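#!/bin/bash
# @(#)(CAcert) $Id: firewall,v 1.14 2014/08/15 15:55:57 root Exp $
#
# Host firewall for the OCSP responder: default-deny in both directions,
# explicit ACCEPT rules for the services below, a per-user egress allow-list
# read from /etc/firewall/allowedto and an ssh ingress allow-list read from
# /etc/firewall/allowedfrom.
#
# Allow-list file formats (a line whose first character is '#' is ignored):
#   allowedto:    <name> <uid> <destination-address>...
#   allowedfrom:  <name> <source-address>...
# Every allow-list match is LOGged (prefix "user:<name> : ") before it is
# ACCEPTed, so the kernel log shows which user opened which connection.
#
# Must run as root.  Deliberately NOT 'set -e': one failing ip(6)tables call
# (e.g. IPv6 not available) must not abort the load half-way and leave the
# host with a partial rule set.
set -u

readonly IPTABLES_BIN=/usr/sbin/iptables
readonly IP6TABLES_BIN=/usr/sbin/ip6tables
readonly ALLOWED_TO=/etc/firewall/allowedto
readonly ALLOWED_FROM=/etc/firewall/allowedfrom

# Common functions

#######################################
# Apply the same rule to IPv4 and IPv6.
# Arguments: ip(6)tables arguments, passed through unchanged
# Returns:   status of the ip6tables call (the IPv4 status is not checked)
#######################################
iptables() {
  "$IPTABLES_BIN" "$@"
  "$IP6TABLES_BIN" "$@"
}

#######################################
# Apply an IPv4-only rule.
# Arguments: iptables arguments, passed through unchanged
#######################################
ip4tables() {
  "$IPTABLES_BIN" "$@"
}

#######################################
# Apply an IPv6-only rule.
# Arguments: ip6tables arguments, passed through unchanged
#######################################
ip6tables() {
  "$IP6TABLES_BIN" "$@"
}

#######################################
# Pick the rule function matching the address family of an address.
# Arguments: $1 - IPv4 or IPv6 address (a /prefix suffix is fine)
# Outputs:   "ip6tables" or "ip4tables" on stdout
# Returns:   0 when recognised; 1 with a message on stderr and nothing on
#            stdout otherwise, so a malformed allow-list entry adds no rule
#            (fail closed: the traffic stays subject to the default REJECT/DROP)
#######################################
ip4or6() {
  local addr=$1
  case "$addr" in
    *:*)
      printf '%s\n' ip6tables
      ;;
    *.*)
      printf '%s\n' ip4tables
      ;;
    *)
      printf '%s: cannot recognize address %s\n' "$0" "$addr" >&2
      return 1
      ;;
  esac
}

#######################################
# Flush and delete all user rules/chains in filter, nat (IPv4 only) and
# mangle.  Chain policies are left untouched, so on a reload the DROP
# policies from the previous run stay in force while rules are re-added.
#######################################
flush_tables() {
  iptables -F
  iptables -X
  ip4tables -F -t nat
  ip4tables -X -t nat
  iptables -F -t mangle
  iptables -X -t mangle
}

#######################################
# Static rules: state tracking, syslog, OCSP service, CRL fetch, DNS, ICMP,
# loopback, and the root egress bypass.
#######################################
load_static_rules() {
  # Let conntrack handle the bulk of the traffic.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Allow logging (remote syslog)
  ip4tables -A OUTPUT -p udp -d 172.28.50.101 --dport 514 -j ACCEPT

  # Allow OCSP (server)
  ip4tables -A INPUT -p tcp --destination 172.16.3.103 --dport 2560 -j ACCEPT
  ip4tables -A INPUT -p tcp --destination 127.0.0.1 --dport 2560 -j ACCEPT
  ip4tables -A INPUT -p tcp --destination 172.16.3.103 --dport 443 -j ACCEPT
  ip6tables -A INPUT -p tcp --destination 2001:7b8:616:163::103 --dport 2560 -j ACCEPT
  ip6tables -A INPUT -p tcp --destination 2001:7b8:616:163::103 --dport 443 -j ACCEPT
  ip6tables -A INPUT -p tcp --destination 2001:7b8:616:163::103 --dport 80 -j ACCEPT
  # Note: IPv4 rerouting of port 80 to port 2560 is already done by the
  # OpenBSD firewall, so no DNAT rules are needed here for that purpose.

  # Allow replies from OCSP server (state tracking doesn't seem to work?)
  iptables -A OUTPUT -p tcp --sport 2560 -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

  # Allow OCSP (local testing by non-root users)
  iptables -A OUTPUT -p tcp --dport 2560 -j ACCEPT

  # Allow access to rsync daemon on www.cacert.org for retrieving CRLs
  ip4tables -A OUTPUT -p tcp --destination 172.28.50.12 --dport 873 -j ACCEPT

  # Allow DNS resolvers (UDP and TCP)
  ip4tables -A OUTPUT -p udp -d 172.28.50.2 --dport 53 -j ACCEPT
  ip4tables -A OUTPUT -p tcp -d 172.28.50.2 --dport 53 -j ACCEPT
  ip4tables -A OUTPUT -p udp -d 172.28.50.3 --dport 53 -j ACCEPT
  ip4tables -A OUTPUT -p tcp -d 172.28.50.3 --dport 53 -j ACCEPT

  # Allow ICMP Echo and ICMP Time Exceeded; all of ICMPv6 (needed for ND etc.)
  ip4tables -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
  ip4tables -A INPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
  ip6tables -A INPUT -p ICMPv6 -j ACCEPT
  ip4tables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
  ip4tables -A OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
  ip6tables -A OUTPUT -p ICMPv6 -j ACCEPT

  # Allow everything on loopback interface
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # root can disable this firewall anyway, so don't pretend to restrict it.
  iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
}

#######################################
# Per-user egress allow-list from $ALLOWED_TO, then log+reject all other
# outgoing traffic.
# Globals:   ALLOWED_TO (read)
# Returns:   1 if the allow-list file is unreadable (the final REJECT is
#            still installed, so egress stays closed)
#######################################
load_egress_rules() {
  local name uid dests dest func
  local -a dest_list
  local rv=0

  if [[ -r "$ALLOWED_TO" ]]; then
    while read -r name uid dests || [[ -n "$name" ]]; do
      [[ -n "$dests" ]] || continue
      # Split the destinations on whitespace without letting the shell
      # glob-expand an entry such as '*'.
      read -r -a dest_list <<<"$dests"
      for dest in "${dest_list[@]}"; do
        func=$(ip4or6 "$dest") || continue
        "$func" -A OUTPUT -m owner --uid-owner "$uid" -d "$dest" -j LOG --log-prefix "user:${name} : "
        "$func" -A OUTPUT -m owner --uid-owner "$uid" -d "$dest" -j ACCEPT
      done
    done < <(grep -v '^#' -- "$ALLOWED_TO")
  else
    printf '%s: cannot read %s\n' "$0" "$ALLOWED_TO" >&2
    rv=1
  fi

  # reject all the rest for outgoing
  iptables -A OUTPUT -j LOG --log-prefix "output: "
  iptables -A OUTPUT -j REJECT
  return "$rv"
}

#######################################
# ssh (port 22) ingress allow-list from $ALLOWED_FROM, then log all other
# incoming traffic (dropped by the INPUT policy set in main).
# Globals:   ALLOWED_FROM (read)
# Returns:   1 if the allow-list file is unreadable
#######################################
load_ingress_rules() {
  local name froms from func
  local -a from_list
  local rv=0

  if [[ -r "$ALLOWED_FROM" ]]; then
    while read -r name froms || [[ -n "$name" ]]; do
      [[ -n "$froms" ]] || continue
      read -r -a from_list <<<"$froms"
      for from in "${from_list[@]}"; do
        func=$(ip4or6 "$from") || continue
        "$func" -A INPUT -p tcp --dport 22 -s "$from" -j LOG --log-prefix "user:${name} : "
        "$func" -A INPUT -p tcp --dport 22 -s "$from" -j ACCEPT
      done
    done < <(grep -v '^#' -- "$ALLOWED_FROM")
  else
    printf '%s: cannot read %s\n' "$0" "$ALLOWED_FROM" >&2
    rv=1
  fi

  # log all the rest for incoming (it will be dropped by the policy)
  iptables -A INPUT -j LOG --log-prefix "input: "
  return "$rv"
}

#######################################
# Load the complete rule set.
# Returns:   1 when not run as root; otherwise the status of the last
#            policy change
#######################################
main() {
  if (( EUID != 0 )); then
    printf '%s: must be run as root\n' "$0" >&2
    return 1
  fi

  flush_tables
  load_static_rules
  load_egress_rules
  load_ingress_rules

  # Policies are set last.  flush_tables keeps any policy from a previous
  # run, so a reload stays fail-closed; only on the very first load is the
  # kernel's built-in ACCEPT policy in effect until this point.
  # DROP everything from the internets
  iptables -P INPUT DROP
  # Unmatched egress was already logged and REJECTed by load_egress_rules;
  # this policy is only the backstop.
  iptables -P OUTPUT DROP
  # This host does not forward.
  iptables -P FORWARD DROP
}

main "$@"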