Add a preflight check for the precence of ip_tables. Check if the kernel has ipv6_tables support and if the module is present load it. If ipv6 support isn't available and we have a public ipv6 address warn the user that the system has no ipv6 firewall
This commit is contained in:
Michael Kroes
parent
402b35db9d
commit
bf82a1a535
|
|
@ -60,3 +60,24 @@ if [ -z "$ARM" ]; then
|
|||
exit
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check that the kernel supports at least ipv4 ip_tables, either by a module or by being
|
||||
# compiled directly in the kernel
|
||||
#
|
||||
# If this isn't supported tell the user to compile the kernel module or disable the firewall
|
||||
# and inform of the risk of doing so.
|
||||
if
|
||||
[ ! -e /proc/net/ip_tables_names ] &&
|
||||
[ ! -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko ] &&
|
||||
[ -z "$DISABLE_FIREWALL" ]
|
||||
then
|
||||
echo "Your system doesn't support at least ipv4 ip_tables. You will either need to compile"
|
||||
echo "a kernel that supports it, or compile the kernel module"
|
||||
echo
|
||||
echo "If you would like to continue without a firewall you can set 'export DISABLE_FIREWALL=1' at the"
|
||||
echo "command line. However, doing this prevents Mail-in-a-Box to activate fail2ban. This service"
|
||||
echo "protects the system from bruteforce attacks on the exposed network services. Also services "
|
||||
echo "that shouldn't be exposed are now exposed if you don't use a different (external) firewall"
|
||||
exit
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -227,10 +227,42 @@ if [ -z "$DISABLE_FIREWALL" ]; then
|
|||
# Install `ufw` which provides a simple firewall configuration.
|
||||
apt_install ufw
|
||||
|
||||
# Some providers don't load the ip6_tables kernel module (Scaleway)
|
||||
if [ -z "`lsmod | grep ^ip6_tables`" ]; then
|
||||
echo ip6_tables >> /etc/modules
|
||||
modprobe ip6_tables
|
||||
# Check if the ip_tables has ipv6 support on this system, prefilght has
|
||||
# taken care of ipv4.
|
||||
#
|
||||
# We check if:
|
||||
# - the kernel has support built-in
|
||||
# - the module is present on the system.
|
||||
#
|
||||
# If no ipv6 support is available we disable the ipv6 firewall
|
||||
#
|
||||
# If ipv6 is supported on the system we load the module if necessary and activate the
|
||||
# ipv6 firewall.
|
||||
if
|
||||
[ ! -e /proc/net/ip6_tables_names ] &&
|
||||
[ ! -e /lib/modules/`uname -r`/kernel/net/ipv6/netfilter/ip6_tables.ko ]
|
||||
then
|
||||
# If we have a public ipv6 address we should notify the user that no ipv6 firewall is available
|
||||
if [ ! -z "$PUBLIC_IPV6" ]; then
|
||||
echo "WARNING: There is a public ipv6 address but no ipv6 firewall available in the kernel"
|
||||
fi
|
||||
|
||||
# Disable the IPV6 firewall
|
||||
sed -i "s/IPV6.*/IPV6=no/" /etc/default/ufw
|
||||
else
|
||||
# Check if the ipv6 ip_tables is not active in the kernel or that the module
|
||||
# isn't loaded. Some providers fail to load the module by default (Scaleway)
|
||||
if
|
||||
[ ! -e /proc/net/ip6_tables_names ] &&
|
||||
[ -z "`lsmod | grep ^ip6_tables`" ]
|
||||
then
|
||||
# Load the ip6_tables kernel module, previous step made sure it exists
|
||||
echo ip6_tables >> /etc/modules
|
||||
modprobe ip6_tables
|
||||
fi
|
||||
|
||||
# Enable the IPV6 firewall
|
||||
sed -i "s/IPV6.*/IPV6=yes/" /etc/default/ufw
|
||||
fi
|
||||
|
||||
# Allow incoming connections to SSH.
|
||||
|
|
|
|||
Loading…
Reference in New Issue