From bf82a1a535075bc3e7b2ea5b77d8e8d4816556ab Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Sun, 27 Mar 2016 14:29:02 +0200
Subject: [PATCH] Add a preflight check for the precence of ip_tables.

Check if the kernel has ipv6_tables support and if the module is present load it. If ipv6 support isn't available and we have a public ipv6 address warn the user that the system has no ipv6 firewall
---
 setup/preflight.sh | 21 +++++++++++++++++++++
 setup/system.sh | 40 ++++++++++++++++++++++++++++++++++++----
 2 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/setup/preflight.sh b/setup/preflight.sh
index c3351471..3f7d9091 100644
--- a/setup/preflight.sh
+++ b/setup/preflight.sh
@@ -60,3 +60,24 @@ if [ -z "$ARM" ]; then
 exit
 fi
 fi
+
+# Check that the kernel supports at least ipv4 ip_tables, either by a module or by being
+# compiled directly in the kernel
+#
+# If this isn't supported tell the user to compile the kernel module or disable the firewall
+# and inform of the risk of doing so.
+if
+ [ ! -e /proc/net/ip_tables_names ] &&
+ [ ! -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko ] &&
+ [ -z "$DISABLE_FIREWALL" ]
+then
+ echo "Your system doesn't support at least ipv4 ip_tables. You will either need to compile"
+ echo "a kernel that supports it, or compile the kernel module"
+ echo
+ echo "If you would like to continue without a firewall you can set 'export DISABLE_FIREWALL=1' at the"
+ echo "command line. However, doing this prevents Mail-in-a-Box to activate fail2ban. This service"
+ echo "protects the system from bruteforce attacks on the exposed network services. Also services "
+ echo "that shouldn't be exposed are now exposed if you don't use a different (external) firewall"
+ exit
+fi
+
diff --git a/setup/system.sh b/setup/system.sh
index ce8eba36..44c106cb 100755
--- a/setup/system.sh
+++ b/setup/system.sh
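Review bot: The module-availability test in the new `if` in preflight.sh keys on the exact uncompressed path `/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko`, so a kernel that ships compressed module files (e.g. `.ko.xz`) or stores the module elsewhere is reported as lacking ip_tables and setup aborts even though `modprobe` would succeed. Asking the module loader instead, e.g. `modprobe -n -q ip_tables`, covers the built-in, loadable and compressed cases in one check; worth confirming against the kmod version on the supported release. The bare `exit` after the message returns status 0, so anything driving setup non-interactively cannot distinguish this abort from a successful preflight; `exit 1` would make the failure visible. Prefer `$(uname -r)` over backticks here and in the system.sh hunk.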
@@ -227,10 +227,42 @@ if [ -z "$DISABLE_FIREWALL" ]; then
 # Install `ufw` which provides a simple firewall configuration.
 apt_install ufw
 
- # Some providers don't load the ip6_tables kernel module (Scaleway)
- if [ -z "`lsmod | grep ^ip6_tables`" ]; then
- echo ip6_tables >> /etc/modules
- modprobe ip6_tables
+ # Check if the ip_tables has ipv6 support on this system, prefilght has
+ # taken care of ipv4.
+ #
+ # We check if:
+ # - the kernel has support built-in
+ # - the module is present on the system.
+ #
+ # If no ipv6 support is available we disable the ipv6 firewall
+ #
+ # If ipv6 is supported on the system we load the module if necessary and activate the
+ # ipv6 firewall.
+ if
+ [ ! -e /proc/net/ip6_tables_names ] &&
+ [ ! -e /lib/modules/`uname -r`/kernel/net/ipv6/netfilter/ip6_tables.ko ]
+ then
+ # If we have a public ipv6 address we should notify the user that no ipv6 firewall is available
+ if [ ! -z "$PUBLIC_IPV6" ]; then
+ echo "WARNING: There is a public ipv6 address but no ipv6 firewall available in the kernel"
+ fi
+
+ # Disable the IPV6 firewall
+ sed -i "s/IPV6.*/IPV6=no/" /etc/default/ufw
+ else
+ # Check if the ipv6 ip_tables is not active in the kernel or that the module
+ # isn't loaded. Some providers fail to load the module by default (Scaleway)
+ if
+ [ ! -e /proc/net/ip6_tables_names ] &&
+ [ -z "`lsmod | grep ^ip6_tables`" ]
+ then
+ # Load the ip6_tables kernel module, previous step made sure it exists
+ echo ip6_tables >> /etc/modules
+ modprobe ip6_tables
+ fi
+
+ # Enable the IPV6 firewall
+ sed -i "s/IPV6.*/IPV6=yes/" /etc/default/ufw
 fi
 
 # Allow incoming connections to SSH.
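Review bot: The no-IPv6-firewall branch in system.sh only prints a warning when `PUBLIC_IPV6` is set and then carries on configuring services, whereas the IPv4 preflight in the preflight.sh hunk refuses to continue unless `DISABLE_FIREWALL` is explicitly set; a host with a public IPv6 address and `IPV6=no` in ufw ends up with every IPv6-listening service unfiltered by default, so gating this branch on the same opt-in (or exiting non-zero) would make the exposure an explicit choice rather than a line that scrolls past. The `sed -i "s/IPV6.*/IPV6=no/" /etc/default/ufw` patterns in both branches are unanchored and rewrite any line that contains `IPV6`, not only the setting; `sed -i 's/^IPV6=.*/IPV6=no/' /etc/default/ufw` (and the `=yes` counterpart) is safer. In the else branch the result of `modprobe ip6_tables` is not checked, so if loading fails the script still appends to /etc/modules and writes `IPV6=yes`, leaving ufw enabled for a table that is not present, unless the caller runs with `set -e`, which I cannot see from the hunk. The enclosing `if [ -z "$DISABLE_FIREWALL" ]` block starts before the hunk.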