diff options
Diffstat (limited to 'roles/common/files')
| -rw-r--r-- | roles/common/files/etc/ldap/schema/fripost.ldif | 15 | ||||
| -rwxr-xr-x | roles/common/files/etc/network/if-post-down.d/iptables | 15 | ||||
| -rwxr-xr-x | roles/common/files/etc/network/if-pre-up.d/iptables | 15 | ||||
| -rwxr-xr-x | roles/common/files/etc/network/if-up.d/ipsec | 15 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 16 |
5 files changed, 62 insertions, 14 deletions
diff --git a/roles/common/files/etc/ldap/schema/fripost.ldif b/roles/common/files/etc/ldap/schema/fripost.ldif index 6ec55dc..851988e 100644 --- a/roles/common/files/etc/ldap/schema/fripost.ldif +++ b/roles/common/files/etc/ldap/schema/fripost.ldif @@ -1,24 +1,35 @@ # Fripost's LDAP schema -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org> # -# Licensed under the GNU GPL version 3 or higher. +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. # Load this file with # # ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif # # It will load the schema. To perform modifications, the easiest way is to # # * Save the database: slapcat -b 'o=mailHosting,dc=fripost,dc=dev' > /tmp/db.ldif # * Save the configuration: slapcat -n0 > /tmp/config.ldif # * Backup slap.d: cp -a /etc/ldap/slapd.d/ /tmp/slap.d_back # * Edit the schema in /tmp/config.ldif # * Load the new config: mkdir -m 0700 /tmp/slapd.d_new && slapadd -F /tmp/slapd.d_new -n0 -l /tmp/config.ldif # * Stop slapd: /etc/init.d/slapd stop # * Load the new config: rm -rf /etc/ldap/slapd.d/ && mv /tmp/slapd.d_new /etc/ldap/slapd.d && chown -R openldap:openldap /etc/ldap/slapd.d # * Create indexes: sudo -u openldap slapindex -b 'o=mailHosting,dc=fripost,dc=dev' # * Start slapd: /etc/init.d/slapd start # If it fails, remove the existing database and see what's wrong # rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'o=mailHosting,dc=fripost,dc=org' -l /tmp/db.ldif # # diff --git a/roles/common/files/etc/network/if-post-down.d/iptables b/roles/common/files/etc/network/if-post-down.d/iptables index 944ff3a..d27977d 100755 --- a/roles/common/files/etc/network/if-post-down.d/iptables +++ b/roles/common/files/etc/network/if-post-down.d/iptables @@ -1,27 +1,36 @@ #!/bin/sh -# + # A post-down hook to flush ip tables and delete custom chains in the # loaded v4 and v6 rulesets. +# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org> # -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. # -# Licensed under the GNU GPL version 3 or higher. +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin # Ignore the loopback interface; run the script for ifdown only. [ "$IFACE" != lo -a "$MODE" = stop ] || exit 0 case "$ADDRFAM" in inet) ipts=/sbin/iptables-save; ipt=/sbin/iptables;; inet6) ipts=/sbin/ip6tables-save; ipt=/sbin/ip6tables;; *) exit 0 esac $ipts | sed -nr 's/^\*//p' | \ while read table; do $ipt -t "$table" -F $ipt -t "$table" -X done diff --git a/roles/common/files/etc/network/if-pre-up.d/iptables b/roles/common/files/etc/network/if-pre-up.d/iptables index 644211f..2b83cdc 100755 --- a/roles/common/files/etc/network/if-pre-up.d/iptables +++ b/roles/common/files/etc/network/if-pre-up.d/iptables @@ -1,30 +1,39 @@ #!/bin/bash -# + # A pre-up hook to auto-(re)load the iptables rulesets whenever the # network is brought up. If the action fails, an alert message is passed # to syslogd. +# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org> # -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. # -# Licensed under the GNU GPL version 3 or higher. +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. set -uo pipefail PATH=/usr/sbin:/usr/bin:/sbin:/bin # NOTE: syslog starts after networking during the boot process, messages # won't be logged at boot time. log="/usr/bin/logger -st firewall" # Ignore the loopback interface; run the script for ifup only. [ "$IFACE" != lo -a "$MODE" = start ] || exit 0 # We support only IPv4 and IPv6. [ "$ADDRFAM" = inet -o "$ADDRFAM" = inet6 ] || exit 0 $log -p user.info -- "Loading $ADDRFAM firewall on interface $IFACE." case "$ADDRFAM" in inet) iptr=/sbin/iptables-restore; rules=rules.v4;; inet6)iptr=/sbin/ip6tables-restore; rules=rules.v6;; esac diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec index db9f979..4a84112 100755 --- a/roles/common/files/etc/network/if-up.d/ipsec +++ b/roles/common/files/etc/network/if-up.d/ipsec @@ -1,29 +1,38 @@ #!/bin/sh -# + # A post-up/down hook to automatically create/delete a 'sec' VLAN # device, and a dedicated, host-scoped, IP for IPSec (v4 only). +# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org> # -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. # -# Licensed under the GNU GPL version 3 or higher. +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin ifsec=sec0 ipsec=172.16.0.1/32 # /!\ This mark much match that in /usr/local/sbin/update-firewall.sh. secmark=0xA99 # Ignore the loopback interface and non inet4 families. [ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0 # Only the device with the default, globally-scoped route, is of # interest here. [ "$( /bin/ip -4 route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \ = \ "$IFACE" ] || exit 0 diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 41407e8..4050e9e 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -1,42 +1,52 @@ #!/bin/bash -# + # Create iptables (v4 and v6) rules. Unless one of [-f] or [-c] is # given, or if the ruleset is unchanged, a confirmation is asked after # loading the new rulesets; if the user answers No or doesn't answer, # the old ruleset is restored. If the user answer Yes (or if the flag # [-f] is given), the new ruleset is made persistent (requires a pre-up # hook) by moving it to /etc/iptables/rules.v[46]. # # The [-c] flag switch to dry-run (check) mode. The rulesets are not # applied, but merely checked against the existing ones. The return # value is 0 iff. they do not differ. # # This firewall is only targeted towards end-servers, not gateways. In # particular, there is no NAT'ing at the moment. # # Dependencies: netmask(1) # -# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. # -# Licensed under the GNU GPL version 3 or higher. +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin timeout=10 force=0 check=0 verbose=0 addrfam= secmark=0xA99 # must match that in /etc/network/if-up.d/ipsec secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp) fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" declare -A rss=() tables=() usage() { cat >&2 <<- EOF Usage: $0 [OPTIONS] |