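# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Layout: variable definitions first, then the filter table (INPUT / OUTPUT /
# FORWARD plus the two helper chains "whitelist" and "knock"), then the SNAT
# rule for private VMs.  Per-host overrides come from the three
# include-by-hostname pipes (config.d, pre.d, post.d), which are executed as
# scripts and can redefine any of the variables below before they are used.
#
# Review changes in this revision (behaviour):
#   - SSH/whitelisted ports forwarded to the *private* VMs from the WAN
#     interface are now gated through chain whitelist + port knocking, the
#     same way the public VMs and the host itself already are, instead of
#     being ACCEPTed unconditionally.
# Everything else is unchanged; the remaining notes are comments only.

@hook pre "#";
@hook pre "# Entr'ouvert firewall config, generated by ferm";
@hook pre "#";

@def $IP_WAN = 176.31.123.109;
@def $DEV_WAN = eth0;

# guests : virtual machines
@def $NET_VMS = 178.33.6.208/28;
@def $DEV_VMS = vmbr1;
@def $NET_VMS_PRIVATE = 192.168.0.0/16;
@def $DEV_VMS_PRIVATE = venet0;

# whitelisted services = IP and port knocking
#
# NOTE(review): the backtick runs a shell command at ferm load time and the
# output becomes the source addresses of the ACCEPT in chain whitelist.
# /etc/firewall/default_eo must therefore be owned by root and not writable
# by anyone else (whoever can edit it can whitelist themselves).  Also check
# with `ferm -n -l` what a missing or empty file produces: $WHITELIST_IPS
# must never collapse into a saddr-less, i.e. unconditional, ACCEPT.
@def $EO_WHITELIST_IPS = `bash -c '. /etc/firewall/default_eo ; echo ${WHITELIST_EO[@]}'`;
@def $WHITELIST_IPS = ($EO_WHITELIST_IPS);

# port knocking sequence: $KNOCK1 -> $KNOCK2 -> $KNOCK3, each step within
# 3 seconds of the previous one (see chain knock).
@def $KNOCK1 = 100;
@def $KNOCK2 = 200;
@def $KNOCK3 = 301;

# WAN services
@def $DNS_ON_WAN = 1;
@def $WEB_ON_WAN = (80 443); # HTTP, HTTPS
@def $MAIL_ON_WAN = (25 587 993 995 4190); # SMTP, submission, IMAPS, POPS, SIEVE
@def $WHITELIST_WAN = (ssh 8006 3128 5900:5999); # SSH + proxmox (8006=web, 3128=spice, 5900:5999=vnc)

# global VMS services
@def $WEB_ON_VMS = (80 443);
@def $WHITELIST_VMS = (ssh);

# supervision servers (munin, nagios)
@def $SUPERVISORS = (212.85.154.22 88.190.46.145);

@include './include-by-hostname config.d|';
@include './include-by-hostname pre.d|';

# $VMS = 1 if there are VMs with public IPs
@def $VMS = 0;
@if $NET_VMS @if $DEV_VMS @def $VMS = 1;

# $VMS = 1 if there are VMs with private IPs
@def $VMS_PRIVATE = 0;
@if $NET_VMS_PRIVATE @if $DEV_VMS_PRIVATE @def $VMS_PRIVATE = 1;

# output some debug informations
@hook post "# VMS = $VMS";
@hook post "# VMS_PRIVATE = $VMS_PRIVATE";

table filter {
    chain INPUT {
        policy DROP;

        # allow all local traffic
        interface lo ACCEPT;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # accept ping request
        proto icmp icmp-type echo-request ACCEPT;

        # local services
        daddr $IP_WAN mod state state NEW {
            # DNS requests
            @if $DNS_ON_WAN proto (udp tcp) dport 53 mod comment comment "DNS on WAN" ACCEPT;

            # Web
            @if $WEB_ON_WAN proto tcp mod multiport destination-ports $WEB_ON_WAN mod comment comment "Web on WAN" ACCEPT;

            # Mail
            @if $MAIL_ON_WAN proto tcp mod multiport destination-ports $MAIL_ON_WAN mod comment comment "Mail services on WAN" ACCEPT;

            # munin & nagios
            @if $SUPERVISORS saddr $SUPERVISORS proto tcp mod multiport destination-ports (4949 5666) mod comment comment "Munin&Nagios on WAN" ACCEPT;

            # allow connections (SSH, proxmox, etc.) from whitelisted IPs
            # or from a source that completed the knock sequence; anything
            # else falls through (and is eventually dropped by the policy).
            proto tcp mod multiport destination-ports $WHITELIST_WAN jump whitelist;
        }

        # port knocking interception: every other TCP packet to the WAN
        # address is fed to chain knock, which only records state and never
        # accepts anything itself.
        interface $DEV_WAN daddr $IP_WAN protocol tcp jump knock;
    }

    chain OUTPUT {
        policy DROP;

        # allow all local traffic
        interface lo ACCEPT;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # NOTE(review): outbound SMTP (tcp/25) is absent from this list while
        # the host accepts mail on $MAIL_ON_WAN, so outgoing mail delivery
        # from this host is dropped unless a pre.d/post.d include adds it
        # (same for NTP, udp/123) — confirm against the actual mail setup.
        proto tcp mod multiport destination-ports (53 22 80 443) mod state state NEW ACCEPT;
        proto udp dport 53 mod state state NEW ACCEPT;
        proto icmp icmp-type echo-request ACCEPT;
    }

    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # accept ping request
        proto icmp icmp-type echo-request ACCEPT;

        # from VMS to Internet: dns, ssh, web, ldap/ldaps, ping
        # (no saddr/interface restriction: anything routed out through the
        # WAN interface matches, which in practice means the VM bridges.)
        outerface $DEV_WAN {
            proto tcp mod multiport destination-ports (53 22 80 389 443 636) mod state state NEW ACCEPT;
            proto udp dport 53 mod state state NEW ACCEPT;
            proto icmp icmp-type echo-request ACCEPT;
        }

        # Web on VMs
        @if $WEB_ON_VMS protocol tcp mod comment comment "Web on VMs" mod multiport destination-ports $WEB_ON_VMS mod state state NEW {
            @if $VMS daddr $NET_VMS outerface $DEV_VMS ACCEPT;
            @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE ACCEPT;
        }

        # private VMs
        @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE {
            # connections (SSH, etc.) arriving on the WAN interface.  Traffic
            # the host itself originates never passes FORWARD, so
            # "interface $DEV_WAN" here means DNAT'd traffic from the
            # Internet: gate it through the whitelist + port knocking exactly
            # like the public VMs below, rather than accepting from any source.
            @if $WHITELIST_VMS interface $DEV_WAN protocol tcp {
                mod multiport destination-ports $WHITELIST_VMS mod state state NEW jump whitelist;
                jump knock;
            }
        }

        # public VMs
        @if $VMS daddr $NET_VMS outerface $DEV_VMS {
            # nagios
            @if $SUPERVISORS saddr $SUPERVISORS protocol tcp mod multiport destination-ports (4949 5666) mod state state NEW mod comment comment "Munin&Nagios on VMs" ACCEPT;

            # connections (SSH, etc.) from whitelisted IPs
            # + port knocking
            @if $WHITELIST_VMS protocol tcp {
                mod multiport destination-ports $WHITELIST_VMS mod state state NEW jump whitelist;
                jump knock;
            }
        }
    }

    # accept from EO & port-knock source IP
    # A source that completed the knock sequence is accepted for 15 seconds;
    # a connection opened inside that window survives it thanks to the
    # ESTABLISHED/RELATED rules at the top of each chain.
    chain whitelist {
        saddr $WHITELIST_IPS ACCEPT;
        mod recent rcheck name "knock3" seconds 15 ACCEPT;
    }

    # port knocking (add IP in the whitelist for 15 seconds)
    #
    # Caveat: state is only advanced, never reset, when a packet hits a
    # non-knock port, so a sequential scan that happens to touch $KNOCK1,
    # $KNOCK2 and $KNOCK3 in order within the 3-second windows opens the
    # door too.  Knocking is an obscurity layer in front of services that
    # must still authenticate on their own; it is not access control.
    chain knock {
        protocol tcp {
            dport $KNOCK1 mod recent set name "knock1" NOP;
            dport $KNOCK2 mod recent rcheck name "knock1" seconds 3 @subchain "knock2" {
                mod recent name "knock1" remove NOP;
                mod recent name "knock2" set NOP;
            }
            dport $KNOCK3 mod recent rcheck name "knock2" seconds 3 @subchain "knock3" {
                mod recent name "knock2" remove NOP;
                mod recent name "knock3" set NOP;
            }
        }
    }
}

# SNAT for private VMs
@if $VMS_PRIVATE table nat chain POSTROUTING saddr $NET_VMS_PRIVATE outerface $DEV_WAN SNAT to $IP_WAN;

@include './include-by-hostname post.d|';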