added iptables scripts

ipt

@@ -0,0 +1 @@
+sudo iptables -L -n -v --line-numbers $*

ipt-static-ruleset

@@ -0,0 +1,123 @@
+#######################################################################################################################
+# Firewall configuration for this host ################################################################################
+#######################################################################################################################
+
+# Allow minimum for all VLANS (ping, dhcp, dns, ntp)
+sudo iptables -A INPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept incomming pings"
+sudo iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept outgoing pings"
+sudo iptables -A INPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept incomming dhcp"
+sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept outgoing dhcp"
+sudo iptables -A INPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept incomming dns"
+sudo iptables -A INPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept incomming dns"
+sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept outgoing dns"
+sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept outgoing dns"
+sudo iptables -A INPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept incomming ntp"
+sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept outgoing ntp"
+
+# Allow some usefull outgoing traffic for all VLANS (ssh)
+sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "accept outgoing ssh"
+
+
+# Allow established and related trafic
+sudo iptables -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all incomming established and related trafic"
+sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all outgoing established and related trafic"
+
+# Allow everything for trusted networks
+sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
+sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
+sudo iptables -A INPUT -j ACCEPT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device"
+sudo iptables -A OUTPUT -j ACCEPT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
+
+sudo iptables -A OUTPUT -j ACCEPT -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
+
+# Add reject rule for propper feedback
+sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"
+
+
+
+#######################################################################################################################
+# Cros VLAN forwarding ################################################################################################
+#######################################################################################################################
+# General
+sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
+sudo iptables -A FORWARD -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "forward all established and related traffic"
+sudo iptables -A FORWARD -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "forward all pings"
+sudo iptables -A FORWARD -j ACCEPT -p udp --dport 123 -m comment --comment "forward all ntp request"
+sudo iptables -A FORWARD -j ACCEPT -p udp --sport 123 -m comment --comment "forward all ntp request"
+
+#---------------------
+# -> VLAN10 (Internet)
+#---------------------
+# Allow VLAN30 full access to the internet
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
+# Allow VLAN40 access to to http,https
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
+# Allow VLAN60 access to to http,https
+sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
+
+#--------------------
+# -> VLAN20 (Network)
+#--------------------
+# Allow VLAN30 full access
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
+
+#--------------------------------------
+# -> VLAN30 (Family) - VERY RESTRICTIVE
+#--------------------------------------
+# Allow VLAN40 and VLAN50 access to the mqtt port
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
+
+
+#-------------------------------
+# -> VLAN40 (Untrusted Internet)
+#-------------------------------
+# Allow VLAN30 full access
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
+
+#---------------------------------
+# -> VLAN50 (Untrusted no Internet
+#---------------------------------
+# Allow VLAN30 full access
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
+
+#------------------
+# -> VLAN60 (Gäste)
+#------------------
+
+
+
+#----------------------
+# Masquerade traffic to
+#----------------------
+sudo iptables -t nat -A POSTROUTING -o eth0.10 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
+sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
+sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
+sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
+sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"
+
+
+
+
+#######################################################################################################################
+# Change policy to drop all remainig ##################################################################################
+#######################################################################################################################
+sudo iptables -P INPUT DROP
+sudo iptables -P OUTPUT DROP
+sudo iptables -P FORWARD DROP
+
+
+
+#######################################################################################################################
+# Show configuration ##################################################################################################
+#######################################################################################################################
+sudo iptables -L -n -v --line-numbers
+
+
+echo "********************************************************************************************"
+echo "* -> Execute sudo sh -c \"iptables-save > /etc/iptables/rules.v4\""
+echo "********************************************************************************************"
+

vlanm

@@ -0,0 +1,98 @@
+#!/bin/python3
+#
+import argparse
+from getpass import getpass
+import re
+import subprocess
+
+def device_by_vlan(n):
+    return 'eth0' if n == 10 else 'eth0.%d' % n
+
+def iprange_by_vlan(n):
+    return '192.168.0.0/24' if n == 10 else '192.168.%d.0/24' % n
+
+def get_iptables_info():
+    global password
+    my_cmd = "sudo -S iptables -L -n -v --line-numbers".split()
+    cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+    return cmd.stdout
+
+def get_rule_num(chain, comment):
+    required_chain = False
+    for line in get_iptables_info().split('\n'):
+        if line.strip().lower().startswith('chain'):
+            required_chain = line.strip().lower().startswith('chain ' + chain.strip().lower())
+        if required_chain:
+            rule_num = None
+            try:
+                rule_num = int(line.split()[0])
+            except:
+                pass
+            else:
+                s = re.search(r'\/\*(.*?)\*\/', line)
+                if s is not None:
+                    if s.group(1).strip() == comment:
+                        return rule_num
+
+
+
+if __name__ == "__main__":
+    global password
+
+    prog = 'vlan manager'
+    description = 'Add and removes iptable rules for a given vlan'
+    epilog = 'Text at the bottom of help'
+    parser = argparse.ArgumentParser(prog=prog, description=description, epilog=epilog)
+    parser.add_argument('-v', '--vlan_number', type=int, required=True, help="Define the vlan to be used")
+    parser.add_argument('-o', '--open_to_internet', action='store_true', help="Toggle rule: Open vlan to the internet")
+    parser.add_argument('-l', '--log_to_internet', action='store_true', help="Toggle rule: Log vlan to the internet")
+
+    args = parser.parse_args()
+
+    UID_O = 'VLANM_RULE__OPEN_TO_INTERNET_%d' % args.vlan_number
+    UID_L = 'VLANM_RULE__LOG_TO_INTERNET_%d' % args.vlan_number
+
+    if args.open_to_internet:
+        password = getpass("password: ")
+        print()
+        rn = get_rule_num('forward', UID_O)
+        if rn is None:
+            print("Add rule:", UID_O)
+        else:
+            print("Remove rule:", UID_O)
+        if getpass('Proceed? [Y/n]') in ['', 'y', 'Y']:
+            if rn is None:
+                my_cmd = ['sudo',  '-S', 'iptables', '-A', 'FORWARD', '-j', 'ACCEPT', '-i', device_by_vlan(args.vlan_number), '-o', 'eth0', '!', '-d', '192.168.0.0/16', '-m', 'comment', '--comment', UID_O]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+            else:
+                my_cmd = ['sudo', '-S', 'iptables', '-D', 'FORWARD', str(rn)]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+    elif args.log_to_internet:
+        password = getpass("password: ")
+        print()
+        rn = get_rule_num('forward', UID_L)
+        if rn is None:
+            print("Add rule:", UID_L)
+        else:
+            print("Remove rule:", UID_L)
+        if getpass('Proceed? [Y/n]') in ['', 'y', 'Y']:
+            if rn is None:
+                my_cmd = ['sudo', '-S', 'iptables', '-A', 'FORWARD', '-j', 'LOG', '-i', device_by_vlan(args.vlan_number), '-o', 'eth0', '!', '-d', '192.168.0.0/16', '-m', 'comment', '--comment', UID_L]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+                print("Use 'sudo ~/bin/ftail /var/log/kern.log' to view the logs.")
+            else:
+                my_cmd = ['sudo', '-S', 'iptables', '-D', 'FORWARD', str(rn)]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+
+
+    else:
+        print("************************")
+        print("* No action specified! *")
+        print("************************")
+        print()
+        parser.print_help()
+