know-how:firewall
know-how:firewall [2020/12/20 13:53] – [roadworker wake on lan (wol) trigger] cc | know-how:firewall [2024/02/12 11:38] – [unbound] cc | ||
Zeile 834: | Zeile 834: | ||
supersede dhcp-renewal-time 300; | supersede dhcp-renewal-time 300; | ||
</ | </ | ||
- | ====== roadworker openvpn wake on lan (wol) trigger | + | |
+ | |||
+ | |||
+ | ====== VPN ====== | ||
+ | |||
+ | ===== roadworker mfa - multiple factor auth ===== | ||
+ | * Bei **OpenVPN** mit entsprechender Konfiguration wäre sie implizit gegeben wenn zB: ein Zertifikat zur Authentifizierung benutzt wird + Username + Password | ||
+ | |||
+ | |||
+ | * OpenVPN Server - **roadworker-auth.conf**: | ||
+ | |||
+ | < | ||
+ | ... | ||
+ | auth-user-pass-verify / | ||
+ | script-security 3 | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | * **/ | ||
+ | |||
+ | < | ||
+ | # | ||
+ | |||
+ | function bailout () | ||
+ | { | ||
+ | echo $1 | ||
+ | exit 1 | ||
+ | |||
+ | } | ||
+ | |||
+ | export username | ||
+ | export password | ||
+ | |||
+ | #env > / | ||
+ | #echo "u: -$AUTH_USERNAME-" | ||
+ | #echo "p: -$AUTH_PASSWORD-" | ||
+ | |||
+ | ORIGINAL_PASSWORD=" | ||
+ | AUTH_TOTP_SECRET="/ | ||
+ | |||
+ | |||
+ | echo $username | grep -P -q " | ||
+ | |||
+ | #2021-09-21 cc: Somehow malformed | ||
+ | [[ $? != 0 ]] && bailout " | ||
+ | |||
+ | |||
+ | [[ -f $AUTH_TOTP_SECRET && ${# | ||
+ | |||
+ | #2021-09-21 cc: The last 6 digits contain the TOTP string / the rest is the password | ||
+ | [[ -f $AUTH_TOTP_SECRET ]] && password=$(echo ${ORIGINAL_PASSWORD:: | ||
+ | |||
+ | / | ||
+ | |||
+ | RET_SMB_AUTH=$? | ||
+ | |||
+ | [[ ! -f $AUTH_TOTP_SECRET ]] && exit $? | ||
+ | |||
+ | #echo "smb auth: $RET_SMB_AUTH" | ||
+ | |||
+ | [[ $RET_SMB_AUTH != 0 ]] && bailout "SMB Auth invalid" | ||
+ | |||
+ | |||
+ | password=$(echo ${ORIGINAL_PASSWORD: | ||
+ | |||
+ | / | ||
+ | |||
+ | exit $? | ||
+ | </ | ||
+ | |||
+ | * **/ | ||
+ | * Gültiger Account check via smb FIXME check username | ||
+ | |||
+ | < | ||
+ | AUTH_USERNAME=" | ||
+ | AUTH_PASSWORD=" | ||
+ | AUTH_SERVER=" | ||
+ | |||
+ | |||
+ | [[ $AUTH_USERNAME == "" | ||
+ | [[ $AUTH_PASSWORD == "" | ||
+ | |||
+ | #env > / | ||
+ | #echo "u: -$AUTH_USERNAME-" | ||
+ | #echo "p: -$AUTH_PASSWORD-" | ||
+ | |||
+ | echo $AUTH_PASSWORD | / | ||
+ | |||
+ | exit $? | ||
+ | </ | ||
+ | |||
+ | * **/ | ||
+ | * TOTP Check mit **oathtool** | ||
+ | |||
+ | < | ||
+ | # | ||
+ | |||
+ | |||
+ | function bailout () | ||
+ | { | ||
+ | echo $1 | ||
+ | exit 1 | ||
+ | |||
+ | } | ||
+ | |||
+ | AUTH_USERNAME=" | ||
+ | AUTH_PASSWORD=" | ||
+ | AUTH_TOTP_SECRET="/ | ||
+ | |||
+ | |||
+ | [[ $AUTH_USERNAME == "" | ||
+ | [[ $AUTH_PASSWORD == "" | ||
+ | |||
+ | |||
+ | echo $AUTH_USERNAME | grep -P -q " | ||
+ | |||
+ | #2021-09-21 cc: Somehow malformed | ||
+ | [[ $? != 0 ]] && bailout " | ||
+ | |||
+ | |||
+ | #2021-09-21 cc: Somehow not 6 digits | ||
+ | echo $AUTH_PASSWORD | grep -P -q " | ||
+ | |||
+ | [[ $? != 0 ]] && bailout " | ||
+ | |||
+ | #2021-09-21 cc: This is tricky , if there' | ||
+ | [[ ! -f $AUTH_TOTP_SECRET ]] && exit 0 | ||
+ | |||
+ | TOTP_SEED=$(cat $AUTH_TOTP_SECRET) | ||
+ | |||
+ | DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED) | ||
+ | |||
+ | #env > / | ||
+ | #echo "u: -$AUTH_USERNAME-" | ||
+ | #echo "p: -$AUTH_PASSWORD-" | ||
+ | #echo "c: -$DIGIT_CODE" | ||
+ | |||
+ | [[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0 | ||
+ | |||
+ | exit 1 | ||
+ | </ | ||
+ | |||
+ | |||
+ | * Um für bestimmten User **TOTP zu aktivieren** | ||
+ | |||
+ | < | ||
+ | pwgen -0 -s -1 16 > / | ||
+ | </ | ||
+ | |||
+ | * Dieser TOTP Seed , der nun unter **/ | ||
+ | |||
+ | |||
+ | * Variante um bei bestehender zertifikatsbasierender Authentifizierung OTP zu aktivieren: | ||
+ | * **für bestimmtes Gerät d.h. Zertifikat ** wird es obligatorisch und User können zum Zertifikat spezifiziert werden | ||
+ | * **/ | ||
+ | < | ||
+ | ... | ||
+ | auth-user-pass-verify / | ||
+ | auth-user-pass-optional | ||
+ | script-security 3 | ||
+ | .... | ||
+ | </ | ||
+ | * **/ | ||
+ | < | ||
+ | # | ||
+ | |||
+ | |||
+ | function bailout () | ||
+ | { | ||
+ | echo $1 | ||
+ | echo $1 | logger -t totp | ||
+ | exit 1 | ||
+ | |||
+ | } | ||
+ | |||
+ | AUTH_USERNAME=" | ||
+ | AUTH_PASSWORD=" | ||
+ | AUTH_COMMON_NAME=" | ||
+ | AUTH_TOTP_ROOT_SECRET="/ | ||
+ | AUTH_TOTP_SECRET=" | ||
+ | |||
+ | #2021-10-14 cc: Certificate required | ||
+ | echo $common_name | grep -P -q " | ||
+ | |||
+ | [[ $? != 0 ]] && bailout " | ||
+ | |||
+ | #2021-10-14 cc: IF directory with common name does not exist OTP is not activated | ||
+ | [[ ! -d " | ||
+ | |||
+ | |||
+ | echo $AUTH_USERNAME | grep -P -q " | ||
+ | |||
+ | #2021-09-21 cc: Somehow malformed | ||
+ | [[ $? != 0 ]] && bailout " | ||
+ | |||
+ | |||
+ | #2021-09-21 cc: Somehow not 6 digits | ||
+ | echo $AUTH_PASSWORD | grep -P -q " | ||
+ | |||
+ | [[ $? != 0 ]] && bailout " | ||
+ | |||
+ | #2021-09-21 cc: This is tricky , if there' | ||
+ | #2021-10-14 cc: If common_name root path exists there must be a file for the user | ||
+ | [[ ! -f $AUTH_TOTP_SECRET ]] && bailout "TOTP Secret not found - is needed" | ||
+ | |||
+ | TOTP_SEED=$(cat $AUTH_TOTP_SECRET) | ||
+ | |||
+ | DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED) | ||
+ | |||
+ | #env > / | ||
+ | #echo "u: -$AUTH_USERNAME-" | ||
+ | #echo "p: -$AUTH_PASSWORD-" | ||
+ | #echo "c: -$DIGIT_CODE" | ||
+ | |||
+ | [[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0 | ||
+ | |||
+ | exit 1 | ||
+ | |||
+ | </ | ||
+ | ===== roadworker openvpn wake on lan (wol) trigger ===== | ||
* zB: bei Roadworkern die per Remote Desktop auf ihre Bürorechner zugreifen möchten / Die Bürorechner können ruhig heruntergefahren werden / Sobald eine erfolgreiche authentifizierte Verbindung aufgebaut wurde wird wol für den Rechner getriggered | * zB: bei Roadworkern die per Remote Desktop auf ihre Bürorechner zugreifen möchten / Die Bürorechner können ruhig heruntergefahren werden / Sobald eine erfolgreiche authentifizierte Verbindung aufgebaut wurde wird wol für den Rechner getriggered | ||
Zeile 873: | Zeile 1092: | ||
</ | </ | ||
- | ====== roadworker strongswan ipsec wake on lan (wol) ====== | + | ===== roadworker strongswan ipsec ===== |
* FIXME Auth über radius server / Trigger bei strongswan für wake on lan | * FIXME Auth über radius server / Trigger bei strongswan für wake on lan | ||
+ | * Getestet auf: **Ubuntu 18.04** | ||
+ | |||
+ | * **/ | ||
+ | * Verbindungsparameter wurden speziell auf Windows Rechner ausgerichtet , damit **IPSEC VPN** im Windows automatisch funktioniert - **Achtung** bei Windows wird die Default Route ersetzt , muss sich um ein " | ||
+ | * CA Zertifikat muss für den **Computer** Zertifikatsstore importiert worden sein und **FQDN** muss matchen bei Verbindungsaufbau mit zB: **vpn.firewall.at** | ||
+ | |||
+ | < | ||
+ | # ipsec.conf - strongSwan IPsec configuration file | ||
+ | config setup | ||
+ | # | ||
+ | |||
+ | conn %default | ||
+ | keyexchange=ikev2 | ||
+ | ike=aes256-sha1-modp1024! | ||
+ | esp=aes256-sha1! | ||
+ | dpdaction=clear | ||
+ | dpddelay=300s | ||
+ | rekey=no | ||
+ | |||
+ | conn roadworker | ||
+ | left=%any | ||
+ | leftsubnet=0.0.0.0/ | ||
+ | leftauth=pubkey | ||
+ | leftcert=vpn.firewall.at.crt | ||
+ | leftid=@vpn.firweall.at | ||
+ | right=%any | ||
+ | rightsourceip=172.16.3.0/ | ||
+ | rightauth=eap-radius | ||
+ | eap_identity=%identity | ||
+ | rightsendcert=never | ||
+ | auto=add | ||
+ | leftupdown=/ | ||
+ | </ | ||
+ | |||
+ | * wake on lan (wol) bei erfolgreichem Login: **/ | ||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | #Debugging: env > / | ||
+ | # | ||
+ | |||
+ | / | ||
+ | |||
+ | exit 0 | ||
+ | |||
+ | </ | ||
+ | |||
+ | ====== unbound ====== | ||
+ | * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt | ||
+ | |||
+ | ===== dns over tls ===== | ||
+ | * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw. | ||
+ | < | ||
+ | server: | ||
+ | .. | ||
+ | .. | ||
+ | #2024-02-11 cc: The debian place where the bundle can be found | ||
+ | tls-cert-bundle: | ||
+ | .. | ||
+ | .. | ||
+ | forward-zone: | ||
+ | name: " | ||
+ | forward-addr: | ||
+ | forward-addr: | ||
+ | forward-tls-upstream: | ||
+ | .. | ||
+ | .. | ||
+ | </ | ||
+ | |||
+ | ====== Traffic Shaping - tc ====== | ||
+ | * FIXME - Großteil " | ||
+ | * FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches | ||
+ | < | ||
+ | #!/bin/sh -x | ||
+ | |||
+ | # Maximum allowed downlink. Set to 90% of the achievable downlink in mbit | ||
+ | DOWNLINK=60 | ||
+ | |||
+ | # Interface facing the Internet | ||
+ | EXTDEV=wlp2s0 | ||
+ | |||
+ | # Load IFB, all other modules all loaded automatically | ||
+ | modprobe ifb | ||
+ | ip link set dev ifb0 down | ||
+ | |||
+ | # Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table | ||
+ | tc qdisc del dev $EXTDEV root 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev ifb0 root 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev ifb0 ingress | ||
+ | iptables -t mangle -F | ||
+ | |||
+ | # appending " | ||
+ | if [ " | ||
+ | then | ||
+ | echo " | ||
+ | exit | ||
+ | fi | ||
+ | |||
+ | ip link set dev ifb0 up | ||
+ | |||
+ | # HTB classes on IFB with rate limiting - default class 3:30 | ||
+ | tc qdisc add dev ifb0 root handle 3: htb default 30 | ||
+ | |||
+ | tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit | ||
+ | tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit | ||
+ | |||
+ | # Packets marked with " | ||
+ | tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33 | ||
+ | |||
+ | # Martin Devera, author of HTB, then recommends SFQ for beneath these classes: | ||
+ | tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10 | ||
+ | tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10 | ||
+ | |||
+ | # | ||
+ | iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2 | ||
+ | iptables -t mangle -A PREROUTING -j CONNMARK --save-mark | ||
+ | |||
+ | |||
+ | |||
+ | # Forward all ingress traffic on internet interface to the IFB device | ||
+ | tc qdisc add dev $EXTDEV ingress handle ffff: | ||
+ | tc filter add dev $EXTDEV parent ffff: protocol ip \ | ||
+ | u32 match u32 0 0 \ | ||
+ | action connmark \ | ||
+ | action mirred egress redirect dev ifb0 \ | ||
+ | flowid ffff:1 | ||
+ | |||
+ | |||
+ | # Kein markieren mehr der Pakete / iptables fällt weg über ipset | ||
+ | # root@mrWhiteGhost:/ | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | # | ||
+ | #class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b | ||
+ | # Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0) | ||
+ | # backlog 0b 0p requeues 0 | ||
+ | # lended: 20582 borrowed: 0 giants: 0 | ||
+ | # tokens: -16889 ctokens: -16889 | ||
+ | # | ||
+ | #class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b | ||
+ | # Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0) | ||
+ | # backlog 0b 0p requeues 0 | ||
+ | # lended: 3364 borrowed: 0 giants: 0 | ||
+ | # tokens: 3125 ctokens: 3125 | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ====== GeoIP - iptables matches ====== | ||
+ | * Getestet mit Debian Buster - **Achtung** hier gibt es keine xtables-addons* Pakete mehr / Sukzessive Wechsel zu **nftables** wird spürbar(er) | ||
+ | * Dafür gibt es die Pakete in Debian Bullseye wieder / Die Pakete für bullseye scheinen auch unter Debian Buster zu laufen (**xtables-addons-common_3.13-1_amd64.deb/ | ||
+ | |||
+ | * Grundsätzliches: | ||
+ | |||
+ | < | ||
+ | iptables -m geoip --help | ||
+ | iptables v1.8.2 | ||
+ | |||
+ | Usage: iptables -[ACD] chain rule-specification [options] | ||
+ | iptables -I chain [rulenum] rule-specification [options] | ||
+ | iptables -R chain rulenum rule-specification [options] | ||
+ | iptables -D chain rulenum [options] | ||
+ | iptables -[LS] [chain [rulenum]] [options] | ||
+ | iptables -[FZ] [chain] [options] | ||
+ | iptables -[NX] chain | ||
+ | iptables -E old-chain-name new-chain-name | ||
+ | iptables -P chain target [options] | ||
+ | iptables -h (print this help information) | ||
+ | |||
+ | Commands: | ||
+ | Either long or short options are allowed. | ||
+ | --append | ||
+ | --check | ||
+ | --delete | ||
+ | --delete | ||
+ | Delete rule rulenum (1 = first) from chain | ||
+ | --insert | ||
+ | Insert in chain as rulenum (default 1=first) | ||
+ | --replace -R chain rulenum | ||
+ | Replace rule rulenum (1 = first) in chain | ||
+ | --list | ||
+ | List the rules in a chain or all chains | ||
+ | --list-rules -S [chain [rulenum]] | ||
+ | Print the rules in a chain or all chains | ||
+ | --flush | ||
+ | --zero | ||
+ | Zero counters in chain or all chains | ||
+ | --new -N chain Create a new user-defined chain | ||
+ | --delete-chain | ||
+ | -X [chain] Delete a user-defined chain | ||
+ | --policy | ||
+ | Change policy on chain to target | ||
+ | --rename-chain | ||
+ | -E old-chain new-chain | ||
+ | Change chain name, (moving any references) | ||
+ | Options: | ||
+ | --ipv4 -4 Nothing (line is ignored by ip6tables-restore) | ||
+ | --ipv6 -6 Error (line is ignored by iptables-restore) | ||
+ | [!] --proto -p proto protocol: | ||
+ | [!] --source -s address[/ | ||
+ | source specification | ||
+ | [!] --destination -d address[/ | ||
+ | destination specification | ||
+ | [!] --in-interface -i input name[+] | ||
+ | network interface name ([+] for wildcard) | ||
+ | | ||
+ | target for rule (may load target extension) | ||
+ | --goto | ||
+ | jump to chain with no return | ||
+ | --match -m match | ||
+ | extended match (may load extension) | ||
+ | --numeric -n numeric output of addresses and ports | ||
+ | [!] --out-interface -o output name[+] | ||
+ | network interface name ([+] for wildcard) | ||
+ | --table -t table table to manipulate (default: `filter' | ||
+ | --verbose -v verbose mode | ||
+ | --wait -w [seconds] maximum wait to acquire xtables lock before give up | ||
+ | --wait-interval -W [usecs] wait time to try to acquire xtables lock | ||
+ | default is 1 second | ||
+ | --line-numbers print line numbers when listing | ||
+ | --exact -x expand numbers (display exact values) | ||
+ | [!] --fragment -f match second or further fragments only | ||
+ | --modprobe=< | ||
+ | --set-counters PKTS BYTES set the counter during insert/ | ||
+ | [!] --version -V print package version. | ||
+ | |||
+ | geoip match options: | ||
+ | [!] --src-cc, --source-country country[, | ||
+ | Match packet coming from (one of) the specified country(ies) | ||
+ | [!] --dst-cc, --destination-country country[, | ||
+ | Match packet going to (one of) the specified country(ies) | ||
+ | |||
+ | NOTE: The country is inputed by its ISO3166 code | ||
+ | </ | ||
+ | |||
+ | * Datenbank aktualisieren 1x im Monat **update-geoip.sh** | ||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | DST_TEMP_DB="/ | ||
+ | SRC_URL=" | ||
+ | |||
+ | #Required on Ubuntu 18.04: libtext-csv-xs-perl, | ||
+ | XTABLES_BUILD_SCRIPT="/ | ||
+ | |||
+ | XTABLES_GEOIP_DIRECTORY="/ | ||
+ | |||
+ | function bailout | ||
+ | { | ||
+ | >&2 echo -e " | ||
+ | exit 2 | ||
+ | |||
+ | } | ||
+ | |||
+ | [[ -f $DST_TEMP_DB ]] && bailout "FAIL: $DST_TEMP_DB already found aborting" | ||
+ | |||
+ | wget -q " | ||
+ | |||
+ | |||
+ | gunzip -t $DST_TEMP_DB || bailout "FAIL: Gzip Format failure from $SRC_URL" | ||
+ | |||
+ | [[ -d " | ||
+ | |||
+ | gunzip -f $DST_TEMP_DB --to-stdout > $XTABLES_GEOIP_DIRECTORY/ | ||
+ | |||
+ | [[ -x $XTABLES_BUILD_SCRIPT | ||
+ | |||
+ | $XTABLES_BUILD_SCRIPT -D " | ||
+ | |||
+ | rm $DST_TEMP_DB | ||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | * **Achtung** **/ | ||
+ | |||
+ | * Nach 20 Minuten Tests mit iptables matches gabs noch keine panic :) | ||
+ | |||
+ | < | ||
+ | | ||
+ | </ | ||
+ | ====== GeoIP - map-geoip.sh ====== | ||
+ | * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen | ||
+ | |||
+ | * **map-geoip.sh** | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | # cmd: foo=$(mmdblookup -f / | ||
+ | |||
+ | # https:// | ||
+ | |||
+ | PATH_LOGS="/ | ||
+ | PATH_GEODB="/ | ||
+ | |||
+ | function bailout | ||
+ | { | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | exit 2 | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | function lookup_geo | ||
+ | { | ||
+ | mmdblookup -f $PATH_GEODB | ||
+ | |||
+ | } | ||
+ | |||
+ | function lookup_ip | ||
+ | { | ||
+ | echo $1 | grep -o -P " | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | [[ -r $PATH_GEODB ]] || bailout " | ||
+ | |||
+ | |||
+ | [[ -r " | ||
+ | |||
+ | [[ $1 == " | ||
+ | |||
+ | |||
+ | [[ -r $PATH_LOGS || $PATH_LOGS == " | ||
+ | |||
+ | |||
+ | which mmdblookup >/ | ||
+ | |||
+ | IFS=$' | ||
+ | |||
+ | while read foo ; | ||
+ | do | ||
+ | LOG_SUFFIX="" | ||
+ | SRC_IP="" | ||
+ | DST_IP="" | ||
+ | |||
+ | SRC_IP=$(lookup_ip $foo " | ||
+ | DST_IP=$(lookup_ip $foo " | ||
+ | |||
+ | #echo "SRC: $SRC_IP" | ||
+ | #echo "DST: $DST_IP" | ||
+ | |||
+ | if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ] | ||
+ | then | ||
+ | SRC_GEO=$(lookup_geo $SRC_IP) | ||
+ | DST_GEO=$(lookup_geo $DST_IP) | ||
+ | |||
+ | [[ -z $SRC_GEO | ||
+ | [[ -z $DST_GEO ]] && DST_GEO=" | ||
+ | |||
+ | LOG_SUFFIX=" | ||
+ | |||
+ | |||
+ | echo " | ||
+ | fi | ||
+ | |||
+ | |||
+ | done < <(zcat -f $PATH_LOGS ) | ||
+ | </ | ||
+ | ====== WEB Module ====== | ||
+ | ===== Blocks - Multi - IPSET ===== | ||
+ | * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | ||
+ | * www-data muss dnsmasq neu starten können zB: visudo -> www-data | ||
+ | * **Achtung: | ||
+ | * **merge-ipsets.sh** | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | function bailout | ||
+ | { | ||
+ | echo -e " | ||
+ | exit 2 | ||
+ | |||
+ | } | ||
+ | |||
+ | which dnsmasq >/ | ||
+ | |||
+ | |||
+ | LOCATION_DNSMASQS="/ | ||
+ | TMP_LOCATION=$(mktemp) | ||
+ | FINAL_LOCATION="/ | ||
+ | |||
+ | if [ ! -w $FINAL_LOCATION ] | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to " | ||
+ | |||
+ | fi | ||
+ | |||
+ | |||
+ | grep -h " | ||
+ | do | ||
+ | nr_matches=$(echo $hosts | awk ' | ||
+ | host_entry=$(echo $hosts | awk ' | ||
+ | |||
+ | if (($nr_matches > 1 )) && | ||
+ | then | ||
+ | | ||
+ | |||
+ | while read found_sets | ||
+ | do | ||
+ | build_entry+="/ | ||
+ | |||
+ | done <<< | ||
+ | |||
+ | |||
+ | echo $build_entry >> $TMP_LOCATION | ||
+ | echo $build_entry | ||
+ | |||
+ | fi | ||
+ | | ||
+ | |||
+ | |||
+ | done | ||
+ | |||
+ | filesize_tmp=$(stat -c %s $TMP_LOCATION) | ||
+ | |||
+ | if [ $filesize_tmp == " | ||
+ | then | ||
+ | |||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | echo "No double ipsets found in $LOCATION_DNSMASQS" | ||
+ | |||
+ | exit 0 | ||
+ | |||
+ | fi | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | cmp -s $TMP_LOCATION $FINAL_LOCATION | ||
+ | |||
+ | compare_ret=" | ||
+ | |||
+ | if [ $compare_ret == " | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | echo " | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | |||
+ | dnsmasq --test --conf-file=$TMP_LOCATION | ||
+ | |||
+ | ipset_tests=" | ||
+ | if [ $ipset_tests != " | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | bailout "FAIL: Malformed config file: $TMP_LOCATION" | ||
+ | fi | ||
+ | |||
+ | #2022-02-21 cc: Keep Ownership intact | ||
+ | cat $TMP_LOCATION > $FINAL_LOCATION | ||
+ | |||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq" | ||
+ | |||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | * {{ : | ||
+ | |||
+ | ===== Blocks - IPSET ===== | ||
+ | * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | ||
+ | * www-data muss dnsmasq neu starten können zB: visudo -> www-data | ||
+ | * {{ : | ||
+ | |||
+ | ===== Blocks - Hostnamen ===== | ||
+ | * In Kombination mit dnsmasq / um quasi "dns Spoofing" | ||
+ | * www-data muss dnsmasq neu starten können zB: visudo -> www-data | ||
+ | * {{ : | ||
+ | ===== Proxy ===== | ||
+ | * Um squid proxy ACLs zu bearbeiten | ||
+ | * Achtung www-data braucht sudo Rechte für parse / reload | ||
+ | * zB: visudo -> www-data | ||
+ | * {{ : | ||
+ | ===== Authorizer ===== | ||
+ | * Um nach erfolgter Authentifizierung IP/MACs in ipset einzutragen | ||
+ | * {{ : | ||
+ |
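Review bot: In the first `auth-user-pass-verify` script of the first hunk, `[[ ! -f $AUTH_TOTP_SECRET ]] && exit $?` exits with the status of the `[[` test that has just succeeded, i.e. 0, so a user with no TOTP seed file is accepted regardless of the SMB result saved in `RET_SMB_AUTH` two lines earlier; it should read `[[ ! -f $AUTH_TOTP_SECRET ]] && exit $RET_SMB_AUTH`. The two TOTP verify scripts compare with `[[ $DIGIT_CODE == $AUTH_PASSWORD ]]`, where the unquoted right-hand side is treated as a glob pattern; the six-digit grep before it (its pattern is cut off in this view) presumably keeps metacharacters out, but `[[ "$DIGIT_CODE" == "$AUTH_PASSWORD" ]]` makes the comparison independent of that check. The client-supplied `$username` / `$AUTH_PASSWORD` values are also expanded unquoted into `echo … | grep`, so `printf '%s\n' "$AUTH_PASSWORD" | grep …` would be the safer form; the same applies to `echo $1` in `bailout`, whose message ends up on stdout. A one-line comment on the corrected exit line, e.g. `# no seed file: fall back to password-only (SMB) result`, would document the contract the rest of the script relies on.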