Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
292 lines (224 sloc) 9.77 KB
#!/bin/ash
iptables="/usr/sbin/iptables"
ip6tables="/usr/sbin/ip6tables"
network_profile="$(cat /etc/enigmabox/network-profile)"
# define interfaces
[[ "$network_profile" == "alix" ]] && internal_interfaces="eth1 eth2"
[[ "$network_profile" == "apu" ]] && internal_interfaces="eth0 eth1"
[[ "$network_profile" == "raspi" ]] && internal_interfaces="eth0"
################################################################################
# init
################################################################################
# reset all
$iptables -F
$iptables -t nat -F
# defaults
$iptables -P INPUT DROP
{{#if_missioncontrol}}$iptables -P OUTPUT DROP{{/if_missioncontrol}}
{{^if_missioncontrol}}$iptables -P OUTPUT ACCEPT{{/if_missioncontrol}}
$iptables -P FORWARD DROP
################################################################################
# define interfaces + address groups
################################################################################
# loopback
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
$iptables -X internal-services
$iptables -N internal-services
$iptables -A internal-services -p tcp --dport 22 -j ACCEPT # ssh
$iptables -A internal-services -p tcp --dport 25 -j ACCEPT # smtp
$iptables -A internal-services -p udp --dport 53 -j ACCEPT # allow dns requests to tinyproxy
$iptables -A internal-services -p udp --dport 67:68 -j ACCEPT # dhcp server
$iptables -A internal-services -p tcp --dport 80 -j ACCEPT # webinterface
$iptables -A internal-services -p tcp --dport 110 -j ACCEPT # pop3
$iptables -A internal-services -p tcp --dport 143 -j ACCEPT # imap
$iptables -A internal-services -p udp --dport 5060 -j ACCEPT # voip phone
$iptables -A internal-services -p udp --dport 1024:65535 -j ACCEPT # voip phone video
$iptables -A internal-services -p tcp --dport 8117 -j ACCEPT # renew notice
$iptables -A internal-services -p tcp --dport 8080 -j ACCEPT # grandstream phone provisioning
$iptables -A internal-services -p tcp --dport 8888 -j ACCEPT # tinyproxy
$iptables -A internal-services -p icmp -m limit --limit 10/second -j ACCEPT # icmp
$iptables -X internal-in
$iptables -N internal-in
for interface in $internal_interfaces; do
$iptables -A internal-in -i "$interface" -j internal-services
done
$iptables -X internal-out
$iptables -N internal-out
for interface in $internal_interfaces; do
$iptables -A internal-out -o "$interface" -j ACCEPT
done
$iptables -X peering-servers
$iptables -N peering-servers
{{#peerings}}
$iptables -A peering-servers --dst {{ip}} -j ACCEPT
{{/peerings}}
{{#missioncontrol}}
$iptables -A peering-servers --dst {{ip}} -j ACCEPT
{{/missioncontrol}}
################################################################################
# general rules
################################################################################
# syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# allow related and established
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
################################################################################
# input
################################################################################
# allow internal interfaces
$iptables -A INPUT -j internal-in
{{#if_allow_peering}}
# peering port
$iptables -A INPUT -p udp --dport {{peering_port}} -j ACCEPT
{{/if_allow_peering}}
################################################################################
# output
################################################################################
$iptables -A OUTPUT -o tun0 -j ACCEPT # that is needed for dnsmasq to make dns requests
$iptables -A OUTPUT -j peering-servers
$iptables -A OUTPUT -j internal-out # asterisk needs this
################################################################################
# forward
################################################################################
# NAT
$iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
for interface in $internal_interfaces; do
# MTU fix
$iptables -A FORWARD -i "$interface" -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# allow forwarding for internal_interfaces, but not for others
$iptables -A FORWARD -i "$interface" -o tun0 -j ACCEPT
$iptables -A FORWARD -i tun0 -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
done
{{#if_display_expiration_notice}}
# show renew notice if subscription has expired
for interface in $internal_interfaces; do
$iptables -t nat -A PREROUTING -i "$interface" -p tcp --dport 80 -j REDIRECT --to-port 8117
done
{{/if_display_expiration_notice}}
################################################################################
# IPv6
################################################################################
################################################################################
# init
################################################################################
# reset all
$ip6tables -F
$ip6tables -t nat -F
# defaults
$ip6tables -P INPUT DROP
$ip6tables -P OUTPUT DROP
$ip6tables -P FORWARD DROP
################################################################################
# define interfaces + address groups
################################################################################
# loopback
$ip6tables -A INPUT -i lo -j ACCEPT
$ip6tables -A OUTPUT -o lo -j ACCEPT
$ip6tables -X internal-in
$ip6tables -N internal-in
for interface in $internal_interfaces; do
$ip6tables -A internal-in -i "$interface" -j ACCEPT
done
$ip6tables -X internal-out
$ip6tables -N internal-out
for interface in $internal_interfaces; do
$ip6tables -A internal-out -o "$interface" -j ACCEPT
done
$ip6tables -X friends-services
$ip6tables -N friends-services
$ip6tables -A friends-services -p tcp --dport 25 -j ACCEPT # smtp
$ip6tables -A friends-services -p tcp --dport 5060 -j ACCEPT # asterisk
$ip6tables -A friends-services -p udp --dport 5060 -j ACCEPT # asterisk
$ip6tables -A friends-services -p udp -m udp --dport 10000:20000 -j ACCEPT # rtp
{{#if_hype_access_friends}}
$ip6tables -A friends-services -p tcp --dport 80 -j ACCEPT # hypesites
{{/if_hype_access_friends}}
# port forwardings
{{#portforwardings}}
# port {{port}}
if [[ "{{access}}" == "global" ]]; then
$ip6tables -A INPUT -i tun0 -p tcp --dport {{port}} -j ACCEPT
$ip6tables -A INPUT -i tun0 -p udp --dport {{port}} -j ACCEPT
fi
if [[ "{{access}}" == "friends" ]]; then
$ip6tables -A friends-services -p tcp --dport {{port}} -j ACCEPT
$ip6tables -A friends-services -p udp --dport {{port}} -j ACCEPT
fi
if [[ "{{access}}" == "specific" ]]; then
{{#access_list}}
$ip6tables -A INPUT -i tun0 --src {{ipv6}} -p tcp --dport {{port}} -j ACCEPT
$ip6tables -A INPUT -i tun0 --src {{ipv6}} -p udp --dport {{port}} -j ACCEPT
{{/access_list}}
true # prevent syntax error on empty access_list
fi
{{/portforwardings}}
$ip6tables -A friends-services -p ipv6-icmp -m limit --limit 10/second -j ACCEPT # icmp
$ip6tables -X friends-in
$ip6tables -N friends-in
{{#addresses}}
$ip6tables -A friends-in -i tun0 --src {{ipv6}} -j friends-services
{{/addresses}}
################################################################################
# general rules
################################################################################
# allow related and established
$ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ping
$ip6tables -A INPUT -p ipv6-icmp -m limit --limit 10/second -j internal-in
################################################################################
# input
################################################################################
# allow friends
$ip6tables -A INPUT -j friends-in
{{#if_global_availability}}
# allow ping
$ip6tables -A INPUT -i tun0 -p ipv6-icmp -m limit --limit 10/second -j ACCEPT
# allow calls from everyone
$ip6tables -A INPUT -i tun0 -p tcp --dport 5060 -j ACCEPT
$ip6tables -A INPUT -i tun0 -p udp --dport 5060 -j ACCEPT
# RTP - the media stream
# (related to the port range in /etc/asterisk/rtp.conf)
$ip6tables -A INPUT -i tun0 -p udp -m udp --dport 10000:20000 -j ACCEPT
# allow emails from everyone
$ip6tables -A INPUT -i tun0 -p tcp --dport 25 -j ACCEPT
{{/if_global_availability}}
{{#if_teletext_enabled}}
# teletext
$ip6tables -A INPUT -i tun0 -p tcp --dport 3838 -j ACCEPT
#$ip6tables -A INPUT -i tun0 -p tcp --sport 3838 -j ACCEPT - test that
{{/if_teletext_enabled}}
{{#if_hype_access_global}}
# allow global Hypesite access
$ip6tables -A INPUT -i tun0 -p tcp --dport 80 -j ACCEPT
# allow Hypesite access from LAN
$ip6tables -A INPUT -p tcp --dport 80 -j internal-in
{{/if_hype_access_global}}
{{#if_hype_access_friends}}
# allow Hypesite access from LAN
$ip6tables -A INPUT -p tcp --dport 80 -j internal-in
{{/if_hype_access_friends}}
{{#if_hype_access_internal}}
# allow Hypesite access from LAN
$ip6tables -A INPUT -p tcp --dport 80 -j internal-in
{{/if_hype_access_internal}}
################################################################################
# output
################################################################################
# allow OUTPUT for tun0
$ip6tables -A OUTPUT -o tun0 -j ACCEPT
# allow router advertisements
$ip6tables -A OUTPUT -p ipv6-icmp -j internal-out
################################################################################
# forward
################################################################################
# NAT
$ip6tables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
for interface in $internal_interfaces; do
# allow hype access
$ip6tables -A FORWARD -i "$interface" -o tun0 -j ACCEPT
$ip6tables -A FORWARD -i tun0 -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
done
# EOF