initial commit of file from CVS for e-smith-packetfilter on Wed 12 Jul 09:02:33 BST 2023

This commit is contained in:
Brian Read
2023-07-12 09:02:33 +01:00
parent b2c0968fc3
commit 4a060af783
87 changed files with 2343 additions and 2 deletions


@@ -0,0 +1 @@
drop


@@ -0,0 +1 @@
most


@@ -0,0 +1 @@
no


@@ -0,0 +1 @@
disabled


@@ -0,0 +1 @@
yes


@@ -0,0 +1 @@
enabled


@@ -0,0 +1 @@
service


@@ -0,0 +1 @@
enabled


@@ -0,0 +1 @@
service


@@ -0,0 +1 @@
enabled


@@ -0,0 +1 @@
PERMS=0755


@@ -0,0 +1 @@
PERMS=0600


@@ -0,0 +1,23 @@
/var/log/ulogd/ulogd.log \{
missingok
notifempty
weekly
compress
sharedscripts
postrotate
/usr/bin/systemctl restart ulogd > /dev/null 2>&1
endscript
\}
/var/log/iptables/*.log \{
missingok
notifempty
daily
compress
sharedscripts
postrotate
/usr/bin/systemctl restart ulogd > /dev/null 2>&1
endscript
\}
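Review bot: Both postrotate scripts restart ulogd (`/usr/bin/systemctl restart ulogd > /dev/null 2>&1`), which tears down the netlink socket and loses whatever packets are queued during the restart, even though the ulogd unit added in this same commit already defines `ExecReload=/bin/kill -HUP $MAINPID`. If the shipped ulogd reopens its output files on SIGHUP (its documented behaviour, worth confirming on the packaged version), `/usr/bin/systemctl reload ulogd > /dev/null 2>&1` rotates without a logging gap. The same change applies to both stanzas.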


@@ -0,0 +1,20 @@
{
my $internalif = $InternalInterface{Name};
my $outernet = ($SystemMode eq "serveronly") ?
$LocalIP : '$(/sbin/e-smith/config get ExternalIP)';
$OUT .= <<HERE;
INTERNALIF=$internalif
OUTERNET=$outernet
if [ -z "\$OUTERNET" ]
then
OUTERNET=1.1.1.1 # Put in placeholder address, to ensure correct iptables syntax
fi
HERE
if ($SystemMode ne "serveronly")
{ $OUT .= " OUTERIF=".$ExternalInterface{Name} }
else
{ $OUT .= "# OUTERIF='there_isnt_one'"; }
}
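Review bot: Neither `$OUT .=` branch at the end of the block emits a trailing newline, so the first line printed by the next fragment lands on the same line; in the serveronly branch that line starts with `#`, which would comment out the next fragment's first output line unless that fragment begins with its own newline (fragment order is not visible here, so this is hedged). Append `\n` in both branches: `{ $OUT .= " OUTERIF=".$ExternalInterface{Name}."\n" }` and `{ $OUT .= "# OUTERIF='there_isnt_one'\n"; }`. The `OUTERNET=1.1.1.1` placeholder is a live public address; a documentation address from 192.0.2.0/24 (RFC 5737) makes the placeholder intent unmistakable when the rules are later read back with `iptables --list`.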


@@ -0,0 +1,124 @@
{
@tcp_acl_rules = ();
# Define a function which can be used in subsequent fragments
# This function collects a list of TCP ports, and whether
# or not inbound TCP connections are permitted to the port
# The list is later used in the "adjust" section of the overall
# mask script to set up chains and rules which implement the
# policy
sub allow_tcp_in
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @tcp_acl_rules, " adjust_tcp_in $port $target";
return "";
}
@udp_acl_rules = ();
# This function collects a list of UDP ports, and whether
# or not inbound UDP packets are permitted to the port
# The list is later used in the "adjust" section of the overall
# mask script to set up chains and rules which implement the
# policy
sub allow_udp_in
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @udp_acl_rules, " adjust_udp_in $port $target";
return "";
}
@tcp_forward_acl_rules = ();
# This function performs the same function as allow_tcp_in, except that
# it works with the FORWARD chain instead of the INPUT chain.
sub allow_tcp_forward
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @tcp_forward_acl_rules, " adjust_tcp_in $port $target";
return "";
}
@udp_forward_acl_rules = ();
# This function performs the same function as allow_udp_in, except that
# it works with the FORWARD chain instead of the INPUT chain.
sub allow_udp_forward
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @udp_forward_acl_rules, " adjust_udp_in $port $target";
return "";
}
"";
}
adjust_tcp_in() \{
local dport=$1
local target=$2
local chain=$3
local dnet=$4
# Add the rule requested.
rule="/sbin/iptables --append $chain --protocol tcp --dport $dport"
if [ -n "$dnet" ]; then
rule="$rule --destination $dnet"
fi
rule="$rule --in-interface $\{OUTERIF:-$INTERNALIF\} --jump $target"
$rule
\}
adjust_udp_in() \{
local dport=$1
local target=$2
local chain=$3
local dnet=$4
# Add the rule requested.
rule="/sbin/iptables --append $chain --protocol udp --dport $dport"
if [ -n "$dnet" ]; then
rule="$rule --destination $dnet"
fi
rule="$rule --in-interface $\{OUTERIF:-$INTERNALIF\} --jump $target"
$rule
\}
get_safe_id() \{
# Expect arguments of, chain_name, table, mode, where mode can be either
# find or new
local chain_name=$1
local table=$2
local mode=$3
# Find the existing numbered chain.
current=$(/sbin/iptables --table $table --list $chain_name --numeric |\
sed -n '3s/ .*//p')
if [ "x$current" = "x" ]; then
# We didn't find it.
echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
exit 1
fi
# If we're in find mode, return this chain.
case "$mode" in
find)
echo $current ;;
new)
# Make sure the number on this chain doesn't conflict with our
# process ID.
current_id=$(echo $current |\
sed -n -e "s/^$chain_name//" -e "s/^_//p")
if [ "x$current_id" = "x" ]
then
echo "ERROR: Cannot find process ID on chain name" 1>&2
exit 1
fi
# If it conflicts with our process ID, add one to ours.
if [ $current_id -eq $$ ]
then
echo $\{chain_name\}_$(expr $$ + 1)
else
echo $\{chain_name\}_$$
fi
;;
esac
\}
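Review bot: `get_safe_id` reports a missing chain with `exit 1`, but every caller in the later fragments invokes it as `OLD_*=$(get_safe_id ... find)` (ForwardedTCP, ForwardedUDP, InboundTCP, InboundUDP, local_chk and InboundICMP), so the exit only ends the command-substitution subshell and the variable is left empty. An empty `$OLD_ForwardedTCP` then turns `/sbin/iptables --flush $OLD_ForwardedTCP` into a flush of every chain in the filter table and `--delete-chain` into a delete of every empty user chain, i.e. a lookup failure silently removes the firewall until the next adjust. Propagate the status at each assignment, `OLD_ForwardedTCP=$(get_safe_id ForwardedTCP filter find) || exit 1`, and quote the expansions as the ICMP fragment already does (`--flush "$IBI"`) so an empty value is an iptables error rather than a wildcard. Within this hunk, `rule`, `current` and `current_id` are not declared `local`, and `$rule` is executed by word splitting; a bash array (`rule=(/sbin/iptables --append "$chain" --protocol tcp --dport "$dport"); "${rule[@]}"`) keeps each argument intact.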


@@ -0,0 +1,5 @@
case "$1" in
start)
echo -n "Enabling IP masquerading: "


@@ -0,0 +1,36 @@
{
#----------------------------------------------------------------------
# This template defines both:
# - our local network/netmask ($primaryLocalNet)
# - a list of all our local networks from the networks database.
#----------------------------------------------------------------------
$OUT = "";
# We won't use "my" for @locals, so that we can use it in other fragments
@locals = ();
use esmith::util;
my ($network, $broadcast) =
esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);
$primaryLocalNet = "$network/$LocalNetmask";
push @locals, $primaryLocalNet;
use esmith::NetworksDB;
$nets = esmith::NetworksDB->open;
foreach my $network ($nets->get_all_by_prop(type => 'network'))
{
my $key = $network->key;
my $mask = $network->prop('Mask');
push @locals, "$key/$mask";
}
# Remove duplicates.
my %count = ();
foreach my $net (@locals)
{
$count{$net}++;
}
@locals = keys %count;
}
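Review bot: `@locals = keys %count;` on the last line discards the order the list was built in, yet the stop fragment later in this commit does `my $local = shift @mylocals;` on the stated assumption that the primary network comes first. Hash key order is not stable between runs, so the FORWARD accept rules built there can pair the wrong network as `$local`. Deduplicate while preserving order instead: `my %seen; @locals = grep { !$seen{$_}++ } @locals;`.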


@@ -0,0 +1,6 @@
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X -t filter
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle


@@ -0,0 +1,3 @@
/sbin/iptables --flush FORWARD
/sbin/iptables --flush INPUT
/sbin/iptables --flush OUTPUT


@@ -0,0 +1,2 @@
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
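Review bot: `ip_nat_ftp` and `ip_conntrack_ftp` are the pre-2.6.20 module names; on kernels that only provide `nf_conntrack_ftp`/`nf_nat_ftp` both modprobes fail and nothing reports it, because the exit status is ignored. On current kernels loading the helper also no longer attaches it to connections automatically (the `nf_conntrack_helper` sysctl defaults to off and was later removed), so FTP tracking would need an explicit helper assignment rule; confirm which kernel the package targets. At minimum surface the failure, e.g. `/sbin/modprobe nf_conntrack_ftp || echo "WARNING: FTP conntrack helper not loaded" >&2`.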


@@ -0,0 +1,22 @@
{
# We need to be sure that we have enough rules to replace when we adjust the
# ruleset. We currently have three settings for packetlogging - "all",
# "most" and "some".
#
# "some" equates to this:
#
# ...
# /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
# /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
# /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
# /sbin/iptables --replace denylog 4 --jump ULOG ...
# ...
#
# After we do the logging with rule 4, we need rule 5 to drop the packet.
}
/sbin/iptables --new-chain denylog
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP


@@ -0,0 +1,20 @@
{
my @tcp_minimize_delay = ();
if ($masq{TCPMinimizeDelay})
{
@tcp_minimize_delay = split ',', $masq{TCPMinimizeDelay};
}
$ports = "@tcp_minimize_delay";
$ports = 'pass' unless $ports;
$OUT = '';
}
# Set telnet, www, smtp, pop3 and FTP for minimum delay
for port in {$ports}
do
if [ $port != 'pass' ]
then
/sbin/iptables --table mangle --append OUTPUT \
--protocol tcp --dport $port \
-j TOS --set-tos Minimize-Delay
fi
done


@@ -0,0 +1,5 @@
# TODO - this hasn't yet been converted for iptables - does it
# need to be?
# set timeouts for tcp tcpfin udp
#/sbin/iptables --masquerading --set 14400 60 600


@@ -0,0 +1,8 @@
/sbin/iptables --new-chain state_chk
# Allow any already established or related connection
/sbin/iptables --append state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
# We filter all input and forwarded traffic this way
/sbin/iptables --append INPUT -j state_chk
/sbin/iptables --append FORWARD -j state_chk
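Review bot: `state_chk` accepts ESTABLISHED,RELATED but says nothing about INVALID, so packets conntrack cannot classify fall through to the per-protocol chains, where `--syn`-matched rules may treat them as new connections. The usual companion rule is `/sbin/iptables --append state_chk -m state --state INVALID -j denylog` placed before the accept. `-m state` is a compatibility alias on current iptables; `-m conntrack --ctstate` is the maintained form.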


@@ -0,0 +1,16 @@
# Create a new chain to handle local traffic
/sbin/iptables --new-chain local_chk
/sbin/iptables --new-chain local_chk_1
# Accept any traffic initiated on "local" interfaces
if [ -n "$OUTERIF" ]; then
/sbin/iptables --append local_chk_1 \
! --in-interface $OUTERIF -j ACCEPT
fi
/sbin/iptables --append local_chk -j local_chk_1
# We filter all input and forwarded traffic this way
/sbin/iptables --append INPUT -j local_chk
/sbin/iptables --append FORWARD -j local_chk


@@ -0,0 +1,7 @@
# Drop all multicast traffic. Note that anything on from a local network
# will have already been accepted via the local_chk chain.
/sbin/iptables --append INPUT -s 224.0.0.0/4 -j denylog
/sbin/iptables --append INPUT -d 224.0.0.0/4 -j denylog
/sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j denylog
/sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j denylog


@@ -0,0 +1,8 @@
/sbin/iptables --table nat --new-chain PostroutingOutbound
/sbin/iptables --table nat --append PostroutingOutbound \
--source $OUTERNET -j ACCEPT
/sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
if [ -n "$OUTERIF" ]; then
/sbin/iptables --append POSTROUTING -t nat \
--out-interface $OUTERIF -j PostroutingOutbound
fi


@@ -0,0 +1,10 @@
{
if ($ExternalDHCP eq "on")
#DHCP CLIENT ALLOW - I'm not sure that we need this, since it
# could be covered by connection tracking.
{
$OUT .= <<'HERE';
/sbin/iptables --append INPUT -p udp --dport 67:68 -i ${OUTERIF:-$INTERNALIF} -j ACCEPT
HERE
}
}


@@ -0,0 +1,7 @@
/sbin/iptables --new-chain InboundICMP
/sbin/iptables --new-chain InboundICMP_1
/sbin/iptables --append INPUT --protocol icmp --jump InboundICMP
/sbin/iptables --append InboundICMP --protocol icmp --jump InboundICMP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol icmp --jump denylog
/sbin/iptables --append InboundICMP --protocol icmp --jump denylog


@@ -0,0 +1,6 @@
/sbin/iptables --new-chain ForwardedTCP
/sbin/iptables --new-chain ForwardedTCP_1
/sbin/iptables --append FORWARD --protocol tcp --syn --jump ForwardedTCP
/sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump ForwardedTCP_1
# Catch any returns.
/sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump denylog


@@ -0,0 +1,7 @@
/sbin/iptables --new-chain InboundTCP
/sbin/iptables --new-chain InboundTCP_1
/sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog


@@ -0,0 +1,6 @@
/sbin/iptables --new-chain ForwardedUDP
/sbin/iptables --new-chain ForwardedUDP_1
/sbin/iptables --append FORWARD --protocol udp --jump ForwardedUDP
/sbin/iptables --append ForwardedUDP --protocol udp --jump ForwardedUDP_1
# Catch any returns.
/sbin/iptables --append ForwardedUDP --protocol udp --jump denylog


@@ -0,0 +1,9 @@
/sbin/iptables --new-chain InboundUDP
/sbin/iptables --new-chain InboundUDP_1
/sbin/iptables --append INPUT --protocol udp --in-interface $\{OUTERIF:-$INTERNALIF\} \
--jump InboundUDP
/sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol udp --in-interface $\{OUTERIF:-$INTERNALIF\} \
--jump denylog
/sbin/iptables --append InboundUDP --protocol udp --jump denylog


@@ -0,0 +1,9 @@
{
my $status = $dhcpd{status} || 'disabled';
if ($status eq 'enabled')
{
$OUT .= <<'HERE';
/sbin/iptables --append INPUT -p udp --sport 67:68 -i $INTERNALIF -j ACCEPT
HERE
}
}
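Review bot: The emitted rule matches on the client's source port (`--sport 67:68`) rather than on the server port the daemon listens on, so any UDP datagram arriving on `$INTERNALIF` with source port 67 or 68 is accepted regardless of destination. `--dport 67` (server) is the tighter match for DHCP requests, with `--sport 68 --dport 67` if you want both ends pinned. The comment should also say why this rule is needed at all when local_chk already accepts internal traffic, presumably because DHCP discovers originate from 0.0.0.0 and miss the `@locals` source matches; confirm that and record it.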


@@ -0,0 +1,5 @@
{
## Set Default rule on FORWARD chain to denylog
}
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --append FORWARD --jump denylog


@@ -0,0 +1,5 @@
{
## Set default policy
}
/sbin/iptables --policy INPUT DROP
/sbin/iptables --append INPUT --jump denylog


@@ -0,0 +1,5 @@
{
## Set default policy
}
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --append OUTPUT --jump ACCEPT


@@ -0,0 +1,4 @@
$0 adjust
echo "done"
;;


@@ -0,0 +1,13 @@
adjust)
status=$(/sbin/e-smith/config getprop masq status)
if [ $status = "disabled" ]
then
exit 0
fi
test -z "$2" && exec chpst -l /var/lock/masq.adjust $0 adjust with_lock
trace=$(/sbin/e-smith/config getprop masq Trace)
if [ $trace = "enabled" ]; then
# Toggle trace off.
$0 trace
fi
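Review bot: `if [ $status = "disabled" ]` and `if [ $trace = "enabled" ]` expand unquoted, so an empty or multi-word result from `config getprop` makes `[` fail with a syntax error and the branch is silently skipped; the same pattern appears in the trace-restore hunk and the `trace)` hunk later in this commit. Quote the expansions: `if [ "$status" = "disabled" ]` and `if [ "$trace" = "enabled" ]`. The `exec chpst -l ... with_lock` re-exec is the only guard against concurrent adjust runs; a one-line comment saying that the second argument marks the locked re-invocation would save the next reader a puzzle.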


@@ -0,0 +1,7 @@
{
$OUT .=<<'EOF';
OLD_ForwardedTCP=$(get_safe_id ForwardedTCP filter find)
NEW_ForwardedTCP=$(get_safe_id ForwardedTCP filter new)
/sbin/iptables --new-chain $NEW_ForwardedTCP
EOF
}


@@ -0,0 +1,7 @@
{
# Append all our forwarding rules.
foreach my $rule (@tcp_forward_acl_rules)
{
$OUT .= "$rule \$NEW_ForwardedTCP\n";
}
}


@@ -0,0 +1,9 @@
{
# Activate the chain and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace ForwardedTCP 1 \
--jump $NEW_ForwardedTCP
/sbin/iptables --flush $OLD_ForwardedTCP
/sbin/iptables --delete-chain $OLD_ForwardedTCP
EOF
}


@@ -0,0 +1,8 @@
{
# Repeat this exercise for the ForwardedUDP chain.
$OUT .=<<'EOF';
OLD_ForwardedUDP=$(get_safe_id ForwardedUDP filter find)
NEW_ForwardedUDP=$(get_safe_id ForwardedUDP filter new)
/sbin/iptables --new-chain $NEW_ForwardedUDP
EOF
}


@@ -0,0 +1,7 @@
{
# Append our forwarding rules.
foreach my $rule (@udp_forward_acl_rules)
{
$OUT .= "$rule \$NEW_ForwardedUDP\n";
}
}


@@ -0,0 +1,9 @@
{
# Activate the new chain and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace ForwardedUDP 1 \
--jump $NEW_ForwardedUDP
/sbin/iptables --flush $OLD_ForwardedUDP
/sbin/iptables --delete-chain $OLD_ForwardedUDP
EOF
}


@@ -0,0 +1,10 @@
{
# Find the current InboundTCP_$$ chain, and create a new one.
$OUT .=<<'EOF';
OLD_InboundTCP=$(get_safe_id InboundTCP filter find)
NEW_InboundTCP=$(get_safe_id InboundTCP filter new)
/sbin/iptables --new-chain $NEW_InboundTCP
EOF
$OUT .= " /sbin/iptables --append \$NEW_InboundTCP \\! " .
"--destination \$OUTERNET --jump denylog\n";
}


@@ -0,0 +1,14 @@
{
return "" if $oidentd{status} eq "enabled";
return <<'END_REJECT_IDENT';
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 113 \
--destination $OUTERNET \
--jump REJECT \
--reject-with tcp-reset
END_REJECT_IDENT
}
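Review bot: `$oidentd{status} eq "enabled"` reads the property without a default, unlike the sibling fragments (`$dhcpd{status} || 'disabled'`, `($props{status} || 'disabled')`), so a missing oidentd record produces an uninitialized-value warning during template expansion. Use the same idiom: `return "" if ($oidentd{status} || 'disabled') eq "enabled";`. The heredoc is returned from the block rather than appended to `$OUT`, which differs from every other fragment in this commit; a one-line comment noting that the block's return value is the fragment output would keep that from looking accidental.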


@@ -0,0 +1,44 @@
{
@tcpsvcs = ($DB->get_all_by_prop( TCPPort => '\d+'), $DB->get_all_by_prop( TCPPorts => '\d+(,\d+|:\d+)*'));
foreach my $filter ( sort {$a->key cmp $b->key} @tcpsvcs )
{
my %props = $filter->props();
my @ports = grep { $_ } split /[;,]/, ($props{TCPPort} || '').",".($props{TCPPorts} || '');
my $deny_hosts = $props{DenyHosts} || '';
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
unless ( ($props{status} || 'disabled') eq 'enabled')
{
$allow_hosts = '';
}
unless ( ($props{access} || 'private') eq 'public')
{
$allow_hosts = '';
}
$OUT .= " # " . $filter->key . ": TCPPorts: " . (join ',', @ports) . ", AllowHosts: $allow_hosts, DenyHosts: $deny_hosts\n";
foreach my $port (sort { @a = split /[^\d]/, $a; @b = split /[^\d]/, $b; $a[0] <=> $b[0] || $a cmp $b } @ports)
{
foreach my $host (split(',', $deny_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundTCP --proto tcp --dport $port \\
--destination \$OUTERNET --src $host --jump denylog
HERE
}
foreach my $host (split(',', $allow_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundTCP --proto tcp --dport $port \\
--destination \$OUTERNET --src $host --jump ACCEPT
HERE
}
}
}
}
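Review bot: `AllowHosts`/`DenyHosts` values are split on commas and interpolated straight into `--src $host` lines of a script that runs as root, with no check that each entry is an address or CIDR; the same holds for `@ports` and for the UDP fragment further down. They come from the configuration database rather than from the network, so this is hygiene rather than an exposure, but a guard such as `next unless $host =~ m{\A\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\z};` (with a warning on the rejected entry) keeps a typo from producing a malformed or overly broad rule. The sort block assigns to the package arrays `@a` and `@b`; `my @af = split /[^\d]/, $a; my @bf = split /[^\d]/, $b;` avoids names that are easy to confuse with `$a`/`$b`. A service with both `TCPPort` and `TCPPorts` set is returned by both `get_all_by_prop` calls and has its rules emitted twice; de-duplicating `@tcpsvcs` by key before the loop avoids that.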


@@ -0,0 +1,7 @@
{
# Append all our inbound tcp rules to it.
foreach my $rule (@tcp_acl_rules)
{
$OUT .= "$rule \$NEW_InboundTCP\n";
}
}


@@ -0,0 +1,9 @@
{
# Having created a new Inbound TCP chain, activate it and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace InboundTCP 1 \
--jump $NEW_InboundTCP
/sbin/iptables --flush $OLD_InboundTCP
/sbin/iptables --delete-chain $OLD_InboundTCP
EOF
}


@@ -0,0 +1,10 @@
{
# Find the current InboundUDP_$$ chain and create a new one.
$OUT .=<<'EOF';
OLD_InboundUDP=$(get_safe_id InboundUDP filter find)
NEW_InboundUDP=$(get_safe_id InboundUDP filter new)
/sbin/iptables --new-chain $NEW_InboundUDP
EOF
$OUT .= " /sbin/iptables --append \$NEW_InboundUDP \\! " .
"--destination \$OUTERNET --jump denylog\n";
}


@@ -0,0 +1,44 @@
{
@udpsvcs = ($DB->get_all_by_prop( UDPPort => '\d+'), $DB->get_all_by_prop( UDPPorts => '\d+(,\d+|:\d+)*'));
foreach my $filter ( sort {$a->key cmp $b->key} @udpsvcs )
{
my %props = $filter->props();
my @ports = grep { $_ } split /[;,]/, ($props{UDPPort} || '').",".($props{UDPPorts} || '');
my $deny_hosts = $props{DenyHosts} || '';
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
unless ( ($props{status} || 'disabled') eq 'enabled')
{
$allow_hosts = '';
}
unless ( ($props{access} || 'private') eq 'public')
{
$allow_hosts = '';
}
$OUT .= " # " . $filter->key . ": UDPPorts: " . (join ',', @ports) . ", AllowHosts: $allow_hosts, DenyHosts: $deny_hosts\n";
foreach my $port (sort { @a = split /[^\d]/, $a; @b = split /[^\d]/, $b; $a[0] <=> $b[0] || $a cmp $b } @ports)
{
foreach my $host (split(',', $deny_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundUDP --proto udp --dport $port \\
--destination \$OUTERNET --src $host --jump denylog
HERE
}
foreach my $host (split(',', $allow_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundUDP --proto udp --dport $port \\
--destination \$OUTERNET --src $host --jump ACCEPT
HERE
}
}
}
}


@@ -0,0 +1,7 @@
{
# Append all our inbound udp rules to it.
foreach my $rule (@udp_acl_rules)
{
$OUT .= "$rule \$NEW_InboundUDP\n";
}
}


@@ -0,0 +1,9 @@
{
# Having created a new Inbound UDP chain, activate it and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace InboundUDP 1 \
--jump $NEW_InboundUDP
/sbin/iptables --flush $OLD_InboundUDP
/sbin/iptables --delete-chain $OLD_InboundUDP
EOF
}


@@ -0,0 +1,29 @@
{
my $logging = $masq{Logging} || "none";
my $target = $masq{DenylogTarget} eq "drop" ? 'DROP' : 'REJECT';
if ( $logging eq "none" )
{
$OUT .= " /sbin/iptables --replace denylog 1 --jump $target";
}
elsif ($logging eq "all")
{
$OUT .= <<"HERE";
/sbin/iptables --replace denylog 1 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
/sbin/iptables --replace denylog 2 --jump $target
/sbin/iptables --replace denylog 3 --jump $target
/sbin/iptables --replace denylog 4 --jump $target
/sbin/iptables --replace denylog 5 --jump $target
HERE
}
else
{
$OUT .= <<"HERE";
/sbin/iptables --replace denylog 1 -p udp --dport 520 --jump $target
/sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump $target
/sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump $target
/sbin/iptables --replace denylog 4 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
/sbin/iptables --replace denylog 5 --jump $target
HERE
}
}
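Review bot: `$masq{DenylogTarget} eq "drop"` has no default, unlike `$masq{Logging} || "none"` on the line above, so an absent property warns during expansion and silently selects REJECT. Use `($masq{DenylogTarget} || 'drop') eq 'drop'`, keeping the fallback in step with whatever default the db fragment in this commit declares. ULOG is the legacy logging target; where the kernel or iptables build lacks it the `--replace` fails and the chain keeps its DROP placeholder, which is fail-closed but unlogged, so a comment pointing at the NFLOG alternative (the ulogd config here already lists the NFLOG plugin commented out) would help whoever ports this.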


@@ -0,0 +1,41 @@
# Find the current InboundICMP_$$ chain, and create a new one.
IBI=$(get_safe_id InboundICMP filter find)
new=$(get_safe_id InboundICMP filter new)
/sbin/iptables --new-chain $new
{
my $stealth = $masq{Stealth} || 'no';
if ($stealth eq 'yes')
{
$OUT .= <<HERE;
/sbin/iptables --append \$new --proto icmp \\
--icmp-type echo-request --in-interface \${OUTERIF:-\$INTERNALIF} --jump denylog
HERE
}
# We want to be very selective on the ICMPs we accept to stop
# route hijacking
my @OKicmpTypes = (
qw(
echo-request
echo-reply
destination-unreachable
source-quench
time-exceeded
parameter-problem
) );
foreach my $icmpType (@OKicmpTypes)
{
$OUT .= <<HERE;
/sbin/iptables --append \$new --proto icmp \\
--icmp-type $icmpType --jump ACCEPT
HERE
}
# Having created a new Inbound ICMP chain, activate it and
# destroy the old.
}
/sbin/iptables --append $new --jump denylog
/sbin/iptables --replace InboundICMP 1 --jump $new
/sbin/iptables --flush "$IBI"
/sbin/iptables --delete-chain "$IBI"


@@ -0,0 +1,2 @@
/sbin/iptables --table nat --replace PostroutingOutbound 1 \
--source $OUTERNET -j ACCEPT


@@ -0,0 +1,8 @@
{
$OUT .=<<'EOF';
OLD_local_chk=$(get_safe_id local_chk filter find)
NEW_local_chk=$(get_safe_id local_chk filter new)
/sbin/iptables --new-chain $NEW_local_chk
/sbin/iptables -A $NEW_local_chk --in-interface lo -j ACCEPT
EOF
}


@@ -0,0 +1,19 @@
{
$OUT = "";
my $locals = "@locals";
if (@locals)
{
# Make a new local_chk chain and add any networks found in networks db
foreach my $local (@locals)
{
# If the network is a remote vpn subnet, restrict it to the VPN
# interface.
my ($net, $msk) = split /\//, $local;
my $netrec = $nets->get($net);
die "Can't find network $net in networks db!\n" unless $netrec;
$OUT .= "/sbin/iptables -A \$NEW_local_chk -s $local";
$OUT .= " --in-interface " . $netrec->prop('VPNif') if ( $netrec->prop('VPNif') );
$OUT .= " -j ACCEPT\n";
}
}
}


@@ -0,0 +1,9 @@
{
# Activate the chain and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace local_chk 1 \
--jump $NEW_local_chk
/sbin/iptables --flush $OLD_local_chk
/sbin/iptables --delete-chain $OLD_local_chk
EOF
}


@@ -0,0 +1,5 @@
if [ $trace = "enabled" ]; then
# Toggle trace back on.
$0 trace
fi
;;


@@ -0,0 +1,14 @@
{
# #####START MASQ#####
# masqstart)
# echo ""
# echo -n "Starting IP Masquerading:"
# ## Read Masq Rules
# # . $CONFIG_DIR/pmfirewall.rules.masq
# echo " Done!"
# echo ""
# echo "Internal: $INTERNALIF $INTERNALNET"
# echo "External: $OUTERIF $OUTERNET"
# echo "" ;;
#
}


@@ -0,0 +1,8 @@
masqstop)
echo ""
echo -n "Shuting down IP Masquerading:"
/sbin/iptables -F FORWARD
/sbin/iptables -P FORWARD DROP
echo " Done!"
echo "" ;;


@@ -0,0 +1,6 @@
restart)
$0 stop
$0 start
;;


@@ -0,0 +1,8 @@
status)
echo $"Table: filter"
/sbin/iptables --list -n
echo $"Table: nat"
/sbin/iptables -t nat --list -n
echo $"Table: mangle"
/sbin/iptables -t mangle --list -n
;;


@@ -0,0 +1,38 @@
{
#####STOP FIREWALL####
}
stop)
echo ""
echo -n "Shutting down IP masquerade and firewall rules:"
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT {
# Set "safe" default mode.
($SystemMode eq "serveronly") ? "ACCEPT" : "DROP"
}
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F
{
$OUT .= '';
# Allow forwarding of local addresses, as we might be a VPN endpoint
# in serveronly mode
# @locals contains a list of local networks, with the real local
# network first
my @mylocals = @locals;
my $local = shift @mylocals;
$OUT .= " /sbin/iptables --append FORWARD -s $local" .
" -d $local -j ACCEPT\n";
foreach my $network (@mylocals)
{
$OUT .= " /sbin/iptables --append FORWARD -s $network" .
" -d $local -j ACCEPT\n";
$OUT .= " /sbin/iptables --append FORWARD -s $local" .
" -d $network -j ACCEPT\n";
}
} /sbin/iptables -X
echo " Done!"
echo "" ;;
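Review bot: `stop)` flushes only the filter table (`/sbin/iptables -F` and the per-chain `-F` lines), so the nat and mangle rules created at start — the `PostroutingOutbound` MASQUERADE chain and the TOS rules — remain after a stop even though the message announces that masquerading is shut down; `masq start` clears them in its own flush fragment, so the gap is only visible between a stop and the next start. If that is intentional it deserves a comment; otherwise add `/sbin/iptables -t nat -F` and `/sbin/iptables -t mangle -F` (and the matching `-X`) before the final `-X`. The closing `} /sbin/iptables -X` shares a line with the template block; putting the command on its own line keeps the generated script readable.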


@@ -0,0 +1,15 @@
trace)
trace=$(/sbin/e-smith/config getprop masq Trace)
if [ $trace = "enabled" ]; then
action="stop"
echo "Disabling iptables-trace..."
/sbin/e-smith/config setprop masq Trace disabled
else
action="start"
echo "Enabling iptables-trace..."
/sbin/e-smith/config setprop masq Trace enabled
fi
/etc/init.d/iptables-trace $action
;;


@@ -0,0 +1,6 @@
*)
echo "Usage: masq \{start|stop|restart|...\}"
exit 1
esac
exit 0


@@ -0,0 +1,7 @@
[global]
nlgroup=1
logfile=/var/log/ulogd/ulogd.log
loglevel=5
rmem=131071
bufsize=150000


@@ -0,0 +1,38 @@
######################################################################
# PLUGIN OPTIONS
######################################################################
# We have to configure and load all the plugins we want to use
# general rules:
#
# 0. don't specify any plugin for ulogd to load them all
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in seperate section below
#plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so"
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2HBIN.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
#plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/lib64/ulogd/ulogd_output_XML.so"
#plugin="/usr/lib64/ulogd/ulogd_output_SQLITE3.so"
#plugin="/usr/lib64/ulogd/ulogd_output_GPRINT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/lib64/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/lib64/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/lib64/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFACCT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_GRAPHITE.so"
#plugin="/usr/lib64/ulogd/ulogd_output_JSON.so"


@@ -0,0 +1,4 @@
#our base stack ULOG to LOGEMU
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU


@@ -0,0 +1,10 @@
[ulog1]
# denylog:
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1
[emu1]
file="/var/log/iptables/denylog.log"
sync=1


@@ -0,0 +1,96 @@
#!/bin/bash
# $Id: iptables-trace,v 1.14 2004/11/13 00:31:15 apc Exp $
# Tony Clayton <t ny-netfilter@clayt n.ca>
# You may use and edit this code freely. If you make changes to
# it that are generally useful, please email them to me and/or
# post them on the netfilter mailing list <netfilter@lists.netfilter.org>
LOGPREFIX='${table:0:1}:${chain:0:14}:$rulenumber:${target:0:14}'
MAXPREFIXSIZE=27
PRINT=0
IPTABLES="iptables"
log_entry() {
local action=$1
local table=$3 cmd=$4 chain=$5
local rulenumber="-"
shift 5
if [ "$last_chain" != "$chain" ]; then
rulenum=1
fi
case $action in
(add|addpolicy)
local rulespec
if [ "$action" = "add" ]; then
cmd="-I"
rulespec=$rulenum
rulenumber=$rulenum
let rulenum=$rulenum+2
fi
while [ "$1" != "-j" ]; do
rulespec="$rulespec $1"
shift;
done
shift;
target=$1
eval prefix="${LOGPREFIX}"
$IPTABLES -t $table $cmd $chain $rulespec -j LOG \
--log-prefix "*${prefix:0:$MAXPREFIXSIZE}:"
;;
(skip)
let rulenum=$rulenum+1
;;
(delete)
$IPTABLES -t $table -D $chain $rulenum
;;
esac
last_chain=$chain
}
start() {
for table in $(cat /proc/net/ip_tables_names); do
rulenum=1
iptables-save -t $table | grep '^-' | \
while read rule; do
log_entry add -t $table $rule
done
# log default policy for each chain
iptables-save -t $table | grep '^:' | tr -d : | \
while read chain target rest; do
if [ "$target" != "-" ]; then
log_entry addpolicy -t $table -A $chain -j $target
fi
done
done
}
stop() {
for table in $(cat /proc/net/ip_tables_names); do
iptables-save -t $table | grep '^-' | \
while read cmd; do
echo $cmd | grep -q -e '--log-prefix "\*'
if [ $? -eq 0 ]; then
log_entry delete -t $table $cmd
else
log_entry skip -t $table $cmd
fi
done
done
}
case "$1" in
start) start
;;
stop) stop
;;
start_test) IPTABLES="echo iptables"; start
;;
stop_test) IPTABLES="echo iptables"; stop
;;
*) echo $"Usage: $0 {start|stop}"
exit 1
esac
exit 0
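Review bot: `while read rule`, `while read cmd` and `while read chain target rest` lack `-r`, so backslashes in the saved rules (for example inside `--log-prefix` strings) are consumed before `log_entry` re-splits the text on whitespace, which also breaks any quoted argument containing a space. Use `while read -r rule` throughout; quoted arguments still need real parsing rather than the `-j` scan loop in `log_entry`, and a comment there should state that limitation. `eval prefix="${LOGPREFIX}"` evaluates chain and target names taken from the live ruleset; the kernel restricts those names, but building the prefix with plain parameter expansion instead of `eval` is cheaper to audit. `rulenum`, `last_chain` and `target` are shared globals mutated across the loops, which works but deserves a comment at the top of `log_entry`.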


@@ -0,0 +1 @@
ulogd:any:/sbin/e-smith/expand-template /etc/logrotate.d/ulogd

root/run/ulog/.gitignore vendored Normal file


@@ -0,0 +1,18 @@
[Unit]
Description=masq, the Koozali SME Server firewall script
Before=network-pre.target
Wants=network-pre.target
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service firewalld.service
[Service]
Type=oneshot
ExecStartPre=/sbin/e-smith/service-status masq
ExecStart=/etc/rc.d/init.d/masq start
ExecStop=/etc/rc.d/init.d/masq stop
ExecReload=/etc/rc.d/init.d/masq adjust
RemainAfterExit=yes
[Install]
WantedBy=sme-server.target


@@ -0,0 +1,3 @@
[Unit]
Wants=ulogd.service


@@ -0,0 +1,17 @@
[Unit]
Description=Netfilter Userspace Logging Daemon
Before=masq.service
[Service]
User=root
Group=root
Restart=always
TimeoutSec=0
Type=forking
PIDFile=/run/ulog/ulogd.pid
ExecStart=/usr/sbin/ulogd --daemon --uid ulog --pidfile /run/ulog/ulogd.pid
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=sme-server.target multi-user.target
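Review bot: `TimeoutSec=0` disables both the start and the stop timeout, so a ulogd that hangs on SIGTERM blocks system shutdown indefinitely, and with `Restart=always` and no `RestartSec=` a crash-looping daemon is restarted without back-off. A bounded `TimeoutStopSec=30` and `RestartSec=5` keep both failure modes observable. `User=root`/`Group=root` restate the default; a comment next to `ExecStart` noting that the privilege drop happens inside the daemon via `--uid ulog` would explain why the unit does not do it.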


@@ -0,0 +1 @@
d /run/ulog 2755 ulog ulog
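Review bot: `2755` sets the setgid bit on `/run/ulog`, which only forces the group of files created inside it; since the directory exists to hold one pidfile written by the daemon running as ulog:ulog, `0755` expresses the intent without a special bit. If setgid is deliberate, a comment line above the entry should say why.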

root/var/service/.gitignore vendored Normal file