| author | Simon Rettberg | 2025-02-12 15:19:02 +0100 |
|---|---|---|
| committer | Simon Rettberg | 2025-02-12 15:19:02 +0100 |
| commit | 490f557b2b7b62a60c50a76dc064f8cad7015391 (patch) | |
| tree | 225394c2a74c0d78439679e432e7bdf6bb824ed7 | |
| parent | [pvs2] Stricter firewall rules in exam mode (diff) | |
[iptables-helper] Modularize more default rules
4 files changed, 58 insertions, 0 deletions
diff --git a/core/modules/dnbd3/data/opt/openslx/iptables/rules.d/20-dnbd3 b/core/modules/dnbd3/data/opt/openslx/iptables/rules.d/20-dnbd3
new file mode 100755
index 00000000..aab30e2d
--- /dev/null
+++ b/core/modules/dnbd3/data/opt/openslx/iptables/rules.d/20-dnbd3
@@ -0,0 +1,17 @@
+#!/bin/ash
+
+. /opt/openslx/config
+
+[ -z "${SLX_DNBD3_SERVERS}${SLX_DNBD3_FALLBACK}" ] && exit 0
+
+. /opt/openslx/bin/slx-tools
+net_split &> /dev/null # Preload, as it's being used in subshell
+
+for ip in $SLX_DNBD3_SERVERS $SLX_DNBD3_FALLBACK; do
+ ip=$( net_split "$ip" 5003 )
+ port=${ip#* }
+ ip=${ip% *}
+ iptables -A OUTPUT -d "$ip" -p tcp --dport "$port" -j ACCEPT
+done
+
+exit 0
diff --git a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
index 12b88289..346e90a8 100755
--- a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
+++ b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -65,6 +65,16 @@ reload_rules () {
 # Loopback
 iptables -w -A ipt-helper-INPUT -i lo -j ACCEPT
 iptables -w -A ipt-helper-OUTPUT -o lo -j ACCEPT
+ # Stateful
+ iptables -w -A ipt-helper-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -w -A ipt-helper-OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -w -A ipt-helper-FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ # Essential: boot server(s)
+ . /opt/openslx/config
+ for ip in $SLX_KCL_SERVERS $SLX_PXE_SERVER_IP; do
+ iptables -w -A ipt-helper-OUTPUT -d "$ip" -j ACCEPT
+ done
+
 # TODO: IPv6 (in general)
 # Apply
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/iptables/rules.d/50-pam-slx b/core/modules/pam-slx-plug/data/opt/openslx/iptables/rules.d/50-pam-slx
new file mode 100755
index 00000000..c671cc64
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/iptables/rules.d/50-pam-slx
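Review bot: The ACCEPT rule in 20-dnbd3 is appended with a plain `iptables -A`, whereas the reloader worker in this same commit uses `iptables -w` for every rule; if another process holds the xtables lock at reload time the command fails with "can't lock" and the unconditional trailing `exit 0` hides that, so the client silently ends up without a path to its DNBD3 server under the tightened OUTPUT policy. I would use `iptables -w -A OUTPUT -d "$ip" -p tcp --dport "$port" -j ACCEPT` and let a non-zero iptables status propagate instead of forcing `exit 0`, unless the loader deliberately ignores rule-script status (not visible here). Note also that `-d "$ip"` with a hostname entry in SLX_DNBD3_SERVERS makes iptables resolve it via DNS at load time, which may itself be blocked by the policy; a comment such as `# entries must be IP literals, no DNS at rule-load time` would document that assumption if it holds. The `&> /dev/null` redirection is a bash extension; it works in BusyBox ash but is worth a comment since the shebang is `/bin/ash`.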
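Review bot: The boot-server rule `iptables -w -A ipt-helper-OUTPUT -d "$ip" -j ACCEPT` has no `-p`/`--dport` restriction, so it allows every protocol and port toward each KCL/PXE server, which is considerably broader than the "Essential" comment suggests and, given the parent commit's stricter exam-mode rules, leaves any service on those hosts reachable from the client. If the required traffic is known (TFTP/HTTP for boot, for instance) the rule should name it; if the wildcard is intentional, the comment should say why, e.g. `# Essential: boot server(s) — all protocols on purpose, ports are not known here`. The `. /opt/openslx/config` line also re-sources the full config into the worker on every reload; that is presumably fine since the worker runs as root anyway, but if the variables are already in the worker's environment the line is redundant. reload_rules starts and ends outside this hunk.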
@@ -0,0 +1,22 @@
+#!/bin/ash
+
+# pam-slx-plug
+srcd=
+for file in /opt/openslx/pam/slx-ldap.d/*; do
+ [ -f "$file" ] || continue
+ uris="$( grep -Po "(?<=LDAP_URI=')[^']*" "$file" )"
+ [ -n "$uris" ] || continue
+ if [ -z "$srcd" ]; then
+ srcd=1
+ . /opt/openslx/bin/slx-tools
+ fi
+ for uri in $uris; do
+ ip=$( net_parse_uri "$uri" x )
+ port="${ip#* }"
+ [ "$port" = "x" ] && continue
+ ip="${ip% *}"
+ iptables -A OUTPUT -d "$ip" -p tcp --dport "$port" -j ACCEPT
+ done
+done
+
+exit 0
diff --git a/core/modules/redsocks/data/opt/openslx/iptables/rules.d/50-sysproxy b/core/modules/redsocks/data/opt/openslx/iptables/rules.d/50-sysproxy
new file mode 100755
index 00000000..3ea02cff
--- /dev/null
+++ b/core/modules/redsocks/data/opt/openslx/iptables/rules.d/50-sysproxy
@@ -0,0 +1,9 @@
+#!/bin/ash
+
+. /opt/openslx/config
+
+[ -z "$SLX_PROXY_MODE" ] && exit 0
+[ "$SLX_PROXY_MODE" = "off" ] && exit 0
+[ -z "$SLX_PROXY_IP" ] && exit 0
+
+iptables -A OUTPUT -d "$SLX_PROXY_IP" -p tcp --dport "$SLX_PROXY_PORT" -j ACCEPT |
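Review bot: LDAP URIs without an explicit port get no ACCEPT rule at all: `net_parse_uri "$uri" x` is called with the sentinel `x` as fallback and `[ "$port" = "x" ] && continue` then skips the entry, yet `ldap://host` and `ldaps://host` (implying 389 and 636) are the common form, so PAM logins would be firewalled under the stricter policy for exactly those configurations. Assuming the second argument of net_parse_uri is the port returned when the URI carries none (as the sentinel check suggests; the helper is not visible here), the script should derive the default from the scheme rather than skipping. As with the sibling scripts, `iptables -A` lacks the `-w` the worker uses, and a hostname in the URI is resolved by iptables at load time.
```shell
# … unchanged: loop over slx-ldap.d files and LDAP_URI extraction …
	for uri in $uris; do
		ip=$( net_parse_uri "$uri" x )
		port="${ip#* }"
		if [ "$port" = "x" ]; then
			# No explicit port in the URI: fall back to the scheme's default
			case "$uri" in
				ldaps://*) port=636 ;;
				ldap://*) port=389 ;;
				*) continue ;;
			esac
		fi
		ip="${ip% *}"
		iptables -w -A OUTPUT -d "$ip" -p tcp --dport "$port" -j ACCEPT
	done
```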
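Review bot: 50-sysproxy guards SLX_PROXY_MODE and SLX_PROXY_IP but not SLX_PROXY_PORT, so an unset port yields `--dport ""` and the iptables call fails rather than being skipped; add `[ -z "$SLX_PROXY_PORT" ] && exit 0` next to the IP check (or a documented default) so the script degrades the same way as its other guards. Unlike 20-dnbd3 and 50-pam-slx this script has no trailing `exit 0`, so its status is whatever iptables returned; that is arguably the better behaviour, but the three rules.d scripts should agree on it and on using `iptables -w` like the worker does. Whether the loader evaluates rule-script exit codes is not visible in this diff.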
