* minifirewall: upstream release 22.03.2
This commit is contained in:
parent
545226f6f6
commit
8a9faa0250
|
@ -18,7 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* evolinux-base: backup-server-state release 22.03
|
* evolinux-base: backup-server-state release 22.03
|
||||||
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
|
* evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
|
||||||
* generate-ldif: Add services check for bkctld
|
* generate-ldif: Add services check for bkctld
|
||||||
* minifirewall: upstream release 22.03.1 and use includes directory
|
* minifirewall: upstream release 22.03.2 and use includes directory
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
|
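--- /dev/null
+++ b/minifirewall/files/blacklist-countries.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+ripedeny_file=/var/tmp/ripe_deny
+
+cd /var/tmp
+
+rm -f $ripedeny_file
+
+GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5
+GET http://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr
+
+for i in CN KR RU; do
+
+grep "^$i|" ripe.cidr >> $ripedeny_file
+
+done
+
+/sbin/iptables -F NEEDRESTRICT
+
+for i in $(cat $ripedeny_file); do
+BLOCK=$(echo $i | cut -d"|" -f2)
+/sbin/iptables -I NEEDRESTRICT -s $BLOCK -j DROP
+done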
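Review bot: ripe.cidr.md5 is downloaded but never compared with ripe.cidr, and no GET result is checked, so a failed or truncated download still reaches `/sbin/iptables -F NEEDRESTRICT` and leaves the chain flushed with no DROP rules re-added — the country blocks silently disappear until the next run. Both fetches are plain HTTP from one host, so the checksum only catches transfer errors, not a modified list, but it is still worth enforcing, together with an exit before the firewall is touched when a fetch fails or $ripedeny_file ends up empty. The `for i in $(cat …)` / `echo | cut` loop can become a `while IFS='|' read -r` over the file, which also lets `$BLOCK` be quoted. The md5sum line below assumes ripe.cidr.md5 is in `md5sum -c` format (`<hash>  ripe.cidr`); verify that against the published file, and note that NEEDRESTRICT must already exist since the script does not create it.
```sh
#!/bin/sh
set -u

ripedeny_file=/var/tmp/ripe_deny

cd /var/tmp || exit 1
rm -f -- "$ripedeny_file"

# Stop before the firewall is touched if a download fails or the list does
# not match its published checksum (protects against truncated/partial fetches).
GET http://antispam00.evolix.org/spam/ripe.cidr.md5 > ripe.cidr.md5 || exit 1
GET http://antispam00.evolix.org/spam/ripe.cidr > ripe.cidr || exit 1
md5sum -c --status ripe.cidr.md5 || exit 1

# … unchanged: per-country grep into $ripedeny_file …

# An empty deny list would flush NEEDRESTRICT and re-add nothing.
[ -s "$ripedeny_file" ] || exit 1

/sbin/iptables -F NEEDRESTRICT
while IFS='|' read -r _country BLOCK _rest; do
  /sbin/iptables -I NEEDRESTRICT -s "$BLOCK" -j DROP
done < "$ripedeny_file"
```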
@ -28,9 +28,10 @@
|
||||||
# Description: Firewall designed for standalone server
|
# Description: Firewall designed for standalone server
|
||||||
### END INIT INFO
|
### END INIT INFO
|
||||||
|
|
||||||
VERSION="22.03.1"
|
VERSION="22.03.2"
|
||||||
|
|
||||||
NAME="minifirewall"
|
NAME="minifirewall"
|
||||||
|
# shellcheck disable=SC2034
|
||||||
DESC="Firewall designed for standalone server"
|
DESC="Firewall designed for standalone server"
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
|
@ -115,6 +116,8 @@ chain_exists() {
|
||||||
chain_name="$1"
|
chain_name="$1"
|
||||||
if [ $# -ge 2 ]; then
|
if [ $# -ge 2 ]; then
|
||||||
intable="--table $2"
|
intable="--table $2"
|
||||||
|
else
|
||||||
|
intable=""
|
||||||
fi
|
fi
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
iptables ${intable} -nL "${chain_name}" >/dev/null 2>&1
|
iptables ${intable} -nL "${chain_name}" >/dev/null 2>&1
|
||||||
|
@ -476,34 +479,46 @@ start() {
|
||||||
# Privileged services (accessible from privileged & trusted IPs)
|
# Privileged services (accessible from privileged & trusted IPs)
|
||||||
for dstport in ${SERVICESTCP2}; do
|
for dstport in ${SERVICESTCP2}; do
|
||||||
for srcip in ${PRIVILEGIEDIPS}; do
|
for srcip in ${PRIVILEGIEDIPS}; do
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
if ! is_ipv6 ${srcip}; then
|
||||||
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
for srcip in ${TRUSTEDIPS}; do
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
if ! is_ipv6 ${srcip}; then
|
||||||
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
for dstport in ${SERVICESUDP2}; do
|
for dstport in ${SERVICESUDP2}; do
|
||||||
for srcip in ${PRIVILEGIEDIPS}; do
|
for srcip in ${PRIVILEGIEDIPS}; do
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
if ! is_ipv6 ${srcip}; then
|
||||||
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
for srcip in ${TRUSTEDIPS}; do
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
if ! is_ipv6 ${srcip}; then
|
||||||
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
# Trusted services (accessible from trusted IPs)
|
# Trusted services (accessible from trusted IPs)
|
||||||
for dstport in ${SERVICESTCP3}; do
|
for dstport in ${SERVICESTCP3}; do
|
||||||
for srcip in ${TRUSTEDIPS}; do
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
if ! is_ipv6 ${srcip}; then
|
||||||
|
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
for dstport in ${SERVICESUDP3}; do
|
for dstport in ${SERVICESUDP3}; do
|
||||||
for srcip in ${TRUSTEDIPS}; do
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
if ! is_ipv6 ${srcip}; then
|
||||||
|
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
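Review bot: The new `if ! is_ipv6 ${srcip}; then` guards pass the address unquoted while the `${IPT}` line directly under each of them quotes it; for consistency (and to keep ShellCheck clean, as the file already annotates with `# shellcheck disable`) write `if ! is_ipv6 "${srcip}"; then` in all eight copies within this hunk. The guard makes IPv6 entries of PRIVILEGIEDIPS and TRUSTEDIPS silently produce no rule in MINIFW-DOCKER-PRIVILEGED / MINIFW-DOCKER-TRUSTED; if that is intended because these chains are IPv4-only, a one-line comment above the first loop (`# Docker chains are IPv4-only: IPv6 sources are skipped here`) would save the next reader from hunting for a lost rule. The eight loops differ only in chain, protocol and source list, so a small helper taking those three arguments would shrink this block considerably. start() begins and ends outside this hunk.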
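--- /dev/null
+++ b/minifirewall/files/minifirewall.d/zzz-custom
@@ -0,0 +1,11 @@
+### custom minifirewall commands
+#
+# You can add any custom command in files like this;
+# either this one, or others in the same directory.
+# They are executed as shell scripts.
+# They are automatically included in alphanumerical order.
+#
+# Within included files, you can use those helper functions :
+# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
+# * is_docker_enabled: returns true if Docker mode is eabled, or false
+# * is_proxy_enabled: returns true if Proxy mode is enabled , or false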
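Review bot: Two typos in the helper list: `eabled` → `enabled` on the is_docker_enabled line, and the stray space in `enabled , or false` on the is_proxy_enabled line. Since this file is the template admins will copy for their own includes, and the includes are executed as shell inside the firewall run, it would be worth adding one line stating that a failing command or syntax error in an include affects the firewall start itself — presumably the includes are sourced rather than run as separate processes, so confirm that before wording it.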
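--- /dev/null
+++ b/minifirewall/files/minifirewall.d/zzzz-ban
@@ -0,0 +1,7 @@
+### ban rules
+#
+# If you have ban rules in /root/ban.iptables
+# (either manually or with /usr/share/scripts/blacklist-countries.sh)
+# ou can automatically import them with the following command:
+#
+# cat /root/ban.iptables | iptables-restore -n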
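Review bot: The parenthesis presents /usr/share/scripts/blacklist-countries.sh as a way to produce /root/ban.iptables, but the script added in this commit never writes that file: it inserts DROP rules directly into NEEDRESTRICT and only leaves /var/tmp/ripe_deny behind. Either reword it to say the script applies its rules itself, or document how the ban file is expected to be produced. Also `ou can` → `you can`, and the example can drop the useless cat: `iptables-restore -n < /root/ban.iptables`.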
@ -14,14 +14,6 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: include directory is present
|
|
||||||
file:
|
|
||||||
path: /etc/minifirewall.d/
|
|
||||||
state: directory
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0700"
|
|
||||||
|
|
||||||
- name: configuration is copied
|
- name: configuration is copied
|
||||||
copy:
|
copy:
|
||||||
src: minifirewall.conf
|
src: minifirewall.conf
|
||||||
|
@ -30,3 +22,40 @@
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
|
- name: includes directory is present
|
||||||
|
file:
|
||||||
|
path: /etc/minifirewall.d/
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0700"
|
||||||
|
|
||||||
|
- name: examples for includes are present
|
||||||
|
copy:
|
||||||
|
src: "minifirewall.d/"
|
||||||
|
dest: "/etc/minifirewall.d/"
|
||||||
|
force: "no"
|
||||||
|
mode: "0600"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: evolix/remount-usr
|
||||||
|
|
||||||
|
- name: /usr/share/scripts exists
|
||||||
|
file:
|
||||||
|
dest: /usr/share/scripts
|
||||||
|
mode: "0700"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: blacklist-countries.sh is copied
|
||||||
|
copy:
|
||||||
|
src: blacklist-countries.sh
|
||||||
|
dest: /usr/share/scripts/blacklist-countries.sh
|
||||||
|
force: "no"
|
||||||
|
mode: "0700"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
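Review bot: `force: "no"` on the blacklist-countries.sh copy means a host that already has the script never receives later fixes from the role; the same setting on the minifirewall.d/ examples is more defensible since admins are expected to edit those. If the script is meant to be locally editable, say so next to the task, e.g. `# force: no — local edits are kept; updates to the role's copy are not pushed`; otherwise drop `force` for that task so corrections are deployed. The task list continues outside these hunks, so whether anything later re-copies or validates the script is not visible here.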