From 6260f8bce49a0ade5e239e923524ecf27ebf8b27 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Wed, 9 Mar 2022 12:42:35 +0100
Subject: [PATCH] Updated ifg.in (added git, mercurial and subversion nft rules).
---
 .../ifg.in/c3d/firstboot/data/nftables.config | 188 ++++++++++--------
 .../var/named/pm.useribm.hu.zonesource | 2 +-
 2 files changed, 108 insertions(+), 82 deletions(-)
diff --git a/sources/ifg.in/c3d/firstboot/data/nftables.config b/sources/ifg.in/c3d/firstboot/data/nftables.config
index a931146..97f8163 100644
--- a/sources/ifg.in/c3d/firstboot/data/nftables.config
+++ b/sources/ifg.in/c3d/firstboot/data/nftables.config
@@ -46,10 +46,22 @@ define XFR_PERIMETER_IPV4 = 192.168.173.251
 define WS_PERIMETER_IPV4 = 192.168.173.249
 define WS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adf9
+# subversion server address (perimeter network)
+define SVN_PERIMETER_IPV4 = 192.168.173.212
+define SVN_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:add4
 # perimeter name server address (perimeter network)
 define PNS_PERIMETER_IPV4 = 192.168.173.174
 define PNS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adae
+# mercurial server address (perimeter network)
+define HG_PERIMETER_IPV4 = 192.168.173.87
+define HG_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad57
+# git server address (perimeter network)
+define GIT_PERIMETER_IPV4 = 192.168.173.79
+define GIT_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad4f
 # external name server address (perimeter network)
 define ENS_PERIMETER_IPV4 = 192.168.173.64
 define ENS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad40
@@ -89,6 +101,10 @@ define NS1_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d9f
 # minicrm address (internal network)
 define MINICRM_INTERNAL_IPV4 = 10.228.109.133
+# fedora directory server address (internal network)
+define FDS_INTERNAL_IPV4 = 10.228.109.64
+define FDS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d40
 # name server 2 address (internal network)
 define NS2_INTERNAL_IPV4 = 10.228.92.159
 define NS2_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:5c9f
@@ -108,7 +124,9 @@ define INTERNAL_IPV4_NET = 10.228.0.0/16
 define INTERNAL_IPV6_NET = 2a02:d400:0000:f268::/64
 define SR_IPV4_NET = 192.168.42.0/24
 define IN_IPV4_NET = 192.168.43.0/24
-define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, $SR_IPV4_NET, $IN_IPV4_NET }
+define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \
+ $SR_IPV4_NET, \
+ $IN_IPV4_NET }
 # perimeter network
 define PERIMETER_NET = 192.168.173.0/24
@@ -125,8 +143,7 @@ define PEEP_BO_NET = 10.162.104.0/24
 ################################
 #define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
-define SSH_PORT = 22
-define WS_PORTS = { 80, 443 }
+define FDS_PORTS = { ldap, ldaps }
 ################################
@@ -153,7 +170,7 @@ create chain ip6 ifg-filter output { type filter hook output priority 0; policy
 add rule ip ifg-nat prerouting \
 ip protocol tcp \
 iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- ip daddr $PUBLIC_WS_IPV4 tcp dport $WS_PORTS \
+ ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
 counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
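Review bot: `define FDS_PORTS = { ldap, ldaps }` is introduced here but nothing in the rest of this patch references `$FDS_PORTS`; the four directory-server rules in the @@ -312 hunk spell `{ ldap, ldaps }` out literally, so the define is dead as committed. At the same time `SSH_PORT` and `WS_PORTS` are removed in favour of inline `ssh` and `{ http, https }` in the @@ -153 and @@ -232 hunks, so the patch moves in two directions at once. Pick one convention: either drop `FDS_PORTS` as well, or have the LDAP rules use `tcp dport $FDS_PORTS` / `tcp sport $FDS_PORTS` so the port set has a single point of change when plaintext LDAP is eventually retired.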
@@ -164,12 +181,14 @@ add rule ip ifg-nat prerouting \
 add rule ip ifg-filter input \
 ct state established \
 ip protocol udp \
- iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp sport 53 \
+ iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, \
+ $NS2_INTERNAL_IPV4 } udp sport domain \
 ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \
 counter accept comment "DNS replies"
 add rule ip6 ifg-filter input \
 ct state established \
- iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp sport 53 \
+ iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, \
+ $NS2_INTERNAL_IPV6 } udp sport domain \
 ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
 counter accept comment "DNS replies"
@@ -232,50 +251,56 @@ add rule ip ifg-filter forward \
 ct state new, established \
 ip protocol tcp \
 iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
 counter accept comment "Webserver access"
 add rule ip ifg-filter forward \
 ct state new, established \
 ip protocol tcp \
 iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $SSH_PORT \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport ssh \
 counter accept comment "Webserver SSH access"
 add rule ip ifg-filter forward \
 ct state new \
 ip protocol udp \
 iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \
- counter accept comment "DNS zone notification"
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, \
+ $PNS_PERIMETER_IPV4 } udp dport domain \
+ counter accept comment "DNS zone notifications"
 add rule ip6 ifg-filter forward \
 ct state new \
 iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 udp sport 1024-65535 \
- oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } udp dport 53 \
- counter accept comment "DNS zone notification"
+ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, \
+ $PNS_PERIMETER_IPV6 } udp dport domain \
+ counter accept comment "DNS zone notifications"
 add rule ip ifg-filter forward \
 ct state new \
 ip protocol tcp \
- iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport 53 \
+ iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, \
+ $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport domain \
 counter accept comment "DNS zone transfer requests"
 add rule ip6 ifg-filter forward \
 ct state new \
- iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport 53 \
+ iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, \
+ $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport domain \
 counter accept comment "DNS zone transfer requests"
 add rule ip ifg-filter forward \
 ct state established \
 ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport 53 \
- oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport domain \
+ oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, \
+ $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
 counter accept comment "DNS zone transfer replies"
 add rule ip6 ifg-filter forward \
 ct state established \
- iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport 53 \
- oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \
+ iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport domain \
+ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, \
+ $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \
 counter accept comment "DNS zone transfer replies"
 add rule ip ifg-filter forward \
@@ -284,26 +309,6 @@ add rule ip ifg-filter forward \
 oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
 counter accept comment "Incoming VPN traffic"
-add rule ip ifg-filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \
- counter accept comment "Webserver letsencrypt transfer requests"
-add rule ip6 ifg-filter forward \
- iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \
- counter accept comment "Webserver letsencrypt transfer requests"
-
-add rule ip ifg-filter forward \
- ct state established \
- iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Webserver letsencrypt transfer replies"
-add rule ip6 ifg-filter forward \
- ct state established \
- iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \
- oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Webserver letsencrypt transfer replies"
-
 add rule ip ifg-filter forward \
 iifname $INTERNAL_IF \
 oifname $INTERNAL_IF \
@@ -312,85 +317,104 @@ add rule ip ifg-filter forward \
 add rule ip ifg-filter forward \
 ip protocol tcp \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $STORE_INTERNAL_IPV4 tcp dport 80 \
- counter accept comment "Store requests"
+ oifname $INTERNAL_IF ip daddr { $DVREDMINE_INTERNAL_IPV4, \
+ $STORE_INTERNAL_IPV4, \
+ $WIKI_INTERNAL_IPV4 } tcp dport http \
+ counter accept comment "Redmine, store and wiki requests"
 add rule ip6 ifg-filter forward \
 iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $STORE_INTERNAL_IPV6 tcp dport 80 \
- counter accept comment "Store requests"
+ oifname $INTERNAL_IF ip6 daddr { $STORE_INTERNAL_IPV6, \
+ $WIKI_INTERNAL_IPV6 } tcp dport http \
+ counter accept comment "Store and wiki requests"
 add rule ip ifg-filter forward \
 ct state established \
 ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $STORE_INTERNAL_IPV4 tcp sport 80 \
+ iifname $INTERNAL_IF ip saddr { $DVREDMINE_INTERNAL_IPV4, \
+ $STORE_INTERNAL_IPV4, \
+ $WIKI_INTERNAL_IPV4 } tcp sport http \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Store replies"
+ counter accept comment "Redmine, store and wiki replies"
 add rule ip6 ifg-filter forward \
 ct state established \
- iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \
+ iifname $INTERNAL_IF ip6 saddr { $STORE_INTERNAL_IPV6, \
+ $WIKI_INTERNAL_IPV6 } tcp sport http \
 oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Store replies"
+ counter accept comment "Store and wiki replies"
 add rule ip ifg-filter forward \
 ip protocol tcp \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $WIKI_INTERNAL_IPV4 tcp dport 80 \
- counter accept comment "Wiki requests"
-add rule ip6 ifg-filter forward \
- iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr $WIKI_INTERNAL_IPV6 tcp dport 80 \
- counter accept comment "Wiki requests"
+ oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \
+ counter accept comment "MiniCRM requests"
 add rule ip ifg-filter forward \
 ct state established \
 ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $WIKI_INTERNAL_IPV4 tcp sport 80 \
+ iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Wiki replies"
-add rule ip6 ifg-filter forward \
- ct state established \
- iifname $INTERNAL_IF ip6 saddr $WIKI_INTERNAL_IPV6 tcp sport 80 \
- oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
- counter accept comment "Wiki replies"
+ counter accept comment "MiniCRM replies"
 add rule ip ifg-filter forward \
 ip protocol tcp \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IPV4 tcp dport 80 \
- counter accept comment "Redmine requests"
+ oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \
+ counter accept comment "Worksheet requests"
 add rule ip ifg-filter forward \
 ct state established \
 ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IPV4 tcp sport 80 \
+ iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IPV4 tcp sport 8079 \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Redmine replies"
+ counter accept comment "Worksheet replies"
 add rule ip ifg-filter forward \
- ip protocol tcp \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IPV4 tcp dport 8080 \
- counter accept comment "MiniCRM requests"
+ iifname $PERIMETER_IF ip saddr { $GIT_PERIMETER_IPV4, \
+ $HG_PERIMETER_IPV4, \
+ $SVN_PERIMETER_IPV4 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $FDS_INTERNAL_IPV4 tcp dport { ldap, ldaps } \
+ counter accept comment "Git, mercurial and subversion directory server requests"
+add rule ip6 ifg-filter forward \
+ iifname $PERIMETER_IF ip6 saddr { $GIT_PERIMETER_IPV6, \
+ $HG_PERIMETER_IPV6, \
+ $SVN_PERIMETER_IPV6 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $FDS_INTERNAL_IPV6 tcp dport { ldap, ldaps } \
+ counter accept comment "Git, mercurial and subversion directory server requests"
 add rule ip ifg-filter forward \
 ct state established \
- ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IPV4 tcp sport 8080 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "MiniCRM replies"
+ iifname $INTERNAL_IF ip saddr $FDS_INTERNAL_IPV4 tcp sport { ldap, ldaps } \
+ oifname $PERIMETER_IF ip daddr { $GIT_PERIMETER_IPV4, \
+ $HG_PERIMETER_IPV4, \
+ $SVN_PERIMETER_IPV4 } tcp dport 1024-65535 \
+ counter accept comment "Git, mercurial and subversion directory server replies"
+add rule ip6 ifg-filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $FDS_INTERNAL_IPV6 tcp sport {ldap, ldaps } \
+ oifname $PERIMETER_IF ip6 daddr { $GIT_PERIMETER_IPV6, \
+ $HG_PERIMETER_IPV6, \
+ $SVN_PERIMETER_IPV6 } tcp dport 1024-65535 \
+ counter accept comment "Git, mercurial and subversion directory server replies"
 add rule ip ifg-filter forward \
- ip protocol tcp \
 iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IPV4 tcp dport 8079 \
- counter accept comment "Worksheet requests"
+ oifname $INTERNAL_IF ip daddr $PKI_INTERNAL_IPV4 tcp dport rsync \
+ counter accept comment "Webserver letsencrypt transfer requests"
+add rule ip6 ifg-filter forward \
+ iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $PKI_INTERNAL_IPV6 tcp dport rsync \
+ counter accept comment "Webserver letsencrypt transfer requests"
 add rule ip ifg-filter forward \
 ct state established \
- ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IPV4 tcp sport 8079 \
+ iifname $INTERNAL_IF ip saddr $PKI_INTERNAL_IPV4 tcp sport rsync \
 oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Worksheet replies"
+ counter accept comment "Webserver letsencrypt transfer replies"
+add rule ip6 ifg-filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $PKI_INTERNAL_IPV6 tcp sport rsync \
+ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
+ counter accept comment "Webserver letsencrypt transfer replies"
 add rule ip ifg-filter forward \
 ip protocol icmp \
@@ -427,12 +451,14 @@ add rule ip ifg-filter output \
 ct state new \
 ip protocol udp \
 ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp dport 53 \
+ oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, \
+ $NS2_INTERNAL_IPV4 } udp dport domain \
 counter accept comment "DNS requests"
 add rule ip6 ifg-filter output \
 ct state new \
 ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp dport 53 \
+ oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, \
+ $NS2_INTERNAL_IPV6 } udp dport domain \
 counter accept comment "DNS requests"
 add rule ip ifg-filter output \
diff --git a/sources/sns.in/c3d/postinstall/install-data/var/named/pm.useribm.hu.zonesource b/sources/sns.in/c3d/postinstall/install-data/var/named/pm.useribm.hu.zonesource
index fd511c4..2b38d41 100644
--- a/sources/sns.in/c3d/postinstall/install-data/var/named/pm.useribm.hu.zonesource
+++ b/sources/sns.in/c3d/postinstall/install-data/var/named/pm.useribm.hu.zonesource
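Review bot: The four new "Git, mercurial and subversion directory server" rules allow plaintext `ldap` alongside `ldaps` from three perimeter hosts to `$FDS_INTERNAL_IPV4`/`$FDS_INTERNAL_IPV6`, so VCS authentication binds may cross the perimeter-to-internal boundary unencrypted unless those clients are known to use STARTTLS; if the VCS hosts can bind over `ldaps` only, narrow the set to `ldaps`, otherwise record the STARTTLS expectation in the rule comment. The ip6 reply rule writes the set as `{ldap, ldaps }` while the other three write `{ ldap, ldaps }`; nft presumably accepts both, but for consistency make it `tcp sport { ldap, ldaps } \`. The merged IPv4 request and reply rules add `$DVREDMINE_INTERNAL_IPV4` but the ip6 counterparts list only store and wiki; if Redmine simply has no IPv6 address, a short comment saying so would stop the next reader from treating it as an omission. The final `ip protocol icmp` rule at the end of this hunk continues outside it.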
@@ -27,7 +27,7 @@ xfr IN A 192.168.173.246 ; xf
 xfr IN AAAA 2a02:d400:0000:f2ad:000c:18ff:fe03:adf6
 vc IN A 192.168.173.223 ; vc (version control)
 vc IN AAAA 2a02:d400:0000:f2ad:000c:18ff:fe03:addf
-svn IN A 192.168.173.212 ; hg
+svn IN A 192.168.173.212 ; sv
 svn IN AAAA 2a02:d400:0000:f2ad:000c:18ff:fe03:add4
 dvredmine IN A 192.168.173.193 ; rm
 dvredmine IN AAAA 2a02:d400:0000:f2ad:000c:18ff:fe03:adc1
-- 
2.54.0