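#!/bin/bash
# version 2012-12-20
#
# Host firewall for the appliance: resets iptables to default-DROP and
# then opens only what the installed web apps (storagegateway,
# authgateway) are configured to use. Must run as root (writes iptables
# and /proc/sys).
#
# TODO -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG

# Helper jar used by getProperty() to read keys out of the *.properties files.
readonly PROPERTYREADERUTILITY="/var/lib/ssl/BACKUP/PropertiesReaderCLI-0.32.jar"
# Appliance-wide settings (ping, audit, cifs/nfs server).
readonly VMPROPERTIESFILE="/var/lib/ssl/BACKUP/vm.properties"
# Per-application settings; a missing file means that app is not deployed.
readonly STORAGEPROPERTIESFILE="/var/lib/tomcat6/webapps/storagegateway/WEB-INF/app.properties"
readonly AUTHENTICATIONPROPERTIESFILE="/var/lib/tomcat6/webapps/authgateway/WEB-INF/app.properties"
# Plain text file holding the RSA Authentication Manager host name.
readonly RSAAUTHPROPERTIESFILE="/var/lib/tomcat6/oxygen-authgateway/authmanager-hostname.txt"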
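#######################################
# Read one key from a Java .properties file via the PropertiesReaderCLI jar.
# Globals:   PROPERTYREADERUTILITY (read)
# Arguments: $1 - property key, $2 - path of the properties file
# Outputs:   the property value on stdout (whatever the jar prints)
# Returns:   0 on success, 1 on bad arguments or when the jar is missing
# Errors go to stderr, never stdout: callers capture stdout with $(...)
# and would otherwise treat the error text as the property value.
#######################################
getProperty() {
  local keyword file
  if [ "$#" -ne 2 ]; then
    printf 'ERROR: getProperty() incorrect number of parameters\n' >&2
    return 1
  fi
  keyword="$1"
  file="$2"
  if [ -f "$PROPERTYREADERUTILITY" ]; then
    java -jar "$PROPERTYREADERUTILITY" "$file" "$keyword"
  else
    printf 'ERROR: %s does not exist\n' "$PROPERTYREADERUTILITY" >&2
    return 1
  fi
}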
function allowPort() { if [ "$#" -ne 1 ]; then printf "port parameter missing" exit 0 fi
PORT="$1"
if [ ! -z "$PORT" ]; then
# Allow incoming on PORT
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport $PORT -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s 0/0 --sport $PORT --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing on PORT (note state for INPUT is only ESTABLISHED)
/sbin/iptables -A OUTPUT -p tcp --dport $PORT -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport $PORT --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
else
printf "port parameter is blank"
fi
}
#######################################
# Test whether a string is a dotted-quad IPv4 address.
# Arguments: $1 - candidate address
# Outputs:   "0" on stdout if it is a valid address, "1" otherwise
#            (callers compare the printed value, not the return status)
# Each octet is compared arithmetically, so a leading-zero octet such as
# 0255 is read as octal.
#######################################
valid_ip() {
  local ip=$1
  local stat=1
  local -a octets
  if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # split on the dots without touching the caller's IFS
    IFS=. read -r -a octets <<<"$ip"
    [[ ${octets[0]} -le 255 && ${octets[1]} -le 255 \
      && ${octets[2]} -le 255 && ${octets[3]} -le 255 ]]
    stat=$?
  fi
  printf '%s' "$stat"
}
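#######################################
# Resolve a host name to a single IPv4 address for use in an iptables rule.
# Arguments: $1 - host name (an IP literal is passed through by getent)
# Outputs:   the first IPv4 STREAM address on stdout, or nothing if the
#            name does not resolve
# Returns:   0 normally, 1 if the parameter is missing or blank
# Only IPv4 is asked for (ahostsv4) and only the first answer is printed:
# the old "ahosts | grep STREAM" could emit several lines, including
# IPv6, and the caller splices the output into a single iptables -s/-d.
# The host name is kept in a local so bash's own HOSTNAME is not clobbered.
#######################################
get_ip_address_from_hostname() {
  local host address
  if [ "$#" -ne 1 ]; then
    printf 'ERROR: get_ip_address_from_hostname() hostname parameter missing\n' >&2
    return 1
  fi
  host="$1"
  if [ -z "$host" ]; then
    printf 'ERROR: get_ip_address_from_hostname() hostname parameter is blank\n' >&2
    return 1
  fi
  address=$(getent ahostsv4 "$host" 2>/dev/null | awk '$2 == "STREAM" { print $1; exit }')
  printf '%s' "$address"
}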
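# - - - - - - - - - - - MAIN - - - - - - - - - - - - - - -

# Clear any existing firewall rules and default every chain to DROP, so only
# the rules appended below admit traffic (fail-closed if the script stops
# part-way).
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Allow loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow DNS queries (UDP only; a resolver falling back to TCP is not covered)
/sbin/iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow NTP (query time server). Stateful like the DNS rules above: this host
# opens the exchange and only replies are accepted, instead of the previous
# unconditional ACCEPT of any inbound UDP to port 123.
/sbin/iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s 0/0 --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing HTTPS (note state for INPUT is only ESTABLISHED)
/sbin/iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT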
# vm.properties: ICMP (ping) and rsyslog audit forwarding are opt-in.
if [ -f "$VMPROPERTIESFILE" ]; then
  PINGENABLED=$( getProperty "pingenabled" "$VMPROPERTIESFILE" )
  case "$PINGENABLED" in
    true)
      # Inserted at position 1 so ICMP is matched ahead of every other rule
      /sbin/iptables -I OUTPUT 1 -p icmp -j ACCEPT
      /sbin/iptables -I INPUT 1 -p icmp -j ACCEPT
      ;;
  esac

  AUDITENABLED=$( getProperty "auditenabled" "$VMPROPERTIESFILE" )
  case "$AUDITENABLED" in
    true)
      # Allow outgoing RSYSLOG (TCP 514); only replies are accepted on INPUT
      /sbin/iptables -A OUTPUT -p tcp --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
      /sbin/iptables -A INPUT -p tcp -s 0/0 --sport 514 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
      ;;
  esac
fi
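#######################################
# Turn a configured server value into an IPv4 address.
# Arguments: $1 - IP literal or host name from a properties file
# Outputs:   the address on stdout; empty if a host name does not resolve
# Shared by the CIFS and NFS sections below, which used to duplicate it.
#######################################
resolve_server_ip() {
  local server=$1
  if [ "$( valid_ip "$server" )" == 1 ]; then
    get_ip_address_from_hostname "$server"
  else
    printf '%s' "$server"
  fi
}

# storagegateway app.properties: open what the configured storage back end,
# the CIFS/NFS server and the cache cluster need.
if [ -f "$STORAGEPROPERTIESFILE" ]; then
  IDTYPE="storagegateway.storageGatewayType"
  STORAGEGATEWAYTYPE=$( getProperty "$IDTYPE" "$STORAGEPROPERTIESFILE" )

  if [ "EMCstorageAdaptor" == "$STORAGEGATEWAYTYPE" ]; then
    ATMOSPORT=$( getProperty "storagegateway.emc.portNumber" "$STORAGEPROPERTIESFILE" )
    allowPort "$ATMOSPORT"
  fi

  if [ "S3storageAdaptor" == "$STORAGEGATEWAYTYPE" ]; then
    S3PORT=$( getProperty "storagegateway.s3.port" "$STORAGEPROPERTIESFILE" )
    allowPort "$S3PORT"
  fi

  # CIFS server: the value lives in vm.properties, not the storage file
  CIFSSERVER=$( getProperty "cifsserver" "$VMPROPERTIESFILE" )
  if [ ! -z "$CIFSSERVER" ]; then
    CIFSSERVERIP=$( resolve_server_ip "$CIFSSERVER" )
    if [ ! -z "$CIFSSERVERIP" ]; then
      # allow the whole range in case it's a cluster
      # NOTE(review): a /24 admits every host on that subnet, not just the
      # named server; narrow it if the cluster members are known
      CIFSSERVERIPRANGE="$CIFSSERVERIP/255.255.255.0"
      # INPUT accepts replies only (ESTABLISHED), matching the NFS rules
      # below; it was previously a stateless accept of anything with
      # source port 445 from the range.
      /sbin/iptables -A INPUT -p tcp -s "$CIFSSERVERIPRANGE" --sport 445 -d 0/0 -m state --state ESTABLISHED -j ACCEPT
      /sbin/iptables -A OUTPUT -p tcp -s 0/0 --sport 1024:65535 -d "$CIFSSERVERIPRANGE" --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
    else
      # was "$CIFSERVER" (typo), which printed an empty name
      printf '\nERROR: invalid server or ip address %s\n' "$CIFSSERVER" >&2
    fi
  fi

  # NFS server: NFS uses several ports (portmap, mountd, nfs, lockd), so all
  # TCP to the server host is allowed and only replies come back in.
  NFSSERVER=$( getProperty "nfsserver" "$VMPROPERTIESFILE" )
  if [ ! -z "$NFSSERVER" ]; then
    NFSSERVERIP=$( resolve_server_ip "$NFSSERVER" )
    if [ ! -z "$NFSSERVERIP" ]; then
      # Unlike CIFS, the rules are scoped to the single server address
      # (the original computed a /24 range here but never used it).
      /sbin/iptables -A OUTPUT -p tcp -d "$NFSSERVERIP" -j ACCEPT
      /sbin/iptables -A INPUT -p tcp -s "$NFSSERVERIP" -m state --state RELATED,ESTABLISHED -j ACCEPT
    else
      # was "$NFSERVER" (typo), which printed an empty name
      printf '\nERROR: invalid server or ip address %s\n' "$NFSSERVER" >&2
    fi
  fi

  CLUSTERENABLED=$( getProperty "storagegateway.useCommonCacheLock" "$STORAGEPROPERTIESFILE" )
  if [ "true" == "$CLUSTERENABLED" ]; then
    # NOTE(review): the property is named "hosts"; the value is passed to
    # iptables -s/-d as-is, so confirm it is a single address or a form
    # iptables accepts.
    CLUSTERCACHESERVER=$( getProperty "storagegateway.cache.hosts" "$STORAGEPROPERTIESFILE" )
    # CLUSTER CLIENT CONFIG: Allow outbound MySQL and Memcached
    /sbin/iptables -A OUTPUT -p tcp -d "$CLUSTERCACHESERVER" --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -s "$CLUSTERCACHESERVER" --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp -d "$CLUSTERCACHESERVER" --dport 11211 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -s "$CLUSTERCACHESERVER" --sport 11211 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  fi
fi
# end STORAGEPROPERTIESFILE section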
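# authgateway app.properties: LDAP/LDAPS in both directions, plus the RSA
# Authentication Manager when RSA is active.
if [ -f "$AUTHENTICATIONPROPERTIESFILE" ]; then
  # Allow LDAP. Note the second pair also accepts NEW inbound connections
  # to 389 (this host as an LDAP server), not only the outbound client side.
  /sbin/iptables -A OUTPUT -p tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -s 0/0 --sport 389 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
  /sbin/iptables -A OUTPUT -p tcp -s 0/0 --sport 389 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

  # Allow LDAPS (same shape as LDAP: client and server directions)
  /sbin/iptables -A OUTPUT -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -s 0/0 --sport 636 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
  /sbin/iptables -A OUTPUT -p tcp -s 0/0 --sport 636 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

  RSAENABLED=$( getProperty "authgateway.rsa1.active" "$AUTHENTICATIONPROPERTIESFILE" )
  if [ "true" == "$RSAENABLED" ]; then
    if [ -f "$RSAAUTHPROPERTIESFILE" ]; then
      # The file holds the Authentication Manager host name on its first line.
      # (The original "RSAAUTHMANAGER=cat FILE" ran cat and left the variable
      # empty.) \r is added to IFS so a CRLF file does not leave a stray CR.
      IFS=$' \t\r\n' read -r RSAAUTHMANAGER < "$RSAAUTHPROPERTIESFILE"
      if [ ! -z "$RSAAUTHMANAGER" ]; then
        # Accept an IP literal as-is; resolve a host name. The original
        # resolved "$NFSSERVER" here by mistake.
        if [ "$( valid_ip "$RSAAUTHMANAGER" )" == 1 ]; then
          RSAAUTHMANAGERIP=$( get_ip_address_from_hostname "$RSAAUTHMANAGER" )
        else
          RSAAUTHMANAGERIP="$RSAAUTHMANAGER"
        fi
        if [ ! -z "$RSAAUTHMANAGERIP" ]; then
          # All protocols and ports to and from the Authentication Manager
          /sbin/iptables -A INPUT -s "$RSAAUTHMANAGERIP" -j ACCEPT
          /sbin/iptables -A OUTPUT -d "$RSAAUTHMANAGERIP" -j ACCEPT
        else
          # an empty -s/-d would make iptables reject the rule
          printf '\nERROR: invalid RSA Authentication Manager host %s\n' "$RSAAUTHMANAGER" >&2
        fi
      fi
    fi
  fi
fi
# end AUTHENTICATIONPROPERTIESFILE section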
# Ensure configuration applications are not available at boot, must be
# explicitly enabled from the ConsoleMenu
for webapp in UploadSSL AppProperties; do
  webappdir="/var/lib/tomcat6/webapps/$webapp"
  if [ -d "$webappdir" ]; then
    rm -rf -- "$webappdir"
  fi
done