From ec9834f7d775ce5a00e0d0b1178188ac29e3a242 Mon Sep 17 00:00:00 2001
From: A Holt
Date: Sun, 19 May 2019 05:42:58 -0400
Subject: [PATCH] iiab-gen-iptables uses ports_externally_visible {0...5}

---
 .../templates/gateway/iiab-gen-iptables | 194 +++++++++++-------
 1 file changed, 117 insertions(+), 77 deletions(-)

diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables
index 4c63bfbe3..adc780315 100755
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@@ -1,6 +1,5 @@
 #!/bin/bash -x
-source {{ iiab_env_file }}
 {% if is_debuntu %}
 IPTABLES=/sbin/iptables
 IPTABLES_DATA=/etc/iptables.up.rules
@@ -8,53 +7,25 @@ IPTABLES_DATA=/etc/iptables.up.rules
 IPTABLES=/usr/sbin/iptables
 IPTABLES_DATA=/etc/sysconfig/iptables
 {% endif %}
-LANIF=$IIAB_LAN_DEVICE
-WANIF=$IIAB_WAN_DEVICE
-MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
-clear_fw() {
-$IPTABLES -F
-$IPTABLES -t nat -F
-$IPTABLES -X
+source {{ iiab_env_file }}
+lan=$IIAB_LAN_DEVICE
+wan=$IIAB_WAN_DEVICE
+network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
+echo -e "\nLAN: $lan"
+echo -e "WAN: $wan"
+echo -e "Network Mode: $network_mode\n"
-# First match wins
-# Always accept loopback traffic
-$IPTABLES -A INPUT -i lo -j ACCEPT
-
-# Always drop rpc
-$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
-$IPTABLES -A INPUT -p udp --dport 111 -j DROP
-# MySQL
-$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
-$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
-# PostgreSQL - not needed listens on lo only
-$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
-$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
-# CouchDB
-$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
-$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
-}
-
-if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
- clear_fw
- # Save the rule set
- {% if is_debuntu %}
- netfilter-persistent save
- {% else %}
- iptables-save > $IPTABLES_DATA
- {% endif %}
- exit 0
-fi
-lan=$LANIF
-wan=$WANIF
-
-# Good thing we replace this file; should be treated like Squid (that used to be?) below
+# "Good thing we replace this file; should be treated like Squid below" ?
+ports_externally_visible={{ ports_externally_visible }}
+#services_externally_visible={{ services_externally_visible }}
 gw_block_https={{ gw_block_https }}
 ssh_port={{ ssh_port }}
-gui_wan={{ gui_wan }}
+#gui_wan={{ gui_wan }}
 gui_port={{ gui_port }}
 iiab_gateway_enabled={{ iiab_gateway_enabled }}
-services_externally_visible={{ services_externally_visible }}
+block_DNS={{ block_DNS }}
+
 calibre_port={{ calibre_port }}
 calibreweb_port={{ calibreweb_port }}
 kiwix_port={{ kiwix_port }}
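Review bot: The new `lan=`, `wan=` and `network_mode=` assignments are never checked for emptiness, and the script runs without `set -e`/`-u`, so a missing env file or a missing `iiab_network_mode_applied` key leaves `$wan` empty, which still satisfies `!= "none"` and sends the script down the gateway path where every unquoted `-i $wan` rule (including the catch-all DROP later in the file) would presumably be rejected by iptables while the partial rule set is still saved with exit 0. Fail closed right after the assignments instead: `: "${lan:?IIAB_LAN_DEVICE not set}" "${wan:?IIAB_WAN_DEVICE not set}"` and `[ -n "$network_mode" ] || { echo "EXITING: iiab_network_mode_applied not found" >&2; exit 1; }`. Separately, `ports_externally_visible={{ ports_externally_visible }}` is rendered unquoted into shell, so a malformed value in local_vars.yml is parsed by bash before the integer check further down ever runs; `ports_externally_visible='{{ ports_externally_visible }}'` lets the validation, not the parser, decide what happens.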
@@ -67,40 +38,107 @@ sugarizer_port={{ sugarizer_port }}
 nodered_port={{ nodered_port }}
 mosquitto_port={{ mosquitto_port }}
 minetest_port={{ minetest_port }}
+pbx_enabled={{ pbx_enabled }}
 pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
 pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
 pbx_data_ports={{ pbx_data_ports }}
-pbx_enabled={{ pbx_enabled }}
-samba_enabled={{ samba_enabled }}
 samba_udp_ports={{ samba_udp_ports }}
 samba_tcp_mports={{ samba_tcp_mports }}
-block_DNS={{ block_DNS }}
+################################################################################
+# #
+# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN: #
+# #
+# /etc/iiab/local_vars.yml #
+# #
+# It must be an integer {0...5} as follows: #
+# #
+# 0 = none #
+# 1 = ssh only #
+# 2 = ssh + Admin Console #
+# 3 = ssh + Admin Console + common IIAB services <-- THIS IS THE DEFAULT #
+# 4 = ssh + Admin Console + common IIAB services + Samba #
+# 5 = all but databases #
+# #
+# Then enable it in iptables by running 'cd /opt/iiab/iiab; ./iiab-network' #
+# #
+################################################################################
-echo "LAN is $lan and WAN is $wan"
+echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
+if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
+ echo "EXITING: an integer is required"
+ exit 1
+elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
+ echo "EXITING: it must be in the range {0...5}"
+ exit 1
+fi
-# Delete all existing rules
-/sbin/modprobe ip_tables
-/sbin/modprobe iptable_filter
-/sbin/modprobe ip_conntrack
-/sbin/modprobe iptable_nat
-clear_fw
+if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
+ # Load iptables kernel modules
+ /sbin/modprobe ip_tables
+ /sbin/modprobe iptable_filter
+ /sbin/modprobe ip_conntrack
+ /sbin/modprobe iptable_nat
+fi
+
+# Delete all existing firewall rules
+$IPTABLES -F
+$IPTABLES -t nat -F
+$IPTABLES -X
+
+# First Match Wins - establish iptable rules, starting at the top:
+# (you can verify the resulting rule set by running 'iptables -L -v')
+
+# Always accept loopback traffic
+$IPTABLES -A INPUT -i lo -j ACCEPT
+
+# Disable access to databases, on LAN-side and WAN-side
+# SunRPC
+$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
+$IPTABLES -A INPUT -p udp --dport 111 -j DROP
+# MySQL
+$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
+$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
+# PostgreSQL - not needed listens on lo only
+$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
+$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
+# CouchDB
+$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
+$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
+
+save_rules_and_exit() {
+{% if is_debuntu %}
+ netfilter-persistent save
+{% else %}
+ iptables-save > $IPTABLES_DATA
+{% endif %}
+
+ exit 0
+}
+
+if [ "$wan" == "none" ] || [ "$network_mode" == "Appliance" ]; then
+ save_rules_and_exit
+fi
 # Allow established connections, and those not coming from the outside
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
+$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
-# Allow mDNS
+# Allow mDNS from WAN-side too (WHY OUT OF CURIOSITY?)
 $IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
-# When run as gateway
-$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+# 1 = ssh only
+if [ "$ports_externally_visible" -ge 1 ]; then
+ $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+fi
-if [ "$gui_wan" == "True" ]; then
+# 2 = ssh + Admin Console
+if [ "$ports_externally_visible" -ge 2 ]; then
 $IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
 fi
-if [ "$services_externally_visible" == "True" ]; then
+# 3 = ssh + Admin Console + common IIAB services
+if [ "$ports_externally_visible" -ge 3 ]; then
 $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
 $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
 $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
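Review bot: The mDNS rule `$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT` is the one service rule left outside the new `ports_externally_visible` ladder, so it still accepts from the WAN interface even at level 0 ("none"); the reworded comment asks "WHY OUT OF CURIOSITY?" but the commit leaves the exposure in place. Restrict the unconditional rule to the LAN, `$IPTABLES -A INPUT -p udp --dport 5353 -i $lan -j ACCEPT`, and if WAN-side discovery is really wanted, add a `-i $wan` variant under the `-ge 3` branch so the level number means what the banner says. The two validation failures print to stdout; as diagnostics they belong on stderr (`echo "EXITING: an integer is required" >&2`), and the banner-style `echo -e "\nports_externally_visible: "$ports_externally_visible"\n"` has its quotes inverted (the variable is the unquoted part). The `-ge 3` block begun here continues into the next hunk.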
@@ -119,46 +157,48 @@ if [ "$services_externally_visible" == "True" ]; then
 $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
 $IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
 fi
-
- if [ "$samba_enabled" == "True" ]; then
- $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
- $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
- fi
 fi
+# 4 = ssh + Admin Console + common IIAB services + Samba
+if [ "$ports_externally_visible" -ge 4 ]; then
+ $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
+ $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
+fi
+
+# Typically False, to keep students off the Internet
 if [ "$iiab_gateway_enabled" == "True" ]; then
 $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
 fi
+# 3 or 4 IP forwarding rules
 $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-
 # Block https traffic except if directed at server
 if [ "$gw_block_https" == "True" ]; then
 $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
 fi
-
 # Allow outgoing connections from the LAN side
 $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
-
 # Don't forward from the outside to the inside
 $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
-$IPTABLES -A INPUT -i $wan -j DROP
+# Enable routing (kernel IP forwarding)
+echo 1 > /proc/sys/net/ipv4/ip_forward
+# 5 = "all but databases"
+if [ "$ports_externally_visible" -lt 5 ]; then
+ # Drop everything else arriving via WAN
+ $IPTABLES -A INPUT -i $wan -j DROP
+fi
+
+# TCP & UDP block of DNS port 53 if truly nec
 if [ "$block_DNS" == "True" ]; then
 $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 fi
+# If Squid enabled, indicated by /etc/iiab/iiab.env
 if [ "$HTTPCACHE_ON" == "True" ]; then
- $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
+ $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
 fi
-# Enable routing
-echo 1 > /proc/sys/net/ipv4/ip_forward
-# Save the whole rule set now
-{% if is_debuntu %}
-netfilter-persistent save
-{% else %}
-iptables-save > $IPTABLES_DATA
-{% endif %}
-exit 0
+# Save the whole rule set
+save_rules_and_exit
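Review bot: At level 5 the `-lt 5` guard skips the catch-all `$IPTABLES -A INPUT -i $wan -j DROP`, so "all but databases" rests entirely on the INPUT chain's default policy, which this script never sets and which `$IPTABLES -F` does not reset. If that policy is DROP (a distro or earlier admin setting), level 5 is silently no more open than level 4; if it is ACCEPT, every non-database listener on the host becomes reachable from the WAN, not only the IIAB services the ladder enumerates, and the four hard-coded DROPs (111, 3306, 5432, 5984) are the only protection. Make the assumption visible at the guard, e.g. `# 5 = "all but databases": no catch-all DROP is appended, so the INPUT chain's default policy (not managed here) decides what else is reachable from the WAN`, and decide explicitly whether the script should set that policy after the flush rather than inherit it. The `# 3 or 4 IP forwarding rules` comment does not say what "3 or 4" refers to; a line like `# FORWARD rules for LAN<->WAN routing (used when iiab_gateway_enabled is True)` would be clearer.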