From 421d14a4c2a6ffabd19cf80597d45591a1fd3f87 Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Tue, 23 Aug 2022 05:00:55 +0100
Subject: [PATCH] Updated rc.firewall* scripts.

---
 rc.d/{rc.firewall-hypervisors => rc.firewall} | 48 +++--
 ...c.firewall-guests => rc.firewall-complete} | 48 +++--
 rc.d/rc.firewall-float | 72 +++----
 rc.d/rc.firewall-hosts | 187 ------------------
 rc.d/rc.firewall-hypervisor-fry | 157 ---------------
 5 files changed, 109 insertions(+), 403 deletions(-)
 rename rc.d/{rc.firewall-hypervisors => rc.firewall} (70%)
 rename rc.d/{rc.firewall-guests => rc.firewall-complete} (80%)
 delete mode 100755 rc.d/rc.firewall-hosts
 delete mode 100755 rc.d/rc.firewall-hypervisor-fry

diff --git a/rc.d/rc.firewall-hypervisors b/rc.d/rc.firewall
similarity index 70%
rename from rc.d/rc.firewall-hypervisors
rename to rc.d/rc.firewall
index e43001c..ae62580 100755
--- a/rc.d/rc.firewall-hypervisors
+++ b/rc.d/rc.firewall
@@ -1,11 +1,13 @@
 #!/bin/bash
 
 # The name of the main external interface.
-EX_IF="br0"
+EX_IF="eth0"
 
-# The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+# The IP ranges from where to accept unfiltered connections
+# |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
+UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
+# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
+UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
 
 
 start_firewall() {
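Review bot: `'afterdark.org.uk'` in the new UNFILTERED_RANGES_V4 is a hostname, and the loop that consumes the array (the next hunk of this file) hands it straight to `iptables -s`, which resolves it with DNS at rule-insertion time. At boot, before the resolver is reachable, that iptables call fails and the entry is silently omitted (no return status is checked anywhere in the script); at any other time, whoever can answer that lookup decides which address receives an unrestricted ACCEPT ahead of every service rule. Use the literal address here, or resolve it once in a guarded step that logs and skips on failure, and put `# Literal addresses/CIDRs only: a hostname is resolved by DNS when the rule is inserted.` above the array so the constraint survives the next edit.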
@@ -39,20 +41,34 @@ start_firewall() {
   # Drop unroutable IPs on the external interface.
   iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
   ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+  # Allow local nets if our IP is in the same range.
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+  fi
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+  fi
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+  fi
 
   # Allow all loopback traffic.
   iptables -A INPUT -i lo -j ACCEPT
   ip6tables -A INPUT -i lo -j ACCEPT
 
   # Allow unrestricted access from our IPs.
-  for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
-    iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+  for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
+    iptables -A INPUT -i "$EX_IF" --s "$ENTRY" -j ACCEPT
   done
-  for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
-    ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+  for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
+    ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
   done
 
   # Allow packets of established connections and those related to them.
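Review bot: The new ACCEPT rules admit the entire 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 unfiltered — not the subnet the host is on — and they sit ahead of every service rule, so on a provider network where eth0 carries an RFC1918 address every other tenant in that range reaches every port on this host. The 172 test compares only the first two octets with `172.16`, so a host on 172.20.x.x keeps dropping its own neighbours while a host on 172.16.x.x opens all sixteen /16s. The v4 loop at the bottom also uses `--s` where the other two scripts in this patch use `-s`; presumably a typo. `ip -o -4 addr show` prints `addr/prefixlen` in field 4 and iptables masks that to the network, so the on-link subnet can be accepted while the rest of the private space is still dropped, and the gawk-only `awk -e` disappears with it. start_firewall begins and ends outside this hunk.
```shell
  # Allow only our own on-link IPv4 subnet when it is RFC1918; drop the rest of the private space.
  # `ip -o` prints one address per line; field 4 is "addr/prefixlen", which iptables masks to the network.
  OUR_NET="$(ip -o -4 addr show dev "$EX_IF" | awk '{print $4; exit}')"
  case "$OUR_NET" in
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*)
      iptables -A INPUT -i "$EX_IF" -s "$OUR_NET" -j ACCEPT
      ;;
  esac
  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
  # … unchanged: loopback accept …
  for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
    iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
  done
```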
@@ -76,7 +92,7 @@ start_firewall() {
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
-  # Allow SSH.
+  # Allow SSH (from anywhere).
   iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
 
@@ -130,10 +146,16 @@ case "$1" in
     ;;
   'restart')
     stop_firewall
+    sleep 0.5
     start_firewall
     ;;
   *)
     echo "Usage: $BASH_SOURCE " >&2
-    ERR=1
+    exit 1
     ;;
 esac
+
+# Restart fail2ban to re-create the ban chains.
+[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+
+exit 0
diff --git a/rc.d/rc.firewall-guests b/rc.d/rc.firewall-complete
similarity index 80%
rename from rc.d/rc.firewall-guests
rename to rc.d/rc.firewall-complete
index 7bc7ca9..456182c 100755
--- a/rc.d/rc.firewall-guests
+++ b/rc.d/rc.firewall-complete
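Review bot: The rules under the new `# Allow SSH (from anywhere).` comment accept every new connection to 22 and 9922 from any source, and the only brake is fail2ban, which acts after the fact from log parsing and is itself restarted by this script (next hunk); a kernel-side cap on new SYNs costs two lines per family and bounds password guessing even while fail2ban is down. Insert before the existing ACCEPT: `iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -m recent --name ssh --set` and `iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP`, mirrored for ip6tables. The unfiltered ranges are accepted earlier in the chain, so administrative sources are not throttled by this. start_firewall begins and ends outside this hunk.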
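Review bot: The final `exit 0` reports success regardless of what happened: nothing in this script checks the status of an iptables call, so a rule that fails to insert (an entry in UNFILTERED_RANGES_V4 that does not resolve, a missing match module) is lost silently and the rc system sees a clean start. Track failures instead — `RV=0` near the top, every iptables/ip6tables call in start_firewall routed through a wrapper such as `ipt() { "$@" || RV=1; }`, and `exit "$RV"` at the end — so a degraded ruleset is at least visible in the boot log. start_firewall's body, where the wrapper would be applied, lies outside this hunk.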
@@ -3,9 +3,11 @@
 # The name of the main external interface.
 EX_IF="eth0"
 
-# The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+# The IP ranges from where to accept unfiltered connections
+# |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
+UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
+# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
+UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
 
 
 start_firewall() {
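Review bot: `'5.101.171.210/28'` is not on a /28 boundary: the match is evaluated as `source & mask`, so the rule behaves as 5.101.171.208/28 and whitelists .208–.223 unfiltered, which may include addresses the author does not control. If one host is meant, drop the prefix (`'5.101.171.210'`, consistent with the neighbouring single-address entries); if a block is meant, write it on its boundary and say so in the alignment comment above it. The same array also carries the hostname `'afterdark.org.uk'`, which the loop later in this file resolves through DNS each time the rules are loaded — fragile at boot and trusting DNS for a full-bypass entry.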
@@ -39,20 +41,34 @@ start_firewall() {
   # Drop unroutable IPs on the external interface.
   iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
   ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+  # Allow local nets if our IP is in the same range.
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+  fi
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+  fi
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+  fi
 
   # Allow all loopback traffic.
   iptables -A INPUT -i lo -j ACCEPT
   ip6tables -A INPUT -i lo -j ACCEPT
 
   # Allow unrestricted access from our IPs.
-  for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
-    iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+  for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
+    iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
   done
-  for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
-    ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+  for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
+    ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
   done
 
   # Allow packets of established connections and those related to them.
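Review bot: The second test compares the first two octets with `172.16` while the rule it gates covers 172.16.0.0/12, so a host on 172.17–172.31 drops its own subnet (and a host on 172.16.x.x accepts all sixteen /16s). A glob on the whole address is both correct and cheaper than three `ip | awk | cut` pipelines: compute `OUR_NET="$(ip -o -4 addr show dev "$EX_IF" | awk '{print $4; exit}')"` once and test with `case "$OUR_NET" in 172.1[6-9].*|172.2[0-9].*|172.3[01].*) … ;; esac`. Whatever the test, the ACCEPT still admits the entire private range rather than the host's own subnet, ahead of every service rule — narrowing it to `-s "$OUR_NET"` (iptables masks addr/prefixlen to the network) keeps the intent of the comment without opening every port to the provider's whole private space. start_firewall begins and ends outside this hunk.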
@@ -128,6 +144,10 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
 
+  # Service: tftp.
+  iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 69 -m conntrack --ctstate NEW -j ACCEPT
+  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 69 -m conntrack --ctstate NEW -j ACCEPT
+
   # Set default policies.
   iptables -P INPUT DROP
   ip6tables -P INPUT DROP
@@ -178,10 +198,16 @@ case "$1" in
     ;;
   'restart')
     stop_firewall
+    sleep 0.5
     start_firewall
     ;;
   *)
     echo "Usage: $BASH_SOURCE " >&2
-    ERR=1
+    exit 1
     ;;
 esac
+
+# Restart fail2ban to re-create the ban chains.
+[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+
+exit 0
diff --git a/rc.d/rc.firewall-float b/rc.d/rc.firewall-float
index 1461c29..ca76259 100755
--- a/rc.d/rc.firewall-float
+++ b/rc.d/rc.firewall-float
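Review bot: TFTP runs over UDP, so the two added rules (`-p tcp --syn --dport 69`) never match a TFTP request and the service stays unreachable while the comment says it is open. Replace them with `iptables -A INPUT -i "$EX_IF" -p udp --dport 69 -m conntrack --ctstate NEW -j ACCEPT` (and the ip6tables mirror) and add `modprobe nf_conntrack_tftp` alongside: the server answers from a fresh port, so the rest of the transfer is only RELATED with the helper loaded — this file already does the same for FTP with nf_conntrack_ftp and nf_conntrack_helper=1 (its unchanged old body, blob 7bc7ca9, is shown below as the deleted rc.firewall-hosts). TFTP is unauthenticated and unencrypted; if it exists to serve boot images to a few machines, qualify the rule with `-s` to those sources or the local net rather than exposing it on the external interface. start_firewall begins and ends outside this hunk.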
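Review bot: `restart` now runs `stop_firewall`, which sets every policy to ACCEPT and flushes the chains, then sleeps half a second before `start_firewall` rebuilds; during that window the host accepts everything on every port. start_firewall flushes and rebuilds the tables itself (the unchanged body of this file, blob 7bc7ca9, is shown below as the deleted rc.firewall-hosts), so the arm can simply be `'restart') start_firewall ;;` and the INPUT policy stays at DROP while the rules are re-added. If the pause is needed for fail2ban, put it in front of the fail2ban restart below the case rather than inside the open window.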
@@ -4,14 +4,16 @@
 EX_IF="eth0"
 
 # IP addresses.
-PRIMARYIP="216.119.155.FIXME"
-PRIMARYIP6="2a02:2498:e004:2a::FIXME"
-FLOATINGIP="216.119.155.FIXME"
-FLOATINGIP6="2a02:2498:e004:2a::FIXME"
+PRIMARYIP=""
+PRIMARYIP6=""
+FLOATINGIP=""
+FLOATINGIP6=""
 
-# The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+# The IP ranges from where to accept unfiltered connections
+# |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
+UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
+# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
+UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
 
 
 start_firewall() {
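Review bot: PRIMARYIP, PRIMARYIP6, FLOATINGIP and FLOATINGIP6 are now empty strings, and every service rule in this script passes them as `-d "$PRIMARYIP"` / `-d "$FLOATINGIP"` (see the context lines of the later hunks): iptables rejects an empty host, the rule is skipped, the script still ends with `exit 0`, and with the INPUT policy at DROP the host answers SSH only from the unfiltered ranges. If these are meant to be filled in per host, make the omission fatal before any rule is touched — right after the assignments add `: "${PRIMARYIP:?set the IP addresses at the top of $BASH_SOURCE}" "${PRIMARYIP6:?}" "${FLOATINGIP:?}" "${FLOATINGIP6:?}"` — so an unconfigured copy refuses to start instead of quietly producing a half-built ruleset.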
@@ -45,20 +47,34 @@ start_firewall() {
   # Drop unroutable IPs on the external interface.
   iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
   ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+  # Allow local nets if our IP is in the same range.
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+  fi
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+  fi
+  if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
+    iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
+  else
+    iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+  fi
 
   # Allow all loopback traffic.
   iptables -A INPUT -i lo -j ACCEPT
   ip6tables -A INPUT -i lo -j ACCEPT
 
   # Allow unrestricted access from our IPs.
-  for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
-    iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+  for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
+    iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
   done
-  for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
-    ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+  for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
+    ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
   done
 
   # Allow packets of established connections and those related to them.
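Review bot: `awk -e '{printf $3}'` is run three times per start and is fragile twice over: `-e` is a gawk extension (mawk and busybox awk reject it), and `printf $3` uses the field as a printf format string. When the pipeline fails the comparison sees an empty string and silently takes the DROP branch — the safe side, but it hides a broken check. Read the address once into a variable with `OUR_NET="$(ip -o -4 addr show dev "$EX_IF" | awk '{print $4; exit}')"` (one `addr/prefixlen` per line, no gawk switches, deterministic first address on a host that also carries the floating IP) and compare against that; with the address in hand the ACCEPT can also be narrowed from the whole /8, /12 or /16 to `-s "$OUR_NET"`. start_firewall begins and ends outside this hunk.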
@@ -86,12 +102,6 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
 
-  # Service: DNS.
-  iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-
   # Service: HTTP{,S}.
   iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
@@ -112,10 +122,6 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
 
-  # Service: SMTP and submission.
-  iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-
   # Service: IMAP{,S}.
   iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
@@ -124,16 +130,6 @@ start_firewall() {
   iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
   ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
 
-  # Service: Bittorrent.
-  iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-
   # Set default policies.
   iptables -P INPUT DROP
   ip6tables -P INPUT DROP
@@ -184,10 +180,16 @@ case "$1" in
     ;;
   'restart')
     stop_firewall
+    sleep 0.5
     start_firewall
     ;;
   *)
     echo "Usage: $BASH_SOURCE " >&2
-    ERR=1
+    exit 1
     ;;
 esac
+
+# Restart fail2ban to re-create the ban chains.
+[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
+
+exit 0
diff --git a/rc.d/rc.firewall-hosts b/rc.d/rc.firewall-hosts
deleted file mode 100755
index 7bc7ca9..0000000
--- a/rc.d/rc.firewall-hosts
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/bin/bash
-
-# The name of the main external interface.
-EX_IF="eth0"
-
-# The IP ranges from where to accept unfiltered connections.
-UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
-
-
-start_firewall() {
-  # Disable ICMP redirects.
-  # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
-  # the sending host that it should forward subsequent packets to that same destination through a different gateway.
-  echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
-  echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
-  echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
-
-  # Flush old rules.
-  iptables -F
-  ip6tables -F
-  iptables -t nat -F
-  ip6tables -t nat -F
-  iptables -t mangle -F
-  ip6tables -t mangle -F
-
-  # Delete any custom chains.
-  iptables -X
-  ip6tables -X
-  iptables -t nat -X
-  ip6tables -t nat -X
-  iptables -t mangle -X
-  ip6tables -t mangle -X
-
-  # Drop invalid packets on all interfaces.
-  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-  ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
-
-  # Drop unroutable IPs on the external interface.
-  iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
-  ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
-
-  # Allow all loopback traffic.
-  iptables -A INPUT -i lo -j ACCEPT
-  ip6tables -A INPUT -i lo -j ACCEPT
-
-  # Allow unrestricted access from our IPs.
-  for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
-    iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
-  done
-  for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
-    ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
-  done
-
-  # Allow packets of established connections and those related to them.
-  iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
-  # Allow pings.
-  iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-
-  # Allow certain types of ICMP informational packets.
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-
-  # Allow SSH.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: DNS.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: HTTP{,S}.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: FTP{,S}.
-  # Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
-  # change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
-  modprobe nf_conntrack_ftp
-  echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: rsync.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: SMTP and submission.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: IMAP{,S}.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: POP3{,S}.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Service: Bittorrent.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-
-  # Set default policies.
-  iptables -P INPUT DROP
-  ip6tables -P INPUT DROP
-  iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-  ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-  iptables -P FORWARD DROP
-  ip6tables -P FORWARD DROP
-}
-
-stop_firewall() {
-  # Set default policies to ACCEPT.
-  iptables -P INPUT ACCEPT
-  ip6tables -P INPUT ACCEPT
-  iptables -P OUTPUT ACCEPT
-  ip6tables -P OUTPUT ACCEPT
-  iptables -P FORWARD ACCEPT
-  ip6tables -P FORWARD ACCEPT
-
-  # Flush rules.
-  iptables -F
-  ip6tables -F
-  iptables -t nat -F
-  ip6tables -t nat -F
-  iptables -t mangle -F
-  ip6tables -t mangle -F
-
-  # Delete any custom chains.
-  iptables -X
-  ip6tables -X
-  iptables -t nat -X
-  ip6tables -t nat -X
-  iptables -t mangle -X
-  ip6tables -t mangle -X
-
-  # Reset ICMP redirects.
-  cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
-  cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
-  cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
-}
-
-
-case "$1" in
-  'start')
-    start_firewall
-    ;;
-  'stop')
-    stop_firewall
-    ;;
-  'restart')
-    stop_firewall
-    start_firewall
-    ;;
-  *)
-    echo "Usage: $BASH_SOURCE " >&2
-    ERR=1
-    ;;
-esac
diff --git a/rc.d/rc.firewall-hypervisor-fry b/rc.d/rc.firewall-hypervisor-fry
deleted file mode 100755
index e9fbb02..0000000
--- a/rc.d/rc.firewall-hypervisor-fry
+++ /dev/null
@@ -1,157 +0,0 @@
-#!/bin/bash
-
-# The name of the main external interface.
-EX_IF="eth1"
-
-# The name of the VM network bridge interface.
-BR_IF="br0"
-
-# The IP ranges to accept unfiltered connections from.
-UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
-UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
-
-
-start_firewall() {
-  # Disable ICMP redirects.
-  # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
-  # the sending host that it should forward subsequent packets to that same destination through a different gateway.
-  echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
-  echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
-  echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
-
-  # Proxy ARP is required for the VMs to use the network.
-  echo 1 >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
-
-  # Flush old rules.
-  iptables -F
-  ip6tables -F
-  iptables -t nat -F
-  ip6tables -t nat -F
-  iptables -t mangle -F
-  ip6tables -t mangle -F
-
-  # Delete any custom chains.
-  iptables -X
-  ip6tables -X
-  iptables -t nat -X
-  ip6tables -t nat -X
-  iptables -t mangle -X
-  ip6tables -t mangle -X
-
-  # Drop invalid packets on all interfaces.
-  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-  ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
-
-  # Drop unroutable IPs on the external interface.
-  iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
-  ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-  iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
-
-  # Drop the IPs that we've usurped.
-  iptables -A FORWARD -o "$EX_IF" -s 216.119.155.56/31 -j DROP
-  iptables -A FORWARD -o "$EX_IF" -s 216.119.155.62/31 -j DROP
-  iptables -A FORWARD -i "$EX_IF" -d 216.119.155.56/31 -j DROP
-  iptables -A FORWARD -i "$EX_IF" -d 216.119.155.62/31 -j DROP
-
-  # Allow all loopback traffic.
-  iptables -A INPUT -i lo -j ACCEPT
-  ip6tables -A INPUT -i lo -j ACCEPT
-
-  # Allow all traffic from the bridged network.
-  iptables -A INPUT -i "$BR_IF" -j ACCEPT
-  ip6tables -A INPUT -i "$BR_IF" -j ACCEPT
-
-  # Allow unrestricted access from our IPs.
-  for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
-    iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
-  done
-  for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
-    ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
-  done
-
-  # Allow packets of established connections and those related to them.
-  iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
-  # Allow pings.
-  iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-
-  # Allow certain types of ICMP informational packets.
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-  iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-
-  # Allow SSH.
-  iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-  ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-
-  iptables -P INPUT DROP
-  ip6tables -P INPUT DROP
-  iptables -P FORWARD ACCEPT
-  ip6tables -P FORWARD ACCEPT
-  iptables -P OUTPUT ACCEPT
-  ip6tables -P OUTPUT ACCEPT
-}
-
-stop_firewall() {
-  # Set default policies to ACCEPT.
-  iptables -P INPUT ACCEPT
-  ip6tables -P INPUT ACCEPT
-  iptables -P OUTPUT ACCEPT
-  ip6tables -P OUTPUT ACCEPT
-  iptables -P FORWARD ACCEPT
-  ip6tables -P FORWARD ACCEPT
-
-  # Flush rules.
-  iptables -F
-  ip6tables -F
-  iptables -t nat -F
-  ip6tables -t nat -F
-  iptables -t mangle -F
-  ip6tables -t mangle -F
-
-  # Delete any custom chains.
-  iptables -X
-  ip6tables -X
-  iptables -t nat -X
-  ip6tables -t nat -X
-  iptables -t mangle -X
-  ip6tables -t mangle -X
-
-  # Disable proxy ARP.
-  cat /proc/sys/net/ipv4/conf/default/proxy_arp >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
-
-  # Reset ICMP redirects.
-  cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
-  cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
-  cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
-}
-
-
-case "$1" in
-  'start')
-    start_firewall
-    ;;
-  'stop')
-    stop_firewall
-    ;;
-  'restart')
-    stop_firewall
-    start_firewall
-    ;;
-  *)
-    echo "Usage: $BASH_SOURCE " >&2
-    ERR=1
-    ;;
-esac