iiab/roles/network/templates/gateway/iiab-gen-iptables

#!/bin/bash -x

################################################################################
#                                                                              #
# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN:                   #
#                                                                              #
#   /etc/iiab/local_vars.yml                                                   #
#                                                                              #
# This firewall variable must be an integer {0...5} as follows:                #
#                                                                              #
#   0 = none                                                                   #
#   1 = ssh only                                                               #
#   2 = ssh + http-or-https (for Admin Console's box.lan/admin too)            #
#   3 = ssh + http-or-https + common IIAB services  <--  THIS IS THE DEFAULT   #
#   4 = ssh + http-or-https + common IIAB services + Samba                     #
#   5 = all but databases                                                      #
#                                                                              #
# Then enable it with iptables by running: cd /opt/iiab/iiab; ./iiab-network   #
#                                                                              #
################################################################################

# To further customize your iptables firewall, it's generally best to edit:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network

# IIAB Networking Doc:
# https://github.com/iiab/iiab/wiki/IIAB-Networking#firewall-iptables

{% if is_debuntu %}
IPTABLES=/sbin/iptables
IPTABLES_DATA=/etc/iptables.up.rules
{% else %}
IPTABLES=/usr/sbin/iptables
IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %}

source {{ iiab_env_file }}
lan=$IIAB_LAN_DEVICE
wan=$IIAB_WAN_DEVICE
iiab_gateway_enabled=$IIAB_GATEWAY_ENABLED
echo -e "\nLAN: $lan"
echo -e "WAN: $wan\n"
#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
#echo -e "Network Mode: $network_mode\n"

# "Good thing we replace this file; should be treated like Squid below" ?
ports_externally_visible={{ ports_externally_visible }}
gw_block_https={{ gw_block_https }}
sshd_port={{ sshd_port }}
#gui_wan= [no longer needed]
gui_port={{ gui_port }}
block_DNS={{ block_DNS }}

azuracast_ports="{{ azuracast_port_range_prefix }}000:{{ azuracast_port_range_prefix }}100"
azuracast_https_port={{ azuracast_https_port }}
azuracast_http_port={{ azuracast_http_port }}
calibre_port={{ calibre_port }}
calibreweb_port={{ calibreweb_port }}
cups_port={{ cups_port }}
internetarchive_port={{ internetarchive_port }}
kalite_server_port={{ kalite_server_port }}
kiwix_port={{ kiwix_port }}
kolibri_http_port={{ kolibri_http_port }}
minetest_port={{ minetest_port }}
mosquitto_port={{ mosquitto_port }}
nodered_port={{ nodered_port }}
pbx_enabled={{ pbx_enabled }}
pbx_http_port={{ pbx_http_port }}
pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
pbx_data_ports={{ pbx_data_ports }}
sugarizer_port={{ sugarizer_port }}
transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }}
jupyterhub_port={{ jupyterhub_port }}

samba_udp_ports={{ samba_udp_ports }}
samba_tcp_mports={{ samba_tcp_mports }}

echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
    echo "EXITING: an integer is required"
    exit 1
elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
    echo "EXITING: it must be in the range {0...5}"
    exit 1
fi

# Delete all existing firewall rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# FIRST MATCH WINS - establish iptable rules, starting at the top:
# (verify the resulting rule set by running 'iptables -L -v')
# New to iptables?  Run/read 'man iptables' & 'man iptables-extensions'

# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

# Disable access to databases, on LAN-side and WAN-side
# SunRPC
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
# MySQL
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# PostgreSQL - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# CouchDB
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP

# Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT

# Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT

#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
if [ "$wan" != "none" ]; then

    # 1 = ssh only
    if [ "$ports_externally_visible" -ge 1 ]; then
        $IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT
    fi

    # 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
    if [ "$ports_externally_visible" -ge 2 ]; then
        # For now this is implemented using Admin Console variable "gui_port" from:
        # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95
        $IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
    fi

    # 3 = ssh + http-or-https + common IIAB services
    if [ "$ports_externally_visible" -ge 3 ]; then
        $IPTABLES -A INPUT -p tcp --dport $azuracast_ports -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $azuracast_http_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $azuracast_https_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT

        if [ "$pbx_enabled" == "True" ]; then
            $IPTABLES -A INPUT -p tcp --dport $pbx_http_port -m state --state NEW -i $wan -j ACCEPT
            $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
            $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
            $IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
        fi

        $IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $jupyterhub_port -m state --state NEW -i $wan -j ACCEPT
    fi

    # 4 = ssh + http-or-https + common IIAB services + Samba
    if [ "$ports_externally_visible" -ge 4 ]; then
        $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
    fi

    if [ "$lan" != "none" ]; then
        # Typically False, to keep client machines (e.g. students) off the Internet
        if [ "$iiab_gateway_enabled" == "True" ]; then
            $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
        fi

        # 3 or 4 IP forwarding rules
        $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Block https traffic except if directed at server
        if [ "$gw_block_https" == "True" ]; then
            $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
        fi
        # Allow outgoing connections from the LAN side
        $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
        # Don't forward from the outside to the inside
        $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
        # Enable routing (kernel IP forwarding)
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # 5 = "all but databases"
    if [ "$ports_externally_visible" -lt 5 ]; then
        # Drop everything else arriving via WAN
        $IPTABLES -A INPUT -i $wan -j DROP
    fi
fi

# TCP & UDP block of DNS port 53 if truly nec
if [ "$block_DNS" == "True" ]; then
    $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
    $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
fi

# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
if [ "$HTTPCACHE_ON" == "True" ]; then
    $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi

# Save the whole rule set
{% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > $IPTABLES_DATA
{% endif %}

exit 0
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`#!/bin/bash -x`
Comments/spacing readability 2019-05-18 22:13:39 +00:00
iptables doc tweak 2019-05-23 23:39:44 +00:00			`################################################################################`
			`# #`
			`# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN: #`
			`# #`
			`# /etc/iiab/local_vars.yml #`
			`# #`
			`# This firewall variable must be an integer {0...5} as follows: #`
			`# #`
			`# 0 = none #`
			`# 1 = ssh only #`
			`# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too) #`
			`# 3 = ssh + http-or-https + common IIAB services <-- THIS IS THE DEFAULT #`
			`# 4 = ssh + http-or-https + common IIAB services + Samba #`
			`# 5 = all but databases #`
			`# #`
			`# Then enable it with iptables by running: cd /opt/iiab/iiab; ./iiab-network #`
			`# #`
			`################################################################################`

			`# To further customize your iptables firewall, it's generally best to edit:`
How to edit iiab-gen-iptables 2019-05-19 10:30:16 +00:00			`# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables`
			`# And then run: cd /opt/iiab/iiab; ./iiab-network`

iptables doc tweak 2019-05-23 23:39:44 +00:00			`# IIAB Networking Doc:`
			`# https://github.com/iiab/iiab/wiki/IIAB-Networking#firewall-iptables`

patch 0002 2017-05-27 23:10:45 +00:00			`{% if is_debuntu %}`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`IPTABLES=/sbin/iptables`
			`IPTABLES_DATA=/etc/iptables.up.rules`
			`{% else %}`
			`IPTABLES=/usr/sbin/iptables`
			`IPTABLES_DATA=/etc/sysconfig/iptables`
			`{% endif %}`

iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`source {{ iiab_env_file }}`
			`lan=$IIAB_LAN_DEVICE`
			`wan=$IIAB_WAN_DEVICE`
use iiab.env as reference for state of iiab_gateway_enabled Opens up the posibility of gateway-on\|off scripts like hotspot-on\|off 2021-04-12 14:21:51 +00:00			`iiab_gateway_enabled=$IIAB_GATEWAY_ENABLED`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`echo -e "\nLAN: $lan"`
output tweak 2019-05-24 04:03:21 +00:00			`echo -e "WAN: $wan\n"`
Enable masquerade only when "$lan" != "none" 2019-05-23 15:25:55 +00:00			#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} \| gawk '{print $3}'`
			`#echo -e "Network Mode: $network_mode\n"`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00
			`# "Good thing we replace this file; should be treated like Squid below" ?`
			`ports_externally_visible={{ ports_externally_visible }}`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`gw_block_https={{ gw_block_https }}`
Release Cleanup of validate_vars, default_vars, local_vars, Stages 0-4, SSHD 2020-09-24 23:01:11 +00:00			`sshd_port={{ sshd_port }}`
{{ services_externally_visible }} fails, deprecate it 2019-05-25 10:33:21 +00:00			`#gui_wan= [no longer needed]`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`gui_port={{ gui_port }}`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`block_DNS={{ block_DNS }}`

Azuracast ports in iiab-gen-iptables 2019-06-19 06:28:47 +00:00			`azuracast_ports="{{ azuracast_port_range_prefix }}000:{{ azuracast_port_range_prefix }}100"`
			`azuracast_https_port={{ azuracast_https_port }}`
			`azuracast_http_port={{ azuracast_http_port }}`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`calibre_port={{ calibre_port }}`
open calibreweb_port (8083) requested by @m-anish 2019-01-31 19:35:11 +00:00			`calibreweb_port={{ calibreweb_port }}`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00			`cups_port={{ cups_port }}`
Rename distweb to internetarchive 2019-04-23 00:59:57 +00:00			`internetarchive_port={{ internetarchive_port }}`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`kalite_server_port={{ kalite_server_port }}`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00			`kiwix_port={{ kiwix_port }}`
Update iiab-gen-iptables 2018-07-17 05:10:37 +00:00			`kolibri_http_port={{ kolibri_http_port }}`
minetest add port and include in 9 addons 2019-02-06 17:00:01 +00:00			`minetest_port={{ minetest_port }}`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00			`mosquitto_port={{ mosquitto_port }}`
			`nodered_port={{ nodered_port }}`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`pbx_enabled={{ pbx_enabled }}`
Move freepbx from being hosted at pbx.lan to <ip>:8888 2019-06-20 04:30:55 +00:00			`pbx_http_port={{ pbx_http_port }}`
Open PBX ports on WAN when pbx_enabled is true 2019-02-10 15:19:35 +00:00			`pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}`
			`pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}`
			`pbx_data_ports={{ pbx_data_ports }}`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00			`sugarizer_port={{ sugarizer_port }}`
			`transmission_http_port={{ transmission_http_port }}`
			`transmission_peer_port={{ transmission_peer_port }}`
displayed the ted notebook on raspi-os 2021-03-09 22:57:39 +00:00			`jupyterhub_port={{ jupyterhub_port }}`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00
open samba ports 2019-05-15 14:01:38 +00:00			`samba_udp_ports={{ samba_udp_ports }}`
			`samba_tcp_mports={{ samba_tcp_mports }}`

iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`echo -e "\nports_externally_visible: "$ports_externally_visible"\n"`
			`if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then`
			`echo "EXITING: an integer is required"`
			`exit 1`
			`elif [ "$ports_externally_visible" -lt 0 ] \|\| [ "$ports_externally_visible" -gt 5 ]; then`
			`echo "EXITING: it must be in the range {0...5}"`
			`exit 1`
			`fi`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`# Delete all existing firewall rules`
			`$IPTABLES -F`
			`$IPTABLES -t nat -F`
			`$IPTABLES -X`

Comment points to iptables docs 2019-05-21 07:09:58 +00:00			`# FIRST MATCH WINS - establish iptable rules, starting at the top:`
			`# (verify the resulting rule set by running 'iptables -L -v')`
			`# New to iptables? Run/read 'man iptables' & 'man iptables-extensions'`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00
			`# Always accept loopback traffic`
			`$IPTABLES -A INPUT -i lo -j ACCEPT`

			`# Disable access to databases, on LAN-side and WAN-side`
			`# SunRPC`
			`$IPTABLES -A INPUT -p tcp --dport 111 -j DROP`
			`$IPTABLES -A INPUT -p udp --dport 111 -j DROP`
			`# MySQL`
			`$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP`
			`$IPTABLES -A INPUT -p udp --dport 3306 -j DROP`
			`# PostgreSQL - not needed listens on lo only`
			`$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP`
			`$IPTABLES -A INPUT -p udp --dport 5432 -j DROP`
			`# CouchDB`
			`$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP`
			`$IPTABLES -A INPUT -p udp --dport 5984 -j DROP`

initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`# Allow established connections, and those not coming from the outside`
			`$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`# Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT`

add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then`
			`if [ "$wan" != "none" ]; then`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`# 1 = ssh only`
			`if [ "$ports_externally_visible" -ge 1 ]; then`
Release Cleanup of validate_vars, default_vars, local_vars, Stages 0-4, SSHD 2020-09-24 23:01:11 +00:00			`$IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`fi`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`# 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)`
			`if [ "$ports_externally_visible" -ge 2 ]; then`
iptables $gui_port comment 2019-05-21 07:30:40 +00:00			`# For now this is implemented using Admin Console variable "gui_port" from:`
			`# https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`$IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT`
Open PBX ports on WAN when pbx_enabled is true 2019-02-10 15:19:35 +00:00			`fi`
open samba ports 2019-05-15 14:01:38 +00:00
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`# 3 = ssh + http-or-https + common IIAB services`
			`if [ "$ports_externally_visible" -ge 3 ]; then`
Azuracast ports in iiab-gen-iptables 2019-06-19 06:28:47 +00:00			`$IPTABLES -A INPUT -p tcp --dport $azuracast_ports -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $azuracast_http_port -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $azuracast_https_port -m state --state NEW -i $wan -j ACCEPT`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`$IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT`
Merge branch 'master' into mitra 2019-05-25 05:11:24 +00:00			`$IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00			`$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`$IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00			`$IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00
			`if [ "$pbx_enabled" == "True" ]; then`
Move freepbx from being hosted at pbx.lan to <ip>:8888 2019-06-20 04:30:55 +00:00			`$IPTABLES -A INPUT -p tcp --dport $pbx_http_port -m state --state NEW -i $wan -j ACCEPT`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT`
			`fi`
iiab-gen-iptables 15+ core port rules alphabetized 2019-05-21 07:57:04 +00:00
			`$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT`
Packaging for PR #2719 to promote JupyterHub Notebooks 2021-04-15 18:14:14 +00:00			`$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT`
displayed the ted notebook on raspi-os 2021-03-09 22:57:39 +00:00			`$IPTABLES -A INPUT -p tcp --dport $jupyterhub_port -m state --state NEW -i $wan -j ACCEPT`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`fi`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`# 4 = ssh + http-or-https + common IIAB services + Samba`
			`if [ "$ports_externally_visible" -ge 4 ]; then`
			`$IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT`
			`$IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT`
			`fi`

Apply @jvonau's "$lan" != "none" to fwd'ing (not just masq'ing) 2019-05-24 03:42:55 +00:00			`if [ "$lan" != "none" ]; then`
			`# Typically False, to keep client machines (e.g. students) off the Internet`
			`if [ "$iiab_gateway_enabled" == "True" ]; then`
			`$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE`
			`fi`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00
Apply @jvonau's "$lan" != "none" to fwd'ing (not just masq'ing) 2019-05-24 03:42:55 +00:00			`# 3 or 4 IP forwarding rules`
			`$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT`
			`# Block https traffic except if directed at server`
			`if [ "$gw_block_https" == "True" ]; then`
			`$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP`
			`fi`
			`# Allow outgoing connections from the LAN side`
			`$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT`
			`# Don't forward from the outside to the inside`
			`$IPTABLES -A FORWARD -i $wan -o $lan -j DROP`
			`# Enable routing (kernel IP forwarding)`
			`echo 1 > /proc/sys/net/ipv4/ip_forward`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`fi`

			`# 5 = "all but databases"`
			`if [ "$ports_externally_visible" -lt 5 ]; then`
			`# Drop everything else arriving via WAN`
			`$IPTABLES -A INPUT -i $wan -j DROP`
			`fi`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`fi`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`# TCP & UDP block of DNS port 53 if truly nec`
Update iiab-gen-iptables 2018-10-03 18:47:21 +00:00			`if [ "$block_DNS" == "True" ]; then`
Adds spaces in variables after {{ and before }} Fixes various warnings in Travis CI [EXTRA0001] Variables should have spaces after {{ and before }} 2017-10-20 04:36:10 +00:00			`$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53`
			`$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`fi`

add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env`
add in template dir rebase bassed upon copy in cut out obvious dead code working on put-204 make users a sqlite db sqlite db has users, and agent info android timeouts not yet working android 5 and 6 both work. lost mac return to a working version for the MAC. Missing the splash android,mac,windows all appear to work sqlite get status of execute row == Null initialize lasttimestamp with ajax call when home is triggered remove commented code, move towards logging vs print statements add logging with the -l flag no changes to default_vars.yml drop iptables captive portal stuff not using port 8090, and dnsmasq missed deleting trap_enabled fixes for 6.7 defaults add in template dir rebase bassed upon copy in cut out obvious dead code working on put-204 make users a sqlite db sqlite db has users, and agent info android timeouts not yet working android 5 and 6 both work. lost mac return to a working version for the MAC. Missing the splash android,mac,windows all appear to work sqlite get status of execute row == Null initialize lasttimestamp with ajax call when home is triggered remove commented code, move towards logging vs print statements drop iptables captive portal stuff not using port 8090, and dnsmasq missed deleting trap_enabled fixes for 6.7 defaults dispense with apache logs for captive portal, use the rotating portal.log instead bring in clean defaults and py Squash debugging details remove backup file still cannot dispense with cna on iphone. mac escape from cna broke with these changes captive comes after iiab in apache config one filename wrong logging used for debug, lost mac escape from cna typos got mac/iphone full browser back remove dead code python was not creating db, or putting ip when first encountered 2018-08-24 00:26:20 +00:00			`if [ "$HTTPCACHE_ON" == "True" ]; then`
iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00			`fi`

iiab-gen-iptables uses ports_externally_visible {0...5} 2019-05-19 09:42:58 +00:00			`# Save the whole rule set`
add WAN-side rules even if Appliance (if WAN exists!) 2019-05-21 06:06:47 +00:00			`{% if is_debuntu %}`
			`netfilter-persistent save`
			`{% else %}`
			`iptables-save > $IPTABLES_DATA`
			`{% endif %}`

			`exit 0`