Add 'mail_client_ips', 'restrict_local_service_to_net', 'restrict_local_net_to_net'.

2017-07-18 15:30:23 +02:00
parent 6d2a9d8d8d
commit 8bbc845adf
4 changed files with 511 additions and 40 deletions
--- a/ipt-firewall-vserver.conf.sample
+++ b/ipt-firewall-vserver.conf.sample
@@ -197,19 +197,6 @@ local_munin_service=false
 munin_remote_port="4949"


-# -------------
-# - Protocols Out
-# -------------
-
-# - Rsync Protocol
-# -
-# - Needed for some integrated provider of clamav-unofficial-sigs
-# -
-local_rsync_out=false
-rsync_out_ips=""
-rsync_ports="873"
-
-
 # -------------
 # --- Services local Network
 # -------------
@@ -238,6 +225,71 @@ vserver_ips="$guest_ips"

 broadcast_ips=""

+
+# -------------
+# - Protocols Out
+# -------------
+
+# - Rsync Protocol
+# -
+# - Needed for some integrated provider of clamav-unofficial-sigs
+# -
+local_rsync_out=false
+rsync_out_ips=""
+rsync_ports="873"
+
+
+# -------------
+# ---- Restrict local Servive to given (extern) IP-Address/Network
+# -------------
+
+# - restrict_local_service_to_net
+# - 
+# - restrict_local_service_to_net="ext-net:local-address:port:protocol"
+# -
+# - Note:
+# - =====
+# -    - Only 'tcp' and 'udp' are allowed valuse for protocol.
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -
+# - Use this parameter to (only) give some extern netwoks access to special local 
+# - services.
+# -
+# - Example:
+# -    allow access from 194.150.169.139 to tcp service at 83.223.86.98 on port 1036
+# -    allow access from 86.73.85.0/24 to https service at 83.223.86.98
+# -
+# -    restrict_local_service_to_net="194.150.169.139/32:83.223.86.98:1036:tcp 
+# -                                    86.73.85.0/24:83.223.86.98:443:tcp"
+# -
+# - Blank separated list
+# -
+restrict_local_service_to_net=""
+
+
+# -------------
+# ---- Restrict local Network to given extern IP-Address/Network
+# -------------
+
+# - restrict_local_net_to_net
+# -
+# -    restrict_local_net_to_net="<src-ext-net>:<dst-local-net> [<src-ext-net>:<dst-local-net>] [..]"
+# -
+# - All traffic from the given first network to the given second network is allowed
+# -
+# - Note:
+# - =====
+# -    - Traffic recieved on natted interfaces will be ommitted!
+# -    - If you want allow both directions, you have to make two entries - one for evry directions.
+# -
+# - Example:
+# -   allow_ext_net_to_local_net="86.223.85.0/24:86.223.73.192/26
+# -                               83.223.86.96/32:86.223.73.0/24"
+# - 
+# - Blank separated list
+# -
+restrict_local_net_to_net=""
+
 # - Remote Munin Server
 # -
 munin_remote_ip="83.223.86.99"
@@ -263,6 +315,10 @@ smtpd_ips=""
 # -
 mail_server_ips=""

+# - Mail Client (smtps/pop(s)/imap(s)
+# -
+mail_client_ips=""
+
 # - FTP Server
 # -
 ftp_server_ips=""
@@ -288,9 +344,11 @@ local_xymon_client=false
 # -------------

 # - TCP Ports
+# -
 tcp_out_ports=""

 # - UDP Ports
+# -
 udp_out_ports=""


@@ -348,6 +406,35 @@ create_iperf_rules=true
 # -
 kernel_activate_forwarding=false

+# - Activate kernel support for dynamic IP adresses
+# - (not needed in case of static IP)
+# -
+# - see also https://www.frozentux.net/iptables-tutorial/other/ip_dynaddr.txt
+# -
+# - The values for the ip_dynaddr sysctl are [*]:
+# -
+# -   1:  To enable:
+# -   2:  To enable verbosity:
+# -   4:  To enable RST-provoking:
+# -   8:  To enable asymetric routing work-around [**]
+# -
+# -  [*] At boot, by default no address rewriting is attempted.
+# -  [**] This code is currently totaly untested.
+# -
+# - Flags can be combined by adding them. Common settings
+# - would be:
+# -
+# - To enable rewriting in quiet mode:
+# -   # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable rewriting in verbose mode:
+# -   # echo 3 > /proc/sys/net/ipv4/ip_dynaddr
+# - To enable quiet RST-provoking mode (1+4):
+# -   # echo 5 > /proc/sys/net/ipv4/ip_dynaddr
+# - ...
+# -
+kernel_support_dynaddr=false
+dynaddr_flag="5"
+

 # -------------
 # --- Kernel related - Adjust Kernel Parameters (Security/Tuning)
@@ -498,6 +585,22 @@ for _dev in $unprotected_ifs ; do
   unprotected_if_arr+=("$_dev")
 done

+# ---
+# - Restrict local Servive to given IP-Address/Network
+# ---
+declare -a restrict_local_service_to_net_arr
+for _val in $restrict_local_service_to_net ; do
+   restrict_local_service_to_net_arr+=("$_val")
+done
+
+# ---
+# - Restrict local Network to given IP-Address/Network
+# ---
+declare -a restrict_local_net_to_net_arr
+for _val in $restrict_local_net_to_net ; do
+   restrict_local_net_to_net_arr+=("$_val")
+done
+
 # ---
 # - Generally block ports
 # ---
@@ -560,13 +663,22 @@ for _ip in $smtpd_ips ; do
 done

 # ---
-# - Mail POP/IMAP Server
+# - Mail Services (smtps/pop(s)/imap(s)
 # ---
 declare -a mail_server_ips_arr
 for _ip in $mail_server_ips ; do
   mail_server_ips_arr+=("$_ip")
 done

+# ---
+# - Mail client (smtps/pop(s)/imap(s)
+# ---
+# local
+declare -a mail_client_ips_arr
+for _ip in $mail_client_ips ; do
+   mail_client_ips_arr+=("$_ip")
+done
+
 # ---
 # - IP Addresses Mumble Server
 # ---