external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00
Code Issues Releases Wiki Activity

Comments/spacing readability

Browse source
This commit is contained in:
A Holt 2019-05-18 18:13:39 -04:00 committed by GitHub
parent a7aab7c605
commit e2c8b5cde6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

33
roles/network/templates/gateway/iiab-gen-iptables
View file

@ -1,4 +1,5 @@
#!/bin/bash -x #!/bin/bash -x
source {{ iiab_env_file }} source {{ iiab_env_file }}
{% if is_debuntu %} {% if is_debuntu %}
IPTABLES=/sbin/iptables IPTABLES=/sbin/iptables
@ -16,27 +17,27 @@ $IPTABLES -F
$IPTABLES -t nat -F $IPTABLES -t nat -F
$IPTABLES -X $IPTABLES -X
# first match wins # First match wins
# Always accept loopback traffic # Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT
# Always drop rpc # Always drop rpc
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP $IPTABLES -A INPUT -p tcp --dport 111 -j DROP
$IPTABLES -A INPUT -p udp --dport 111 -j DROP $IPTABLES -A INPUT -p udp --dport 111 -j DROP
# mysql # MySQL
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP $IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP $IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# postgres - not needed listens on lo only # PostgreSQL - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP $IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP $IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# couchdb # CouchDB
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP $IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP $IPTABLES -A INPUT -p udp --dport 5984 -j DROP
} }
if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
clear_fw clear_fw
# save the rule set # Save the rule set
{% if is_debuntu %} {% if is_debuntu %}
netfilter-persistent save netfilter-persistent save
{% else %} {% else %}
@ -47,7 +48,7 @@ fi
lan=$LANIF lan=$LANIF
wan=$WANIF wan=$WANIF
# Good thing we replace this file should be treated like squid below # Good thing we replace this file; should be treated like Squid (that used to be?) below
gw_block_https={{ gw_block_https }} gw_block_https={{ gw_block_https }}
ssh_port={{ ssh_port }} ssh_port={{ ssh_port }}
gui_wan={{ gui_wan }} gui_wan={{ gui_wan }}
@ -77,10 +78,8 @@ samba_tcp_mports={{ samba_tcp_mports }}
block_DNS={{ block_DNS }} block_DNS={{ block_DNS }}
echo "LAN is $lan and WAN is $wan" echo "LAN is $lan and WAN is $wan"
#
# delete all existing rules.
#
# Delete all existing rules
/sbin/modprobe ip_tables /sbin/modprobe ip_tables
/sbin/modprobe iptable_filter /sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack
@ -94,7 +93,7 @@ $IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
# Allow mDNS # Allow mDNS
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT $IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
#when run as gateway # When run as gateway
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
if [ "$gui_wan" == "True" ]; then if [ "$gui_wan" == "True" ]; then
@ -133,15 +132,15 @@ fi
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
#Block https traffic except if directed at server # Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
fi fi
# Allow outgoing connections from the LAN side. # Allow outgoing connections from the LAN side
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
# Don't forward from the outside to the inside. # Don't forward from the outside to the inside
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
$IPTABLES -A INPUT -i $wan -j DROP $IPTABLES -A INPUT -i $wan -j DROP
@ -154,9 +153,9 @@ if [ "$HTTPCACHE_ON" == "True" ]; then
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi fi
# Enable routing. # Enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
# save the whole rule set now # Save the whole rule set now
{% if is_debuntu %} {% if is_debuntu %}
netfilter-persistent save netfilter-persistent save
{% else %} {% else %}