bundles/iptables: introduce, add to home.router
All checks were successful
bundlewrap/pipeline/head This commit looks good
All checks were successful
bundlewrap/pipeline/head This commit looks good
This commit is contained in:
parent
f355d1ec7b
commit
f65e216828
GPG key ID:
12E3D2136B818350
5 changed files with 166 additions and 0 deletions
85
bundles/iptables/files/iptables-enforce
Normal file
85
bundles/iptables/files/iptables-enforce
Normal file
|
|
@ -0,0 +1,85 @@
|
|||
#!/bin/bash
|
||||
|
||||
% if not node.metadata.get('iptables', {}).get('enabled', True):
|
||||
exit 0
|
||||
% endif
|
||||
|
||||
lock_try=0
|
||||
while ! mkdir /run/bw-iptables.lock >/dev/null 2>&1
|
||||
do
|
||||
((lock_try++))
|
||||
if (( lock_try == 10 ))
|
||||
then
|
||||
echo 'FATAL: iptables-enforce: Could not get lock!' >&2
|
||||
exit 1
|
||||
fi
|
||||
sleep 1
|
||||
done
|
||||
trap 'rmdir /run/bw-iptables.lock' EXIT
|
||||
|
||||
iptables_both()
|
||||
{
|
||||
iptables "$@"
|
||||
ip6tables "$@"
|
||||
}
|
||||
|
||||
iptables_both -P INPUT DROP
|
||||
iptables_both -P OUTPUT ACCEPT
|
||||
iptables_both -P FORWARD DROP
|
||||
iptables_both -F
|
||||
iptables_both -X
|
||||
iptables_both -t nat -F
|
||||
iptables_both -t nat -X
|
||||
iptables_both -t nat -Z
|
||||
iptables_both -t filter -F
|
||||
iptables_both -t filter -X
|
||||
iptables_both -t filter -Z
|
||||
iptables_both -t mangle -F
|
||||
iptables_both -t mangle -X
|
||||
iptables_both -t mangle -Z
|
||||
|
||||
# Workaround for CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479
|
||||
# https://www.openwall.com/lists/oss-security/2019/06/17/5
|
||||
# https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html
|
||||
iptables_both -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
|
||||
|
||||
# Dummy rules to make sure the conntrack table(s) will be updated.
|
||||
iptables_both -I INPUT -m state --state NEW,ESTABLISHED,RELATED
|
||||
iptables_both -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED
|
||||
iptables_both -I FORWARD -m state --state NEW,ESTABLISHED,RELATED
|
||||
|
||||
# open up local loopback
|
||||
iptables_both -A INPUT -i lo -j ACCEPT
|
||||
|
||||
# Set Up counting rules
|
||||
% for ip in sorted(ipv4):
|
||||
iptables -A INPUT -d ${ip}
|
||||
iptables -A OUTPUT -s ${ip}
|
||||
% endfor
|
||||
|
||||
% for ip in sorted(ipv6):
|
||||
ip6tables -A INPUT -d ${ip}
|
||||
ip6tables -A OUTPUT -s ${ip}
|
||||
% endfor
|
||||
|
||||
iptables -A INPUT -p ICMP --icmp-type timestamp-request -j DROP
|
||||
iptables -A INPUT -p ICMP --icmp-type timestamp-reply -j DROP
|
||||
# allow ICMP -- answers for IPv4 are covered by conntrack
|
||||
iptables -A INPUT -p icmp -j ACCEPT
|
||||
|
||||
# ICMP6 is used for so many things, we should under no circumstances
|
||||
# ignore it and thus should not rely on any conntrack heuristics.
|
||||
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
|
||||
|
||||
# Allow incoming answers. Install this first (before the larger ruleset
|
||||
# from /etc/network/iptables-rules.d/), so that iptables can match/exit
|
||||
# early.
|
||||
iptables_both -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
shopt -s nullglob
|
||||
for i in /etc/iptables-rules.d/*
|
||||
do
|
||||
. "$i"
|
||||
done
|
||||
|
||||
cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -
|
||||
Loading…
Add table
Add a link
Reference in a new issue