know-how:firewall
know-how:firewall [2021/10/18 11:06] – [roadworker mfa - multiple factor auth] cc | know-how:firewall [2024/02/26 10:31] (aktuell) – cc | ||
Zeile 1: | Zeile 1: | ||
+ | ~~ODT~~ | ||
FIXME | FIXME | ||
====== Features ====== | ====== Features ====== | ||
Zeile 993: | Zeile 994: | ||
auth-user-pass-verify / | auth-user-pass-verify / | ||
auth-user-pass-optional | auth-user-pass-optional | ||
+ | script-security 3 | ||
.... | .... | ||
</ | </ | ||
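Review bot: `script-security 3` on the added line is the level at which OpenVPN hands the user's password to the `auth-user-pass-verify` script through environment variables, which the OpenVPN manual itself labels potentially unsafe because child processes and anything that can read the process environment see it. The verify script's mode is cut off in the surrounding `auth-user-pass-verify /` line, so I cannot tell whether `via-env` is actually required; if the script uses `via-file`, level `2` is sufficient and the password never enters the environment. A one-line comment stating why level 3 is needed would help the next reader, e.g. `# script-security 3: required only because auth-user-pass-verify runs in via-env mode`.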
Zeile 1139: | Zeile 1141: | ||
</ | </ | ||
+ | |||
+ | ====== unbound ====== | ||
+ | * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt | ||
+ | |||
+ | ===== internal dns zone ===== | ||
+ | * zB: wenn intern ein AD Server benutzt wird für interne Domäne | ||
+ | |||
+ | < | ||
+ | server: | ||
+ | .. | ||
+ | .. | ||
+ | #2024-02-11 cc: if pannoniait.intern was used by a e.g. windows ad server | ||
+ | private-domain: | ||
+ | domain-insecure: | ||
+ | .. | ||
+ | .. | ||
+ | |||
+ | #2024-02-11 cc: If pannoniait.intern was used e.g. by windows ad server | ||
+ | forward-zone: | ||
+ | name: pannoniait.intern | ||
+ | | ||
+ | |||
+ | </ | ||
+ | |||
+ | ===== dns over tls ===== | ||
+ | * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw. | ||
+ | < | ||
+ | server: | ||
+ | .. | ||
+ | .. | ||
+ | #2024-02-11 cc: The debian place where the bundle can be found | ||
+ | tls-cert-bundle: | ||
+ | .. | ||
+ | .. | ||
+ | forward-zone: | ||
+ | name: " | ||
+ | forward-addr: | ||
+ | forward-addr: | ||
+ | forward-tls-upstream: | ||
+ | .. | ||
+ | .. | ||
+ | </ | ||
+ | |||
+ | ====== Traffic Shaping - tc ====== | ||
+ | * FIXME - Großteil " | ||
+ | * FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches | ||
+ | < | ||
+ | #!/bin/sh -x | ||
+ | |||
+ | # Maximum allowed downlink. Set to 90% of the achievable downlink in mbit | ||
+ | DOWNLINK=60 | ||
+ | |||
+ | # Interface facing the Internet | ||
+ | EXTDEV=wlp2s0 | ||
+ | |||
+ | # Load IFB, all other modules all loaded automatically | ||
+ | modprobe ifb | ||
+ | ip link set dev ifb0 down | ||
+ | |||
+ | # Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table | ||
+ | tc qdisc del dev $EXTDEV root 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev ifb0 root 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev ifb0 ingress | ||
+ | iptables -t mangle -F | ||
+ | |||
+ | # appending " | ||
+ | if [ " | ||
+ | then | ||
+ | echo " | ||
+ | exit | ||
+ | fi | ||
+ | |||
+ | ip link set dev ifb0 up | ||
+ | |||
+ | # HTB classes on IFB with rate limiting - default class 3:30 | ||
+ | tc qdisc add dev ifb0 root handle 3: htb default 30 | ||
+ | |||
+ | tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit | ||
+ | tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit | ||
+ | |||
+ | # Packets marked with " | ||
+ | tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33 | ||
+ | |||
+ | # Martin Devera, author of HTB, then recommends SFQ for beneath these classes: | ||
+ | tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10 | ||
+ | tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10 | ||
+ | |||
+ | # | ||
+ | iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2 | ||
+ | iptables -t mangle -A PREROUTING -j CONNMARK --save-mark | ||
+ | |||
+ | |||
+ | |||
+ | # Forward all ingress traffic on internet interface to the IFB device | ||
+ | tc qdisc add dev $EXTDEV ingress handle ffff: | ||
+ | tc filter add dev $EXTDEV parent ffff: protocol ip \ | ||
+ | u32 match u32 0 0 \ | ||
+ | action connmark \ | ||
+ | action mirred egress redirect dev ifb0 \ | ||
+ | flowid ffff:1 | ||
+ | |||
+ | |||
+ | # Kein markieren mehr der Pakete / iptables fällt weg über ipset | ||
+ | # root@mrWhiteGhost:/ | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | # | ||
+ | #class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b | ||
+ | # Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0) | ||
+ | # backlog 0b 0p requeues 0 | ||
+ | # lended: 20582 borrowed: 0 giants: 0 | ||
+ | # tokens: -16889 ctokens: -16889 | ||
+ | # | ||
+ | #class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b | ||
+ | # Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0) | ||
+ | # backlog 0b 0p requeues 0 | ||
+ | # lended: 3364 borrowed: 0 giants: 0 | ||
+ | # tokens: 3125 ctokens: 3125 | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | |||
====== GeoIP - iptables matches ====== | ====== GeoIP - iptables matches ====== | ||
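Review bot: The error path in the `if [ "` … `fi` block of the tc script ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a caller cannot detect that the `ifb0` setup failed; use `exit 1`. `DOWNLINK=60` is declared and documented as the 90 % ceiling but never used — the `tc class add dev ifb0 parent 3:3 classid 3:30` line hardcodes `60mbit`, so the two will drift; write `rate ${DOWNLINK}mbit ceil ${DOWNLINK}mbit`. `iptables -t mangle -F` flushes every rule in the mangle table, not just the MARK/CONNMARK rules this script adds, which silently removes any other mangle rules on the host; a dedicated chain (`-N`, then `-F` on that chain only) or deleting the specific rules is safer. `$EXTDEV` is unquoted in every `tc` call; `"$EXTDEV"` is the safe form.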
Zeile 1273: | Zeile 1408: | ||
| | ||
</ | </ | ||
+ | ====== GeoIP - map-geoip.sh ====== | ||
+ | * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen | ||
+ | * **map-geoip.sh** | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | |||
+ | # cmd: foo=$(mmdblookup -f / | ||
+ | |||
+ | # https:// | ||
+ | |||
+ | PATH_LOGS="/ | ||
+ | PATH_GEODB="/ | ||
+ | |||
+ | function bailout | ||
+ | { | ||
+ | echo -e " | ||
+ | echo -e " | ||
+ | exit 2 | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | function lookup_geo | ||
+ | { | ||
+ | mmdblookup -f $PATH_GEODB | ||
+ | |||
+ | } | ||
+ | |||
+ | function lookup_ip | ||
+ | { | ||
+ | echo $1 | grep -o -P " | ||
+ | |||
+ | |||
+ | } | ||
+ | |||
+ | [[ -r $PATH_GEODB ]] || bailout " | ||
+ | |||
+ | |||
+ | [[ -r " | ||
+ | |||
+ | [[ $1 == " | ||
+ | |||
+ | |||
+ | [[ -r $PATH_LOGS || $PATH_LOGS == " | ||
+ | |||
+ | |||
+ | which mmdblookup >/ | ||
+ | |||
+ | IFS=$' | ||
+ | |||
+ | while read foo ; | ||
+ | do | ||
+ | LOG_SUFFIX="" | ||
+ | SRC_IP="" | ||
+ | DST_IP="" | ||
+ | |||
+ | SRC_IP=$(lookup_ip $foo " | ||
+ | DST_IP=$(lookup_ip $foo " | ||
+ | |||
+ | #echo "SRC: $SRC_IP" | ||
+ | #echo "DST: $DST_IP" | ||
+ | |||
+ | if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ] | ||
+ | then | ||
+ | SRC_GEO=$(lookup_geo $SRC_IP) | ||
+ | DST_GEO=$(lookup_geo $DST_IP) | ||
+ | |||
+ | [[ -z $SRC_GEO | ||
+ | [[ -z $DST_GEO ]] && DST_GEO=" | ||
+ | |||
+ | LOG_SUFFIX=" | ||
+ | |||
+ | |||
+ | echo " | ||
+ | fi | ||
+ | |||
+ | |||
+ | done < <(zcat -f $PATH_LOGS ) | ||
+ | </ | ||
====== WEB Module ====== | ====== WEB Module ====== | ||
+ | ===== Blocks - Multi - IPSET ===== | ||
+ | * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | ||
+ | * www-data muss dnsmasq neu starten können zB: visudo -> www-data | ||
+ | * **Achtung: | ||
+ | * **merge-ipsets.sh** | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | function bailout | ||
+ | { | ||
+ | echo -e " | ||
+ | exit 2 | ||
+ | |||
+ | } | ||
+ | |||
+ | which dnsmasq >/ | ||
+ | |||
+ | |||
+ | LOCATION_DNSMASQS="/ | ||
+ | TMP_LOCATION=$(mktemp) | ||
+ | FINAL_LOCATION="/ | ||
+ | |||
+ | if [ ! -w $FINAL_LOCATION ] | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to " | ||
+ | |||
+ | fi | ||
+ | |||
+ | |||
+ | grep -h " | ||
+ | do | ||
+ | nr_matches=$(echo $hosts | awk ' | ||
+ | host_entry=$(echo $hosts | awk ' | ||
+ | |||
+ | if (($nr_matches > 1 )) && | ||
+ | then | ||
+ | | ||
+ | |||
+ | while read found_sets | ||
+ | do | ||
+ | build_entry+="/ | ||
+ | |||
+ | done <<< | ||
+ | |||
+ | |||
+ | echo $build_entry >> $TMP_LOCATION | ||
+ | echo $build_entry | ||
+ | |||
+ | fi | ||
+ | | ||
+ | |||
+ | |||
+ | done | ||
+ | |||
+ | filesize_tmp=$(stat -c %s $TMP_LOCATION) | ||
+ | |||
+ | if [ $filesize_tmp == " | ||
+ | then | ||
+ | |||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | echo "No double ipsets found in $LOCATION_DNSMASQS" | ||
+ | |||
+ | exit 0 | ||
+ | |||
+ | fi | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | cmp -s $TMP_LOCATION $FINAL_LOCATION | ||
+ | |||
+ | compare_ret=" | ||
+ | |||
+ | if [ $compare_ret == " | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | echo " | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | |||
+ | dnsmasq --test --conf-file=$TMP_LOCATION | ||
+ | |||
+ | ipset_tests=" | ||
+ | if [ $ipset_tests != " | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | bailout "FAIL: Malformed config file: $TMP_LOCATION" | ||
+ | fi | ||
+ | |||
+ | #2022-02-21 cc: Keep Ownership intact | ||
+ | cat $TMP_LOCATION > $FINAL_LOCATION | ||
+ | |||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq" | ||
+ | |||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | * {{ : | ||
+ | |||
===== Blocks - IPSET ===== | ===== Blocks - IPSET ===== | ||
* In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | ||
- | * www-data muss dnsmasq neu starten können zB: visudo -> www-data | + | * www-data muss dnsmasq neu starten können zB: visudo -> www-data |
* {{ : | * {{ : | ||
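Review bot: In map-geoip.sh the log line is passed unquoted in `SRC_IP=$(lookup_ip $foo …)` and `DST_IP=$(lookup_ip $foo …)`; the `IFS=$'` assignment above presumably suppresses word-splitting, but pathname expansion still applies, so a line containing `*` or `?` is rewritten before the IP regex sees it — use `lookup_ip "$foo" …` and `while IFS= read -r foo` so backslashes survive as well. `mmdblookup -f $PATH_GEODB` and the `which mmdblookup` / `which dnsmasq` checks should be `"$PATH_GEODB"` and `command -v`. In merge-ipsets.sh the `mktemp` file is removed by hand on each exit path; a `trap 'rm -f -- "$TMP_LOCATION"' EXIT` directly after `TMP_LOCATION=$(mktemp)` covers the paths that are easy to miss when the script grows. Since the script is meant to be run by www-data via sudo (bullet above the listing), the sudoers entry should name this script and `systemctl reload dnsmasq` explicitly rather than a broader command.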