nftables #41
4 changed files with 0 additions and 223 deletions
|
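--- a/[deleted file 1, path not shown on page]
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/bash
-
-% if not node.metadata.get('iptables/enabled', True):
-exit 0
-% endif
-
-lock_try=0
-while ! mkdir /run/bw-iptables.lock >/dev/null 2>&1
-do
-((lock_try++))
-if (( lock_try == 10 ))
-then
-echo 'FATAL: iptables-enforce: Could not get lock!' >&2
-exit 1
-fi
-sleep 1
-done
-trap 'rmdir /run/bw-iptables.lock' EXIT
-
-iptables_both()
-{
-iptables "$@"
-ip6tables "$@"
-}
-
-iptables_both -P INPUT DROP
-iptables_both -P OUTPUT ACCEPT
-iptables_both -P FORWARD DROP
-iptables_both -F
-iptables_both -X
-iptables_both -t nat -F
-iptables_both -t nat -X
-iptables_both -t nat -Z
-iptables_both -t filter -F
-iptables_both -t filter -X
-iptables_both -t filter -Z
-iptables_both -t mangle -F
-iptables_both -t mangle -X
-iptables_both -t mangle -Z
-
-# Workaround for CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479
-# https://www.openwall.com/lists/oss-security/2019/06/17/5
-# https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html
-iptables_both -I INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
-
-# Dummy rules to make sure the conntrack table(s) will be updated.
-iptables_both -I INPUT -m state --state NEW,ESTABLISHED,RELATED
-iptables_both -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED
-iptables_both -I FORWARD -m state --state NEW,ESTABLISHED,RELATED
-
-# open up local loopback
-iptables_both -A INPUT -i lo -j ACCEPT
-
-# Set Up counting rules
-% for ip in sorted(ipv4):
-iptables -A INPUT -d ${ip}
-iptables -A OUTPUT -s ${ip}
-% endfor
-
-% for ip in sorted(ipv6):
-ip6tables -A INPUT -d ${ip}
-ip6tables -A OUTPUT -s ${ip}
-% endfor
-
-iptables -A INPUT -p ICMP --icmp-type timestamp-request -j DROP
-iptables -A INPUT -p ICMP --icmp-type timestamp-reply -j DROP
-# allow ICMP -- answers for IPv4 are covered by conntrack
-iptables -A INPUT -p icmp -j ACCEPT
-
-# ICMP6 is used for so many things, we should under no circumstances
-# ignore it and thus should not rely on any conntrack heuristics.
-ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
-
-# Allow incoming answers. Install this first (before the larger ruleset
-# from /etc/network/iptables-rules.d/), so that iptables can match/exit
-# early.
-iptables_both -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-shopt -s nullglob
-for i in /etc/iptables-rules.d/*
-do
-. "$i"
-done
-
-cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -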
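--- a/[deleted file 2, path not shown on page]
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Run iptables-enforce after networkd startup
-Requires=network-online.target
-After=network-online.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/sbin/iptables-enforce
-
-[Install]
-WantedBy=multi-user.target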
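--- a/[deleted file 3, path not shown on page]
+++ /dev/null
@@ -1,66 +0,0 @@
-directories = {
-'/etc/iptables-rules.d': {
-'purge': True,
-'triggers': {
-'action:iptables_enforce',
-},
-},
-}
-
-files = {
-'/etc/systemd/system/iptables-enforce.service': {
-'triggers': {
-'action:systemd-reload',
-},
-},
-'/usr/local/sbin/iptables-enforce': {
-'content_type': 'mako',
-'context': repo.libs.tools.resolve_identifier(repo, node.name),
-'mode': '0700',
-'triggers': {
-'action:iptables_enforce',
-},
-},
-}
-
-enforce_deps = {
-'directory:/etc/iptables-rules.d',
-'file:/usr/local/sbin/iptables-enforce',
-}
-
-for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items():
-files[f'/etc/iptables-rules.d/20-{bundle}'] = {
-# We must never use sorted() here. Bundles might rely on their order.
-'content': '\n'.join(rules) + '\n',
-'triggers': {
-'action:iptables_enforce',
-},
-}
-enforce_deps.add(f'file:/etc/iptables-rules.d/20-{bundle}')
-
-if 'custom_rules' in node.metadata.get('iptables', {}):
-files['/etc/iptables-rules.d/40-custom'] = {
-'content': '\n'.join(node.metadata['iptables']['custom_rules']) + '\n',
-'triggers': {
-'action:iptables_enforce',
-},
-}
-enforce_deps.add('file:/etc/iptables-rules.d/40-custom')
-
-
-actions = {
-'iptables_enforce': {
-'command': '/usr/local/sbin/iptables-enforce',
-'triggered': True,
-'needs': enforce_deps,
-},
-}
-
-svc_systemd = {
-'iptables-enforce': {
-'running': None,
-'needs': {
-'file:/etc/systemd/system/iptables-enforce.service',
-},
-},
-}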
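--- a/[deleted file 4, path not shown on page]
+++ /dev/null
@@ -1,61 +0,0 @@
-from bundlewrap.exceptions import BundleError
-
-defaults = {
-'pacman': {
-'packages': {
-'iptables': {},
-},
-},
-}
-
-@metadata_reactor.provides(
-'iptables/bundle_rules/iptables',
-)
-def port_rules_to_iptables(metadata):
-# Using this, bundles can simply set up port based rules. This
-# reactor will then take care of converting those rules to actual
-# iptables rules
-ruleset = set()
-
-# Plese note we do not set any defaults for ports. Bundles are
-# expected to know themselves which default to use.
-for portdef, targets in metadata.get('iptables/port_rules', {}).items():
-if '/' in portdef:
-port, proto = portdef.split('/', 2)
-
-if proto not in {'udp'}:
-raise BundleError(f'iptables/port_rules: illegal identifier {portdef} in metadata for {node.name}')
-else:
-port = portdef
-proto = 'tcp'
-
-for target in targets:
-if port == '*' and target == '*':
-raise BundleError('iptables/port_rules: setting both port and target to * is unsupported')
-
-comment = f'-m comment --comment "iptables port_rules {target}"'
-
-if port != '*':
-port_str = f'--dport {port}'
-else:
-port_str = ''
-
-if target == '*':
-ruleset.add(f'iptables_both -A INPUT -p {proto} {port_str} {comment} -j ACCEPT')
-else:
-resolved = repo.libs.tools.resolve_identifier(repo, target)
-
-for address in resolved['ipv4']:
-ruleset.add(f'iptables -A INPUT -p {proto} -s {address} {port_str} {comment} -j ACCEPT')
-
-for address in resolved['ipv6']:
-ruleset.add(f'ip6tables -A INPUT -p {proto} -s {address} {port_str} {comment} -j ACCEPT')
-
-return {
-'iptables': {
-'bundle_rules': {
-# order does not matter here.
-'iptables': list(sorted(ruleset)),
-},
-},
-}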