From 80bf02d7adb49ad07fa7465ed407e08823998aa2 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 17 Aug 2024 22:19:12 +0200 Subject: [PATCH] Add support for FreeIPA Service on local networks. --- conf/default_ports.conf | 6 ++++++ conf/main_ipv4.conf.sample | 14 ++++++++++++++ conf/main_ipv6.conf.sample | 14 ++++++++++++++ conf/post_decalrations.conf | 8 ++++++++ ip6t-firewall-gateway | 23 +++++++++++++++++++++++ ipt-firewall-gateway | 23 +++++++++++++++++++++++ 6 files changed, 88 insertions(+) diff --git a/conf/default_ports.conf b/conf/default_ports.conf index cd7663a..61bdb85 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf @@ -140,6 +140,12 @@ standard_unifi_tcp_ctrl_out_ports="443,8883" standard_unifi_udp_ctrl_out_ports="443,3478" +# freeIPA Ports +# +standard_freeipa_tcp_in_ports="53,80,88,443,464,389,636" +standard_freeipa_udp_in_ports="53,123,88,464" + + # Outbound Streaming Ports TCP # # - outbound port 1935/TCP : outbound streaming over RTMP to most diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index e85a61a..0012dc7 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -968,6 +968,20 @@ snmp_port="$standard_snmp_port" snmp_trap_port="$standard_snmp_trap_port" +# ====== +# - FreeIPA Service +# ====== + +# - FreeIPA services local Networks +# - +freeipa_server_ips="" + +# - FreeIPA (in) Ports +# - +freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports" +freeipa_udp_in_ports="$standard_freeipa_udp_in_ports" + + # ====== # - Mumble Service # ====== diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index e76c720..1af9a12 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample 
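Review bot: The two new port lists in conf/default_ports.conf carry no per-port explanation, while the neighbouring entries in this file annotate each port (the `# - outbound port 1935/TCP : ...` line visible in the hunk context), so a reader cannot tell which FreeIPA component each number serves. I would add comment lines in that style above the two assignments, covering 53 (DNS), 80/443 (HTTP/HTTPS web UI and API), 88 and 464 (Kerberos KDC and kpasswd, both TCP and UDP), 389/636 (LDAP/LDAPS) and 123/UDP (NTP). Listing the TCP ports in ascending order, `standard_freeipa_tcp_in_ports="53,80,88,389,443,464,636"`, would also make the list easier to compare against the FreeIPA port documentation.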
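Review bot: The comment above `freeipa_server_ips` in conf/main_ipv4.conf.sample reads `# - FreeIPA services local Networks`, but the variable holds the addresses of the FreeIPA server(s), not networks: conf/post_decalrations.conf splits it on whitespace into `freeipa_server_ip_arr`, and the gateway scripts use each entry as a `-d` destination host. The same comment appears in the conf/main_ipv6.conf.sample hunk. I would replace it in both samples with `# - Whitespace separated list of FreeIPA server IP addresses` and show the expected shape with a placeholder, e.g. `# - freeipa_server_ips="<freeipa-server-ip> <second-freeipa-server-ip>"`.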
@@ -938,6 +938,20 @@ snmp_port="$standard_snmp_port" snmp_trap_port="$standard_snmp_trap_port" +# ====== +# - FreeIPA Service +# ====== + +# - FreeIPA services local Networks +# - +freeipa_server_ips="" + +# - FreeIPA (in) Ports +# - +freeipa_tcp_in_ports="$standard_freeipa_tcp_in_ports" +freeipa_udp_in_ports="$standard_freeipa_udp_in_ports" + + # ====== # - Mumble Service diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 8f0bf2c..81c0f27 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf @@ -433,6 +433,14 @@ for _ip in $snmp_server_ips ; do snmp_server_ip_arr+=("$_ip") done +# --- +# - IP Adresses FreeIPA Server +# --- +declare -a freeipa_server_ip_arr=() +for _ip in $freeipa_server_ips ; do + freeipa_server_ip_arr+=("$_ip") +done + # --- # - IP Adresses Munin Service # --- diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 04b2e33..2c6f335 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -4649,6 +4649,29 @@ else fi +# --- +# - freeIPA Services local Networks +# --- + +echononl "\t\tFreeIPA Services local Networks" + +if [[ ${#freeipa_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then + for _ip in ${freeipa_server_ip_arr[@]} ; do + $ip6t -A OUTPUT -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ip6t -A FORWARD -i $_dev -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + echo_done +else + echo_skipped +fi + + # --- # - WakeOnLan only out into local Networks # --- 
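Review bot: In the ip6t-firewall-gateway hunk both `-p tcp` rules filter on the UDP port list, `$ip6t -A OUTPUT -p tcp -d $_ip -m multiport --dports $freeipa_udp_in_ports ...` and the matching FORWARD line, so over IPv6 the LDAP (389/636), HTTP/HTTPS (80/443) and TCP Kerberos connections to the server are never accepted by this block, whereas the ipt-firewall-gateway hunk correctly uses `$freeipa_tcp_in_ports` for its `-p tcp` lines. Change both TCP rules here to `--dports $freeipa_tcp_in_ports`. The forwarding guard also differs between the two scripts (`$kernel_forward_between_interfaces` here versus `$kernel_activate_forwarding` in the IPv4 script); if both are meant to read the same setting, confirm the IPv6 name is actually defined in that script, because an unset variable expands to nothing and the `if` then succeeds silently, adding the FORWARD rules regardless of the setting.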
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 126f8e4..0cea726 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -5452,6 +5452,29 @@ else fi +# --- +# - freeIPA Services local Networks +# --- + +echononl "\t\tFreeIPA Services local Networks" + +if [[ ${#freeipa_server_ip_arr[@]} -gt 0 ]] && ! $permit_between_local_networks; then + for _ip in ${freeipa_server_ip_arr[@]} ; do + $ipt -A OUTPUT -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -p tcp -d $_ip -m multiport --dports $freeipa_tcp_in_ports -m conntrack --ctstate NEW -j ACCEPT + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + $ipt -A FORWARD -i $_dev -p udp -d $_ip -m multiport --dports $freeipa_udp_in_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp -d $_ip -m multiport --dports $freeipa_tcp_in_ports -m conntrack --ctstate NEW -j ACCEPT + done + fi + done + echo_done +else + echo_skipped +fi + + # --- # - WakeOnLan only out into local Networks # ---
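Review bot: The new loops expand the arrays and loop variables unquoted (`for _ip in ${freeipa_server_ip_arr[@]}`, `for _dev in ${local_if_arr[@]}`, `-d $_ip`, `-i $_dev`), so the generated rules depend on word splitting and pathname expansion of the configured values; the quoted forms `"${freeipa_server_ip_arr[@]}"`, `"${local_if_arr[@]}"`, `"$_ip"` and `"$_dev"` avoid that and are what shellcheck recommends. The inner `if $kernel_activate_forwarding && ! $permit_between_local_networks` repeats a test the enclosing `if` has already made, so `! $permit_between_local_networks` can be dropped from it. The same two points apply to the ip6t-firewall-gateway hunk.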