From 0743f1042389c7e6369631cac432d4cf5044cb09 Mon Sep 17 00:00:00 2001
From: Dirk Alders
Date: Mon, 2 Oct 2023 20:09:39 +0200
Subject: [PATCH] added iptables scripts
---
 ipt | 1 +
 ipt-static-ruleset | 123 +++++++++++++++++++++++++++++++++++++++++++++
 vlanm | 98 ++++++++++++++++++++++++++++++++++++
 3 files changed, 222 insertions(+)
 create mode 100755 ipt
 create mode 100755 ipt-static-ruleset
 create mode 100755 vlanm
diff --git a/ipt b/ipt
new file mode 100755
index 0000000..b9d5532
--- /dev/null
+++ b/ipt
@@ -0,0 +1 @@
+sudo iptables -L -n -v --line-numbers $*
diff --git a/ipt-static-ruleset b/ipt-static-ruleset
new file mode 100755
index 0000000..76ffad5
--- /dev/null
+++ b/ipt-static-ruleset
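Review bot: The wrapper forwards its arguments with unquoted `$*`, so any argument containing whitespace is re-split by the shell before iptables sees it and the intended filter may not apply; pass them through verbatim with `sudo iptables -L -n -v --line-numbers "$@"`. The file is created executable (mode 100755) but has no interpreter line, so it only runs through the calling shell's ENOEXEC fallback and behaves differently depending on which shell invokes it; add `#!/bin/sh` as the first line.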
@@ -0,0 +1,123 @@
+#######################################################################################################################
+# Firewall configuration for this host ################################################################################
+#######################################################################################################################
+
+# Allow minimum for all VLANS (ping, dhcp, dns, ntp)
+sudo iptables -A INPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept incomming pings"
+sudo iptables -A OUTPUT -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "accept outgoing pings"
+sudo iptables -A INPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept incomming dhcp"
+sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 -m comment --comment "accept outgoing dhcp"
+sudo iptables -A INPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept incomming dns"
+sudo iptables -A INPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept incomming dns"
+sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 53 -m comment --comment "accept outgoing dns"
+sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 53 -m comment --comment "accept outgoing dns"
+sudo iptables -A INPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept incomming ntp"
+sudo iptables -A OUTPUT -j ACCEPT -p udp --dport 123 -m comment --comment "accept outgoing ntp"
+
+# Allow some usefull outgoing traffic for all VLANS (ssh)
+sudo iptables -A OUTPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "accept outgoing ssh"
+
+
+# Allow established and related trafic
+sudo iptables -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all incomming established and related trafic"
+sudo iptables -A OUTPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "accept all outgoing established and related trafic"
+
+# Allow everything for trusted networks
+sudo iptables -A INPUT -j ACCEPT -i lo -m comment --comment "accept all incoming traffic of loopback device"
+sudo iptables -A OUTPUT -j ACCEPT -o lo -m comment --comment "accept all outgoing traffic of the loopback device"
+sudo iptables -A INPUT -j ACCEPT -i eth0 -m comment --comment "accept all incoming traffic of eth0.30 device"
+sudo iptables -A OUTPUT -j ACCEPT -o eth0 -m comment --comment "accept all outgoing traffic of the eth0.30 device"
+
+sudo iptables -A OUTPUT -j ACCEPT -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "accept all outgoing traffic to the internet"
+
+# Add reject rule for propper feedback
+sudo iptables -A INPUT -j REJECT -m comment --comment "Reject all remaining traffic"
+
+
+
+#######################################################################################################################
+# Cros VLAN forwarding ################################################################################################
+#######################################################################################################################
+# General
+sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
+sudo iptables -A FORWARD -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "forward all established and related traffic"
+sudo iptables -A FORWARD -j ACCEPT -p icmp --icmp-type 8 -m comment --comment "forward all pings"
+sudo iptables -A FORWARD -j ACCEPT -p udp --dport 123 -m comment --comment "forward all ntp request"
+sudo iptables -A FORWARD -j ACCEPT -p udp --sport 123 -m comment --comment "forward all ntp request"
+
+#---------------------
+# -> VLAN10 (Internet)
+#---------------------
+# Allow VLAN30 full access to the internet
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 ! -d 192.168.0.0/16 -m comment --comment "forward all traffic from vlan30 to the internet"
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.10 -d 192.168.0.0/24 -m comment --comment "forward all traffic from vlan30 to vlan10"
+# Allow VLAN40 access to to http,https
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan40 to the internet"
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 8080 -m comment --comment "forward port 8080 to the internet for siemens dishwasher"
+# Allow VLAN60 access to to http,https
+sudo iptables -A FORWARD -j ACCEPT -i eth0.60 -o eth0.10 ! -d 192.168.0.0/16 -p tcp --dport 80:443 -m comment --comment "forward all http and https traffic from vlan60 to the internet"
+
+#--------------------
+# -> VLAN20 (Network)
+#--------------------
+# Allow VLAN30 full access
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.20 -d 192.168.20.0/24 -m comment --comment "forward traffic from vlan30 to VLAN20"
+
+#--------------------------------------
+# -> VLAN30 (Family) - VERY RESTRICTIVE
+#--------------------------------------
+# Allow VLAN40 and VLAN50 access to the mqtt port
+sudo iptables -A FORWARD -j ACCEPT -i eth0.40 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan40 to VLAN30"
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 1883 -d 192.168.30.0/24 -m comment --comment "forward mqtt traffic from vlan50 to VLAN30"
+sudo iptables -A FORWARD -j ACCEPT -i eth0.50 -o eth0 -p tcp --dport 21 -d 192.168.30.0/24 -m comment --comment "forward ftp traffic from vlan50 to VLAN30 (brother printer)"
+
+
+#-------------------------------
+# -> VLAN40 (Untrusted Internet)
+#-------------------------------
+# Allow VLAN30 full access
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.40 -d 192.168.40.0/24 -m comment --comment "forward traffic from vlan30 to VLAN40"
+
+#---------------------------------
+# -> VLAN50 (Untrusted no Internet
+#---------------------------------
+# Allow VLAN30 full access
+sudo iptables -A FORWARD -j ACCEPT -i eth0 -o eth0.50 -d 192.168.50.0/24 -m comment --comment "forward traffic from vlan30 to VLAN50"
+
+#------------------
+# -> VLAN60 (Gäste)
+#------------------
+
+
+
+#----------------------
+# Masquerade traffic to
+#----------------------
+sudo iptables -t nat -A POSTROUTING -o eth0.10 -j MASQUERADE -m comment --comment "masquerade ->eth0.10"
+sudo iptables -t nat -A POSTROUTING -o eth0.20 -j MASQUERADE -m comment --comment "masquerade ->eth0.20"
+sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "masquerade ->eth0.30"
+sudo iptables -t nat -A POSTROUTING -o eth0.40 -j MASQUERADE -m comment --comment "masquerade ->eth0.40"
+sudo iptables -t nat -A POSTROUTING -o eth0.50 -j MASQUERADE -m comment --comment "masquerade ->eth0.50"
+
+
+
+
+#######################################################################################################################
+# Change policy to drop all remainig ##################################################################################
+#######################################################################################################################
+sudo iptables -P INPUT DROP
+sudo iptables -P OUTPUT DROP
+sudo iptables -P FORWARD DROP
+
+
+
+#######################################################################################################################
+# Show configuration ##################################################################################################
+#######################################################################################################################
+sudo iptables -L -n -v --line-numbers
+
+
+echo "********************************************************************************************"
+echo "* -> Execute sudo sh -c \"iptables-save > /etc/iptables/rules.v4\""
+echo "********************************************************************************************"
+
diff --git a/vlanm b/vlanm
new file mode 100755
index 0000000..30b3be6
--- /dev/null
+++ b/vlanm
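Review bot: The two FORWARD rules commented "forward all http and https traffic" (VLAN40 and VLAN60 to eth0.10) use `--dport 80:443`, which iptables reads as the contiguous range 80–443, so every TCP port in between (110, 143, 389, ...) is also forwarded from those untrusted VLANs to the internet; match exactly the two ports with `-m multiport --dports 80,443`. The script only appends (`-A`) into the filter and nat tables and never flushes them, so each re-run duplicates every rule and the line numbers the other tools rely on shift; an `iptables -F`, `iptables -t nat -F` and `iptables -X` at the top keep it idempotent. `echo 1 > /proc/sys/net/ipv4/ip_forward` is also not persistent across a reboot, unlike the saved rules the closing echo points at, so the restored ruleset would come up with forwarding disabled unless `net.ipv4.ip_forward=1` is set in sysctl configuration as well.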
@@ -0,0 +1,98 @@
+#!/bin/python3
+#
+import argparse
+from getpass import getpass
+import re
+import subprocess
+
+def device_by_vlan(n):
+    return 'eth0' if n == 10 else 'eth0.%d' % n
+
+def iprange_by_vlan(n):
+    return '192.168.0.0/24' if n == 10 else '192.168.%d.0/24' % n
+
+def get_iptables_info():
+    global password
+    my_cmd = "sudo -S iptables -L -n -v --line-numbers".split()
+    cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+    return cmd.stdout
+
+def get_rule_num(chain, comment):
+    required_chain = False
+    for line in get_iptables_info().split('\n'):
+        if line.strip().lower().startswith('chain'):
+            required_chain = line.strip().lower().startswith('chain ' + chain.strip().lower())
+        if required_chain:
+            rule_num = None
+            try:
+                rule_num = int(line.split()[0])
+            except:
+                pass
+            else:
+                s = re.search(r'\/\*(.*?)\*\/', line)
+                if s is not None:
+                    if s.group(1).strip() == comment:
+                        return rule_num
+
+
+
+if __name__ == "__main__":
+    global password
+
+    prog = 'vlan manager'
+    description = 'Add and removes iptable rules for a given vlan'
+    epilog = 'Text at the bottom of help'
+    parser = argparse.ArgumentParser(prog=prog, description=description, epilog=epilog)
+    parser.add_argument('-v', '--vlan_number', type=int, required=True, help="Define the vlan to be used")
+    parser.add_argument('-o', '--open_to_internet', action='store_true', help="Toggle rule: Open vlan to the internet")
+    parser.add_argument('-l', '--log_to_internet', action='store_true', help="Toggle rule: Log vlan to the internet")
+
+    args = parser.parse_args()
+
+    UID_O = 'VLANM_RULE__OPEN_TO_INTERNET_%d' % args.vlan_number
+    UID_L = 'VLANM_RULE__LOG_TO_INTERNET_%d' % args.vlan_number
+
+    if args.open_to_internet:
+        password = getpass("password: ")
+        print()
+        rn = get_rule_num('forward', UID_O)
+        if rn is None:
+            print("Add rule:", UID_O)
+        else:
+            print("Remove rule:", UID_O)
+        if getpass('Proceed? [Y/n]') in ['', 'y', 'Y']:
+            if rn is None:
+                my_cmd = ['sudo', '-S', 'iptables', '-A', 'FORWARD', '-j', 'ACCEPT', '-i', device_by_vlan(args.vlan_number), '-o', 'eth0', '!', '-d', '192.168.0.0/16', '-m', 'comment', '--comment', UID_O]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+            else:
+                my_cmd = ['sudo', '-S', 'iptables', '-D', 'FORWARD', str(rn)]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+    elif args.log_to_internet:
+        password = getpass("password: ")
+        print()
+        rn = get_rule_num('forward', UID_L)
+        if rn is None:
+            print("Add rule:", UID_L)
+        else:
+            print("Remove rule:", UID_L)
+        if getpass('Proceed? [Y/n]') in ['', 'y', 'Y']:
+            if rn is None:
+                my_cmd = ['sudo', '-S', 'iptables', '-A', 'FORWARD', '-j', 'LOG', '-i', device_by_vlan(args.vlan_number), '-o', 'eth0', '!', '-d', '192.168.0.0/16', '-m', 'comment', '--comment', UID_L]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+                print("Use 'sudo ~/bin/ftail /var/log/kern.log' to view the logs.")
+            else:
+                my_cmd = ['sudo', '-S', 'iptables', '-D', 'FORWARD', str(rn)]
+                cmd = subprocess.run(my_cmd, stdout=subprocess.PIPE, input=password, encoding="ascii",)
+                print(cmd.stdout)
+
+
+    else:
+        print("************************")
+        print("* No action specified! *")
+        print("************************")
+        print()
+        parser.print_help()
+
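Review bot: `device_by_vlan` maps VLAN 10 to `eth0` and every other VLAN to `eth0.<n>`, and both toggled FORWARD rules use `-o eth0` as the internet-facing interface, whereas `ipt-static-ruleset` in this same commit treats `eth0` as the VLAN30 device and `eth0.10` as the uplink (`-i eth0 -o eth0.10 ! -d 192.168.0.0/16`); if both files target the same host, the appended rule never matches internet-bound traffic (which leaves via `eth0.10`) and the toggle silently has no effect, so presumably one mapping is stale and `device_by_vlan` should become `return 'eth0' if n == 30 else 'eth0.%d' % n` with `'-o', 'eth0.10'` in both command lists. The `-j LOG` rule is added with neither `-m limit` nor `--log-prefix`, so a single chatty client can flood kern.log and its entries cannot be told apart from other kernel messages; inserting `'-m', 'limit', '--limit', '5/min'` before `'-j', 'LOG'` and appending `'--log-prefix', UID_L + ': '` bounds and labels it. Every `subprocess.run` call ignores the return code, so a wrong password or a rejected rule prints empty output and the script exits 0 as if it had succeeded; pass `check=True` (or test `cmd.returncode`) and capture stderr as well. The bare `except: pass` in `get_rule_num` also hides anything beyond the expected parse failures of header and blank lines; `except (IndexError, ValueError): pass` is the intended scope.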