Name

ip-array.conf — Configure the main configuration file of ip-array (default: ip-array.conf)

Synopsis

/etc/ip-array/{stable|test}/conf.d/ip-array.conf

Description

This file is the main configuration file of ip-array. It holds all the variables needed to find the other configuration files and many settings about the host and what to configure.

Variables

CONFIG_FILES

Names of the configuration files, which will be loaded in order of appearance, e.g. CONFIG_FILES="aliases.conf global.conf".

Tip

This is the only variable that needs to be inside the main configuration file. All others can be placed into different files of your choice and should be listed in the above variable, in order to be sourced from there.

BASE_TEMPLATES

Names of the basic XML template files.

ENABLE_FILTER

Enable or disable loading of the iptables filter table configuration. Valid values are `0' or `1'.

IPT_FILTER_TEMPLATES

Names of the iptables filter table XML templates files.

FILTER_RULEBLOCKS

Names of the iptables filter table ruleblocks files.

FILTER_RULES

Names of the iptables filter table rule files.

ENABLE_MANGLE

Enable or disable loading of the iptables mangle table configuration. Valid values are `0' or `1'.

IPT_MANGLE_TEMPLATES

Names of the iptables mangle table XML templates files.

MANGLE_RULEBLOCKS

Names of the iptables mangle table ruleblocks files.

MANGLE_RULES

Names of the iptables mangle table rule files.

ENABLE_NAT

Enable or disable loading of the iptables nat table configuration. Valid values are `0' or `1'.

IPT_NAT_TEMPLATES

Names of the iptables nat table XML templates files.

NAT_RULEBLOCKS

Names of the iptables nat table ruleblocks files.

NAT_RULES

Names of the iptables nat table rule files.

ENABLE_RAW

Enable or disable loading of the iptables raw table configuration. Valid values are `0' or `1'.

IPT_RAW_TEMPLATES

Names of the iptables raw table XML templates files.

RAW_RULEBLOCKS

Names of the iptables raw table ruleblocks files.

RAW_RULES

Names of the iptables raw table rule files.

ENABLE_RAWPOST

Enable or disable loading of the iptables rawpost table configuration. Only works if xtables-addons are installed. Valid values are `0' or `1'.

IPT_RAWPOST_TEMPLATES

Names of the iptables rawpost table XML templates files. Only works if xtables-addons are installed.

RAWPOST_RULEBLOCKS

Names of the iptables rawpost table ruleblocks files. Only works if xtables-addons are installed.

RAWPOST_RULES

Names of the iptables rawpost table rule files. Only works if xtables-addons are installed.

ENABLE_SECURITY

Enable or disable loading of the iptables security table configuration. Valid values are `0' or `1'.

IPT_SECURITY_TEMPLATES

Names of the iptables security table XML templates files.

SECURITY_RULEBLOCKS

Names of the iptables security table ruleblocks files.

SECURITY_RULES

Names of the iptables security table rule files.

IPSET_RULES

Names of the ipset rule files.

MODULE_DIR

Path to the kernel's module directory. Defaults to /lib/modules/$(uname -r).

MODULES_TO_LOAD

Select the kernel modules to load. Entries are separated by newline.

Format:

module-name [parameters [...]]

MODS_TO_RM

Select the kernel modules to remove.

LOOPBACK_IF

Allowed values: A valid interface name. Defaults to `lo' if unset.

Purpose: Name of the loopback interface.

NET_INTERFACES

This variable must be configured with at least one interface. Any network interface but `lo' (localhost) may be put here.

If you use VPN software that creates its own interface (e.g. one named ipsec), you need to put it in as a separate entry. Otherwise use the available types:

ext | local | ipsec

ext = an external interface, local = a local interface, ipsec = an ipsec interface

Example:

Table 1. Configure networking interfaces

  Interface name  Interface alias  Type[:ipsec]  Network name
  eth0            eth0             ext:ipsec     INET_CON_X
  eth1            eth1             ext           INET_CON_Y
  eth2            eth2             local         PRODUCTION
  eth2            eth2:0           local         DEVELOPMENT
  eth3            eth3             local         DMZ
  ipsec0          ipsec0           ipsec         VPN_REMOTE_OFFICE

SCRIPT_MAP

The purpose of this variable is to configure which scripts will run at what startup mode.

The format is (newline separates entries):

startup-parameter-name[,...] { prolog | epilog } script-name { prolog | epilog } script-name

Example:

start,restart prolog my_start_prolog-script epilog my_start_epilog-script

POLICY_MAP

The purpose of this variable is to configure the policy for builtin iptables chains.

The format is (newline separates entries):

table chain policy

Example:

filter INPUT DROP

filter OUTPUT ACCEPT

ALLOW_LOOPBACK

Allow communication to and from the loopback interface. Valid values: `0' or `1'.

ADMIN_CONNECTION

Define an administrative connection, which will be allowed under certain conditions. The conditions are:

  • When the environment variable $SSH_CONNECTION is not available; if it is, its values are always used instead.

  • When IP-Array enters lockdown mode in start mode.

  • In restore mode, if ipset is used.

  • In lockdown mode.

  • On a fail condition (an error occurred while applying a ruleset).

The format is:

admin_source-IP local_destination-IP local_destination-port

CHAIN_MAP

The purpose of this variable is to create custom iptables chains.

The format is (newline separates entries):

table chain-name [...]

Example:

filter chain1 chain2

mangle mchain1 mchain2

JUMP_TREE

The purpose of this variable is to create an automated jump tree of iptables chains.

The format is:

{ none | interface | netname | netname+interface } { table-name [...] | all }

`none' disables jump tree creation (undefined variable does the same).

`interface' means to create a jump tree categorised by interfaces.

`netname' means to create a jump tree categorised by networks.

`netname+interface' means to create a jump tree categorised by interfaces and their networks.

`table' defines in which table the jump tree will be created. A value of `all' will cause creation in all tables.

Examples:

JUMP_TREE="interface filter mangle"

JUMP_TREE="netname all"

JUMP_TREE_CHAINS_CREATE_ALL

Valid values: `0' or `1'.

Enable or disable automatic creation of all jump tree chains.

REMOVE_EMPTY_CHAINS

Valid values: `0' or `1'.

Remove empty chains after applying the ruleset.

REMOVE_UNREF_CHAINS

Valid values: `0' or `1'.

Remove unreferenced chains after applying the ruleset.

KNOWN_TRAFFIC_MAP

This defines which rules are created, and where, for the return traffic identified by the connection tracker. The format is (newline separates entries):

chain [ state ] [ top | bottom ]

state can be either E, R or ER (ESTABLISHED, RELATED or ESTABLISHED and RELATED). top or bottom define whether the rule should be placed on top or bottom of the rule stack.

REVERSE_INPUT_RULES_REQUIRED

Valid values: `0' or `1'.

In a ruleblock which uses a template definition that uses the reverse (return) mode to generate bidirectional rules, define if those are needed (i.e. KNOWN_TRAFFIC_MAP is not used). This applies to traffic entering the INPUT chain.

REVERSE_FORWARD_RULES_REQUIRED

Valid values: `0' or `1'.

In a ruleblock which uses a template definition that uses the reverse (return) mode to generate bidirectional rules, define if those are needed (i.e. KNOWN_TRAFFIC_MAP is not used). This applies to traffic entering the FORWARD chain.

FINAL_RULE_MAP

Define a terminating rule for custom or builtin chains. Format:

chain action [ limit ] [ burst ] [ log-level ] [ log-options ]

chain = the name of the chain. action = one of: log, drop, reject, logdrop, logreject. See the help of the iptables arguments for the other entries (ip-array show -sc ipt_args:limit,log-level,log-options). The default value for limit is defined with GLOBAL_LOGLIMIT and the burst value uses the default of GLOBAL_BURSTLIMIT.
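The multi-line variables documented above (NET_INTERFACES, POLICY_MAP, ADMIN_CONNECTION, KNOWN_TRAFFIC_MAP, FINAL_RULE_MAP) combined into one default-deny fragment, as an added example that is not part of the ip-array project. It assumes the file is sourced as shell (as the single-line examples such as CONFIG_FILES="..." suggest) and that columns are whitespace-separated; the render_policy_map helper and the addresses are constructed for illustration.

```shell
# Added example (not ip-array's own code): a default-deny ip-array.conf
# fragment. Assumption: the file is sourced as shell and table columns
# are separated by whitespace.
CONFIG_FILES="aliases.conf global.conf"

# Table 1 layout: interface alias type[:ipsec] network-name
NET_INTERFACES="
eth0 eth0 ext INET_CON_X
eth1 eth1 local PRODUCTION
"

# Builtin chain policies (table chain policy): deny inbound and
# forwarded traffic by default, leave outbound open.
POLICY_MAP="
filter INPUT DROP
filter FORWARD DROP
filter OUTPUT ACCEPT
"

# Management host that stays reachable in lockdown / fail conditions:
# admin_source-IP local_destination-IP local_destination-port
# (constructed RFC 5737 documentation addresses)
ADMIN_CONNECTION="192.0.2.10 198.51.100.5 22"

# Return traffic via the connection tracker (ESTABLISHED and RELATED),
# placed at the top of the rule stack so it matches first.
KNOWN_TRAFFIC_MAP="
INPUT ER top
FORWARD ER top
"

# Terminating rules: log, then drop. limit and burst are omitted, so
# GLOBAL_LOGLIMIT and GLOBAL_BURSTLIMIT apply.
FINAL_RULE_MAP="
INPUT logdrop
FORWARD logdrop
"

# Hypothetical helper (not provided by ip-array): print the iptables
# policy commands that POLICY_MAP stands for, skipping blank lines.
# It only prints; nothing is applied to the running firewall.
render_policy_map() {
    printf '%s\n' "$POLICY_MAP" | while read -r table chain policy; do
        [ -n "$table" ] || continue
        printf 'iptables -t %s -P %s %s\n' "$table" "$chain" "$policy"
    done
}
```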

LOG_INVALID

Valid values: `0' or `1'.

Log packets in invalid state. The logging options are defined with the global log options.

BLOCK_INVALID

Valid values: `0' or `1'.

Drop packets in invalid state.

LOG_ILLEGAL

Valid values: `0' or `1'.

Log illegal TCP packets. The logging options are defined with the global log options.

BLOCK_ILLEGAL

Valid values: `0' or `1'.

Drop illegal TCP packets.

LAN_FTP

Select LAN interface from where FTP traffic is permitted. Format (whitespace separates entries):

lan-interface|netname[:external-interface|netname][:active|passive|all|none] [...]

e.g. eth1:eth0:active or eth2 or LAN::passive

LAN_NS

Allow DNS (udp and tcp) traffic from nameservers inside one or more local networks to ISP nameservers. Needs the LAN_NS and ISP_NS variables to be defined. Purpose: Define name servers (DNS) that are part of a local area network.

Table 2. Local (LAN) name servers

  Network name  Name server IP address  [Name server MAC address]
  DMZ           10.11.11.11             AA:BB:CC:DD:EE:FF
  DMZ           10.11.11.12

ISP_NS

Allow DNS (udp and tcp) traffic from nameservers inside one or more local networks to ISP nameservers. Needs the LAN_NS and ISP_NS variables to be defined. Purpose: Define the Internet service provider name servers (DNS), for each local area network.

Table 3. ISP name servers

  Network name  ISP name server IP address[,...]  [External network interface]
  PRODUCTION    123.12.12.22,123.12.12.23         eth1
  DEVELOPMENT   124.13.13.23,124.13.13.24

ISP_SMTP

Allow SMTP traffic from inside one or more local networks to SMTP mailservers. Needs the lan_isp_smtp public function to be called in the rule file.

Table 4. ISP SMTP servers

  Network name  ISP mail server IP address[,...]  [External network name]
  PRODUCTION    123.12.12.90,123.12.12.91         INET_CON_ISP_X
  DEVELOPMENT   125.25.25.5,125.25.25.6           INET_CON_ISP_Y
  DMZ           126.26.26.6,128.28.28.8

RESTRICT_OUTPUT

Valid values: `0', `1', `IFBOUND' or `IPBOUND'.

If the policy for the OUTPUT chain is set to DROP, additional allow rules may be applied. A value of `1' will allow other configurations, like allow rules for local name or time servers. A value of `IFBOUND' will create one OUTPUT allow rule per interface, e.g. -A OUTPUT -o eth0 -j ACCEPT, while setting it to `IPBOUND' will create one allow rule per IP address configured on each interface.

REST_OUT_DNS_ALLOW

Valid values: `0' or `1'.

If RESTRICT_OUTPUT is set to `1' and the policy of the OUTPUT chain is DROP, then rules will be created to allow traffic from localhost to the name servers.

LOCAL_NS

Purpose: Define the name servers (DNS) of the local system (most likely those configured in /etc/resolv.conf).

If set to `auto', then IP-Array will try to read the nameservers from /etc/resolv.conf. Otherwise the following formatting is used:

Table 5. Local name servers (resolv.conf)

  Name server IP address[,...]  [External network name]
  123.12.12.22,123.12.12.23     INET_CON_ISP_X
  124.13.13.23,124.13.13.24

REST_OUT_NTP_ALLOW

Valid values: `0' or `1'.

If RESTRICT_OUTPUT is set to `1' and the policy of the OUTPUT chain is DROP, then rules will be created to allow traffic from localhost to the time servers.

TIME_SERVERS

Purpose: Define time service request (NTP) of the local system.

If set to `auto', then IP-Array will try to read the NTP servers from /etc/ntp.conf. Note that host names are not supported! Otherwise the following formatting is used:

Table 6. Local NTP servers

  NTP server IP address[,...]  [External network name]
  11.12.13.14,12.13.14.15      INET_CON_ISP_X
  99.99.99.9,99.99.99.10

REST_OUT_LAN_ALLOW

Valid values: "lan-interface [...]".

If RESTRICT_OUTPUT is set to `1' and the policy of the OUTPUT chain is DROP, then rules will be created to allow traffic to the subnets configured on the listed interfaces.

REST_ALLOW_RELATED

Valid values: `0' or `1'.

If RESTRICT_OUTPUT is set to `IFBOUND' or `IPBOUND' and the policy of the OUTPUT chain is DROP, setting this variable to `0' will allow only traffic in ESTABLISHED state, while setting it to `1' will allow traffic in ESTABLISHED and RELATED state.

DROP_DHCP

Drop DHCP broadcasts to certain interfaces. Allowed values are interface-names.

DROP_UPNP

Drop UPNP broadcasts to certain interfaces. Allowed values are interface-names.

LOG_PREFIX

A prefix for iptables log entries.

Tip

Use a short value; log entries have a limited length.

GLOBAL_LOGLIMIT

An iptables logging limit parameter that will be used globally, wherever it's not specified / requested differently. Defaults to 1/s (1 per second).

GLOBAL_BURSTLIMIT

An iptables logging limit-burst parameter that will be used globally, wherever it's not specified / requested differently. Defaults to `3'.

GLOBAL_LOGLEVL

Valid values are: alert, crit, debug, emerg, err, info, notice and warning. Defaults to `info'.

An iptables logging loglevel parameter that will be used globally, wherever it's not specified / requested differently.

ENABLE_IPSEC

Valid values: `0' or `1'.

Enable or disable the IPSEC rules.

ALLOW_ALL_BRANCH

Valid values: `0' or `1'.

Allow all traffic between all VPN branches.

LOCAL_BRANCH

Allowed values: Characters of class [:word:] (alphanumeric and the `_' (underline) character).

Purpose: Set name of the local VPN branch.

IPSEC_RULES

The IPSEC rule files.

VPN_MAP

This variable holds the vpn branch data.

The VPN_MAP variable is structured as follows (example data provided):

Table 7. VPN_MAP structure

  Branch name       External IP address  LAN address/mask  LAN interface IP address
  local_branch      188.88.88.8          192.168.1.0/24    192.168.1.1
  remote_branch_01  177.77.77.7          10.1.1.0/24       10.1.1.1
  remote_branch_02  166.66.66.6          172.16.1.0/24     172.16.1.1

ENABLE_TC_SHAPING

Valid values: `0' or `1'.

Enable or disable traffic shaping rules.

TC_MARK_RULES

Files holding the iptables MARK and CLASSIFY rules for the traffic shaping.

OUTPUT_BULK

Formatting:

output-interface:mark [...]

Put the matching packets into the output bulk queue disc.

FORWARD_BULK

Formatting:

input-interface,output-interface:mark [...]

Put the matching packets into the forward bulk queue disc.

PRIORITIZE_SYN

Valid values: `0' or `1'.

Prioritize TCP SYN packets in traffic shaping.

EXIT_ON_ERROR

Valid values: `0' or `1'.

If enabled, IP-Array will exit on all error conditions (configuration errors, command apply errors, etc.). Otherwise it will continue and will only exit on hard errors.

RULE_PLACEHOLDER

Valid values: `_' (underscore), `-' (dash), `.' (dot), `,' (comma). Defaults to `_' (underscore).

If a rule entry in a ruleblock will not be set, use this character as placeholder.

USE_M_CONNTRACK

Valid values: `0' or `1'.

Always use the iptables match extension conntrack in favour of the state match.

NFACCT_OBJ_MAP

Netfilter accounting objects (nfacct)

Format:

nfacct-name [...]

SYSCTL_RULES

Names of the files holding the sysctl rules.

SYSCTL_CONNTRACK_MAX

Maximum number of connections to track (conntrack). This can also be set in your sysctl rules, but this variable is here to allow automatic calculation.

Formatting:

value (integer) | (x|X)factor (factor = integer)

Using (x|X)factor, the conntrack max value will be calculated automatically and then multiplied by factor (e.g. x2 doubles the auto value).

See also

ip-array(8), ip-array_defaults.conf(8), ip-array_ruleblocks(5), ip-array_rulefiles(5), ip-array_sysctl_rules(5), ip-array_templates(5)