mirror of
https://github.com/iiab/iiab.git
synced 2025-02-13 19:52:06 +00:00
7f9957aa55
* expand zim_versions_idx to include menuItem name, mediaCount, articleCount, size * create a stub menuItem if none exists * remember to change consumer of zim_version_idx in iiab-admin * comment out some debugging prints * do not change the name of a variable in iiab.ini * consistent variable names for *_enabled * start work on menus for enabled iiab roles * changes to display cups in home menu * remove reference to admin console which may not be installed * print error message * dict.get errors * handle undefined menuItem" * handle undefined menuItem again * some work on logos * break out the zim_versions_idx routines for use by update_menus in admin-console * remove old menuDef creation code * new variable names for zim_versions_idx * missing the tags data in zim_versions_idx * un-break-apart iiab-make-kiwix-lib.py * return an empty string * make size human_readable * getting console and iiab to work together on menus * add the new zim_date field to zim_versions_idx * get the latest into repo * found lost code iiab-make-kiwix-lib.py * Create Lokole admin user during setup * Add requested content to lokole readme Per iiab/iiab#1293 * Update default password * Add Lokole-IIAB user manual * Update default_vars.yml * Update local_vars_min.yml * Update local_vars_min.yml * Update local_vars_medium.yml * Update local_vars_min.yml * Update default_vars.yml * Update local_vars_big.yml * Update local_vars_medium.yml * Update default_vars.yml * Update default_vars.yml * Update local_vars_min.yml * Update local_vars_medium.yml * Update local_vars_big.yml * Update default_vars.yml * Update default_vars.yml * Update local_vars_big.yml * Update local_vars_medium.yml * Update local_vars_min.yml * Update default_vars.yml * Update local_vars_big.yml * Update local_vars_medium.yml * Update local_vars_min.yml * Change admin username to uppercase * Revert "Lokole: change admin to Admin per IIAB app norms" * Update main.yml * Update README.rst * Update capture-wsgi.py * Update main.yml * Update main.yml * Update default_vars.yml * Update local_vars_big.yml * Update local_vars_medium.yml * Update local_vars_min.yml * Update main.yml * Update main.yml * Update main.yml * Update main.yml * Update default_vars.yml * Update local_vars_big.yml * Update local_vars_medium.yml * Update local_vars_min.yml * Address TODOs in Lokole documentation See https://github.com/ascoderu/opwen-webapp/issues/81 * Update main.yml * Update local_vars_big.yml * Update local_vars_medium.yml * Update local_vars_big.yml * Update local_vars_min.yml * Update default_vars.yml * expand zim_versions_idx to include menuItem name, mediaCount, articleCount, size * create a stub menuItem if none exists * remember to change consumer of zim_version_idx in iiab-admin * comment out some debugging prints * do not change the name of a variable in iiab.ini * consistent variable names for *_enabled * start work on menus for enabled iiab roles * changes to display cups in home menu * remove reference to admin console which may not be installed * print error message * dict.get errors * handle undefined menuItem" * handle undefined menuItem again * some work on logos * break out the zim_versions_idx routines for use by update_menus in admin-console * remove old menuDef creation code * new variable names for zim_versions_idx * missing the tags data in zim_versions_idx * un-break-apart iiab-make-kiwix-lib.py * return an empty string * make size human_readable * getting console and iiab to work together on menus * add the new zim_date field to zim_versions_idx * get the latest into repo * found lost code iiab-make-kiwix-lib.py
138 lines
4.4 KiB
Bash
Executable file
138 lines
4.4 KiB
Bash
Executable file
#!/bin/bash -x
|
|
source {{ iiab_env_file }}
|
|
{% if is_debuntu %}
|
|
IPTABLES=/sbin/iptables
|
|
IPTABLES_DATA=/etc/iptables.up.rules
|
|
{% else %}
|
|
IPTABLES=/usr/sbin/iptables
|
|
IPTABLES_DATA=/etc/sysconfig/iptables
|
|
{% endif %}
|
|
LANIF=$IIAB_LAN_DEVICE
|
|
WANIF=$IIAB_WAN_DEVICE
|
|
MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
|
|
|
|
clear_fw() {
|
|
$IPTABLES -F
|
|
$IPTABLES -t nat -F
|
|
$IPTABLES -X
|
|
|
|
# first match wins
|
|
# Always accept loopback traffic
|
|
$IPTABLES -A INPUT -i lo -j ACCEPT
|
|
|
|
# Always drop rpc
|
|
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
|
|
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
|
|
# mysql
|
|
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
|
|
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
|
|
# postgres - not needed listens on lo only
|
|
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
|
|
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
|
|
# couchdb
|
|
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
|
|
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
|
|
}
|
|
|
|
if [ "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
|
|
clear_fw
|
|
# save the rule set
|
|
{% if is_debuntu %}
|
|
netfilter-persistent save
|
|
{% else %}
|
|
iptables-save > $IPTABLES_DATA
|
|
{% endif %}
|
|
exit 0
|
|
fi
|
|
lan=$LANIF
|
|
wan=$WANIF
|
|
|
|
# Good thing we replace this file should be treated like squid below
|
|
gw_block_https={{ gw_block_https }}
|
|
ssh_port={{ ssh_port }}
|
|
gui_wan={{ gui_wan }}
|
|
gui_port={{ gui_port }}
|
|
iiab_gateway_enabled={{ iiab_gateway_enabled }}
|
|
services_externally_visible={{ services_externally_visible }}
|
|
calibre_port={{ calibre_port }}
|
|
kiwix_port={{ kiwix_port }}
|
|
kalite_server_port={{ kalite_server_port }}
|
|
kolibri_http_port={{ kolibri_http_port }}
|
|
cups_port={{ cups_port }}
|
|
transmission_http_port={{ transmission_http_port }}
|
|
transmission_peer_port={{ transmission_peer_port }}
|
|
sugarizer_port={{ sugarizer_port }}
|
|
block_DNS={{ block_DNS }}
|
|
|
|
echo "LAN is $lan and WAN is $wan"
|
|
#
|
|
# delete all existing rules.
|
|
#
|
|
|
|
/sbin/modprobe ip_tables
|
|
/sbin/modprobe iptable_filter
|
|
/sbin/modprobe ip_conntrack
|
|
/sbin/modprobe iptable_nat
|
|
clear_fw
|
|
|
|
# Allow established connections, and those not coming from the outside
|
|
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
|
|
|
|
# Allow mDNS
|
|
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
|
|
|
|
#when run as gateway
|
|
$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
|
|
|
|
if [ "$gui_wan" == "True" ]; then
|
|
$IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
|
|
fi
|
|
|
|
if [ "$services_externally_visible" == "True" ]; then
|
|
$IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
|
|
$IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
|
|
$IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
|
|
$IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
|
|
$IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
|
|
$IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
|
|
$IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
|
|
$IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
|
|
fi
|
|
|
|
if [ "$iiab_gateway_enabled" == "True" ]; then
|
|
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
|
|
fi
|
|
|
|
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
#Block https traffic except if directed at server
|
|
if [ "$gw_block_https" == "True" ]; then
|
|
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
|
|
fi
|
|
|
|
# Allow outgoing connections from the LAN side.
|
|
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
|
|
|
|
# Don't forward from the outside to the inside.
|
|
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
|
|
$IPTABLES -A INPUT -i $wan -j DROP
|
|
|
|
if [ "$block_DNS" == "True" ]; then
|
|
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
|
|
$IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
|
|
fi
|
|
|
|
if [ "$HTTPCACHE_ON" == "True" ]; then
|
|
$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
|
|
fi
|
|
|
|
# Enable routing.
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
# save the whole rule set now
|
|
{% if is_debuntu %}
|
|
netfilter-persistent save
|
|
{% else %}
|
|
iptables-save > $IPTABLES_DATA
|
|
{% endif %}
|
|
exit 0
|