Firewall / bm-iptables - configuration override

Hello,

We are doing a 4.9 deployment (with subscription), following all the prerequisites.
While setting up the firewall, which in this version is managed by iptables, I came across some default rules that leave me a bit puzzled.

In /etc/init.d/bm-iptable:

root@ServeurBM:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
bmhosts    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain bmhosts (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.63.8         anywhere
ACCEPT     all  --  Azenor.ede.lan       anywhere
bmports    all  --  anywhere             anywhere             state NEW

Chain bmports (1 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:24
DROP       udp  --  anywhere             anywhere             udp dpt:24
DROP       tcp  --  anywhere             anywhere             tcp dpt:1110
DROP       udp  --  anywhere             anywhere             udp dpt:1110
DROP       tcp  --  anywhere             anywhere             tcp dpt:1143
DROP       udp  --  anywhere             anywhere             udp dpt:1143
DROP       tcp  --  anywhere             anywhere             tcp dpt:cisco-sccp
DROP       udp  --  anywhere             anywhere             udp dpt:2000
DROP       tcp  --  anywhere             anywhere             tcp dpt:2502
DROP       udp  --  anywhere             anywhere             udp dpt:2502
DROP       tcp  --  anywhere             anywhere             tcp dpt:81
DROP       udp  --  anywhere             anywhere             udp dpt:81
DROP       tcp  --  anywhere             anywhere             tcp dpt:2400
DROP       udp  --  anywhere             anywhere             udp dpt:2400
DROP       tcp  --  anywhere             anywhere             tcp dpt:2500
DROP       udp  --  anywhere             anywhere             udp dpt:2500
DROP       tcp  --  anywhere             anywhere             tcp dpt:5001
DROP       udp  --  anywhere             anywhere             udp dpt:5001
DROP       tcp  --  anywhere             anywhere             tcp dpt:5280
DROP       udp  --  anywhere             anywhere             udp dpt:5280
DROP       tcp  --  anywhere             anywhere             tcp dpt:5290
DROP       udp  --  anywhere             anywhere             udp dpt:5290
DROP       tcp  --  anywhere             anywhere             tcp dpt:postgresql
DROP       udp  --  anywhere             anywhere             udp dpt:5432
DROP       tcp  --  anywhere             anywhere             tcp dpt:5701
DROP       udp  --  anywhere             anywhere             udp dpt:5701
DROP       tcp  --  anywhere             anywhere             tcp dpts:5702:5715
DROP       udp  --  anywhere             anywhere             udp dpts:5702:5715
DROP       tcp  --  anywhere             anywhere             tcp dpt:8022
DROP       udp  --  anywhere             anywhere             udp dpt:8022
DROP       tcp  --  anywhere             anywhere             tcp dpt:8079
DROP       udp  --  anywhere             anywhere             udp dpt:8079
DROP       tcp  --  anywhere             anywhere             tcp dpt:http-alt
DROP       udp  --  anywhere             anywhere             udp dpt:8080
DROP       tcp  --  anywhere             anywhere             tcp dpt:8082
DROP       udp  --  anywhere             anywhere             udp dpt:8082
DROP       tcp  --  anywhere             anywhere             tcp dpt:8084
DROP       udp  --  anywhere             anywhere             udp dpt:8084
DROP       tcp  --  anywhere             anywhere             tcp dpt:2501
DROP       udp  --  anywhere             anywhere             udp dpt:2501
DROP       tcp  --  anywhere             anywhere             tcp dpt:8090
DROP       udp  --  anywhere             anywhere             udp dpt:8090
DROP       tcp  --  anywhere             anywhere             tcp dpt:8087
DROP       udp  --  anywhere             anywhere             udp dpt:8087
DROP       tcp  --  anywhere             anywhere             tcp dpt:8086
DROP       udp  --  anywhere             anywhere             udp dpt:8086
DROP       tcp  --  anywhere             anywhere             tcp dpt:8888
DROP       udp  --  anywhere             anywhere             udp dpt:8888
DROP       tcp  --  anywhere             anywhere             tcp dpt:9092
DROP       udp  --  anywhere             anywhere             udp dpt:9092
DROP       tcp  --  anywhere             anywhere             tcp dpt:9200
DROP       udp  --  anywhere             anywhere             udp dpt:9200
DROP       tcp  --  anywhere             anywhere             tcp dpt:9300
DROP       udp  --  anywhere             anywhere             udp dpt:9300
DROP       tcp  --  anywhere             anywhere             tcp dpt:8091
DROP       udp  --  anywhere             anywhere             udp dpt:8091
DROP       tcp  --  anywhere             anywhere             tcp dpt:11211
DROP       udp  --  anywhere             anywhere             udp dpt:11211
RETURN     all  --  anywhere             anywhere

So we have an ACCEPT policy on INPUT, with restrictions behind it that look rather light to me, namely DROPs on the ports used by the BM services for IPs that are not declared BM servers.

We want to restrict much more than that, especially on the EDGE server in the DMZ.

Is there currently an official method to override the configuration of the "bm-iptables" service, so that it persists even after a server update?

Thanks in advance for your replies.

BlueMind only manages access to its internal ports at the firewall level.
You can supplement these rules according to your needs, with the tools of your choice (firewalld, the iptables service, etc.).

Here is what I ended up with on the test EDGE, in case it saves someone some time, by directly modifying the bm-iptables script without altering what is already in place.

/etc/init.d/bm-iptables

#!/bin/bash
#
### BEGIN INIT INFO
# Provides: bm-iptables
# Required-Start: $syslog $network
# Required-Stop: $syslog $network
# Should-Start: bm-core
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: BM iptables rules.
# Description: init system for BlueMind iptables rules.
### END INIT INFO

test -f ~/core.debug && exit 0

# Debian/Ubuntu
[ -f /lib/init/vars.sh ] && source /lib/init/vars.sh
[ -f /lib/lsb/init-functions ] && source /lib/lsb/init-functions
# RH
[ ! -f /lib/lsb/init-functions ] && [ -f /etc/init.d/functions ] && source /etc/init.d/functions

# Give firewalld time to finish loading before touching the tables
[ -d /run/systemd/system ] && systemctl is-active --quiet firewalld && sleep 3

if [ "$VERBOSE" == "yes" ]; then
    set -x
fi

BM_SERVICE="BlueMind iptables rules"

# 0 = ip6tables is available (rules are mirrored to IPv6), 1 = IPv4 only
IP6TABLES=1
if command -v ip6tables &> /dev/null; then
    IP6TABLES=0
fi
iptables_timeout="-w 10"

# Ports of the BlueMind services, closed to hosts that are not declared BM servers
cyrus="24 1110 1143 2000 2502"
http="81"
lmtp="2400"
milter="2500"
mapi=5001
xmpp="5280 5290"
pg="5432"
hazelcast="5701 5702:5715"
node="8022"
hps="8079"
webserver="8080"
eas="8082"
locator="8084"
core="2501 8090"
tika="8087"
influxdb="8086"
chronograph="8888"
kapacitor="9092"
es="9200 9300"
memcache="11211"
sds="8091"

bmPorts="${cyrus} \
    ${http} \
    ${lmtp} \
    ${milter} \
    ${mapi} \
    ${xmpp} \
    ${pg} \
    ${hazelcast} \
    ${node} \
    ${hps} \
    ${webserver} \
    ${eas} \
    ${locator} \
    ${core} \
    ${tika} \
    ${influxdb} \
    ${chronograph} \
    ${kapacitor} \
    ${es} \
    ${sds} \
    ${memcache}"

# Declared BlueMind servers, allowed on every port (placeholders, replace with your IPs)
bmHosts="IP_EDGE_SRV IP_CORE_SRV"
bmHostChain="bmhosts"
bmPortChain="bmports"

# Run the same command through iptables and, when available, ip6tables
cmd_iptables() {
    iptables ${iptables_timeout} ${*}

    [ "${IP6TABLES}" -eq 0 ] && {
        ip6tables ${iptables_timeout} ${*}
    }
}

stop_bm-iptables() {
    echo -n "Removing BM iptables rules..."

    cmd_iptables -L -v -n | grep ${bmPortChain} > /dev/null 2>&1
    alreadyLoaded=$?

    if [ ${alreadyLoaded} -eq 0 ]; then
        # Flushing BlueMind rules
        cmd_iptables -D INPUT -j ${bmHostChain}

        cmd_iptables -F ${bmHostChain}
        cmd_iptables -F ${bmPortChain}
        cmd_iptables -X ${bmHostChain}
        cmd_iptables -X ${bmPortChain}
    fi

    echo " done."
}

stop_global-iptables() {
    echo -n "Removing global iptables rules..."

    # Flushing all rules
    cmd_iptables -F
    cmd_iptables -X

    ## Default policy
    cmd_iptables -P INPUT   ACCEPT
    cmd_iptables -P FORWARD ACCEPT
    cmd_iptables -P OUTPUT  ACCEPT

    echo " done."
}

start_bm-iptables() {
    echo -n "Adding BM iptables rules..."

    # Fill filter
    cmd_iptables -N ${bmPortChain}
    for bmPort in ${bmPorts}; do
        cmd_iptables -A ${bmPortChain} -p tcp --dport ${bmPort} -j DROP
        cmd_iptables -A ${bmPortChain} -p udp --dport ${bmPort} -j DROP
    done
    cmd_iptables -A ${bmPortChain} -j RETURN

    cmd_iptables -N ${bmHostChain}
    cmd_iptables -A ${bmHostChain} -i lo -j ACCEPT
    for bmHost in ${bmHosts}; do
        # IPv4 only for now
        iptables ${iptables_timeout} -A ${bmHostChain} -s ${bmHost} -j ACCEPT
    done
    cmd_iptables -A ${bmHostChain} -m state --state NEW -j ${bmPortChain}

    # Always first in INPUT, so the global rules below only see what bmports RETURNs
    cmd_iptables -I INPUT 1 -j ${bmHostChain}

    echo " done."
}

start_global-iptables() {
    echo -n "Adding global iptables rules..."

    ## Default policy
    cmd_iptables -P INPUT   DROP
    cmd_iptables -P FORWARD DROP
    cmd_iptables -P OUTPUT  ACCEPT

    # Established connection
    cmd_iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # SSH access from the administration workstations (placeholders)
    cmd_iptables -N chain-incoming-ssh
    cmd_iptables -A chain-incoming-ssh -s IP_ADM_COMPUTER_1 -j ACCEPT
    cmd_iptables -A chain-incoming-ssh -s IP_ADM_COMPUTER_2 -j ACCEPT
    cmd_iptables -A chain-incoming-ssh -s IP_ADM_COMPUTER_3 -j ACCEPT
    cmd_iptables -A chain-incoming-ssh -j DROP

    # SMTP access from the antispam server and the trusted relays (placeholders)
    cmd_iptables -N chain-incoming-smtp
    cmd_iptables -A chain-incoming-smtp -s IP_ANTISPAM_SRV -j ACCEPT
    cmd_iptables -A chain-incoming-smtp -s IP_OK_RELAY_1 -j ACCEPT
    cmd_iptables -A chain-incoming-smtp -s IP_OK_RELAY_2 -j ACCEPT
    cmd_iptables -A chain-incoming-smtp -j DROP

    # Accept incoming SSH
    cmd_iptables -A INPUT -p tcp --dport 22 -j chain-incoming-ssh

    # Accept incoming SMTP
    cmd_iptables -A INPUT -p tcp --dport 25 -j chain-incoming-smtp

    # Accept incoming all on HTTP / HTTPS
    cmd_iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    cmd_iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    echo " done."
}


case "$1" in
    start)
        stop_bm-iptables
        stop_global-iptables
        start_global-iptables
        start_bm-iptables
        ;;

    stop)
        stop_bm-iptables
        stop_global-iptables
        ;;
    restart)
        stop_bm-iptables
        stop_global-iptables
        start_global-iptables
        start_bm-iptables
        ;;
esac

exit 0

This file may be rewritten during certain operations, in which case your modifications will be lost.
We strongly advise you to set up your rules with a dedicated tool.
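One way to follow that advice, as an added example that is neither part of this thread nor BlueMind's own code: a standalone script that installs the EDGE restrictions from the post above next to the bmhosts/bmports chains instead of inside /etc/init.d/bm-iptables, so a BlueMind update that rewrites that file leaves them in place. It assumes it runs as root after bm-iptables (for instance from a systemd unit ordered with After=bm-iptables.service, an assumption about the unit name generated from the init script); the chain names edge-ssh / edge-smtp are chosen here, and IP_ADM_COMPUTER_*, IP_ANTISPAM_SRV and IP_OK_RELAY_1 are the same placeholders as in the post.

```shell
#!/bin/sh
# Hardening rules for a BlueMind EDGE server, kept OUTSIDE /etc/init.d/bm-iptables
# so that a BlueMind update rewriting that script does not remove them.
# Assumption: run as root after bm-iptables (e.g. a systemd unit with
# After=bm-iptables.service). Set DRY_RUN=1 to print the commands instead.
ADMIN_HOSTS="${ADMIN_HOSTS:-IP_ADM_COMPUTER_1 IP_ADM_COMPUTER_2}"   # placeholders
SMTP_SOURCES="${SMTP_SOURCES:-IP_ANTISPAM_SRV IP_OK_RELAY_1}"       # placeholders

ipt() {
    if [ -n "${DRY_RUN}" ]; then echo "iptables $*"; else iptables -w 10 "$@"; fi
}

# Build one allow-list chain: ACCEPT the listed sources, DROP everybody else.
allowlist_chain() {
    chain="$1"; shift
    ipt -N "${chain}"
    for src in "$@"; do ipt -A "${chain}" -s "${src}" -j ACCEPT; done
    ipt -A "${chain}" -j DROP
}

# Remove only our own jumps and chains; bmhosts/bmports are left untouched,
# which makes apply_rules idempotent (no duplicated rules on a re-run).
remove_rules() {
    ipt -D INPUT -p tcp --dport 22 -j edge-ssh 2>/dev/null
    ipt -D INPUT -p tcp --dport 25 -j edge-smtp 2>/dev/null
    for c in edge-ssh edge-smtp; do ipt -F "$c" 2>/dev/null; ipt -X "$c" 2>/dev/null; done
}

apply_rules() {
    remove_rules
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    # Loopback and established traffic: do not depend on bmhosts being loaded first.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    allowlist_chain edge-ssh ${ADMIN_HOSTS}      # unquoted on purpose: word list
    allowlist_chain edge-smtp ${SMTP_SOURCES}
    ipt -A INPUT -p tcp --dport 22 -j edge-ssh
    ipt -A INPUT -p tcp --dport 25 -j edge-smtp
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    # bm-iptables inserts bmhosts at INPUT position 1, so these appended rules stay
    # below it and only see traffic that bmports RETURNs (non-BM ports, unknown hosts).
}

case "${1:-}" in
    start|restart) apply_rules ;;
    stop) remove_rules; ipt -P INPUT ACCEPT; ipt -P FORWARD ACCEPT ;;
esac
```

Because the script never flushes the whole filter table, it can be re-run after every BlueMind update (or on boot) without disturbing the bmhosts/bmports chains that bm-iptables rebuilds.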