From 2011199bf9c4fb36c934b2ff7d522971bc4f8dae Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 19 Jan 2019 00:53:46 +0100 Subject: added firewall script for all network setups --- .../templates/firewall/elevate-festival.sh.j2 | 49 ++++++++++++++++++++-- .../media/templates/firewall/elevate-office.sh.j2 | 33 +++++++++++++-- .../media/templates/firewall/lan-only.sh.j2 | 33 +++++++++++++-- .../media/templates/firewall/r3-with-lan.sh.j2 | 49 ++++++++++++++++++++-- roles/elevate/media/templates/firewall/r3.sh.j2 | 43 +++++++++++++++++-- 5 files changed, 187 insertions(+), 20 deletions(-) (limited to 'roles/elevate/media/templates/firewall') diff --git a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 index 041e441b..5e7bd98b 100644 --- a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 +++ b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 
@@ -15,13 +15,39 @@ MANGLE="$IPTABLES -t mangle" FILTER6="$IP6TABLES -t filter" MANGLE6="$IP6TABLES -t mangle" +LAN_IF="{{ network.primary.interface }}" +LAN_IPADDR="{{ network.primary.ip }}" +LAN_NETMASK="{{ network.primary.mask }}" + +EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}" +EXT_IPADDR="{{ network_zones.dom.prefix | ipaddr(network_zones.dom.offsets[inventory_hostname]) | ipaddr('address/prefix') }}" + +EXT_SERVICES_TCP="80 443 22000" +EXT_SERVICES_UDP="" + ######################### # IPv4 UP # ######################### ipv4_up() { - # don't do anything here + $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + + $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT + + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT + for port in $EXT_SERVICES_TCP; do + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT + done + for port in $EXT_SERVICES_UDP; do + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT + done + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -31,7 +57,11 @@ ipv4_up() { ######################### ipv6_up() { - # don't do anything here + $FILTER -A INPUT -i lo -j ACCEPT + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -41,7 +71,13 @@ ipv6_up() { ######################### ipv4_down() { - # don't do anything here + $MANGLE -F + $NAT -F + $FILTER -F + $FILTER -P INPUT ACCEPT + $FILTER -P FORWARD ACCEPT + $FILTER -P OUTPUT ACCEPT + echo -n "success" } @@ -51,6 +87,11 @@ ipv4_down() { ######################### ipv6_down() { - # don't do anything here + $MANGLE6 -F + $FILTER6 -F + $FILTER6 -P INPUT ACCEPT + $FILTER6 -P FORWARD ACCEPT + $FILTER6 -P OUTPUT ACCEPT + echo -n "success" } 
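Review bot: In `ipv4_up` every `-d "$EXT_IPADDR"` match is wider than this host, because `EXT_IPADDR` is rendered with `ipaddr('address/prefix')` and therefore carries an `addr/len` suffix; iptables treats that as a network match, so the rule also covers directed-broadcast traffic and any other local address inside the dom prefix, and it differs from the r3 variants, which use a bare host address. Rendering the variable as `EXT_IPADDR="{{ network_zones.dom.prefix | ipaddr(network_zones.dom.offsets[inventory_hostname]) | ipaddr('address') }}"` keeps the rules host-scoped. Separately, `ipv4_up` appends to INPUT without flushing first, so an `up` that is not preceded by `down` duplicates every rule; a leading `$FILTER -F INPUT` (or applying the set through `iptables-restore` in one atomic step) would make it idempotent.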
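Review bot: `ipv6_up` drives `$FILTER` (iptables) instead of `$FILTER6`, so the IPv6 tables are never touched: the ip6tables INPUT policy stays at its default ACCEPT and every listening service remains reachable over IPv6 wherever the host has a routable v6 address, while IPv4 merely gets a second loopback rule. The same slip is in the `ipv6_up` hunks of elevate-office.sh.j2, lan-only.sh.j2, r3-with-lan.sh.j2 and r3.sh.j2; `ipv6_down` already uses `$FILTER6` and `$MANGLE6` correctly. Once the variable is corrected, a loopback-only ACCEPT followed by INPUT DROP would also discard ICMPv6 neighbour discovery and the replies to connections the host opens itself, so the function needs at least an ICMPv6 rule and a conntrack rule, as below.
```shell
ipv6_up() {
  $FILTER6 -A INPUT -i lo -j ACCEPT
  $FILTER6 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Neighbour discovery, router advertisements and PMTU all ride on ICMPv6;
  # dropping it breaks IPv6 connectivity entirely.
  $FILTER6 -A INPUT -p ipv6-icmp -j ACCEPT

  $FILTER6 -P INPUT DROP
  $FILTER6 -P FORWARD DROP

  # … unchanged: echo -n "success" …
```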
diff --git a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 b/roles/elevate/media/templates/firewall/elevate-office.sh.j2 index 041e441b..19cea0db 100644 --- a/roles/elevate/media/templates/firewall/elevate-office.sh.j2 +++ b/roles/elevate/media/templates/firewall/elevate-office.sh.j2 @@ -15,13 +15,23 @@ MANGLE="$IPTABLES -t mangle" FILTER6="$IP6TABLES -t filter" MANGLE6="$IP6TABLES -t mangle" +LAN_IF="{{ network.primary.interface }}" +LAN_IPADDR="192.168.0.250" +LAN_NETMASK="255.255.255.0" + ######################### # IPv4 UP # ######################### ipv4_up() { - # don't do anything here + $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + + $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -31,7 +41,11 @@ ipv4_up() { ######################### ipv6_up() { - # don't do anything here + $FILTER -A INPUT -i lo -j ACCEPT + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -41,7 +55,13 @@ ipv6_up() { ######################### ipv4_down() { - # don't do anything here + $MANGLE -F + $NAT -F + $FILTER -F + $FILTER -P INPUT ACCEPT + $FILTER -P FORWARD ACCEPT + $FILTER -P OUTPUT ACCEPT + echo -n "success" } @@ -51,6 +71,11 @@ ipv4_down() { ######################### ipv6_down() { - # don't do anything here + $MANGLE6 -F + $FILTER6 -F + $FILTER6 -P INPUT ACCEPT + $FILTER6 -P FORWARD ACCEPT + $FILTER6 -P OUTPUT ACCEPT + echo -n "success" } diff --git a/roles/elevate/media/templates/firewall/lan-only.sh.j2 b/roles/elevate/media/templates/firewall/lan-only.sh.j2 index 041e441b..9a7db67a 100644 --- a/roles/elevate/media/templates/firewall/lan-only.sh.j2 +++ b/roles/elevate/media/templates/firewall/lan-only.sh.j2 
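Review bot: `LAN_IPADDR="192.168.0.250"` and `LAN_NETMASK="255.255.255.0"` are literals in a Jinja template whose sibling templates render the same two values from `network.primary.ip` and `network.primary.mask`, so the office host's address now lives in two places that can drift without any failure at render time. If the office host's inventory carries `network.primary`, rendering from it as the other templates do removes the copy; if the office subnet is deliberately different from the inventory value, a one-line comment above the literals saying so would stop the next reader from "fixing" it.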
@@ -15,13 +15,23 @@ MANGLE="$IPTABLES -t mangle" FILTER6="$IP6TABLES -t filter" MANGLE6="$IP6TABLES -t mangle" +LAN_IF="{{ network.primary.interface }}" +LAN_IPADDR="{{ network.primary.ip }}" +LAN_NETMASK="{{ network.primary.mask }}" + ######################### # IPv4 UP # ######################### ipv4_up() { - # don't do anything here + $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + + $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -31,7 +41,11 @@ ipv4_up() { ######################### ipv6_up() { - # don't do anything here + $FILTER -A INPUT -i lo -j ACCEPT + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -41,7 +55,13 @@ ipv6_up() { ######################### ipv4_down() { - # don't do anything here + $MANGLE -F + $NAT -F + $FILTER -F + $FILTER -P INPUT ACCEPT + $FILTER -P FORWARD ACCEPT + $FILTER -P OUTPUT ACCEPT + echo -n "success" } @@ -51,6 +71,11 @@ ipv4_down() { ######################### ipv6_down() { - # don't do anything here + $MANGLE6 -F + $FILTER6 -F + $FILTER6 -P INPUT ACCEPT + $FILTER6 -P FORWARD ACCEPT + $FILTER6 -P OUTPUT ACCEPT + echo -n "success" } diff --git a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 index 041e441b..4ac1509c 100644 --- a/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 +++ b/roles/elevate/media/templates/firewall/r3-with-lan.sh.j2 
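Review bot: Apart from the three `LAN_*` variable lines, this hunk and the three that follow are byte-identical to the elevate-office.sh.j2 hunks, and the r3 templates repeat the same `ipv4_up`/`ipv6_up`/`ipv4_down`/`ipv6_down` bodies with one extra rule block; five copies of one ruleset will be patched unevenly, as the identical `ipv6_up` slip in every file already shows. A single template with the variable block and the optional `EXT_*` rules selected by a Jinja `{% if %}`, or a shared include for the common functions, would keep the variants in step.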
@@ -15,13 +15,39 @@ MANGLE="$IPTABLES -t mangle" FILTER6="$IP6TABLES -t filter" MANGLE6="$IP6TABLES -t mangle" +LAN_IF="{{ network.primary.interface }}" +LAN_IPADDR="{{ network.primary.ip }}" +LAN_NETMASK="{{ network.primary.mask }}" + +EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}" +EXT_IPADDR="89.106.211.61" + +EXT_SERVICES_TCP="80 443 22000" +EXT_SERVICES_UDP="" + ######################### # IPv4 UP # ######################### ipv4_up() { - # don't do anything here + $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + + $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT + + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT + for port in $EXT_SERVICES_TCP; do + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT + done + for port in $EXT_SERVICES_UDP; do + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT + done + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -31,7 +57,11 @@ ipv4_up() { ######################### ipv6_up() { - # don't do anything here + $FILTER -A INPUT -i lo -j ACCEPT + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -41,7 +71,13 @@ ipv6_up() { ######################### ipv4_down() { - # don't do anything here + $MANGLE -F + $NAT -F + $FILTER -F + $FILTER -P INPUT ACCEPT + $FILTER -P FORWARD ACCEPT + $FILTER -P OUTPUT ACCEPT + echo -n "success" } @@ -51,6 +87,11 @@ ipv4_down() { ######################### ipv6_down() { - # don't do anything here + $MANGLE6 -F + $FILTER6 -F + $FILTER6 -P INPUT ACCEPT + $FILTER6 -P FORWARD ACCEPT + $FILTER6 -P OUTPUT ACCEPT + echo -n "success" } diff --git a/roles/elevate/media/templates/firewall/r3.sh.j2 b/roles/elevate/media/templates/firewall/r3.sh.j2 index 041e441b..8959951d 100644 
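Review bot: `EXT_IPADDR="89.106.211.61"` is a literal here and in r3.sh.j2, whereas elevate-festival.sh.j2 derives the same address from `network_zones.dom` and `inventory_hostname`; the public address of a host should come from one place, and the festival template already shows how. In `ipv4_up` the `RELATED,ESTABLISHED` conntrack rule is appended after the per-port loops, so every packet of an already accepted flow is evaluated against each service rule before it is matched; placing it directly after the loopback rule is the conventional order and costs nothing.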
--- a/roles/elevate/media/templates/firewall/r3.sh.j2 +++ b/roles/elevate/media/templates/firewall/r3.sh.j2 @@ -15,13 +15,33 @@ MANGLE="$IPTABLES -t mangle" FILTER6="$IP6TABLES -t filter" MANGLE6="$IP6TABLES -t mangle" +EXT_IF="{{ network.primary.interface }}.{{ network_zones.dom.vlan }}" +EXT_IPADDR="89.106.211.61" + +EXT_SERVICES_TCP="80 443 22000" +EXT_SERVICES_UDP="" + ######################### # IPv4 UP # ######################### ipv4_up() { - # don't do anything here + $FILTER -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT + for port in $EXT_SERVICES_TCP; do + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p tcp --dport $port -j ACCEPT + done + for port in $EXT_SERVICES_UDP; do + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p udp --dport $port -j ACCEPT + done + $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -31,7 +51,11 @@ ipv4_up() { ######################### ipv6_up() { - # don't do anything here + $FILTER -A INPUT -i lo -j ACCEPT + + $FILTER -P INPUT DROP + $FILTER -P FORWARD DROP + echo -n "success" } @@ -41,7 +65,13 @@ ipv6_up() { ######################### ipv4_down() { - # don't do anything here + $MANGLE -F + $NAT -F + $FILTER -F + $FILTER -P INPUT ACCEPT + $FILTER -P FORWARD ACCEPT + $FILTER -P OUTPUT ACCEPT + echo -n "success" } @@ -51,6 +81,11 @@ ipv4_down() { ######################### ipv6_down() { - # don't do anything here + $MANGLE6 -F + $FILTER6 -F + $FILTER6 -P INPUT ACCEPT + $FILTER6 -P FORWARD ACCEPT + $FILTER6 -P OUTPUT ACCEPT + echo -n "success" } -- cgit v1.2.3
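Review bot: With no LAN rule in this variant, `ipv4_up` leaves only ICMP and TCP 80, 443 and 22000 reachable on `$EXT_IF` once `INPUT DROP` is set; if the host is administered over SSH on this interface, the management port has to be in `EXT_SERVICES_TCP`, and 22000 is also the default Syncthing port, so confirm which service it is meant for before this is rolled out remotely. A comment on the `EXT_SERVICES_TCP` line naming the services behind each port, e.g. `# 80/443 web, 22000 <service — confirm>`, would make the exposure reviewable. ipv6 is not filtered by this file at all at present, as noted on elevate-festival.sh.j2.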