# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Entr'ouvert host firewall.  ferm compiles this file into iptables rules:
# the filter table (INPUT/OUTPUT/FORWARD plus two helper chains, "whitelist"
# and "knock") and, when private VMs are configured, one SNAT rule in the
# nat table.  Host-specific values and additional rules come from the
# config.d/, pre.d/ and post.d/ fragments pulled in by include-by-hostname
# (see the @include lines).
#
# Reviewer remarks are marked NOTE(review).

# Pre-hooks are shell commands that ferm runs before applying the rules.
# These three are shell comments, i.e. no-ops when executed; presumably
# they are meant to show up as a banner in ferm's script output
# (--lines / --shell) -- TODO confirm.
@hook pre "#";
@hook pre "# Entr'ouvert firewall config, generated by ferm";
@hook pre "#";

# Host's public address and interface.  Both scope every INPUT rule
# below: only traffic to $IP_WAN arriving on $DEV_WAN can reach a local
# service.
@def $IP_WAN = 176.31.123.109;
@def $DEV_WAN = eth0;

# guests : virtual machines
# Two VM populations: routed VMs with public addresses on $DEV_VMS, and
# RFC 1918 VMs on $DEV_VMS_PRIVATE that leave through the SNAT rule at the
# end of this file.  When either value of a pair is empty the rules for
# that population are skipped (see $VMS / $VMS_PRIVATE below).
@def $NET_VMS = 178.33.6.208/28;
@def $DEV_VMS = vmbr1;
@def $NET_VMS_PRIVATE = 192.168.0.0/16;
@def $DEV_VMS_PRIVATE = venet0;

# whitelisted services: reachable from the listed source IPs, or from any
# source that has completed the port-knock sequence (chains knock/whitelist).
#
# The backticks run a shell command at load time (normally as root, since
# ferm applies the rules) and split its output into a list, so
# /etc/firewall/default_eo is *executed*, not just read: it must be owned
# by root and writable by nobody else -- TODO confirm ownership/mode.
# If the file is missing or WHITELIST_EO is unset the list is empty; check
# what ferm does with an empty saddr list in chain whitelist (skip the
# rule or abort) before relying on that path.
@def $EO_WHITELIST_IPS = `bash -c '. /etc/firewall/default_eo ; echo ${WHITELIST_EO[@]}'`;
@def $WHITELIST_IPS = ($EO_WHITELIST_IPS);

# Knock sequence: TCP to $KNOCK1, then $KNOCK2, then $KNOCK3, each within
# 3 s of the previous one (chain knock); success whitelists the source
# address for 15 s (chain whitelist).
# NOTE(review): the ports are ascending and a wrong port never resets the
# sequence, so a fast ascending port sweep that passes 100, 200 and 301
# would also complete it.  A non-monotonic order plus a reset rule
# (remove "knock1"/"knock2" on any other port) would make the sequence
# meaningful.
@def $KNOCK1 = 100;
@def $KNOCK2 = 200;
@def $KNOCK3 = 301;

# WAN services
# Each variable gates its rule with @if: set it to 0 / an empty list to
# disable the service (ferm's @if treats 0 and empty as false).
@def $DNS_ON_WAN = 1;
@def $WEB_ON_WAN = (80 443); # HTTP, HTTPS
@def $MAIL_ON_WAN = (25 587 993 995 4190); # SMTP, submission, IMAPS, POPS, SIEVE
@def $WHITELIST_WAN = (ssh 8006 3128 5900:5999); # SSH + proxmox (8006=web, 3128=spice, 5900:5999=vnc)

# global VMS services
# Forwarded ports open towards the VMs; $WHITELIST_VMS is additionally
# gated by chain whitelist for public VMs only (see chain FORWARD).
@def $WEB_ON_VMS = (80 443);
@def $WHITELIST_VMS = (ssh);

# supervision servers (munin, nagios)
# Only these sources may reach munin-node (4949) and NRPE (5666) on the
# host and on public VMs.
@def $SUPERVISORS = (212.85.154.22 88.190.46.145);

# The trailing '|' makes ferm run the command and parse its output as ferm
# syntax, with ferm's privileges.  include-by-hostname lives next to this
# file and presumably selects the fragments of config.d/ (variable
# overrides) and pre.d/ (rules applied before the ones below) that match
# this host -- see that script.
@include './include-by-hostname config.d|';
@include './include-by-hostname pre.d|';

# $VMS = 1 if there are VMs with public IPs
@def $VMS = 0;
@if $NET_VMS @if $DEV_VMS @def $VMS = 1;
# $VMS_PRIVATE = 1 if there are VMs with private IPs
@def $VMS_PRIVATE = 0;
@if $NET_VMS_PRIVATE @if $DEV_VMS_PRIVATE @def $VMS_PRIVATE = 1;

# output some debug information
# Post-hooks run after the rules are applied; like the pre-hooks these are
# shell comments and only serve as a banner in script output.
@hook post "# VMS = $VMS";
@hook post "# VMS_PRIVATE = $VMS_PRIVATE";
table filter {
    chain INPUT {
        # Everything not explicitly accepted below is dropped silently.
        # NOTE(review): nothing is logged before the policy applies; a
        # rate-limited LOG rule at the end of the chain would help spot
        # scans and misconfigured clients.
        policy DROP;

        # allow all local traffic
        interface lo ACCEPT;

        # connection tracking
        # Replies to connections the host opened are accepted here, so the
        # rules below only need to cover new inbound connections.
        # ("mod state" is the legacy match; "mod conntrack ctstate" is the
        # current equivalent -- consider switching when upgrading.)
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # accept ping request
        proto icmp icmp-type echo-request ACCEPT;

        # local services
        # Only new connections that arrive on the WAN interface *and* are
        # addressed to the host's own public IP get this far; anything
        # arriving from a VM interface falls through to the DROP policy.
        interface $DEV_WAN daddr $IP_WAN mod state state NEW {
            # DNS requests
            @if $DNS_ON_WAN proto (udp tcp) dport 53
                mod comment comment "DNS on WAN"
                ACCEPT;
            # Web
            @if $WEB_ON_WAN proto tcp mod multiport destination-ports $WEB_ON_WAN
                mod comment comment "Web on WAN"
                ACCEPT;
            # Mail
            @if $MAIL_ON_WAN proto tcp mod multiport destination-ports $MAIL_ON_WAN
                mod comment comment "Mail services on WAN"
                ACCEPT;
            # munin & nagios
            @if $SUPERVISORS saddr $SUPERVISORS proto tcp mod multiport destination-ports (4949 5666)
                mod comment comment "Munin&Nagios on WAN"
                ACCEPT;
            # allow connections (SSH, proxmox, etc.) from whitelisted IPs
            # chain whitelist ACCEPTs known sources and recent knockers and
            # otherwise returns, leaving the packet to the DROP policy.
            proto tcp mod multiport destination-ports $WHITELIST_WAN
                jump whitelist;
        }

        # port knocking interception
        # Any TCP packet to the public IP not accepted above is run through
        # chain knock, which only records state (it has no ACCEPT).
        interface $DEV_WAN daddr $IP_WAN protocol tcp jump knock;
    }

    chain OUTPUT {
        # Outbound is locked down too: new connections from the host itself
        # are limited to the few services listed below.
        policy DROP;

        # allow all local traffic
        interface lo ACCEPT;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # DNS, SSH, HTTP and HTTPS to anywhere.
        # NOTE(review): outbound SMTP (25) is not opened here although
        # inbound mail is accepted in INPUT; if this host delivers mail
        # itself the rule must come from an include (pre.d/post.d) --
        # confirm it is intentional.
        proto tcp mod multiport destination-ports (53 22 80 443)
            mod state state NEW
            ACCEPT;
        proto udp dport 53
            mod state state NEW
            ACCEPT;
        proto icmp icmp-type echo-request ACCEPT;
    }

    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # accept ping request
        proto icmp icmp-type echo-request ACCEPT;

        # from VMS to Internet: ssh, web, dns, ldap(s), ping
        # Matches on the outgoing interface only (no interface/saddr
        # check), so this covers both VM populations -- and any other
        # non-WAN interface the host may have, presumably none.
        outerface $DEV_WAN {
            proto tcp mod multiport destination-ports (53 22 80 389 443 636)
                mod state state NEW
                ACCEPT;
            proto udp dport 53
                mod state state NEW
                ACCEPT;
            proto icmp icmp-type echo-request ACCEPT;
        }

        # Web on VMs
        # HTTP/HTTPS from anywhere to either VM population.
        @if $WEB_ON_VMS
            protocol tcp
            mod comment comment "Web on VMs"
            mod multiport destination-ports $WEB_ON_VMS
            mod state state NEW {
                @if $VMS daddr $NET_VMS outerface $DEV_VMS ACCEPT;
                @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE ACCEPT;
            }

        # private VMs
        @if $VMS_PRIVATE daddr $NET_VMS_PRIVATE outerface $DEV_VMS_PRIVATE {
            # connections (SSH, etc.) from host
            # NOTE(review): "from host" is misleading: "interface $DEV_WAN"
            # matches packets *arriving on the WAN*, i.e. from the Internet
            # (traffic the host itself originates traverses OUTPUT, not
            # FORWARD).  Unlike the public-VM rules below, this ACCEPT is
            # not gated by chain whitelist/knock.  Whether the private range
            # is reachable from the WAN at all depends on DNAT rules outside
            # this file -- confirm, and consider "jump whitelist" here too.
            @if $WHITELIST_VMS interface $DEV_WAN protocol tcp
                mod multiport destination-ports $WHITELIST_VMS
                mod state state NEW
                ACCEPT;
        }

        # public VMs
        @if $VMS daddr $NET_VMS outerface $DEV_VMS {
            # nagios
            @if $SUPERVISORS saddr $SUPERVISORS
                protocol tcp
                mod multiport destination-ports (4949 5666)
                mod state state NEW
                mod comment comment "Munin&Nagios on VMs"
                ACCEPT;
            # connections (SSH, etc.) from whitelisted IPs
            # + port knocking
            # The recent lists are shared by name and keyed by source
            # address, so a knock sequence sent to a VM address also
            # whitelists that source for the host's own $WHITELIST_WAN
            # ports (chain INPUT), and vice versa -- confirm this is
            # intended.
            @if $WHITELIST_VMS protocol tcp {
                mod multiport destination-ports $WHITELIST_VMS
                    mod state state NEW jump whitelist;
                jump knock;
            }
        }
    }

    # accept from EO & port-knock source IP
    # Called from INPUT and FORWARD.  Accepts the packet when its source is
    # in $WHITELIST_IPS or has completed the knock sequence within the last
    # 15 s; otherwise returns to the caller, where the packet meets the
    # DROP policy.
    chain whitelist {
        saddr $WHITELIST_IPS ACCEPT;
        mod recent rcheck name "knock3" seconds 15 ACCEPT;
    }

    # port knocking (add IP in the whitelist for 15 seconds)
    # Every rule uses the NOP target: the chain never accepts or drops, it
    # only moves the source address through the recent lists
    # knock1 -> knock2 -> knock3 when the ports are hit in order, each
    # within 3 s of the previous hit.
    # NOTE(review): nothing clears a half-completed sequence when another
    # port is hit, and the three ports are ascending, so a fast ascending
    # sweep can complete the sequence; a reset rule for the other ports and
    # a non-monotonic port order would close that.
    chain knock {
        protocol tcp {
            dport $KNOCK1 mod recent set name "knock1" NOP;
            dport $KNOCK2 mod recent rcheck name "knock1" seconds 3 @subchain "knock2" {
                mod recent name "knock1" remove NOP;
                mod recent name "knock2" set NOP;
            }
            dport $KNOCK3 mod recent rcheck name "knock2" seconds 3 @subchain "knock3" {
                mod recent name "knock2" remove NOP;
                mod recent name "knock3" set NOP;
            }
        }
    }
}
# SNAT for private VMs
# Rewrite the source of traffic leaving the private VM range through the
# WAN interface to the host's public IP (only when private VMs are
# configured).  Static SNAT rather than MASQUERADE, which fits a fixed
# $IP_WAN.
@if $VMS_PRIVATE table nat chain POSTROUTING
    saddr $NET_VMS_PRIVATE
    outerface $DEV_WAN
    SNAT to $IP_WAN;

# Host-specific rules appended after everything above (same mechanism as
# the config.d / pre.d includes at the top; runs with ferm's privileges).
@include './include-by-hostname post.d|';