#!/bin/bash
################################################################################
# FIREWALL PARA HOST PROXMOX (SOLO HOST Y MVs ROUTED) #
# Juan Maria Gil #
# Basado en: http://wiki.openvz.org/Setting_up_an_iptables_firewall #
################################################################################
# This script sets up the firewall for the INPUT chain (which is for
# the HN itself) and then processes the config files under
# /etc/olinet/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.
################################################################################
#
# Funciones de display de mensajes
#
success() {
  # Print the in-line success marker; no trailing newline, the caller emits it.
  printf '%s' "...success"
}
failure() {
  # Print the in-line failure marker; no trailing newline, the caller emits it.
  printf '%s' "...failure"
}
################################################################################
#
#
# Bridge interface facing the Internet.
WAN_INTERFACE="vmbr0"
#
# IPs/networks with full access (newline-separated; the loops below rely on
# word-splitting, so this list is expanded unquoted where it is used).
#
DMZS="w.x.y.z/32
w.x.y.z/32"
#
# Container IPs/networks (same format as DMZS).
#
CT_NETS="w.x.y.z/30
w.x.y.z
w.x.y.z
w.x.y.z"
#
# The IP used by the hosting server itself, and its first three octets
# (used below to build addresses inside the same /24).
#
THISHOST="w.x.y.z"
THISHOST_24="w.x.y"
#
# Ports to open to the whole world (none for now): deliberately left unset,
# the consuming loop further down is commented out as well.
#
# OKPORTS="53"
#
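echo -n "Firewall: Setting default policies to DROP"
# Default-deny for traffic addressed to the host (INPUT) and routed through it
# (FORWARD); OUTPUT is not touched here. Every rule in this script is inserted
# at the head of its chain (-I), so later blocks are evaluated before these.
# NOTE(review): nothing flushes existing rules first, so re-running the script
# adds a second copy of every rule on top of the old ones.
rc=0
iptables -P INPUT DROP || rc=1
iptables -P FORWARD DROP || rc=1
# Let replies to connections the host/containers initiated, and related
# traffic, back in.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || rc=1
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT || rc=1
# Loopback is always trusted.
iptables -I INPUT -i lo -j ACCEPT || rc=1
# Report failure if any of the calls above failed instead of always "success".
if [ "$rc" -eq 0 ]; then success; else failure; fi
echo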
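#
# Allow OVH's monitoring probes (ICMP) to reach the host, and SSH from OVH's
# support host for their technicians.
#
echo -n "Firewall: Configuring permisions for OVH monitoring"
# Hostname sources are resolved by iptables when the rule is loaded: the rule
# pins the address(es) the name resolved to at that moment, and a failed
# lookup makes the iptables call fail (now reported as failure below).
rc=0
# Sources allowed to ping the host. The two numeric ones live in the host's
# own /24: .250 per the original note, .249 marked temporary (HG server only).
for src in proxy.ovh.net proxy.p19.ovh.net proxy.rbx.ovh.net proxy.rbx2.ovh.net \
           ping.ovh.net "${THISHOST_24}.250" "${THISHOST_24}.249"; do
  iptables -A INPUT -i "$WAN_INTERFACE" -p icmp --source "$src" -j ACCEPT || rc=1
done
# SSH for OVH technicians, from their cache host only.
iptables -A INPUT -i "$WAN_INTERFACE" -p tcp --dport 22 --source cache.ovh.net -j ACCEPT || rc=1
if [ "$rc" -eq 0 ]; then success; else failure; fi
echo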
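#
# Containers: forward anything originating from their networks, and let them
# reach the host's NFS services (111 portmapper, 2049 nfsd; the remaining
# ports are presumably the fixed ports configured for lockd/mountd/rquotad/
# statd -- confirm against the NFS server configuration).
#
echo "Firewall: Configuring permisions to containers"
# protocol/port pairs opened on INPUT for every container network.
CT_NFS_PORTS="udp/111 tcp/111 tcp/2049 tcp/32803 udp/32769 tcp/892 udp/892 tcp/875 udp/875 tcp/662 udp/662"
for net in $CT_NETS ; do
  echo -n " NFS/FORWARD $net"
  rc=0
  # Any traffic sourced from a container network may be routed through the host.
  iptables -I FORWARD -j ACCEPT --source "$net" || rc=1
  for pp in $CT_NFS_PORTS; do
    iptables -I INPUT -j ACCEPT --source "$net" -p "${pp%/*}" --dport "${pp#*/}" || rc=1
  done
  # Report failure if any rule for this network was rejected.
  if [ "$rc" -eq 0 ]; then success; else failure; fi
  echo
done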
#
# Ports on the host node (HN) open to everyone -- currently disabled: OKPORTS
# is not set and the loop is commented out, so only the banner is printed.
#
printf '%s\n' "Firewall: Allowing access to HN"
# for port in $OKPORTS ; do
#   echo -n " port $port"
#   iptables -I INPUT -j ACCEPT -d $THISHOST --protocol tcp --destination-port $port
#   iptables -I INPUT -j ACCEPT -d $THISHOST --protocol udp --destination-port $port
#   success ; echo
# done
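#
# Full access for the trusted (DMZ) IPs/networks: anything they send on the
# WAN interface is accepted, both to the host and routed on to the containers.
#
for ip in $DMZS ; do
  echo -n " DMZ $ip"
  rc=0
  iptables -I INPUT -i "$WAN_INTERFACE" -j ACCEPT -s "$ip" || rc=1
  iptables -I FORWARD -i "$WAN_INTERFACE" -j ACCEPT -s "$ip" || rc=1
  # Report failure if either rule was rejected instead of always "success".
  if [ "$rc" -eq 0 ]; then success; else failure; fi
  echo
done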
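#
# Per-container rules: every regular file under /etc/olinet/firewall.d is
# sourced (it runs with this script's privileges, so only root may write to
# that directory) and is expected to set:
#   CTNAME, CTID - display only
#   CTIP         - the container address the rules apply to (required)
#   OPENPORTS    - ports accepted from anywhere, tcp and udp
#   DMZS         - sources with full tcp/udp access; the global list above is
#                  used unless the file overrides it (an override persists for
#                  the files sourced after it)
#   PING         - non-empty to accept ICMP echo requests
#   BANNED       - sources dropped for this container
#
CTSETUPS=(/etc/olinet/firewall.d/*)
# With no match the glob stays literal, so test the first entry for existence.
if [ -e "${CTSETUPS[0]}" ] ; then
  echo "Firewall: Setting up container firewalls"
  for i in "${CTSETUPS[@]}" ; do
    [ -f "$i" ] || continue
    # Start from a clean slate so a file that omits a variable does not
    # inherit the previous container's value (e.g. its OPENPORTS or PING).
    unset CTNAME CTID CTIP BANNED OPENPORTS PING
    . "$i"
    echo -n " $CTNAME CT$CTID"
    if [ -z "$CTIP" ]; then
      # Without an address every rule below would be malformed; skip the file.
      failure
      echo
      continue
    fi
    rc=0
    if [ -n "$OPENPORTS" ]; then
      for port in $OPENPORTS ; do
        iptables -I FORWARD -j ACCEPT --protocol tcp --destination "$CTIP" --destination-port "$port" || rc=1
        iptables -I FORWARD -j ACCEPT --protocol udp --destination "$CTIP" --destination-port "$port" || rc=1
      done
    fi
    if [ -n "$DMZS" ]; then
      for source in $DMZS ; do
        iptables -I FORWARD -j ACCEPT --protocol tcp --destination "$CTIP" --source "$source" || rc=1
        iptables -I FORWARD -j ACCEPT --protocol udp --destination "$CTIP" --source "$source" || rc=1
      done
    fi
    if [ -n "$PING" ]; then
      iptables -I FORWARD -j ACCEPT --destination "$CTIP" -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED || rc=1
    fi
    # Inserted last so the DROPs end up above this container's ACCEPTs: -I puts
    # each new rule at the head of the chain, so when the bans were inserted
    # first, the open-port/DMZ/ping accepts added afterwards were matched before
    # them and a banned source could still reach those ports.
    if [ -n "$BANNED" ]; then
      for source in $BANNED ; do
        iptables -I FORWARD -j DROP --destination "$CTIP" --source "$source" || rc=1
      done
    fi
    # Status now covers every iptables call for this container, not just the
    # last `if` block.
    if [ "$rc" -eq 0 ]; then success; else failure; fi
    echo
  done
fi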
################################################################################
# FIN FIREWALL #
################################################################################