diff options
| author | Sven Gothel <[email protected]> | 2013-06-04 19:37:29 +0200 |
|---|---|---|
| committer | Sven Gothel <[email protected]> | 2013-06-04 19:37:29 +0200 |
| commit | 29391e7aedaa17779069305872dd3196c929f65f (patch) | |
| tree | 248c40a882b94641bcba39176b0e2b448d914731 | |
| parent | 4f170e86e6e650df9a20166b18ebc7729d14ca47 (diff) | |
rename folder dirs w/ numeric prefix, indicating order of steps to perform.
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/README.txt (renamed from server/setup/zfs_linux_bringup/README.txt) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/apt-install-zfs_kernel_etc.sh (renamed from server/setup/zfs_linux_bringup/apt-install-zfs_kernel_etc.sh) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/apt-sources.list (renamed from server/setup/zfs_linux_bringup/apt-sources.list) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/chroot-chroot.sh (renamed from server/setup/zfs_linux_bringup/chroot-chroot.sh) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/chroot-mount.sh (renamed from server/setup/zfs_linux_bringup/chroot-mount.sh) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/chroot-umount.sh (renamed from server/setup/zfs_linux_bringup/chroot-umount.sh) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/etc_fstab.txt (renamed from server/setup/zfs_linux_bringup/etc_fstab.txt) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/grub_custom.cfg (renamed from server/setup/zfs_linux_bringup/grub_custom.cfg) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/initramfs-tools.scripts.zfs (renamed from server/setup/zfs_linux_bringup/initramfs-tools.scripts.zfs) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/zfs01-create_config-pool.sh (renamed from server/setup/zfs_linux_bringup/zfs01-create_config-pool.sh) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/zfs02-create-datasets.sh (renamed from server/setup/zfs_linux_bringup/zfs02-create-datasets.sh) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/zfs03-export_import.sh (renamed from server/setup/zfs_linux_bringup/zfs03-export_import.sh) | 0 | ||||
| -rw-r--r-- | server/setup/01-zfs_linux_bringup/zfs04-system-populate.sh (renamed from server/setup/zfs_linux_bringup/zfs04-system-populate.sh) | 0 | ||||
| -rwxr-xr-x | server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure | 303 | ||||
| -rwxr-xr-x | server/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure | 285 | ||||
| -rwxr-xr-x | server/setup/02-firewall/etc/iptables/iptables_all | 56 | ||||
| -rw-r--r-- | server/setup/02-firewall/etc/network/interfaces | 22 |
17 files changed, 666 insertions, 0 deletions
diff --git a/server/setup/zfs_linux_bringup/README.txt b/server/setup/01-zfs_linux_bringup/README.txt index 5307abc..5307abc 100644 --- a/server/setup/zfs_linux_bringup/README.txt +++ b/server/setup/01-zfs_linux_bringup/README.txt diff --git a/server/setup/zfs_linux_bringup/apt-install-zfs_kernel_etc.sh b/server/setup/01-zfs_linux_bringup/apt-install-zfs_kernel_etc.sh index 7c43ed2..7c43ed2 100644 --- a/server/setup/zfs_linux_bringup/apt-install-zfs_kernel_etc.sh +++ b/server/setup/01-zfs_linux_bringup/apt-install-zfs_kernel_etc.sh diff --git a/server/setup/zfs_linux_bringup/apt-sources.list b/server/setup/01-zfs_linux_bringup/apt-sources.list index b7d90e2..b7d90e2 100644 --- a/server/setup/zfs_linux_bringup/apt-sources.list +++ b/server/setup/01-zfs_linux_bringup/apt-sources.list diff --git a/server/setup/zfs_linux_bringup/chroot-chroot.sh b/server/setup/01-zfs_linux_bringup/chroot-chroot.sh index 2786bca..2786bca 100644 --- a/server/setup/zfs_linux_bringup/chroot-chroot.sh +++ b/server/setup/01-zfs_linux_bringup/chroot-chroot.sh diff --git a/server/setup/zfs_linux_bringup/chroot-mount.sh b/server/setup/01-zfs_linux_bringup/chroot-mount.sh index a719301..a719301 100644 --- a/server/setup/zfs_linux_bringup/chroot-mount.sh +++ b/server/setup/01-zfs_linux_bringup/chroot-mount.sh diff --git a/server/setup/zfs_linux_bringup/chroot-umount.sh b/server/setup/01-zfs_linux_bringup/chroot-umount.sh index f53d3b9..f53d3b9 100644 --- a/server/setup/zfs_linux_bringup/chroot-umount.sh +++ b/server/setup/01-zfs_linux_bringup/chroot-umount.sh diff --git a/server/setup/zfs_linux_bringup/etc_fstab.txt b/server/setup/01-zfs_linux_bringup/etc_fstab.txt index 8f5f16f..8f5f16f 100644 --- a/server/setup/zfs_linux_bringup/etc_fstab.txt +++ b/server/setup/01-zfs_linux_bringup/etc_fstab.txt diff --git a/server/setup/zfs_linux_bringup/grub_custom.cfg b/server/setup/01-zfs_linux_bringup/grub_custom.cfg index 1402481..1402481 100644 --- a/server/setup/zfs_linux_bringup/grub_custom.cfg +++ b/server/setup/01-zfs_linux_bringup/grub_custom.cfg diff --git a/server/setup/zfs_linux_bringup/initramfs-tools.scripts.zfs b/server/setup/01-zfs_linux_bringup/initramfs-tools.scripts.zfs index 328cfca..328cfca 100644 --- a/server/setup/zfs_linux_bringup/initramfs-tools.scripts.zfs +++ b/server/setup/01-zfs_linux_bringup/initramfs-tools.scripts.zfs diff --git a/server/setup/zfs_linux_bringup/zfs01-create_config-pool.sh b/server/setup/01-zfs_linux_bringup/zfs01-create_config-pool.sh index dc0c80d..dc0c80d 100644 --- a/server/setup/zfs_linux_bringup/zfs01-create_config-pool.sh +++ b/server/setup/01-zfs_linux_bringup/zfs01-create_config-pool.sh diff --git a/server/setup/zfs_linux_bringup/zfs02-create-datasets.sh b/server/setup/01-zfs_linux_bringup/zfs02-create-datasets.sh index c8a0d3a..c8a0d3a 100644 --- a/server/setup/zfs_linux_bringup/zfs02-create-datasets.sh +++ b/server/setup/01-zfs_linux_bringup/zfs02-create-datasets.sh diff --git a/server/setup/zfs_linux_bringup/zfs03-export_import.sh b/server/setup/01-zfs_linux_bringup/zfs03-export_import.sh index 90a5cbe..90a5cbe 100644 --- a/server/setup/zfs_linux_bringup/zfs03-export_import.sh +++ b/server/setup/01-zfs_linux_bringup/zfs03-export_import.sh diff --git a/server/setup/zfs_linux_bringup/zfs04-system-populate.sh b/server/setup/01-zfs_linux_bringup/zfs04-system-populate.sh index ae1b109..ae1b109 100644 --- a/server/setup/zfs_linux_bringup/zfs04-system-populate.sh +++ b/server/setup/01-zfs_linux_bringup/zfs04-system-populate.sh diff --git a/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure new file mode 100755 index 0000000..a9813cb --- /dev/null +++ b/server/setup/02-firewall/etc/iptables/ip4tables_bad_fwdmz_good-secure @@ -0,0 +1,303 @@ +#! /bin/sh + +#set -x + +action=$1 +shift + +# +#* Single end device with untrusted inet connection +# + +ETH_EXTERN=eth0 +IP_EXTERN_SELF=$( /sbin/ip -o -f inet addr show dev $ETH_EXTERN scope global | awk ' { print $4; } ' ) +IP_EXTERN_GW=$( /sbin/ip -o -f inet route show dev $ETH_EXTERN | grep default | awk ' { print $3; } ' ) + +## +## + +IPTABLES=/sbin/iptables + +if [ "$action" != "start" -a "$action" != "stop" ] ; then + echo usage $0 \( start \| stop \) + echo + echo $0 start + echo $0 stop + exit 1 +fi + +if [ "$action" = "stop" ] ; then + echo "IPTABLES rules down" + + $IPTABLES -F acl_external_input + $IPTABLES -F acl_srv_connect + $IPTABLES -F acl_srv_web + $IPTABLES -F acl_srv_shared + $IPTABLES -F acl_srv_email + $IPTABLES -F acl_srv_login_sec + $IPTABLES -F INPUT + $IPTABLES -F FORWARD + + $IPTABLES -X acl_external_input + $IPTABLES -X acl_srv_connect + $IPTABLES -X acl_srv_web + $IPTABLES -X acl_srv_shared + $IPTABLES -X acl_srv_email + $IPTABLES -X acl_srv_login_sec + + $IPTABLES -P INPUT ACCEPT + $IPTABLES -P FORWARD ACCEPT + + exit 0 +fi + +if [ "$action" = "start" ] ; then + echo "IPTABLES rules up" + + # Anti-spoofing + # + # Since we don't have any asymmetric routing, + # we can simply turn on anti-spoofing for all interfaces. + # + #for f in /proc/sys/net/ipv4/conf/*ppp*/rp_filter; do echo 1 > $f; done + + echo 1 > /proc/sys/net/ipv4/conf/$ETH_EXTERN/rp_filter + + /sbin/modprobe iptable_filter + /sbin/modprobe iptable_mangle + /sbin/modprobe iptable_nat + /sbin/modprobe ip_tables + /sbin/modprobe ipt_LOG + /sbin/modprobe ipt_MASQUERADE + /sbin/modprobe ipt_NETMAP + /sbin/modprobe ipt_REDIRECT + /sbin/modprobe ipt_REJECT + /sbin/modprobe ipt_ULOG + /sbin/modprobe nf_conntrack_ipv4 + /sbin/modprobe nf_conntrack_sane + /sbin/modprobe nf_conntrack_sip + /sbin/modprobe nf_conntrack_snmp + /sbin/modprobe nf_conntrack_tftp + /sbin/modprobe nf_nat_ftp + /sbin/modprobe nf_nat_h323 + /sbin/modprobe nf_nat_irc + /sbin/modprobe nf_nat + /sbin/modprobe nf_nat_pptp + /sbin/modprobe nf_nat_sip + /sbin/modprobe nf_nat_snmp_basic + /sbin/modprobe nf_nat_tftp + + $IPTABLES -P INPUT DROP + $IPTABLES -P FORWARD DROP + $IPTABLES -P OUTPUT ACCEPT + + $IPTABLES -N acl_external_input + $IPTABLES -N acl_srv_connect + $IPTABLES -N acl_srv_web + $IPTABLES -N acl_srv_shared + $IPTABLES -N acl_srv_email + $IPTABLES -N acl_srv_login_sec + + ################################################################### + ################################################################### + # + + # INPUT -> user chains + # + # Unfortunately, we only know (in the FORWARD chain) the outgoing interface. + # Thus, to figure out what interface the packet came in on, + # we use the source address (the anti-spoofing prevents address faking). + # + # Note that we log anything which doesn't match any of these (obviously, this should never happen). + # + + # + # INPUT Allow FIREWALL itself ! + # + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT + $IPTABLES -p all -A INPUT -i lo -j ACCEPT + + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j acl_external_input + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW4-IN: rej acl_ext input " + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j REJECT + + # + # INPUT Log & Reject any + # + $IPTABLES -p all -A INPUT -j LOG --log-level debug --log-prefix "FW4-IN: rej ANY input " + $IPTABLES -p all -A INPUT -j REJECT + + # + ################################################################### + ################################################################### + ################################################################### + # + + # FORWARD -> user chains + # + + # + # FORWARD Allow FIREWALL itself ! + # + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT + $IPTABLES -p all -A FORWARD -i lo -j ACCEPT + + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j acl_external_input + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW4-FWD: rej acl_ext input " + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j REJECT + + # + # FORWARD Log & Reject any + # + $IPTABLES -p all -A FORWARD -j LOG --log-level debug --log-prefix "FW4-FWD: rej ANY input " + $IPTABLES -p all -A FORWARD -j REJECT + + # + # + ######################################################################################################################### + ######################################################################################################################### + ######################################################################################################################### + # + # acl_extern_ + # + + # + # Allow fragments (second etc. parts of a huge packet ..) + # Allow icmp notification: 3/4 destination-unreachable/fragmentation-needed + # + # ATTENTION .. can be anything (ICMP), but the very 1st will be filtered ok ! + # + $IPTABLES -A acl_external_input -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT + + $IPTABLES -A acl_external_input -p icmp --icmp-type destination-unreachable -j ACCEPT + $IPTABLES -A acl_external_input -p icmp --icmp-type time-exceeded -j ACCEPT + $IPTABLES -A acl_external_input -p icmp --icmp-type parameter-problem -j ACCEPT + $IPTABLES -A acl_external_input -p icmp --icmp-type timestamp-request -j ACCEPT + + $IPTABLES -p all -A acl_external_input -j acl_srv_connect # includes: allow to answer .. + $IPTABLES -p all -A acl_external_input -j acl_srv_login_sec + $IPTABLES -p all -A acl_external_input -j acl_srv_web + $IPTABLES -p all -A acl_external_input -j acl_srv_shared + $IPTABLES -p all -A acl_external_input -j acl_srv_email + + # --syn == "--tcp-flags SYN,RST,ACK SYN" + #$IPTABLES -p tcp -A acl_external_input ! --syn -j LOG --log-level debug --log-prefix "FW4-Ext: rej INET !syn " + #$IPTABLES -p tcp -A acl_external_input ! --syn -j REJECT + #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j LOG --log-level debug --log-prefix "FW4-Ext: rej INET !resp " + #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j REJECT + + # + ######################################################################################################################### + ######################################################################################################################### + ######################################################################################################################### + # + # INPUT Allow acl_srv_shared + # + # FTP, SAMBA, GNUnet clients + # + + # ANONYMOUS FTP + # + #$IPTABLES -p tcp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT + #$IPTABLES -p udp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT + + $IPTABLES -p tcp -A acl_srv_shared --dport git -j ACCEPT + $IPTABLES -p udp -A acl_srv_shared --dport git -j ACCEPT + + # + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_login_sec + # + # SSH + # + + # SSH + # + #$IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j LOG --log-level debug --log-prefix "FW4-ACL_SSH: " + $IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j ACCEPT + $IPTABLES -p udp -A acl_srv_login_sec --dport ssh -j ACCEPT + + # + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_email + # + # POP3s, SMTP + # + + # IMAPs + # + $IPTABLES -p tcp -A acl_srv_email --dport imaps -j ACCEPT + + # POP3s + # + $IPTABLES -p tcp -A acl_srv_email --dport pop3s -j ACCEPT + + # ident + # + $IPTABLES -p tcp -A acl_srv_email --dport ident -j ACCEPT + + # SMTPs + # + $IPTABLES -p tcp -A acl_srv_email --dport smtp -j ACCEPT + $IPTABLES -p tcp -A acl_srv_email --dport smtps -j ACCEPT + + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_web + # + # HTTP, NTP + # + + # HTTP + # + $IPTABLES -p tcp -A acl_srv_web --dport http -j ACCEPT + $IPTABLES -p tcp -A acl_srv_web --dport https -j ACCEPT + #$IPTABLES -p tcp -A acl_srv_web --dport http-alt -j ACCEPT + #$IPTABLES -p tcp -A acl_srv_web --dport webcache -j ACCEPT + #$IPTABLES -p tcp -A acl_srv_web --dport squid -j ACCEPT + + # + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_connect + # + # ICMP, NTP, DHCP, DNS, ANSWER + # + + # IPSEC + # + $IPTABLES -p ah -A acl_srv_connect -j ACCEPT + $IPTABLES -p esp -A acl_srv_connect -j ACCEPT + + # DHCP .. TFTP + # + $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport mdns -s $IP_EXTERN_SELF -j ACCEPT # + $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:tftp -s $IP_EXTERN_GW -j ACCEPT # + $IPTABLES -p tcp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:69 -s $IP_EXTERN_GW -j ACCEPT # + + # DNS + # + # $IPTABLES -p tcp -A acl_srv_connect --dport mdns -j ACCEPT + # $IPTABLES -p udp -A acl_srv_connect --dport mdns -j ACCEPT + # $IPTABLES -p tcp -A acl_srv_connect --dport domain -j ACCEPT + # $IPTABLES -p udp -A acl_srv_connect --dport domain -j ACCEPT + # $IPTABLES -p tcp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT + # $IPTABLES -p udp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT + + # + # acl_srv_connect Allow * to answer, + # only for known connections - no new unknown ones ! + # + $IPTABLES -p all -A acl_srv_connect -m state --state ESTABLISHED,RELATED -j ACCEPT + + # + # + ######################################################################################################################### +fi + diff --git a/server/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure b/server/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure new file mode 100755 index 0000000..ada1c94 --- /dev/null +++ b/server/setup/02-firewall/etc/iptables/ip6tables_bad_fwdmz_good-secure @@ -0,0 +1,285 @@ +#! /bin/sh + +# set -x + +action=$1 +shift + +# +#* Single end device with untrusted inet connection +# + +ETH_EXTERN=eth0 +IP_EXTERN_SELF=$( /sbin/ip -o -f inet6 addr show dev $ETH_EXTERN scope global | awk ' { print $4; } ' ) +IP_EXTERN_GW=$( /sbin/ip -o -f inet6 route show dev $ETH_EXTERN | grep default | awk ' { print $3; } ' ) + +## +## + +IPTABLES=/sbin/ip6tables + +if [ "$action" != "start" -a "$action" != "stop" ] ; then + echo usage $0 \( start \| stop \) + echo + echo $0 start + echo $0 stop + exit 1 +fi + +if [ "$action" = "stop" ] ; then + echo "IPTABLES rules down" + + $IPTABLES -F acl_external_input + $IPTABLES -F acl_srv_connect + $IPTABLES -F acl_srv_web + $IPTABLES -F acl_srv_shared + $IPTABLES -F acl_srv_email + $IPTABLES -F acl_srv_login_sec + $IPTABLES -F INPUT + $IPTABLES -F FORWARD + + $IPTABLES -X acl_external_input + $IPTABLES -X acl_srv_connect + $IPTABLES -X acl_srv_web + $IPTABLES -X acl_srv_shared + $IPTABLES -X acl_srv_email + $IPTABLES -X acl_srv_login_sec + + $IPTABLES -P INPUT ACCEPT + $IPTABLES -P FORWARD ACCEPT + + exit 0 +fi + +if [ "$action" = "start" ] ; then + echo "IPTABLES rules up" + + # Anti-spoofing + # + # Since we don't have any asymmetric routing, + # we can simply turn on anti-spoofing for all interfaces. + # + #for f in /proc/sys/net/ipv4/conf/*ppp*/rp_filter; do echo 1 > $f; done + + $IPTABLES -P INPUT DROP + + $IPTABLES -N acl_external_input + $IPTABLES -N acl_srv_connect + $IPTABLES -N acl_srv_web + $IPTABLES -N acl_srv_shared + $IPTABLES -N acl_srv_email + $IPTABLES -N acl_srv_login_sec + + ################################################################### + ################################################################### + # + + # INPUT -> user chains + # + # Unfortunately, we only know (in the FORWARD chain) the outgoing interface. + # Thus, to figure out what interface the packet came in on, + # we use the source address (the anti-spoofing prevents address faking). + # + # Note that we log anything which doesn't match any of these (obviously, this should never happen). + # + + # + # INPUT Allow FIREWALL itself ! + # + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT + $IPTABLES -p all -A INPUT -i lo -j ACCEPT + + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j acl_external_input + + #$IPTABLES -p tcp -A INPUT -i $ETH_EXTERN --tcp-flags ACK ACK -j LOG \ + # --log-level debug --log-prefix "FW6-IN: ack " + $IPTABLES -p tcp -A INPUT -i $ETH_EXTERN --tcp-flags ACK ACK -j ACCEPT + + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW6-IN: rej acl_ext input " + $IPTABLES -p all -A INPUT -i $ETH_EXTERN -j REJECT + + # + # INPUT Log & Reject any + # + $IPTABLES -p all -A INPUT -j LOG --log-level debug --log-prefix "FW6-IN: rej ANY input " + $IPTABLES -p all -A INPUT -j REJECT + + # + ################################################################### + ################################################################### + ################################################################### + # + + # FORWARD -> user chains + # + + # + # FORWARD Allow FIREWALL itself ! + # + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -s $IP_EXTERN_SELF -j ACCEPT + $IPTABLES -p all -A FORWARD -i lo -j ACCEPT + + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j acl_external_input + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j LOG --log-level debug --log-prefix "FW6-FWD: rej acl_ext input " + $IPTABLES -p all -A FORWARD -i $ETH_EXTERN -j REJECT + + # + # FORWARD Log & Reject any + # + $IPTABLES -p all -A FORWARD -j LOG --log-level debug --log-prefix "FW6-FWD: rej ANY input " + $IPTABLES -p all -A FORWARD -j REJECT + + # + # + ######################################################################################################################### + ######################################################################################################################### + ######################################################################################################################### + # + # acl_extern_ + # + + # + # Allow fragments (second etc. parts of a huge packet ..) + # Allow icmpv6 notification: 3/4 destination-unreachable/fragmentation-needed + # + # ATTENTION .. can be anything (ICMP), but the very 1st will be filtered ok ! + # + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT + + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT + $IPTABLES -A acl_external_input -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT + + $IPTABLES -p all -A acl_external_input -j acl_srv_connect # includes: allow to answer .. + $IPTABLES -p all -A acl_external_input -j acl_srv_login_sec + $IPTABLES -p all -A acl_external_input -j acl_srv_web + $IPTABLES -p all -A acl_external_input -j acl_srv_shared + $IPTABLES -p all -A acl_external_input -j acl_srv_email + + # --syn == "--tcp-flags SYN,RST,ACK SYN" + #$IPTABLES -p tcp -A acl_external_input ! --syn -j LOG --log-level debug --log-prefix "FW6-Ext: rej INET !syn " + #$IPTABLES -p tcp -A acl_external_input ! --syn -j REJECT + #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j LOG --log-level debug --log-prefix "FW6-Ext: rej INET !resp " + #$IPTABLES -p all -A acl_external_input -m state ! --state ESTABLISHED,RELATED -j REJECT + + # + ######################################################################################################################### + ######################################################################################################################### + ######################################################################################################################### + # + # INPUT Allow acl_srv_shared + # + # FTP, SAMBA, GNUnet clients + # + + # ANONYMOUS FTP + # + #$IPTABLES -p tcp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT + #$IPTABLES -p udp -A acl_srv_shared --dport ftp-data:ftp -j ACCEPT + + $IPTABLES -p tcp -A acl_srv_shared --dport git -j ACCEPT + $IPTABLES -p udp -A acl_srv_shared --dport git -j ACCEPT + + # + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_login_sec + # + # SSH + # + + # SSH + # + #$IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j LOG --log-level debug --log-prefix "FW6-ACL_SSH: " + $IPTABLES -p tcp -A acl_srv_login_sec --dport ssh -j ACCEPT + $IPTABLES -p udp -A acl_srv_login_sec --dport ssh -j ACCEPT + + # + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_email + # + # POP3s, SMTP + # + + # IMAPs + # + $IPTABLES -p tcp -A acl_srv_email --dport imaps -j ACCEPT + + # POP3s + # + $IPTABLES -p tcp -A acl_srv_email --dport pop3s -j ACCEPT + + # ident + # + $IPTABLES -p tcp -A acl_srv_email --dport ident -j ACCEPT + + # SMTPs + # + $IPTABLES -p tcp -A acl_srv_email --dport smtp -j ACCEPT + $IPTABLES -p tcp -A acl_srv_email --dport smtps -j ACCEPT + + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_web + # + # HTTP, NTP + # + + # HTTP + # + $IPTABLES -p tcp -A acl_srv_web --dport http -j ACCEPT + $IPTABLES -p tcp -A acl_srv_web --dport https -j ACCEPT + #$IPTABLES -p tcp -A acl_srv_web --dport http-alt -j ACCEPT + #$IPTABLES -p tcp -A acl_srv_web --dport webcache -j ACCEPT + #$IPTABLES -p tcp -A acl_srv_web --dport squid -j ACCEPT + + # + # + ######################################################################################################################### + # + # INPUT Allow acl_srv_connect + # + # ICMP, NTP, DHCP, DNS, ANSWER + # + + # IPSEC + # + #$IPTABLES -p ah -A acl_srv_connect -j ACCEPT + $IPTABLES -p esp -A acl_srv_connect -j ACCEPT + + # DHCP .. TFTP + # + $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport mdns -s $IP_EXTERN_SELF -j ACCEPT # + $IPTABLES -p udp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:tftp -s $IP_EXTERN_GW -j ACCEPT # + $IPTABLES -p tcp -A acl_srv_connect -i $ETH_EXTERN --dport bootps:69 -s $IP_EXTERN_GW -j ACCEPT # + + # DNS + # + # $IPTABLES -p tcp -A acl_srv_connect --dport mdns -j ACCEPT + # $IPTABLES -p udp -A acl_srv_connect --dport mdns -j ACCEPT + # $IPTABLES -p tcp -A acl_srv_connect --dport domain -j ACCEPT + # $IPTABLES -p udp -A acl_srv_connect --dport domain -j ACCEPT + # $IPTABLES -p tcp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT + # $IPTABLES -p udp -A acl_srv_connect --dport netbios-ns:netbios-ssn -j ACCEPT + + # + # acl_srv_connect Allow * to answer, + # only for known connections - no new unknown ones ! + # + $IPTABLES -p all -A acl_srv_connect -m state --state ESTABLISHED,RELATED -j ACCEPT + + # + # + ######################################################################################################################### +fi + diff --git a/server/setup/02-firewall/etc/iptables/iptables_all b/server/setup/02-firewall/etc/iptables/iptables_all new file mode 100755 index 0000000..95af1e1 --- /dev/null +++ b/server/setup/02-firewall/etc/iptables/iptables_all @@ -0,0 +1,56 @@ +#! /bin/bash + +case "$1" in + start) + echo "iptables-all start" + + #/etc/iptables/ipv6_6to4_tunnel start + #/etc/iptables/ip_tc start + #/etc/iptables/ip_alias start + #/etc/iptables/ip_route start + + #sleep 1s + #/etc/init.d/rpcbind start + #/etc/init.d/named start + #/etc/init.d/dhcp6s start + #/etc/init.d/dhcpd start + #/etc/init.d/radvd start + #/etc/init.d/ypserv start + #/etc/init.d/yppasswdd start + #/etc/init.d/nfsserver start + + echo -n "iptables setup init" + /etc/iptables/ip6tables_bad_fwdmz_good-secure start + /etc/iptables/ip4tables_bad_fwdmz_good-secure start + ;; + + stop) + echo "iptables-all stop" + + /etc/iptables/ip4tables_bad_fwdmz_good-secure stop + /etc/iptables/ip6tables_bad_fwdmz_good-secure stop + + #/etc/init.d/nfsserver stop + #/etc/init.d/yppasswdd stop + #/etc/init.d/ypserv stop + #/etc/init.d/radvd stop + #/etc/init.d/dhcpd stop + #/etc/init.d/dhcp6s stop + #/etc/init.d/named stop + #/etc/init.d/rpcbind stop + + #/etc/iptables/ip_route stop + #/etc/iptables/ip_alias stop + #/etc/iptables/ip_tc stop + #/etc/iptables/ipv6_6to4_tunnel stop + ;; + + restart) + $0 stop && $0 start || return=$rc_failed + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + diff --git a/server/setup/02-firewall/etc/network/interfaces b/server/setup/02-firewall/etc/network/interfaces new file mode 100644 index 0000000..0156198 --- /dev/null +++ b/server/setup/02-firewall/etc/network/interfaces @@ -0,0 +1,22 @@ +### Hetzner Online AG - installimage +# Loopback device: +auto lo +iface lo inet loopback + +# device: eth0 +auto eth0 +iface eth0 inet static + address 144.76.84.101 + broadcast 144.76.84.127 + netmask 255.255.255.224 + gateway 144.76.84.97 + # default route to access subnet + up route add -net 144.76.84.96 netmask 255.255.255.224 gw 144.76.84.97 eth0 + # firewall + up /etc/iptables/iptables_all start + down /etc/iptables/iptables_all stop + +iface eth0 inet6 static + address 2a01:4f8:192:1164::2 + netmask 64 + gateway fe80::1 |