Diffstat (limited to 'roles/common/files/usr')
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 8840174..a1589de 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -95,40 +95,41 @@ iptdiff() { fi [ $rv1 -eq 0 ] || log "WARN: The IP$v firewall is not up to date! Please run '$0'." [ $rv2 -eq 0 ] || log "WARN: The current IP$v firewall is not persistent! Please run '$0'." return $(( $rv1 | $rv2 )) } [ -n "$WAN" -o -n "$WAN6" ] || fatal "Error: couldn't find a network interface" # Store the existing table /sbin/iptables-save -t filter > "$oldv4table" /sbin/ip6tables-save -t filter > "$oldv6table" # The usual chains in filter, along with the desired default policies. cat > "$newv4table" <<- EOF *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] + :fail2ban - [0:0] EOF cp -f "$newv4table" "$newv6table" # Also, keep fail2ban chains tgrep ':fail2ban-' # (Host-to-host) IPSec tunnels come first. TODO: test IPSec on IPv6. tgrep ' -m policy --dir (in|out) --pol ipsec .* --proto esp -j ACCEPT$' # Allow any IPsec ESP protocol packets to be sent and received. iptables -A INPUT -i $WAN -p esp -j ACCEPT iptables -A OUTPUT -o $WAN -p esp -j ACCEPT ip6tables -A INPUT -i $WAN6 -p esp -j ACCEPT ip6tables -A OUTPUT -o $WAN6 -p esp -j ACCEPT # Then we have the fail2ban traps 
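Review bot: The new `:fail2ban - [0:0]` line sits in the v4 template ahead of `cp -f "$newv4table" "$newv6table"`, so the IPv6 table also declares an empty `fail2ban` user chain even though the comment in the following hunk says fail2ban is IPv4-only; nothing jumps to it there, so it is harmless, but it will appear in `ip6tables-save` output and anyone auditing the v6 ruleset will wonder whether it is intentional. A one-line comment above the `cat > "$newv4table" <<- EOF` line would settle that, e.g. `# The fail2ban chain is copied into the IPv6 template too; it stays unused there (fail2ban is IPv4-only).`. Separately, `tgrep ':fail2ban-'` only carries over the per-jail chain declarations, and the "Then we have the fail2ban traps" section that follows is outside this hunk, so please confirm it also re-emits the `-A fail2ban ... -j fail2ban-<jail>` jump rules fail2ban installs into the new chain; otherwise every run of this script would leave the chain empty until fail2ban is restarted.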
@@ -164,40 +165,47 @@ for ip6 in fc00::/7 fec0::/10 do ip6tables -A INPUT -i $WAN6 -s "$ip6" -j DROP ip6tables -A INPUT -i $WAN6 -d "$ip6" -j DROP done # DROP INVALID packets immediately. for chain in INPUT OUTPUT; do iptables -A $chain -m state --state INVALID -j DROP ip6tables -A $chain -m state --state INVALID -j DROP done # DROP bogus TCP packets. iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +# Prepare fail2ban. We make fail2ban insert its rules in a dedicated +# chain, so that it doesn't mess up the existing rules. +# XXX: As of Wheezy, fail2ban is IPv4 only. See +# https://github.com/fail2ban/fail2ban/issues/39 for the current +# state of the art. +iptables -A INPUT -i $WAN -j fail2ban + # Allow all input/output to/from the loopback interface. iptables -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT iptables -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT ip6tables -A INPUT -i lo -s ::1/128 -d ::1/128 lo -j ACCEPT ip6tables -A OUTPUT -o lo -s ::1/128 -d ::1/128 lo -j ACCEPT # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done directly # by the kernel (net.ipv4.icmp_ratelimit and net.ipv4.icmp_ratemask # runtime options). See icmp(7). for type in echo-reply destination-unreachable echo-request; do iptables -A INPUT -i $WAN -p icmp -m icmp --icmp-type $type -j ACCEPT iptables -A OUTPUT -o $WAN -p icmp -m icmp --icmp-type $type -j ACCEPT done ip6tables -A INPUT -i $WAN6 -p icmpv6 -j ACCEPT ################################################################################## |
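Review bot: The comment above `iptables -A INPUT -i $WAN -j fail2ban` promises that fail2ban will keep its rules in the dedicated chain, but nothing in this hunk makes that happen — as far as I recall fail2ban's stock iptables actions insert into INPUT, so this only holds if the jail/action configuration elsewhere in the role sets the chain to `fail2ban`, and a pointer to that file in the comment would make the dependency visible (I cannot confirm it from this diff). Two further properties are worth stating in the comment: the hook is restricted to `-i $WAN`, so bans never apply to traffic arriving on any other interface, and the jump precedes the loopback and ICMP ACCEPT rules that follow, presumably so a banned host is dropped before any of those can match. Suggested wording: `# Hooked on $WAN only and ahead of the ACCEPTs below; fail2ban's actions must be configured with chain=fail2ban (see the role's jail config).`. Unrelated to this change, the two `ip6tables ... -d ::1/128 lo -j ACCEPT` context lines carry a stray `lo` argument that ip6tables should reject; worth a separate fix.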