Slackware/bootstrap
1
0
Fork 0
Code Releases Wiki Activity

Updated rc.firewall* scripts.

Browse source
This commit is contained in:
Darren 'Tadgy' Austin 2022-08-23 05:00:55 +01:00
commit 421d14a4c2
5 changed files with 109 additions and 403 deletions
Download patch file Download diff file Expand all files Collapse all files

42
rc.d/rc.firewall-hypervisors → rc.d/rc.firewall
View file

@ -1,11 +1,13 @@
#!/bin/bash #!/bin/bash
# The name of the main external interface. # The name of the main external interface.
EX_IF="br0" EX_IF="eth0"
# The IP ranges from where to accept unfiltered connections. # The IP ranges from where to accept unfiltered connections
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169') # |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64') UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
start_firewall() { start_firewall() {
@ -39,20 +41,34 @@ start_firewall() {
# Drop unroutable IPs on the external interface. # Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
# Allow local nets if our IP is in the same range.
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
fi
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
fi
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
fi
# Allow all loopback traffic. # Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs. # Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT iptables -A INPUT -i "$EX_IF" --s "$ENTRY" -j ACCEPT
done done
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
done done
# Allow packets of established connections and those related to them. # Allow packets of established connections and those related to them.
@ -76,7 +92,7 @@ start_firewall() {
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow SSH. # Allow SSH (from anywhere).
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
@ -130,10 +146,16 @@ case "$1" in
;; ;;
'restart') 'restart')
stop_firewall stop_firewall
sleep 0.5
start_firewall start_firewall
;; ;;
*) *)
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2 echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
ERR=1 exit 1
;; ;;
esac esac
# Restart fail2ban to re-create the ban chains.
[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
exit 0

42
rc.d/rc.firewall-guests → rc.d/rc.firewall-complete
View file

@ -3,9 +3,11 @@
# The name of the main external interface. # The name of the main external interface.
EX_IF="eth0" EX_IF="eth0"
# The IP ranges from where to accept unfiltered connections. # The IP ranges from where to accept unfiltered connections
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169') # |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64') UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
start_firewall() { start_firewall() {
@ -39,20 +41,34 @@ start_firewall() {
# Drop unroutable IPs on the external interface. # Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
# Allow local nets if our IP is in the same range.
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
fi
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
fi
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
fi
# Allow all loopback traffic. # Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs. # Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
done done
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
done done
# Allow packets of established connections and those related to them. # Allow packets of established connections and those related to them.
@ -128,6 +144,10 @@ start_firewall() {
iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Service: tftp.
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 69 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 69 -m conntrack --ctstate NEW -j ACCEPT
# Set default policies. # Set default policies.
iptables -P INPUT DROP iptables -P INPUT DROP
ip6tables -P INPUT DROP ip6tables -P INPUT DROP
@ -178,10 +198,16 @@ case "$1" in
;; ;;
'restart') 'restart')
stop_firewall stop_firewall
sleep 0.5
start_firewall start_firewall
;; ;;
*) *)
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2 echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
ERR=1 exit 1
;; ;;
esac esac
# Restart fail2ban to re-create the ban chains.
[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
exit 0

66
rc.d/rc.firewall-float
View file

@ -4,14 +4,16 @@
EX_IF="eth0" EX_IF="eth0"
# IP addresses. # IP addresses.
PRIMARYIP="216.119.155.FIXME" PRIMARYIP=""
PRIMARYIP6="2a02:2498:e004:2a::FIXME" PRIMARYIP6=""
FLOATINGIP="216.119.155.FIXME" FLOATINGIP=""
FLOATINGIP6="2a02:2498:e004:2a::FIXME" FLOATINGIP6=""
# The IP ranges from where to accept unfiltered connections. # The IP ranges from where to accept unfiltered connections
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169') # |-- UK Servers --| |---------------------------------- UK2 -----------------------------------| |-- Linode ---| |- L'Servers --| |----- Home -----|
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64') UNFILTERED_RANGES_V4=('5.101.171.210/28' '91.109.244.7' '91.109.244.8' '91.109.244.9' '91.109.244.10' '91.109.244.11' '88.80.191.137' '185.176.90.169' 'afterdark.org.uk')
# |---- UK Servers -----| |------- UK2 --------| |----------- Linode -----------| |---- LoveServers -----|
UNFILTERED_RANGES_V6=('2a01:a500:2981:1::/64' '2a02:2498:1:227::/64' '2a01:7e00::f03c:93ff:fe86:afae' '2a07:4580:b0d:57f::169')
start_firewall() { start_firewall() {
@ -45,20 +47,34 @@ start_firewall() {
# Drop unroutable IPs on the external interface. # Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
# Allow local nets if our IP is in the same range.
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1)" == "10" ]]; then
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
fi
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "172.16" ]]; then
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
fi
if [[ "$(ip -br a s "$EX_IF" | awk -e '{printf $3}' | cut -d. -f1,2)" == "192.168" ]]; then
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j ACCEPT
else
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
fi
# Allow all loopback traffic. # Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs. # Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do for ENTRY in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT iptables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
done done
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do for ENTRY in "${UNFILTERED_RANGES_V6[@]}"; do
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -s "$ENTRY" -j ACCEPT
done done
# Allow packets of established connections and those related to them. # Allow packets of established connections and those related to them.
@ -86,12 +102,6 @@ start_firewall() {
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
# Service: DNS.
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Service: HTTP{,S}. # Service: HTTP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
@ -112,10 +122,6 @@ start_firewall() {
iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
# Service: SMTP and submission.
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
# Service: IMAP{,S}. # Service: IMAP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
@ -124,16 +130,6 @@ start_firewall() {
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
# Service: Bittorrent.
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Set default policies. # Set default policies.
iptables -P INPUT DROP iptables -P INPUT DROP
ip6tables -P INPUT DROP ip6tables -P INPUT DROP
@ -184,10 +180,16 @@ case "$1" in
;; ;;
'restart') 'restart')
stop_firewall stop_firewall
sleep 0.5
start_firewall start_firewall
;; ;;
*) *)
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2 echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
ERR=1 exit 1
;; ;;
esac esac
# Restart fail2ban to re-create the ban chains.
[[ -x /etc/rc.d/rc.fail2ban ]] && /etc/rc.d/rc.fail2ban restart >/dev/null
exit 0

187
rc.d/rc.firewall-hosts
View file

@ -1,187 +0,0 @@
#!/bin/bash
# The name of the main external interface.
EX_IF="eth0"
# The IP ranges from where to accept unfiltered connections.
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
start_firewall() {
# Disable ICMP redirects.
# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
# the sending host that it should forward subsequent packets to that same destination through a different gateway.
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
# Flush old rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Drop invalid packets on all interfaces.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
done
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
done
# Allow packets of established connections and those related to them.
iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings.
iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# Allow certain types of ICMP informational packets.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow SSH.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
# Service: DNS.
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Service: HTTP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Service: FTP{,S}.
# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
modprobe nf_conntrack_ftp
echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Service: rsync.
iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
# Service: SMTP and submission.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
# Service: IMAP{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
# Service: POP3{,S}.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
# Service: Bittorrent.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
# Set default policies.
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
}
stop_firewall() {
# Set default policies to ACCEPT.
iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
ip6tables -P FORWARD ACCEPT
# Flush rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Reset ICMP redirects.
cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
}
case "$1" in
'start')
start_firewall
;;
'stop')
stop_firewall
;;
'restart')
stop_firewall
start_firewall
;;
*)
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
ERR=1
;;
esac

157
rc.d/rc.firewall-hypervisor-fry
View file

@ -1,157 +0,0 @@
#!/bin/bash
# The name of the main external interface.
EX_IF="eth1"
# The name of the VM network bridge interface.
BR_IF="br0"
# The IP ranges to accept unfiltered connections from.
UNFILTERED_RANGES_V4=('212.78.94.73' '216.119.155.58-216.119.155.62' '91.109.244.7-91.109.244.11' '185.176.90.169')
UNFILTERED_RANGES_V6=('2a02:2498:e004:2a::/64' '2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
start_firewall() {
# Disable ICMP redirects.
# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
# the sending host that it should forward subsequent packets to that same destination through a different gateway.
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
# Proxy ARP is required for the VMs to use the network.
echo 1 >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
# Flush old rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Drop invalid packets on all interfaces.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop unroutable IPs on the external interface.
iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
# Drop the IPs that we've usurped.
iptables -A FORWARD -o "$EX_IF" -s 216.119.155.56/31 -j DROP
iptables -A FORWARD -o "$EX_IF" -s 216.119.155.62/31 -j DROP
iptables -A FORWARD -i "$EX_IF" -d 216.119.155.56/31 -j DROP
iptables -A FORWARD -i "$EX_IF" -d 216.119.155.62/31 -j DROP
# Allow all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow all traffic from the bridged network.
iptables -A INPUT -i "$BR_IF" -j ACCEPT
ip6tables -A INPUT -i "$BR_IF" -j ACCEPT
# Allow unrestricted access from our IPs.
for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
done
for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
done
# Allow packets of established connections and those related to them.
iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow pings.
iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# Allow certain types of ICMP informational packets.
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow SSH.
iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD ACCEPT
ip6tables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
}
stop_firewall() {
# Set default policies to ACCEPT.
iptables -P INPUT ACCEPT
ip6tables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
ip6tables -P FORWARD ACCEPT
# Flush rules.
iptables -F
ip6tables -F
iptables -t nat -F
ip6tables -t nat -F
iptables -t mangle -F
ip6tables -t mangle -F
# Delete any custom chains.
iptables -X
ip6tables -X
iptables -t nat -X
ip6tables -t nat -X
iptables -t mangle -X
ip6tables -t mangle -X
# Disable proxy ARP.
cat /proc/sys/net/ipv4/conf/default/proxy_arp >"/proc/sys/net/ipv4/conf/$EX_IF/proxy_arp"
# Reset ICMP redirects.
cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
}
case "$1" in
'start')
start_firewall
;;
'stop')
stop_firewall
;;
'restart')
stop_firewall
start_firewall
;;
*)
echo "Usage: $BASH_SOURCE <start|stop|restart>" >&2
ERR=1
;;
esac