iiab-gen-iptables uses ports_externally_visible {0...5}

roles/network/templates/gateway/iiab-gen-iptables

@@ -1,6 +1,5 @@
 #!/bin/bash -x
 
-source {{ iiab_env_file }}
 {% if is_debuntu %}
 IPTABLES=/sbin/iptables
 IPTABLES_DATA=/etc/iptables.up.rules
@@ -8,53 +7,25 @@ IPTABLES_DATA=/etc/iptables.up.rules
 IPTABLES=/usr/sbin/iptables
 IPTABLES_DATA=/etc/sysconfig/iptables
 {% endif %}
-LANIF=$IIAB_LAN_DEVICE
-WANIF=$IIAB_WAN_DEVICE
-MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
 
-clear_fw() {
+source {{ iiab_env_file }}
-$IPTABLES -F
+lan=$IIAB_LAN_DEVICE
-$IPTABLES -t nat -F
+wan=$IIAB_WAN_DEVICE
-$IPTABLES -X
+network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
+echo -e "\nLAN: $lan"
+echo -e "WAN: $wan"
+echo -e "Network Mode: $network_mode\n"
 
-# First match wins
+# "Good thing we replace this file; should be treated like Squid below" ?
-# Always accept loopback traffic
+ports_externally_visible={{ ports_externally_visible }}
-$IPTABLES -A INPUT -i lo -j ACCEPT
+#services_externally_visible={{ services_externally_visible }}
-
-# Always drop rpc
-$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
-$IPTABLES -A INPUT -p udp --dport 111 -j DROP
-# MySQL
-$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
-$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
-# PostgreSQL - not needed listens on lo only
-$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
-$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
-# CouchDB
-$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
-$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
-}
-
-if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
-    clear_fw
-    # Save the rule set
-	{% if is_debuntu %}
-	netfilter-persistent save
-	{% else %}
-	iptables-save > $IPTABLES_DATA
-	{% endif %}
-    exit 0
-fi
-lan=$LANIF
-wan=$WANIF
-
-# Good thing we replace this file; should be treated like Squid (that used to be?) below
 gw_block_https={{ gw_block_https }}
 ssh_port={{ ssh_port }}
-gui_wan={{ gui_wan }}
+#gui_wan={{ gui_wan }}
 gui_port={{ gui_port }}
 iiab_gateway_enabled={{ iiab_gateway_enabled }}
-services_externally_visible={{ services_externally_visible }}
+block_DNS={{ block_DNS }}
+
 calibre_port={{ calibre_port }}
 calibreweb_port={{ calibreweb_port }}
 kiwix_port={{ kiwix_port }}
@@ -67,40 +38,107 @@ sugarizer_port={{ sugarizer_port }}
 nodered_port={{ nodered_port }}
 mosquitto_port={{ mosquitto_port }}
 minetest_port={{ minetest_port }}
+pbx_enabled={{ pbx_enabled }}
 pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
 pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
 pbx_data_ports={{ pbx_data_ports }}
-pbx_enabled={{ pbx_enabled }}
-samba_enabled={{ samba_enabled }}
 samba_udp_ports={{ samba_udp_ports }}
 samba_tcp_mports={{ samba_tcp_mports }}
 
-block_DNS={{ block_DNS }}
+################################################################################
+#                                                                              #
+# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN:                   #
+#                                                                              #
+#   /etc/iiab/local_vars.yml                                                   #
+#                                                                              #
+# It must be an integer {0...5} as follows:                                    #
+#                                                                              #
+#   0 = none                                                                   #
+#   1 = ssh only                                                               #
+#   2 = ssh + Admin Console                                                    #
+#   3 = ssh + Admin Console + common IIAB services  <--  THIS IS THE DEFAULT   #
+#   4 = ssh + Admin Console + common IIAB services + Samba                     #
+#   5 = all but databases                                                      #
+#                                                                              #
+# Then enable it in iptables by running 'cd /opt/iiab/iiab; ./iiab-network'    #
+#                                                                              #
+################################################################################
 
-echo "LAN is $lan and WAN is $wan"
+echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
+if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
+    echo "EXITING: an integer is required"
+    exit 1
+elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
+    echo "EXITING: it must be in the range {0...5}"
+    exit 1
+fi
 
-# Delete all existing rules
+if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
-/sbin/modprobe ip_tables
+    # Load iptables kernel modules
-/sbin/modprobe iptable_filter
+    /sbin/modprobe ip_tables
-/sbin/modprobe ip_conntrack
+    /sbin/modprobe iptable_filter
-/sbin/modprobe iptable_nat
+    /sbin/modprobe ip_conntrack
-clear_fw
+    /sbin/modprobe iptable_nat
+fi
+
+# Delete all existing firewall rules
+$IPTABLES -F
+$IPTABLES -t nat -F
+$IPTABLES -X
+
+# First Match Wins - establish iptable rules, starting at the top:
+# (you can verify the resulting rule set by running 'iptables -L -v')
+
+# Always accept loopback traffic
+$IPTABLES -A INPUT -i lo -j ACCEPT
+
+# Disable access to databases, on LAN-side and WAN-side
+# SunRPC
+$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
+$IPTABLES -A INPUT -p udp --dport 111 -j DROP
+# MySQL
+$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
+$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
+# PostgreSQL - not needed listens on lo only
+$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
+$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
+# CouchDB
+$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
+$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
+
+save_rules_and_exit() {
+{% if is_debuntu %}
+    netfilter-persistent save
+{% else %}
+    iptables-save > $IPTABLES_DATA
+{% endif %}
+
+    exit 0
+}
+
+if [ "$wan" == "none" ] || [ "$network_mode" == "Appliance" ]; then
+    save_rules_and_exit
+fi
 
 # Allow established connections, and those not coming from the outside
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
 
-# Allow mDNS
+# Allow mDNS from WAN-side too (WHY OUT OF CURIOSITY?)
 $IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
 
-# When run as gateway
+# 1 = ssh only
-$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+if [ "$ports_externally_visible" -ge 1 ]; then
+    $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+fi
 
-if [ "$gui_wan" == "True" ]; then
+# 2 = ssh + Admin Console
+if [ "$ports_externally_visible" -ge 2 ]; then
     $IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
 fi
 
-if [ "$services_externally_visible" == "True" ]; then
+# 3 = ssh + Admin Console + common IIAB services
+if [ "$ports_externally_visible" -ge 3 ]; then
     $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
     $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
     $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
@@ -119,46 +157,48 @@ if [ "$services_externally_visible" == "True" ]; then
         $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
         $IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
     fi
-
-    if [ "$samba_enabled" == "True" ]; then
-        $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
-        $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
-    fi
 fi
 
+# 4 = ssh + Admin Console + common IIAB services + Samba
+if [ "$ports_externally_visible" -ge 4 ]; then
+    $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
+    $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
+fi
+
+# Typically False, to keep students off the Internet
 if [ "$iiab_gateway_enabled" == "True" ]; then
     $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
 fi
 
+# 3 or 4 IP forwarding rules
 $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-
 # Block https traffic except if directed at server
 if [ "$gw_block_https" == "True" ]; then
     $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
 fi
-
 # Allow outgoing connections from the LAN side
 $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
-
 # Don't forward from the outside to the inside
 $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
-$IPTABLES -A INPUT -i $wan -j DROP
+# Enable routing (kernel IP forwarding)
+echo 1 > /proc/sys/net/ipv4/ip_forward
 
+# 5 = "all but databases"
+if [ "$ports_externally_visible" -lt 5 ]; then
+    # Drop everything else arriving via WAN
+    $IPTABLES -A INPUT -i $wan -j DROP
+fi
+
+# TCP & UDP block of DNS port 53 if truly nec
 if [ "$block_DNS" == "True" ]; then
     $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
     $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 fi
 
+# If Squid enabled, indicated by /etc/iiab/iiab.env
 if [ "$HTTPCACHE_ON" == "True" ]; then
     $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
 fi
 
-# Enable routing
+# Save the whole rule set
-echo 1 > /proc/sys/net/ipv4/ip_forward
+save_rules_and_exit
-# Save the whole rule set now
-{% if is_debuntu %}
-netfilter-persistent save
-{% else %}
-iptables-save > $IPTABLES_DATA
-{% endif %}
-exit 0