Initial commit
commit
e20016e60a
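--- /dev/null
+++ b/sysconfig/ip6tables
@@ -0,0 +1,23 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:fwd_ext_filter - [0:0]
+-A INPUT -p tcp -m tcp -s 2a00:14b0:4200:3380:134::1/128 --dport 9000:9999 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9000:9999 -j DROP
+-A FORWARD -d fec0:0:0:ffff::/64 -j ACCEPT
+-A FORWARD -i eno2 -j fwd_ext_filter
+-A FORWARD -i eno50.+ -j fwd_ext_filter
+-A FORWARD -i ens2d1.+ -j fwd_ext_filter
+-A FORWARD -o eno2 -j fwd_ext_filter
+-A FORWARD -o eno50.+ -j fwd_ext_filter
+-A FORWARD -o ens2d1.+ -j fwd_ext_filter
+-A fwd_ext_filter -m set --match-set reserved_IPv6 dst -j DROP
+-A fwd_ext_filter -m set --match-set reserved_IPv6 src -j DROP
+#-A fwd_ext_filter -m set --match-set transit_IPv6 dst -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv6 src -j ACCEPT
+-A fwd_ext_filter -j ACCEPT
+COMMIT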
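Review bot: The INPUT chain here only touches tcp 9000:9999, whereas the IPv4 counterpart in sysconfig/iptables in the same commit also drops udp/53, tcp/5000 from all but one source, and ssh to one address; with policy ACCEPT, a service bound to an IPv6 address gets none of those restrictions. If the gap is intentional (e.g. those services are IPv4-only) a comment above the INPUT rules should say so; otherwise the equivalent drops, e.g. `-A INPUT -p udp -m udp --dport 53 -j DROP`, belong here too. The early `-A FORWARD -d fec0:0:0:ffff::/64 -j ACCEPT` must stay ahead of the fwd_ext_filter jumps because fec0::/10 is a member of reserved_IPv6 in sysconfig/ipset, and a one-line comment recording that dependency would protect the ordering from a later cleanup. The two commented transit_IPv6 lines before the final ACCEPT are dead configuration with no note on why they are disabled; either remove them or state the reason.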
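--- /dev/null
+++ b/sysconfig/ip6tables-config
@@ -0,0 +1,59 @@
+# Load additional ip6tables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IP6TABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets stopped
+# (e.g. on system shutdown).
+IP6TABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets
+# restarted.
+IP6TABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/ip6tables if
+# 'service ip6tables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IP6TABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IP6TABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IP6TABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IP6TABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IP6TABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for ip6tables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IP6TABLES_RESTORE_WAIT=600
+
+# Set wait interval option for ip6tables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IP6TABLES_RESTORE_WAIT > 0
+#IP6TABLES_RESTORE_WAIT_INTERVAL=1000000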
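--- /dev/null
+++ b/sysconfig/ipset
@@ -0,0 +1,45 @@
+create transit_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+add transit_IPv4_tmp 185.117.213.0/24
+add transit_IPv4_tmp 185.66.192.0/22
+add transit_IPv4_tmp 193.96.224.0/24
+add transit_IPv4_tmp 77.87.48.0/21
+add transit_IPv4_tmp 185.161.128.0/22
+swap transit_IPv4_tmp transit_IPv4
+destroy transit_IPv4_tmp
+create reserved_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+add reserved_IPv4_tmp 0.0.0.0/8
+add reserved_IPv4_tmp 10.0.0.0/8
+add reserved_IPv4_tmp 100.64.0.0/10
+add reserved_IPv4_tmp 127.0.0.0/8
+add reserved_IPv4_tmp 169.254.0.0/16
+add reserved_IPv4_tmp 172.16.0.0/12
+add reserved_IPv4_tmp 192.0.0.0/24
+add reserved_IPv4_tmp 192.0.2.0/24
+add reserved_IPv4_tmp 192.168.0.0/16
+add reserved_IPv4_tmp 198.18.0.0/15
+add reserved_IPv4_tmp 198.51.100.0/24
+add reserved_IPv4_tmp 203.0.113.0/24
+add reserved_IPv4_tmp 224.0.0.0/4
+add reserved_IPv4_tmp 240.0.0.0/4
+swap reserved_IPv4_tmp reserved_IPv4
+destroy reserved_IPv4_tmp
+create transit_IPv6_tmp hash:net family inet6 hashsize 1024 maxelem 65536 counters
+add transit_IPv6_tmp 2001:67c:2d50::/48
+add transit_IPv6_tmp 2001:bf7::/32
+add transit_IPv6_tmp 2a03:2260::/30
+add transit_IPv6_tmp 2a03:2267::/32
+add transit_IPv6_tmp 2a06:8782::/32
+add transit_IPv6_tmp 2001:67c:1550::/48
+add transit_IPv6_tmp 2a07:c480::/29
+swap transit_IPv6_tmp transit_IPv6
+destroy transit_IPv6_tmp
+create reserved_IPv6_tmp hash:net family inet6 hashsize 1024 maxelem 65536 counters
+add reserved_IPv6_tmp ::/96
+add reserved_IPv6_tmp 2001:10::/28
+add reserved_IPv6_tmp 2001:db8::/32
+add reserved_IPv6_tmp 3ffe::/16
+add reserved_IPv6_tmp fc00::/7
+add reserved_IPv6_tmp fec0::/10
+add reserved_IPv6_tmp ff00::/8
+swap reserved_IPv6_tmp reserved_IPv6
+destroy reserved_IPv6_tmp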
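Review bot: The reserved_IPv6 list omits a few ranges that are commonly filtered together with the ones present, notably `::ffff:0:0/96` (IPv4-mapped addresses, never valid on the wire) and `100::/64` (discard-only), and nothing records whether leaving them out is deliberate; the same applies to how the transit_* prefixes were chosen. Since this file is fed straight to `ipset restore`, the provenance of each list (RFC or operator decision) and the date it was last reviewed are best written into sysconfig/ipset.README, which this commit already adds, rather than here. Note also that restore, as a rule, aborts at the first failing command, so a typo in a later `add` leaves the earlier `_tmp` set created but never swapped and the service in a failed state; a sentence in the README telling operators to check `systemctl status ipset` after an edit would cover that.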
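--- /dev/null
+++ b/sysconfig/ipset.README
@@ -0,0 +1,47 @@
+README for /etc/sysconfig/ipset
+-------------------------------
+
+ipset does not have a nice way like iptables-restore to restore them and before iptables loads the sets must be loaded already, otherwise iptables-restore will fail to restore the firewall settings.
+
+Thus there are some tricks used to allow safe update of ipsets.
+
+
+If you want to...
+
+... add a net to an existing ip set:
+1. Lookup the name of the existing ip set (e.g. transit_IPv4) and add _tmp to it: transit_IPv4_tmp
+2. Add a line similar to the following to /etc/sysconfig/ipset:
+add transit_IPv4_tmp 185.117.213.0/24
+3. Run the following command (this restarts iptables):
+# systemctl restart ipset
+4. Run the following command to verify that the net has been added, but use the real name of the set:
+# ipset list transit_IPv4
+You're done.
+
+
+... create a new ip set:
+1. Think of a new sensible name (e.g. reserved_IPv4)
+2. If the structure of the set is exactly the same as an existing set, you can skip to step 3 and just copy the lines from an existing set, otherwise:
+a. Use "ipset create" (man ipset) to create the set and "ipset add" to add one entry
+b. Run "ipset save" (displays to stdout) and copy the lines to create your new set and add the first entry
+3. Update /etc/systemd/system/ipset.service...
+a. by adding a new line (obviously use the name of your set and add "family inet6" if it's IPv6):
+ExecStartPre=-/sbin/ipset create reserved_IPv4 hash:net
+b. and adding a new line with the name of your set with an added _tmp at the end:
+ExecStartPre=-/sbin/ipset destroy reserved_IPv4_tmp
+c. Run the following command:
+# systemctl daemon-reload
+4. Update /etc/sysconfig/ipset...
+a. by adding a create line for your set with an added _tmp at the end:
+create reserved_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
+b. by adding the add line for your set with an added _tmp at the end:
+add reserved_IPv4_tmp 240.0.0.0/4
+c. by adding a swap line for your set first with an added _tmp then without the _tmp:
+swap reserved_IPv4_tmp reserved_IPv4
+d. by adding a destroy line for the set with _tmp at the end:
+destroy reserved_IPv4_tmp
+5. Run the following command (this restarts iptables):
+# systemctl restart ipset
+6. Run the following command to verify that the set has been added, but use the real name of the set:
+# ipset list transit_IPv4
+You're done.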
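--- /dev/null
+++ b/sysconfig/iptables
@@ -0,0 +1,40 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+#
+# WARNING: DO NOT ACTIVATE ANY KIND OF LOGGING, LOGGING KILLS THE SERVER
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:fwd_ext_filter - [0:0]
+-A INPUT -p tcp -m tcp --dport ssh -d 193.96.224.249 -j DROP
+-A INPUT -p udp -m udp --dport 53 -j DROP
+-A INPUT -p tcp -m tcp --dport 5000 -s 193.96.224.250 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5000 -j DROP
+-A INPUT -p tcp -m tcp --dport 9000:9999 -j DROP
+-A INPUT -j ACCEPT
+#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+#-A INPUT -p icmp -j ACCEPT
+#-A INPUT -i lo -j ACCEPT
+#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+#-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -s 10.112.0.0/16 -d 10.112.0.0/16 ! -o eno50.310 -j ACCEPT
+-A FORWARD -s 100.64.112.0/24 -d 10.112.0.0/16 ! -o eno50.310 -j ACCEPT
+-A FORWARD -i eno2 -j fwd_ext_filter
+-A FORWARD -i eno50.+ -j fwd_ext_filter
+-A FORWARD -i ens2d1.+ -j fwd_ext_filter
+-A FORWARD -o eno2 -j fwd_ext_filter
+-A FORWARD -o eno50.+ -j fwd_ext_filter
+-A FORWARD -o ens2d1.+ -j fwd_ext_filter
+-A fwd_ext_filter -m set --match-set reserved_IPv4 src -j DROP
+-A fwd_ext_filter -m set --match-set reserved_IPv4 dst -j DROP
+-A fwd_ext_filter -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv4 src -j ACCEPT
+#-A fwd_ext_filter -m set --match-set transit_IPv4 dst -j ACCEPT
+# DO NOT ACTIVATE THE NEXT LINE, IT KILLS THE SERVER
+#-A fwd_ext_filter -j LOG --log-prefix drop_log
+# DO NOT ACTIVATE THE PREVIOUS LINE, IT KILLS THE SERVER
+#-A fwd_ext_filter -j DROP
+COMMIT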
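Review bot: INPUT is effectively default-allow: after the four targeted DROPs, the `-A INPUT -j ACCEPT` rule accepts everything, and the five commented stock rules below it (RELATED,ESTABLISHED, icmp, lo, ssh, REJECT) are unreachable leftovers with no note on why they were disabled; either delete them or add `# INPUT is deliberately open: this host is a router, filtering happens in fwd_ext_filter` so the intent survives the next edit. The ssh drop applies only to destination 193.96.224.249, so ssh stays reachable on every other address of the host, which deserves the same comment if that is intended. The two DO NOT ACTIVATE warnings around the LOG rule state the effect but not the cause; a line such as `# an unrestricted LOG on the forwarding path floods syslog and starves the host; use -m limit or NFLOG if logging is ever required` would stop a well-meaning reactivation. The same missing-rationale comments apply to the fwd_ext_filter block in sysconfig/ip6tables.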
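--- /dev/null
+++ b/sysconfig/iptables-config
@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000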
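--- /dev/null
+++ b/systemd/ipset.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Loads ip sets for iptables from /etc/sysconfig/ipset
+Before=iptables.service ip6tables.service
+After=syslog.target
+AssertPathExists=/etc/sysconfig/ipset
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=-/sbin/ipset create transit_IPv4 hash:net
+ExecStartPre=-/sbin/ipset destroy transit_IPv4_tmp
+ExecStartPre=-/sbin/ipset create reserved_IPv4 hash:net
+ExecStartPre=-/sbin/ipset destroy reserved_IPv4_tmp
+ExecStartPre=-/sbin/ipset create transit_IPv6 hash:net family inet6
+ExecStartPre=-/sbin/ipset destroy transit_IPv6_tmp
+ExecStartPre=-/sbin/ipset create reserved_IPv6 hash:net family inet6
+ExecStartPre=-/sbin/ipset destroy reserved_IPv6_tmp
+ExecStart=/bin/sh -c "/sbin/ipset restore < /etc/sysconfig/ipset"
+ExecStop=/sbin/ipset destroy
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+RequiredBy=iptables.service ip6tables.service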
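Review bot: `ExecStop=/sbin/ipset destroy` with no set name destroys every set on the host, not only the four this unit creates, so stopping the unit also wipes sets owned by other software, and the stop fails outright if any set is still referenced by a rule; listing the four sets explicitly with the `-` prefix limits the blast radius. There is no ExecReload, so the `_tmp`/swap scheme in /etc/sysconfig/ipset (which exists precisely to update sets while rules stay loaded) can only be exercised through `systemctl restart ipset`, and because RequiredBy becomes Requires= on iptables.service and ip6tables.service, that restart also restarts both firewall units and, if their stop flushes the rules as the stock units do, leaves a short window with no filtering at all. `ipset restore -file` also removes the need for the `/bin/sh -c` redirection in ExecStart. The rewritten [Service] lines are below; the ExecStartPre lines are unchanged.
```ini
[Service]
# … unchanged: Type, RemainAfterExit, ExecStartPre create/destroy lines …
ExecStart=/sbin/ipset restore -file /etc/sysconfig/ipset
# reload re-runs the _tmp/swap sequence without touching iptables.service;
# a stale _tmp set left by an aborted run must still be cleared first
ExecReload=/sbin/ipset restore -file /etc/sysconfig/ipset
# destroy only what this unit owns; '-' keeps a still-referenced set from failing the stop
ExecStop=-/sbin/ipset destroy transit_IPv4
ExecStop=-/sbin/ipset destroy reserved_IPv4
ExecStop=-/sbin/ipset destroy transit_IPv6
ExecStop=-/sbin/ipset destroy reserved_IPv6
```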