#!/bin/sh # # This is automatically generated file. DO NOT MODIFY ! # # Firewall Builder fwb_ipt v5.0.1.3585 # # Generated Thu Nov 10 11:59:21 2011 PST by vadim # # files: * cluster1_secuwall-1.fw /etc/cluster1_secuwall-1.fw # # Compiled for iptables (any version) # # This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside. # Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0 FWBDEBUG="" PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}" export PATH LSMOD="/bin/lsmod" MODPROBE="/sbin/modprobe" IPTABLES="/sbin/iptables" IP6TABLES="/sbin/ip6tables" IPTABLES_RESTORE="/sbin/iptables-restore" IP6TABLES_RESTORE="/sbin/ip6tables-restore" IP="/sbin/ip" IFCONFIG="/sbin/ifconfig" VCONFIG="/sbin/vconfig" BRCTL="/sbin/brctl" IFENSLAVE="/sbin/ifenslave" IPSET="/usr/sbin/ipset" LOGGER="/usr/bin/logger" log() { echo "$1" which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1" } getInterfaceVarName() { echo $1 | sed 's/\./_/' } getaddr_internal() { dev=$1 name=$2 af=$3 L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getnet_internal() { dev=$1 name=$2 af=$3 L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!') test -z "$L" && { eval "$name=''" return } eval "${name}_list=\"$L\"" } getaddr() { getaddr_internal $1 $2 "-4" } getaddr6() { getaddr_internal $1 $2 "-6" } getnet() { getnet_internal $1 $2 "-4" } getnet6() { getnet_internal $1 $2 "-6" } # function getinterfaces is used to process wildcard interfaces getinterfaces() { NAME=$1 $IP link show | grep ": $NAME" | while read L; do OIFS=$IFS IFS=" :" set $L IFS=$OIFS echo $2 done } diff_intf() { func=$1 list1=$2 list2=$3 cmd=$4 for intf in $list1 do echo $list2 | grep -q $intf || { # $vlan is absent in list 2 $func $intf $cmd } done } find_program() { PGM=$1 which $PGM >/dev/null 2>&1 || { echo "\"$PGM\" not found" exit 1 } } check_tools() { find_program which find_program $IPTABLES find_program $MODPROBE find_program $IP } reset_iptables_v4() { $IPTABLES -P OUTPUT DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP cat /proc/net/ip_tables_names | while read table; do $IPTABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IPTABLES -t $table -F $chain fi done $IPTABLES -t $table -X done } reset_iptables_v6() { $IP6TABLES -P OUTPUT DROP $IP6TABLES -P INPUT DROP $IP6TABLES -P FORWARD DROP cat /proc/net/ip6_tables_names | while read table; do $IP6TABLES -t $table -L -n | while read c chain rest; do if test "X$c" = "XChain" ; then $IP6TABLES -t $table -F $chain fi done $IP6TABLES -t $table -X done } P2P_INTERFACE_WARNING="" missing_address() { address=$1 cmd=$2 oldIFS=$IFS IFS="@" set $address addr=$1 interface=$2 IFS=$oldIFS $IP addr show dev $interface | grep -q POINTOPOINT && { test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet" P2P_INTERFACE_WARNING="yes" return } test "$cmd" = "add" && { echo "# Adding ip address: $interface $addr" echo $addr | grep -q ':' && { $FWBDEBUG $IP addr $cmd $addr dev $interface } || { $FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface } } test "$cmd" = "del" && { echo "# Removing ip address: $interface $addr" $FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1 } $FWBDEBUG $IP link set $interface up } list_addresses_by_scope() { interface=$1 scope=$2 ignore_list=$3 $IP addr ls dev $interface | \ awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \ while read addr; do echo "${addr}@$interface" done | sort } update_addresses_of_interface() { ignore_list=$2 set $1 interface=$1 shift FWB_ADDRS=$( for addr in $*; do echo "${addr}@$interface" done | sort ) CURRENT_ADDRS_ALL_SCOPES="" CURRENT_ADDRS_GLOBAL_SCOPE="" $IP link show dev $interface >/dev/null 2>&1 && { CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list") CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list") } || { echo "# Interface $interface does not exist" # Stop the script if we are not in test mode test -z "$FWBDEBUG" && exit 1 } diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del } clear_addresses_except_known_interfaces() { $IP link show | sed 's/://g' | awk -v IGNORED="$*" \ 'BEGIN { split(IGNORED,ignored_arr); for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;} } (/state/ && !($2 in ignored_dict)) {print $2;}' | \ while read intf; do echo "# Removing addresses not configured in fwbuilder from interface $intf" $FWBDEBUG $IP addr flush dev $intf scope global $FWBDEBUG $IP link set $intf down done } check_file() { test -r "$2" || { echo "Can not find file $2 referenced by address table object $1" exit 1 } } check_run_time_address_table_files() { : } load_modules() { : echo "Modules are loaded only at startup!" } verify_interfaces() { : echo "Verifying interfaces: eth0 eth1 lo" for i in eth0 eth1 lo ; do $IP link show "$i" > /dev/null 2>&1 || { log "Interface $i does not exist" exit 1 } done } prolog_commands() { echo "Running prolog script" } epilog_commands() { echo "Running epilog script" } run_epilog_and_exit() { epilog_commands exit $1 } configure_interfaces() { for runstop in keepalived conntrackd network ; do /etc/init.d/${runstop} stop done /sbin/ifclear all for runstart in management network keepalived conntrackd ; do /etc/init.d/${runstart} start done } script_body() { # ================ IPv4 # ================ Table 'filter', automatic rules # accept established sessions $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # client DNS for the firewall # ================ Table 'nat', rule set NAT # # Rule 0 (NAT) # echo "Rule 0 (NAT)" # $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 172.24.0.1 # # Rule 1 (NAT) # echo "Rule 1 (NAT)" # $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-ports 3128 # ================ Table 'filter', rule set Policy # # Rule -8 VRRP (automatic) # echo "Rule -8 VRRP (automatic)" # $IPTABLES -A OUTPUT -o lo -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -7 VRRP (automatic) # echo "Rule -7 VRRP (automatic)" # $IPTABLES -A INPUT -i lo -p vrrp -s 127.0.0.1 -d 224.0.0.18 -j ACCEPT # # Rule -6 VRRP (automatic) # echo "Rule -6 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth1 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -5 VRRP (automatic) # echo "Rule -5 VRRP (automatic)" # $IPTABLES -A INPUT -i eth1 -p vrrp -s 192.168.1.3 -d 224.0.0.18 -j ACCEPT # # Rule -4 VRRP (automatic) # echo "Rule -4 VRRP (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p vrrp -d 224.0.0.18 -j ACCEPT # # Rule -3 VRRP (automatic) # echo "Rule -3 VRRP (automatic)" # $IPTABLES -A INPUT -i eth0 -p vrrp -s 172.24.0.3 -d 224.0.0.18 -j ACCEPT # # Rule -2 CONNTRACK (automatic) # echo "Rule -2 CONNTRACK (automatic)" # $IPTABLES -A OUTPUT -o eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule -1 CONNTRACK (automatic) # echo "Rule -1 CONNTRACK (automatic)" # $IPTABLES -A INPUT -i eth0 -p udp -m udp -d 225.0.0.50 --dport 3780 -j ACCEPT # # Rule 0 (eth0) # echo "Rule 0 (eth0)" # # anti spoofing rule $IPTABLES -N In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 172.24.0.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0 $IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0 $IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY " $IPTABLES -A In_RULE_0 -j DROP # # Rule 1 (lo) # echo "Rule 1 (lo)" # $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT # # Rule 2 (eth0) # echo "Rule 2 (eth0)" # $IPTABLES -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -o ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT # # Rule 3 (eth0) # echo "Rule 3 (eth0)" # # "firewall is part of any" OFF $IPTABLES -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o ! eth0 -m state --state NEW -j ACCEPT # # Rule 4 (eth0) # echo "Rule 4 (eth0)" # # "firewall is part of any" OFF $IPTABLES -A FORWARD -i eth0 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -o eth0 -m state --state NEW -j ACCEPT # # Rule 5 (eth0,eth1) # echo "Rule 5 (eth0,eth1)" # $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid8117X67022.0 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8117X67022.0 $IPTABLES -A Cid8117X67022.0 -d 172.24.0.1 -j ACCEPT $IPTABLES -A Cid8117X67022.0 -d 172.24.0.2 -j ACCEPT $IPTABLES -A Cid8117X67022.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid8117X67022.0 -d 192.168.1.2 -j ACCEPT $IPTABLES -N Cid8117X67022.1 $IPTABLES -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid8117X67022.1 $IPTABLES -A Cid8117X67022.1 -d 172.24.0.1 -j ACCEPT $IPTABLES -A Cid8117X67022.1 -d 172.24.0.2 -j ACCEPT $IPTABLES -A Cid8117X67022.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid8117X67022.1 -d 192.168.1.2 -j ACCEPT # # Rule 6 (cl1 intf 0,1) # echo "Rule 6 (cl1 intf 0,1)" # $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -N Cid39519X67022.0 $IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid39519X67022.0 $IPTABLES -A Cid39519X67022.0 -d 172.24.0.1 -j ACCEPT $IPTABLES -A Cid39519X67022.0 -d 172.24.0.2 -j ACCEPT $IPTABLES -A Cid39519X67022.0 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid39519X67022.0 -d 192.168.1.2 -j ACCEPT $IPTABLES -N Cid39519X67022.1 $IPTABLES -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j Cid39519X67022.1 $IPTABLES -A Cid39519X67022.1 -d 172.24.0.1 -j ACCEPT $IPTABLES -A Cid39519X67022.1 -d 172.24.0.2 -j ACCEPT $IPTABLES -A Cid39519X67022.1 -d 192.168.1.1 -j ACCEPT $IPTABLES -A Cid39519X67022.1 -d 192.168.1.2 -j ACCEPT # # Rule 7 (eth0,eth1) # echo "Rule 7 (eth0,eth1)" # # "firewall is part of any" OFF $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 8 (cl1 intf 0,1) # echo "Rule 8 (cl1 intf 0,1)" # # "firewall is part of any" OFF $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT # # Rule 9 (global) # echo "Rule 9 (global)" # # SSH Access to firewall is permitted # only from internal network $IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT # # Rule 10 (global) # echo "Rule 10 (global)" # # Firewall uses one of the machines # on internal network for DNS $IPTABLES -N RULE_10 $IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_10 $IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.0/24 --dport 53 -m state --state NEW -j RULE_10 $IPTABLES -A RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- ACCEPT " $IPTABLES -A RULE_10 -j ACCEPT # # Rule 11 (global) # echo "Rule 11 (global)" # # All other attempts to connect to # the firewall are denied and logged $IPTABLES -N RULE_11 $IPTABLES -A OUTPUT -d 172.24.0.1 -m state --state NEW -j RULE_11 $IPTABLES -A OUTPUT -d 172.24.0.2 -m state --state NEW -j RULE_11 $IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j RULE_11 $IPTABLES -A OUTPUT -d 192.168.1.2 -m state --state NEW -j RULE_11 $IPTABLES -A INPUT -m state --state NEW -j RULE_11 $IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY " $IPTABLES -A RULE_11 -j DROP # # Rule 12 (global) # echo "Rule 12 (global)" # $IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT # # Rule 13 (global) # echo "Rule 13 (global)" # $IPTABLES -N RULE_13 $IPTABLES -A OUTPUT -m state --state NEW -j RULE_13 $IPTABLES -A INPUT -m state --state NEW -j RULE_13 $IPTABLES -A FORWARD -m state --state NEW -j RULE_13 $IPTABLES -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY " $IPTABLES -A RULE_13 -j DROP } ip_forward() { : echo 1 > /proc/sys/net/ipv4/ip_forward } reset_all() { : reset_iptables_v4 } block_action() { reset_all } stop_action() { reset_all $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } check_iptables() { IP_TABLES="$1" [ ! -e $IP_TABLES ] && return 151 NF_TABLES=$(cat $IP_TABLES 2>/dev/null) [ -z "$NF_TABLES" ] && return 152 return 0 } status_action() { check_iptables "/proc/net/ip_tables_names" ret_ipv4=$? check_iptables "/proc/net/ip6_tables_names" ret_ipv6=$? [ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0 [ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && { echo "iptables modules are not loaded" } [ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && { echo "Firewall is not configured" } exit 3 } # See how we were called. # For backwards compatibility missing argument is equivalent to 'start' cmd=$1 test -z "$cmd" && { cmd="start" } case "$cmd" in start) log "Activating firewall script generated Thu Nov 10 11:59:21 2011 by vadim" log "Database was cluster-tests.fwb" check_tools check_run_time_address_table_files prolog_commands load_modules "nat " configure_interfaces verify_interfaces reset_all script_body ip_forward epilog_commands RETVAL=$? ;; stop) stop_action RETVAL=$? ;; status) status_action RETVAL=$? ;; block) block_action RETVAL=$? ;; reload) $0 stop $0 start RETVAL=$? ;; interfaces) configure_interfaces RETVAL=$? ;; test_interfaces) FWBDEBUG="echo" configure_interfaces RETVAL=$? ;; *) echo "Usage $0 {start|stop|status|block|reload|interfaces|test_interfaces}" ;; esac exit $RETVAL