ip-array.conf — main configuration file of ip-array (default file name: ip-array.conf)
/etc/ip-array/{stable|test}/conf.d/ip-array.conf
This file is the main configuration file of ip-array. It holds all the variables needed to find the other configuration files and many settings about the host and what to configure.
The various settings for the /proc filesystem are not listed here. Please refer to the comments in the configuration file and to the kernel documentation for further explanations. The list of the setting names and their paths inside the /proc filesystem can be retrieved by running: ip-array show -sc proc
CONFIG_FILES
Names of the configuration files, which will be loaded in order of appearance, e.g. CONFIG_FILES="aliases.conf global.conf".
This is the only variable that needs to be inside the main configuration file. All others can be placed into different files of your choice; those files must be listed in the above variable in order to be sourced from there.
BASE_TEMPLATES
Names of the basic XML template files.
ENABLE_FILTER
Enable or disable loading of the iptables filter table configuration. Valid values are `0' or `1'.
IPT_FILTER_TEMPLATES
Names of the iptables filter table XML templates files.
FILTER_RULEBLOCKS
Names of the iptables filter table ruleblocks files.
FILTER_RULES
Names of the iptables filter table rule files.
ENABLE_MANGLE
Enable or disable loading of the iptables mangle table configuration. Valid values are `0' or `1'.
IPT_MANGLE_TEMPLATES
Names of the iptables mangle table XML templates files.
MANGLE_RULEBLOCKS
Names of the iptables mangle table ruleblocks files.
MANGLE_RULES
Names of the iptables mangle table rule files.
ENABLE_NAT
Enable or disable loading of the iptables nat table configuration. Valid values are `0' or `1'.
IPT_NAT_TEMPLATES
Names of the iptables nat table XML templates files.
NAT_RULEBLOCKS
Names of the iptables nat table ruleblocks files.
NAT_RULES
Names of the iptables nat table rule files.
ENABLE_RAW
Enable or disable loading of the iptables raw table configuration. Valid values are `0' or `1'.
IPT_RAW_TEMPLATES
Names of the iptables raw table XML templates files.
RAW_RULEBLOCKS
Names of the iptables raw table ruleblocks files.
RAW_RULES
Names of the iptables raw table rule files.
ENABLE_RAWPOST
Enable or disable loading of the iptables rawpost table configuration. Only works if xtables-addons are installed. Valid values are `0' or `1'.
IPT_RAWPOST_TEMPLATES
Names of the iptables rawpost table XML templates files. Only works if xtables-addons are installed.
RAWPOST_RULEBLOCKS
Names of the iptables rawpost table ruleblocks files. Only works if xtables-addons are installed.
RAWPOST_RULES
Names of the iptables rawpost table rule files. Only works if xtables-addons are installed.
ENABLE_SECURITY
Enable or disable loading of the iptables security table configuration. Valid values are `0' or `1'.
IPT_SECURITY_TEMPLATES
Names of the iptables security table XML templates files.
SECURITY_RULEBLOCKS
Names of the iptables security table ruleblocks files.
SECURITY_RULES
Names of the iptables security table rule files.
IPSET_RULES
Names of the ipset rule files.
MODULE_DIR
Path to the kernel's module directory. Defaults to /lib/modules/$(uname -r).
MODULES_TO_LOAD
Select the kernel modules to load. Entries are separated by newlines.
Format:
module-name [parameters [...]]
MODS_TO_RM
Select the kernel modules to remove.
LOOPBACK_IF
Allowed values: A valid interface name. Defaults to `lo' if unset.
Purpose: Name of the loopback interface.
NET_INTERFACES
This variable must be configured with at least one interface. Any network interface except `lo' (localhost) may be put here.
If you use VPN software that creates an interface (named e.g. ipsec) you need to put it in as a separate entry. Otherwise use the available types:
ext | local | ipsec
ext = an external interface, local = a local interface, ipsec = an ipsec interface
Example:
Table 1. Configure networking interfaces
Interface name | Interface alias | Type[:ipsec] | Network name |
---|---|---|---|
eth0 | eth0 | ext:ipsec | INET_CON_X |
eth1 | eth1 | ext | INET_CON_Y |
eth2 | eth2 | local | PRODUCTION |
eth2 | eth2:0 | local | DEVELOPMENT |
eth3 | eth3 | local | DMZ |
ipsec0 | ipsec0 | ipsec | VPN_REMOTE_OFFICE |
SCRIPT_MAP
The purpose of this variable is to configure which scripts will run at which startup mode.
The format is (newline separates entries):
startup-parameter-name[,...] { prolog | epilog } script-name { prolog | epilog } script-name
Example:
start,restart prolog my_start_prolog-script epilog my_start_epilog-script
POLICY_MAP
The purpose of this variable is to configure the policy for builtin iptables chains.
The format is (newline separates entries):
table chain policy
Example:
filter INPUT DROP
filter OUTPUT ACCEPT
ALLOW_LOOPBACK
Allow communication to and from the loopback interface. Valid values: `0' or `1'.
ADMIN_CONNECTION
Define an administrative connection, which will be allowed under certain conditions. The configured values are used only if the environment variable $SSH_CONNECTION is not available; otherwise the values taken from $SSH_CONNECTION are always used. The connection is allowed:
When IP-Array enters lockdown mode in start mode.
In restore mode, if ipset is used.
In lockdown mode.
On a fail condition (an error occurred while applying a ruleset).
The format is:
admin_source-IP local_destination-IP local_destination-port
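The precedence described above (values from $SSH_CONNECTION win, ADMIN_CONNECTION is the fallback) is easy to get wrong and the penalty is locking yourself out of the host. The following is an added illustration written for this page, not ip-array's own code: it resolves the administrative triple from the two sources, refuses malformed input, and prints the allow rule as text for review. The sample ADMIN_CONNECTION value is constructed, and the "-I INPUT 1" rule layout is an assumption, since this page does not show how ip-array itself places the rule.

```shell
#!/bin/sh
# Added illustration, not ip-array's own code. Resolves the administrative
# connection the way the ADMIN_CONNECTION entry describes: when
# $SSH_CONNECTION is present its values win, otherwise ADMIN_CONNECTION is
# used. The rule is printed as text for review; the "-I INPUT 1" layout is
# an assumption, not ip-array's documented behaviour.

ADMIN_CONNECTION="192.0.2.10 198.51.100.1 22"   # constructed sample: src dst port

# Prints "admin-source local-destination local-port", or fails when neither
# source yields a usable triple (failing loudly beats building a rule from
# garbage and locking yourself out).
admin_triple() {
    if [ -n "$SSH_CONNECTION" ]; then
        # sshd sets: client_ip client_port server_ip server_port
        set -- $SSH_CONNECTION
        [ $# -eq 4 ] || { echo "malformed SSH_CONNECTION: $SSH_CONNECTION" >&2; return 1; }
        printf '%s %s %s\n' "$1" "$3" "$4"
    else
        set -- $ADMIN_CONNECTION
        [ $# -eq 3 ] || { echo "ADMIN_CONNECTION needs 3 fields, got $#" >&2; return 1; }
        printf '%s %s %s\n' "$1" "$2" "$3"
    fi
}

# The rule that keeps the admin session reachable while the ruleset is being
# rebuilt. Inserted at position 1 of INPUT so that nothing applied later, and
# no DROP policy, can shadow it.
admin_allow_rule() {
    triple=$(admin_triple) || return 1
    set -- $triple
    printf 'iptables -I INPUT 1 -s %s -d %s -p tcp --dport %s -j ACCEPT\n' "$1" "$2" "$3"
}

admin_allow_rule
```

Run it from the SSH session you administer the host from and compare the printed rule with the session you expect to survive; if $SSH_CONNECTION is unset (console, cron, sudo with a scrubbed environment) the static ADMIN_CONNECTION triple is what protects you.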
CHAIN_MAP
The purpose of this variable is to create custom iptables chains.
The format is (newline separates entries):
table chain-name [...]
Example:
filter chain1 chain2
mangle mchain1 mchain2
JUMP_TREE
The purpose of this variable is to create an automated jump tree of iptables chains.
The format is:
{ none | interface | netname | netname+interface } { table-name [...] | all }
`none' disables jump tree creation (undefined variable does the same).
`interface' means to create a jump tree categorised by interfaces.
`netname' means to create a jump tree categorised by networks.
`netname+interface' means to create a jump tree categorised by interfaces and their networks.
`table-name' defines in which table the jump tree will be created. A value of `all' will cause creation in all tables.
Examples:
JUMP_TREE="interface filter mangle"
JUMP_TREE="netname all"
JUMP_TREE_CHAINS_CREATE_ALL
Valid values: `0' or `1'.
Enable or disable automatic creation of all jump tree chains.
REMOVE_EMPTY_CHAINS
Valid values: `0' or `1'.
Remove empty chains after applying the ruleset.
REMOVE_UNREF_CHAINS
Valid values: `0' or `1'.
Remove unreferenced chains after applying the ruleset.
KNOWN_TRAFFIC_MAP
This allows defining which rules are created, and where, to deal with the return traffic identified by the connection tracker. The format is (newline separates entries):
chain [ state ] [ top | bottom ]
state can be either E, R or ER (ESTABLISHED, RELATED, or ESTABLISHED and RELATED). top or bottom define whether the rule should be placed at the top or at the bottom of the rule stack.
REVERSE_INPUT_RULES_REQUIRED
Valid values: `0' or `1'.
In a ruleblock which uses a template definition that uses the reverse (return) mode to generate bidirectional rules, define whether those rules are needed (i.e. KNOWN_TRAFFIC_MAP is not used). This applies to traffic entering the INPUT chain.
REVERSE_FORWARD_RULES_REQUIRED
Valid values: `0' or `1'.
In a ruleblock which uses a template definition that uses the reverse (return) mode to generate bidirectional rules, define whether those rules are needed (i.e. KNOWN_TRAFFIC_MAP is not used). This applies to traffic entering the FORWARD chain.
FINAL_RULE_MAP
Define a terminating rule for custom or builtin chains. Format:
chain action [ limit ] [ burst ] [ log-level ] [ log-options ]
chain = the name of the chain. action = one of: log, drop, reject, logdrop, logreject. For the other fields see the help for the iptables arguments (ip-array show -sc ipt_args:limit,log-level,log-options). The default value for limit is defined with GLOBAL_LOGLIMIT and the default for burst with GLOBAL_BURSTLIMIT.
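POLICY_MAP, KNOWN_TRAFFIC_MAP and FINAL_RULE_MAP (above) are the three entries that decide what happens to a packet no explicit rule matched, so it pays to see the iptables commands they stand for before a ruleset is applied. The following is an added example written for this page, not ip-array's own code: it parses sample values in the three formats and prints the corresponding iptables commands, validates the fields, and honours the USE_M_CONNTRACK switch described further down. The sample map values are constructed; the defaults applied when a field is omitted (state ER, position bottom) and the log-prefix layout "LOG_PREFIX chain: " are assumptions, since the page does not state them.

```shell
#!/bin/sh
# Added illustration, not ip-array's own code: renders the POLICY_MAP,
# KNOWN_TRAFFIC_MAP and FINAL_RULE_MAP formats into the iptables commands
# they describe, so a ruleset can be reviewed before it is applied.
# Assumptions not stated on the page: state ER and position bottom when
# omitted, and the "LOG_PREFIX chain: " prefix layout.

GLOBAL_LOGLIMIT="1/s"     # page default
GLOBAL_BURSTLIMIT="3"     # page default
GLOBAL_LOGLEVL="info"     # page default
LOG_PREFIX="ipa"          # keep it short: the LOG target takes at most 29 characters
USE_M_CONNTRACK=1

# Constructed sample values in the page's formats (one entry per line).
POLICY_MAP="filter INPUT DROP
filter FORWARD DROP
filter OUTPUT ACCEPT"
KNOWN_TRAFFIC_MAP="INPUT ER top
FORWARD E bottom"
FINAL_RULE_MAP="INPUT logdrop
FORWARD logreject 5/m 10 warning
OUTPUT drop"

# POLICY_MAP: "table chain policy". A builtin chain's policy can only be
# ACCEPT or DROP; anything else is a configuration error.
render_policy_map() {
    printf '%s\n' "$POLICY_MAP" | while read -r table chain policy; do
        [ -n "$table" ] || continue
        case "$policy" in
            ACCEPT|DROP) ;;
            *) echo "POLICY_MAP: invalid policy '$policy' for $table/$chain" >&2; exit 1 ;;
        esac
        printf 'iptables -t %s -P %s %s\n' "$table" "$chain" "$policy"
    done
}

# KNOWN_TRAFFIC_MAP: "chain [E|R|ER] [top|bottom]". top inserts at position 1,
# bottom appends. USE_M_CONNTRACK selects -m conntrack over the older -m state.
render_known_traffic_map() {
    printf '%s\n' "$KNOWN_TRAFFIC_MAP" | while read -r chain state pos; do
        [ -n "$chain" ] || continue
        case "${state:-ER}" in
            E)  states=ESTABLISHED ;;
            R)  states=RELATED ;;
            ER) states=ESTABLISHED,RELATED ;;
            *)  echo "KNOWN_TRAFFIC_MAP: invalid state '$state'" >&2; exit 1 ;;
        esac
        if [ "$USE_M_CONNTRACK" = 1 ]; then match="-m conntrack --ctstate $states"
        else match="-m state --state $states"; fi
        if [ "${pos:-bottom}" = top ]; then
            printf 'iptables -I %s 1 %s -j ACCEPT\n' "$chain" "$match"
        else
            printf 'iptables -A %s %s -j ACCEPT\n' "$chain" "$match"
        fi
    done
}

# The LOG target silently truncates prefixes longer than 29 characters, so
# refuse a LOG_PREFIX that does not fit together with the chain name.
check_log_prefix() {
    prefix="$1 $2: "
    [ "${#prefix}" -le 29 ]
}

# FINAL_RULE_MAP: "chain action [limit] [burst] [log-level] [log-options]"
# with action in log, drop, reject, logdrop, logreject. Missing limit, burst
# and level fall back to the GLOBAL_* values, as the page states.
render_final_rule_map() {
    printf '%s\n' "$FINAL_RULE_MAP" | while read -r chain action limit burst level opts; do
        [ -n "$chain" ] || continue
        case "$action" in
            log|logdrop|logreject)
                check_log_prefix "$LOG_PREFIX" "$chain" || { echo "LOG_PREFIX too long for $chain" >&2; exit 1; }
                printf 'iptables -A %s -m limit --limit %s --limit-burst %s -j LOG --log-level %s --log-prefix "%s %s: "%s\n' \
                    "$chain" "${limit:-$GLOBAL_LOGLIMIT}" "${burst:-$GLOBAL_BURSTLIMIT}" \
                    "${level:-$GLOBAL_LOGLEVL}" "$LOG_PREFIX" "$chain" "${opts:+ $opts}" ;;
        esac
        case "$action" in
            drop|logdrop)     printf 'iptables -A %s -j DROP\n' "$chain" ;;
            reject|logreject) printf 'iptables -A %s -j REJECT\n' "$chain" ;;
            log) ;;
            *) echo "FINAL_RULE_MAP: invalid action '$action'" >&2; exit 1 ;;
        esac
    done
}

render_policy_map
render_known_traffic_map
render_final_rule_map
```

The rendering order mirrors what matters in practice: the policy is the last resort, the KNOWN_TRAFFIC_MAP rule placed at the top of INPUT keeps established sessions alive regardless of what follows, and the FINAL_RULE_MAP entry is the rate-limited log-then-drop at the end of each chain. A log prefix that exceeds 29 characters is rejected rather than silently cut, because a truncated prefix is exactly the kind of thing a detection rule keyed on the prefix string will miss.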
LOG_INVALID
Valid values: `0' or `1'.
Log packets in invalid state. The logging options are defined with the global log options.
BLOCK_INVALID
Valid values: `0' or `1'.
Drop packets in invalid state.
LOG_ILLEGAL
Valid values: `0' or `1'.
Log illegal TCP packets. The logging options are defined with the global log options.
BLOCK_ILLEGAL
Valid values: `0' or `1'.
Drop illegal TCP packets.
LAN_FTP
Select the LAN interfaces from which FTP traffic is permitted. Format (whitespace separates entries):
lan-interface|netname[:external-interface|netname][:active|passive|all|none] [...]
e.g. eth1:eth0:active, eth2 or LAN::passive
LAN_NS
Allow DNS (udp and tcp) traffic from name servers inside one or more local networks to ISP name servers. Needs both the LAN_NS and ISP_NS variables to be defined. Purpose: Define name servers (DNS) that are part of a local area network.
Table 2. Local (LAN) name servers
Network name | Name server IP address | [Name server MAC address] |
---|---|---|
DMZ | 10.11.11.11 | AA:BB:CC:DD:EE:FF |
DMZ | 10.11.11.12 | |
ISP_NS
Allow DNS (udp and tcp) traffic from name servers inside one or more local networks to ISP name servers. Needs both the LAN_NS and ISP_NS variables to be defined. Purpose: Define the Internet service provider name servers (DNS) for each local area network.
Table 3. ISP name servers
Network name | ISP name server IP address[,...] | [External network interface] |
---|---|---|
PRODUCTION | 123.12.12.22,123.12.12.23 | eth1 |
DEVELOPMENT | 124.13.13.23,124.13.13.24 | |
ISP_SMTP
Allow SMTP traffic from inside one or more local networks to SMTP mail servers. Needs the lan_isp_smtp public function to be called in the rule file.
Table 4. ISP SMTP servers
Network name | ISP mail server IP address[,...] | [External network name] |
---|---|---|
PRODUCTION | 123.12.12.90,123.12.12.91 | INET_CON_ISP_X |
DEVELOPMENT | 125.25.25.5,125.25.25.6 | INET_CON_ISP_Y |
DMZ | 126.26.26.6,128.28.28.8 | |
RESTRICT_OUTPUT
Valid values: `0', `1', `IFBOUND' or `IPBOUND'.
If the policy for the OUTPUT chain is set to DROP, additional allow rules may be applied. A value of `1' will allow other configurations like allow rules for local name or time servers. A value of `IFBOUND' will create OUTPUT allow rules per interface, e.g. -A OUTPUT -o eth0 -j ACCEPT, while setting it to `IPBOUND' will cause creation of one allow rule per IP address configured on each interface.
REST_OUT_DNS_ALLOW
Valid values: `0' or `1'.
If RESTRICT_OUTPUT is set to `1' and the policy of the OUTPUT chain is DROP, then rules will be created to allow traffic from localhost to its name servers.
LOCAL_NS
Purpose: Define the name servers (DNS) of the local system (most likely those configured in /etc/resolv.conf).
If set to `auto', then IP-Array will try to read the name servers from /etc/resolv.conf. Otherwise the following formatting is used:
Table 5. Local name servers (resolv.conf)
Name server IP address[,...] | [External network name] |
---|---|
123.12.12.22,123.12.12.23 | INET_CON_ISP_X |
124.13.13.23,124.13.13.24 | |
REST_OUT_NTP_ALLOW
Valid values: `0' or `1'.
If RESTRICT_OUTPUT is set to `1' and the policy of the OUTPUT chain is DROP, then rules will be created to allow traffic from localhost to its time servers.
TIME_SERVERS
Purpose: Define the time servers (NTP) that the local system sends requests to.
If set to `auto', then IP-Array will try to read the NTP servers from /etc/ntp.conf. Note that host names are not supported! Otherwise the following formatting is used:
Table 6. Local NTP servers
NTP server IP address[,...] | [External network name] |
---|---|
11.12.13.14,12.13.14.15 | INET_CON_ISP_X |
99.99.99.9,99.99.99.10 | |
REST_OUT_LAN_ALLOW
Valid values: "lan-interface [...]".
If RESTRICT_OUTPUT is set to `1' and the policy of the OUTPUT chain is DROP, then rules will be created to allow traffic to the subnets configured on the listed interfaces.
REST_ALLOW_RELATED
Valid values: `0' or `1'.
If RESTRICT_OUTPUT is set to `IFBOUND' or `IPBOUND' and the policy of the OUTPUT chain is DROP, setting this variable to `0' will allow only traffic in ESTABLISHED state, while setting it to `1' will allow traffic in ESTABLISHED and RELATED state.
DROP_DHCP
Drop DHCP broadcasts on certain interfaces. Allowed values are interface names.
DROP_UPNP
Drop UPnP broadcasts on certain interfaces. Allowed values are interface names.
LOG_PREFIX
A prefix for iptables log entries.
Use a short value: the iptables LOG target accepts a prefix of at most 29 characters, and log entries have a limited length.
GLOBAL_LOGLIMIT
An iptables logging limit parameter that will be used globally, wherever it's not specified / requested differently. Defaults to 1/s (1 per second).
GLOBAL_BURSTLIMIT
An iptables logging limit-burst parameter that will be used globally, wherever it's not specified / requested differently. Defaults to `3'.
GLOBAL_LOGLEVL
Valid values are: alert, crit, debug, emerg, err, info, notice and warning. Defaults to `info'.
An iptables logging loglevel parameter that will be used globally, wherever it's not specified / requested differently.
ENABLE_IPSEC
Valid values: `0' or `1'.
Enable or disable the IPSEC rules.
ALLOW_ALL_BRANCH
Valid values: `0' or `1'.
Allow all traffic between all VPN branches.
LOCAL_BRANCH
Allowed values: Characters of class [:word:] (alphanumeric and the `_' (underline) character).
Purpose: Set name of the local VPN branch.
IPSEC_RULES
The IPSEC rule files.
VPN_MAP
This variable holds the vpn branch data.
The VPN_MAP variable is structured as follows (example data provided):
Table 7. VPN_MAP structure
Branch name | External IP address | LAN address/mask | LAN interface IP address |
---|---|---|---|
local_branch | 188.88.88.8 | 192.168.1.0/24 | 192.168.1.1 |
remote_branch_01 | 177.77.77.7 | 10.1.1.0/24 | 10.1.1.1 |
remote_branch_02 | 166.66.66.6 | 172.16.1.0/24 | 172.16.1.1 |
ENABLE_TC_SHAPING
Valid values: `0' or `1'.
Enable or disable traffic shaping rules.
TC_MARK_RULES
Files holding the iptables MARK and CLASSIFY rules for the traffic shaping.
OUTPUT_BULK
Formatting:
output-interface:mark [...]
Put the matching packets into the output bulk queueing discipline (qdisc).
FORWARD_BULK
Formatting:
input-interface,output-interface:mark [...]
Put the matching packets into the forward bulk queueing discipline (qdisc).
PRIORITIZE_SYN
Valid values: `0' or `1'.
Prioritize TCP SYN packets in traffic shaping.
EXIT_ON_ERROR
Valid values: `0' or `1'.
If enabled, IP-Array will exit on all error conditions (configuration errors, command apply errors, etc.). Otherwise it will continue and will only exit on hard errors.
RULE_PLACEHOLDER
Valid values: `_' (underscore), `-' (dash), `.' (dot), `,' (comma). Defaults to `_' (underscore).
Use this character as a placeholder for a field of a ruleblock entry that is not set.
USE_M_CONNTRACK
Valid values: `0' or `1'.
Always use the iptables match extension conntrack in favour of the state match.
NFACCT_OBJ_MAP
Netfilter accounting objects (nfacct)
Format:
nfacct-name [...]