Initial commit

2019-10-04 21:57:24 +02:00 · 2019-10-04 21:57:24 +02:00 · e20016e60a
commit e20016e60a
7 changed files with 297 additions and 0 deletions
--- a/sysconfig/ip6tables
+++ b/sysconfig/ip6tables
@ -0,0 +1,23 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:fwd_ext_filter - [0:0]
+-A INPUT -p tcp -m tcp -s 2a00:14b0:4200:3380:134::1/128 --dport 9000:9999 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9000:9999 -j DROP
+-A FORWARD -d fec0:0:0:ffff::/64 -j ACCEPT
+-A FORWARD -i eno2 -j fwd_ext_filter
+-A FORWARD -i eno50.+ -j fwd_ext_filter
+-A FORWARD -i ens2d1.+ -j fwd_ext_filter
+-A FORWARD -o eno2 -j fwd_ext_filter
+-A FORWARD -o eno50.+ -j fwd_ext_filter
+-A FORWARD -o ens2d1.+ -j fwd_ext_filter
+-A fwd_ext_filter -m set --match-set reserved_IPv6 dst -j DROP
+-A fwd_ext_filter -m set --match-set reserved_IPv6 src -j DROP
+#-A fwd_ext_filter -m set --match-set transit_IPv6 dst -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv6 src -j ACCEPT
+-A fwd_ext_filter -j ACCEPT
+COMMIT
--- a/sysconfig/ip6tables-config
+++ b/sysconfig/ip6tables-config
@ -0,0 +1,59 @@
+# Load additional ip6tables modules (nat helpers)
+#   Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IP6TABLES_MODULES=""
+
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets stopped
+# (e.g. on system shutdown).
+IP6TABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets
+# restarted.
+IP6TABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/ip6tables if
+# 'service ip6tables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IP6TABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+#   Value: yes|no,  default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IP6TABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IP6TABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: yes
+# Print a counter/number for every rule in the status output.
+IP6TABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+#   Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IP6TABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for ip6tables-restore calls in seconds
+#   Default: 600
+# Set to 0 to deactivate the wait.
+#IP6TABLES_RESTORE_WAIT=600
+
+# Set wait interval option for ip6tables-restore calls in microseconds
+#   Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IP6TABLES_RESTORE_WAIT > 0
+#IP6TABLES_RESTORE_WAIT_INTERVAL=1000000
--- a/sysconfig/ipset
+++ b/sysconfig/ipset
@ -0,0 +1,45 @@
+create transit_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+add transit_IPv4_tmp 185.117.213.0/24
+add transit_IPv4_tmp 185.66.192.0/22
+add transit_IPv4_tmp 193.96.224.0/24
+add transit_IPv4_tmp 77.87.48.0/21
+add transit_IPv4_tmp 185.161.128.0/22
+swap transit_IPv4_tmp transit_IPv4
+destroy transit_IPv4_tmp
+create reserved_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+add reserved_IPv4_tmp 0.0.0.0/8
+add reserved_IPv4_tmp 10.0.0.0/8
+add reserved_IPv4_tmp 100.64.0.0/10
+add reserved_IPv4_tmp 127.0.0.0/8
+add reserved_IPv4_tmp 169.254.0.0/16
+add reserved_IPv4_tmp 172.16.0.0/12
+add reserved_IPv4_tmp 192.0.0.0/24
+add reserved_IPv4_tmp 192.0.2.0/24
+add reserved_IPv4_tmp 192.168.0.0/16
+add reserved_IPv4_tmp 198.18.0.0/15
+add reserved_IPv4_tmp 198.51.100.0/24
+add reserved_IPv4_tmp 203.0.113.0/24
+add reserved_IPv4_tmp 224.0.0.0/4
+add reserved_IPv4_tmp 240.0.0.0/4
+swap reserved_IPv4_tmp reserved_IPv4
+destroy reserved_IPv4_tmp
+create transit_IPv6_tmp hash:net family inet6 hashsize 1024 maxelem 65536 counters
+add transit_IPv6_tmp 2001:67c:2d50::/48
+add transit_IPv6_tmp 2001:bf7::/32
+add transit_IPv6_tmp 2a03:2260::/30
+add transit_IPv6_tmp 2a03:2267::/32
+add transit_IPv6_tmp 2a06:8782::/32
+add transit_IPv6_tmp 2001:67c:1550::/48
+add transit_IPv6_tmp 2a07:c480::/29
+swap transit_IPv6_tmp transit_IPv6
+destroy transit_IPv6_tmp
+create reserved_IPv6_tmp hash:net family inet6 hashsize 1024 maxelem 65536 counters
+add reserved_IPv6_tmp ::/96
+add reserved_IPv6_tmp 2001:10::/28
+add reserved_IPv6_tmp 2001:db8::/32
+add reserved_IPv6_tmp 3ffe::/16
+add reserved_IPv6_tmp fc00::/7
+add reserved_IPv6_tmp fec0::/10
+add reserved_IPv6_tmp ff00::/8
+swap reserved_IPv6_tmp reserved_IPv6
+destroy reserved_IPv6_tmp
--- a/sysconfig/ipset.README
+++ b/sysconfig/ipset.README
@ -0,0 +1,47 @@
+README for /etc/sysconfig/ipset
+-------------------------------
+
+ipset does not have a nice way like iptables-restore to restore them and before iptables loads the sets must be loaded already, otherwise iptables-restore will fail to restore the firewall settings.
+
+Thus there are some tricks used to allow safe update of ipsets.
+
+
+If you want to...
+
+... add a net to an existing ip set:
+1. Lookup the name of the existing ip set (e.g. transit_IPv4) and add _tmp to it: transit_IPv4_tmp
+2. Add a line similar to the following to /etc/sysconfig/ipset:
+	add transit_IPv4_tmp 185.117.213.0/24
+3. Run the following command (this restarts iptables):
+	# systemctl restart ipset
+4. Run the following command to verify that the net has been added, but use the real name of the set:
+	# ipset list transit_IPv4
+You're done.
+
+
+... create a new ip set:
+1. Think of a new sensible name (e.g. reserved_IPv4)
+2. If the structure of the set is exactly the same as an existing set, you can skip to step 3 and just copy the lines from an existing set, otherwise:
+	a. Use "ipset create" (man ipset) to create the set and "ipset add" to add one entry
+	b. Run "ipset save" (displays to stdout) and copy the lines to create your new set and add the first entry
+3. Update /etc/systemd/system/ipset.service...
+	a. by adding a new line (obviously use the name of your set and add "family inet6" if it's IPv6):
+		ExecStartPre=-/sbin/ipset create reserved_IPv4 hash:net
+	b. and adding a new line with the name of your set with an added _tmp at the end:
+		ExecStartPre=-/sbin/ipset destroy reserved_IPv4_tmp
+	c. Run the following command:
+		# systemctl daemon-reload
+4. Update /etc/sysconfig/ipset...
+	a. by adding a create line for your set with an added _tmp at the end:
+		create reserved_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+	b. by adding the add line for your set with an added _tmp at the end:
+		add reserved_IPv4_tmp 240.0.0.0/4
+	c. by adding a swap line for your set first with an added _tmp then without the _tmp:
+		swap reserved_IPv4_tmp reserved_IPv4
+	d. by adding a destroy line for the set with _tmp at the end:
+		destroy reserved_IPv4_tmp
+5. Run the following command (this restarts iptables):
+	# systemctl restart ipset
+6. Run the following command to verify that the set has been added, but use the real name of the set:
+	# ipset list transit_IPv4
+You're done.
--- a/sysconfig/iptables
+++ b/sysconfig/iptables
@ -0,0 +1,40 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+#
+# WARNING: DO NOT ACTIVATE ANY KIND OF LOGGING, LOGGING KILLS THE SERVER
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:fwd_ext_filter - [0:0]
+-A INPUT -p tcp -m tcp --dport ssh -d 193.96.224.249 -j DROP
+-A INPUT -p udp -m udp --dport 53 -j DROP
+-A INPUT -p tcp -m tcp --dport 5000 -s 193.96.224.250 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5000 -j DROP
+-A INPUT -p tcp -m tcp --dport 9000:9999 -j DROP
+-A INPUT -j ACCEPT
+#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+#-A INPUT -p icmp -j ACCEPT
+#-A INPUT -i lo -j ACCEPT
+#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+#-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -s 10.112.0.0/16 -d 10.112.0.0/16 ! -o eno50.310 -j ACCEPT
+-A FORWARD -s 100.64.112.0/24 -d 10.112.0.0/16 ! -o eno50.310 -j ACCEPT
+-A FORWARD -i eno2 -j fwd_ext_filter
+-A FORWARD -i eno50.+ -j fwd_ext_filter
+-A FORWARD -i ens2d1.+ -j fwd_ext_filter
+-A FORWARD -o eno2 -j fwd_ext_filter
+-A FORWARD -o eno50.+ -j fwd_ext_filter
+-A FORWARD -o ens2d1.+ -j fwd_ext_filter
+-A fwd_ext_filter -m set --match-set reserved_IPv4 src -j DROP
+-A fwd_ext_filter -m set --match-set reserved_IPv4 dst -j DROP
+-A fwd_ext_filter -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv4 src -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv4 dst -j ACCEPT
+# DO NOT ACTIVATE THE NEXT LINE, IT KILLS THE SERVER
+#-A fwd_ext_filter -j LOG --log-prefix drop_log
+# DO NOT ACTIVATE THE PREVIOUS LINE, IT KILLS THE SERVER
+#-A fwd_ext_filter -j DROP
+COMMIT
--- a/sysconfig/iptables-config
+++ b/sysconfig/iptables-config
@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+#   Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+#   Value: yes|no,  default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+#   Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+#   Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+#   Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
--- a/systemd/ipset.service
+++ b/systemd/ipset.service
@ -0,0 +1,24 @@
+[Unit]
+Description=Loads ip sets for iptables from /etc/sysconfig/ipset
+Before=iptables.service ip6tables.service
+After=syslog.target
+AssertPathExists=/etc/sysconfig/ipset
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=-/sbin/ipset create transit_IPv4 hash:net
+ExecStartPre=-/sbin/ipset destroy transit_IPv4_tmp
+ExecStartPre=-/sbin/ipset create reserved_IPv4 hash:net
+ExecStartPre=-/sbin/ipset destroy reserved_IPv4_tmp
+ExecStartPre=-/sbin/ipset create transit_IPv6 hash:net family inet6
+ExecStartPre=-/sbin/ipset destroy transit_IPv6_tmp
+ExecStartPre=-/sbin/ipset create reserved_IPv6 hash:net family inet6
+ExecStartPre=-/sbin/ipset destroy reserved_IPv6_tmp
+ExecStart=/bin/sh -c "/sbin/ipset restore < /etc/sysconfig/ipset"
+ExecStop=/sbin/ipset destroy
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+RequiredBy=iptables.service ip6tables.service