From c48534146a4ab6265990952e4c52fb3ab689bbb1 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sat, 22 May 2021 09:11:49 +0200
Subject: [PATCH] Source files in /etc/default/minifirewall.d
---
 minifirewall | 26 +++++++++++++++------
 minifirewall.conf | 25 ++++----------------
 minifirewall.d/default-input-v6 | 7 ++++++
 minifirewall.d/dhcp-v6.example | 4 ++++
 minifirewall.d/dns-output-v6 | 3 +++
 minifirewall.d/ntp-output-v6 | 3 +++
 minifirewall.d/traceroute-output-v6.example | 3 +++
 7 files changed, 43 insertions(+), 28 deletions(-)
 create mode 100644 minifirewall.d/default-input-v6
 create mode 100644 minifirewall.d/dhcp-v6.example
 create mode 100644 minifirewall.d/dns-output-v6
 create mode 100644 minifirewall.d/ntp-output-v6
 create mode 100644 minifirewall.d/traceroute-output-v6.example
diff --git a/minifirewall b/minifirewall
index c1a7251..9a64dff 100755
--- a/minifirewall
+++ b/minifirewall
@@ -61,6 +61,7 @@ chain_exists()
 # Configuration
 oldconfigfile="/etc/firewall.rc"
 configfile="/etc/default/minifirewall"
+includesdir="/etc/default/minifirewall.d"
 IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
 DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
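Review bot: The new `includesdir` is declared right above the `IPV6=` and `DOCKER=` lines, which still grep the hard-coded path `/etc/default/minifirewall` rather than `$configfile` or the new include directory, so an include file that assigns `IPV6` or `DOCKER` is not seen by those two derivations. If those values are meant to be overridable from `minifirewall.d`, they need to be computed after the sourcing step; if not, a comment such as `# IPV6/DOCKER are read from the main config file only, never from minifirewall.d` next to them would spare the next reader the surprise. Which later lines depend on these early values is outside the hunk.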
@@ -133,14 +134,25 @@ if ! test -f $configfile; then
 exit 1
 fi
-tmpfile=`mktemp`
-. $configfile 2>$tmpfile >&2
-if [ -s $tmpfile ]; then
- echo "$configfile returns standard or error output (see below). Stopping." >&2
- cat $tmpfile
- exit 1
+source_file_or_error() {
+ file=$1
+ echo "...sourcing '${file}\`"
+ tmpfile=$(mktemp --tmpdir=/tmp minifirewall.XXX)
+ . ${file} 2>${tmpfile} >&2
+ if [ -s ${tmpfile} ]; then
+ echo "${file} returns standard or error output (see below). Stopping." >&2
+ cat ${tmpfile}
+ exit 1
+ fi
+ rm ${tmpfile}
+}
+source_file_or_error ${configfile}
+if [ -d "${includesdir}" ]; then
+ includefiles=$(find ${includesdir} -type f -readable -not -name '*.*')
+ for includefile in ${includefiles}; do
+ source_file_or_error "${includefile}"
+ done
 fi
-rm $tmpfile
 # Trusted ip addresses
 $IPT -N ONLYTRUSTED
diff --git a/minifirewall.conf b/minifirewall.conf
index f5548fc..8230854 100644
--- a/minifirewall.conf
+++ b/minifirewall.conf
@@ -1,5 +1,6 @@
 # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
 # Version 20.12 — 2020-12-01 22:55:35
+# shellcheck shell=sh disable=SC2034
 # Main interface
 INT='eth0'
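Review bot: The include loop after `source_file_or_error ${configfile}` consumes `find` output in directory order, so the order in which files from `${includesdir}` are sourced — and therefore the order of the firewall rules they append, which decides the outcome in a first-match chain — is filesystem-dependent rather than the alphanumerical order the configuration comment promises; `includefiles=$(find "${includesdir}" -type f -readable -not -name '*.*' | sort)` makes it deterministic while keeping the current-shell `for` loop (a `while read` over a pipe would lose any variables the included files assign). Every matching file is executed with `.` by the firewall script, so the filter should also be tightened to files owned by root and not group/world-writable (`-user root ! -perm /022`, GNU-find syntax like the existing `-readable`), and it is worth noting that `-not -name '*.*'` still admits editor backups such as `foo~`. The unquoted `${file}` and `${tmpfile}` expansions and the word-split `${includefiles}` break on names containing whitespace or glob characters, which is tolerable under the no-dot naming convention but deserves a comment. On the error path `exit 1` leaves the `mktemp` file behind; removing it before the exit, or a `trap`, avoids accumulating files in /tmp.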
@@ -77,26 +78,8 @@
 SMTPSECUREOK=''
 NTPOK='0.0.0.0/0'
-# IPv6 Specific rules
+# Includes
 #####################
-# Example: allow input HTTP/HTTPS/SMTP/DNS traffic
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
-/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
-
-# Example: allow output DNS, NTP and traceroute traffic
-/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
-/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
-#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
-
-# Example: allow DHCPv6
-/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
-/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
-
-# IPv4 Specific rules
-#####################
-
-# /sbin/iptables ...
+# Files in /etc/default/minifirewall.d/* (without "." in name)
+# are automatically included in alphanumerical order.
\ No newline at end of file
diff --git a/minifirewall.d/default-input-v6 b/minifirewall.d/default-input-v6
new file mode 100644
index 0000000..38cfe3f
--- /dev/null
+++ b/minifirewall.d/default-input-v6
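Review bot: The new comment promises that files in `/etc/default/minifirewall.d/*` are included `in alphanumerical order`, but the loader added to `minifirewall` in this commit iterates over unsorted `find` output, so either the script must sort or this comment should not state an order. It would also help to say what an include file must look like, since the loader stops the firewall load on any output: e.g. `# Each file is sourced by minifirewall as sh and must write nothing to stdout/stderr, or loading stops.` Adding a trailing newline to the file would also drop the `\ No newline at end of file` marker.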
@@ -0,0 +1,7 @@
+# shellcheck shell=sh disable=SC2034
+# allow input HTTP/HTTPS/SMTP/DNS traffic
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 25 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p udp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i $INT -p tcp --sport 53 --match state --state ESTABLISHED,RELATED -j ACCEPT
diff --git a/minifirewall.d/dhcp-v6.example b/minifirewall.d/dhcp-v6.example
new file mode 100644
index 0000000..f2a60df
--- /dev/null
+++ b/minifirewall.d/dhcp-v6.example
@@ -0,0 +1,4 @@
+# shellcheck shell=sh disable=SC2034
+# allow DHCPv6
+/sbin/ip6tables -A INPUT -i $INT -p udp --dport 546 -d fe80::/64 -j ACCEPT
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 547 -j ACCEPT
\ No newline at end of file
diff --git a/minifirewall.d/dns-output-v6 b/minifirewall.d/dns-output-v6
new file mode 100644
index 0000000..ac966ff
--- /dev/null
+++ b/minifirewall.d/dns-output-v6
@@ -0,0 +1,3 @@
+# shellcheck shell=sh disable=SC2034
+# allow DNS output
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 53 --match state --state NEW -j ACCEPT
\ No newline at end of file
diff --git a/minifirewall.d/ntp-output-v6 b/minifirewall.d/ntp-output-v6
new file mode 100644
index 0000000..e1a27e1
--- /dev/null
+++ b/minifirewall.d/ntp-output-v6
@@ -0,0 +1,3 @@
+# shellcheck shell=sh disable=SC2034
+# allow NTP output
+/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 123 --match state --state NEW -j ACCEPT
\ No newline at end of file
diff --git a/minifirewall.d/traceroute-output-v6.example b/minifirewall.d/traceroute-output-v6.example
new file mode 100644
index 0000000..786f352
--- /dev/null
+++ b/minifirewall.d/traceroute-output-v6.example
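Review bot: The header comment `# allow input HTTP/HTTPS/SMTP/DNS traffic` in default-input-v6 understates what the five rules match: each accepts INPUT packets whose source port is the service port and that belong to an `ESTABLISHED,RELATED` conntrack entry, i.e. the return half of connections this host opened, not unsolicited inbound service traffic. A more precise comment such as `# accept replies to outbound HTTP/HTTPS/SMTP/DNS connections (src port 80/443/25/53, established flows only)` keeps a reader from assuming this file exposes local services. Now that the file is live by default (no `.example` suffix), that distinction is worth stating where the rules are.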
@@ -0,0 +1,3 @@
+# shellcheck shell=sh disable=SC2034
+# allow traceroute output
+#/sbin/ip6tables -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
\ No newline at end of file