firewalld / iptables.service past F17

Reindl Harald h.reindl at thelounge.net
Tue Apr 24 00:32:44 UTC 2012


Am 24.04.2012 02:08, schrieb Oron Peled:
> Looks like this transition (as is currently planned) is going to
> break many setups. I want to show the three following use-cases
> which may be severely broken by this transition.

exactly this is the problem

i have attached my iptables script, which makes my home machine a
software router forwarding two different networks from my LAN via
openvpn and a static route

i only stripped the config-block and comments

but as you can see there are many useful decisions
based on $HOSTNAME, and this is only one of my scripts, for
two machines
______________-

another one is built the same way and serves 20 machines;
while some rules apply to all machines, others depend, as
in my example, on the hostname, and there are a lot of really
useful and well thought out specific drop/forward/reject rules
based on hostname and source/destination networks

this script has about 50 KB and a handful of bash-includes

well, one may say "unmaintainable" - but it is maintainable: it
has good documentation and structure and we are using
it as reference for each "iptables.sh" needed wherever

it is practically impossible to convert this stuff because
nobody wrote it down in one day; it has grown and been maintained
over years together with the whole infrastructure - yes, you MAYBE CAN
try to re-implement all these rules in firewalld

but would you do this really in a production environment
in a security layer and how do you test from scratch?

please do not come now with "why fedora in production",
because it just works if things are not carelessly removed
from the distribution - so please do not take away power
features which do not really hurt to maintain

firewalld is at least another interface for netfilter -
why would anybody want to take away perfectly working ones?
-------------- next part --------------
#! /bin/bash

<stripped block with var-definitions>

# Per-machine port sets.  PUBLIC_PORTS is comma-separated and handed
# straight to multiport; LAN_PORTS is space-separated and chunked into
# multiport rules further down.  The home box additionally exposes FTP (21)
# and 6666 publicly and the VMware/RDP ports on the LAN side.
case "$HOSTNAME" in
 "$HOSTNAME_HOME")
  PUBLIC_PORTS="21,80,6666,$SSH_PORT"
  LAN_PORTS="25 143 443 465 587 993 $VMWARE_PORTS 2000 $RDP_PORTS $SMB_PORTS $AVAHI_PORT"
  ;;
 *)
  PUBLIC_PORTS="80,$SSH_PORT"
  LAN_PORTS="25 143 443 465 587 993 2000 $SMB_PORTS $AVAHI_PORT"
  ;;
esac

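# Fail closed while the rule set is rebuilt: the default policies go to DROP
# *before* the chains are flushed, so nothing is accepted while they are
# empty.  OUTPUT keeps its current policy until it is set to ACCEPT below.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -X
# /proc/net/ip_tables_names lists the loaded *tables* (filter, nat, mangle,
# raw, ...), one per line -- the variable name is historical.  When it is
# unreadable or empty the loops do nothing and report OK.
CHAINS=$(cat /proc/net/ip_tables_names 2>/dev/null)
# Previously the OK/FAILED message only reflected the status of the last
# table in the loop; a failure for any table is now reported.
flush_failed=0
for table in $CHAINS; do
 $IPTABLES -t "$table" -F || flush_failed=1
done
if [ "$flush_failed" = 0 ]; then echo "Flush OK"; else echo "Flush FAILED"; fi
clear_failed=0
for table in $CHAINS; do
 $IPTABLES -t "$table" -X || clear_failed=1
done
if [ "$clear_failed" = 0 ]; then echo "Clear OK"; else echo "Clear FAILED"; fi
# Zero the packet/byte counters of every table.
for table in $CHAINS; do
 $IPTABLES -t "$table" -Z
done

# -F/-X do not touch chain policies, so this re-assertion is belt and braces.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP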

# Sanity drops for everything that does not arrive on loopback: conntrack
# INVALID, destination port 0, malformed TCP flag combinations (the NULL /
# XMAS style patterns scanners send), NEW connections that do not start
# with SYN, fragments and packets claiming a loopback source.  Appended in
# the same order as before -- INPUT is evaluated top-down.
$IPTABLES -A INPUT ! -i lo -m state --state INVALID -j DROP
for l4_proto in tcp udp; do
 $IPTABLES -A INPUT ! -i lo -p "$l4_proto" -m state --state NEW --dport 0 -j DROP
done
# Each line is "<mask> <set>" for --tcp-flags: the flags to examine and the
# ones that must be set among them.
while read -r flag_mask flag_set; do
 $IPTABLES -A INPUT ! -i lo -p tcp --tcp-flags "$flag_mask" "$flag_set" -j DROP
done <<'EOF'
ALL ACK,RST,SYN,FIN
ALL FIN
ALL FIN,URG,PSH
ALL ALL
ALL SYN,RST,ACK,FIN,URG
ALL NONE
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG
EOF
$IPTABLES -A INPUT ! -i lo -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT ! -i lo -f -j DROP
$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# One specific host is never allowed to open new connections (not
# restricted to "! -i lo").  Why this host is singled out is not documented.
$IPTABLES -A INPUT -p all -s 10.0.0.253 -m state --state NEW -j DROP

# -------------------------------------------------------------------------------------------------------------------------------------------

# Sources in this range are exempt from the scan traps below and from the
# rate control further down: the home box exempts its own LAN, the other
# box the LOUNGE LAN.
case "$HOSTNAME" in
 "$HOSTNAME_HOME") RATE_WHITELIST_RANGE="$LAN_RHSOFT" ;;
 *)                RATE_WHITELIST_RANGE="$LAN_LOUNGE" ;;
esac
# New connections to BLOCKED_PORTS (from the stripped config block) are
# answered with a RST right away; the exemption is address based
# (127.0.0.1), not "! -i lo" like the rules above.
$IPTABLES -A INPUT ! -s 127.0.0.1 -p tcp -m multiport --destination-port $BLOCKED_PORTS  -m state --state NEW -j REJECT --reject-with tcp-reset

# Trap ports -- presumably nothing listens on them, so a connection attempt
# marks the source in an xt_recent list.
PORTSCAN_TRIGGERS_1="19,24,52,79,109,142,442,464,548,586,631,992,994,3305"
PORTSCAN_TRIGGERS_2="23,3389,5900,5920,5922,5930,5931,5950"

# portscan_trap LIST PORTS LOG
# For non-exempt sources not on lo, in this order: (1) any TCP packet from a
# source recorded in LIST within the last 2 s is rejected; (2) otherwise a
# stale entry is removed; (3) with LOG=1 a hit on PORTS is logged, at most
# 10/h; (4) a hit on PORTS records the source in LIST and rejects it.
portscan_trap() {
 local list_name=$1 trigger_ports=$2 log_hits=$3
 $IPTABLES -A INPUT ! -i lo ! -s $RATE_WHITELIST_RANGE -p tcp -m recent --name "$list_name" --rcheck --seconds 2 -j REJECT --reject-with tcp-reset
 $IPTABLES -A INPUT ! -i lo ! -s $RATE_WHITELIST_RANGE -p tcp -m recent --name "$list_name" --remove
 if [ "$log_hits" = 1 ]; then
  $IPTABLES -A INPUT ! -i lo ! -s $RATE_WHITELIST_RANGE -p tcp -m multiport --destination-port "$trigger_ports" -m limit --limit 10/h -j LOG --log-prefix "Portscan: "
 fi
 $IPTABLES -A INPUT ! -i lo ! -s $RATE_WHITELIST_RANGE -p tcp -m multiport --destination-port "$trigger_ports" -m tcp -m recent --name "$list_name" --set -j REJECT --reject-with tcp-reset
}
portscan_trap portscan1 "$PORTSCAN_TRIGGERS_1" 1
portscan_trap portscan2 "$PORTSCAN_TRIGGERS_2" 0

# -------------------------------------------------------------------------------------------------------------------------------------------
# ROUTER / VPN-FORWARDING
# Only the home box routes.  Interface roles as used below (inferred from the
# rules, confirm against the stripped config): eth1 = WAN uplink, br0 = LAN
# bridge, tap0 = OpenVPN link towards the LOUNGE and SOUTH networks,
# vmnet8 = VMware NAT network.
# -------------------------------------------------------------------------------------------------------------------------------------------
if [ "$HOSTNAME" == "$HOSTNAME_HOME" ]; then
 # Anti-spoofing on the uplink: inbound packets claiming our own WAN address
 # or broadcast, or any private / link-local / documentation / multicast /
 # reserved source, are dropped; outbound packets with such a source (the
 # real WAN address excepted) never leave eth1.
 $IPTABLES -A INPUT  -i eth1 -s $WAN_RHSOFT,$WAN_RHSOFT_BROADCAST,0.0.0.0/8,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j DROP
 $IPTABLES -A OUTPUT -o eth1 -s $WAN_RHSOFT_BROADCAST,0.0.0.0/8,10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j DROP
 # LAN -> WAN, masqueraded behind eth1; only replies (RELATED,ESTABLISHED)
 # are forwarded back in.
 $IPTABLES -A FORWARD -i eth1 -o br0 -d $LAN_RHSOFT -m state --state RELATED,ESTABLISHED -j ACCEPT
 $IPTABLES -A FORWARD -i br0 -o eth1 -s $LAN_RHSOFT -j ACCEPT
 $IPTABLES -A POSTROUTING -o eth1 -t nat -s $LAN_RHSOFT -j MASQUERADE
 # LAN <-> LOUNGE and LAN <-> SOUTH over the tunnel, both directions
 # unrestricted between the named networks; LAN sources are masqueraded
 # towards tap0, so the remote sites only ever see this router.
 $IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_LOUNGE -d $LAN_RHSOFT -j ACCEPT
 $IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_LOUNGE -j ACCEPT
 $IPTABLES -A POSTROUTING -o tap0 -t nat -s $LAN_RHSOFT -j MASQUERADE
 $IPTABLES -A FORWARD -i tap0 -o br0 -s $LAN_SOUTH -d $LAN_RHSOFT -j ACCEPT
 $IPTABLES -A FORWARD -i br0 -o tap0 -s $LAN_RHSOFT -d $LAN_SOUTH -j ACCEPT
 # LAN <-> VMware guests on vmnet8, masqueraded likewise.
 $IPTABLES -A FORWARD -i br0 -o vmnet8 -s $LAN_RHSOFT -d $LAN_VMWARE -j ACCEPT
 $IPTABLES -A FORWARD -i vmnet8 -o br0 -s $LAN_VMWARE -d $LAN_RHSOFT -j ACCEPT
 $IPTABLES -A POSTROUTING -o vmnet8 -t nat -s $LAN_RHSOFT -j MASQUERADE
 # SIP (5060/udp) and 50600/udp arriving from LOUNGE_VOIP on the uplink are
 # DNATed to the internal VoIP box and handset.  NOTE(review): the DNATed
 # packets still traverse FORWARD, and the only eth1->br0 rule above accepts
 # RELATED,ESTABLISHED; a first inbound packet would reach the final DROP
 # unless the internal host talked to LOUNGE_VOIP first or a sourced file
 # adds a rule -- confirm this is intended.
 $IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 5060 -j DNAT --to-destination $RHSOFT_VOIP
 $IPTABLES -A PREROUTING -t nat -i eth1 -s $LOUNGE_VOIP -p udp -m multiport --destination-port 50600 -j DNAT --to-destination $RHSOFT_HANDY
 # Explicit end of FORWARD, in addition to the DROP policy set at the top.
 $IPTABLES -A FORWARD -j DROP
fi

# The non-routing box only has br0.  Refuse bogus source/destination ranges
# there and, via iprange, everything in 10/8 and 192.168/16 except the /24s
# the ranges leave out (10.0.0.0/24, 192.168.1.0/24, 192.168.196.0/24 --
# presumably the local subnets; confirm against the stripped config block).
if [[ "$HOSTNAME" != "$HOSTNAME_HOME" ]]; then
 lan_bogons="0.0.0.0/8,192.168.0.0/24,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24"
 $IPTABLES -A INPUT  -i br0 -s "$lan_bogons" -j DROP
 $IPTABLES -A OUTPUT -o br0 -d "$lan_bogons" -j DROP
 # Same range for inbound sources and outbound destinations, in pairs.
 for blocked_range in \
  10.0.1.0-10.255.255.255 \
  192.168.2.0-192.168.195.255 \
  192.168.197.0-192.168.255.255; do
  $IPTABLES -A INPUT  -i br0 -m iprange --src-range "$blocked_range" -j DROP
  $IPTABLES -A OUTPUT -o br0 -m iprange --dst-range "$blocked_range" -j DROP
 done
fi

# -------------------------------------------------------------------------------------------------------------------------------------------

# Loopback is unrestricted, outbound traffic is allowed by policy, and
# replies/related packets of connections we initiated are accepted here;
# everything that follows only concerns NEW inbound connections.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -------------------------------------------------------------------------------------------------------------------------------------------

# Optional block list kept in a separate file.  It is sourced into this
# (root) shell, so the file must be root-owned and not group/world writable.
case "$BLOCK_RANGES_ACTIVE" in
 1) . /scripts/iptables/ranges-block.sh ;;
esac

# -------------------------------------------------------------------------------------------------------------------------------------------

# rate_limit_new IFACE EXEMPT
# Per-source connection-rate control on IFACE: more than 100 NEW TCP
# connections within one second from the same source (sources in EXEMPT
# excluded) are rejected with a RST and logged, at most 10 lines/min.
# "-m recent" without --name uses the shared DEFAULT list, so hits are
# counted across all interfaces handled here.  The rules are inserted with
# -I, i.e. at the head of INPUT ahead of everything appended so far, which
# also reverses their relative order in the chain (LOG, REJECT, then --set).
rate_limit_new() {
 local iface=$1 exempt=$2
 # $exempt is deliberately left unquoted to keep the original word splitting.
 $IPTABLES -I INPUT -p tcp -i "$iface" ! -s $exempt -m state --state NEW -m recent --set
 $IPTABLES -I INPUT -p tcp -i "$iface" ! -s $exempt -m state --state NEW -m recent --update --seconds 1 --hitcount 100 -j REJECT --reject-with tcp-reset
 $IPTABLES -I INPUT -p tcp -i "$iface" ! -s $exempt -m state --state NEW -m recent --update --seconds 1 --hitcount 100 -m limit --limit 10/m -j LOG --log-prefix "Rate-Control: "
}
if [[ "$HOSTNAME" == "$HOSTNAME_HOME" ]]; then
 # Home box: the LAN side exempts the whitelist range, the WAN side the
 # LOUNGE WAN address.
 rate_limit_new eth0 "$RATE_WHITELIST_RANGE"
 rate_limit_new eth1 "$WAN_LOUNGE"
else
 for rc_iface in eth0 eth1 bond0 br0; do
  rate_limit_new "$rc_iface" "$RATE_WHITELIST_RANGE"
 done
fi

# -------------------------------------------------------------------------------------------------------------------------------------------

case "$HOSTNAME" in
 "$HOSTNAME_HOME")
  # SMTP from the test server is accepted on the home box; unlike the other
  # TCP rules this one carries no NEW/--syn qualifier.
  $IPTABLES -A INPUT -p tcp --sport 1024: -s $RHSOFT_TESTSERVER --dport 25 -j ACCEPT
  # Re-assert the exemption range.  On this host it was already set to
  # LAN_RHSOFT above, so this only matters if a sourced file (e.g.
  # ranges-block.sh) changed it in between.
  RATE_WHITELIST_RANGE="$LAN_RHSOFT"
  ;;
esac

# -------------------------------------------------------------------------------------------------------------------------------------------

# Publicly reachable TCP services: either the per-range allow list from a
# separate file is used, or PUBLIC_PORTS is opened to any source.  The
# file is sourced into this (root) shell, so keep it root-owned and not
# writable by anyone else.
case "$ALLOW_RANGES_ACTIVE" in
 1) . /scripts/iptables/ranges-allow.sh ;;
 *) $IPTABLES -A INPUT -p tcp -m multiport --destination-port $PUBLIC_PORTS -m state --state NEW --syn -j ACCEPT ;;
esac

# -------------------------------------------------------------------------------------------------------------------------------------------

# Reachable from any source on both machines: UDP 6881/7881/8881/56882 and
# TCP 56882.  The listener is not documented here (6881 is the usual
# BitTorrent default) -- confirm these are still needed; within the visible
# rules they are the only ports besides PUBLIC_PORTS open to the world.
$IPTABLES -A INPUT -p udp -m multiport --destination-port 6881,7881,8881,56882 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 56882 -m state --state NEW --syn -j ACCEPT

# -------------------------------------------------------------------------------------------------------------------------------------------

# Home box only, from the two LANs: SSDP/UPnP discovery (1900/udp) and TCP
# 49200/50500; TCP 8000 additionally from the LOUNGE WAN address.
if [ "$HOSTNAME" == "$HOSTNAME_HOME" ]; then
 $IPTABLES -A INPUT -p udp -s $LAN_RHSOFT,$LAN_LOUNGE -m multiport --destination-port 1900 -j ACCEPT
 $IPTABLES -A INPUT -p tcp -s $LAN_RHSOFT,$LAN_LOUNGE -m multiport --destination-port 49200,50500 -m state --state NEW --syn -j ACCEPT
 $IPTABLES -A INPUT -p tcp -s $LAN_RHSOFT,$LAN_LOUNGE,$WAN_LOUNGE --dport 8000 -m state --state NEW --syn -j ACCEPT
fi

# -------------------------------------------------------------------------------------------------------------------------------------------

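# add_lan_port_rules SOURCES PORTS
# Accept NEW TCP connections from SOURCES (comma-separated, as for -s) to
# the space-separated PORTS.  multiport takes at most 15 ports per rule, so
# PORTS is split into chunks of RULE_PORT_LIMIT ports (default 15 when the
# config does not set it) and one rule is appended per chunk, in list
# order.  Empty PORTS appends nothing.
add_lan_port_rules() {
 local sources=$1 ports=$2
 local limit=${RULE_PORT_LIMIT:-15}
 local count=0 chunk="" port
 for port in $ports; do
  count=$((count + 1))
  chunk=${chunk:+$chunk,}$port
  if [ "$count" -ge "$limit" ]; then
   $IPTABLES -A INPUT -p tcp -s $sources -m multiport --destination-port "$chunk" -m state --state NEW --syn -j ACCEPT
   chunk=""
   count=0
  fi
 done
 # Flush the remainder that did not fill a whole chunk.
 if [ -n "$chunk" ]; then
  $IPTABLES -A INPUT -p tcp -s $sources -m multiport --destination-port "$chunk" -m state --state NEW --syn -j ACCEPT
 fi
}

# Which LAN may reach the LAN-only services on this box; the OPENVAS host
# is allowed alongside it on both machines.
if [ "$HOSTNAME" == "$HOSTNAME_HOME" ]; then
 SOURCE="$LAN_RHSOFT"
else
 SOURCE="$LAN_LOUNGE"
fi
add_lan_port_rules "$SOURCE,$OPENVAS" "$LAN_PORTS"
# AVAHI_PORT (TCP and UDP) and NTP from the two LANs and named hosts; MySQL
# only from the VPN endpoints, the ESX master and the scanner.
$IPTABLES -A INPUT -p tcp --sport 1024: -s $LAN_RHSOFT,$LAN_LOUNGE --dport $AVAHI_PORT -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 1024: -s $LAN_RHSOFT,$LAN_LOUNGE --dport $AVAHI_PORT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN_RHSOFT,$LAN_LOUNGE,$RHSOFT_ARRAKIS,$RHSOFT_TESTSERVER --sport 1024: --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 1024: -s $OFFICE_VPN_IP,$RHSOFT_VPN_IP,$ESX1_MASTER,$OPENVAS --dport 3306 -m state --state NEW --syn -j ACCEPT

# -------------------------------------------------------------------------------------------------------------------------------------------

# The same LAN services are also reachable across the site-to-site link: the
# office box trusts the RHSOFT WAN address, every other box trusts the office
# WAN and VPN addresses (plus one SMB client on 139/445).
if [ "$HOSTNAME" == "$HOSTNAME_OFFICE" ]; then
 add_lan_port_rules "$WAN_RHSOFT" "$LAN_PORTS"
else
 add_lan_port_rules "$OFFICE_WAN_IP,$OFFICE_VPN_IP" "$LAN_PORTS"
 $IPTABLES -A INPUT -p tcp -s 10.0.0.132 -m multiport --destination-port 139,445 -m state --state NEW --syn -j ACCEPT
fi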

# -------------------------------------------------------------------------------------------------------------------------------------------

# Home box only: it serves DNS (53 UDP and TCP) for the LOUNGE WAN address,
# the LOUNGE LAN and its own LAN; unlike the other TCP rules no NEW/--syn
# qualifier is used here.
if [ "$HOSTNAME" == "$HOSTNAME_HOME" ]; then
 $IPTABLES -A INPUT -p udp --sport 1024: -s $WAN_LOUNGE,$LAN_LOUNGE,$LAN_RHSOFT --dport 53 -j ACCEPT
 $IPTABLES -A INPUT -p tcp --sport 1024: -s $WAN_LOUNGE,$LAN_LOUNGE,$LAN_RHSOFT --dport 53 -j ACCEPT
fi

# VMware guests: DNS and NTP over UDP; SMTP, DNS, SMB (139/445), IMAP and
# MySQL over TCP.
$IPTABLES -A INPUT -p udp -s $LAN_VMWARE -m multiport --destination-port 53,123 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LAN_VMWARE -m multiport --destination-port 25,53,139,143,445,3306 -m state --state NEW --syn -j ACCEPT
# ICMP echo requests only from the named networks and hosts; every other
# ICMP that does not belong to an existing flow is silently dropped.  ICMP
# errors for existing connections are RELATED and were accepted earlier in
# the chain, so path-MTU discovery is unaffected.
$IPTABLES -A INPUT -p icmp -s $WAN_LOUNGE,$LAN_RHSOFT,$LAN_LOUNGE,$RHSOFT_TESTSERVER,$RHSOFT_ARRAKIS --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state NEW -j DROP

# -------------------------------------------------------------------------------------------------------------------------------------------

# Catch-all at the end of INPUT: TCP gets a RST and UDP an ICMP port
# unreachable (closed-port behaviour instead of a silent timeout); anything
# else is dropped.  The final DROP duplicates the chain policy set at the
# top but makes the intent explicit in the saved ruleset.
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -j DROP

# -------------------------------------------------------------------------------------------------------------------------------------------

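# Persist the live ruleset so iptables.service restores it at boot.  Write
# to a temporary file first and rename it into place: redirecting
# iptables-save straight into /etc/sysconfig/iptables truncates the file
# before iptables-save runs, so a failure would leave an empty ruleset to be
# restored on the next boot.  mktemp creates the file mode 0600, which also
# keeps the saved rules (they contain internal addresses) private.
saved_rules=$(mktemp /etc/sysconfig/iptables.XXXXXX)
if [ -n "$saved_rules" ] && /sbin/iptables-save > "$saved_rules"; then
 mv -f -- "$saved_rules" /etc/sysconfig/iptables
else
 echo "Save FAILED: /etc/sysconfig/iptables left unchanged" >&2
 [ -n "$saved_rules" ] && rm -f -- "$saved_rules"
fi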
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20120424/9c3d5943/attachment-0001.sig>

