From e3ac8939191e19965d4645676f38ef011fc9874f Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Wed, 10 Apr 2013 20:57:06 +0200
Subject: [PATCH] Ajout : vm_hosted : rule_shorewall_configure .
---
 etc/shorewall/interfaces | 6 +
 etc/shorewall/macro.d/macro.Git | 3 +
 etc/shorewall/macro.d/macro.Managesieve | 3 +
 etc/shorewall/macro.d/macro.Mosh | 4 +
 etc/shorewall/params | 1 +
 etc/shorewall/policy | 7 ++
 etc/shorewall/rules | 32 +++++
 etc/shorewall/shorewall.conf | 148 ++++++++++++++++++++++++
 etc/shorewall/zones | 6 +
 vm_hosted | 42 +++++++
 10 files changed, 252 insertions(+)
 create mode 100644 etc/shorewall/interfaces
 create mode 100644 etc/shorewall/macro.d/macro.Git
 create mode 100644 etc/shorewall/macro.d/macro.Managesieve
 create mode 100644 etc/shorewall/macro.d/macro.Mosh
 create mode 100644 etc/shorewall/params
 create mode 100644 etc/shorewall/policy
 create mode 100644 etc/shorewall/rules
 create mode 100644 etc/shorewall/shorewall.conf
 create mode 100644 etc/shorewall/zones
diff --git a/etc/shorewall/interfaces b/etc/shorewall/interfaces
new file mode 100644
index 0000000..293bc27
--- /dev/null
+++ b/etc/shorewall/interfaces
@@ -0,0 +1,6 @@
+# DOC: shorewall-interfaces(5)
+###############################################################################
+FORMAT 2
+###############################################################################
+#ZONE INTERFACE OPTIONS
+net eth0 arp_filter,logmartians,nosmurfs,routefilter,sourceroute=0,tcpflags
diff --git a/etc/shorewall/macro.d/macro.Git b/etc/shorewall/macro.d/macro.Git
new file mode 100644
index 0000000..69430b6
--- /dev/null
+++ b/etc/shorewall/macro.d/macro.Git
@@ -0,0 +1,3 @@
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 9418
diff --git a/etc/shorewall/macro.d/macro.Managesieve b/etc/shorewall/macro.d/macro.Managesieve
new file mode 100644
index 0000000..4899524
--- /dev/null
+++ b/etc/shorewall/macro.d/macro.Managesieve
@@ -0,0 +1,3 @@
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - tcp 4190
diff --git a/etc/shorewall/macro.d/macro.Mosh b/etc/shorewall/macro.d/macro.Mosh
new file mode 100644
index 0000000..a312226
--- /dev/null
+++ b/etc/shorewall/macro.d/macro.Mosh
@@ -0,0 +1,4 @@
+#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+# PORT(S) PORT(S) LIMIT GROUP
+PARAM - - udp 60000:\
+ 60010
diff --git a/etc/shorewall/params b/etc/shorewall/params
new file mode 100644
index 0000000..16c86d0
--- /dev/null
+++ b/etc/shorewall/params
@@ -0,0 +1 @@
+#LAST LINE -- DO NOT REMOVE
diff --git a/etc/shorewall/policy b/etc/shorewall/policy
new file mode 100644
index 0000000..4c9f3d8
--- /dev/null
+++ b/etc/shorewall/policy
@@ -0,0 +1,7 @@
+# DOC: shorewall-policy(5)
+###############################################################################
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+$FW net DROP
+net all DROP info
+# XXX: the following policy must be last
+all all REJECT info
diff --git a/etc/shorewall/rules b/etc/shorewall/rules
new file mode 100644
index 0000000..008765f
--- /dev/null
+++ b/etc/shorewall/rules
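Review bot: The `$FW net DROP` policy line carries no log level, so every outbound connection attempt that is not explicitly accepted in rules is discarded silently; on a hosted VM that is precisely the traffic you want recorded (an unexpected egress attempt from a compromised service), so it should read `$FW net DROP info`. The two logged policies, `net all DROP info` and `all all REJECT info`, leave the LIMIT:BURST column empty, and the shorewall.conf in this same patch sets `LOGLIMIT=` to nothing, so an Internet-wide scan can fill /var/log/messages at line rate; a per-policy limit such as `net all DROP info 10/min:30` bounds that. The file is complete within the hunk.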
@@ -0,0 +1,32 @@
+# DOC: shorewall-rules(5)
+######################################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
+# PORT PORT(S) DEST LIMIT GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+DNS(ACCEPT) net $FW
+Git(ACCEPT) net $FW
+HTTP(ACCEPT) net $FW
+HTTPS(ACCEPT) net $FW
+Limit(IMAPS,5,60):info net $FW tcp imaps
+IMAPS(ACCEPT) net $FW
+Managesieve(ACCEPT) net $FW
+Mosh(ACCEPT) net $FW
+SMTP(ACCEPT) net $FW
+Ping(ACCEPT) net $FW
+Limit(SSH,10,60):info net $FW tcp ssh
+SSH(ACCEPT) net $FW
+Submission(ACCEPT) net $FW
+Limit(Submission,10,60):info net $FW tcp submission
+
+ACCEPT $FW net icmp
+DNS(ACCEPT) $FW net
+Git(ACCEPT) $FW net
+HTTP(ACCEPT) $FW net
+HTTPS(ACCEPT) $FW net
+NTP(ACCEPT) $FW net
+SMTP(ACCEPT) $FW net
+SSH(ACCEPT) $FW net
diff --git a/etc/shorewall/shorewall.conf b/etc/shorewall/shorewall.conf
new file mode 100644
index 0000000..d77741f
--- /dev/null
+++ b/etc/shorewall/shorewall.conf
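Review bot: `Limit(Submission,10,60):info net $FW tcp submission`, the last line of the inbound group, is dead: rules within a section are matched in order and the preceding `Submission(ACCEPT) net $FW` already accepts every new connection to port 587, so the limiter never sees a packet and submission is the one rate-limited service that is in fact unthrottled; imaps and ssh get it right by placing `Limit(IMAPS,…)` and `Limit(SSH,…)` before their ACCEPT. Swap the two submission lines so the Limit rule comes first. Separately, `DNS(ACCEPT) net $FW` and `Git(ACCEPT) net $FW` expose port 53 and an unauthenticated git:// daemon to the whole Internet, which is appropriate for an authoritative nameserver and deliberately public repositories but makes a recursive resolver a UDP amplification source; a one-line comment recording which case applies would help the next reader.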
@@ -0,0 +1,148 @@
+# DOC: http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+# S T A R T U P E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+# V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+# L O G G I N G
+###############################################################################
+
+BLACKLIST_LOGLEVEL=
+LOGALLNEW=
+LOGFILE=/var/log/messages
+LOGFORMAT="Shorewall:%s:%s:"
+LOGLIMIT=
+LOGTAGONLY=No
+LOG_MARTIANS=Yes
+LOG_VERBOSITY=2
+MACLIST_LOG_LEVEL=info
+RELATED_LOG_LEVEL=
+SFILTER_LOG_LEVEL=info
+SMURF_LOG_LEVEL=info
+STARTUP_LOG=/var/log/shorewall-init.log
+TCP_FLAGS_LOG_LEVEL=info
+
+###############################################################################
+# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
+###############################################################################
+
+CONFIG_PATH="${CONFDIR}/shorewall:${CONFDIR}/shorewall/macro.d:${SHAREDIR}/shorewall"
+GEOIPDIR=/usr/share/xt_geoip/LE
+IP=
+IPSET=
+IPTABLES=
+LOCKFILE=
+MODULESDIR=
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+PERL=/usr/bin/perl
+RESTOREFILE=restore
+SHOREWALL_SHELL=/bin/sh
+SUBSYSLOCK=""
+TC=
+
+###############################################################################
+# D E F A U L T A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
+
+###############################################################################
+# R S H / R C P C O M M A N D S 
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+# F I R E W A L L O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+ACCOUNTING_TABLE=filter
+ADD_IP_ALIASES=No
+ADD_SNAT_ALIASES=No
+ADMINISABSENTMINDED=Yes
+AUTOMAKE=No
+AUTO_COMMENT=Yes
+BLACKLISTNEWONLY=Yes
+CLAMPMSS=No
+CLEAR_TC=Yes
+COMPLETE=No
+DELETE_THEN_ADD=Yes
+DETECT_DNAT_IPADDRS=No
+DISABLE_IPV6=No
+DONT_LOAD=
+DYNAMIC_BLACKLIST=Yes
+EXPAND_POLICIES=Yes
+EXPORTMODULES=Yes
+FASTACCEPT=No
+FORWARD_CLEAR_MARK=
+IMPLICIT_CONTINUE=No
+IPSET_WARNINGS=Yes
+IP_FORWARDING=Keep
+KEEP_RT_TABLES=No
+LEGACY_FASTSTART=Yes
+LOAD_HELPERS_ONLY=No
+MACLIST_TABLE=filter
+MACLIST_TTL=
+MANGLE_ENABLED=Yes
+MAPOLDACTIONS=No
+MARK_IN_FORWARD_CHAIN=No
+MODULE_SUFFIX=ko
+MULTICAST=No
+MUTEX_TIMEOUT=60
+NULL_ROUTE_RFC1918=Yes
+OPTIMIZE=0
+OPTIMIZE_ACCOUNTING=No
+REQUIRE_INTERFACE=No
+RESTORE_DEFAULT_ROUTE=Yes
+RETAIN_ALIASES=No
+ROUTE_FILTER=Yes
+SAVE_IPSETS=No
+TC_ENABLED=Internal
+TC_EXPERT=No
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+TRACK_PROVIDERS=No
+USE_DEFAULT_RT=No
+USE_PHYSICAL_NAMES=No
+ZONE2ZONE=2
+
+###############################################################################
+# P A C K E T D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+MACLIST_DISPOSITION=REJECT
+RELATED_DISPOSITION=ACCEPT
+SFILTER_DISPOSITION=DROP
+SMURF_DISPOSITION=DROP
+TCP_FLAGS_DISPOSITION=DROP
+
+################################################################################
+# P A C K E T M A R K L A Y O U T
+################################################################################
+
+MASK_BITS=
+PROVIDER_BITS=
+PROVIDER_OFFSET=
+TC_BITS=
+ZONE_BITS=0
+
+################################################################################
+# L E G A C Y O P T I O N
+# D O N O T D E L E T E O R A L T E R
+################################################################################
+
+IPSECFILE=zones
diff --git a/etc/shorewall/zones b/etc/shorewall/zones
new file mode 100644
index 0000000..1c410f0
--- /dev/null
+++ b/etc/shorewall/zones
@@ -0,0 +1,6 @@
+# DOC: shorewall-zones(5)
+###############################################################################
+#ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net ipv4
diff --git a/vm_hosted b/vm_hosted
index b129993..a502f9d 100755
--- a/vm_hosted
+++ b/vm_hosted
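Review bot: `DISABLE_IPV6=No` leaves IPv6 completely unfiltered by this IPv4-only Shorewall configuration, and the patch adds no shorewall6 counterpart, so if the VM has a global IPv6 address any daemon bound to `::` (the DNS, HTTP, IMAP and SMTP services exposed in rules, for instance) is reachable over v6 without the DROP policy, the Limit rate-limits or the logging configured here. Unless a shorewall6 configuration is maintained alongside, set `DISABLE_IPV6=Yes` so Shorewall installs ip6tables rules that block IPv6 traffic through the host. `IP_FORWARDING=Keep` likewise inherits whatever the kernel sysctl already holds; for a single-interface host whose zones file defines only fw and net, `IP_FORWARDING=No` states the intent and cannot be overridden by a stray sysctl.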
@@ -1437,6 +1437,47 @@ rule_runit_sv_restart () { # SYNTAX: $sv
 esac
 done
 }
+rule_shorewall_configure () {
+ # DOC: http://shorewall.net/Introduction.html
+ local -; set +f
+ rule apt_get_install shorewall
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/default/shorewall <<-EOF
+ INITLOG=/dev/null
+ OPTIONS=""
+ RESTARTOPTIONS=""
+ SAFESTOP=0
+ STARTOPTIONS=""
+ startup=1
+ EOF
+ local conf
+ for conf in "$tool"/etc/shorewall/*
+ do conf=${conf#"$tool"/etc/shorewall/}
+ sudo test ! -f "$tool"/etc/shorewall/"$conf" ||
+ sudo install -m 640 -o root -g root \
+ "$tool"/etc/shorewall/"$conf" \
+ /etc/shorewall/"$conf"
+ done
+ sudo install -d -m 750 -o root -g root \
+ /etc/shorewall/macro.d
+ for conf in "$tool"/etc/shorewall/macro.d/*
+ do conf=${conf#"$tool"/etc/shorewall/macro.d/}
+ sudo test ! -f "$tool"/etc/shorewall/macro.d/"$conf" ||
+ sudo install -m 640 -o root -g root \
+ "$tool"/etc/shorewall/macro.d/"$conf" \
+ /etc/shorewall/macro.d/"$conf"
+ done
+ sudo install -d -m 750 -o root -g root \
+ /etc/shorewall/action.d
+ #for conf in "$tool"/etc/shorewall/action.d/*
+ # do conf=${conf#"$tool"/etc/shorewall/action.d/}
+ # sudo test ! -f "$tool"/etc/shorewall/action.d/"$conf" ||
+ # sudo install -m 640 -o root -g root \
+ # "$tool"/etc/shorewall/action.d/"$conf" \
+ # /etc/shorewall/action.d/"$conf"
+ # done
+ #sudo shorewall safe-restart
+ }
 rule_ssh_configure () {
 rule apt_get_install openssh-server
 rule insserv_remove ssh
@@ -1470,6 +1511,7 @@ rule_ssh_configure () {
 ListenAddress $vm_ipv4
 LogLevel INFO
 LoginGraceTime 120
+ MaxAuthTries 1
 PasswordAuthentication no
 PermitEmptyPasswords no
 PermitRootLogin yes
-- 
2.20.1
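Review bot: rule_shorewall_configure copies the new configuration into /etc/shorewall and arms it for boot (`startup=1` in /etc/default/shorewall, together with STARTUP_ENABLED=Yes in the shipped shorewall.conf) without ever compiling it, and the only activation step, `#sudo shorewall safe-restart`, is commented out; a typo in any copied file is therefore first noticed at the next reboot, when Shorewall fails to start and the host comes up with no packet filter, while on the running system the new rules are not in effect at all. Add `sudo shorewall check` after the install loops (it compiles the configuration without touching the live ruleset) and let a non-zero status abort the rule, e.g. `sudo shorewall check || return 1`, assuming callers of the rule_* functions propagate status as for the other `rule` helpers. For activation prefer `sudo shorewall restart` over the commented `safe-restart`, which waits for an interactive confirmation this script cannot provide. The `sudo test ! -f` guards correctly skip the `macro.d` and `action.d` directories matched by the glob; the function is complete within the hunk.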
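Review bot: `MaxAuthTries 1` is a lockout risk rather than a hardening: with `PasswordAuthentication no` already in force (context line just below), every public key the client offers that is not in authorized_keys counts as a failed attempt, so an administrator whose agent holds more than one key is disconnected with "Too many authentication failures" before the right key is even tried. `MaxAuthTries 3` keeps online guessing bounded while tolerating a couple of agent keys, or keep 1 and record that clients must connect with `IdentitiesOnly yes`; either way a comment explaining the choice belongs next to the line, e.g. `# MaxAuthTries 1: key-only login, clients must pin the key with IdentitiesOnly`. The enclosing rule_ssh_configure function starts and ends outside this hunk, so I could not see whether other sshd options compensate.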