From e20016e60a0e962d779666feefa63ccd7b45a47d Mon Sep 17 00:00:00 2001
From: Daniel Frank
Date: Fri, 4 Oct 2019 21:57:24 +0200
Subject: [PATCH] Initial commit

---
 sysconfig/ip6tables | 23 +++++++++++++++
 sysconfig/ip6tables-config | 59 ++++++++++++++++++++++++++++++++++++++
 sysconfig/ipset | 45 +++++++++++++++++++++++++++++
 sysconfig/ipset.README | 47 ++++++++++++++++++++++++++++++
 sysconfig/iptables | 40 ++++++++++++++++++++++++++
 sysconfig/iptables-config | 59 ++++++++++++++++++++++++++++++++++++++
 systemd/ipset.service | 24 ++++++++++++++++
 7 files changed, 297 insertions(+)
 create mode 100644 sysconfig/ip6tables
 create mode 100644 sysconfig/ip6tables-config
 create mode 100644 sysconfig/ipset
 create mode 100644 sysconfig/ipset.README
 create mode 100644 sysconfig/iptables
 create mode 100644 sysconfig/iptables-config
 create mode 100644 systemd/ipset.service

diff --git a/sysconfig/ip6tables b/sysconfig/ip6tables
new file mode 100644
index 0000000..5b268b0
--- /dev/null
+++ b/sysconfig/ip6tables
@@ -0,0 +1,23 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:fwd_ext_filter - [0:0]
+-A INPUT -p tcp -m tcp -s 2a00:14b0:4200:3380:134::1/128 --dport 9000:9999 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9000:9999 -j DROP
+-A FORWARD -d fec0:0:0:ffff::/64 -j ACCEPT
+-A FORWARD -i eno2 -j fwd_ext_filter
+-A FORWARD -i eno50.+ -j fwd_ext_filter
+-A FORWARD -i ens2d1.+ -j fwd_ext_filter
+-A FORWARD -o eno2 -j fwd_ext_filter
+-A FORWARD -o eno50.+ -j fwd_ext_filter
+-A FORWARD -o ens2d1.+ -j fwd_ext_filter
+-A fwd_ext_filter -m set --match-set reserved_IPv6 dst -j DROP
+-A fwd_ext_filter -m set --match-set reserved_IPv6 src -j DROP
+#-A fwd_ext_filter -m set --match-set transit_IPv6 dst -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv6 src -j ACCEPT
+-A fwd_ext_filter -j ACCEPT
+COMMIT
diff --git a/sysconfig/ip6tables-config b/sysconfig/ip6tables-config
new file mode 100644
index 0000000..7fe480c
--- /dev/null
+++ b/sysconfig/ip6tables-config
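Review bot: The INPUT restrictions the IPv4 file applies (ssh to one address, udp/53, tcp/5000 except from one source) have no counterpart in this file, where INPUT stays at policy ACCEPT with only the 9000:9999 range filtered, so any of those services that also listens on a global IPv6 address is filtered on the v4 path only. Whether that is intended cannot be told from the patch; if not, mirroring the rules here (e.g. `-A INPUT -p udp -m udp --dport 53 -j DROP`) keeps the two files in step. The `-A FORWARD -d fec0:0:0:ffff::/64 -j ACCEPT` line is an exception to the reserved_IPv6 drop further down (fec0::/10 is in that set) and sits before the fwd_ext_filter jumps; a comment such as `# deliberate exception: accepted here because fwd_ext_filter would drop it via reserved_IPv6` would record the intent for the next reader.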
@@ -0,0 +1,59 @@
+# Load additional ip6tables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IP6TABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets stopped
+# (e.g. on system shutdown).
+IP6TABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets
+# restarted.
+IP6TABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/ip6tables if
+# 'service ip6tables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IP6TABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IP6TABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IP6TABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IP6TABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IP6TABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for ip6tables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IP6TABLES_RESTORE_WAIT=600
+
+# Set wait interval option for ip6tables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IP6TABLES_RESTORE_WAIT > 0
+#IP6TABLES_RESTORE_WAIT_INTERVAL=1000000
diff --git a/sysconfig/ipset b/sysconfig/ipset
new file mode 100644
index 0000000..9934ba2
--- /dev/null
+++ b/sysconfig/ipset
@@ -0,0 +1,45 @@
+create transit_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+add transit_IPv4_tmp 185.117.213.0/24
+add transit_IPv4_tmp 185.66.192.0/22
+add transit_IPv4_tmp 193.96.224.0/24
+add transit_IPv4_tmp 77.87.48.0/21
+add transit_IPv4_tmp 185.161.128.0/22
+swap transit_IPv4_tmp transit_IPv4
+destroy transit_IPv4_tmp
+create reserved_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+add reserved_IPv4_tmp 0.0.0.0/8
+add reserved_IPv4_tmp 10.0.0.0/8
+add reserved_IPv4_tmp 100.64.0.0/10
+add reserved_IPv4_tmp 127.0.0.0/8
+add reserved_IPv4_tmp 169.254.0.0/16
+add reserved_IPv4_tmp 172.16.0.0/12
+add reserved_IPv4_tmp 192.0.0.0/24
+add reserved_IPv4_tmp 192.0.2.0/24
+add reserved_IPv4_tmp 192.168.0.0/16
+add reserved_IPv4_tmp 198.18.0.0/15
+add reserved_IPv4_tmp 198.51.100.0/24
+add reserved_IPv4_tmp 203.0.113.0/24
+add reserved_IPv4_tmp 224.0.0.0/4
+add reserved_IPv4_tmp 240.0.0.0/4
+swap reserved_IPv4_tmp reserved_IPv4
+destroy reserved_IPv4_tmp
+create transit_IPv6_tmp hash:net family inet6 hashsize 1024 maxelem 65536 counters
+add transit_IPv6_tmp 2001:67c:2d50::/48
+add transit_IPv6_tmp 2001:bf7::/32
+add transit_IPv6_tmp 2a03:2260::/30
+add transit_IPv6_tmp 2a03:2267::/32
+add transit_IPv6_tmp 2a06:8782::/32
+add transit_IPv6_tmp 2001:67c:1550::/48
+add transit_IPv6_tmp 2a07:c480::/29
+swap transit_IPv6_tmp transit_IPv6
+destroy transit_IPv6_tmp
+create reserved_IPv6_tmp hash:net family inet6 hashsize 1024 maxelem 65536 counters
+add reserved_IPv6_tmp ::/96
+add reserved_IPv6_tmp 2001:10::/28
+add reserved_IPv6_tmp 2001:db8::/32
+add reserved_IPv6_tmp 3ffe::/16
+add reserved_IPv6_tmp fc00::/7
+add reserved_IPv6_tmp fec0::/10
+add reserved_IPv6_tmp ff00::/8
+swap reserved_IPv6_tmp reserved_IPv6
+destroy reserved_IPv6_tmp
diff --git a/sysconfig/ipset.README b/sysconfig/ipset.README
new file mode 100644
index 0000000..fe7deb4
--- /dev/null
+++ b/sysconfig/ipset.README
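Review bot: reserved_IPv4 omits 192.88.99.0/24 (the former 6to4 relay anycast block, reserved since RFC 7526) and reserved_IPv6 omits the IPv4-mapped prefix ::ffff:0:0/96 and the discard-only prefix 100::/64 (RFC 6666); whether those belong depends on which bogon policy this set is meant to implement, and the patch does not say. A sentence in ipset.README naming the source list and the date it was taken from would make the next review of these entries much easier. The four `swap` lines also require transit_IPv4, reserved_IPv4, transit_IPv6 and reserved_IPv6 to exist before this file is restored; that coupling to the ExecStartPre lines in ipset.service is only implicit here and is worth stating in the README alongside the add/create instructions.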
@@ -0,0 +1,47 @@
+README for /etc/sysconfig/ipset
+-------------------------------
+
+ipset does not have a nice way like iptables-restore to restore them and before iptables loads the sets must be loaded already, otherwise iptables-restore will fail to restore the firewall settings.
+
+Thus there are some tricks used to allow safe update of ipsets.
+
+
+If you want to...
+
+... add a net to an existing ip set:
+1. Lookup the name of the existing ip set (e.g. transit_IPv4) and add _tmp to it: transit_IPv4_tmp
+2. Add a line similar to the following to /etc/sysconfig/ipset:
+ add transit_IPv4_tmp 185.117.213.0/24
+3. Run the following command (this restarts iptables):
+ # systemctl restart ipset
+4. Run the following command to verify that the net has been added, but use the real name of the set:
+ # ipset list transit_IPv4
+You're done.
+
+
+... create a new ip set:
+1. Think of a new sensible name (e.g. reserved_IPv4)
+2. If the structure of the set is exactly the same as an existing set, you can skip to step 3 and just copy the lines from an existing set, otherwise:
+ a. Use "ipset create" (man ipset) to create the set and "ipset add" to add one entry
+ b. Run "ipset save" (displays to stdout) and copy the lines to create your new set and add the first entry
+3. Update /etc/systemd/system/ipset.service...
+ a. by adding a new line (obviously use the name of your set and add "family inet6" if it's IPv6):
+ ExecStartPre=-/sbin/ipset create reserved_IPv4 hash:net
+ b. and adding a new line with the name of your set with an added _tmp at the end:
+ ExecStartPre=-/sbin/ipset destroy reserved_IPv4_tmp
+ c. Run the following command:
+ # systemctl daemon-reload
+4. Update /etc/sysconfig/ipset...
+ a. by adding a create line for your set with an added _tmp at the end:
+ create reserved_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+ b. by adding the add line for your set with an added _tmp at the end:
+ add reserved_IPv4_tmp 240.0.0.0/4
+ c. by adding a swap line for your set first with an added _tmp then without the _tmp:
+ swap reserved_IPv4_tmp reserved_IPv4
+ d. by adding a destroy line for the set with _tmp at the end:
+ destroy reserved_IPv4_tmp
+5. Run the following command (this restarts iptables):
+ # systemctl restart ipset
+6. Run the following command to verify that the set has been added, but use the real name of the set:
+ # ipset list transit_IPv4
+You're done.
diff --git a/sysconfig/iptables b/sysconfig/iptables
new file mode 100644
index 0000000..e60a18f
--- /dev/null
+++ b/sysconfig/iptables
@@ -0,0 +1,40 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+#
+# WARNING: DO NOT ACTIVATE ANY KIND OF LOGGING, LOGGING KILLS THE SERVER
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:fwd_ext_filter - [0:0]
+-A INPUT -p tcp -m tcp --dport ssh -d 193.96.224.249 -j DROP
+-A INPUT -p udp -m udp --dport 53 -j DROP
+-A INPUT -p tcp -m tcp --dport 5000 -s 193.96.224.250 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5000 -j DROP
+-A INPUT -p tcp -m tcp --dport 9000:9999 -j DROP
+-A INPUT -j ACCEPT
+#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+#-A INPUT -p icmp -j ACCEPT
+#-A INPUT -i lo -j ACCEPT
+#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+#-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -s 10.112.0.0/16 -d 10.112.0.0/16 ! -o eno50.310 -j ACCEPT
+-A FORWARD -s 100.64.112.0/24 -d 10.112.0.0/16 ! -o eno50.310 -j ACCEPT
+-A FORWARD -i eno2 -j fwd_ext_filter
+-A FORWARD -i eno50.+ -j fwd_ext_filter
+-A FORWARD -i ens2d1.+ -j fwd_ext_filter
+-A FORWARD -o eno2 -j fwd_ext_filter
+-A FORWARD -o eno50.+ -j fwd_ext_filter
+-A FORWARD -o ens2d1.+ -j fwd_ext_filter
+-A fwd_ext_filter -m set --match-set reserved_IPv4 src -j DROP
+-A fwd_ext_filter -m set --match-set reserved_IPv4 dst -j DROP
+-A fwd_ext_filter -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv4 src -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv4 dst -j ACCEPT
+# DO NOT ACTIVATE THE NEXT LINE, IT KILLS THE SERVER
+#-A fwd_ext_filter -j LOG --log-prefix drop_log
+# DO NOT ACTIVATE THE PREVIOUS LINE, IT KILLS THE SERVER
+#-A fwd_ext_filter -j DROP
+COMMIT
diff --git a/sysconfig/iptables-config b/sysconfig/iptables-config
new file mode 100644
index 0000000..3d7e176
--- /dev/null
+++ b/sysconfig/iptables-config
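Review bot: The two commented transit_IPv4 ACCEPT rules are placed after the unconditional `-A fwd_ext_filter -j ACCEPT`, whereas the ip6tables file puts them before it; if someone later uncomments them as they stand they sit behind the ACCEPT and are never reached, so moving the two commented lines above the ACCEPT keeps the two files consistent and the later switch to a transit allowlist plus final DROP a matter of uncommenting only. Only udp/53 is dropped on INPUT; if the intent is to keep a local resolver from being queried from outside, tcp/53 is still accepted by `-A INPUT -j ACCEPT` and would need `-A INPUT -p tcp -m tcp --dport 53 -j DROP` as well — the intent is not stated, so this may be deliberate. That same `-A INPUT -j ACCEPT` also makes the commented stateful, ICMP and lo rules below it dead; a one-line comment that the host is intentionally open apart from the listed ports would stop the next reader from re-enabling them in the expectation of a default deny. As a point of style, `--dport ssh` is the only port given by service name (resolved from /etc/services at restore time) while every other rule uses a number.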
@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
diff --git a/systemd/ipset.service b/systemd/ipset.service
new file mode 100644
index 0000000..d528ce0
--- /dev/null
+++ b/systemd/ipset.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Loads ip sets for iptables from /etc/sysconfig/ipset
+Before=iptables.service ip6tables.service
+After=syslog.target
+AssertPathExists=/etc/sysconfig/ipset
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=-/sbin/ipset create transit_IPv4 hash:net
+ExecStartPre=-/sbin/ipset destroy transit_IPv4_tmp
+ExecStartPre=-/sbin/ipset create reserved_IPv4 hash:net
+ExecStartPre=-/sbin/ipset destroy reserved_IPv4_tmp
+ExecStartPre=-/sbin/ipset create transit_IPv6 hash:net family inet6
+ExecStartPre=-/sbin/ipset destroy transit_IPv6_tmp
+ExecStartPre=-/sbin/ipset create reserved_IPv6 hash:net family inet6
+ExecStartPre=-/sbin/ipset destroy reserved_IPv6_tmp
+ExecStart=/bin/sh -c "/sbin/ipset restore < /etc/sysconfig/ipset"
+ExecStop=/sbin/ipset destroy
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+RequiredBy=iptables.service ip6tables.service
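Review bot: `ExecStop=/sbin/ipset destroy` names no set, so it destroys every ipset on the host rather than only the four this unit manages, and it will presumably fail whenever ip(6)tables rules still reference reserved_IPv4 or reserved_IPv6, since a set in use cannot be destroyed; one `ExecStop=-/sbin/ipset destroy transit_IPv4` line per managed set limits the blast radius, and the `-` keeps a refused destroy from marking the stop as failed. The `-` on the `ExecStartPre=-/sbin/ipset create …` lines is needed for the already-exists case but also hides a create that fails for any other reason, which then only surfaces as a swap error from ExecStart; that is acceptable because RequiredBy= keeps the firewall units from starting on a failed restore, but a comment saying so belongs in the unit. The README's claim that `systemctl restart ipset` restarts iptables relies on RequiredBy= propagating the restart; since `swap` replaces the set contents in place under the name the rules reference, the new entries take effect without an iptables restart either way, and the README could say that instead.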