
add WAN-side rules even if Appliance (if WAN exists!)

This commit is contained in:
A Holt 2019-05-21 02:06:47 -04:00 committed by GitHub
parent c74053ef52
commit 52fdf8983b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -77,13 +77,13 @@ elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt
exit 1 exit 1
fi fi
if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then #if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
# Load iptables kernel modules # Load iptables kernel modules
/sbin/modprobe ip_tables /sbin/modprobe ip_tables
/sbin/modprobe iptable_filter /sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat /sbin/modprobe iptable_nat
fi #fi
# Delete all existing firewall rules # Delete all existing firewall rules
$IPTABLES -F $IPTABLES -F
@ -110,27 +110,16 @@ $IPTABLES -A INPUT -p udp --dport 5432 -j DROP
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP $IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP $IPTABLES -A INPUT -p udp --dport 5984 -j DROP
save_rules_and_exit() {
{% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > $IPTABLES_DATA
{% endif %}
exit 0
}
if [ "$wan" == "none" ] || [ "$network_mode" == "Appliance" ]; then
save_rules_and_exit
fi
# Allow established connections, and those not coming from the outside # Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
# Allow mDNS from WAN-side too (WHY OUT OF CURIOSITY?) # Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT $IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
if [ "$wan" != "none" ]; then
# 1 = ssh only # 1 = ssh only
if [ "$ports_externally_visible" -ge 1 ]; then if [ "$ports_externally_visible" -ge 1 ]; then
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
@ -172,7 +161,7 @@ if [ "$ports_externally_visible" -ge 4 ]; then
$IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
fi fi
# Typically False, to keep students off the Internet # Typically False, to keep client machines (e.g. students) off the Internet
if [ "$iiab_gateway_enabled" == "True" ]; then if [ "$iiab_gateway_enabled" == "True" ]; then
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
fi fi
@ -196,16 +185,24 @@ if [ "$ports_externally_visible" -lt 5 ]; then
$IPTABLES -A INPUT -i $wan -j DROP $IPTABLES -A INPUT -i $wan -j DROP
fi fi
fi
# TCP & UDP block of DNS port 53 if truly nec # TCP & UDP block of DNS port 53 if truly nec
if [ "$block_DNS" == "True" ]; then if [ "$block_DNS" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
fi fi
# If Squid enabled, indicated by /etc/iiab/iiab.env # If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
if [ "$HTTPCACHE_ON" == "True" ]; then if [ "$HTTPCACHE_ON" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi fi
# Save the whole rule set # Save the whole rule set
save_rules_and_exit {% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > $IPTABLES_DATA
{% endif %}
exit 0
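Review bot: The early exit in the second hunk, `if [ "$wan" == "none" ] || [ "$network_mode" == "Appliance" ]; then save_rules_and_exit`, fires in Appliance mode whether or not a WAN interface exists, so the relaxed guard `if [ "$wan" != "none" ]; then` added a few lines further down is never reached in Appliance mode and the WAN-side rules the commit title promises are still not installed there. If the intent is that an Appliance with a WAN gets the WAN-side rules, the early-exit condition should drop the mode test, `if [ "$wan" == "none" ]; then`, or the Appliance case should be handled after the WAN block rather than before it. The early exit also means that, on Appliance and WAN-less hosts, the `ESTABLISHED,RELATED` and `-i $lan` ACCEPT rules and the block_DNS / HTTPCACHE PREROUTING rules that the old flow applied unconditionally are no longer added; whether that is safe depends on the chain default policies set earlier in the script, which are outside this section, so if the skip is deliberate it deserves a comment above the early exit such as `# No WAN / Appliance: keep only the DROP rules above; default chain policies cover the rest`. The hunks cut through the script, so the enclosing conditionals begin and end outside what is shown here.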