1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
#!/usr/local/bin/perl
# setup.cgi
# Setup an initial save file
require './firewall-lib.pl';
&ReadParse();
$access{'setup'} || &error($text{'setup_ecannot'});
&lock_file($iptables_save_file);
if ($in{'reset'}) {
# Clear out all rules
foreach $t ("filter", "nat", "mangle") {
&system_logged("iptables -t $t -P INPUT ACCEPT >/dev/null 2>&1");
&system_logged("iptables -t $t -P OUTPUT ACCEPT >/dev/null 2>&1");
&system_logged("iptables -t $t -P FORWARD ACCEPT >/dev/null 2>&1");
&system_logged("iptables -t $t -P PREROUTING ACCEPT >/dev/null 2>&1");
&system_logged("iptables -t $t -P POSTROUTING ACCEPT >/dev/null 2>&1");
&system_logged("iptables -t $t -F >/dev/null 2>&1");
&system_logged("iptables -t $t -X >/dev/null 2>&1");
}
}
# Save all existing active rules
if (defined(&unapply_iptables)) {
&unapply_iptables();
}
else {
&backquote_logged("iptables-save >$iptables_save_file 2>&1");
}
if ($in{'auto'}) {
@tables = &get_iptables_save();
if ($in{'auto'} == 1) {
# Add a single rule to the nat table for masquerading
$iface = $in{'iface1'} || $in{'iface1_other'};
$iface || &error($text{'setup_eiface'});
($table) = grep { $_->{'name'} eq 'nat' } @tables;
push(@{$table->{'rules'}},
{ 'chain' => 'POSTROUTING',
'o' => [ "", $iface ],
'j' => [ "", 'MASQUERADE' ] } );
}
elsif ($in{'auto'} >= 2) {
# Block all incoming traffic, except for established
# connections, DNS replies and safe ICMP types
# In mode 3 allow ssh and ident too
# In mode 4 allow ftp, echo-request and high ports too
$iface = $in{'iface'.$in{'auto'}} ||
$in{'iface'.$in{'auto'}.'_other'};
$iface || &error($text{'setup_eiface'});
($table) = grep { $_->{'name'} eq 'filter' } @tables;
$table->{'defaults'}->{'INPUT'} = 'DROP';
push(@{$table->{'rules'}},
{ 'chain' => 'INPUT',
'i' => [ "!", $iface ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept traffic from internal interfaces' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "tcp" ] ],
'p' => [ "", "tcp" ],
'tcp-flags' => [ "", "ACK", "ACK" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept traffic with the ACK flag set' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "state" ] ],
'state' => [ "", "ESTABLISHED" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Allow incoming data that is part of a connection we established' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "state" ] ],
'state' => [ "", "RELATED" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Allow data that is related to existing connections' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "udp" ] ],
'p' => [ "", "udp" ],
'sport' => [ "", 53 ],
'dport' => [ "", "1024:65535" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept responses to DNS queries' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "icmp" ] ],
'p' => [ [ "", "icmp" ] ],
'icmp-type' => [ "", "echo-reply" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept responses to our pings' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "icmp" ] ],
'p' => [ [ "", "icmp" ] ],
'icmp-type' => [ "", "destination-unreachable" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept notifications of unreachable hosts' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "icmp" ] ],
'p' => [ [ "", "icmp" ] ],
'icmp-type' => [ "", "source-quench" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept notifications to reduce sending speed' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "icmp" ] ],
'p' => [ [ "", "icmp" ] ],
'icmp-type' => [ "", "time-exceeded" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept notifications of lost packets' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "icmp" ] ],
'p' => [ [ "", "icmp" ] ],
'icmp-type' => [ "", "parameter-problem" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Accept notifications of protocol problems' }
);
if ($in{'auto'} >= 3) {
# Allow ssh and ident
push(@{$table->{'rules'}},
{ 'chain' => 'INPUT',
'm' => [ [ "", "tcp" ] ],
'p' => [ "", "tcp" ],
'dport' => [ "", "ssh" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Allow connections to our SSH server' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "tcp" ] ],
'p' => [ "", "tcp" ],
'dport' => [ "", "auth" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Allow connections to our IDENT server'}
);
}
if ($in{'auto'} == 4) {
# Allow pings and most high ports
push(@{$table->{'rules'}},
{ 'chain' => 'INPUT',
'm' => [ [ "", "icmp" ] ],
'p' => [ [ "", "icmp" ] ],
'icmp-type' => [ "", "echo-request" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Respond to pings' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "tcp" ] ],
'p' => [ "", "tcp" ],
'dport' => [ "", "2049:2050" ],
'j' => [ "", 'DROP' ],
'cmt' => 'Protect our NFS server' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "tcp" ] ],
'p' => [ "", "tcp" ],
'dport' => [ "", "6000:6063" ],
'j' => [ "", 'DROP' ],
'cmt' => 'Protect our X11 display server' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "tcp" ] ],
'p' => [ "", "tcp" ],
'dport' => [ "", "7000:7010" ],
'j' => [ "", 'DROP' ],
'cmt' => 'Protect our X font server' },
{ 'chain' => 'INPUT',
'm' => [ [ "", "tcp" ] ],
'p' => [ "", "tcp" ],
'dport' => [ "", "1024:65535" ],
'j' => [ "", 'ACCEPT' ],
'cmt' => 'Allow connections to unprivileged ports' },
);
}
}
&run_before_command();
&save_table($table);
&run_after_command();
©_to_cluster();
}
if ($in{'atboot'}) {
&create_firewall_init();
}
&unlock_file($iptables_save_file);
&webmin_log("setup");
&redirect("");
|
