iiab/roles/network/templates/gateway/iiab-gen-iptables

#!/bin/bash -x

################################################################################
#                                                                              #
# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN:                   #
#                                                                              #
#   /etc/iiab/local_vars.yml                                                   #
#                                                                              #
# This firewall variable must be an integer {0...5} as follows:                #
#                                                                              #
#   0 = none                                                                   #
#   1 = ssh only                                                               #
#   2 = ssh + http-or-https (for Admin Console's box.lan/admin too)            #
#   3 = ssh + http-or-https + common IIAB services  <--  THIS IS THE DEFAULT   #
#   4 = ssh + http-or-https + common IIAB services + Samba                     #
#   5 = all but databases                                                      #
#                                                                              #
# Then enable it with iptables by running: cd /opt/iiab/iiab; ./iiab-network   #
#                                                                              #
################################################################################

# To further customize your iptables firewall, it's generally best to edit:
# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
# And then run: cd /opt/iiab/iiab; ./iiab-network

# IIAB Networking Doc:
# https://github.com/iiab/iiab/wiki/IIAB-Networking#firewall-iptables

{% if is_debuntu %}
IPTABLES=/sbin/iptables
IPTABLES_DATA=/etc/iptables.up.rules
{% else %}
IPTABLES=/usr/sbin/iptables
IPTABLES_DATA=/etc/sysconfig/iptables
{% endif %}

source {{ iiab_env_file }}
lan=$IIAB_LAN_DEVICE
wan=$IIAB_WAN_DEVICE
echo -e "\nLAN: $lan"
echo -e "WAN: $wan\n"
#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
#echo -e "Network Mode: $network_mode\n"

# "Good thing we replace this file; should be treated like Squid below" ?
ports_externally_visible={{ ports_externally_visible }}
#services_externally_visible= [deprecated]
gw_block_https={{ gw_block_https }}
ssh_port={{ ssh_port }}
#gui_wan= [no longer needed]
gui_port={{ gui_port }}
iiab_gateway_enabled={{ iiab_gateway_enabled }}
block_DNS={{ block_DNS }}

azuracast_ports="{{ azuracast_port_range_prefix }}000:{{ azuracast_port_range_prefix }}100"
azuracast_https_port={{ azuracast_https_port }}
azuracast_http_port={{ azuracast_http_port }}
calibre_port={{ calibre_port }}
calibreweb_port={{ calibreweb_port }}
cups_port={{ cups_port }}
internetarchive_port={{ internetarchive_port }}
kalite_server_port={{ kalite_server_port }}
kiwix_port={{ kiwix_port }}
kolibri_http_port={{ kolibri_http_port }}
minetest_port={{ minetest_port }}
mosquitto_port={{ mosquitto_port }}
nodered_port={{ nodered_port }}
pbx_enabled={{ pbx_enabled }}
pbx_http_port={{ pbx_http_port }}
pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
pbx_data_ports={{ pbx_data_ports }}
sugarizer_port={{ sugarizer_port }}
transmission_http_port={{ transmission_http_port }}
transmission_peer_port={{ transmission_peer_port }}

samba_udp_ports={{ samba_udp_ports }}
samba_tcp_mports={{ samba_tcp_mports }}

echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
    echo "EXITING: an integer is required"
    exit 1
elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
    echo "EXITING: it must be in the range {0...5}"
    exit 1
fi

#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
# Load iptables kernel modules
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
#fi

# Delete all existing firewall rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# FIRST MATCH WINS - establish iptable rules, starting at the top:
# (verify the resulting rule set by running 'iptables -L -v')
# New to iptables?  Run/read 'man iptables' & 'man iptables-extensions'

# Always accept loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

# Disable access to databases, on LAN-side and WAN-side
# SunRPC
$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
$IPTABLES -A INPUT -p udp --dport 111 -j DROP
# MySQL
$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
# PostgreSQL - not needed listens on lo only
$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
# CouchDB
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP

# Allow established connections, and those not coming from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT

# Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT

#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
if [ "$wan" != "none" ]; then

    # 1 = ssh only
    if [ "$ports_externally_visible" -ge 1 ]; then
        $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
    fi

    # 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
    if [ "$ports_externally_visible" -ge 2 ]; then
        # For now this is implemented using Admin Console variable "gui_port" from:
        # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95
        $IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
    fi

    # 3 = ssh + http-or-https + common IIAB services
    if [ "$ports_externally_visible" -ge 3 ]; then
        $IPTABLES -A INPUT -p tcp --dport $azuracast_ports -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $azuracast_http_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $azuracast_https_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT

        if [ "$pbx_enabled" == "True" ]; then
            $IPTABLES -A INPUT -p tcp --dport $pbx_http_port -m state --state NEW -i $wan -j ACCEPT
            $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
            $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
            $IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
        fi

        $IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
    fi

    # 4 = ssh + http-or-https + common IIAB services + Samba
    if [ "$ports_externally_visible" -ge 4 ]; then
        $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
        $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
    fi

    if [ "$lan" != "none" ]; then
        # Typically False, to keep client machines (e.g. students) off the Internet
        if [ "$iiab_gateway_enabled" == "True" ]; then
            $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
        fi

        # 3 or 4 IP forwarding rules
        $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Block https traffic except if directed at server
        if [ "$gw_block_https" == "True" ]; then
            $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
        fi
        # Allow outgoing connections from the LAN side
        $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
        # Don't forward from the outside to the inside
        $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
        # Enable routing (kernel IP forwarding)
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # 5 = "all but databases"
    if [ "$ports_externally_visible" -lt 5 ]; then
        # Drop everything else arriving via WAN
        $IPTABLES -A INPUT -i $wan -j DROP
    fi
fi

# TCP & UDP block of DNS port 53 if truly nec
if [ "$block_DNS" == "True" ]; then
    $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
    $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
fi

# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
if [ "$HTTPCACHE_ON" == "True" ]; then
    $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
fi

# Save the whole rule set
{% if is_debuntu %}
netfilter-persistent save
{% else %}
iptables-save > $IPTABLES_DATA
{% endif %}

exit 0