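#!/bin/bash
# $Id$
#
# /etc/rc.d/rc.lockdownwizard
#
# Basic firewall to protect Loadbalancer.org appliance.
#
# Builds the IPv4 and IPv6 INPUT filtering: traffic for SSH, SNMP, cluster
# (heartbeat / HAProxy replication) and the web-interface ports is steered
# into per-purpose chains.  Each chain accepts only the configured sources
# and ends in $DROP; anything not steered into a chain falls through to the
# INPUT policy ($POLICY).
#
# Exit codes: 126 when ENABLED is not 'yes' (the firewall system relies on
# this), 1 when a required setting is missing, 0 otherwise.  The trailing
# 'exit 0' is likewise required by the firewall system - do not remove it.
#
# Import configuration...  A missing file leaves ENABLED unset, which the
# master-switch check below treats as "disabled" (exit 126).
source /etc/rc.d/rc.lockdownwizard.conf

# Variables:  $iptables                   Path to iptables binary for IPv4.
#             $ip6tables                  Path to iptables binary for IPv6.
#             $ENABLED                    Master off switch.
#             $POLICY                     Handling of unmatched packets. Default ACCEPT.
#             $DROP                       Handling of packets to be dropped. Default DROP.
#             $NET_ADMIN                  Administration subnet address and mask.
#             $NET_SNMP                   Source allowed to poll SNMP (IPv4 tables only
#                                         - confirm against the .conf, it is not
#                                         documented there in this listing).
#             $IP_LOCAL                   Local IP address for cluster traffic.
#             $IP_PEER                    Peer's IP address for cluster traffic.
#             $PORT_WEB_IF                Web Interface port for HTTP.
#             $PORT_WEB_IF_SECURE         Web Interface port for HTTPS.
#             $PORT_HEARTBEAT             Heartbeat UDP unicast/broadcast port.
#             $PORT_HAPROXY_STATS         HAProxy statistics port.
#             $PORT_HAPROXY_REPLICATION   HAProxy replication port.

# optional IPV4 admin (subnets/24 computers/32) space separated
IPV4_NET_ADMIN=(172.31.2.0/24 192.168.200.0/24)
IPV4_NET_SNMP=(172.31.1.6/32)

# optional IPV6 (computer/128 network/64) space separated
IPV6_NET_ADMIN=(2a05:f080:0:300::/64 2a02:968:ffff:ffff::/64 )

# Do not remove this section - it is required by the firewall system.
# Quoted and defaulted: an unset/empty ENABLED must take the "disabled" path
# rather than make '[' error out and let the script fall through.
if [[ "${ENABLED:-}" != 'yes' ]]; then
  exit 126
fi

# Defaults as documented above; the .conf normally sets both explicitly.
POLICY=${POLICY:-ACCEPT}
DROP=${DROP:-DROP}

# Without the binaries every rule line would run "--policy ..." as a command
# and fail individually; refuse up front with a clear diagnostic instead.
for required in iptables ip6tables; do
  if [[ -z "${!required:-}" ]]; then
    printf 'rc.lockdownwizard: %s is not set in rc.lockdownwizard.conf\n' "$required" >&2
    exit 1
  fi
done

#######################################
# True when the value looks like an IPv6 literal (contains a colon); IPv4
# addresses and CIDR prefixes never do.  Used to keep IPv4-only settings
# out of the ip6tables rules.
# Arguments: $1 - address or prefix
#######################################
is_ipv6() {
  [[ "$1" == *:* ]]
}

##
#
# IPv4
#
##

# Chain policies:
"$iptables" --policy INPUT "$POLICY"
"$iptables" --policy OUTPUT "$POLICY"
"$iptables" --policy FORWARD "$POLICY"

# Create custom chains.  --new-chain fails if a chain already exists, so this
# assumes a fresh ruleset - confirm the caller flushes before re-running.
for chain in ssh_traffic_in snmp_traffic_in cluster_traffic_in admin_traffic_in; do
  "$iptables" --new-chain "$chain"
done

# SNMP is only served on the local address: polls sent to any other address
# are rejected ahead of the chain dispatch below (inserted at the top of INPUT).
"$iptables" --insert INPUT ! --destination "$IP_LOCAL" --protocol udp --destination-port 161 --jump REJECT

# Filter traffic types into chains:
"$iptables" --append INPUT --protocol udp --destination-port "$PORT_HEARTBEAT" --jump cluster_traffic_in
"$iptables" --append INPUT --protocol tcp --destination-port "$PORT_HAPROXY_REPLICATION" --jump cluster_traffic_in
"$iptables" --append INPUT --protocol tcp --match multiport --destination-ports "$PORT_WEB_IF,$PORT_WEB_IF_SECURE,$PORT_HAPROXY_STATS" --jump admin_traffic_in
"$iptables" --append INPUT --protocol udp --destination-port snmp --destination "$IP_LOCAL" --jump snmp_traffic_in
"$iptables" --append INPUT --protocol tcp --destination-port ssh --jump ssh_traffic_in

# Set chain rules:
# NET_ADMIN / NET_SNMP are applied to the IPv4 tables unconditionally, while
# the IPv6 section guards them with is_ipv6 - TODO confirm whether an IPv6
# value in the .conf is possible here and needs the mirror-image guard.
"$iptables" --append ssh_traffic_in --source "$IP_PEER" --jump ACCEPT
"$iptables" --append ssh_traffic_in --source "$NET_ADMIN" --jump ACCEPT
"$iptables" --append snmp_traffic_in --source "$NET_SNMP" --jump ACCEPT
"$iptables" --append admin_traffic_in --source "$NET_ADMIN" --jump ACCEPT

# Array length, not "$IPV4_NET_ADMIN", decides whether the optional list is
# populated (the string form only looks at element 0).
if (( ${#IPV4_NET_ADMIN[@]} > 0 )); then
  for ipv4_admin in "${IPV4_NET_ADMIN[@]}"; do
    "$iptables" --append admin_traffic_in --source "$ipv4_admin" --jump ACCEPT
    "$iptables" --append ssh_traffic_in --source "$ipv4_admin" --jump ACCEPT
    "$iptables" --append snmp_traffic_in --source "$ipv4_admin" --jump ACCEPT
  done
fi

if (( ${#IPV4_NET_SNMP[@]} > 0 )); then
  for ipv4_snmp in "${IPV4_NET_SNMP[@]}"; do
    "$iptables" --append snmp_traffic_in --source "$ipv4_snmp" --destination "$IP_LOCAL" --jump ACCEPT
  done
fi

"$iptables" --append cluster_traffic_in --source "$IP_LOCAL" --jump ACCEPT
# A loopback peer means single-node operation: no separate peer rule.
if [[ "$IP_PEER" != "127.0.0.1" ]]; then
  "$iptables" --append cluster_traffic_in --source "$IP_PEER" --jump ACCEPT
fi

# Terminate every custom chain: anything not accepted above is dropped.
"$iptables" --append admin_traffic_in --jump "$DROP"
"$iptables" --append ssh_traffic_in --jump "$DROP"
"$iptables" --append snmp_traffic_in --jump "$DROP"
"$iptables" --append cluster_traffic_in --jump "$DROP"

##
#
# IPv6
#
##

# Chain policies:
"$ip6tables" --policy INPUT "$POLICY"
"$ip6tables" --policy OUTPUT "$POLICY"
"$ip6tables" --policy FORWARD "$POLICY"

# Custom chains:
for chain in ssh_traffic_in snmp_traffic_in cluster_traffic_in admin_traffic_in; do
  "$ip6tables" --new-chain "$chain"
done

# Filter traffic types into chains:
"$ip6tables" --append INPUT --protocol udp --destination-port "$PORT_HEARTBEAT" --jump cluster_traffic_in
"$ip6tables" --append INPUT --protocol tcp --destination-port "$PORT_HAPROXY_REPLICATION" --jump cluster_traffic_in
"$ip6tables" --append INPUT --protocol tcp --match multiport --destination-ports "$PORT_WEB_IF,$PORT_WEB_IF_SECURE,$PORT_HAPROXY_STATS" --jump admin_traffic_in
# NOTE(review): unlike IPv4, IPv6 SNMP is steered into admin_traffic_in, not
# snmp_traffic_in (there is no IPv6 SNMP source list) - confirm this is intended.
"$ip6tables" --append INPUT --protocol udp --destination-port snmp --jump admin_traffic_in
"$ip6tables" --append INPUT --protocol tcp --destination-port ssh --jump ssh_traffic_in

# Set chain rules (IPv4 values from the .conf are skipped here):
if is_ipv6 "$IP_PEER"; then
  "$ip6tables" --append ssh_traffic_in --source "$IP_PEER" --jump ACCEPT
fi

if is_ipv6 "$NET_ADMIN"; then
  "$ip6tables" --append ssh_traffic_in --source "$NET_ADMIN" --jump ACCEPT
fi

if (( ${#IPV6_NET_ADMIN[@]} > 0 )); then
  for ipv6_admin in "${IPV6_NET_ADMIN[@]}"; do
    "$ip6tables" --append ssh_traffic_in --source "$ipv6_admin" --jump ACCEPT
    "$ip6tables" --append admin_traffic_in --source "$ipv6_admin" --jump ACCEPT
  done
fi

if is_ipv6 "$IP_LOCAL"; then
  "$ip6tables" --append admin_traffic_in --source "$IP_LOCAL" --jump ACCEPT
fi

if is_ipv6 "$IP_PEER"; then
  "$ip6tables" --append admin_traffic_in --source "$IP_PEER" --jump ACCEPT
fi

if is_ipv6 "$IP_LOCAL"; then
  "$ip6tables" --append cluster_traffic_in --source "$IP_LOCAL" --jump ACCEPT
fi

# An IPv4 loopback local address maps to the IPv6 loopback for cluster
# traffic; use the literal rather than reassigning IP_LOCAL.
if [[ "$IP_LOCAL" == "127.0.0.1" ]]; then
  "$ip6tables" --append cluster_traffic_in --source ::1 --jump ACCEPT
fi

if is_ipv6 "$IP_PEER"; then
  "$ip6tables" --append cluster_traffic_in --source "$IP_PEER" --jump ACCEPT
fi

# Terminate every custom chain, including snmp_traffic_in: nothing is steered
# into it on IPv6 today, but an unterminated chain would silently return to
# the INPUT policy if a future rule referenced it.
"$ip6tables" --append admin_traffic_in --jump "$DROP"
"$ip6tables" --append ssh_traffic_in --jump "$DROP"
"$ip6tables" --append snmp_traffic_in --jump "$DROP"
"$ip6tables" --append cluster_traffic_in --jump "$DROP"

# Do not remove the statement below - it is required by the firewall system.
exit 0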