
[LEDE-DEV] dropbear: automatically add firewall rules based on the config

Message ID 1524045662-2745-1-git-send-email-pme.lebleu@gmail.com
State Superseded

Commit Message

Pierre Lebleu April 18, 2018, 10:01 a.m. UTC
An extra option (AllowedClientIPs:list) is available to allow
specific clients to use this service.

Testing done:
root@OpenWrt:~# uci show dropbear
dropbear.lan=dropbear
dropbear.lan.enable='1'
dropbear.lan.Interface='lan'
dropbear.lan.PasswordAuth='on'
dropbear.lan.RootPasswordAuth='on'
dropbear.lan.Port='22'
dropbear.lan.IdleTimeout='600'
dropbear.wan=dropbear
dropbear.wan.Interface='wan'
dropbear.wan.PasswordAuth='on'
dropbear.wan.RootPasswordAuth='on'
dropbear.wan.Port='2223'
dropbear.wan.IdleTimeout='600'
dropbear.wan.enable='1'
dropbear.wan.AllowedClientIPs='1.2.3.4'
dropbear.wan.RootLogin='0'

root@OpenWrt:~# fw3 print | grep dropbear
iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ubus:dropbear[lan] rule 0" -j ACCEPT
iptables -t filter -A zone_wan_input -p tcp -s 1.2.3.4/255.255.255.255 -m tcp --dport 2223 -m comment --comment "!fw3: ubus:dropbear[wan] rule 0" -j ACCEPT

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
---
 package/network/services/dropbear/files/dropbear.init  | 47 ++++++++++++++++++++--
 1 file changed, 44 insertions(+), 3 deletions(-)

Comments

Hans Dedecker April 18, 2018, 12:49 p.m. UTC | #1
On Wed, Apr 18, 2018 at 12:01 PM, Pierre Lebleu <pme.lebleu@gmail.com> wrote:
> An extra option (AllowedClientIPs:list) is available to allow
> specific clients to use this service.
>
> Testing done:
> root@OpenWrt:~# uci show dropbear
> dropbear.lan=dropbear
> dropbear.lan.enable='1'
> dropbear.lan.Interface='lan'
> dropbear.lan.PasswordAuth='on'
> dropbear.lan.RootPasswordAuth='on'
> dropbear.lan.Port='22'
> dropbear.lan.IdleTimeout='600'
> dropbear.wan=dropbear
> dropbear.wan.Interface='wan'
> dropbear.wan.PasswordAuth='on'
> dropbear.wan.RootPasswordAuth='on'
> dropbear.wan.Port='2223'
> dropbear.wan.IdleTimeout='600'
> dropbear.wan.enable='1'
> dropbear.wan.AllowedClientIPs='1.2.3.4'
> dropbear.wan.RootLogin='0'
>
> root@OpenWrt:~# fw3 print | grep dropbear
> iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ubus:dropbear[lan] rule 0" -j ACCEPT
> iptables -t filter -A zone_wan_input -p tcp -s 1.2.3.4/255.255.255.255 -m tcp --dport 2223 -m comment --comment "!fw3: ubus:dropbear[wan] rule 0" -j ACCEPT
>
> Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
> ---
>  package/network/services/dropbear/files/dropbear.init  | 47 ++++++++++++++++++++--
>  1 file changed, 44 insertions(+), 3 deletions(-)
>
> diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
> index 2225113..2704554 100755
> --- a/package/network/services/dropbear/files/dropbear.init
> +++ b/package/network/services/dropbear/files/dropbear.init
> @@ -43,15 +43,37 @@ validate_section_dropbear()
>                 'IdleTimeout:uinteger:0' \
>                 'MaxAuthTries:uinteger:3' \
>                 'RecvWindowSize:uinteger:0' \
> +               'AllowedClientIPs:list(ipaddr)' \
>                 'mdns:bool:1'
>  }
>
> +add_fw_rules()
> +{
> +       local intf="$1"
> +       local port="$2"
> +       local client="$3"
> +
> +       [ -z "${intf}" ] && return
> +       local zone=$(fw3 -q network "${intf}")
> +       [ -z "${zone}" ] && return
> +
> +       json_add_object ""
> +       json_add_string type rule
> +       json_add_string src "${zone}"
> +       json_add_string proto tcp
> +       json_add_string dest_port "${port}"
> +       [ -n "${client}" ] && json_add_string src_ip "${client}"
> +       json_add_string target ACCEPT
> +       json_close_object
> +}
> +
>  dropbear_instance()
>  {
>         local PasswordAuth enable Interface GatewayPorts \
>                 RootPasswordAuth RootLogin rsakeyfile \
>                 BannerFile Port SSHKeepAlive IdleTimeout \
> -               MaxAuthTries RecvWindowSize mdns ipaddrs
> +               MaxAuthTries RecvWindowSize AllowedClientIPs \
> +               mdns ipaddrs
>
>         validate_section_dropbear "${1}" || {
>                 echo "validation failed"
> @@ -69,7 +91,8 @@ dropbear_instance()
>         PIDCOUNT="$(( ${PIDCOUNT} + 1))"
>         local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
>
> -       procd_open_instance
> +       procd_open_instance "${1}"
> +
>         procd_set_param command "$PROG" -F -P "$pid_file"
>         [ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
>         [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
> @@ -83,8 +106,22 @@ dropbear_instance()
>         [ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
>         [ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \
>                 procd_append_param command -W "${RecvWindowSize}"
> -       [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
>         procd_set_param respawn
> +
> +       procd_open_data
> +
> +       [ "${mdns}" -ne 0 ] && {
> +               json_add_object "mdns"
> +               procd_add_mdns_service "ssh" "tcp" "$Port" "daemon=dropbear"
> +               json_close_object
> +       }
> +
> +       json_add_array firewall
> +       add_fw_rules "${Interface}" "${Port}" "${AllowedClientIPs}"
> +       json_close_array
This will create an empty firewall procd data entry if either there is
no interface or the interface does not belong to a firewall zone, which
is suboptimal.

Hans
> +
> +       procd_close_data
> +
>         procd_close_instance
>  }
>
> @@ -130,6 +167,10 @@ start_service()
>         config_foreach dropbear_instance dropbear
>  }
>
> +service_started() {
> +       procd_set_config_changed firewall
> +}
> +
>  service_triggers()
>  {
>         local interfaces
> --
> 1.9.1
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev

Patch

diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
index 2225113..2704554 100755
--- a/package/network/services/dropbear/files/dropbear.init
+++ b/package/network/services/dropbear/files/dropbear.init
@@ -43,15 +43,37 @@  validate_section_dropbear()
 		'IdleTimeout:uinteger:0' \
 		'MaxAuthTries:uinteger:3' \
 		'RecvWindowSize:uinteger:0' \
+		'AllowedClientIPs:list(ipaddr)' \
 		'mdns:bool:1'
 }
 
+add_fw_rules()
+{
+	local intf="$1"
+	local port="$2"
+	local client="$3"
+
+	[ -z "${intf}" ] && return
+	local zone=$(fw3 -q network "${intf}")
+	[ -z "${zone}" ] && return
+
+	json_add_object ""
+	json_add_string type rule
+	json_add_string src "${zone}"
+	json_add_string proto tcp
+	json_add_string dest_port "${port}"
+	[ -n "${client}" ] && json_add_string src_ip "${client}"
+	json_add_string target ACCEPT
+	json_close_object
+}
+
 dropbear_instance()
 {
 	local PasswordAuth enable Interface GatewayPorts \
 		RootPasswordAuth RootLogin rsakeyfile \
 		BannerFile Port SSHKeepAlive IdleTimeout \
-		MaxAuthTries RecvWindowSize mdns ipaddrs
+		MaxAuthTries RecvWindowSize AllowedClientIPs \
+		mdns ipaddrs
 
 	validate_section_dropbear "${1}" || {
 		echo "validation failed"
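Review bot: The ACCEPT rule that add_fw_rules emits carries no source restriction when `client` is empty (`[ -n "${client}" ] && json_add_string src_ip "${client}"`), so every instance with `Interface` set but no `AllowedClientIPs` now opens its port to the entire zone — for an instance bound to wan that is SSH reachable from any address, where before this commit binding the listener did not touch the firewall. That is a security-relevant change in default behavior; it should be stated in the commit message and preferably gated, e.g. only emitting a rule when `AllowedClientIPs` is non-empty or behind an explicit opt-in option, with the fallback documented. Separately, `local zone=$(fw3 -q network "${intf}")` masks the command's exit status and will print a shell error if fw3 is not installed (dropbear does not depend on the firewall package); `local zone; zone=$(fw3 -q network "${intf}" 2>/dev/null) || return` keeps the empty check meaningful. dropbear_instance begins at the end of this hunk and continues past it.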
@@ -69,7 +91,8 @@  dropbear_instance()
 	PIDCOUNT="$(( ${PIDCOUNT} + 1))"
 	local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
 
-	procd_open_instance
+	procd_open_instance "${1}"
+
 	procd_set_param command "$PROG" -F -P "$pid_file"
 	[ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
 	[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
@@ -83,8 +106,22 @@  dropbear_instance()
 	[ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
 	[ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \
 		procd_append_param command -W "${RecvWindowSize}"
-	[ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
 	procd_set_param respawn
+
+	procd_open_data
+
+	[ "${mdns}" -ne 0 ] && {
+		json_add_object "mdns"
+		procd_add_mdns_service "ssh" "tcp" "$Port" "daemon=dropbear"
+		json_close_object
+	}
+
+	json_add_array firewall
+	add_fw_rules "${Interface}" "${Port}" "${AllowedClientIPs}"
+	json_close_array
+
+	procd_close_data
+
 	procd_close_instance
 }
 
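Review bot: `add_fw_rules "${Interface}" "${Port}" "${AllowedClientIPs}"` passes the whole option as one word although it is declared `list(ipaddr)`, so a list with several entries reaches `json_add_string src_ip` as a single space-joined string. Whether fw3 splits such a string when it reads ubus-provided rules is not visible here; if it does not, a multi-entry list yields a rule that is rejected or does not restrict as intended, so emitting one `src_ip` value per entry (a `json_add_array src_ip` filled from the list) or one rule per address is the safer shape. The mdns block appears to reproduce what the removed `procd_add_mdns` helper did, now inside the shared `procd_open_data` section — presumably that helper wrapped the same open/close calls, which is worth confirming against procd.sh. dropbear_instance starts outside this hunk.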
@@ -130,6 +167,10 @@  start_service()
 	config_foreach dropbear_instance dropbear
 }
 
+service_started() {
+	procd_set_config_changed firewall
+}
+
 service_triggers()
 {
 	local interfaces
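Review bot: `service_started() {` places the opening brace on the signature line, whereas every other function visible in this file (`add_fw_rules`, `dropbear_instance`, `service_triggers` just below) puts `{` on its own line; for consistency write `service_started()` followed by `{` on the next line. A short comment stating why the hook exists, such as `# firewall rules live in the instance data; tell procd the firewall config changed so they get applied`, would help readers who do not know `procd_set_config_changed`. The call is made on every start regardless of whether add_fw_rules emitted anything, which is presumably acceptable but worth a word in that comment.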