2017-05-27 18:09:50 +00:00
|
|
|
#!/bin/bash -x
|
2019-05-18 22:13:39 +00:00
|
|
|
|
2017-05-27 23:10:45 +00:00
|
|
|
{% if is_debuntu %}
|
2017-05-27 18:09:50 +00:00
|
|
|
IPTABLES=/sbin/iptables
|
|
|
|
|
IPTABLES_DATA=/etc/iptables.up.rules
|
|
|
|
|
{% else %}
|
|
|
|
|
IPTABLES=/usr/sbin/iptables
|
|
|
|
|
IPTABLES_DATA=/etc/sysconfig/iptables
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
source {{ iiab_env_file }}
|
|
|
|
|
lan=$IIAB_LAN_DEVICE
|
|
|
|
|
wan=$IIAB_WAN_DEVICE
|
|
|
|
|
network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
|
|
|
|
|
echo -e "\nLAN: $lan"
|
|
|
|
|
echo -e "WAN: $wan"
|
|
|
|
|
echo -e "Network Mode: $network_mode\n"
|
|
|
|
|
|
|
|
|
|
# "Good thing we replace this file; should be treated like Squid below" ?
|
|
|
|
|
ports_externally_visible={{ ports_externally_visible }}
|
|
|
|
|
#services_externally_visible={{ services_externally_visible }}
|
2017-05-27 18:09:50 +00:00
|
|
|
gw_block_https={{ gw_block_https }}
|
|
|
|
|
ssh_port={{ ssh_port }}
|
2019-05-19 09:42:58 +00:00
|
|
|
#gui_wan={{ gui_wan }}
|
2017-05-27 18:09:50 +00:00
|
|
|
gui_port={{ gui_port }}
|
2017-06-09 23:25:56 +00:00
|
|
|
iiab_gateway_enabled={{ iiab_gateway_enabled }}
|
2019-05-19 09:42:58 +00:00
|
|
|
block_DNS={{ block_DNS }}
|
|
|
|
|
|
2017-05-27 18:09:50 +00:00
|
|
|
calibre_port={{ calibre_port }}
|
2019-01-31 19:35:11 +00:00
|
|
|
calibreweb_port={{ calibreweb_port }}
|
2017-05-27 18:09:50 +00:00
|
|
|
kiwix_port={{ kiwix_port }}
|
|
|
|
|
kalite_server_port={{ kalite_server_port }}
|
2018-07-17 05:10:37 +00:00
|
|
|
kolibri_http_port={{ kolibri_http_port }}
|
2019-01-10 22:26:47 +00:00
|
|
|
cups_port={{ cups_port }}
|
2018-08-18 04:13:16 +00:00
|
|
|
transmission_http_port={{ transmission_http_port }}
|
2018-08-18 04:20:00 +00:00
|
|
|
transmission_peer_port={{ transmission_peer_port }}
|
2018-05-18 22:35:09 +00:00
|
|
|
sugarizer_port={{ sugarizer_port }}
|
2019-01-15 13:43:39 +00:00
|
|
|
nodered_port={{ nodered_port }}
|
|
|
|
|
mosquitto_port={{ mosquitto_port }}
|
2019-02-06 17:00:01 +00:00
|
|
|
minetest_port={{ minetest_port }}
|
2019-05-19 09:42:58 +00:00
|
|
|
pbx_enabled={{ pbx_enabled }}
|
2019-02-10 15:19:35 +00:00
|
|
|
pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
|
|
|
|
|
pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
|
|
|
|
|
pbx_data_ports={{ pbx_data_ports }}
|
2019-05-15 14:01:38 +00:00
|
|
|
samba_udp_ports={{ samba_udp_ports }}
|
|
|
|
|
samba_tcp_mports={{ samba_tcp_mports }}
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
################################################################################
|
|
|
|
|
# #
|
|
|
|
|
# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN: #
|
|
|
|
|
# #
|
|
|
|
|
# /etc/iiab/local_vars.yml #
|
|
|
|
|
# #
|
|
|
|
|
# It must be an integer {0...5} as follows: #
|
|
|
|
|
# #
|
|
|
|
|
# 0 = none #
|
|
|
|
|
# 1 = ssh only #
|
|
|
|
|
# 2 = ssh + Admin Console #
|
|
|
|
|
# 3 = ssh + Admin Console + common IIAB services <-- THIS IS THE DEFAULT #
|
|
|
|
|
# 4 = ssh + Admin Console + common IIAB services + Samba #
|
|
|
|
|
# 5 = all but databases #
|
|
|
|
|
# #
|
|
|
|
|
# Then enable it in iptables by running 'cd /opt/iiab/iiab; ./iiab-network' #
|
|
|
|
|
# #
|
|
|
|
|
################################################################################
|
|
|
|
|
|
|
|
|
|
echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
|
|
|
|
|
if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
|
|
|
|
|
echo "EXITING: an integer is required"
|
|
|
|
|
exit 1
|
|
|
|
|
elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
|
|
|
|
|
echo "EXITING: it must be in the range {0...5}"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
2017-05-27 18:09:50 +00:00
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
|
|
|
|
|
# Load iptables kernel modules
|
|
|
|
|
/sbin/modprobe ip_tables
|
|
|
|
|
/sbin/modprobe iptable_filter
|
|
|
|
|
/sbin/modprobe ip_conntrack
|
|
|
|
|
/sbin/modprobe iptable_nat
|
|
|
|
|
fi
|
2017-05-27 18:09:50 +00:00
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# Delete all existing firewall rules
|
|
|
|
|
$IPTABLES -F
|
|
|
|
|
$IPTABLES -t nat -F
|
|
|
|
|
$IPTABLES -X
|
|
|
|
|
|
|
|
|
|
# First Match Wins - establish iptable rules, starting at the top:
|
|
|
|
|
# (you can verify the resulting rule set by running 'iptables -L -v')
|
|
|
|
|
|
|
|
|
|
# Always accept loopback traffic
|
|
|
|
|
$IPTABLES -A INPUT -i lo -j ACCEPT
|
|
|
|
|
|
|
|
|
|
# Disable access to databases, on LAN-side and WAN-side
|
|
|
|
|
# SunRPC
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
|
|
|
|
|
# MySQL
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
|
|
|
|
|
# PostgreSQL - not needed listens on lo only
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
|
|
|
|
|
# CouchDB
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
|
|
|
|
|
|
|
|
|
|
save_rules_and_exit() {
|
|
|
|
|
{% if is_debuntu %}
|
|
|
|
|
netfilter-persistent save
|
|
|
|
|
{% else %}
|
|
|
|
|
iptables-save > $IPTABLES_DATA
|
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
|
|
exit 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if [ "$wan" == "none" ] || [ "$network_mode" == "Appliance" ]; then
|
|
|
|
|
save_rules_and_exit
|
|
|
|
|
fi
|
2017-05-27 18:09:50 +00:00
|
|
|
|
|
|
|
|
# Allow established connections, and those not coming from the outside
|
|
|
|
|
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
2019-05-19 09:42:58 +00:00
|
|
|
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
|
2017-05-27 18:09:50 +00:00
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# Allow mDNS from WAN-side too (WHY OUT OF CURIOSITY?)
|
2017-05-27 18:09:50 +00:00
|
|
|
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# 1 = ssh only
|
|
|
|
|
if [ "$ports_externally_visible" -ge 1 ]; then
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
fi
|
2017-05-27 18:09:50 +00:00
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# 2 = ssh + Admin Console
|
|
|
|
|
if [ "$ports_externally_visible" -ge 2 ]; then
|
2017-05-27 18:09:50 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
fi
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# 3 = ssh + Admin Console + common IIAB services
|
|
|
|
|
if [ "$ports_externally_visible" -ge 3 ]; then
|
2017-05-27 18:09:50 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
|
2018-07-17 05:10:37 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
|
2017-05-27 18:09:50 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
|
2019-01-31 19:35:11 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
|
2019-01-10 22:26:47 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
|
2018-05-18 22:35:09 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
|
2019-01-15 13:43:39 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
|
2018-08-16 18:54:55 +00:00
|
|
|
$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
|
2019-02-06 17:00:01 +00:00
|
|
|
$IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
|
2019-02-10 15:19:35 +00:00
|
|
|
|
|
|
|
|
if [ "$pbx_enabled" == "True" ]; then
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
fi
|
2019-05-19 09:42:58 +00:00
|
|
|
fi
|
2019-05-15 14:01:38 +00:00
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# 4 = ssh + Admin Console + common IIAB services + Samba
|
|
|
|
|
if [ "$ports_externally_visible" -ge 4 ]; then
|
|
|
|
|
$IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
|
$IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
|
2017-05-27 18:09:50 +00:00
|
|
|
fi
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# Typically False, to keep students off the Internet
|
2017-06-09 23:25:56 +00:00
|
|
|
if [ "$iiab_gateway_enabled" == "True" ]; then
|
2017-05-27 18:09:50 +00:00
|
|
|
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
|
|
|
|
|
fi
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# 3 or 4 IP forwarding rules
|
2017-05-27 18:09:50 +00:00
|
|
|
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
|
2019-05-18 22:13:39 +00:00
|
|
|
# Block https traffic except if directed at server
|
|
|
|
|
if [ "$gw_block_https" == "True" ]; then
|
2018-07-05 17:24:20 +00:00
|
|
|
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
|
2017-10-20 04:36:10 +00:00
|
|
|
fi
|
2019-05-18 22:13:39 +00:00
|
|
|
# Allow outgoing connections from the LAN side
|
2018-12-05 21:03:12 +00:00
|
|
|
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
|
2019-05-18 22:13:39 +00:00
|
|
|
# Don't forward from the outside to the inside
|
2017-05-27 18:09:50 +00:00
|
|
|
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
|
2019-05-19 09:42:58 +00:00
|
|
|
# Enable routing (kernel IP forwarding)
|
|
|
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
|
|
|
|
|
|
|
# 5 = "all but databases"
|
|
|
|
|
if [ "$ports_externally_visible" -lt 5 ]; then
|
|
|
|
|
# Drop everything else arriving via WAN
|
|
|
|
|
$IPTABLES -A INPUT -i $wan -j DROP
|
|
|
|
|
fi
|
2017-05-27 18:09:50 +00:00
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# TCP & UDP block of DNS port 53 if truly nec
|
2018-10-03 18:47:21 +00:00
|
|
|
if [ "$block_DNS" == "True" ]; then
|
2017-10-20 04:36:10 +00:00
|
|
|
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
|
|
|
|
|
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
|
2017-05-27 18:09:50 +00:00
|
|
|
fi
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# If Squid enabled, indicated by /etc/iiab/iiab.env
|
add in template dir
rebase bassed upon copy in
cut out obvious dead code
working on put-204
make users a sqlite db
sqlite db has users, and agent info
android timeouts not yet working
android 5 and 6 both work. lost mac
return to a working version for the MAC. Missing the splash
android,mac,windows all appear to work
sqlite get status of execute row == Null
initialize lasttimestamp with ajax call when home is triggered
remove commented code, move towards logging vs print statements
add logging with the -l flag
no changes to default_vars.yml
drop iptables captive portal stuff not using port 8090, and dnsmasq
missed deleting trap_enabled
fixes for 6.7 defaults
add in template dir
rebase bassed upon copy in
cut out obvious dead code
working on put-204
make users a sqlite db
sqlite db has users, and agent info
android timeouts not yet working
android 5 and 6 both work. lost mac
return to a working version for the MAC. Missing the splash
android,mac,windows all appear to work
sqlite get status of execute row == Null
initialize lasttimestamp with ajax call when home is triggered
remove commented code, move towards logging vs print statements
drop iptables captive portal stuff not using port 8090, and dnsmasq
missed deleting trap_enabled
fixes for 6.7 defaults
dispense with apache logs for captive portal, use the rotating portal.log instead
bring in clean defaults and py
Squash debugging details
remove backup file
still cannot dispense with cna on iphone. mac escape from cna broke with these changes
captive comes after iiab in apache config
one filename wrong
logging used for debug, lost mac escape from cna
typos
got mac/iphone full browser back
remove dead code
python was not creating db, or putting ip when first encountered
2018-08-24 00:26:20 +00:00
|
|
|
if [ "$HTTPCACHE_ON" == "True" ]; then
|
2019-05-19 09:42:58 +00:00
|
|
|
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
|
2017-05-27 18:09:50 +00:00
|
|
|
fi
|
|
|
|
|
|
2019-05-19 09:42:58 +00:00
|
|
|
# Save the whole rule set
|
|
|
|
|
save_rules_and_exit
|
