Commit 2a11974f authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

Add comments to iptables

Depending on the reason for each rule, we add a relevant comment prefixed
with "snf-network_".

Currently we have three reasons: firewall, proxy-arp, extra.

Additionally save all rules under /etc/iptables/ at the end of
ifup-extra script. This can be used to restore some rules after
reloading ferm.
Signed-off-by: default avatarDimitris Aragiorgis <dimara@grnet.gr>
parent db4bf30d
......@@ -44,7 +44,9 @@ function try {
function clear_routed_setup_ipv4 {
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle -m comment --comment "snf-network_proxy-arp"
while ip rule del dev $INTERFACE; do :; done
# This is needed for older snf-network versions
iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
}
......@@ -70,7 +72,9 @@ function clear_routed_setup_firewall {
for oldchain in protected unprotected limited; do
iptables -D FORWARD -o $INTERFACE -j $oldchain
iptables -D FORWARD -o $INTERFACE -j $oldchain -m comment --comment "snf-network_firewall"
ip6tables -D FORWARD -o $INTERFACE -j $oldchain
ip6tables -D FORWARD -o $INTERFACE -j $oldchain -m comment --comment "snf-network_firewall"
done
}
......@@ -79,7 +83,9 @@ function clear_bridged_setup_firewall {
for oldchain in protected unprotected limited; do
iptables -D FORWARD -m physdev --physdev-out $INTERFACE -j $chain
iptables -D FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
ip6tables -D FORWARD -m physdev --physdev-out $INTERFACE -j $chain
ip6tables -D FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
done
}
......@@ -111,7 +117,7 @@ function routed_setup_ipv4 {
fi
# mangle ARPs to come from the gw's IP
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY" -m comment --comment "snf-network_proxy-arp"
# route interface to the proper routing table
ip rule add dev $INTERFACE table $TABLE
......@@ -183,8 +189,8 @@ function routed_setup_firewall {
done
if [ "x$chain" != "x" ]; then
iptables -A FORWARD -o $INTERFACE -j $chain
ip6tables -A FORWARD -o $INTERFACE -j $chain
iptables -A FORWARD -o $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
ip6tables -A FORWARD -o $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
fi
}
......@@ -212,8 +218,8 @@ function bridged_setup_firewall {
done
if [ "x$chain" != "x" ]; then
iptables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain
ip6tables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain
iptables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
ip6tables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
fi
}
function init_ebtables {
......
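Review bot: In clear_bridged_setup_firewall the new delete lines still jump to `$chain` although the loop variable is `oldchain`, so the command does not iterate protected/unprotected/limited as the loop intends but acts on whatever `chain` holds at that point; the parallel routed variant correctly uses `$oldchain`. Change them to `iptables -D FORWARD -m physdev --physdev-out $INTERFACE -j $oldchain -m comment --comment "snf-network_firewall"` and `ip6tables -D FORWARD -m physdev --physdev-out $INTERFACE -j $oldchain -m comment --comment "snf-network_firewall"`. Separately, `iptables -D` matches the full rule specification, so the deletes that now carry `-m comment` will no longer remove rules installed by an earlier version without the comment; the DHCP DROP rule keeps a legacy delete for exactly that reason, but the firewall and proxy-arp deletes do not, and the same applies to clean_extra in the second file. A stale chain jump left on FORWARD after an upgrade keeps steering the interface's traffic into the old chain and is easy to miss, so either keep the comment-less delete alongside the new one or document why it is not needed. Only the bodies of these functions are inside the hunks; their headers lie outside.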
......@@ -58,7 +58,9 @@ source /usr/lib/snf-network/common.sh
function clean_extra (){
iptables -D FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT
iptables -D FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT -m comment --comment "snf-network_extra"
ip6tables -D FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT
ip6tables -D FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT -m comment --comment "snf-network_extra"
}
......@@ -84,17 +86,29 @@ function setup_extra () {
mail)
# Here add iptalbes rule..
$SNF_NETWORK_LOG $0 "Tag $tag found: Applying rule for $INTERFACE..."
iptables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT
ip6tables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT -m comment --comment "snf-network_extra"
ip6tables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT -m comment --comment "snf-network_extra"
;;
esac
done
}
function save_all_tables () {
mkdir -p /etc/iptables
date > /etc/iptables/date
iptables-save > /etc/iptables/snf-network.v4
ip6tables-save > /etc/iptables/snf-network.v6
arptables-save > /etc/iptables/snf-network.arp
}
try clean_extra
setup_extra
save_all_tables
exit 0
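Review bot: save_all_tables redirects iptables-save, ip6tables-save and arptables-save straight into their final paths with no status check, so a failed or interrupted dump (arptables-save absent on a host, or two instances of this script running at the same time, which seems plausible for a per-interface hook) leaves a truncated file that a later restore would load as the complete ruleset. Write each dump to a temporary file and rename it into place only on success, e.g. `iptables-save > /etc/iptables/snf-network.v4.tmp && mv /etc/iptables/snf-network.v4.tmp /etc/iptables/snf-network.v4`, or at least report a failed save through $SNF_NETWORK_LOG as the script does elsewhere. A header comment on the function saying that these files are the source for restoring rules after a ferm reload, as the commit message explains, would also help the next reader.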
domain (ip ip6) chain protected {
domain (ip ip6) chain protected mod comment comment snf-network_ferm {
# Do not packets that request a new connection
proto tcp !syn ACCEPT;
# Allow dns responses
......@@ -8,7 +8,7 @@ domain (ip ip6) chain protected {
DROP;
}
domain (ip ip6) chain limited {
domain (ip ip6) chain limited mod comment comment snf-network_ferm {
proto tcp !syn ACCEPT;
# Allow ssh
proto tcp dport 22 ACCEPT;
......@@ -19,6 +19,6 @@ domain (ip ip6) chain limited {
DROP;
}
domain (ip ip6) chain unprotected {
domain (ip ip6) chain unprotected mod comment comment snf-network_ferm {
ACCEPT;
}