| Message ID | 1524045662-2745-1-git-send-email-pme.lebleu@gmail.com |
|---|---|
| State | Superseded |
| Series | [LEDE-DEV] dropbear: automatically add firewall rules based on the config |
On Wed, Apr 18, 2018 at 12:01 PM, Pierre Lebleu <pme.lebleu@gmail.com> wrote: > An extra option (AllowedClientIPs:list) is available to allow > specific clients to use this service. > > Testing done: > root@OpenWrt:~# uci show dropbear > dropbear.lan=dropbear > dropbear.lan.enable='1' > dropbear.lan.Interface='lan' > dropbear.lan.PasswordAuth='on' > dropbear.lan.RootPasswordAuth='on' > dropbear.lan.Port='22' > dropbear.lan.IdleTimeout='600' > dropbear.wan=dropbear > dropbear.wan.Interface='wan' > dropbear.wan.PasswordAuth='on' > dropbear.wan.RootPasswordAuth='on' > dropbear.wan.Port='2223' > dropbear.wan.IdleTimeout='600' > dropbear.wan.enable='1' > dropbear.wan.AllowedClientIPs='1.2.3.4' > dropbear.wan.RootLogin='0' > > root@OpenWrt:~# fw3 print | grep dropbear > iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ubus:dropbear[lan] rule 0" -j ACCEPT > iptables -t filter -A zone_wan_input -p tcp -s 1.2.3.4/255.255.255.255 -m tcp --dport 2223 -m comment --comment "!fw3: ubus:dropbear[wan] rule 0" -j ACCEPT > > Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com> > --- > package/network/services/dropbear/files/dropbear.init | 47 ++++++++++++++++++++-- > 1 file changed, 44 insertions(+), 3 deletions(-) > > diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init > index 2225113..2704554 100755 > --- a/package/network/services/dropbear/files/dropbear.init > +++ b/package/network/services/dropbear/files/dropbear.init 
> @@ -43,15 +43,37 @@ validate_section_dropbear() > 'IdleTimeout:uinteger:0' \ > 'MaxAuthTries:uinteger:3' \ > 'RecvWindowSize:uinteger:0' \ > + 'AllowedClientIPs:list(ipaddr)' \ > 'mdns:bool:1' > } > > +add_fw_rules() > +{ > + local intf="$1" > + local port="$2" > + local client="$3" > + > + [ -z "${intf}" ] && return > + local zone=$(fw3 -q network "${intf}") > + [ -z "${zone}" ] && return > + > + json_add_object "" > + json_add_string type rule > + json_add_string src "${zone}" > + json_add_string proto tcp > + json_add_string dest_port "${port}" > + [ -n "${client}" ] && json_add_string src_ip "${client}" > + json_add_string target ACCEPT > + json_close_object > +} > + > dropbear_instance() > { > local PasswordAuth enable Interface GatewayPorts \ > RootPasswordAuth RootLogin rsakeyfile \ > BannerFile Port SSHKeepAlive IdleTimeout \ > - MaxAuthTries RecvWindowSize mdns ipaddrs > + MaxAuthTries RecvWindowSize AllowedClientIPs \ > + mdns ipaddrs > > validate_section_dropbear "${1}" || { > echo "validation failed" > @@ -69,7 +91,8 @@ dropbear_instance() > PIDCOUNT="$(( ${PIDCOUNT} + 1))" > local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid" > > - procd_open_instance > + procd_open_instance "${1}" > + > procd_set_param command "$PROG" -F -P "$pid_file" > [ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s > [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a 
> @@ -83,8 +106,22 @@ dropbear_instance() > [ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}" > [ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \ > procd_append_param command -W "${RecvWindowSize}" > - [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear" > procd_set_param respawn > + > + procd_open_data > + > + [ "${mdns}" -ne 0 ] && { > + json_add_object "mdns" > + procd_add_mdns_service "ssh" "tcp" "$Port" "daemon=dropbear" > + json_close_object > + } > + > + json_add_array firewall > + add_fw_rules "${Interface}" "${Port}" "${AllowedClientIPs}" > + json_close_array This will create an empty firewall procd data entry if either there's no interface or the interface does not belong to a firewall zone which is suboptimal Hans > + > + procd_close_data > + > procd_close_instance > } > > @@ -130,6 +167,10 @@ start_service() > config_foreach dropbear_instance dropbear > } > > +service_started() { > + procd_set_config_changed firewall > +} > + > service_triggers() > { > local interfaces > -- > 1.9.1
diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init index 2225113..2704554 100755 --- a/package/network/services/dropbear/files/dropbear.init +++ b/package/network/services/dropbear/files/dropbear.init @@ -43,15 +43,37 @@ validate_section_dropbear() 'IdleTimeout:uinteger:0' \ 'MaxAuthTries:uinteger:3' \ 'RecvWindowSize:uinteger:0' \ + 'AllowedClientIPs:list(ipaddr)' \ 'mdns:bool:1' } +add_fw_rules() +{ + local intf="$1" + local port="$2" + local client="$3" + + [ -z "${intf}" ] && return + local zone=$(fw3 -q network "${intf}") + [ -z "${zone}" ] && return + + json_add_object "" + json_add_string type rule + json_add_string src "${zone}" + json_add_string proto tcp + json_add_string dest_port "${port}" + [ -n "${client}" ] && json_add_string src_ip "${client}" + json_add_string target ACCEPT + json_close_object +} + dropbear_instance() { local PasswordAuth enable Interface GatewayPorts \ RootPasswordAuth RootLogin rsakeyfile \ BannerFile Port SSHKeepAlive IdleTimeout \ - MaxAuthTries RecvWindowSize mdns ipaddrs + MaxAuthTries RecvWindowSize AllowedClientIPs \ + mdns ipaddrs validate_section_dropbear "${1}" || { echo "validation failed" @@ -69,7 +91,8 @@ dropbear_instance() PIDCOUNT="$(( ${PIDCOUNT} + 1))" local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid" - procd_open_instance + procd_open_instance "${1}" + procd_set_param command "$PROG" -F -P "$pid_file" [ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a 
@@ -83,8 +106,22 @@ dropbear_instance() [ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}" [ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \ procd_append_param command -W "${RecvWindowSize}" - [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear" procd_set_param respawn + + procd_open_data + + [ "${mdns}" -ne 0 ] && { + json_add_object "mdns" + procd_add_mdns_service "ssh" "tcp" "$Port" "daemon=dropbear" + json_close_object + } + + json_add_array firewall + add_fw_rules "${Interface}" "${Port}" "${AllowedClientIPs}" + json_close_array + + procd_close_data + procd_close_instance } @@ -130,6 +167,10 @@ start_service() config_foreach dropbear_instance dropbear } +service_started() { + procd_set_config_changed firewall +} + service_triggers() { local interfaces
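Review bot: in the first hunk, `AllowedClientIPs` is validated as `list(ipaddr)`, but `add_fw_rules` hands the whole list to a single `json_add_string src_ip "${client}"`, so two or more configured addresses reach fw3 as one space-separated string instead of a JSON list. Either emit `json_add_array src_ip` with one `json_add_string "" "$ip"` per list entry, or confirm that fw3 splits a string `src_ip` on whitespace and say so in the commit message; the test output only exercises a single address, so the multi-address case is currently unverified.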
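Review bot: in the `procd_open_data` hunk, the ACCEPT rule is emitted without any `src_ip` restriction whenever `AllowedClientIPs` is empty (`[ -n "${client}" ] && json_add_string src_ip ...`), so every instance whose `Interface` maps to a firewall zone now opens its port to that entire zone automatically; for an instance on `wan` that widens exposure compared to the previous behaviour, where the admin had to add a firewall rule by hand, and the commit message should state this explicitly. Moving the zone lookup ahead of `json_add_array firewall` and skipping the array when no zone is found would also avoid the empty `firewall` entry Hans points out.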
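Review bot: the last hunk adds `service_started` to mark the firewall config changed on start, but there is no matching `service_stopped`, so after `/etc/init.d/dropbear stop` the instance data vanishes from ubus while fw3 is never reloaded and the `ubus:dropbear[...]` ACCEPT rules remain in iptables until the next firewall reload. Add `service_stopped() { procd_set_config_changed firewall }` alongside it so the rules are withdrawn when the service goes away.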
An extra option (AllowedClientIPs:list) is available to allow specific clients to use this service.

Testing done:

root@OpenWrt:~# uci show dropbear
dropbear.lan=dropbear
dropbear.lan.enable='1'
dropbear.lan.Interface='lan'
dropbear.lan.PasswordAuth='on'
dropbear.lan.RootPasswordAuth='on'
dropbear.lan.Port='22'
dropbear.lan.IdleTimeout='600'
dropbear.wan=dropbear
dropbear.wan.Interface='wan'
dropbear.wan.PasswordAuth='on'
dropbear.wan.RootPasswordAuth='on'
dropbear.wan.Port='2223'
dropbear.wan.IdleTimeout='600'
dropbear.wan.enable='1'
dropbear.wan.AllowedClientIPs='1.2.3.4'
dropbear.wan.RootLogin='0'

root@OpenWrt:~# fw3 print | grep dropbear
iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ubus:dropbear[lan] rule 0" -j ACCEPT
iptables -t filter -A zone_wan_input -p tcp -s 1.2.3.4/255.255.255.255 -m tcp --dport 2223 -m comment --comment "!fw3: ubus:dropbear[wan] rule 0" -j ACCEPT

Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
---
package/network/services/dropbear/files/dropbear.init | 47 ++++++++++++++++++++--
1 file changed, 44 insertions(+), 3 deletions(-)