firewalld / iptables.service past F17
Reindl Harald
h.reindl at thelounge.net
Tue Apr 24 00:32:44 UTC 2012
Am 24.04.2012 02:08, schrieb Oron Peled:
> Looks like this transition (as is currently planned) is going to
> break many setups. I want to show the three following use-cases
> which may be severely broken by this transition.
exactly this is the problem
i have attached my ip-tables script making at home a software-router
with forwarding of two different networks from my LAN via openvpn
and a static route
i only stripped the config-block and comments
but as you can see there are many useful decisions
by $HOSTNAME and this is only one of my scripts for
two machines
______________-
another one is built the same way and serves 20 machines
while some rules are for all machines, others depend, as
in my example on the hostname and there are a lot of really
useful and well thought specific drop/forward/reject rules
based on hostname and source/destination networks
this script has about 50 KB and a handful of bash-includes
well, one may say "unmaintainable" - but it is maintainable: it
has a good documentation and structure and we are using
it as reference for each "iptables.sh" needed where ever
it is practically impossible to convert this stuff because
nobody wrote it down in one day; it has grown and been maintained
over years with the whole infrastructure - yes you MAYBE CAN
try to re-implement all these rules in firewalld
but would you do this really in a production environment
in a security layer and how do you test from scratch?
please do not come now with "why fedora in production"
because it just works if things are not carelessly removed
from the distribution - so please do not take away power
features which do not really hurt to maintain
firewalld is at least another interface for netfilter
why would anybody take away perfectly working ones?
-------------- next part --------------
#! /bin/bash
<stripped block with var-definitions>
# Per-host port sets. PUBLIC_PORTS is a comma list (used as one multiport
# argument further down); LAN_PORTS is whitespace separated because it is
# later split into multiport groups of RULE_PORT_LIMIT ports each.
# The home box additionally exposes 21, 6666 and a few LAN-only services
# (VMware, RDP) that the other machine does not have.
case "$HOSTNAME" in
  "$HOSTNAME_HOME")
    PUBLIC_PORTS="21,80,6666,$SSH_PORT"
    LAN_PORTS="25 143 443 465 587 993 $VMWARE_PORTS 2000 $RDP_PORTS $SMB_PORTS $AVAHI_PORT"
    ;;
  *)
    PUBLIC_PORTS="80,$SSH_PORT"
    LAN_PORTS="25 143 443 465 587 993 2000 $SMB_PORTS $AVAHI_PORT"
    ;;
esac
# Lock the box down first: with INPUT and FORWARD at DROP nothing slips in
# while the old rule set is torn down. -F/-X without -t touch only the
# filter table; the loops below walk every loaded table.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -X
# /proc/net/ip_tables_names lists the loaded tables (filter, nat, ...) one per
# line; without netfilter the file is missing and the list simply stays empty.
tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
# shellcheck disable=SC2086 -- the table list is split on purpose
if for table in $tables; do $IPTABLES -t "$table" -F; done; then
  echo "Flush OK"
else
  echo "Flush FAILED"
fi
# shellcheck disable=SC2086
if for table in $tables; do $IPTABLES -t "$table" -X; done; then
  echo "Clear OK"
else
  echo "Clear FAILED"
fi
# Counters are zeroed silently. Note that the OK/FAILED verdicts above only
# reflect the status of the last table in the loop, as in the original.
# shellcheck disable=SC2086
for table in $tables; do $IPTABLES -t "$table" -Z; done
# Policies repeated after the flush (harmless; a flush does not reset them).
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Early sanity filter for everything not arriving on loopback: untrackable
# state, port 0, and TCP flag combinations no sane stack emits. The rules
# are appended in the same order as before.
$IPTABLES -A INPUT ! -i lo -m state --state INVALID -j DROP
for proto in tcp udp; do
  $IPTABLES -A INPUT ! -i lo -p "$proto" -m state --state NEW --dport 0 -j DROP
done
# Each entry is "<mask> <comparison>" as taken by --tcp-flags.
bogus_tcp_flags=(
  "ALL ACK,RST,SYN,FIN"
  "ALL FIN"
  "ALL FIN,URG,PSH"
  "ALL ALL"
  "ALL SYN,RST,ACK,FIN,URG"
  "ALL NONE"
  "SYN,FIN SYN,FIN"
  "SYN,RST SYN,RST"
  "FIN,RST FIN,RST"
  "ACK,FIN FIN"
  "ACK,PSH PSH"
  "ACK,URG URG"
)
for combo in "${bogus_tcp_flags[@]}"; do
  # shellcheck disable=SC2086 -- split into the mask word and the comparison word
  $IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags $combo -j DROP
done
# New TCP connections have to start with a SYN; fragments and packets
# claiming a loopback source are dropped; 10.0.0.253 may not open anything.
$IPTABLES -A INPUT ! -i lo -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT ! -i lo -f -j DROP
$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -p all -s 10.0.0.253 -m state --state NEW -j DROP
# -------------------------------------------------------------------------------------------------------------------------------------------
# Addresses exempt from the rate limiting and the portscan traps: the own
# LAN of whichever box this runs on.
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
  RATE_WHITELIST_RANGE=$LAN_RHSOFT
else
  RATE_WHITELIST_RANGE=$LAN_LOUNGE
fi
# Blocked ports get an immediate TCP reset from everyone but the host itself.
# shellcheck disable=SC2086 -- $BLOCKED_PORTS is a comma list without spaces
$IPTABLES -A INPUT ! -s 127.0.0.1 -p tcp -m multiport --destination-port $BLOCKED_PORTS -m state --state NEW -j REJECT --reject-with tcp-reset
# Portscan traps: any TCP packet to one of the trigger ports puts the source
# into a `recent` list and is reset; for the next two seconds every further
# TCP packet from that source is reset as well (--rcheck), afterwards the
# entry is dropped (--remove). Only hits on list 1 are logged, 10/h at most.
PORTSCAN_TRIGGERS_1="19,24,52,79,109,142,442,464,548,586,631,992,994,3305"
PORTSCAN_TRIGGERS_2="23,3389,5900,5920,5922,5930,5931,5950"
# shellcheck disable=SC2086 -- the whitelist range is a single token
not_whitelisted=(-A INPUT ! -i lo ! -s $RATE_WHITELIST_RANGE -p tcp)
$IPTABLES "${not_whitelisted[@]}" -m recent --name portscan1 --rcheck --seconds 2 -j REJECT --reject-with tcp-reset
$IPTABLES "${not_whitelisted[@]}" -m recent --name portscan1 --remove
$IPTABLES "${not_whitelisted[@]}" -m multiport --destination-port "$PORTSCAN_TRIGGERS_1" -m limit --limit 10/h -j LOG --log-prefix "Portscan: "
$IPTABLES "${not_whitelisted[@]}" -m multiport --destination-port "$PORTSCAN_TRIGGERS_1" -m tcp -m recent --name portscan1 --set -j REJECT --reject-with tcp-reset
$IPTABLES "${not_whitelisted[@]}" -m recent --name portscan2 --rcheck --seconds 2 -j REJECT --reject-with tcp-reset
$IPTABLES "${not_whitelisted[@]}" -m recent --name portscan2 --remove
$IPTABLES "${not_whitelisted[@]}" -m multiport --destination-port "$PORTSCAN_TRIGGERS_2" -m tcp -m recent --name portscan2 --set -j REJECT --reject-with tcp-reset
# -------------------------------------------------------------------------------------------------------------------------------------------
# ROUTER / VPN-FORWARDING
# -------------------------------------------------------------------------------------------------------------------------------------------
# The two original blocks test "== home" and "!= home", i.e. they are the
# two arms of one if/else.
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
  # Home box: routes the LAN (br0) to the internet on eth1, to the other
  # site through the openvpn tap0 and to the VMware network on vmnet8.
  # Private, link-local, multicast, documentation and other reserved ranges
  # must never show up on the WAN side. Inbound additionally rejects our own
  # WAN address as source (spoofed); outbound it is of course legitimate.
  wan_bogons="0.0.0.0/8,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32"
  $IPTABLES -A INPUT -i eth1 -s "$WAN_RHSOFT,$WAN_RHSOFT_BROADCAST,$wan_bogons" -j DROP
  $IPTABLES -A OUTPUT -o eth1 -s "$WAN_RHSOFT_BROADCAST,$wan_bogons" -j DROP
  # LAN -> internet with masquerading; replies come back only for tracked flows.
  $IPTABLES -A FORWARD -i eth1 -o br0 -d "$LAN_RHSOFT" -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i br0 -o eth1 -s "$LAN_RHSOFT" -j ACCEPT
  $IPTABLES -A POSTROUTING -o eth1 -t nat -s "$LAN_RHSOFT" -j MASQUERADE
  # Site-to-site over openvpn: two remote LANs, NATed towards tap0.
  $IPTABLES -A FORWARD -i tap0 -o br0 -s "$LAN_LOUNGE" -d "$LAN_RHSOFT" -j ACCEPT
  $IPTABLES -A FORWARD -i br0 -o tap0 -s "$LAN_RHSOFT" -d "$LAN_LOUNGE" -j ACCEPT
  $IPTABLES -A POSTROUTING -o tap0 -t nat -s "$LAN_RHSOFT" -j MASQUERADE
  $IPTABLES -A FORWARD -i tap0 -o br0 -s "$LAN_SOUTH" -d "$LAN_RHSOFT" -j ACCEPT
  $IPTABLES -A FORWARD -i br0 -o tap0 -s "$LAN_RHSOFT" -d "$LAN_SOUTH" -j ACCEPT
  # VMware guests, also masqueraded.
  $IPTABLES -A FORWARD -i br0 -o vmnet8 -s "$LAN_RHSOFT" -d "$LAN_VMWARE" -j ACCEPT
  $IPTABLES -A FORWARD -i vmnet8 -o br0 -s "$LAN_VMWARE" -d "$LAN_RHSOFT" -j ACCEPT
  $IPTABLES -A POSTROUTING -o vmnet8 -t nat -s "$LAN_RHSOFT" -j MASQUERADE
  # Two UDP port forwards from the other site's VoIP address.
  $IPTABLES -A PREROUTING -t nat -i eth1 -s "$LOUNGE_VOIP" -p udp -m multiport --destination-port 5060 -j DNAT --to-destination "$RHSOFT_VOIP"
  $IPTABLES -A PREROUTING -t nat -i eth1 -s "$LOUNGE_VOIP" -p udp -m multiport --destination-port 50600 -j DNAT --to-destination "$RHSOFT_HANDY"
  # Explicit catch-all; the FORWARD policy is DROP as well.
  $IPTABLES -A FORWARD -j DROP
else
  # Other box: on br0 only 10.0.0.0/24, 192.168.1.0/24 and 192.168.196.0/24
  # are legitimate private sources/destinations; the rest of the private
  # space and the reserved ranges are dropped in both directions.
  br0_bogons="0.0.0.0/8,192.168.0.0/24,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24"
  $IPTABLES -A INPUT -i br0 -s "$br0_bogons" -j DROP
  $IPTABLES -A OUTPUT -o br0 -d "$br0_bogons" -j DROP
  for range in 10.0.1.0-10.255.255.255 192.168.2.0-192.168.195.255 192.168.197.0-192.168.255.255; do
    $IPTABLES -A INPUT -i br0 -m iprange --src-range "$range" -j DROP
    $IPTABLES -A OUTPUT -o br0 -m iprange --dst-range "$range" -j DROP
  done
fi
# -------------------------------------------------------------------------------------------------------------------------------------------
# Outbound traffic is not filtered beyond the spoofing rules above.
$IPTABLES -P OUTPUT ACCEPT
# Loopback is fully trusted; replies to tracked connections are let in.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Optional site-specific block lists come from a separate include.
if [[ "$BLOCK_RANGES_ACTIVE" == "1" ]]; then
  # shellcheck source=/dev/null
  source /scripts/iptables/ranges-block.sh
fi
# -------------------------------------------------------------------------------------------------------------------------------------------
#######################################
# Inserts, at the top of INPUT, a per-source limit on new TCP connections for
# one interface: 100 or more within one second from the same address get a
# TCP reset, logged at most 10 times a minute. Every rule is inserted at
# position 1, so the final top-down order is LOG, REJECT, --set -- exactly
# what the three inline rules per interface produced before.
# Globals:   IPTABLES (read)
# Arguments: $1 - interface name
#            $2 - source range exempt from the limit
#######################################
insert_rate_control() {
  local iface=$1
  local exempt=$2
  # NOTE(review): --hitcount 100 exceeds xt_recent's default ip_pkt_list_tot
  # (20); older kernels refuse such a rule unless the module is loaded with a
  # larger value -- confirm the stripped config block takes care of that.
  # shellcheck disable=SC2086 -- the range is a single token
  local match=(-p tcp -i "$iface" ! -s $exempt -m state --state NEW -m recent)
  $IPTABLES -I INPUT "${match[@]}" --set
  $IPTABLES -I INPUT "${match[@]}" --update --seconds 1 --hitcount 100 -j REJECT --reject-with tcp-reset
  $IPTABLES -I INPUT "${match[@]}" --update --seconds 1 --hitcount 100 -m limit --limit 10/m -j LOG --log-prefix "Rate-Control: "
}

# The home box exempts the other site's WAN address on eth1; the other box
# applies the same whitelist on all four interfaces.
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
  insert_rate_control eth0 "$RATE_WHITELIST_RANGE"
  insert_rate_control eth1 "$WAN_LOUNGE"
else
  for iface in eth0 eth1 bond0 br0; do
    insert_rate_control "$iface" "$RATE_WHITELIST_RANGE"
  done
fi
# -------------------------------------------------------------------------------------------------------------------------------------------
# Home box: port 25 from the test server. RATE_WHITELIST_RANGE already holds
# LAN_RHSOFT on this host (set in the rate-control section), so the
# reassignment is a no-op here -- unless the ranges-allow include below
# reads it; verify before removing.
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
  $IPTABLES -A INPUT -p tcp --sport 1024: -s "$RHSOFT_TESTSERVER" --dport 25 -j ACCEPT
  RATE_WHITELIST_RANGE=$LAN_RHSOFT
fi
# Public services: either a per-range include decides, or PUBLIC_PORTS from
# the top of the script is opened to everyone.
if [[ "$ALLOW_RANGES_ACTIVE" == "1" ]]; then
  # shellcheck source=/dev/null
  source /scripts/iptables/ranges-allow.sh
else
  $IPTABLES -A INPUT -p tcp -m multiport --destination-port "$PUBLIC_PORTS" -m state --state NEW --syn -j ACCEPT
fi
# Ports open to everyone on both boxes.
$IPTABLES -A INPUT -p udp -m multiport --destination-port 6881,7881,8881,56882 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 56882 -m state --state NEW --syn -j ACCEPT
# Home box: services for both LANs; port 8000 also from the other site's WAN address.
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
  both_lans="$LAN_RHSOFT,$LAN_LOUNGE"
  $IPTABLES -A INPUT -p udp -s "$both_lans" -m multiport --destination-port 1900 -j ACCEPT
  $IPTABLES -A INPUT -p tcp -s "$both_lans" -m multiport --destination-port 49200,50500 -m state --state NEW --syn -j ACCEPT
  $IPTABLES -A INPUT -p tcp -s "$both_lans,$WAN_LOUNGE" --dport 8000 -m state --state NEW --syn -j ACCEPT
fi
# -------------------------------------------------------------------------------------------------------------------------------------------
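# Source network for the LAN-only services: the own LAN of whichever box
# this runs on. SOURCE stays a global as before.
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
  SOURCE=$LAN_RHSOFT
else
  SOURCE=$LAN_LOUNGE
fi

#######################################
# Appends ACCEPT rules for new TCP connections from the given sources to a
# whitespace-separated list of ports, RULE_PORT_LIMIT ports per rule: the
# multiport match takes only a bounded number of ports, so a long list has
# to be spread over several rules. Replaces three copies of the same loop
# (which also leaked COUNTER/PORT_LIST/PORT as globals and used `expr`).
# Globals:   IPTABLES (read)
#            RULE_PORT_LIMIT (read; defaults to 15, multiport's maximum, when
#            unset -- the original compared against an empty string there,
#            printed an error and emitted one oversized rule)
# Arguments: $1 - comma-separated source specification for -s
#            $2 - whitespace-separated destination ports (may be empty)
# Outputs:   none; rules are added through $IPTABLES
# Returns:   0 if every rule was added (or no port was given), otherwise the
#            status of the last failing $IPTABLES call
#######################################
accept_new_tcp_from() {
  local sources=$1
  local ports=$2
  local limit=${RULE_PORT_LIMIT:-15}
  local count=0
  local port_list=""
  local port
  local rc=0

  # shellcheck disable=SC2086 -- $ports is split on purpose
  for port in $ports; do
    count=$(( count + 1 ))
    port_list=${port_list:+$port_list,}$port
    if (( count >= limit )); then
      $IPTABLES -A INPUT -p tcp -s "$sources" -m multiport --destination-port "$port_list" -m state --state NEW --syn -j ACCEPT || rc=$?
      port_list=""
      count=0
    fi
  done
  # Remainder that did not fill a whole group.
  if [[ -n "$port_list" ]]; then
    $IPTABLES -A INPUT -p tcp -s "$sources" -m multiport --destination-port "$port_list" -m state --state NEW --syn -j ACCEPT || rc=$?
  fi
  return "$rc"
}

accept_new_tcp_from "$SOURCE,$OPENVAS" "$LAN_PORTS"
# Services reachable from both LANs (AVAHI_PORT, NTP) and the database port
# from the VPN endpoints, the ESX master and the scanner.
$IPTABLES -A INPUT -p tcp --sport 1024: -s "$LAN_RHSOFT,$LAN_LOUNGE" --dport "$AVAHI_PORT" -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 1024: -s "$LAN_RHSOFT,$LAN_LOUNGE" --dport "$AVAHI_PORT" -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -s "$LAN_RHSOFT,$LAN_LOUNGE,$RHSOFT_ARRAKIS,$RHSOFT_TESTSERVER" --sport 1024: --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 1024: -s "$OFFICE_VPN_IP,$RHSOFT_VPN_IP,$ESX1_MASTER,$OPENVAS" --dport 3306 -m state --state NEW --syn -j ACCEPT
# The same LAN port set is opened to the other site as well: the office box
# accepts it from the home WAN address, any other box from the office's WAN
# and VPN addresses (plus ports 139/445 from one fixed host).
if [[ "$HOSTNAME" == "$HOSTNAME_OFFICE" ]]; then
  accept_new_tcp_from "$WAN_RHSOFT" "$LAN_PORTS"
else
  accept_new_tcp_from "$OFFICE_WAN_IP,$OFFICE_VPN_IP" "$LAN_PORTS"
  $IPTABLES -A INPUT -p tcp -s 10.0.0.132 -m multiport --destination-port 139,445 -m state --state NEW --syn -j ACCEPT
fi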
# -------------------------------------------------------------------------------------------------------------------------------------------
# Home box answers port 53 for both sites (LAN and the other site's WAN).
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
  dns_clients="$WAN_LOUNGE,$LAN_LOUNGE,$LAN_RHSOFT"
  for proto in udp tcp; do
    $IPTABLES -A INPUT -p "$proto" --sport 1024: -s "$dns_clients" --dport 53 -j ACCEPT
  done
fi
# VMware guests: 53/123 over UDP and a handful of TCP services.
$IPTABLES -A INPUT -p udp -s "$LAN_VMWARE" -m multiport --destination-port 53,123 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s "$LAN_VMWARE" -m multiport --destination-port 25,53,139,143,445,3306 -m state --state NEW --syn -j ACCEPT
# Echo requests only from known networks; any other new ICMP is dropped
# silently (ICMP errors for tracked flows were accepted as RELATED above).
$IPTABLES -A INPUT -p icmp -s "$WAN_LOUNGE,$LAN_RHSOFT,$LAN_LOUNGE,$RHSOFT_TESTSERVER,$RHSOFT_ARRAKIS" --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state NEW -j DROP
# Catch-all: closed TCP ports reply with a reset, UDP with port-unreachable,
# everything else is dropped (the INPUT policy is DROP as well).
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -j DROP
# -------------------------------------------------------------------------------------------------------------------------------------------
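#######################################
# Persists the active rule set so iptables.service restores it on boot.
# The original `iptables-save > file` truncated the saved rule set before
# iptables-save even ran, so a failed dump (missing module, no permission)
# left an empty file and the next boot without rules. Here the dump goes to
# a temporary file next to the target and is renamed into place only after
# iptables-save succeeded; on failure the previous file is left untouched.
# The temp file is created by mktemp with mode 0600, which the saved rule
# set then keeps.
# Globals:   IPTABLES_SAVE (read; new optional override of the dump command,
#            default /sbin/iptables-save)
#            IPTABLES_SAVE_FILE (read; new optional override of the target,
#            default /etc/sysconfig/iptables)
# Outputs:   a diagnostic on stderr when the dump fails
# Returns:   0 on success, 1 if the temp file, the dump or the rename failed
#######################################
save_ruleset() {
  local dump=${IPTABLES_SAVE:-/sbin/iptables-save}
  local target=${IPTABLES_SAVE_FILE:-/etc/sysconfig/iptables}
  local tmp
  # Same directory as the target so the final mv is a rename, not a copy.
  tmp=$(mktemp "${target}.XXXXXX") || {
    printf 'iptables-save: cannot create temp file next to %s\n' "$target" >&2
    return 1
  }
  if "$dump" > "$tmp" && mv -f -- "$tmp" "$target"; then
    return 0
  fi
  printf 'iptables-save FAILED, keeping previous %s\n' "$target" >&2
  rm -f -- "$tmp"
  return 1
}
save_ruleset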