpdata_$i! if ftp control connections appear # - (2) accept packets of the formaly created recent list 'ftpdata_$i! # - # ===== # - (1) # - # - Accept initial FTP connection and add the source ip to ftpdata recent list 'ftpdata_$i'. # - if can_use_recent ; then $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port \ -m recent --name ftpdata_$i --set -j ACCEPT $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW --sport 1024: -d $_ip --dport $ftp_passive_port_range \ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW --dport 1024: -s $_ip --sport $ftp_passive_port_range \ -m recent --name ftpdata_$i --update --seconds 1800 --reap -j ACCEPT else warn "xt_recent not available; relaxing FTPS workaround for forwarded FTP server $_ip (opening passive range)." # Control connection to forwarded server $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $standard_ftp_port -j ACCEPT # Passive data ports to server (less strict without xt_recent) $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -d $_ip --dport $ftp_passive_port_range -j ACCEPT # Return traffic from server passive ports $ipt -A FORWARD -p tcp -m conntrack --ctstate NEW -s $_ip --sport $ftp_passive_port_range \ --dport 1024: -j ACCEPT fi # - Accept (helper ftp) related connections # - if can_use_helper_match; then $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -d $_ip -p tcp --dport 1024: -j ACCEPT else warn "helper match not available; allowing RELATED ftp data without helper restriction" $ipt -A FORWARD -m conntrack --ctstate RELATED -d $_ip -p tcp --dport 1024: -j ACCEPT fi if can_use_helper_match; then $ipt -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -s $_ip -p tcp --sport 1024: -j ACCEPT else warn "helper match not available; allowing RELATED ftp data without helper restriction" $ipt -A FORWARD -m conntrack --ctstate RELATED -s $_ip -p tcp --sport 1024: -j ACCEPT fi ((i++)) done fi echo_done else echo_skipped fi #echononl "\t\tFTP Server" # #if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] ; then # if [[ ${#ftp_server_ip_arr[@]} -gt 0 ]] ; then # for _ip in ${ftp_server_ip_arr[@]} ; do # # (Datenkanal aktiv) # $ipt -A OUTPUT -p tcp -s $_ip --sport $standard_ftp_data_port20 -m conntrack --ctstate NEW -j ACCEPT # # Datenkanal (passiver modus) # $ipt -A INPUT -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # - Kontrollverbindung # $ipt -A INPUT -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # done # fi # # if [[ ${#forward_ftp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then # for _ip in ${forward_ftp_server_ip_arr[@]} ; do # # (Datenkanal aktiv) # $ipt -A FORWARD -p tcp -s $_ip --sport $standard_ftp_data_port -m conntrack --ctstate NEW -j ACCEPT # # Datenkanal (passiver modus) # $ipt -A FORWARD -p tcp -d $_ip --dport $unprivports --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # # - Kontrollverbindung # $ipt -A FORWARD -p tcp -d $_ip --dport $standard_ftp_port --sport $unprivports -m conntrack --ctstate NEW -j ACCEPT # done # fi # # echo_done #else # echo_skipped #fi # --- # - XMPP Service (Jabber) # --- echononl "\t\tXMPP Service" if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#xmpp_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${xmpp_server_ip_arr[@]} ; do for _port in ${xmmp_tcp_in_port_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${xmmp_tcp_out_port_arr[@]} ; do $ipt -A OUTPUT -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi if [[ ${#forward_xmpp_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_xmpp_server_ip_arr[@]} ; do for _port in ${xmmp_tcp_in_port_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done for _port in ${xmmp_tcp_out_port_arr[@]} ; do $ipt -A FORWARD -p tcp -s $_ip --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi echo_done else echo_skipped fi # --- # - XMPP Remote Dovecote Out Service # --- echononl "\t\tXMPP Remote Dovecote Out Service" if [[ ${#xmmp_remote_out_service_arr[@]} -gt 0 ]] ; then for _dev in "${ext_if_arr[@]}" ; do for _val in "${xmmp_remote_out_service_arr[@]}" ; do IFS=':' read -a _val_arr <<< "${_val}" $ipt -A OUTPUT -o $_dev -p tcp -d ${_val_arr[0]} --dport ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT done done echo_done else echo_skipped fi # --- # - Mumble Service # --- echononl "\t\tMumble Service" if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#mumble_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${mumble_server_ip_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_mumble_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_mumble_server_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $mumble_ports -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Jitsi Video Conferencing Service # --- echononl "\t\tJitsi Meet Video Conferencing Service Incomming Ports" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT fi $ipt -A INPUT -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_jitsi_server_ip_arr[@]} ; do if ! containsElement "$_ip" "${http_server_ip_arr[@]}" || [[ "$jitsi_tcp_ports" != "$standard_http_ports" ]] ; then $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $jitsi_tcp_ports -m conntrack --ctstate NEW -j ACCEPT fi $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi echononl "\t\tJitsi Meet Video Conferencing Service Outgoing Ports" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_server_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_jitsi_server_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $jitsi_tcp_ports_out -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -s $_ip -m multiport --dports $jitsi_udp_ports_out -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi echononl "\t\tJitsi Meet Dovecot Authentication" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] ; then if $jitsi_dovecot_auth && [[ -n "$jitsi_dovecot_host" ]] && [[ -n "$jitsi_dovecot_port" ]] ; then if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] ; then $ipt -A OUTPUT -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT fi if [[ ${#forward_jitsi_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then $ipt -A FORWARD -p tcp -d $jitsi_dovecot_host --dport $jitsi_dovecot_port -m conntrack --ctstate NEW -j ACCEPT fi echo_done else echo_skipped fi else echo_skipped fi echononl "\t\tJitsi Remote Jibri Client" if [[ ${#jitsi_server_ip_arr[@]} -gt 0 ]] \ && $jitsi_jibri_remote_auth \ && [[ ${#jitsi_jibri_remote_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jitsi_jibri_remote_ip_arr[@]} ; do $ipt -A INPUT -p tcp -s $_ip --dport $jitsi_jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT done echo_done else echo_skipped fi # --- # - Jibri Recording / Streaming Service # --- echononl "\t\tJibri Recording / Streaming Service" if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]]; then if [[ -z "$jibri_remote_jitsi_server" ]]; then echo_skipped else if [[ ${#jibri_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${jibri_server_ip_arr[@]} ; do $ipt -A OUTPUT -p tcp -s $_ip -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_jibri_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_jibri_server_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -d $jibri_remote_jitsi_server --dport $jibri_remote_auth_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -s $_ip -d $jibri_remote_jitsi_server -m multiport --dports $standard_jitsi_udp_port_range -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p tcp -s $_ip -m multiport --dports $default_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT done fi echo_done fi else echo_skipped fi # --- # - TURN Service (for NC Talk App) # --- echononl "\t\tTURN Service (for NC Talk App) both: udp and tcp" if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] ; then if [[ ${#nc_turn_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${nc_turn_server_ip_arr[@]} ; do $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT done fi if [[ ${#forward_nc_turn_server_ip_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _ip in ${forward_nc_turn_server_ip_arr[@]} ; do $ipt -A FORWARD -p tcp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -p udp -d $_ip -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT done fi echo_done else echo_skipped fi # --- # - Timeserver (Port 37 NOT NTP!)" # --- echononl "\t\tTimeserver (Port 37 NOT NTP!) out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_timeserver_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - NTP out only" # --- echononl "\t\tNTP out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p udp --dport $standard_ntp_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - NTP local Service" # --- echononl "\t\tNTP local Service" if [[ -n "$local_ntp_service" ]] && $local_ntp_service ; then if [[ -z "$ntp_allowed_net" ]] ; then echo_failed else $ipt -A OUTPUT -p udp -d $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A INPUT -p udp -s $ntp_allowed_net --dport $ntp_port -m conntrack --ctstate NEW -j ACCEPT echo_done fi else echo_skipped fi # --- # - LDAP out only # --- echononl "\t\tLDAP out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - LDAPS out only # --- echononl "\t\tLDAPS out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - Whois out only # --- echononl "\t\tWhois out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_whois_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - PGP Keyserver out only # --- echononl "\t\tPGP/GPG Key server - out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_pgp_keyserver_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done # --- # - GIT out only # --- echononl "\t\tGIT out only" for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p tcp --dport $standard_git_port -m conntrack --ctstate NEW -j ACCEPT fi done echo_done echo # --- # - Special TCP Ports OUT # --- echononl "\t\tSpecial TCP Ports OUT" if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] ; then if [[ ${#tcp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi if [[ ${#forward_tcp_out_port_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${tcp_out_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi echo_done else echo_skipped fi # --- # - Special UDP Ports OUT # --- echononl "\t\tSpecial UDP Ports OUT" if [[ ${#udp_out_port_arr[@]} -gt 0 ]] || [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then if [[ ${#udp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${udp_out_port_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi if [[ ${#forward_udp_out_port_arr[@]} -gt 0 ]] ; then for _dev in ${ext_if_arr[@]} ; do for _port in ${forward_udp_out_port_arr[@]} ; do $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT done done fi echo_done else echo_skipped fi echo # ------------- # --- Portforwarding # ------------- # --- # - Portforwarding TCP # --- echononl "\t\tPortforwarding TCP" if [[ ${#portforward_tcp_arr[@]} -gt 0 ]] ; then for _val in "${portforward_tcp_arr[@]}" ; do # - Split value # - IFS=':' read -a _val_arr <<< "${_val}" # - Allow Packets IN # - $ipt -A INPUT -i ${_val_arr[0]} -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT # - Allow Packets FORWARD # - $ipt -A FORWARD -i ${_val_arr[0]} -p tcp -d ${_val_arr[3]} --dport ${_val_arr[4]} -m conntrack --ctstate NEW -j ACCEPT _job_id="$(ps ax | grep "TCP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]}" | grep -v grep | awk '{print$1}')" if [[ -n "$_job_id" ]]; then kill ${_job_id} > /dev/null 2>&1 fi socat TCP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]} TCP:${_val_arr[3]}:${_val_arr[4]} & done echo_done else echo_skipped fi echononl "\t\tPortforwarding UDP" if [[ ${#portforward_udp_arr[@]} -gt 0 ]] ; then for _val in "${portforward_udp_arr[@]}" ; do # - Split value # - IFS=':' read -a _val_arr <<< "${_val}" # - Allow Packets IN # - $ipt -A INPUT -i ${_val_arr[0]} -p udp -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT # - Allow Packets FORWARD # - $ipt -A FORWARD -i ${_val_arr[0]} -p udp -d ${_val_arr[3]} --dport ${_val_arr[4]} -m conntrack --ctstate NEW -j ACCEPT _job_id="$(ps ax | grep "UDP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]}" | grep -v grep | awk '{print$1}')" if [[ -n "$_job_id" ]]; then kill ${_job_id} > /dev/null 2>&1 fi socat UDP4-LISTEN:${_val_arr[2]},fork,bind=${_val_arr[1]} UDP:${_val_arr[3]}:${_val_arr[4]} & done echo_done else echo_skipped fi echo # --- # - UNIX Traceroute # --- echononl "\t\tUNIX Traceroute" # versendet udp packete im gegensatz zu tracert von windows # der icmp-echo-request pakete versendet # einige implementierungen von traceroute (linux) erm�lichens # die option -I und versenden dann ebenfalls icmp-echo-request pakete for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT $ipt -A INPUT -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT $ipt -A FORWARD -i $_dev -p udp -m conntrack --ctstate NEW --dport 33434:33530 -j ACCEPT fi done echo_done # --- # - Ping # --- echononl "\t\tPing" $ipt -A INPUT -p icmp -j ACCEPT $ipt -A OUTPUT -p icmp -j ACCEPT if $kernel_activate_forwarding ; then $ipt -A FORWARD -p icmp -j ACCEPT fi #for _dev in ${ext_if_arr[@]} ; do # $ipt -A INPUT -i $_dev -p icmp -j ACCEPT # $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT # if $kernel_activate_forwarding ; then # $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT # $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT # fi #done #for _dev in ${local_if_arr[@]} ; do # $ipt -A INPUT -i $_dev -p icmp -j ACCEPT # $ipt -A OUTPUT -o $_dev -p icmp -j ACCEPT # if $kernel_activate_forwarding ; then # $ipt -A FORWARD -i $_dev -p icmp -j ACCEPT # $ipt -A FORWARD -o $_dev -p icmp -j ACCEPT # fi #done echo_done # --- # - log all rejected traffic # --- echo echononl "\tLogging all rejected traffic" if $log_rejected || $log_all ; then $ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" $ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" if $kernel_activate_forwarding ; then #$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:" $ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):" fi echo_done else echo_skipped fi # --- # - Drop all other # --- echo echononl "\tDrop all other on all interfaces" $ipt -A INPUT -j DROP $ipt -A OUTPUT -j DROP $ipt -A FORWARD -j DROP echo_done # ------------- # ------------- Reload Fail2Ban if installed # ------------- if ${FAIL2BAN_WAS_RUNNING}; then echo echononl "\tReloading fail2ban.." $fail2ban_client reload > /dev/null 2>&1 if [ "$?" = "0" ]; then echo_done else # Fallback: reload + restart jails if needed $fail2ban_client reload --restart > /dev/null 2>&1 if [ "$?" = "0" ]; then echo_done else echo_skipped warn "Fail2ban reload failed. Leaving fail2ban unchanged. Check: fail2ban-client -d and /var/log/fail2ban.log" fi fi else # fail2ban not running before; do not start it here : fi echo exit 0 # ------------ Portforwarding ------------- # # - # - !! NOTICE: # - you need also portforwarding enabled at the kernel # - echo 1 >/proc/sys/net/ipv4/ip_forward # # # ---------------------------------------------- # : --> ::80 # ---------------------------------------------- # #$ipt -A FORWARD [-i ] -p tcp --dport -d -j ACCEPT #$ipt -A FORWARD [-o ] -p tcp --sport -s -j ACCEPT # #$ipt -t nat -A PREROUTING [-i ] -p tcp --dport [-d ] -j DNAT --to-destination : #$ipt -t nat -A POSTROUTING -d -j MASQUERADE # # # ----------------------------------------------- # www-alt.oopen.de --> www-neu.oopen.de # # 46.4.129.3:80 --> 83.223.86.130:80 # 46.4.129.3:443 --> 83.223.86.130:443 # ----------------------------------------------- # #$ipt -A FORWARD -p tcp -m multiport --dports 80,443 -d 83.223.86.130 -j ACCEPT #$ipt -A FORWARD -p tcp -m multiport --sports 80,443 -s 83.223.86.130 -j ACCEPT # #$ipt -t nat -A PREROUTING -p tcp --dport 80 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:80 #$ipt -t nat -A PREROUTING -p tcp --dport 443 -d 46.4.129.3 -j DNAT --to-destination 83.223.86.130:443 #$ipt -t nat -A POSTROUTING -d 83.223.86.130 -j MASQUERADE # # - # ---------- Ende Portforwarding ---------- #