Add a preflight check for the presence of ip_tables. Check if the kernel has ip6_tables support and, if the module is present, load it. If ipv6 support isn't available and we have a public ipv6 address, warn the user that the system has no ipv6 firewall.
This commit is contained in:
parent
402b35db9d
commit
bf82a1a535
|
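@@ -60,3 +60,24 @@ if [ -z "$ARM" ]; then
 exit
 fi
 fi
+
+# Check that the kernel supports at least ipv4 ip_tables, either by a module or by being
+# compiled directly in the kernel
+#
+# If this isn't supported tell the user to compile the kernel module or disable the firewall
+# and inform of the risk of doing so.
+if
+[ ! -e /proc/net/ip_tables_names ] &&
+[ ! -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko ] &&
+[ -z "$DISABLE_FIREWALL" ]
+then
+echo "Your system doesn't support at least ipv4 ip_tables. You will either need to compile"
+echo "a kernel that supports it, or compile the kernel module"
+echo
+echo "If you would like to continue without a firewall you can set 'export DISABLE_FIREWALL=1' at the"
+echo "command line. However, doing this prevents Mail-in-a-Box to activate fail2ban. This service"
+echo "protects the system from bruteforce attacks on the exposed network services. Also services "
+echo "that shouldn't be exposed are now exposed if you don't use a different (external) firewall"
+exit
+fi
+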
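Review bot: The failure branch of the new ip_tables check ends with a bare `exit`, which returns the status of the preceding `echo` (0), so unless the caller keys on something other than the exit status this preflight does not actually stop setup; `exit 1` makes the gate real and matches the explicit `DISABLE_FIREWALL` opt-in the message asks for (the ARM check in the context above uses the same bare `exit`, so this may be the file's existing convention rather than an oversight here). The module probe `[ ! -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko ]` is also tied to an uncompressed `.ko` filename and an unquoted backtick substitution; `modprobe -n -q ip_tables` (dry run) answers "can this kernel load ip_tables" without depending on the on-disk module layout. The `if [ -z "$ARM" ]` block that the hunk's context lines close begins before the hunk.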
@ -227,12 +227,44 @@ if [ -z "$DISABLE_FIREWALL" ]; then
|
||||||
# Install `ufw` which provides a simple firewall configuration.
|
# Install `ufw` which provides a simple firewall configuration.
|
||||||
apt_install ufw
|
apt_install ufw
|
||||||
|
|
||||||
# Some providers don't load the ip6_tables kernel module (Scaleway)
|
# Check if the ip_tables has ipv6 support on this system, prefilght has
|
||||||
if [ -z "`lsmod | grep ^ip6_tables`" ]; then
|
# taken care of ipv4.
|
||||||
|
#
|
||||||
|
# We check if:
|
||||||
|
# - the kernel has support built-in
|
||||||
|
# - the module is present on the system.
|
||||||
|
#
|
||||||
|
# If no ipv6 support is available we disable the ipv6 firewall
|
||||||
|
#
|
||||||
|
# If ipv6 is supported on the system we load the module if necessary and activate the
|
||||||
|
# ipv6 firewall.
|
||||||
|
if
|
||||||
|
[ ! -e /proc/net/ip6_tables_names ] &&
|
||||||
|
[ ! -e /lib/modules/`uname -r`/kernel/net/ipv6/netfilter/ip6_tables.ko ]
|
||||||
|
then
|
||||||
|
# If we have a public ipv6 address we should notify the user that no ipv6 firewall is available
|
||||||
|
if [ ! -z "$PUBLIC_IPV6" ]; then
|
||||||
|
echo "WARNING: There is a public ipv6 address but no ipv6 firewall available in the kernel"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Disable the IPV6 firewall
|
||||||
|
sed -i "s/IPV6.*/IPV6=no/" /etc/default/ufw
|
||||||
|
else
|
||||||
|
# Check if the ipv6 ip_tables is not active in the kernel or that the module
|
||||||
|
# isn't loaded. Some providers fail to load the module by default (Scaleway)
|
||||||
|
if
|
||||||
|
[ ! -e /proc/net/ip6_tables_names ] &&
|
||||||
|
[ -z "`lsmod | grep ^ip6_tables`" ]
|
||||||
|
then
|
||||||
|
# Load the ip6_tables kernel module, previous step made sure it exists
|
||||||
echo ip6_tables >> /etc/modules
|
echo ip6_tables >> /etc/modules
|
||||||
modprobe ip6_tables
|
modprobe ip6_tables
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Enable the IPV6 firewall
|
||||||
|
sed -i "s/IPV6.*/IPV6=yes/" /etc/default/ufw
|
||||||
|
fi
|
||||||
|
|
||||||
# Allow incoming connections to SSH.
|
# Allow incoming connections to SSH.
|
||||||
ufw_allow ssh;
|
ufw_allow ssh;
|
||||||
|
|
||||||
|
|
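Review bot: `modprobe ip6_tables` in the else branch is not checked, so on a host where the module file exists but cannot be loaded (a container or a provider that blocks module loading, which is the situation this commit is working around) the script still runs `sed -i "s/IPV6.*/IPV6=yes/" /etc/default/ufw` and the later ufw rules will fail to apply on the v6 side; gate the enable step on the load succeeding, e.g. `modprobe ip6_tables || { echo "WARNING: ip6_tables could not be loaded; no ipv6 firewall" >&2; sed -i "s/^IPV6=.*/IPV6=no/" /etc/default/ufw; }`. Whether a failed modprobe aborts instead depends on whether this script runs under `set -e`, which is not visible in the hunk. Both `sed` patterns would be safer anchored as `s/^IPV6=.*/…/` so they rewrite only the assignment line. The WARNING about a public ipv6 address with no ipv6 firewall is printed to stdout among the installer's normal output; sending it to stderr, or requiring the same explicit `DISABLE_FIREWALL` acknowledgement the new ipv4 preflight uses, would make it much harder to miss. The enclosing `if [ -z "$DISABLE_FIREWALL" ]` block begins before the hunk.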