[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. debian/0.12-2-gcc9c302
Andreas B. Mundt
andi at debian.org
Mon Jul 8 18:43:37 UTC 2013
The following commit has been merged in the master branch:
commit cc9c302e7c103a9c875efad311475214a56b97e8
Author: Andreas B. Mundt <andi at debian.org>
Date: Mon Jul 8 20:26:21 2013 +0200
Add FIREWALL class. Enable shorewall for the 'two-interfaces'-setup.
For the setup where the mainserver acts as gateway, configure
shorewall to block all access from the external network except ssh
logins (limited to one connection per minute).
Based on the more sophisticated example provided by Julien Lambot in
<URL:http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html>,
thanks!
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes
index 8da8289..1338c49 100755
--- a/fai/config/class/50-host-classes
+++ b/fai/config/class/50-host-classes
@@ -40,7 +40,7 @@ FLAVOR="LVM8_A DISKLESS_SERVER" ## simple diskless, default for testing in a VM
#FLAVOR="RAIDLVM7BAK_A RAID DISKLESS_SERVER" ## diskless, RAID1, backup disk
## Setup with graphical user management tool GOsa. Remove GOSA class if it is not needed:
-MAINSERVER_A="$FLAVOR CUPS_SERVER LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER \
+MAINSERVER_A="$FLAVOR FIREWALL CUPS_SERVER LOG_SERVER PROXY NTP_SERVER DNS_SERVER NFS_SERVER \
MAIL_SERVER LDAP_CLIENT LDAP_SERVER KERBEROS_CLIENT KERBEROS_KDC KDC_LDAP SERVER_A GOSA"
WORKSTATION_A="LVM5_A CUPS_CLIENT LOG_CLIENT LDAP_CLIENT NFS_CLIENT KERBEROS_CLIENT \
diff --git a/fai/config/package_config/CUPS_CLIENT b/fai/config/package_config/FIREWALL
similarity index 60%
copy from fai/config/package_config/CUPS_CLIENT
copy to fai/config/package_config/FIREWALL
index f498806..2645b4c 100644
--- a/fai/config/package_config/CUPS_CLIENT
+++ b/fai/config/package_config/FIREWALL
@@ -1,2 +1,2 @@
PACKAGES aptitude
-cups-client
+shorewall
diff --git a/fai/config/scripts/FIREWALL/10-config b/fai/config/scripts/FIREWALL/10-config
new file mode 100755
index 0000000..7c2a3a9
--- /dev/null
+++ b/fai/config/scripts/FIREWALL/10-config
@@ -0,0 +1,134 @@
+#!/bin/bash
+#
+
+set -e
+
+if [ "$FAI_ACTION" != "install" ] && [ "$CONVERT" != "true" ] ; then
+ exit 0
+fi
+
+CONFDIR="${target}/etc/shorewall/"
+
+if [ "$MAINSERVER_IPADDR" = "$GATEWAY" ] ; then
+ ## mainserver = gateway, use shorewall's "two-interfaces" example as base setup:
+ for FILE in interfaces masq policy routestopped rules zones ; do
+ cp -v ${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE $CONFDIR
+ done
+
+ ## Enable shorewall and forwarding:
+ sed -i "s/startup=0/startup=1/" ${target}/etc/default/shorewall
+ sed -i "s/IP_FORWARDING=Keep/IP_FORWARDING=on/" $CONFDIR/shorewall.conf
+
+ ## Define interfaces and use parameters:
+ sed -i -e 's/eth0/\$NET_IF/' -e 's/eth1/\$LOC_IF/' $CONFDIR/interfaces $CONFDIR/masq $CONFDIR/routestopped
+ sed -i -e '$i LOC_IF=eth0' -e '$i NET_IF=eth1' $CONFDIR/params
+
+ ## Allow access from the LAN to the firewall and from the firewall to LAN and internet:
+ sed -i -e '/^loc/a loc \$FW ACCEPT' \
+ -e '/^net/a $FW net ACCEPT' \
+ -e '/.*MUST BE LAST/i $FW loc ACCEPT' $CONFDIR/policy
+
+ ## Debian-LAN rules:
+ cat >> $CONFDIR/rules <<EOF
+##
+## Debian-LAN
+##
+#
+# Limit ssh connections from everywhere
+#
+SSH(ACCEPT) all \$FW - - - - s:1/min:1
+
+EOF
+
+else
+ # FIXME: Add firewall for server with single nic here:
+ exit 0
+fi
+
+## C.f. http://lists.alioth.debian.org/pipermail/debian-lan-devel/2013q2/000357.html
+## More restrictive rules (if traffic loc <--> $FW --> net is not allowed by default)
+
+#HTTP(ACCEPT) \$FW net
+#HTTP(ACCEPT) loc \$FW
+#HTTPS(ACCEPT) \$FW net
+#HTTPS(ACCEPT) loc \$FW
+#
+#LDAP(ACCEPT) loc \$FW
+#LDAPS(ACCEPT) loc \$FW
+#
+#SMTP(ACCEPT) loc \$FW
+#IMAP(ACCEPT) loc \$FW
+#
+#SSH(ACCEPT) loc \$FW
+#SSH(ACCEPT) \$FW loc
+#SSH(ACCEPT) \$FW net
+#
+#NTP(ACCEPT) \$FW net
+#NTP(ACCEPT) loc \$FW
+#
+##
+## Allow CUPS
+##
+#IPPserver(ACCEPT) loc \$FW
+#IPPserver(ACCEPT) \$FW loc
+#Jetdirect(ACCEPT) \$FW loc
+#
+##
+## Allow apt-cacher-ng
+##
+#ACCEPT loc \$FW tcp 3142
+#
+##
+## Allow TFTP
+##
+#TFTP(ACCEPT) loc \$FW
+#TFTP(ACCEPT) \$FW loc
+#
+##
+## Allow Nagios NRPE
+##
+#ACCEPT \$FW loc tcp 5666
+#
+##
+## Allow Munin
+##
+#Munin(ACCEPT) \$FW loc
+#
+##
+## Allow Syslog server
+##
+#Syslog(ACCEPT) loc \$FW
+#
+##
+## Kerberos v5 KDC
+##
+#ACCEPT loc \$FW tcp 88
+#ACCEPT loc \$FW udp 88
+## kpasswd
+#ACCEPT loc \$FW udp 464
+#
+##
+## Allow NFSv4
+##
+#ACCEPT loc \$FW udp 111
+#ACCEPT loc \$FW tcp 111
+#ACCEPT loc \$FW tcp 2049
+#ACCEPT loc \$FW udp 2049
+#ACCEPT loc \$FW tcp 32764:32769
+#ACCEPT loc \$FW udp 32764:32769
+#
+##
+## SQUID Manual Proxy (http://www.shorewall.net/Shorewall_Squid_Usage.html#Manual)
+##
+#Squid(ACCEPT) loc \$FW
+#Webcache(ACCEPT) loc \$FW
+#
+### below rules must be checked ## mostly triggered during FAI installation
+#ACCEPT loc \$FW tcp 51105
+#ACCEPT loc \$FW udp 55850
+#ACCEPT loc \$FW tcp 36174
+#ACCEPT loc \$FW tcp 4711
+#ACCEPT \$FW loc tcp 39233
+#ACCEPT \$FW loc tcp 53615
+##### pay extra attention ####
+#EOF
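Review bot: The path and variable expansions in the gateway branch are unquoted (`cp -v ${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE $CONFDIR`, and every `$CONFDIR/...` argument to sed), and the two sed `a` commands on the policy file spell the firewall zone differently (`loc \$FW ACCEPT` vs `$FW net ACCEPT`) although both sit inside single quotes; GNU sed strips the backslash in appended text so both end up as `$FW`, but the mismatch reads like a bug. I would quote the expansions, e.g. `cp -v -- "${target}/usr/share/doc/shorewall/examples/two-interfaces/$FILE" "$CONFDIR"`, use one spelling in the three `-e` expressions, and add a comment that sed's `a` appends after every line matching `/^loc/` or `/^net/`, so the edit relies on the example policy file having exactly one such entry each. The empty header comment at the top should state that the script only configures shorewall when the mainserver is the gateway and otherwise returns before `/etc/default/shorewall` is touched, so on a single-NIC mainserver the FIREWALL class installs the package but leaves it at its packaged startup setting; it could also note that the long commented-out rule block after the `fi` is plain shell comment and not part of the heredoc, which the trailing `#EOF` suggests it once was. Since shorewall now owns the iptables state on the gateway, the `post-up iptables` REDIRECT that SERVER_A/10-misc still appends to /etc/network/interfaces for dansguardian may be flushed when shorewall starts after the interface comes up; I would move that redirect into `$CONFDIR/rules` as a shorewall rule, or at least document the ordering assumption there.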
diff --git a/fai/config/scripts/SERVER_A/10-misc b/fai/config/scripts/SERVER_A/10-misc
index f0f4c71..0a6eed8 100755
--- a/fai/config/scripts/SERVER_A/10-misc
+++ b/fai/config/scripts/SERVER_A/10-misc
@@ -57,9 +57,6 @@ if [ "$MAINSERVER_IPADDR" != "$GATEWAY" ] ; then
gateway ${GATEWAY}
EOF
else
- cat >> $target/etc/network/interfaces <<EOF
- post-up iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
-EOF
if $ROOTCMD which dansguardian > /dev/null ; then
cat >> $target/etc/network/interfaces <<EOF
## Redirect port 80 to dansguardian:
@@ -73,6 +70,4 @@ allow-hotplug eth1
auto eth1
iface eth1 inet dhcp
EOF
- ## Switch on forwarding:
- ainsl -a /etc/sysctl.d/debian-lan.conf "net.ipv4.ip_forward=1"
fi