From: Zoltán Felleg Date: Tue, 8 Mar 2022 16:16:23 +0000 (+0100) Subject: Updated ifg.in (added webserver - pki letsencrypt rsync rules). X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=a6efa87c28989c04ba24dd50fcd663b8fd3a6975;p=user-lxc.git Updated ifg.in (added webserver - pki letsencrypt rsync rules). --- diff --git a/sources/ifg.in/c3d/firstboot/data/nftables.config b/sources/ifg.in/c3d/firstboot/data/nftables.config index a6954b2..a931146 100644 --- a/sources/ifg.in/c3d/firstboot/data/nftables.config +++ b/sources/ifg.in/c3d/firstboot/data/nftables.config @@ -63,10 +63,6 @@ define IFG_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfe define IFG_SR_IPV4 = 192.168.42.254 define IFG_IN_IPV4 = 192.168.43.254 -# service address (internal network) -define SVC_INTERNAL_IPV4 = 10.228.109.253 -define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd - # store address (internal network) define STORE_INTERNAL_IPV4 = 10.228.109.250 define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68 @@ -82,8 +78,9 @@ define VPN_INTERNAL_IPV4 = 10.228.109.236 define SNS_INTERNAL_IPV4 = 10.228.109.204 define SNS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dcc -# primary name server address (internal network) -define PNS_INTERNAL_IPV4 = 10.228.109.174 +# public key infrastructure server address (internal network) +define PKI_INTERNAL_IPV4 = 10.228.109.171 +define PKI_INTERNAL_IPV6 = 2a02:d400:0:f268:c:18ff:fe03:6dab # name server 1 address (internal network) define NS1_INTERNAL_IPV4 = 10.228.109.159 
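Review bot: The new `PKI_INTERNAL_IPV6` value is written in compressed form (`2a02:d400:0:f268:c:18ff:fe03:6dab`) while every other address define in this file, including `SNS_INTERNAL_IPV6` two lines above it, uses the zero-padded form; nft parses both, but anyone grepping for the `:f268:000c:` host prefix will miss this entry. Suggest `define PKI_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dab` to keep one notation. The same hunk drops `PNS_INTERNAL_IPV4` (and the neighbouring hunks drop `SVC_INTERNAL_*` and `INS_INTERNAL_*`); none of the rules visible in this diff reference them, but the rest of the file is not shown, so confirm no `$PNS_INTERNAL_IPV4` use remains, since an undefined symbol makes nft reject the whole file and leaves the host without these tables.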
@@ -92,10 +89,6 @@ define NS1_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d9f # minicrm address (internal network) define MINICRM_INTERNAL_IPV4 = 10.228.109.133 -# internal name server address (internal network) -define INS_INTERNAL_IPV4 = 10.228.109.104 -define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68 - # name server 2 address (internal network) define NS2_INTERNAL_IPV4 = 10.228.92.159 define NS2_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:5c9f 
@@ -140,24 +133,24 @@ define WS_PORTS = { 80, 443 } # reset nftables ################################ -create table ip ifg_filter -create table ip ifg_nat -create table ip6 ifg_filter +create table ip ifg-filter +create table ip ifg-nat +create table ip6 ifg-filter -create chain ip ifg_filter input { type filter hook input priority 0; policy drop; } -create chain ip ifg_filter forward { type filter hook forward priority 0; policy drop; } -create chain ip ifg_filter output { type filter hook output priority 0; policy drop; } -create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; } -create chain ip6 ifg_filter input { type filter hook input priority 0; policy drop; } -create chain ip6 ifg_filter forward { type filter hook forward priority 0; policy drop; } -create chain ip6 ifg_filter output { type filter hook output priority 0; policy drop; } +create chain ip ifg-filter input { type filter hook input priority 0; policy drop; } +create chain ip ifg-filter forward { type filter hook forward priority 0; policy drop; } +create chain ip ifg-filter output { type filter hook output priority 0; policy drop; } +create chain ip ifg-nat prerouting { type nat hook prerouting priority 0; policy accept; } +create chain ip6 ifg-filter input { type filter hook input priority 0; policy drop; } +create chain ip6 ifg-filter forward { type filter hook forward priority 0; policy drop; } +create chain ip6 ifg-filter output { type filter hook output priority 0; policy drop; } ################################ # NAT prerouting rules ################################ -add rule ip ifg_nat prerouting \ +add rule ip ifg-nat prerouting \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ ip daddr $PUBLIC_WS_IPV4 tcp dport $WS_PORTS \ 
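Review bot: Renaming the tables to `ifg-filter`/`ifg-nat` leaves any existing `ifg_filter`/`ifg_nat` tables in place, because this section only issues `create table` and nothing visible in the hunk deletes or flushes the old names; on a host that already loaded the previous config both rule sets would then run side by side, each with `policy drop` chains. If this file is only ever applied at first boot that is harmless, but then a comment stating that assumption belongs above the `create table` lines, otherwise a `delete table ip ifg_filter` (and the two siblings) should precede them. One more thing to check before rollout: nft(8) documents unquoted identifiers as alphanumerics plus `/`, `\`, `_` and `.`, so if the target nft version is strict about that the hyphenated names must be double-quoted (`"ifg-filter"`); a quick `nft -c -f` against the file settles it.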
@@ -168,22 +161,22 @@ add rule ip ifg_nat prerouting \ # FILTER input rules ################################ -add rule ip ifg_filter input \ +add rule ip ifg-filter input \ ct state established \ ip protocol udp \ iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp sport 53 \ ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \ counter accept comment "DNS replies" -add rule ip6 ifg_filter input \ +add rule ip6 ifg-filter input \ ct state established \ iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp sport 53 \ ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \ counter accept comment "DNS replies" -add rule ip ifg_filter input \ +add rule ip ifg-filter input \ ip protocol icmp \ counter accept comment "ICMP" -add rule ip6 ifg_filter input \ +add rule ip6 ifg-filter input \ icmpv6 type { destination-unreachable, \ echo-reply, \ echo-request, \ @@ -201,13 +194,13 @@ add rule ip6 ifg_filter input \ time-exceeded } \ counter accept comment "ICMPv6" -add rule ip ifg_filter input \ +add rule ip ifg-filter input \ ip protocol gre \ counter accept comment "GRE" -add rule ip ifg_filter input \ +add rule ip ifg-filter input \ counter log prefix "INPUT" -add rule ip6 ifg_filter input \ +add rule ip6 ifg-filter input \ counter log prefix "INPUT" 
@@ -215,174 +208,194 @@ add rule ip6 ifg_filter input \ # FILTER forward rules ################################ -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state established, related \ iifname $PERIMETER_IF \ oifname $INTERNAL_IF ip daddr $INTERNAL_IPV4_NETS \ counter accept comment "Established sessions" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ ct state established, related \ iifname $PERIMETER_IF \ oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \ counter accept comment "Established sessions" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \ oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \ counter accept comment "Internet access" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \ oifname $PERIMETER_IF \ counter accept comment "Internet access" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state new, established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \ counter accept comment "Webserver access" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state new, established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $SSH_PORT \ counter accept comment "Webserver SSH access" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state new \ ip protocol udp \ iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 udp sport 1024-65535 \ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \ counter accept comment "DNS zone notification" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ ct state new \ iifname $INTERNAL_IF ip6 saddr 
$SNS_INTERNAL_IPV6 udp sport 1024-65535 \ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } udp dport 53 \ counter accept comment "DNS zone notification" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state new \ ip protocol tcp \ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport 53 \ counter accept comment "DNS zone transfer requests" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ ct state new \ iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \ oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport 53 \ counter accept comment "DNS zone transfer requests" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport 53 \ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \ counter accept comment "DNS zone transfer replies" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ ct state established \ iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport 53 \ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \ counter accept comment "DNS zone transfer replies" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ip protocol udp \ iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \ counter accept comment "Incoming VPN traffic" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ + iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ + oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \ + counter accept comment "Webserver letsencrypt transfer requests" +add rule ip6 
ifg-filter forward \ + iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \ + oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \ + counter accept comment "Webserver letsencrypt transfer requests" + +add rule ip ifg-filter forward \ + ct state established \ + iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \ + oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ + counter accept comment "Webserver letsencrypt transfer replies" +add rule ip6 ifg-filter forward \ + ct state established \ + iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \ + oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \ + counter accept comment "Webserver letsencrypt transfer replies" + +add rule ip ifg-filter forward \ iifname $INTERNAL_IF \ oifname $INTERNAL_IF \ counter accept comment "Internal traffic" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ip protocol tcp \ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport 80 \ counter accept comment "Store requests" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \ oifname $INTERNAL_IF ip6 daddr $STORE_INTERNAL_IPV6 tcp dport 80 \ counter accept comment "Store requests" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $STORE_INTERNAL_IPV4 tcp sport 80 \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "Store replies" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ ct state established \ iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \ counter accept comment "Store replies" -add rule ip 
ifg_filter forward \ +add rule ip ifg-filter forward \ ip protocol tcp \ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $WIKI_INTERNAL_IPV4 tcp dport 80 \ counter accept comment "Wiki requests" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \ oifname $INTERNAL_IF ip6 daddr $WIKI_INTERNAL_IPV6 tcp dport 80 \ counter accept comment "Wiki requests" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $WIKI_INTERNAL_IPV4 tcp sport 80 \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "Wiki replies" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ ct state established \ iifname $INTERNAL_IF ip6 saddr $WIKI_INTERNAL_IPV6 tcp sport 80 \ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \ counter accept comment "Wiki replies" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ip protocol tcp \ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IPV4 tcp dport 80 \ counter accept comment "Redmine requests" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IPV4 tcp sport 80 \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "Redmine replies" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ip protocol tcp \ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \ counter accept comment "MiniCRM requests" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state established \ ip protocol tcp \ 
iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "MiniCRM replies" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ip protocol tcp \ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \ counter accept comment "Worksheet requests" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ct state established \ ip protocol tcp \ iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IPV4 tcp sport 8079 \ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \ counter accept comment "Worksheet replies" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ ip protocol icmp \ counter accept comment "ICMP" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ icmpv6 type { destination-unreachable, \ echo-reply, \ echo-request, \ @@ -400,9 +413,9 @@ add rule ip6 ifg_filter forward \ time-exceeded } \ counter accept comment "ICMPv6" -add rule ip ifg_filter forward \ +add rule ip ifg-filter forward \ counter log prefix "FORWARD" -add rule ip6 ifg_filter forward \ +add rule ip6 ifg-filter forward \ counter log prefix "FORWARD" 
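Review bot: The two new "Webserver letsencrypt transfer requests" rules carry no `ct state new` match, unlike the `DNS zone transfer requests` pair earlier in this hunk, and the IPv4 one also omits the `ip protocol tcp` line that every other IPv4 rule here starts with; without the state match the accept also covers packets of flows conntrack does not recognise, and the request/reply split the "transfer replies" rules rely on is no longer explicit. Suggest inserting `    ct state new \` after `add rule ip ifg-filter forward \` and `add rule ip6 ifg-filter forward \`, plus `    ip protocol tcp \` in the IPv4 rule, so the pair reads like the DNS zone transfer rules. This is also the first rule that lets the perimeter-facing webserver open connections to the PKI host; the match is tight (single source host, `tcp dport rsync`), but the rule comment should say what the PKI side is expected to expose on 873 (rsync daemon mode has no transport encryption, and its access control lives on the PKI host, not here), so a later reviewer can judge the exposure without reading the PKI config.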
@@ -410,22 +423,22 @@ add rule ip6 ifg_filter forward \ # FILTER output rules ################################ -add rule ip ifg_filter output \ +add rule ip ifg-filter output \ ct state new \ ip protocol udp \ ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \ oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp dport 53 \ counter accept comment "DNS requests" -add rule ip6 ifg_filter output \ +add rule ip6 ifg-filter output \ ct state new \ ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \ oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp dport 53 \ counter accept comment "DNS requests" -add rule ip ifg_filter output \ +add rule ip ifg-filter output \ ip protocol icmp \ counter accept comment "ICMP" -add rule ip6 ifg_filter output \ +add rule ip6 ifg-filter output \ icmpv6 type { destination-unreachable, \ echo-reply, \ echo-request, \ @@ -443,7 +456,7 @@ add rule ip6 ifg_filter output \ time-exceeded } \ counter accept comment "ICMPv6" -add rule ip ifg_filter output \ +add rule ip ifg-filter output \ counter log prefix "OUTPUT" -add rule ip6 ifg_filter output \ +add rule ip6 ifg-filter output \ counter log prefix "OUTPUT"