Add support for FreeIPA Service on local networks.

2024-08-17 22:19:12 +02:00 · 2024-08-17 22:19:12 +02:00 · 80bf02d7ad
commit 80bf02d7ad
parent 06199517c7
6 changed files with 88 additions and 0 deletions
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@ -140,6 +140,12 @@ standard_unifi_tcp_ctrl_out_ports="443,8883"
 standard_unifi_udp_ctrl_out_ports="443,3478"


+# freeIPA Ports
+#
+standard_freeipa_tcp_in_ports="53,80,88,443,464,389,636"
+standard_freeipa_udp_in_ports="53,123,88,464"
+
+
 # Outbound Streaming Ports TCP
 #
 #    - outbound port 1935/TCP : outbound streaming over RTMP to most
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@ -968,6 +968,20 @@ snmp_port="$standard_snmp_port"
 snmp_trap_port="$standard_snmp_trap_port"


+# ======
+# - FreeIPA Service
+# ======
+
+# - FreeIPA services local Networks
+# -
+freeipa_server_ips=""
+
+# - FreeIPA (in) Ports
+# -
+freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports"
+freeipa_udp_in_ports="$standard_freeipa_udp_in_ports"
+
+
 # ======
 # - Mumble Service
 # ======
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@ -938,6 +938,20 @@ snmp_port="$standard_snmp_port"
 snmp_trap_port="$standard_snmp_trap_port"


+# ======
+# - FreeIPA Service
+# ======
+
+# - FreeIPA services local Networks
+# -
+freeipa_server_ips=""
+
+# - FreeIPA (in) Ports
+# -
+freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports"
+freeipa_udp_in_ports="$standard_freeipa_udp_in_ports"
+
+

 # ======
 # - Mumble Service
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@ -433,6 +433,14 @@ for _ip in $snmp_server_ips ; do
   snmp_server_ip_arr+=("$_ip")
 done

+# ---
+# - IP Adresses FreeIPA Server
+# ---
+declare -a freeipa_server_ip_arr=()
+for _ip in $freeipa_server_ips ; do
+   freeipa_server_ip_arr+=("$_ip")
+done
+
 # ---
 # - IP Adresses Munin Service 
 # ---
--- a/23
+++ b/23
@ -4649,6 +4649,29 @@ else
 fi


+# ---
+# - freeIPA Services local Networks
+# ---
+
+echononl "\t\tFreeIPA Services local Networks"
+
+if [[ ${#freeipa_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then
+   for _ip in ${freeipa_server_ip_arr[@]} ; do
+      $ip6t -A OUTPUT -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then
+         for _dev in ${local_if_arr[@]} ; do
+            $ip6t -A FORWARD -i $_dev -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+            $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+         done
+      fi
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - WakeOnLan only out into local Networks
 # ---
--- a/23
+++ b/23
@ -5452,6 +5452,29 @@ else
 fi


+# ---
+# - freeIPA Services local Networks
+# ---
+
+echononl "\t\tFreeIPA Services local Networks"
+
+if [[ ${#freeipa_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then
+   for _ip in ${freeipa_server_ip_arr[@]} ; do
+      $ipt -A OUTPUT -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+      $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $freeipa_tcp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+      if $kernel_activate_forwarding && ! $permit_between_local_networks ; then
+         for _dev in ${local_if_arr[@]} ; do
+            $ipt -A FORWARD -i $_dev -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+            $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $freeipa_tcp_in_ports -m conntrack --ctstate NEW -j ACCEPT
+         done
+      fi
+   done
+   echo_done
+else
+   echo_skipped
+fi
+
+
 # ---
 # - WakeOnLan only out into local Networks
 # ---