first commit

Makefile

+
+prefix = /usr
+sysconfdir = /etc
+INSTALL = install
+
+all:
+
+clean:
+
+install:
+	$(INSTALL) -m 755 firewall $(DESTDIR)$(prefix)/bin/firewall
+	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall
+	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall/filter.d
+	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall/nat.d
+	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/firewall/mangle.d
+	(for f in ./conf-dist/filter.d/* ; do \
+	 $(INSTALL) -m 644 $$f $(DESTDIR)$(sysconfdir)/firewall/filter.d ; done)
+

conf-dist/filter.d/01fail2ban

+
+# The following snippet saves the existing fail2ban rules and
+# reproduces them identically in the output.
+if [ -x /sbin/iptables-save ]; then
+    /sbin/iptables-save | (while read line ; do
+        case "${line}" in
+            ":fail2ban-"*|"-A fail2ban-"*|*"-j fail2ban-"*)
+                add_rule4 "${line}"
+                ;;
+        esac
+        done)
+fi

debian/ai-firewall.init

+#!/bin/bash
+#
+# Start/stop the A/I firewall.
+#
+### BEGIN INIT INFO
+# Provides:          ai-firewall
+# Required-Start:    $network $local_fs
+# Required-Stop:
+# Should-Start:
+# Should-Stop:
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: A/I Firewall
+# Description:       A/I Firewall
+### END INIT INFO
+
+ENABLED=true
+
+test -e /etc/default/ai-firewall && . /etc/default/ai-firewall
+
+if [ "${ENABLED}" != true ]; then
+    exit 0
+fi
+
+case "$1" in
+start|restart)
+        echo -n "Starting firewall... "
+        /usr/bin/firewall start
+        echo "ok"
+        ;;
+stop)
+        ;;
+esac
+
+exit 0

debian/changelog

+accountserver (0.1) unstable; urgency=low
+
+  * First packaged release.
+
+ -- Autistici/Inventati <debian@autistici.org>  Sat, 13 Sep 2012 14:49:37 +0000

debian/compat

+7

debian/control

+Source: ai-firewall
+Section: net
+Priority: extra
+Maintainer: Autistici/Inventati <debian@autistici.org>
+Build-Depends: debhelper (>= 7), cdbs
+Standards-Version: 3.8.0.1
+
+Package: ai-firewall
+Architecture: all
+Depends: ${misc:Depends}, python, iptables
+Description: A/I Firewall Script
+ Automatically maintain local firewalls for A/I servers.
+

debian/rules

+#!/usr/bin/make -f
+# -*- makefile -*-
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/class/makefile.mk
+

examples/filter.d/00ring0

+
+# Create a RING0 chain that will accept requests from IP addresses
+# in the ring0, and drop everything else.
+create_chain RING0
+if [ -e /etc/ai/hosts ]; then
+    ai_hosts=${AI_HOSTS:-/etc/ai/hosts}
+    RING0_IP4=$(resolve_addrs_from_file ${ai_hosts} ipv4)
+    RING0_IP6=$(resolve_addrs_from_file ${ai_hosts} ipv6)
+    for ip in ${RING0_IP4} ; do
+        add_rule4 -A RING0 -s ${ip} -j ACCEPT
+    done
+    for ip in ${RING0_IP6} ; do
+        add_rule6 -A RING0 -s ${ip} -j ACCEPT
+    done
+fi
+add_rule -A RING0 -j DROP

examples/filter.d/dns

+add_user_port udp 53
+add_user_port tcp 53

examples/filter.d/ftp

+
+add_user_port tcp 21
+
+# This is the port range for PASV transfers.
+add_user_port tcp 15000:19000

examples/filter.d/jabber

+
+add_user_ports tcp 5222,5223,5269,5280
+
+# STUN.
+add_user_ports tcp 3478,5349
+add_user_port udp 3478
+

examples/filter.d/mail

+add_user_ports tcp 25,110,143,465,587,993,995
+

examples/filter.d/monitoring

+
+# Create a chain with probe IP ranges.
+create_chain MONITORING
+add_rule -A MONITORING -s 131.114.114.0/24 -j ACCEPT
+add_rule -A MONITORING -s 46.4.206.80/28 -j ACCEPT
+add_rule -A MONITORING -j DROP
+
+add_user_port tcp 3900 -j MONITORING
+

examples/filter.d/tinc

+for proto in udp tcp ; do
+  add_user_ports ${proto} 655,656,657 -j RING0
+done

examples/filter.d/www

+
+# Standard HTTP/HTTPS ports.
+add_user_ports tcp 80,443
+
+# Block outgoing connections from the users' FastCGI runners
+# (i.e. the PHP scripts) to only HTTP.
+USERS_GROUP=2000
+create_chain user-output-cgi
+add_rule -A user-output-cgi -p tcp --syn --dport 80 -j ACCEPT
+add_rule -A user-output-cgi -p tcp --syn --dport 443 -j ACCEPT
+add_rule -A user-output-cgi -m log --log-prefix \"users-cgi: \" \
+         -m limit --limit 3/s -j LOG
+add_rule -A user-output-cgi -j REJECT
+add_rule -A OUTPUT -m owner --gid-owner ${USERS_GROUP} -j user-output-cgi

firewall

+#!/bin/bash
+
+
+FW_DIR="${FW_DIR:-/etc/firewall}"
+TABLES="filter nat mangle"
+
+# Resolve a host with the given proto (ipv4 or ipv6).
+resolve_addr() {
+    local addr="$1"
+    local proto="$2"
+    case ${proto} in
+        ipv4) af=AF_INET ;;
+        ipv6) af=AF_INET6 ;;
+    esac
+    python -c "import socket ; print socket.getaddrinfo('${addr}', 0, socket.${af}, socket.SOCK_STREAM)[0][4][0]" 2>/dev/null || true
+}
+
+# Resolve all hostnames in a file.
+resolve_addrs_from_file() {
+    local filename="$1"
+    local proto="$2"
+    awk '{print $1}' < ${filename} \
+        | while read name ; do \
+        test -n "${name}" && resolve_addr ${name}.investici.org ${proto} ; \
+        done
+}
+
+# Add a rule valid for IPv4 and IPv6.
+add_rule() {
+    add_rule4 "$*"
+    add_rule6 "$*"
+}
+
+# Add an IPv4-only rule.
+add_rule4() {
+    local args="$*"
+    echo "${args}" 1>&4
+}
+
+# Add an IPv6-only rule.
+add_rule6() {
+    local args="$*"
+    echo "${args}" 1>&6
+}
+
+# Create a new iptables chain.
+create_chain() {
+    local chain="$1"
+    local policy="${2:--}"
+    add_rule4 ":${chain} ${policy} [0:0]"
+    add_rule6 ":${chain} ${policy} [0:0]"
+}
+
+# Add a rule to a chain.
+add_to_chain() {
+    local chain="$1"
+    shift
+    local args="$*"
+    add_rule -A ${chain} "${args}"
+}
+
+# Add a rule to the 'user-input' chain allowing traffic to a
+# specific port/protocol.
+add_user_port() {
+    local proto="$1"
+    local port="$2"
+    shift 2
+    local target="$*"
+    if [ -z "${target}" ]; then
+        target="-j ACCEPT"
+    fi
+    add_rule -A user-input -p ${proto} --dport ${port} ${target}
+}
+
+# Add a rule to the 'user-input' chain allowing traffic to
+# a set of multiple ports.
+add_user_ports() {
+    local proto="$1"
+    local ports="$2"
+    shift 2
+    add_rule -A user-input -p ${proto} -m multiport --dports ${ports} $*
+}
+
+# Prepare rule generation, using the two temporary files passed as
+# arguments.
+run_with_fds() {
+    v4rules="$1"
+    v6rules="$2"
+    shift 2
+    exec 4>>${v4rules} 6>>${v6rules}
+    "$@"
+}
+
+# Generate rules.
+generate() {
+    local table_name="$1"
+    local conf_root="$1"
+
+    add_rule "*${table_name}"
+
+    # Initialize the table.
+    case ${table_name} in
+        nat)
+            generate_nat
+            ;;
+        filter)
+            generate_filter
+            ;;
+   esac
+
+    # Load user-defined rulesets.
+    for file in ${conf_root}/*
+    do
+        test -f ${file} || continue
+        case $(basename "${file}") in
+            *~|.*)
+                ;;
+            *)
+                . ${file}
+                ;;
+        esac
+    done
+
+    add_rule COMMIT
+}
+
+# Initialize the 'nat' table.
+generate_nat() {
+    create_chain PREROUTING ACCEPT
+    create_chain INPUT ACCEPT
+    create_chain OUTPUT ACCEPT
+    create_chain POSTROUTING ACCEPT
+}
+
+# Initialize the 'filter' table.
+generate_filter() {
+    create_chain INPUT DROP
+    create_chain OUTPUT ACCEPT
+    create_chain FORWARD ACCEPT
+
+    # Setup the INPUT chain.
+    # It is split into stages: before-input, user-input
+    add_rule -A INPUT -j before-input
+    add_rule -A INPUT -j drop-noise
+    add_rule -A INPUT -j user-input
+
+    # Set up a chain that will drop noisy scans early.
+    create_chain drop-noise
+    add_rule -A drop-noise -p tcp --dports 139,445 -j DROP
+    add_rule -A drop-noise -p udp --dports 137,138 -j DROP
+
+    # base-input chain.
+    create_chain base-input
+
+    # Enable everything from lo and ring0.
+    add_rule -A base-input -i lo -j ACCEPT
+    add_rule4 -A base-input -i ring0 -s 172.16.1.0/24 -j ACCEPT
+
+    # Some IPv6-specific ICMP setup.
+    add_rule6 -A before-input -m rt --rt-type 0 --rt-segsleft 0 -j DROP 
+    for icmp6type in 133 134 135 136 ; do 
+        add_rule6 -A before-input -p ipv6-icmp -m icmp6 \
+            --icmpv6-type ${icmp6type} -m hl --hl-eq 255 -j ACCEPT 
+    done
+
+    # Standard conntrack stuff.
+    add_rule -A base-input -m state --state RELATED,ESTABLISHED -j ACCEPT
+    add_rule6 -A before-input -s fe80::/10 -p ipv6-icmp -m icmp6 \
+        --icmpv6-type 129 -j ACCEPT
+    add_rule -A base-input -m state --state INVALID -j DROP
+
+    # Enable 6to4 protocols.
+    add_rule -A base-input -p ipv6 -j ACCEPT
+
+    # Allow useful ICMPs.
+    for icmptype in 3 4 8 11 12 ; do
+        add_rule4 -A base-input -p icmp -m icmp \
+            --icmp-type ${icmptype} -j ACCEPT
+    done
+    for icmp6type in 1 2 3 4 128 ; do
+        add_rule6 -A base-input -p ipv6-icmp -m icmp6 \
+            --icmpv6-type ${icmp6type} -j ACCEPT
+    done
+
+    # IPv6 autodiscovery.
+    #add_rule6 -A before-input -s fe80::/10 -d fe80::/10 -p udp -m udp \
+    #    --sport 547 --dport 546 -j ACCEPT
+
+    # user-input
+    create_chain user-input
+
+    # Always allow SSH access, just in case someone forgets to add it
+    # with a user-defined ruleset file.
+    add_user_port tcp 22
+}
+
+load() {
+    set -e
+    set -u
+
+    v4rules=$(mktemp ${TMP:-/tmp}/ip4t.XXXXXX)
+    v6rules=$(mktemp ${TMP:-/tmp}/ip6t.XXXXXX)
+    trap "rm -f ${v4rules} ${v6rules} 2>/dev/null; trap - EXIT; exit 0" EXIT
+
+    # Setup the various tables. Note that IPv6 only has the
+    # 'filter' table.
+    for table in ${TABLES} ; do
+        table_dir=${FW_DIR}/${table}.d
+        case "$table" in
+            filter)
+                run_with_fds ${v4rules} ${v6rules} \
+                    generate ${table} ${table_dir}
+                ;;
+            *)
+                run_with_fds ${v4rules} /dev/null \
+                    generate ${table} ${table_dir}
+                ;;
+        esac
+    done
+
+    echo "/sbin/iptables-restore <${v4rules}"
+    cat ${v4rules}
+    echo "/sbin/ip6tables-restore <${v6rules}"
+    cat ${v6rules}
+}
+
+case "$1" in
+    start|load|reload)
+        load
+        ;;
+    *)
+        echo "Usage: $0 {start|reload}" 1>&2
+        ;;
+esac
+
+exit 0