Add IPSet + IPTables integration
This commit is contained in:
parent
3d2284658a
commit
139d862f00
|
@ -0,0 +1,24 @@
|
|||
# Contributor: Alex Denes <caskd@redxen.eu>
|
||||
# Maintainer: Alex Denes <caskd@redxen.eu>
|
||||
pkgname=redxen-config-ipset
|
||||
pkgver=2021.01.28
|
||||
pkgrel=1
|
||||
pkgdesc="IPSec firewall configs"
|
||||
url="https://git.redxen.eu/RedXen"
|
||||
arch="noarch"
|
||||
license="none"
|
||||
depends="ipset"
|
||||
source="
|
||||
netwide4
|
||||
netwide6
|
||||
"
|
||||
options="!check"
|
||||
builddir="$srcdir"
|
||||
|
||||
package() {
|
||||
install -Dm644 netwide4 "$pkgdir"/etc/ipset.d/redxen/netwide4
|
||||
install -Dm644 netwide6 "$pkgdir"/etc/ipset.d/redxen/netwide6
|
||||
}
|
||||
|
||||
sha512sums="0c70b7b82c481ebcd755d4cf9a3c8d3490d1ea022158e32d1a4cf26152e9482858aeb09d7b68600e3d60312eba6d938a82bfa8012f2a19216dec69f05db4a250 netwide4
|
||||
dccd10b2fe5960bcf6466b27fabfbc5c80df40d33e744e84bd013c4b12e2fbb9fe4555568debb3cbbe851ff88f7b733ff19706073f2f29295d336a36efca4d07 netwide6"
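Review bot: `pkgdesc="IPSec firewall configs"` describes the wrong thing — this package ships ipset definitions (`depends="ipset"`, files installed under `/etc/ipset.d/redxen`), and IPsec is an unrelated protocol suite; `pkgdesc="IPSet firewall configs"` would also mirror the sibling package's `pkgdesc="IPTables firewall configs"`. The install path `/etc/ipset.d/redxen` is only useful if the ipset service's DIR points at it, which the conffile in this commit does (`DIR="/etc/ipset.d/redxen"`); a comment on `package()` such as `# path must match DIR in the ipset service conffile` would keep the two from drifting apart.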
|
|
@ -0,0 +1 @@
|
|||
hash:ip family inet hashsize 4096 maxelem 65536 timeout 3600
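Review bot: netwide4 carries no comment saying what the set is for or who adds entries to it, and this file is what a maintainer opens first; since the service's set_file strips `#` lines before handing the definition to `ipset restore`, a header such as `# netwide4: IPv4 sources dropped by rules-v4; entries default to a 3600 s timeout` can be added safely. Be aware that the service's save command regenerates these files from `ipset save` output (`echo $* > $file`) and would discard such a comment, so the explanation may be better kept in the APKBUILD or next to the rule in rules-v4. The same applies to netwide6.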
|
|
@ -0,0 +1 @@
|
|||
hash:ip family inet6 hashsize 4096 maxelem 65536 timeout 3600
|
|
@ -1,23 +1,24 @@
|
|||
# Contributor: Alex Denes <caskd@redxen.eu>
|
||||
# Maintainer: Alex Denes <caskd@redxen.eu>
|
||||
pkgname=redxen-config-iptables
|
||||
pkgver=2020.12.22
|
||||
pkgrel=2
|
||||
pkgver=2021.01.28
|
||||
pkgrel=1
|
||||
pkgdesc="IPTables firewall configs"
|
||||
url="https://git.redxen.eu/RedXen"
|
||||
arch="noarch"
|
||||
license="none"
|
||||
depends="iptables ip6tables"
|
||||
depends="iptables ip6tables redxen-config-ipset"
|
||||
source="
|
||||
rules-v4
|
||||
rules-v6
|
||||
"
|
||||
options="!check"
|
||||
builddir="$srcdir"
|
||||
|
||||
package() {
|
||||
install -Dm644 rules-v4 "$pkgdir"/etc/iptables/rx-rules4
|
||||
install -Dm644 rules-v6 "$pkgdir"/etc/iptables/rx-rules6
|
||||
}
|
||||
|
||||
sha512sums="678f1799b3ccce4fa47eb52769046db5e74c3c8a18a973c71fda9288e84a9763b3eec4665b1948fae04cf1ef5267d222a15230c5d43db5d00510c7ad7653488f rules-v4
|
||||
38bb28868d1552c9fadf721830a158e4c050c7c4f6fb7a54e563354d30f9e8ee3909b299af6114d305798a4f8c52002c5da9af8a86d2f59045682e0046ae0977 rules-v6"
|
||||
sha512sums="f8bd50b8798bc2a073129be5ea6e3a9e4884f8497effcda68273167a5e5627cc6a543b727cdd9a76570852845a09b2e9d7b1e84568d82328ce810f34f2940b38 rules-v4
|
||||
b9dc931b6acc3b1ddfe243063e85b7578681174fd3deb2e301a5437536188f5bc7adaaf8a8f47a3e13b6a17cd53c7389e8911908b6093bee19b18de5519963e2 rules-v6"
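Review bot: The new `depends="iptables ip6tables redxen-config-ipset"` guarantees only that the netwide4/netwide6 definition files are installed, not that the sets exist in the kernel when rx-rules4/rx-rules6 are restored; the rules now use `-m set --match-set netwide4 src`, which iptables-restore rejects when the set does not exist, so on a host where the ipset service is not enabled the filter table would fail to load. The ipset runfile in this commit declares `before iptables ip6tables`, which handles ordering once that service is enabled, but nothing in this APKBUILD says the service has to be enabled at all; a comment next to `depends` (or a post-install message) stating that requirement would make it visible. Whether the openrc package is pulled in by something else is not visible here.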
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
# Filter
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
|
@ -8,10 +7,11 @@
|
|||
-A INPUT -p icmp -j ACCEPT
|
||||
-A INPUT -i tun0 -j ACCEPT
|
||||
-A INPUT -i eth1 -p tcp -m tcp --dport 7521 -j ACCEPT
|
||||
-A INPUT -m set --match-set netwide4 src -j DROP
|
||||
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
COMMIT
|
||||
# Mangle
|
||||
|
||||
*mangle
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
|
@ -19,14 +19,14 @@ COMMIT
|
|||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
COMMIT
|
||||
# NAT
|
||||
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
COMMIT
|
||||
# Raw
|
||||
|
||||
*raw
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
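Review bot: The new `-A INPUT -m set --match-set netwide4 src -j DROP` sits below `-A INPUT -p icmp -j ACCEPT`, `-A INPUT -i tun0 -j ACCEPT` and `-A INPUT -i eth1 -p tcp -m tcp --dport 7521 -j ACCEPT`, so an address in the set is still accepted on those three paths and is only blocked for the rules that follow; if netwide4 is meant as a global deny list the rule belongs above those ACCEPTs (the first lines of the INPUT chain are outside this hunk, so check any rule there as well). Placing it before the `--ctstate RELATED,ESTABLISHED` ACCEPT does cut existing connections from a listed address, which is presumably intended for a ban list but is worth stating, e.g. `# Drop everything from sources in the netwide4 set, including established flows; the set is maintained by the ipset service`. The same ordering question applies to the netwide6 rule in rules-v6.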
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
# Filter
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
|
@ -8,10 +7,11 @@
|
|||
-A INPUT -p ipv6-icmp -j ACCEPT
|
||||
-A INPUT -i tun0 -j ACCEPT
|
||||
-A INPUT -i eth1 -p tcp -m tcp --dport 7521 -j ACCEPT
|
||||
-A INPUT -m set --match-set netwide6 src -j DROP
|
||||
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
COMMIT
|
||||
# Mangle
|
||||
|
||||
*mangle
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
|
@ -19,14 +19,14 @@ COMMIT
|
|||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
COMMIT
|
||||
# NAT
|
||||
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
COMMIT
|
||||
# Raw electrons
|
||||
|
||||
*raw
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
# Contributor: Alex Denes <caskd@redxen.eu>
|
||||
# Maintainer: Alex Denes <caskd@redxen.eu>
|
||||
_svcname=ipset
|
||||
_grpname=firewall
|
||||
|
||||
. ../APKBUILD-openrc.common
|
||||
|
||||
pkgver=2021.01.28
|
||||
pkgrel=0
|
||||
|
||||
sha512sums="6dc3532dbd408f20b1327c711a4b8c220df1c00d69c07a5368b5da83d591f24002745e4d128b0152a41e6edc9d70a86fc43cd01089e9d0f3deea3997cd07a435 runfile
|
||||
da4d6b72a8e7114d44903a46455642f69ac44a51e0bf0b7bafc8b469398419128bba830c1e5c0759618784f301d07c220be98fa01eb1d3ffe72bc36768aa3472 conffile"
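Review bot: `_svcname=ipset` and `_grpname=firewall` are consumed by `. ../APKBUILD-openrc.common`, which is not part of this commit, so nothing here tells a reader what `_grpname` selects or what the common file derives from `_svcname` (presumably pkgname and the runfile/conffile install names, but that is not visible); a comment such as `# _svcname/_grpname are read by APKBUILD-openrc.common to derive pkgname and service/conf.d paths`, adjusted to what the common file actually does, would help. Note also that `pkgver` and `pkgrel` are assigned after the include, so they override anything the common file sets — fine if intentional, but worth a word.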
|
|
@ -0,0 +1 @@
|
|||
DIR="/etc/ipset.d/redxen"
|
|
@ -0,0 +1,125 @@
|
|||
#!/sbin/openrc-run
|
||||
# Init script for ipset
|
||||
# Copyright (C) 2012-2017 Kaarle Ritvanen
|
||||
# Licensed under the terms of the GPL2
|
||||
|
||||
description="Manage IP sets in the Linux kernel"
|
||||
description_save="Save firewall IP sets"
|
||||
description_reload="Load firewall IP sets"
|
||||
|
||||
extra_started_commands="save reload"
|
||||
|
||||
IPSET=/usr/sbin/ipset
|
||||
DIR="${DIR:-/etc/ipset.d}"
|
||||
STATUS=0
|
||||
|
||||
ipset() {
|
||||
$IPSET $* || STATUS=1
|
||||
}
|
||||
|
||||
set_files() {
|
||||
(cd "$DIR" && ls)
|
||||
}
|
||||
|
||||
set_file() {
|
||||
grep -v ^# $DIR/$1
|
||||
}
|
||||
|
||||
set_exists() {
|
||||
$IPSET -n list $1 &> /dev/null
|
||||
}
|
||||
|
||||
set_lists() {
|
||||
$IPSET save | sed "s/^create \\([^ ]\\+\\) list:set.*/\\1/;ta;d;:a"
|
||||
}
|
||||
|
||||
sets() {
|
||||
$IPSET -n list
|
||||
}
|
||||
|
||||
|
||||
depend() {
|
||||
before iptables ip6tables
|
||||
}
|
||||
|
||||
start() {
|
||||
reload
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Flushing firewall IP sets"
|
||||
|
||||
for name in $(set_lists); do
|
||||
ipset destroy $name
|
||||
done
|
||||
|
||||
for name in $(sets); do
|
||||
ipset destroy $name
|
||||
done
|
||||
|
||||
eend $STATUS
|
||||
}
|
||||
|
||||
save() {
|
||||
ebegin "Saving firewall IP sets"
|
||||
|
||||
ipset save | while read cmd; do
|
||||
set -- $cmd
|
||||
local action=$1
|
||||
local file="$DIR/$2"
|
||||
shift 2
|
||||
if [ "$action" = create ]; then
|
||||
echo $* > $file
|
||||
elif [ "$action" = add ]; then
|
||||
echo $* >> $file
|
||||
fi
|
||||
done
|
||||
|
||||
for name in $(set_files); do
|
||||
set_exists $name || rm -f $DIR/$name
|
||||
done
|
||||
|
||||
eend $STATUS
|
||||
}
|
||||
|
||||
reload() {
|
||||
ebegin "Loading firewall IP sets"
|
||||
|
||||
local swap=
|
||||
for name in $(set_files); do
|
||||
if set_exists $name; then
|
||||
swap="$swap $name"
|
||||
fi
|
||||
done
|
||||
|
||||
for name in $(set_files); do
|
||||
local new=$name
|
||||
if set_exists $name; then
|
||||
new=_init_$name
|
||||
fi
|
||||
echo create $new $(set_file $name | head -n 1)
|
||||
done | ipset restore
|
||||
|
||||
(
|
||||
for name in $(set_files); do
|
||||
local new=$name
|
||||
set_exists _init_$name && new=_init_$name
|
||||
set_file $name | sed "1d;s/^/add $new /"
|
||||
done
|
||||
|
||||
for name in $swap; do
|
||||
echo swap $name _init_$name
|
||||
done
|
||||
) | ipset restore
|
||||
|
||||
for name in $(set_lists); do
|
||||
[ -f "$DIR/$name" ] || echo destroy $name
|
||||
done | ipset restore
|
||||
|
||||
for name in $(sets); do
|
||||
[ -f "$DIR/$name" ] || echo destroy $name
|
||||
done | ipset restore
|
||||
|
||||
eend $STATUS
|
||||
}
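Review bot: In reload() and save() a failed ipset call never reaches `eend $STATUS`: the `ipset` wrapper that sets `STATUS=1` only ever runs as a pipeline component there (`done | ipset restore` four times, `ipset save | while read cmd`), and in the usual /bin/sh implementations each pipeline component runs in a subshell, so the assignment is discarded and the service reports success even when a set file fails to restore — for a firewall deny list that is a silent failure. For the restore pipelines the check can move outside the pipeline, `done | $IPSET restore || STATUS=1`, since a POSIX pipeline's status is that of its last command; for save, capture the dump first, `dump=$($IPSET save) || STATUS=1`, and feed `printf '%s\n' "$dump"` to the loop. Separately, `&> /dev/null` in set_exists is a bash extension: under a plain POSIX sh it parses as a background job followed by an empty redirection, so set_exists always succeeds and the `_init_` create/swap logic in reload() misbehaves; `>/dev/null 2>&1` is the portable spelling. The copyright header suggests this script is carried over from an upstream ipset init script, so the same fixes may belong there as well.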
|
||||
|