chadmed/gentoo-asahi-releng
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add a simple packet filter for demeter

Browse source 
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
This commit is contained in:
Andreas K. Hüttel 2021-07-03 20:55:09 +02:00
parent 949bc0a212
commit b1653f03b6
No known key found for this signature in database
GPG key ID: 4C49F79E54D0A206
3 changed files with 1198 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

522
config/fwbuilder/demeter.fw Executable file
View file

@ -0,0 +1,522 @@
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.3.7
#
# Generated Sat Jul 3 20:39:41 2021 CEST by huettel
#
# files: * demeter.fw /etc/demeter.fw
#
# Compiled for iptables (any version)
#
# This is an example of a firewall protecting a host ( a server or a workstation). Only SSH access to the host is permitted. Host has dynamic address.
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="lsmod"
MODPROBE="modprobe"
IPTABLES="iptables"
IP6TABLES="ip6tables"
IPTABLES_RESTORE="iptables-restore"
IP6TABLES_RESTORE="ip6tables-restore"
IP="ip"
IFCONFIG="ifconfig"
VCONFIG="vconfig"
BRCTL="brctl"
IFENSLAVE="ifenslave"
IPSET="ipset"
LOGGER="logger"
log() {
echo "$1"
which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
getaddr_internal() {
dev=$1
name=$2
af=$3
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
diff_intf() {
func=$1
list1=$2
list2=$3
cmd=$4
for intf in $list1
do
echo $list2 | grep -q $intf || {
# $vlan is absent in list 2
$func $intf $cmd
}
done
}
find_program() {
PGM=$1
which $PGM >/dev/null 2>&1 || {
echo "\"$PGM\" not found"
exit 1
}
}
check_tools() {
find_program which
find_program $IPTABLES
find_program $MODPROBE
find_program $IP
}
reset_iptables_v4() {
local list
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
while read table; do
list=$($IPTABLES -t $table -L -n)
printf "%s" "$list" | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done < /proc/net/ip_tables_names
}
reset_iptables_v6() {
local list
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
while read table; do
list=$($IP6TABLES -t $table -L -n)
printf "%s" "$list" | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done < /proc/net/ip6_tables_names
}
P2P_INTERFACE_WARNING=""
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
$IP addr show dev $interface | grep -q POINTOPOINT && {
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
P2P_INTERFACE_WARNING="yes"
return
}
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
echo $addr | grep -q ':' && {
$FWBDEBUG $IP addr $cmd $addr dev $interface
} || {
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
}
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
}
$FWBDEBUG $IP link set $interface up
}
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
$IP addr ls dev $interface | \
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IP link show dev $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
clear_addresses_except_known_interfaces() {
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
while read intf; do
echo "# Removing addresses not configured in fwbuilder from interface $intf"
$FWBDEBUG $IP addr flush dev $intf scope global
$FWBDEBUG $IP link set $intf down
done
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by address table object $1"
exit 1
}
}
check_run_time_address_table_files() {
:
}
load_modules() {
:
OPTS=$1
MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
echo $OPTS | grep -q nat && {
MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
}
echo $OPTS | grep -q ipv6 && {
MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
}
for module in $MODULES; do
if $LSMOD | grep ${module} >/dev/null; then continue; fi
$MODPROBE ${module} || exit 1
done
}
verify_interfaces() {
:
echo "Verifying interfaces: eth0 lo"
for i in eth0 lo ; do
$IP link show "$i" > /dev/null 2>&1 || {
log "Interface $i does not exist"
exit 1
}
done
}
prolog_commands() {
echo "Running prolog script"
}
epilog_commands() {
echo "Running epilog script"
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
:
# Configure interfaces
update_addresses_of_interface "lo 127.0.0.1/8" ""
getaddr eth0 i_eth0
getaddr6 eth0 i_eth0_v6
getnet eth0 i_eth0_network
getnet6 eth0 i_eth0_v6_network
}
script_body() {
# ================ IPv4
# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ================ Table 'filter', rule set Policy
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
# anti spoofing rule
$IPTABLES -N In_RULE_0
for i_eth0 in $i_eth0_list
do
test -n "$i_eth0" && $IPTABLES -A INPUT -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0
done
for i_eth0 in $i_eth0_list
do
test -n "$i_eth0" && $IPTABLES -A FORWARD -i eth0 -s $i_eth0 -m state --state NEW -j In_RULE_0
done
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP
#
# Rule 1 (lo)
#
echo "Rule 1 (lo)"
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# SSH Access to the host; useful ICMP
# types; ping request
$IPTABLES -N Cid4543X4142577.0
for i_eth0 in $i_eth0_list
do
test -n "$i_eth0" && $IPTABLES -A OUTPUT -d $i_eth0 -m state --state NEW -j Cid4543X4142577.0
done
$IPTABLES -A Cid4543X4142577.0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A Cid4543X4142577.0 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
$IPTABLES -A Cid4543X4142577.0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
$IPTABLES -A Cid4543X4142577.0 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
$IPTABLES -A Cid4543X4142577.0 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
$IPTABLES -A Cid4543X4142577.0 -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
for i_eth0 in $i_eth0_list
do
test -n "$i_eth0" && $IPTABLES -A INPUT -s $i_eth0 -m state --state NEW -j ACCEPT
done
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
$IPTABLES -A OUTPUT -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state NEW -j DROP
$IPTABLES -A FORWARD -m state --state NEW -j DROP
}
ip_forward() {
:
echo 1 > /proc/sys/net/ipv4/ip_forward
}
reset_all() {
:
reset_iptables_v4
}
block_action() {
reset_all
}
stop_action() {
reset_all
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}
check_iptables() {
IP_TABLES="$1"
[ ! -e $IP_TABLES ] && return 151
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
[ -z "$NF_TABLES" ] && return 152
return 0
}
status_action() {
check_iptables "/proc/net/ip_tables_names"
ret_ipv4=$?
check_iptables "/proc/net/ip6_tables_names"
ret_ipv6=$?
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
echo "iptables modules are not loaded"
}
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
echo "Firewall is not configured"
}
exit 3
}
# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
cmd="start"
}
case "$cmd" in
start)
log "Activating firewall script generated Sat Jul 3 20:39:41 2021 by huettel"
check_tools
prolog_commands
check_run_time_address_table_files
load_modules " "
configure_interfaces
verify_interfaces
reset_all
script_body
ip_forward
epilog_commands
RETVAL=$?
;;
stop)
stop_action
RETVAL=$?
;;
status)
status_action
RETVAL=$?
;;
block)
block_action
RETVAL=$?
;;
reload)
$0 stop
$0 start
RETVAL=$?
;;
interfaces)
configure_interfaces
RETVAL=$?
;;
test_interfaces)
FWBDEBUG="echo"
configure_interfaces
RETVAL=$?
;;
*)
echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
;;
esac
exit $RETVAL