From 7badb6ea198c94b79984abee073ca3bf3c4809c7 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 19 Feb 2021 22:53:24 -0500
Subject: [PATCH] splitting iptables scripts
---
 scripts/subinstallers/ip6tables.sh | 24 +++++++++
 scripts/subinstallers/iptables.sh | 59 +----------------------
 scripts/subinstallers/iptables_cleanup.sh | 33 +++++++++++++
 scripts/subinstallers/iptables_docker.sh | 6 +++
 scripts/subinstallers/vars.sh | 7 +++
 5 files changed, 72 insertions(+), 57 deletions(-)
 create mode 100644 scripts/subinstallers/ip6tables.sh
 create mode 100644 scripts/subinstallers/iptables_cleanup.sh
 create mode 100644 scripts/subinstallers/iptables_docker.sh
 create mode 100644 scripts/subinstallers/vars.sh
diff --git a/scripts/subinstallers/ip6tables.sh b/scripts/subinstallers/ip6tables.sh
new file mode 100644
index 0000000..6d102fe
--- /dev/null
+++ b/scripts/subinstallers/ip6tables.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+
+# resetting ip6tables rules
+sudo ip6tables -F
+sudo ip6tables -t nat -F
+sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true
+
+# ip6tables: log and drop chain
+sudo ip6tables -N MISTBORN_LOG_DROP
+sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4
+sudo ip6tables -A MISTBORN_LOG_DROP -j DROP
+
+# ip6tables
+echo "Setting ip6tables rules"
+sudo ip6tables -P INPUT ACCEPT
+sudo ip6tables -I INPUT -i lo -j ACCEPT
+sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP
+
+sudo ip6tables -P INPUT DROP
+sudo ip6tables -P FORWARD DROP
+sudo ip6tables -P OUTPUT ACCEPT
+
diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh
index b209428..f429c45 100755
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
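Review bot: With `-P INPUT DROP` and only `lo` plus `RELATED,ESTABLISHED` accepted, every inbound ICMPv6 packet falls through to MISTBORN_LOG_DROP, and Neighbour Discovery (NS/NA/RA) is not treated as ESTABLISHED by conntrack, so the host's IPv6 neighbour cache and router/prefix learning can stop working once this runs; the code is moved rather than new, but the split is a good moment to fix it. Add `sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT` (or the narrower RFC 4890 type list) before the `-A INPUT -j MISTBORN_LOG_DROP` line. The new file also has no `set -e`, unlike iptables.sh which sets it near the top; if this script is executed rather than sourced, a failing ip6tables call is not fatal and the host is left with whatever partial policy was applied, so a `set -e` line to match the sibling would presumably be wanted.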
@@ -4,6 +4,8 @@ set -e figlet "Mistborn: Configuring Firewall" +source ./scripts/subinstallers/vars.sh + echo "stop iptables wrappers" if [ "$DISTRO" == "ubuntu" ]; then # Disable UFW @@ -11,12 +13,6 @@ if [ "$DISTRO" == "ubuntu" ]; then sudo systemctl disable ufw || true fi -# default interface -iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') - -# real public interface -riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}') - # resetting iptables sudo iptables -F sudo iptables -t nat -F 
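Review bot: After `source ./scripts/subinstallers/vars.sh` nothing checks that `$iface` was actually populated; vars.sh derives it from the default route, and further down this file it is used unquoted in `sudo iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE`, so an empty value produces a malformed iptables invocation instead of a clear diagnostic. Since the file runs under `set -e`, one line right after the source makes the failure explicit: `: "${iface:?vars.sh: no default IPv4 route found}"`. The relative path matches the `./scripts/conf/15-iptables.conf` copy elsewhere in the installer, so running from the repository root is already an assumption; a comment above the source line such as `# run from the repo root: vars.sh sets iface/riface` would make that visible.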
@@ -73,54 +69,3 @@ sudo iptables -t nat -I POSTROUTING -o $iface -j MASQUERADE # sudo iptables -t nat -I POSTROUTING -o $riface -j MASQUERADE #fi -# resetting ip6tables rules -sudo ip6tables -F -sudo ip6tables -t nat -F -sudo ip6tables -X MISTBORN_LOG_DROP 2>/dev/null || true - -# ip6tables: log and drop chain -sudo ip6tables -N MISTBORN_LOG_DROP -sudo ip6tables -A MISTBORN_LOG_DROP -m limit --limit 6/min -j LOG --log-prefix "[Mistborn-IPTables-Dropped]: " --log-level 4 -sudo ip6tables -A MISTBORN_LOG_DROP -j DROP - -# ip6tables -echo "Setting ip6tables rules" -sudo ip6tables -P INPUT ACCEPT -sudo ip6tables -I INPUT -i lo -j ACCEPT -sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP - -sudo ip6tables -P INPUT DROP -sudo ip6tables -P FORWARD DROP -sudo ip6tables -P OUTPUT ACCEPT - -# iptables-persistent -if [ ! "$(dpkg-query -l iptables-persistent)" ]; then - echo "Installing iptables-persistent" - - # answer variables - echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections - echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections - - # install - sudo -E apt-get install -y iptables-persistent ipset -else - echo "Saving iptables rules" - sudo bash -c "iptables-save > /etc/iptables/rules.v4" - echo "Saving ip6tables rules" - sudo bash -c "ip6tables-save > /etc/iptables/rules.v6" -fi - -# IP forwarding -sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf - -# VM Overcommit Memory -sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf - -# Force re-read of sysctl.conf -sudo sysctl -p /etc/sysctl.conf - -# rsyslog to create /var/log/iptables.log -sudo cp ./scripts/conf/15-iptables.conf /etc/rsyslog.d/ -sudo chown root:root 
/etc/rsyslog.d/15-iptables.conf
-sudo systemctl restart rsyslog
diff --git a/scripts/subinstallers/iptables_cleanup.sh b/scripts/subinstallers/iptables_cleanup.sh
new file mode 100644
index 0000000..7ecad95
--- /dev/null
+++ b/scripts/subinstallers/iptables_cleanup.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+
+# iptables-persistent
+if [ ! "$(dpkg-query -l iptables-persistent)" ]; then
+ echo "Installing iptables-persistent"
+
+ # answer variables
+ echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
+ echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
+
+ # install
+ sudo -E apt-get install -y iptables-persistent ipset
+else
+ echo "Saving iptables rules"
+ sudo bash -c "iptables-save > /etc/iptables/rules.v4"
+ echo "Saving ip6tables rules"
+ sudo bash -c "ip6tables-save > /etc/iptables/rules.v6"
+fi
+
+# IP forwarding
+sudo sed -i 's/.*net.ipv4.ip_forward.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
+
+# VM Overcommit Memory
+sudo grep -i "vm.overcommit_memory" /etc/sysctl.conf && sudo sed -i 's/.*vm.overcommit_memory.*/vm.overcommit_memory=1/' /etc/sysctl.conf || echo "vm.overcommit_memory=1" | sudo tee -a /etc/sysctl.conf
+
+# Force re-read of sysctl.conf
+sudo sysctl -p /etc/sysctl.conf
+
+# rsyslog to create /var/log/iptables.log
+sudo cp ./scripts/conf/15-iptables.conf /etc/rsyslog.d/
+sudo chown root:root /etc/rsyslog.d/15-iptables.conf
+sudo systemctl restart rsyslog
diff --git a/scripts/subinstallers/iptables_docker.sh b/scripts/subinstallers/iptables_docker.sh
new file mode 100644
index 0000000..2dfa95e
--- /dev/null
+++ b/scripts/subinstallers/iptables_docker.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+source ./scripts/subinstallers/vars.sh
+
+sudo iptables -N DOCKER-USER || true
+sudo iptables -I DOCKER-USER -i $iface -j MISTBORN_INT_LOG_DROP
diff --git a/scripts/subinstallers/vars.sh b/scripts/subinstallers/vars.sh
new file mode 100644
index 0000000..1469752
--- /dev/null
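Review bot: The `[ ! "$(dpkg-query -l iptables-persistent)" ]` test in iptables_cleanup.sh is not a reliable "is it installed" check: for a package that dpkg still knows about but which is not installed (removed or `rc`/`un` state) `dpkg-query -l` can print a table and exit 0, so the script takes the `else` branch and `iptables-save > /etc/iptables/rules.v4` fails because the directory does not exist, leaving the rules unsaved and the firewall empty after a reboot. Check the status field instead: `if ! dpkg-query -W -f='${Status}' iptables-persistent 2>/dev/null | grep -q 'install ok installed'; then`. Adjacent to it, the `net.ipv4.ip_forward` sed only rewrites an existing line and, unlike the overcommit handling just below, never appends one when nothing matches, so on a sysctl.conf without that entry forwarding is silently left off; the same grep-then-sed-or-tee pattern would close that gap.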
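Review bot: `sudo iptables -I DOCKER-USER -i $iface -j MISTBORN_INT_LOG_DROP` in iptables_docker.sh goes to the head of DOCKER-USER, which Docker jumps to from FORWARD before its own RELATED,ESTABLISHED accept, so unless MISTBORN_INT_LOG_DROP itself accepts established flows (it is defined outside this patch) the reply packets of container-initiated outbound connections arriving on `$iface` are logged and dropped. The usual shape is to accept established traffic first: keep the existing line and add `sudo iptables -I DOCKER-USER -i "$iface" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` after it, so the accept lands above the drop. The `-I` is also not idempotent — each re-run of the installer adds a duplicate rule — so prefix it with `sudo iptables -C DOCKER-USER -i "$iface" -j MISTBORN_INT_LOG_DROP 2>/dev/null ||`. Finally `$iface` should be quoted, and because this file has no `set -e`, a failed `source ./scripts/subinstallers/vars.sh` (wrong working directory) means the rule is attempted with an empty interface rather than aborting.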
+++ b/scripts/subinstallers/vars.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# default interface
+iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
+
+# real public interface
+riface=$(ip -o -4 route get 1.1.1.1 | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
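Review bot: vars.sh only does anything useful when sourced (both callers in this patch `source` it, and it just assigns two shell variables), but nothing in the file says so; a header comment such as `# Sourced by the iptables sub-installers: sets iface (default-route interface) and riface (interface used to reach 1.1.1.1).` would stop someone executing it and wondering why nothing happens. `egrep` is deprecated in favour of `grep -E` and newer GNU grep prints a warning for it; `grep -Eo 'dev [^ ]*'` is a drop-in replacement on both lines. The `ip route get 1.1.1.1` lookup yields an empty `riface` on a host with no route to that address; in the visible part of iptables.sh riface is only referenced from commented-out lines, so this may be harmless today, but a note that callers must treat an empty value as "no route" would be worth adding.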