From 402198433754f156b0dd7e11fa4cbb292f769673 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Tue, 9 Jul 2019 10:11:18 +0200
Subject: [PATCH] Updated ifg.usr.f30 (iptables -> nftables).
---
sources/ifg.usr.f30/envvars | 2 +-
.../firstboot/10_iptables_reset.sh | 2 +-
.../ifg.usr.f30/firstboot/10_setupnftables.sh | 19 ++
.../firstboot/11_iptables_set_ifg_rules.sh | 2 +-
.../firstboot/12_iptables_log_dropped.sh | 1 +
.../ifg.usr.f30/firstboot/13_iptables_save.sh | 1 +
sources/ifg.usr.f30/firstboot/nftables.config | 293 ++++++++++++++++++
.../postinstall/10_setupservices.sh | 2 +-
.../install/etc/sysconfig/nftables.conf | 1 +
9 files changed, 319 insertions(+), 4 deletions(-)
create mode 100755 sources/ifg.usr.f30/firstboot/10_setupnftables.sh
create mode 100644 sources/ifg.usr.f30/firstboot/nftables.config
create mode 100644 sources/ifg.usr.f30/postinstall/install/etc/sysconfig/nftables.conf
diff --git a/sources/ifg.usr.f30/envvars b/sources/ifg.usr.f30/envvars
index 03031a0..ccf11d8 100644
--- a/sources/ifg.usr.f30/envvars
+++ b/sources/ifg.usr.f30/envvars
@@ -1,2 +1,2 @@
 BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils rootfiles rsyslog tar vim-minimal"
-SPEC_PACKAGES="iptables iptables-services"
+SPEC_PACKAGES="nftables"
diff --git a/sources/ifg.usr.f30/firstboot/10_iptables_reset.sh b/sources/ifg.usr.f30/firstboot/10_iptables_reset.sh
index f63b04d..a63f9ea 100755
--- a/sources/ifg.usr.f30/firstboot/10_iptables_reset.sh
+++ b/sources/ifg.usr.f30/firstboot/10_iptables_reset.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-
+exit 0
 REAL_PATH=$(realpath $(dirname $0))
diff --git a/sources/ifg.usr.f30/firstboot/10_setupnftables.sh b/sources/ifg.usr.f30/firstboot/10_setupnftables.sh
new file mode 100755
index 0000000..7532482
--- /dev/null
+++ b/sources/ifg.usr.f30/firstboot/10_setupnftables.sh
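Review bot: The `+exit 0` inserted right after the shebang turns 10_iptables_reset.sh into a no-op while leaving its whole iptables body behind as dead code; the same pattern is applied to 11_iptables_set_ifg_rules.sh, 12_iptables_log_dropped.sh and 13_iptables_save.sh in the later hunks. Since envvars no longer installs `iptables`/`iptables-services`, the retained bodies could not run anyway, so deleting the four scripts — or, if they are kept for reference, putting a line such as `# Superseded by 10_setupnftables.sh; kept for reference only` above the `exit 0` — states the intent more plainly than a bare early exit. The remainder of each script lies outside its hunk.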
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -x
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+nft list ruleset
+nft list ruleset | grep ^table | sed 's/ {$//' | while read TABLE_SPEC
+do
+ nft flush $TABLE_SPEC
+ nft delete $TABLE_SPEC
+done
+#exit 0
+
+nft --echo --file $REAL_PATH/nftables.config
+nft list ruleset >/etc/nftables/ifg.nft
+
+systemctl enable nftables.service
diff --git a/sources/ifg.usr.f30/firstboot/11_iptables_set_ifg_rules.sh b/sources/ifg.usr.f30/firstboot/11_iptables_set_ifg_rules.sh
index e4c7734..c1cc705 100755
--- a/sources/ifg.usr.f30/firstboot/11_iptables_set_ifg_rules.sh
+++ b/sources/ifg.usr.f30/firstboot/11_iptables_set_ifg_rules.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-
+exit 0
 REAL_PATH=$(realpath $(dirname $0))
diff --git a/sources/ifg.usr.f30/firstboot/12_iptables_log_dropped.sh b/sources/ifg.usr.f30/firstboot/12_iptables_log_dropped.sh
index b419bf6..db6992e 100755
--- a/sources/ifg.usr.f30/firstboot/12_iptables_log_dropped.sh
+++ b/sources/ifg.usr.f30/firstboot/12_iptables_log_dropped.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
 #set -x
+exit 0
 ################################
 # iptables command
diff --git a/sources/ifg.usr.f30/firstboot/13_iptables_save.sh b/sources/ifg.usr.f30/firstboot/13_iptables_save.sh
index 85932f3..4135372 100755
--- a/sources/ifg.usr.f30/firstboot/13_iptables_save.sh
+++ b/sources/ifg.usr.f30/firstboot/13_iptables_save.sh
@@ -1,4 +1,5 @@
 #!/bin/sh
 #set -x
+exit 0
 /sbin/iptables-save >/etc/sysconfig/iptables
diff --git a/sources/ifg.usr.f30/firstboot/nftables.config b/sources/ifg.usr.f30/firstboot/nftables.config
new file mode 100644
index 0000000..75ec6e3
--- /dev/null
+++ b/sources/ifg.usr.f30/firstboot/nftables.config
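Review bot: The result of `nft --echo --file $REAL_PATH/nftables.config` (line 16 of the new 10_setupnftables.sh) is never checked, yet by then the `while read` loop has flushed and deleted every table in the live ruleset, so a parse error in nftables.config leaves the script saving an empty ruleset to /etc/nftables/ifg.nft and enabling nftables.service on top of it — the drop policies live in the config's chains, so an empty ruleset means no filtering at all on the next boot. Validate the file before the teardown and stop on any failure: `nft -c -f "$REAL_PATH/nftables.config" || exit 1` ahead of the loop (`-c` checks the file without applying it), and `nft -f "$REAL_PATH/nftables.config" || exit 1` in place of the unchecked load. Quoting `$REAL_PATH` there and writing `REAL_PATH=$(realpath "$(dirname "$0")")` keeps the script correct should the firstboot directory ever contain a space. `set -x` on line 2 and the bare `nft list ruleset` on line 8 dump the complete ruleset into the firstboot output; presumably leftover debugging, worth dropping before the image is built.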
@@ -0,0 +1,293 @@
+#!/usr/sbin/nft -f
+
+
+################################
+# interface definitions
+################################
+
+# internal interface
+define INTERNAL_IF = ifg
+
+# loopback interface
+define LOOPBACK_IF = lo
+
+# perimeter interface
+define PERIMETER_IF = eth0
+
+################################
+# address definitions
+################################
+
+# loopback address
+define LOOPBACK_IP = 127.0.0.1
+
+# public addresses
+define PUBLIC_EFG_IP = 194.149.40.146
+define PUBLIC_NS_IP = 194.149.40.147
+define PUBLIC_VPN_IP = 194.149.40.148
+define PUBLIC_WS_IP = 194.149.40.149
+define PUBLIC_IP_150 = 194.149.40.150
+define PUBLIC_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_IP_152 = 194.149.40.152
+define PUBLIC_IP_153 = 194.149.40.153
+define PUBLIC_IP_154 = 194.149.40.154
+define PUBLIC_IP_155 = 194.149.40.155
+define PUBLIC_IP_156 = 194.149.40.156
+define PUBLIC_RX300_IP = 194.149.40.157
+define PUBLIC_DL360E_IP = 194.149.40.158
+
+define PUBLIC_IP_194 = 84.2.25.194
+define PUBLIC_IP_195 = 84.2.25.195
+define PUBLIC_IP_196 = 84.2.25.196
+define PUBLIC_IP_197 = 84.2.25.197
+define PUBLIC_IP_198 = 84.2.25.198
+define PUBLIC_IP_199 = 84.2.25.199
+define PUBLIC_IP_200 = 84.2.25.200
+define PUBLIC_IP_201 = 84.2.25.201
+define PUBLIC_IP_202 = 84.2.25.202
+define PUBLIC_IP_203 = 84.2.25.203
+define PUBLIC_IP_204 = 84.2.25.204
+define PUBLIC_IP_205 = 84.2.25.205
+define PUBLIC_IP_206 = 84.2.25.206
+
+# efg address (perimeter network)
+define EFG_PERIMETER_IP = 192.168.173.254
+
+# service address (perimeter network)
+#define SVC_PERIMETER_IP = 192.168.173.253
+
+# transfer web server address (perimeter network)
+define XFR_PERIMETER_IP = 192.168.173.251
+
+# subversion address (perimeter network)
+#define SVN_PERIMETER_IP = 192.168.173.250
+
+# web server address (perimeter network)
+define WS_PERIMETER_IP = 192.168.173.249
+
+# perimeter name server address (perimeter network)
+define PNS_PERIMETER_IP = 192.168.173.174
+
+# external name server address (perimeter network)
+define ENS_PERIMETER_IP = 192.168.173.64
+
+# ifg address (perimeter network)
+define IFG_PERIMETER_IP = 192.168.173.1
+
+# ifg addresses (internal network)
+define IFG_USR_IP = 10.228.109.254
+define IFG_SR_IP = 192.168.42.254
+define IFG_IN_IP = 192.168.43.254
+
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IP = 10.228.62.193
+
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IP = 10.228.109.133
+
+# store address (internal network)
+define STORE_INTERNAL_IP = 10.228.109.250
+
+# service address (internal network)
+define SVC_INTERNAL_IP = 10.228.109.253
+
+# vpn address (internal network)
+define VPN_INTERNAL_IP = 10.228.109.236
+
+# primary name server address (internal network)
+define PNS_INTERNAL_IP = 10.228.109.174
+
+# internal name server address (internal network)
+define INS_INTERNAL_IP = 10.228.109.104
+
+# worksheet address (internal network)
+define WORKSHEET_SR_IP = 192.168.42.248
+
+################################
+# network definitions
+################################
+
+# internal networks
+define USR_NET = 10.228.0.0/16
+define SR_NET = 192.168.42.0/24
+define IN_NET = 192.168.43.0/24
+define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+
+# perimeter network
+define PERIMETER_NET = 192.168.173.0/24
+
+# vpn client network
+define VPN_NET = 172.16.223.0/24
+
+# peep-bo network
+define PEEP_BO_NET = 10.162.104.0/24
+
+################################
+# port definitions
+################################
+
+#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define WS_PORTS = { 80, 443 }
+
+
+################################
+# reset nftables
+################################
+
+create table inet ifg_filter
+create table ip ifg_nat
+
+create chain inet ifg_filter input { type filter hook input priority 0; policy drop; }
+create chain inet ifg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain inet ifg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+
+
+################################
+# NAT prerouting rules
+################################
+
+add rule ip ifg_nat prerouting \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+ ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+ counter dnat $WS_PERIMETER_IP
+
+
+################################
+# FILTER input rules
+################################
+
+add rule inet ifg_filter input \
+ ct state established \
+ ip protocol udp \
+ iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \
+ ip daddr $IFG_USR_IP udp dport 1024-65535 \
+ counter accept comment "DNS replies"
+
+add rule inet ifg_filter input \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter input \
+ counter log prefix "INPUT"
+
+
+################################
+# FILTER forward rules
+################################
+
+add rule inet ifg_filter forward \
+ ct state established, related \
+ iifname $PERIMETER_IF \
+ oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \
+ counter accept comment "Established sessions"
+
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+ oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
+ counter accept comment "Internet access"
+
+add rule inet ifg_filter forward \
+ ct state new, established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+ counter accept comment "Webserver access"
+
+add rule inet ifg_filter forward \
+ ct state new \
+ ip protocol udp \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 53 \
+ counter accept comment "DNS zone notification"
+
+add rule inet ifg_filter forward \
+ ct state new \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IP tcp dport 53 \
+ counter accept comment "DNS zone transfer requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP tcp sport 53 \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+ counter accept comment "DNS zone transfer replies"
+
+add rule inet ifg_filter forward \
+ ip protocol udp \
+ iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+ counter accept comment "Incoming VPN traffic"
+
+add rule inet ifg_filter forward \
+ iifname $INTERNAL_IF \
+ oifname $INTERNAL_IF \
+ counter accept comment "Internal traffic"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IP tcp dport 80 \
+ counter accept comment "Redmine requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IP tcp sport 80 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Redmine replies"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IP tcp dport 8080 \
+ counter accept comment "MiniCRM requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IP tcp sport 8080 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "MiniCRM replies"
+
+add rule inet ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IP tcp dport 8079 \
+ counter accept comment "Worksheet requests"
+
+add rule inet ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IP tcp sport 8079 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+ counter accept comment "Worksheet replies"
+
+add rule inet ifg_filter forward \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter forward \
+ counter log prefix "FORWARD"
+
+
+################################
+# FILTER output rules
+################################
+
+add rule inet ifg_filter output \
+ ct state new \
+ ip protocol udp \
+ ip saddr $IFG_USR_IP udp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \
+ counter accept comment "DNS requests"
+
+add rule inet ifg_filter output \
+ ip protocol icmp \
+ counter accept comment "ICMP"
+
+add rule inet ifg_filter output \
+ counter log prefix "OUTPUT"
diff --git a/sources/ifg.usr.f30/postinstall/10_setupservices.sh b/sources/ifg.usr.f30/postinstall/10_setupservices.sh
index 80c2db2..5250ed4 100755
--- a/sources/ifg.usr.f30/postinstall/10_setupservices.sh
+++ b/sources/ifg.usr.f30/postinstall/10_setupservices.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
-systemctl enable iptables.service
+#systemctl enable iptables.service
 systemctl enable NetworkManager-wait-online.service
 systemctl mask wpa_supplicant.service
diff --git a/sources/ifg.usr.f30/postinstall/install/etc/sysconfig/nftables.conf b/sources/ifg.usr.f30/postinstall/install/etc/sysconfig/nftables.conf
new file mode 100644
index 0000000..e6bf91c
--- /dev/null
+++ b/sources/ifg.usr.f30/postinstall/install/etc/sysconfig/nftables.conf
@@ -0,0 +1 @@
+include /etc/nftables/ifg.nft
-- 2.54.0
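Review bot: `LOOPBACK_IF` and `LOOPBACK_IP` are defined near the top of nftables.config but never referenced, and with `policy drop` on both the input and output chains nothing accepts loopback traffic, so any local client of a local service on 127.0.0.1 is dropped and logged; presumably an omission — `add rule inet ifg_filter input iifname $LOOPBACK_IF counter accept comment "Loopback"` and `add rule inet ifg_filter output oifname $LOOPBACK_IF counter accept comment "Loopback"` would cover it. The three terminal `counter log prefix "INPUT"` / `"FORWARD"` / `"OUTPUT"` rules carry no rate limit, so a flood of dropped packets is written to the journal one line per packet; `limit rate 10/second counter log prefix "INPUT: "` bounds that, and the trailing colon-space separates the prefix from the `IN=` field the kernel prints directly after it. Because the table is family `inet` but every accept rule matches `ip protocol`/`ip saddr`, IPv6 — including ICMPv6 neighbour discovery — falls through to the drop policies; fine if the box is IPv4-only, but a comment at the top stating that assumption would save the next reader the analysis.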
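Review bot: The include points at /etc/nftables/ifg.nft, which does not exist in the built image; it is generated by firstboot/10_setupnftables.sh, and nftables.service is enabled there rather than in postinstall/10_setupservices.sh (where the iptables enable is now commented out), presumably so the service never starts before the file exists. Since `nft -f` fails on a missing include, that ordering is load-bearing and deserves a comment in this one-line file, e.g. `# ifg.nft is written by firstboot/10_setupnftables.sh, which enables nftables.service only after it exists`.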