Refactor the firewall script

Make it more generic, dropping ai-specific bits here and there. Provide a standard command-line interface including --help and --version options. Move default filter setup to a standalone code snippet. Rename package to just 'firewall'. Bump version to 0.2 to highlight the difference with the original ai-firewall codebase.

Refactor the firewall script
406c1770 · ale · ccb6462d · 406c1770 · 406c1770 · 406c1770
Commit 406c1770 authored 7 years ago by ale
--- a/.gitignore
+++ b/.gitignore
+*-stamp
+*.debhelper
+*.substvars
+debian/firewall
+debian/files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+
+stages:
+  - build_src
+  - build_pkg
+  - upload
+
+build:src:
+  stage: build_src
+  image: "ai/build:stretch"
+  script: "build-dsc"
+  artifacts:
+    paths:
+      - build-deb/
+  only:
+    - master
+
+build:pkg:
+  stage: build_pkg
+  image: "ai/build:stretch"
+  script: "build-deb"
+  dependencies:
+    - build:src
+  artifacts:
+    paths:
+      - output-deb/
+  only:
+    - master
+
+upload:pkg:
+  stage: upload
+  image: "ai/pkg:base"
+  script: "upload-packages -r ai3"
+  dependencies:
+    - build:pkg
+  only:
+    - master
+
--- a/COPYING
+++ b/COPYING
-Copyright (C) 2012, Autistici/Inventati <info@inventati.org>.
+Copyright (C) 2012-2018, Autistici/Inventati <info@inventati.org>.

 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

--- a/Makefile
+++ b/Makefile

 prefix = /usr
+sbindir = $(prefix)/sbin
 sysconfdir = /etc
+fwconfdir = $(sysconfdir)/firewall
+sharedir = $(prefix)/share/firewall
 INSTALL = install
+TABLES = filter nat mangle

 all:

 clean:

 install:
-	$(INSTALL) -d $(DESTDIR)$(prefix)/bin
-	$(INSTALL) -m 755 firewall $(DESTDIR)$(prefix)/bin/firewall
-	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall
-	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall/filter.d
-	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall/nat.d
-	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall/mangle.d
-	$(INSTALL) -m 644 README $(DESTDIR)$(sysconfdir)/firewall/README
-	(for f in ./conf-dist/filter.d/* ; do \
-	 $(INSTALL) -m 644 $$f $(DESTDIR)$(sysconfdir)/firewall/filter.d ; done)
+	$(INSTALL) -d $(DESTDIR)$(sbindir)
+	$(INSTALL) -d $(DESTDIR)$(sharedir)
+	$(INSTALL) -d $(DESTDIR)$(fwconfdir)
+	$(INSTALL) -m 755 firewall $(DESTDIR)$(sbindir)/firewall
+	(for t in $(TABLES); do \
+	  $(INSTALL) -d $(DESTDIR)$(fwconfdir)/$$t.d ; \
+	  $(INSTALL) -d $(DESTDIR)$(sharedir)/$$t.d ; \
+	  if [ -d conf-dist/$$t.d ]; then \
+	   for f in conf-dist/$$t.d/* ; do \
+	    $(INSTALL) -m 644 $$f $(DESTDIR)$(sharedir)/$$t.d ; \
+	    b=$$(basename $$f) ; \
+	    ln -s $(sharedir)/$$t.d/$$b $(DESTDIR)$(fwconfdir)/$$t.d/$$b ; \
+	   done ; \
+	  fi ; \
+	done)

--- a/README
+++ b/README
-
-ai-firewall
-===========
-
-A shell-based DSL for quick and easy configuration of an iptables
-firewall, primarily targeted at individual servers, supporting both
-IPv4 and IPv6.
-
-ai-firewall will perform some basic setup and then execute
-application-specific configuration snippets from the /etc/firewall
-tree. This setup allows packages to plug into the firewall setup by
-simply deploying a snippet in /etc/firewall.
-
-The configuration is loaded from the directories below /etc/firewall,
-every iptables table (such as 'filter', 'nat', and 'mangle') is
-configured independently from its own subdirectory named after itself,
-with a '.d' extension. Individual files from each directory are loaded
-in lexicographical order (like run-parts, for instance).
-
-
-Configuration syntax
--------------------
-
-Configuration files are simple shell scripts. Rules are generated by
-invoking the following predefined helper functions:
-
-
-    create_chain <CHAIN_NAME>
-
-        Create a new chain with the specified name.
-
-
-    add_rule <IPTABLES_ARGS>
-    add_rule4 <IPTABLES_ARGS>
-    add_rule6 <IPTABLES_ARGS>
-
-        This function will generate a full iptables rule exactly as
-        specified.  The first form will generate the rule for IPv4 and
-        IPv6, the other two are protocol-specific.
-
-        An example:
-
-          add_rule -A bad-host -s 1.2.3.4 -j DROP
-
-
-    add_to_chain <CHAIN_NAME> <IPTABLES_ARGS>
-
-        A shortcut for 'add_rule -A <CHAIN_NAME> <IPTABLES_ARGS>'.
-
-
-    add_user_port <PROTOCOL> <PORT> [<TARGET>]
-
-        Allow incoming traffic to the specified protocol / port.
-
-
-    add_user_ports <PROTOCOL> <PORT_SPEC>
-
-        Allow incoming traffic to the specified ports. PORT_SPEC
-        should be a comma-separated list of destination ports.
-
-
-
--- a/README.md
+++ b/README.md
+firewall
+=====
+
+A shell-based DSL for quick and easy configuration of an iptables
+firewall, primarily targeted at individual servers, supporting both
+IPv4 and IPv6. Instead of parameterizing the hell out of iptables like
+more sophisticated solutions (think Shorewall), it provides helpers to
+write iptables configs from shell snippets. These helpers make it easy
+to maintain IPv4 and IPv6 rules in sync.
+
+The main driver script will perform some basic setup and then execute
+application-specific configuration snippets from the */etc/firewall*
+tree. This setup allows packages to plug into the firewall setup by
+simply deploying a snippet in /etc/firewall.
+
+The configuration is loaded from the directories below /etc/firewall,
+every iptables table (such as *filter*, *nat*, and *mangle*) is
+configured independently from its own subdirectory named after the
+table, with a `.d` extension. Individual files from each directory are
+loaded in lexicographical order using *run-parts(8)*.
+
+# Configuration
+
+Configuration files are simple shell scripts. Rules are generated by
+invoking the following predefined helper functions:
+
+#### `create_chain` *CHAIN_NAME*
+
+Create a new chain with the specified name.
+
+#### `add_rule` *IPTABLES_ARGS*
+#### `add_rule4` *IPTABLES_ARGS*
+#### `add_rule6` *IPTABLES_ARGS*
+
+This function will generate a full iptables rule exactly as
+specified.  The first form will generate the rule for IPv4 and
+IPv6, the other two are protocol-specific.
+
+An example:
+
+```
+add_rule -A bad-host -s 1.2.3.4 -j DROP
+```
+
+#### `add_to_chain` *CHAIN_NAME* *IPTABLES_ARGS*
+
+A shortcut for `add_rule -A CHAIN_NAME IPTABLES_ARGS`.
+
+#### `allow_port` *PROTOCOL* *PORT* *[IPTABLES_ARGS]*
+
+Allow incoming traffic to the specified protocol / port.
+*IPTABLES_ARGS* is just a placeholder for any number of arbitrary
+iptables options (the default is simply `-j ALLOW`).
+
+#### `allow_ports` *PROTOCOL* *PORT_SPEC* *[IPTABLES_ARGS]*
+
+Allow incoming traffic to the specified ports. *PORT_SPEC*
+should be a comma-separated list of destination ports.
--- a/conf-dist/filter.d/00base
+++ b/conf-dist/filter.d/00base
+# Set up basic rules for the 'filter' table.
+#
+# This snippet should run before the others.
+
+# Set up a chain that will drop noisy unwanted traffic
+# without even logging it. 
+create_chain drop-noise
+add_rule -A drop-noise -p tcp --dport 113 -j REJECT
+add_rule -A drop-noise -p tcp -m multiport --dports 139,445 -j DROP
+add_rule -A drop-noise -p udp -m multiport --dports 137,138,500 -j DROP
+# Be kind and allow old-style traceroutes.
+add_rule -A drop-noise -p udp --dport 33434:33500 -j REJECT
+
+# base-input chain.
+create_chain base-input
+
+# Enable everything from lo and ring0.
+add_rule -A base-input -i lo -j ACCEPT
+add_rule4 -A base-input -i ring0 -s 172.16.1.0/24 -j ACCEPT
+
+# Some IPv6-specific ICMP setup.
+add_rule6 -A base-input -m rt --rt-type 0 --rt-segsleft 0 -j DROP 
+for icmp6type in 133 134 135 136 ; do 
+    add_rule6 -A base-input -p ipv6-icmp -m icmp6 \
+              --icmpv6-type ${icmp6type} -m hl --hl-eq 255 -j ACCEPT 
+done
+
+# Standard conntrack stuff.
+add_rule -A base-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+add_rule6 -A base-input -s fe80::/10 -p ipv6-icmp -m icmp6 \
+          --icmpv6-type 129 -j ACCEPT
+add_rule -A base-input -m conntrack --ctstate INVALID -j DROP
+
+# Enable 6to4 protocol.
+#add_rule4 -A base-input -p ipv6 -j ACCEPT
+
+# Allow useful ICMPs (but rate-limit incoming echo requests).
+for icmptype in 3 4 11 12 ; do
+    add_rule4 -A base-input -p icmp -m icmp \
+              --icmp-type ${icmptype} -j ACCEPT
+done
+for icmp6type in 1 2 3 4 128 ; do
+    add_rule6 -A base-input -p ipv6-icmp -m icmp6 \
+              --icmpv6-type ${icmp6type} -j ACCEPT
+done
+add_rule4 -A base-input -p icmp -m icmp --icmp-type 8 \
+          -m limit --limit 3/s -j ACCEPT
+add_rule6 -A base-input -p ipv6-icmp -m icmp6 --icmp-type 128 \
+          -m limit --limit 3/s -j ACCEPT
+
+# IPv6 autodiscovery.
+#add_rule6 -A base-input -s fe80::/10 -d fe80::/10 -p udp -m udp \
+#    --sport 547 --dport 546 -j ACCEPT
+
+# user-input
+create_chain user-input
+
+# Always allow SSH access, just in case someone forgets to add it
+# with a user-defined ruleset file.
+allow_port tcp 22
+
+# Setup the INPUT chain.
+# It is split into stages: base-input, user-input
+add_rule -A INPUT -j base-input
+add_rule -A INPUT -j drop-noise
+add_rule -A INPUT -j user-input
--- a/conf-dist/filter.d/01docker
+++ b/conf-dist/filter.d/01docker
+# Preserve docker-related firewall rules (IPv4-only).
+iptables-save -t filter \
+    | grep \
+          -e '^:DOCKER' \
+          -e '^-A DOCKER' \
+          -e '-[io] docker[0-9]' \
+          -e '-j DOCKER' \
+    | (while read line; do add_rule4 "${line}"; done)
--- a/conf-dist/filter.d/01fail2ban
+++ b/conf-dist/filter.d/01fail2ban
-
 # The following snippet saves the existing fail2ban rules and
-# reproduces them identically in the output.
-if [ -x /sbin/iptables-save ]; then
-    /sbin/iptables-save | (while read line ; do
+# reproduces them identically in the output (IPv4-only).
+iptables-save -t filter | (while read line ; do
        case "${line}" in
            ":fail2ban-"*|"-A fail2ban-"*|*"-j fail2ban-"*)
                add_rule4 "${line}"
                ;;
        esac
        done)
-fi
--- a/conf-dist/nat.d/01docker
+++ b/conf-dist/nat.d/01docker
+# Preserve docker-related firewall rules (IPv4-only).
+iptables-save -t nat \
+    | grep \
+          -e '^:DOCKER' \
+          -e '^-A DOCKER' \
+          -e '-[io] docker[0-9]' \
+          -e '-j DOCKER' \
+    | (while read line; do add_rule4 "${line}"; done)
--- a/debian/ai-firewall.default
+++ b/debian/ai-firewall.default
-
-# Remove comment to enable.
-#ENABLED=true
-
--- a/debian/ai-firewall.init
+++ b/debian/ai-firewall.init
-#!/bin/bash
-#
-# Start/stop the A/I firewall.
-#
-### BEGIN INIT INFO
-# Provides:          ai-firewall
-# Required-Start:    $network $local_fs
-# Required-Stop:
-# Should-Start:
-# Should-Stop:
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: A/I Firewall
-# Description:       A/I Firewall
-### END INIT INFO
-
-ENABLED=false
-
-test -e /etc/default/ai-firewall && . /etc/default/ai-firewall
-
-if [ "${ENABLED}" != true ]; then
-    exit 0
-fi
-
-case "$1" in
-start|restart)
-        echo -n "Starting firewall... "
-        /usr/bin/firewall start
-        echo "ok"
-        ;;
-stop)
-        ;;
-esac
-
-exit 0
--- a/debian/ai-firewall.postinst
+++ b/debian/ai-firewall.postinst
-#!/bin/sh
-
-#DEBHELPER#
-
-exit 0
--- a/debian/changelog
+++ b/debian/changelog
-ai-firewall (0.1-2) unstable; urgency=low
+firewall (0.2) unstable; urgency=medium

-  * Use debhelper for postinst script.
+  * New package.

- -- Autistici/Inventati <debian@autistici.org>  Sun, 22 Jun 2014 19:12:21 +0000
-
-ai-firewall (0.1-1) unstable; urgency=low
-
-  * Update debian package to start service at boot
-
- -- Autistici/Inventati <debian@autistici.org>  Sun, 22 Jun 2014 18:30:41 +0000
-
-ai-firewall (0.1) unstable; urgency=low
-
-  * First packaged release.
-
- -- Autistici/Inventati <debian@autistici.org>  Sat, 13 Sep 2012 14:49:37 +0000
+ -- Autistici/Inventati <debian@autistici.org>  Mon, 07 May 2018 08:37:01 +0100
--- a/debian/compat
+++ b/debian/compat
-7
+10
--- a/debian/control
+++ b/debian/control
-Source: ai-firewall
+Source: firewall
 Section: net
 Priority: extra
 Maintainer: Autistici/Inventati <debian@autistici.org>
 Build-Depends: debhelper (>= 7), cdbs
 Standards-Version: 3.8.0.1

-Package: ai-firewall
+Package: firewall
 Architecture: all
-Depends: ${misc:Depends}, python, iptables
+Depends: ${misc:Depends}, iptables
 Description: A/I Firewall Script
 Automatically maintain local firewalls for A/I servers.

--- a/debian/firewall.service
+++ b/debian/firewall.service
+[Unit]
+Description=Set up firewall
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/default/firewall
+ExecStart=/usr/sbin/firewall
+
+[Install]
+WantedBy=multi-user.target
--- a/debian/rules
+++ b/debian/rules
 #!/usr/bin/make -f
 # -*- makefile -*-

-DEB_MAKE_INSTALL_TARGET = install DESTDIR=$(cdbs_make_curdestdir)
+export DH_OPTIONS

-include /usr/share/cdbs/1/rules/debhelper.mk
-include /usr/share/cdbs/1/class/makefile.mk
+%:
+	dh $@

--- a/examples/filter.d/00ring0
+++ b/examples/filter.d/00ring0
-
-# Create a RING0 chain that will accept requests from IP addresses
-# in the ring0, and drop everything else.
-create_chain RING0
-if [ -e /etc/ai/hosts ]; then
-    ai_hosts=${AI_HOSTS:-/etc/ai/hosts}
-    RING0_IP4=$(resolve_addrs_from_file ${ai_hosts} ipv4)
-    RING0_IP6=$(resolve_addrs_from_file ${ai_hosts} ipv6)
-    for ip in ${RING0_IP4} ; do
-        add_rule4 -A RING0 -s ${ip} -j ACCEPT
-    done
-    for ip in ${RING0_IP6} ; do
-        add_rule6 -A RING0 -s ${ip} -j ACCEPT
-    done
-fi
-add_rule -A RING0 -j DROP
--- a/examples/filter.d/dns
+++ b/examples/filter.d/dns
-add_user_port udp 53
-add_user_port tcp 53