Commit d47e6eb9 authored by Stefan Göbel's avatar Stefan Göbel

Initial commit, version 0.1

CNFDIR ?= /etc/lxcfw
PREFIX ?= /usr/local
BINDIR ?= $(PREFIX)/bin
SHRDIR ?= $(PREFIX)/share/lxcfw
DOCDIR ?= $(PREFIX)/share/doc/lxcfw
MANDIR ?= $(PREFIX)/share/man
SRVDIR ?= $(PREFIX)/lib/systemd/system
TMPDIR ?= $(PREFIX)/lib/tmpfiles.d
doc: doc/lxcfw.8 doc/lxcfw-getconfig.8 doc/lxcfw-hook.8
clean:
rm -f doc/lxcfw.8
rm -f doc/lxcfw-getconfig.8
rm -f doc/lxcfw-hook.8
install: doc
# Executables etc.:
install -d $(DESTDIR)$(BINDIR)
install -d $(DESTDIR)$(SHRDIR)
install -d $(DESTDIR)$(SHRDIR)/dnsmasq
install -m 755 lxcfw $(DESTDIR)$(BINDIR)
install -m 755 lxc/lxcfw-getconfig $(DESTDIR)$(BINDIR)
install -m 755 lxc/lxcfw-hook $(DESTDIR)$(BINDIR)
install -m 755 dnsmasq/lxcfw-dhcp-handler $(DESTDIR)$(SHRDIR)/dnsmasq
install -m 644 share/functions $(DESTDIR)$(SHRDIR)
# Documentation:
install -d $(DESTDIR)$(DOCDIR)
install -d $(DESTDIR)$(MANDIR)/man8
install -m 644 README $(DESTDIR)$(DOCDIR)
install -m 644 dnsmasq/README $(DESTDIR)$(DOCDIR)/README.dnsmasq
install -m 644 lxc/README $(DESTDIR)$(DOCDIR)/README.lxc
install -m 644 service/README $(DESTDIR)$(DOCDIR)/README.service
install -m 644 doc/lxcfw.8 $(DESTDIR)$(MANDIR)/man8
install -m 644 doc/lxcfw-getconfig.8 $(DESTDIR)$(MANDIR)/man8
install -m 644 doc/lxcfw-hook.8 $(DESTDIR)$(MANDIR)/man8
# Service files etc.:
install -d $(DESTDIR)$(SRVDIR)
install -d $(DESTDIR)$(TMPDIR)
install -m 644 dnsmasq/lxcfw-dhcp-handler.service $(DESTDIR)$(SRVDIR)
install -m 644 lxc/lxcfw-hook.service $(DESTDIR)$(SRVDIR)
install -m 644 service/lxcfw-init.service $(DESTDIR)$(SRVDIR)
install -m 644 service/lxcfw.service $(DESTDIR)$(SRVDIR)
install -m 644 dnsmasq/lxcfw-dhcp-fifo.conf $(DESTDIR)$(TMPDIR)
# Example configuration:
cp -avx config $(DESTDIR)$(DOCDIR)
# Base configuration:
install -d $(DESTDIR)$(CNFDIR)
install -d $(DESTDIR)$(CNFDIR)/rules.d
awk '/^#####/{X=1}X<1{print}' config/lxcfw.conf | head -n -1 \
>$(DESTDIR)$(CNFDIR)/lxcfw.conf
# Fix paths:
sed -i "s@/usr/local@$(PREFIX)@g" \
$(DESTDIR)$(BINDIR)/lxcfw \
$(DESTDIR)$(BINDIR)/lxcfw-hook \
$(DESTDIR)$(DOCDIR)/config/rules.d/500_router-traffic \
$(DESTDIR)$(DOCDIR)/config/rules.d/500_multicast-broadcast \
$(DESTDIR)$(DOCDIR)/README.lxc \
$(DESTDIR)$(MANDIR)/man8/lxcfw.8 \
$(DESTDIR)$(MANDIR)/man8/lxcfw-hook.8 \
$(DESTDIR)$(SHRDIR)/dnsmasq/lxcfw-dhcp-handler \
$(DESTDIR)$(SRVDIR)/lxcfw-dhcp-handler.service
uninstall:
rm -f $(DESTDIR)$(BINDIR)/lxcfw
rm -f $(DESTDIR)$(BINDIR)/lxcfw-getconfig
rm -f $(DESTDIR)$(BINDIR)/lxcfw-hook
rm -f $(DESTDIR)$(MANDIR)/man8/lxcfw.8
rm -f $(DESTDIR)$(MANDIR)/man8/lxcfw-getconfig.8
rm -f $(DESTDIR)$(MANDIR)/man8/lxcfw-hook.8
rm -f $(DESTDIR)$(SRVDIR)/lxcfw-dhcp-handler.service
rm -f $(DESTDIR)$(SRVDIR)/lxcfw-hook.service
rm -f $(DESTDIR)$(SRVDIR)/lxcfw-init.service
rm -f $(DESTDIR)$(SRVDIR)/lxcfw.service
rm -f $(DESTDIR)$(TMPDIR)/lxcfw-dhcp-fifo.conf
rm -rf $(DESTDIR)$(SHRDIR)
rm -rf $(DESTDIR)$(DOCDIR)
rm -rf $(DESTDIR)$(CNFDIR)
dnsmasq-install:
install -d $(DESTDIR)$(SHRDIR)/dnsmasq
install -d $(DESTDIR)$(SRVDIR)
install -m 755 dnsmasq/lxcfw-dnsmasq-script $(DESTDIR)$(SHRDIR)/dnsmasq
install -m 644 dnsmasq/lxcfw-dnsmasq-expire.service $(DESTDIR)$(SRVDIR)
install -m 644 dnsmasq/lxcfw-dnsmasq-expire.timer $(DESTDIR)$(SRVDIR)
dnsmasq-uninstall:
rm -f $(DESTDIR)$(SHRDIR)/dnsmasq/lxcfw-dnsmasq-script
rmdir --ignore-fail-on-non-empty $(DESTDIR)$(SHRDIR)/dnsmasq
rmdir --ignore-fail-on-non-empty $(DESTDIR)$(SHRDIR)
rm -f $(DESTDIR)$(SRVDIR)/lxcfw-dnsmasq-expire.service
rm -f $(DESTDIR)$(SRVDIR)/lxcfw-dnsmasq-expire.timer
doc/lxcfw.8: doc/lxcfw.8.rst
rst2man doc/lxcfw.8.rst >doc/lxcfw.8
doc/lxcfw-getconfig.8: doc/lxcfw-getconfig.8.rst
rst2man doc/lxcfw-getconfig.8.rst >doc/lxcfw-getconfig.8
doc/lxcfw-hook.8: doc/lxcfw-hook.8.rst
rst2man doc/lxcfw-hook.8.rst >doc/lxcfw-hook.8
.PHONY: clean dnsmasq-install dnsmasq-uninstall doc install uninstall
# :indentSize=3:tabSize=3:noTabs=false:mode=makefile:maxLineLen=87:
\ No newline at end of file
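Review bot: The `install` target regenerates `$(DESTDIR)$(CNFDIR)/lxcfw.conf` unconditionally (the `awk … | head -n -1 >…` pipeline), so re-running `make install` after the admin has edited /etc/lxcfw/lxcfw.conf silently overwrites it, and `uninstall` then `rm -rf`s the whole `$(CNFDIR)`, taking locally written rules.d scripts and the saved rules.nft with it. Guard the generation with `test -e $(DESTDIR)$(CNFDIR)/lxcfw.conf || …` (or ship it as `lxcfw.conf.example`) and let `uninstall` remove only the files `install` created. The shell redirect also leaves the generated config with umask-dependent permissions while every other file is installed with an explicit `-m`; a `chmod 644 $(DESTDIR)$(CNFDIR)/lxcfw.conf` after the pipeline makes that deterministic. Finally, the three `rm -rf $(DESTDIR)$(…DIR)` lines run with `DESTDIR` empty by default, so an empty or mistyped override is worth guarding, e.g. `$(if $(strip $(CNFDIR)),,$(error CNFDIR is empty))` before the recipe.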
lxcfw - Yet another firewall script…
==============================================================================
First things first: The main script, `lxcfw`, does not require LXC, and has
nothing to do with LXC. It is just another firewall script, using the `nft`
command instead of `iptables`, it will just load some netfilter rules
specified in its configuration file(s). However, `lxcfw` does come with some
LXC specific stuff, which may be used to automatically add or remove IPs from
the netfilter rules when LXC containers are started or stopped. That's why
it's called `lxcfw`. And no, I am not even trying to come up with a better
name…
The general idea for automation of the netfilter rules for LXC containers is a
role-based setup, i.e. every container that should be handled automatically
will be assigned to one or more roles, by using the lxc.groups option. For
example, a container that should be allowed access to HTTP servers may be
configured with
lxc.group = role-dns-client
lxc.group = role-http-client
The netfilter rules have to be prepared for this by adding a dns-client and
http-client set, allowing all IPs that are members of these sets access to DNS
and HTTP servers. The lxcfw-hook script must then be configured as a pre-start
and post-stop hook of the container, and every time the container is started
or stopped its IP will automatically be added or removed, respectively, to or
from the sets. This requires the container to have a fixed IP!
Example configuration and rules scripts are included, see the config/
directory and the documentation for more details.
Installation
------------------------------------------------------------------------------
Note: Generating the man pages requires the rst2man command from docutils!
Run
make
make install
to install in /usr/local etc., or set a PREFIX, for example
make
make PREFIX=/usr install
to install directly in /usr. To uninstall, use the `uninstall` make target
instead of `install`. Don't forget the PREFIX!
The example configuration has to be copied manually from the shared location
(e.g. /usr/local/share/lxcfw) to /etc/lxcfw/ if required.
For Arch Linux (or derivatives), the pkgbuild directory contains a PKGBUILD to
build packages for lxcfw instead.
Documentation
------------------------------------------------------------------------------
Man pages will be installed during installation, or see the doc/ directory.
Additional notes can be found in the README files (which will also be
installed).
License
------------------------------------------------------------------------------
Copyright © 2017-2018 Stefan Göbel < lxcfw ʇɐ subtype ˙ de >.
lxcfw is free software: you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.
lxcfw is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
lxcfw. If not, see <http://www.gnu.org/licenses/>.
# :indentSize=3:tabSize=3:noTabs=true:mode=text:maxLineLen=78:
\ No newline at end of file
#!/usr/bin/bash
#
# /etc/lxcfw/lxcfw.conf - configuration of lxcfw and related scripts.
#
# This file will be sourced, make sure it is a valid Bash script! Custom
# variables may be included as required, as long as they don't clash with
# variables already in use. grep the scripts if unsure.
#
# Default values are listed below.
## Paths: ####################################################################
# Lock file of the main lxcfw script will be placed in this directory:
#
#mainscr_lock='/run/lock/lxcfw'
# Path of the FIFO for the dhcp-handler script (DO NOT CHANGE THIS):
#
#handler_fifo='/run/lxcfw/dhcp/fifo'
# The lock file of the lxcfw-dhcp-handler script will be placed in this
# directory:
#
#handler_lock='/run/lock/lxcfw-dhcp-handler'
# Path of the nft executable (determined using the which command if unset):
#
#nft_fullpath='/usr/bin/nft'
# Path of the directory containing the scripts for rule set creation:
#
#fw_rules_dir='/etc/lxcfw/rules.d'
# Generated rules will be saved to and loaded from this file by default:
#
#fw_save_file='/etc/lxcfw/rules.nft'
# Name of the temporary network namespace:
#
#fw_namespace='lxcfw-temp'
# SNAT: ######################################################################
#
# Range of source addresses for SNAT, the gateway interface and the netmask.
# Used by the LXC hook and DHCP handler to add and remove SNAT rules when a
# container is started or stopped. The scripts will map each container IP to
# an IP in the specified range (inclusive $snat_minip and $snat_maxip). Leave
# $snat_maxip empty to only use $snat_minip. If both are empty no IPs will be
# added to the SNAT map. The appropriate rules and sets have to be created by
# the rule scripts (see 100_nat-table). $snat_iface and $snat_nmask have to be
# set so the scripts can add the SNAT IP to the interface. If either of these
# is empty, no address will be added.
#
# There are no default values for these variables (i.e. defaults are empty).
# The example below will set up SNAT on the br0 interface and map all original
# IPs to an IP between 192.168.1.51 and 192.168.1.59 (inclusive), the netmask
# is /24, i.e. the network is 192.168.1.0/24. The example rule scripts require
# these variables to be set (and will not check if they aren't).
#
snat_minip='192.168.1.51'
snat_maxip='192.168.1.59'
snat_iface='br0'
snat_nmask='24'
##############################################################################
#
# Custom configuration options below. These are for the rules.d scripts, the
# main script (plus the related tools) only care about the variables above.
#
# See the example rules.d/ directory for details on how these variables are
# used.
# External network: ----------------------------------------------------------
#
xtern_addr='192.168.1.101' # External IP.
xtern_gate='192.168.1.254' # Gateway.
xtern_netw='192.168.1.0/24' # Network.
# Internal container network: ------------------------------------------------
#
lxcnw_brif='lxcbr0' # LXC bridge interface.
lxcnw_addr='10.0.0.1' # Its IP address.
lxcnw_netw='10.0.0.0/22' # The network.
## Miscellaneous: ------------------------------------------------------------
#
# Unprivileged ports:
#
u_port_min='1024'
u_port_max='65535'
u_port_rng="$u_port_min-$u_port_max"
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=78: ########
\ No newline at end of file
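Review bot: The header states the file is sourced as Bash but not by whom, and since it drives `nft` it is presumably executed as root, which makes its ownership and mode as security-relevant as its content. A line after the "grep the scripts if unsure." paragraph such as `# lxcfw sources this file with root privileges: keep it owned by root and not writable by anyone else.` would make that requirement explicit. Separately, the SNAT block near the end is the only part above the `#####` separator whose values are uncommented and therefore active rather than defaults; the Makefile's awk cut appears to copy everything above that separator into the base config, so the installed /etc/lxcfw/lxcfw.conf would start with the example 192.168.1.x values live — if that is intended, a one-line remark there ("these example values are installed as-is, adjust before first start") would save a surprise.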
#!/bin/bash
#
# Remove the current nftables configuration. Done by the firewall script automatically, include it in case these
# scripts are run by some other means. Note that flushing the rule set means all traffic will be allowed, unlike
# iptables with its default tables/chains and their policy.
nft flush ruleset
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
#!/bin/bash
#
# Create the filter tables. Separate tables for IPv4 and IPv6. The tables will be named 'filter'. Chains will be
# created for the input, output and forward hooks, with the same names. The default policy will be set to 'drop'.
nft -f <(
sed -e 's/^ //' <<'______EOF'
table ip filter {
chain input { type filter hook input priority 0 ; policy drop ; }
chain output { type filter hook output priority 0 ; policy drop ; }
chain forward { type filter hook forward priority 0 ; policy drop ; }
}
table ip6 filter {
chain input { type filter hook input priority 0 ; policy drop ; }
chain output { type filter hook output priority 0 ; policy drop ; }
chain forward { type filter hook forward priority 0 ; policy drop ; }
}
______EOF
)
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
#!/bin/bash
#
# Create the nat table with the prerouting and postrouting chains (IPv4 only). Also create a new map for the
# source/target IP mapping, and a rule to SNAT the map elements. The map will be empty by default.
#
# To manually add an entry to the map: nft add element ip nat snat-ips { <source> : <target> }
#
# These tables/chains/rules are required for the automatic SNAT setup by the lxcfw-hook script. The $snat_iface
# variable must be set to create the SNAT rule. If it is not set, the nat table and its chains/maps/rules will not
# be created.
#
# To add an LXC container's primary IP to the map, set the lxcfw-hook script as pre-start and post-stop hook and
# use the following option:
#
# lxc.group = ip.nat.snat-map=@ip0:@snat0
if [[ -n "$snat_iface" ]] ; then
nft -f <(
sed -e 's/^ //' -e "s/__IF_EXT__/$snat_iface/" <<'_________EOF'
table ip nat {
# The mapping of internal source addresses (keys) to external destination addresses (values):
#
map snat-map { type ipv4_addr : ipv4_addr ; }
# Prerouting and postrouting chains (both are required, even if prerouting is empty!):
#
chain prerouting { type nat hook prerouting priority 0 ; }
chain postrouting { type nat hook postrouting priority 0 ; }
# Enable SNAT for elements in snat-ips:
#
chain postrouting { oifname "__IF_EXT__" snat to ip saddr map @snat-map fully-random ; }
}
_________EOF
)
fi
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
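Review bot: The comments refer to the map as `snat-ips` (the manual-add example and the "Enable SNAT for elements in snat-ips" line) while it is declared as `snat-map` and referenced as `@snat-map`, so copying the documented command produces an nft error. Change the example to `# To manually add an entry to the map: nft add element ip nat snat-map { <source> : <target> }` and the later comment to `# Enable SNAT for elements in snat-map:`. The interface name is also spliced into the ruleset through an unescaped `sed -e "s/__IF_EXT__/$snat_iface/"`, so a value containing `/` or `&` corrupts the expression; the config is root-owned, so this is a robustness rather than an injection concern, but a short sanity check on `$snat_iface` before the `nft -f` would keep the failure readable.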
#!/bin/bash
#
# Not using IPv6, may as well drop pre- and postrouting in addition to in/out/forward (see 100_filter-tables).
nft -f <(
sed -e 's/^ //' <<'______EOF'
table ip6 filter {
chain prerouting { type filter hook prerouting priority 0 ; policy drop ; }
chain postrouting { type filter hook postrouting priority 0 ; policy drop ; }
}
______EOF
)
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
#!/bin/bash
#
# Allow related and established connections and drop packets with an invalid state. IPv4 only.
# Create the conntrack-check chain:
#
nft add chain ip filter conntrack-check
# Accept all packets from established and related connections:
#
nft add rule ip filter conntrack-check ct state { established, related } accept
# Log and drop all packets with an invalid state:
#
nft add rule ip filter conntrack-check ct state invalid log prefix '"INV: "' flags all drop
# Jump to the chain from the main filter chains:
#
nft add rule ip filter input jump conntrack-check
nft add rule ip filter output jump conntrack-check
nft add rule ip filter forward jump conntrack-check
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
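Review bot: The `ct state invalid log … drop` rule logs every invalid packet with no rate limit, so a burst of bogus packets turns directly into kernel log volume; the three per-chain `log … drop` rules in the 900 log-drop script have the same property. Splitting each into a limited log rule and an unconditional drop keeps the filtering behaviour while bounding the noise, e.g. `nft add rule ip filter conntrack-check ct state invalid limit rate 10/second log prefix '"INV: "' flags all` followed by `nft add rule ip filter conntrack-check ct state invalid drop`. The `10/second` value is a placeholder to be tuned for the site.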
#!/bin/bash
#
# Drop incoming multicast and broadcast traffic (before it hits the log rule), we don't need it for anything.
# Get the (first) broadcast address of the external interface (the broadcast_addrs function is defined in
# /usr/local/share/lxcfw/functions):
#
_baddr="$( broadcast_addrs "$snat_iface" )"
# Note: Putting 255.255.255.255 in a set does not work when saving/loading the rules, so just create one rule for
# each address.
#
add_rule d i - "$snat_iface" - - - "$_baddr" -
add_rule d i - "$snat_iface" - - - 255.255.255.255 -
add_rule d i - "$snat_iface" - - - 224.0.0.0/4 -
# Clean up the global scope:
#
unset _baddr
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
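Review bot: `_baddr` is passed to the first `add_rule` call without a check, so if `broadcast_addrs` prints nothing (interface without a broadcast address, or `snat_iface` unset) the call receives an empty daddr; what `add_rule` does with an empty argument is defined outside this file, but it is unlikely to be the intended drop rule. A guard such as `[[ -n "$_baddr" ]] && add_rule d i - "$snat_iface" - - - "$_baddr" -` — or an explicit error when it is empty — keeps the rule set honest. The literal `/usr/local/share/lxcfw/functions` in the comment is one of the paths the Makefile rewrites with `sed`, which is worth a word in the comment so a later edit keeps the pattern intact.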
#!/bin/bash
#
# Drop some incoming traffic from the router to port 80 before it hits the log. This uses the add_rule function
# defined in /usr/local/share/lxcfw/functions (or similar). Its parameters are:
#
# <drop|reject|accept> <input|output|forward> <protocol> <iifname> <saddr> <sport> <oifname> <daddr> <dport>
#
# Again, required variables are set in the lxcfw.conf file.
add_rule d i tcp "$snat_iface" "$xtern_gate" - - "$xtern_netw" 80
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
#!/bin/bash
#
# Create sets related to the DHCP server:
#
# * dhcp-server - IPs of DHSCP servers.
# * dhcpdns-client - IPs of clients allowed to access the DHCP's DNS server.
# * dhcpdns-listen - (IP address . TCP/UDP) ports of the DHCP's DNS server.
#
# To add an LXC container's IP to the sets, set the lxcfw-hook script as pre-start and post-stop hook and use the
# following options (as applicable, replace <port> by the port number the DNS server is listening on):
#
# lxc.group = role-dhcp-server
# lxc.group = role-dhcpdns-client
# lxc.group = role-dhcpdns-listen=@ip0+<port>
# Create the sets:
#
nft add set ip filter dhcp-server { type ipv4_addr \; }
nft add set ip filter dhcpdns-client { type ipv4_addr \; }
nft add set ip filter dhcpdns-listen { type ipv4_addr . inet_service \; }
# Main DNS servers to the DHCP DNS servers:
#
add_rule a f udp "$lxcnw_brif" @dhcpdns-client "$u_port_rng" "$lxcnw_brif" @dhcpdns-listen @dhcpdns-listen
add_rule a f tcp "$lxcnw_brif" @dhcpdns-client "$u_port_rng" "$lxcnw_brif" @dhcpdns-listen @dhcpdns-listen
# Allow DHCP broadcast on the bridge, drop some (apparently unecessary) broadcasts:
#
add_rule a f udp "$lxcnw_brif" 0.0.0.0 68 "$lxcnw_brif" 255.255.255.255 67
add_rule d i udp "$lxcnw_brif" 0.0.0.0 68 - 255.255.255.255 67
# DHCP traffic from the server to a client with an assigned address and vice versa:
#
add_rule a f udp "$lxcnw_brif" "$lxcnw_netw" 68 "$lxcnw_brif" @dhcp-server 67
add_rule a f udp "$lxcnw_brif" @dhcp-server 67 "$lxcnw_brif" "$lxcnw_netw" 68
# Allow the DHCP server to ping targets:
#
nft add rule ip filter forward \
ip protocol icmp icmp type echo-request \
iifname "$lxcnw_brif" ip saddr @dhcp-server \
oifname "$lxcnw_brif" ip daddr "$lxcnw_addr" \
accept
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
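Review bot: Two typos in the header comments: "IPs of DHSCP servers." should read `# * dhcp-server - IPs of DHCP servers.`, and "apparently unecessary" should read `# Allow DHCP broadcast on the bridge, drop some (apparently unnecessary) broadcasts:`. The two forward rules that pass `@dhcpdns-listen` as both daddr and dport rely on `add_rule` understanding the concatenated `ipv4_addr . inet_service` set, which is not visible here; a one-line comment above them saying that the function maps a concatenation set onto both fields would spare the next reader a trip to share/functions.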
#!/bin/bash
#
# Create sets for DNS servers and clients and the appropriate rules:
#
# * dns-server - IPs in this set will be allowed to access external DNS servers (TCP/UDP port 53).
# * dns-client - IPs in this set will be allowed to access IPs in the rl-dns-server set.
#
# Both apply to LXC containers only. A rule for the host to allow access to any IP in the dns-server is added, too.
# DNS servers must listen on port 53, custom ports are not supported here.
#
# To add an LXC container's IP to the sets, set the lxcfw-hook script as pre-start and post-stop hook and use the
# following options (as applicable):
#
# lxc.group = role-dns-server
# lxc.group = role-dns-client
# Create the sets:
#
nft add set ip filter dns-server { type ipv4_addr \; }
nft add set ip filter dns-client { type ipv4_addr \; }
# Container DNS servers to external DNS servers:
#
add_rule a f udp "$lxcnw_brif" @dns-server "$u_port_rng" "$snat_iface" - 53
add_rule a f tcp "$lxcnw_brif" @dns-server "$u_port_rng" "$snat_iface" - 53
# Container DNS clients to container DNS servers:
#
add_rule a f udp "$lxcnw_brif" @dns-client "$u_port_rng" "$lxcnw_brif" @dns-server 53
add_rule a f tcp "$lxcnw_brif" @dns-client "$u_port_rng" "$lxcnw_brif" @dns-server 53
# Host to container DNS server:
#
add_rule a o udp - "$lxcnw_addr" "$u_port_rng" "$lxcnw_brif" @dns-server 53
add_rule a o tcp - "$lxcnw_addr" "$u_port_rng" "$lxcnw_brif" @dns-server 53
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
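Review bot: The header describes `dns-client` as allowed to access IPs "in the rl-dns-server set", but the set created below is `dns-server` and the rules reference `@dns-server`; `rl-dns-server` appears nowhere else on the page. Change the line to `# * dns-client - IPs in this set will be allowed to access IPs in the dns-server set.` so the role description matches the set name an operator has to inspect with nft.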
#!/bin/bash
#
# Create a set for HTTP clients and the appropriate rule:
#
# * http-client - IPs in this set will be allowed to access external HTTP servers.
#
# Note: The rule only applies to LXC containers, the host will not be allowed (adding the host to the set will not
# work either). IPs in the http-client set may access only HTTP servers on port 80, see role-https-client for HTTPS
# access.
#
# To add an LXC container's IP to the set, set the lxcfw-hook script as pre-start and post-stop hook and use the
# following option:
#
# lxc.group = role-http-client
# Create the set:
#
nft add set ip filter http-client { type ipv4_addr \; }
# Allow the clients to access any external HTTP servers:
#
add_rule a f tcp "$lxcnw_brif" @http-client "$u_port_rng" "$snat_iface" - 80
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
#!/bin/bash
#
# Create a set for HTTPS clients and the appropriate rule:
#
# * https-client - IPs in this set will be allowed to access external HTTPS servers.
#
# Note: The rule only applies to LXC containers, the host will not be allowed (adding the host to the set will not
# work either). IPs in the https-client set may access only HTTPS servers on port 443, see role-http-client for
# HTTP access.
#
# To add an LXC container's IP to the set, set the lxcfw-hook script as pre-start and post-stop hook and use the
# following option:
#
# lxc.group = role-https-client
# Create the set:
#
nft add set ip filter https-client { type ipv4_addr \; }
# Allow the clients to access any external HTTP servers:
#
add_rule a f tcp "$lxcnw_brif" @https-client "$u_port_rng" "$snat_iface" - 443
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
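Review bot: The comment above the rule still says "any external HTTP servers", copied from the http-client script, while the rule below it allows port 443; change it to `# Allow the clients to access any external HTTPS servers:` so a grep for the HTTP rule does not land on the HTTPS one.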
#!/bin/bash
#
# Create a set for NTP servers and the appropriate rule:
#
# * ntp-server - IPs in this set will be allowed to access external NTP servers (UDP 123).
#
# NTP servers are only supported on the standard port UDP 123.
#
# To add an LXC container's IP to the set, set the lxcfw-hook script as pre-start and post-stop hook and use the
# following option:
#
# lxc.group = role-ntp-server
# Create the set:
#
nft add set ip filter ntp-server { type ipv4_addr \; }
# Allow the NTP server to access any external NTP servers:
#
add_rule a f udp "$lxcnw_brif" @ntp-server 123 "$snat_iface" - 123
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
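Review bot: The rule pins the client source port to 123 (`add_rule a f udp "$lxcnw_brif" @ntp-server 123 "$snat_iface" - 123`), which matches classic ntpd but, as far as I know, not clients that send from an ephemeral port by default (chrony, sntp-style one-shot tools); those would be dropped and end up in the log. If the role is meant for any NTP daemon in a container, a second rule with `"$u_port_rng"` as the source port, or a comment stating that only port-123 clients are supported, would document the intent either way.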
#!/bin/bash
#
# Everything that hits the filter chains now will be logged (and dropped, even though the default policy of all
# chains is drop anyway).
for _type in ip ip6 ; do
nft add rule "$_type" filter input log prefix '"INP: "' flags all drop
nft add rule "$_type" filter output log prefix '"OUT: "' flags all drop
nft add rule "$_type" filter forward log prefix '"FWD: "' flags all drop
done
unset _type
# :indentSize=3:tabSize=3:noTabs=true:mode=shellscript:maxLineLen=115: ############################################
\ No newline at end of file
Example rules for the `lxcfw` script. These files are expected to be located
in /etc/lxcfw/rules.d/ by default.
Example rules are split into the following sections:
000 Reset (flush rule set).
1** Preparations. Create tables and basic sets.
400 Conntrack - allow established and related traffic.
5** Drop unwanted traffic.
7** Regular rules.
9** Log and drop.
Rules are sourced by the main script in alphabetical order, only executable
files are included (removing the executable bit is an easy way to disable a
script). Other than that, the rule files' names do not matter. Feel free to
change the naming scheme to your liking.
LXC containers are supported by the example rules, and some variables are
required to be set, see the lxcfw.conf file provided with the examples.
Note: The example rules are IPv4 only, IPv6 will be dropped!
\ No newline at end of file
Files in this directory may be used to setup automatic handling of LXC
containers without a fixed IP address, i.e. containers that get their IP by
DHCP.
It requires a dnsmasq server to handler the DHCP stuff. The server may itself
run inside an LXC container.
Setup on the host:
* A named pipe at /run/lxcfw/dhcp/fifo created by the lxcfw-dhcp-fifo.conf
tmpfiles.d configuration (read-/writable only by root).
* The lxcfw-dhcp-handler.service starting the lxcfw-dhcp-handler daemon,
which will read from the FIFO and call lxcfw-hook with the appropriate
parameters.
* Important: Do not use the lxcfw-hook script for container's that get
their IP by DHCP! Other options (i.e. the container roles defined via
the lxc.group options) are the same as for containers with fixed IPs.
Setup on the DHCP server:
* A pipe at /var/lib/dnsmasq/dnsmasq.fifo, which must be the same FIFO
as /run/lxcfw/dhcp/fifo on the host, i.e. bind mount it from the host
inside the container.
* dnsmasq must be configured to call lxcfw-dnsmasq-script when DHCP leases
change (using the --dhcp-script option).
* The (optional) lxcfw-dnsmasq-expire service and timer may be enabled to
make dnsmasq check for expired leases every five minutes.
Installation will put these files in /usr/local/share/lxcfw/dnsmasq (or
similar), since they're not required on the host. Use
make dnsmasq-install
inside the container to install the lxcfw-dnsmasq-* files (and nothing else).
A PREFIX will be respected. To uninstall, use
make dnsmasq-uninstall
Note: These scripts are pretty basic, use these at your own risk! All paths
are hardcoded, lxcfw's configuration file will be ignored by these scripts!
\ No newline at end of file
# Create the DHCP FIFO on boot:
#
D! /run/lxcfw 0700 root root -
D! /run/lxcfw/dhcp 0700 root root -
p+! /run/lxcfw/dhcp/fifo 0600 root root -
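Review bot: The FIFO created here is, per the dnsmasq README in this commit, bind-mounted into the DHCP container, and the handler that reads it runs as root and turns each line into lxcfw-hook calls; the 0600 root:root mode protects it on the host, but inside the container it is still a channel by which that container's root user drives host firewall changes. That trust assumption is not written anywhere near the file, so a comment such as `# Anything able to write to this FIFO (including root inside the dnsmasq container) can drive lxcfw-hook on the host; keep it 0600 and mount it only into a trusted container.` would make it visible to whoever maintains the mount. The `+` on the `p+!` line removes a pre-existing non-FIFO at that path, which is presumably deliberate but also deserves a word.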
#!/usr/bin/bash
###################################################################################################################
#
# This file is part of lxcfw.
#
# Copyright © 2017-2018 Stefan Göbel < lxcfw ʇɐ subtype ˙ de >.
#
# lxcfw is free software: you can redistribute it and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any
# later version.
#
# lxcfw is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# You should have received a copy of the GNU General Public License along with lxcfw. If not, see
# <http://www.gnu.org/licenses/>.
#
###################################################################################################################
#
# Monitor the pipe /run/lxcfw/dhcp/fifo for lease messages from the dnsmasq DHCP server and add/remove/modify
# firewall rules accordingly. This script should be started by its systemd service (lxcfw-dhcp-handler.service).
#
# The lines read from the FIFO must be the arguments dnsmasq passes to its --dhcp-script:
#
# <add|old|del|arp-add|arp-del|init|tftp> <MAC address> <IP address> <hostname (if known)>
#
# The script must be run as root (or someone else who can modify the netfilter rule set, and read from the pipe).