#!/usr/bin/env bash
#
# support_firewall.sh: let the Rackspace support, monitoring and
# automation address lists through the host firewall, fail2ban and
# hosts.allow on RHEL/CentOS and Debian/Ubuntu.  Edits files under /etc
# and the live firewall, so it needs the privileges to do that.
#
# Environment: CLOUD_INIT_TIMEOUT - seconds to wait for cloud-init (default 180)
#
# errexit: any unchecked failing command aborts the run
set -o errexit
#######################################
# Print the usage text to stdout.
# Returns:   1, so that a caller under errexit stops after showing help
#######################################
print_help() {
  printf '%s\n' "Help for support_firewall.sh"
  printf '\t%s\n' "Setup firewall with Rackspace ips"
  printf '%s\n' "-h, --help display this help text"
  return 1
}
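# Option handling: the script takes no positional arguments, so anything
# other than -h/--help is an error.  print_help returns 1, which errexit
# turns into an exit; the shift keeps the loop finite even when errexit
# is off (without it $1 is never consumed and the loop never ends).
while (( $# )); do
  case $1 in
    -h|--help)
      print_help
      ;;
    *)
      # diagnostics go to stderr; the help text itself still goes to stdout
      printf 'Unknown arg %s\n' "$1" >&2
      print_help
      ;;
  esac
  shift
done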
# Wall-clock start, reported by the EXIT trap on every exit path
# (including the exit forced by errexit or by print_help).
START_TIME=$(date +%s)

_report_elapsed() {
  echo "Completed in $(( $(date +%s) - START_TIME )) seconds"
}
trap _report_elapsed EXIT
# Rackspace support addresses (IPv4 only); hosts.allow labels them
# "Rackspace Managed Cloud Services".  Bash does not pass arrays to child
# processes, so the export attribute only has effect inside this shell.
SUPPORT_IPS=(
  72.3.128.84
  69.20.0.1
  69.20.3.135
  120.136.34.22
  212.100.225.42
  50.57.22.125
  119.9.4.2
)
export SUPPORT_IPS
# Rackspace Cloud Monitoring source ranges: five IPv4 /26s and five
# IPv6 /64s.  The IPv6 entries are routed to ip6tables / skipped for
# hosts.allow by the callers.  (Arrays are not exported to children.)
MONITORING_IPS=(
  50.56.142.128/26
  180.150.149.64/26
  69.20.52.192/26
  78.136.44.0/26
  50.57.61.0/26
  2001:4800:7902:1::/64
  2401:1800:7902:1::/64
  2001:4802:7902:1::/64
  2a00:1a48:7902:1::/64
  2001:4801:7902:1::/64
)
export MONITORING_IPS
# Rackspace automation hosts across the DFW, ORD, LON, SYD, HKG and IAD
# regions; the entries after the CIDR ranges are the newer
# infrastructure.  The 10.x entries are RFC 1918 addresses, presumably
# the private-network side of the same hosts, and only carry meaning on
# an interface attached to that network.
# NOTE(review): 10.176.160.144 is listed twice.
AUTOMATION_IPS=(
  166.78.7.146    10.181.3.91     50.56.249.239    10.181.24.208
  162.209.4.155   10.178.19.107   95.138.174.55    10.179.75.22
  162.13.1.53     10.179.0.222    119.9.12.91      10.176.1.39
  119.9.12.98     10.176.1.131    119.9.93.22      10.176.65.19
  119.9.95.27     10.176.65.74    104.130.7.147    10.208.229.182
  162.242.233.38  10.176.160.144  67.192.155.96/27 120.136.33.192/27
  69.20.80.0/28   89.234.21.64/28 173.203.5.160/27 173.203.32.136/29
  64.49.200.192/27 23.253.251.154 10.209.161.248   104.239.138.80
  10.209.131.234  104.130.118.61  10.211.0.159     104.130.118.129
  10.211.0.211    104.130.171.248 10.209.4.244     104.130.172.99
  10.209.5.15     134.213.148.114 10.182.5.234     134.213.147.236
  10.182.5.215    119.9.104.208   10.176.70.29     119.9.104.231
  10.176.70.47    119.9.30.141    10.176.160.144   119.9.30.159
  10.176.160.161
)
export AUTOMATION_IPS
# RHEL 5 ships without coreutils' timeout(1); fall back to the example
# script distributed with bash 3.2 so the cloud-init wait below still
# has an upper bound.
# NOTE(review): confirm that script accepts the same "180s" argument
# form that the coreutils command gets below.
command -v timeout >/dev/null || timeout() {
  /bin/bash /usr/share/doc/bash-3.2/scripts/timeout "$@"
}
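# Wait for cloud-init to finish before touching the firewall, bounded by
# CLOUD_INIT_TIMEOUT seconds (default 180).  The wait runs in a child
# bash under timeout(1); an expired timeout exits non-zero, which
# errexit turns into an abort of the whole script.  The delimiter is
# quoted so nothing in the child script is expanded by this shell.
timeout "${CLOUD_INIT_TIMEOUT:-180}s" bash <<'HERE'
wait_for_cloud_init() {
  echo "Checking for cloud-init processes"
  # [c] keeps pgrep from matching its own command line; matched PIDs are
  # discarded because only the exit status is polled
  while pgrep -f '[c]loud-init' >/dev/null; do
    sleep 5
  done
  if [[ -f /var/lib/cloud/instance/boot-finished ]]; then
    echo "Cloud-init completion file found: /var/lib/cloud/instance/boot-finished"
  else
    echo "WARNING: Cloud-init completion file not found but no running instances"
  fi
  return 0
}
wait_for_cloud_init
HERE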
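#######################################
# Create the support chain if it is missing, then replace the base
# policy of one table family.  "$cmd -F" without a chain flushes every
# chain of the filter table, so pre-existing rules are discarded, not
# merged.
# Arguments: $1 - iptables or ip6tables
#            $2 - chain that receives the Rackspace ACCEPT rules
#            $3 - --reject-with target for that family
#######################################
_install_base_rules() {
  local cmd=$1 chain=$2 reject=$3
  # Each family keeps its own chain table, so they are checked
  # separately (creating the ip6tables chain whenever the iptables one
  # is missing fails if only the v6 chain already exists).  -n skips
  # reverse lookups; the listing itself is not needed.
  if ! "$cmd" -nL "$chain" >/dev/null 2>&1; then
    "$cmd" -N "$chain"
  fi
  "$cmd" -F
  "$cmd" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): '-p icmp' is used for both families; confirm ip6tables
  # maps it to ICMPv6 on the target releases ('ipv6-icmp' is the
  # unambiguous name)
  "$cmd" -A INPUT -p icmp -j ACCEPT
  "$cmd" -A INPUT -i lo -j ACCEPT
  "$cmd" -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
  "$cmd" -A INPUT -j "$chain"
  "$cmd" -A INPUT -j REJECT --reject-with "$reject"
  "$cmd" -A FORWARD -j REJECT --reject-with "$reject"
}

#######################################
# Append one ACCEPT rule per source to the chain, sending IPv6 literals
# (anything containing ':') to ip6tables and everything else to
# iptables.
# Globals:   VERSION (read) - EL5 gets no comment match
# Arguments: $1 - chain
#            $2 - rule comment
#            $@ - addresses/CIDRs
#######################################
_append_accept_rules() {
  local chain=$1 label=$2
  shift 2
  local -a comment=()
  if (( VERSION != 5 )); then
    comment=(-m comment --comment "$label")
  fi
  local ip cmd
  for ip in "$@"; do
    if [[ $ip == *:* ]]; then
      cmd=ip6tables
    else
      cmd=iptables
    fi
    "$cmd" -A "$chain" -s "$ip" "${comment[@]}" -j ACCEPT
  done
}

#######################################
# Allow the Rackspace address lists through the host firewall on
# RHEL/CentOS: firewalld sources on EL7+, a hand-built iptables /
# ip6tables ruleset saved through the iptables service on EL5/6.
# Globals:   VERSION, SUPPORT_IPS, MONITORING_IPS, AUTOMATION_IPS (read)
# Returns:   0; under errexit any failing firewall command aborts the
#            script
#######################################
setup_redhat_firewall() {
  local ip
  local chain=RH-Firewall-1-Input
  if (( VERSION >= 7 )); then
    echo "Setting up firewalld"
    for ip in "${SUPPORT_IPS[@]}" "${MONITORING_IPS[@]}" "${AUTOMATION_IPS[@]}"; do
      # stderr stays visible so a rejected source can be diagnosed; the
      # exit status is fatal under errexit either way
      firewall-cmd --zone=public --add-source="$ip" --permanent >/dev/null
    done
    echo "Reloading firewalld"
    firewall-cmd --reload >/dev/null
    # NOTE(review): binding a source to the public zone grants only that
    # zone's services, whereas the EL5/6 branch ACCEPTs all traffic from
    # these sources -- confirm the zone covers what monitoring needs
    return 0
  fi
  # Idempotence: a saved ruleset that already names the first support
  # address is taken as a completed earlier run.  -F so the dots in the
  # address are literal rather than regex wildcards.
  if grep -qF -- "${SUPPORT_IPS[0]}" /etc/sysconfig/iptables 2>/dev/null; then
    return 0
  fi
  echo "Setting up iptables chain: $chain"
  _install_base_rules iptables "$chain" icmp-host-prohibited
  _install_base_rules ip6tables "$chain" icmp6-adm-prohibited
  echo "Setting up support ips in iptables"
  _append_accept_rules "$chain" 'Rackspace Support' "${SUPPORT_IPS[@]}"
  echo "Setting up monitoring ips in iptables"
  _append_accept_rules "$chain" 'Rackspace Monitoring' "${MONITORING_IPS[@]}"
  echo "Setting up automation ips in iptables"
  _append_accept_rules "$chain" 'Rackspace Automation' "${AUTOMATION_IPS[@]}"
  echo "Saving iptables"
  service iptables save
  service ip6tables save
}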
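#######################################
# Allow the Rackspace address lists through ufw on Debian/Ubuntu and
# enable it.  IPv6 is switched on in /etc/default/ufw before the rules
# are added so that the IPv6 monitoring prefixes can be accepted (ufw
# may reject v6 rules while IPV6=no -- verify on the target release).
# Globals:   SUPPORT_IPS, MONITORING_IPS, AUTOMATION_IPS (read)
# Returns:   0; under errexit any failing ufw call aborts the script
#######################################
setup_deb_firewall() {
  local ip
  echo "Setting up ufw"
  if grep -qE '^IPV6=no$' /etc/default/ufw; then
    echo "Enabling ipv6 in ufw"
    sed -i 's:^IPV6=no$:IPV6=yes:' /etc/default/ufw
  fi
  ufw allow from any to any port 22 >/dev/null
  # every listed source gets unrestricted access, matching the EL5/6 ruleset
  for ip in "${SUPPORT_IPS[@]}" "${MONITORING_IPS[@]}" "${AUTOMATION_IPS[@]}"; do
    ufw allow from "$ip" to any >/dev/null
  done
  echo "Enabling ufw"
  ufw --force enable >/dev/null
}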
#######################################
# Dispatch to the distro-specific firewall setup.  Does nothing beyond
# the banner on an unrecognised distribution.
# Globals:   REDHAT, CENTOS, DEBIAN, UBUNTU (read)
#######################################
setup_firewall() {
  echo "Setting up Rackspace firewall"
  if (( REDHAT || CENTOS )); then
    setup_redhat_firewall
    return
  fi
  if (( DEBIAN || UBUNTU )); then
    setup_deb_firewall
  fi
}
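#######################################
# Replace fail2ban's placeholder notification address with
# root@localhost.
# NOTE(review): this edits the packaged jail.conf, which a package
# upgrade overwrites; the override file jail.local is the durable place
# for local settings.
# Arguments: $1 - jail.conf path (default /etc/fail2ban/jail.conf)
#######################################
setup_fail2ban_emails() {
  local jail_conf=${1:-/etc/fail2ban/jail.conf}
  echo "Updating emails in fail2ban to root@localhost"
  # -F: the address is a literal (a regex dot would match any character)
  if grep -qF 'you@example.com' "$jail_conf"; then
    sed -i 's,you@example.com,root@localhost,g' "$jail_conf"
  fi
}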
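#######################################
# Point fail2ban's own log at /var/log/fail2ban.log by creating
# fail2ban.local, unless that file already exists (it is never
# overwritten).
# NOTE(review): the file header names support_packages.sh while the
# help text calls this script support_firewall.sh.
# Arguments: $1 - fail2ban.local path (default /etc/fail2ban/fail2ban.local)
#######################################
setup_fail2ban_logtarget() {
  local local_conf=${1:-/etc/fail2ban/fail2ban.local}
  if [[ -f $local_conf ]]; then
    return 0
  fi
  echo "Setting up logtarget in fail2ban"
  cat > "$local_conf" <<'HERE'
# Created from support_packages.sh
[Definition]
logtarget = /var/log/fail2ban.log
HERE
}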
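#######################################
# Exempt the support and automation addresses from fail2ban bans.  The
# jail option is spelled "ignoreip"; writing "ignoreips" produces a key
# fail2ban never reads, so the addresses were not actually exempted.
# Globals:   SUPPORT_IPS, AUTOMATION_IPS (read)
# Arguments: $1 - jail.local path (default /etc/fail2ban/jail.local)
#######################################
setup_fail2ban_ignoreips() {
  local jail_local=${1:-/etc/fail2ban/jail.local}
  # "${arr[*]}" joins the entries with the first IFS character (a space)
  local ips="${SUPPORT_IPS[*]} ${AUTOMATION_IPS[*]}"
  if [[ -f $jail_local ]] && grep -q '^ignoreip =' "$jail_local"; then
    echo "Updating ignoreips in fail2ban"
    # ',' delimits the sed expression because the addresses contain '/'
    sed -i "s,^ignoreip = .*,ignoreip = $ips," "$jail_local"
  else
    echo "Setting up ignoreips in fail2ban"
    # NOTE(review): this appends a [DEFAULT] section even when jail.local
    # already has one further up -- confirm fail2ban merges the repeat
    cat >> "$jail_local" <<HERE
[DEFAULT]
ignoreip = $ips
HERE
  fi
}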
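#######################################
# Enable fail2ban's sshd jail on EL6 under whichever section name the
# packaged jail.conf provides ([sshd-iptables] preferred, else [sshd]).
# Nothing is written when neither section exists or jail.local already
# carries the section.
# Arguments: $1 - jail.conf path  (default /etc/fail2ban/jail.conf)
#            $2 - jail.local path (default /etc/fail2ban/jail.local)
#######################################
setup_fail2ban_rpm6() {
  local jail_conf=${1:-/etc/fail2ban/jail.conf}
  local jail_local=${2:-/etc/fail2ban/jail.local}
  local label=
  echo "Setting up fail2ban on rpm6"
  if grep -q '^\[sshd-iptables\]$' "$jail_conf"; then
    label=sshd-iptables
  elif grep -q '^\[sshd\]$' "$jail_conf"; then
    label=sshd
  fi
  if [[ -z $label ]]; then
    return 0
  fi
  # Match the exact section header: grepping for the bare label would let
  # "sshd" match an existing [sshd-iptables] section.  jail.local may not
  # exist yet, so grep's complaint about a missing file is dropped.
  if grep -qF -- "[$label]" "$jail_local" 2>/dev/null; then
    return 0
  fi
  echo "Setting up fail2ban config [$label]"
  cat >> "$jail_local" <<HERE
# added by support_packages.sh
[$label]
enabled = true
HERE
}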
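#######################################
# Enable fail2ban's sshd jail on EL7 with firewalld/ipset banning and the
# systemd journal backend.  Skipped when jail.conf has no [sshd] section
# or jail.local already has one (so re-runs do not append a second copy,
# matching the EL6 variant).
# Arguments: $1 - jail.conf path  (default /etc/fail2ban/jail.conf)
#            $2 - jail.local path (default /etc/fail2ban/jail.local)
#######################################
setup_fail2ban_rpm7() {
  local jail_conf=${1:-/etc/fail2ban/jail.conf}
  local jail_local=${2:-/etc/fail2ban/jail.local}
  echo "Setting up fail2ban on rpm7"
  if ! grep -q '^\[sshd\]$' "$jail_conf"; then
    return 0
  fi
  # jail.local may not exist yet; grep's missing-file message is dropped
  if grep -q '^\[sshd\]$' "$jail_local" 2>/dev/null; then
    return 0
  fi
  echo "Setting up fail2ban config [sshd]"
  cat >> "$jail_local" <<'HERE'
# Created from support_packages.sh
[sshd]
enabled = true
bantime = 3600
banaction = firewallcmd-ipset
backend = systemd
action = %(action_)s
maxretry= 5
HERE
}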
#######################################
# Apply the fail2ban configuration steps, then enable the service at
# boot and (re)start it so the new configuration is read.
# Globals:   REDHAT, CENTOS, DEBIAN, UBUNTU, VERSION (read)
#######################################
setup_fail2ban() {
  echo "Setting up fail2ban"
  setup_fail2ban_emails
  setup_fail2ban_logtarget
  setup_fail2ban_ignoreips
  if (( REDHAT || CENTOS )); then
    if (( VERSION == 7 )); then
      setup_fail2ban_rpm7
    fi
    if (( VERSION == 6 )); then
      setup_fail2ban_rpm6
    fi
    chkconfig fail2ban on
    # restart a running service, start a stopped one
    if service fail2ban status; then
      service fail2ban restart
    else
      service fail2ban start
    fi
  elif (( DEBIAN || UBUNTU )); then
    update-rc.d fail2ban defaults
    /etc/init.d/fail2ban restart
  fi
}
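#######################################
# Print the hosts_access(5) form of an address: a plain IPv4 address is
# returned unchanged and a.b.c.d/NN becomes a.b.c.d/M.M.M.M, the dotted
# net/mask pair tcp_wrappers understands.  Replacing a CIDR with its
# first three octets plus a trailing dot (the previous approach) matches
# the whole /24, i.e. four times the /26 prefixes in MONITORING_IPS.
# Arguments: $1 - IPv4 address or CIDR
# Outputs:   the pattern on stdout
# Returns:   1 when the prefix length is not an integer in 0..32
#######################################
_hosts_access_pattern() {
  local ip=$1
  if [[ $ip != */* ]]; then
    printf '%s' "$ip"
    return 0
  fi
  local prefix=${ip#*/} mask
  [[ $prefix =~ ^[0-9]+$ ]] || return 1
  (( prefix <= 32 )) || return 1
  if (( prefix == 0 )); then
    mask=0
  else
    mask=$(( (0xffffffff << (32 - prefix)) & 0xffffffff ))
  fi
  printf '%s/%d.%d.%d.%d' "${ip%/*}" \
    "$(( (mask >> 24) & 255 ))" "$(( (mask >> 16) & 255 ))" \
    "$(( (mask >> 8) & 255 ))" "$(( mask & 255 ))"
}

#######################################
# Append "DAEMON : PATTERN # COMMENT" for every IPv4 entry whose pattern
# is not already in the allow file.  IPv6 entries are skipped.
# Arguments: $1 - daemon list (sshd, ALL, ...)
#            $2 - trailing comment
#            $3 - path of the allow file
#            $@ - addresses/CIDRs
#######################################
_append_hosts_allow() {
  local daemon=$1 comment=$2 allow_file=$3
  shift 3
  local ip pattern
  for ip in "$@"; do
    if [[ $ip == *:* ]]; then
      continue
    fi
    pattern=$(_hosts_access_pattern "$ip")
    # -F: dotted addresses are literals, not regexes; the surrounding
    # spaces keep 1.2.3.4 from matching 1.2.3.45.  The file may not exist
    # yet, so grep's missing-file message is dropped.
    if ! grep -qF -- " $pattern " "$allow_file" 2>/dev/null; then
      printf '%s : %s # %s\n' "$daemon" "$pattern" "$comment" >> "$allow_file"
    fi
  done
}

#######################################
# Whitelist the Rackspace addresses in hosts.allow: support and
# automation for sshd, monitoring for ALL.  hosts.allow on its own grants
# nothing extra unless hosts.deny restricts access, and this script does
# not write hosts.deny.
# Globals:   SUPPORT_IPS, AUTOMATION_IPS, MONITORING_IPS (read)
# Arguments: $1 - allow file (default /etc/hosts.allow)
#######################################
setup_hostsallow() {
  local allow_file=${1:-/etc/hosts.allow}
  echo "Writing ips to $allow_file"
  _append_hosts_allow sshd 'Rackspace Managed Cloud Services' "$allow_file" \
    "${SUPPORT_IPS[@]}" "${AUTOMATION_IPS[@]}"
  _append_hosts_allow ALL 'Rackspace Cloud Monitoring' "$allow_file" \
    "${MONITORING_IPS[@]}"
}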
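#######################################
# Detect the distribution and major version.  /etc/os-release is used
# where present; the python fallback is kept for hosts without it.
# The python call is written with print() so it is valid on both Python
# 2 and 3 (platform.dist() itself exists through Python 3.7).
# Globals (written): DIST, REDHAT, CENTOS, DEBIAN, UBUNTU, VERSION
#######################################
_detect_platform() {
  local id= version=
  if [[ -r /etc/os-release ]]; then
    # sourced in a subshell so only the two fields needed escape
    # shellcheck disable=SC1091
    id=$(. /etc/os-release && printf '%s' "$ID" | tr '[:upper:]' '[:lower:]')
    # shellcheck disable=SC1091
    version=$(. /etc/os-release && printf '%s' "$VERSION_ID")
  fi
  if [[ -z $id ]]; then
    id=$(python -c 'import platform; print(platform.dist()[0].lower())')
    version=$(python -c 'import platform; print(platform.dist()[1])')
  fi
  DIST=$id
  case $id in
    redhat|rhel) export REDHAT=1 DIST=Redhat ;;
    centos) export CENTOS=1 DIST=CentOS ;;
    debian) export DEBIAN=1 ;;
    ubuntu) export UBUNTU=1 ;;
  esac
  if (( REDHAT || CENTOS )); then
    # the EL major version is the first character ("7" from "7.2")
    VERSION=${version:0:1}
  else
    VERSION=$version
  fi
  export VERSION
}

#######################################
# Install the packages each distro family needs, then apply the
# firewall, fail2ban and hosts.allow steps.
#######################################
main() {
  _detect_platform
  if (( REDHAT || CENTOS )); then
    if ! rpm -q fail2ban >/dev/null; then
      yum install -y fail2ban
    fi
  elif (( DEBIAN || UBUNTU )); then
    # NOTE(review): dpkg -l also exits 0 for packages that are known but
    # not installed; dpkg-query -W -f '${Status}' is the precise check
    if ! dpkg -l ufw fail2ban >/dev/null; then
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y ufw fail2ban
    fi
  fi
  setup_firewall
  setup_fail2ban
  setup_hostsallow
}
main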