From 7dbad8f884e9ab40444a7b013afca6a6d22da253 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 29 Mar 2015 11:13:01 +0000
Subject: [PATCH] new services
---
 ferm.conf | 13 +++++++--
 functions | 63 ++++++++++++++++++++---------------------
 services/40-web | 3 ++
 services/45-dn42 | 16 +++++++----
 services/45-dns | 24 ++++++++++------
 services/45-git | 8 ++++++
 services/45-halfcode | 2 ++
 services/45-phonefinder | 2 ++
 services/70-terraria | 2 ++
 9 files changed, 84 insertions(+), 49 deletions(-)
 create mode 100644 services/45-halfcode
 create mode 100644 services/45-phonefinder
 create mode 100644 services/70-terraria
diff --git a/ferm.conf b/ferm.conf
index 9b223fb..81e88c2 100644
--- a/ferm.conf
+++ b/ferm.conf
@@ -1,7 +1,9 @@
-@def $subnet = 10.100.0.0/16;
+@def $subnet = 192.168.66.0/24;
 @def $bridge = br0;
+@def $evenet = evenet;
 @def $internet = "enp2s0";
-@def $wanip = `ip a s enp2s0 | awk '{if($0 ~ "inet "){split($2,a,"/");print a[1]}}'`;
+@def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
+@def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
 include 'ferm.d/functions';
 include `find ferm.d/services/*`;
@@ -16,6 +18,10 @@ domain (ip ip6) {
 table filter {
 chain FORWARD {
 interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
+
+ # dn42 -> is filtered in dn42 container
+ interface $evenet outerface $evenet ACCEPT;
+ interface $bridge outerface $internet ACCEPT;
 }
 chain (INPUT FORWARD) {
@@ -23,8 +29,9 @@ domain (ip ip6) {
 interface lo ACCEPT;
 protocol icmp ACCEPT;
 mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+
+ LOG log-prefix "iptables reject:";
 protocol tcp REJECT reject-with tcp-reset;
- protocol udp REJECT reject-with icmp-port-unreachable;
 REJECT reject-with icmp-port-unreachable;
 }
 chain OUTPUT policy ACCEPT;
diff --git a/functions b/functions
index a01f6b6..844f93a 100644
--- a/functions
+++ b/functions
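Review bot: `$public_ipv4` and `$public_ipv6` are filled from a backtick command at load time, which yields an empty value if enp2s0 has no address yet when ferm runs (e.g. early at boot) and, for IPv6, possibly several addresses since only `fe80` link-local is excluded; neither variable is used elsewhere in this patch, so the effect of an empty or multi-valued expansion on later rules cannot be judged here. A comment stating the assumption above the two definitions would help, e.g. `# assumes enp2s0 is already configured when ferm runs; may expand to zero or several addresses`.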
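Review bot: `interface $bridge outerface $internet ACCEPT;` grants every container on $bridge unrestricted egress to the internet for both ip and ip6, leaving the smtp REJECT directly above it as the only outbound restriction, and `interface $evenet outerface $evenet ACCEPT;` delegates all filtering of hairpinned evenet traffic to the dn42 container, as its comment notes. The containers added in this commit (halfcode, phonefinder, terraria) inherit that egress grant automatically, and nothing in the hunk records that this is intended. A comment above the two rules documenting the trust decision would help, e.g. `# containers may reach the internet freely (only smtp is blocked above); inbound and inter-container access is granted per service in services/*`. The enclosing `domain (ip ip6) { table filter {` blocks continue past this hunk.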
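Review bot: The new `LOG log-prefix "iptables reject:";` in `chain (INPUT FORWARD)` has no rate limit, so every packet that reaches the reject rules — including unsolicited internet traffic on a public host and any forwarded container traffic that is not explicitly allowed — produces a kernel log line, which can fill the log and drown out useful entries. Add a limit, and a trailing space so the prefix is separated from the packet fields that follow it: `mod limit limit 5/minute limit-burst 10 LOG log-prefix "iptables reject: ";`. The enclosing `chain (INPUT FORWARD) {` block starts in the previous hunk.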
@@ -1,62 +1,61 @@ # Allow connections to public ports on the host @def &allow_local($proto, $port) = { - domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT; + domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT; } # Defines a service residing in a given container @def &def_service($service, $container, $proto, $port) = { - # look up IP addresses of the container - @def $ip4 = @resolve($container, A); - @def $ip6 = @resolve($container, AAAA); + # look up IP addresses of the container + @def $ip4 = @resolve($container, A); + @def $ip6 = @resolve($container, AAAA); - # chain to allow forwarding to the service - domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT; + # chain to allow forwarding to the service + domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT; - # chain to do the DNAT to change the address / port to the one of the container / service - domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port"; - domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port"; + # chain to do the DNAT to change the address / port to the one of the container / service + domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port"; + domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port"; } + # Forwards a public port to the given service @def &forward_to_service($service, $proto, $port) = { - domain (ip ip6) { - # allow forwarding to the service - table filter chain FORWARD jump @cat("allow_", $service); + domain (ip ip6) { + # allow forwarding to the service + table filter chain FORWARD jump @cat("allow_", $service); - table nat { - - # change destination address / port to the one of the container / service - chain PREROUTING interface $internet protocol 
$proto dport $port jump @cat("fwd_to_", $service); - } - } + table nat { + # change destination address / port to the one of the container / service + chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service); + } + } } # Allows connection from the given container to the specified service (which resides in another container) @def &allow_service_for($service, $container) = { - @def $ip4 = @resolve($container, A); - @def $ip6 = @resolve($container, AAAA); - domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service); + @def $ip4 = @resolve($container, A); + @def $ip6 = @resolve($container, AAAA); + domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service); } # Allows connection a specific service to all containers @def &allow_service_for_all($service) = { - domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service); + domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service); } - # ---------------- # currently unused @def &forward_to($container, $proto, $port) = { - # look up IP addresses of the container - @def $ip4 = @resolve($container, A); - @def $ip6 = @resolve($container, AAAA); + # look up IP addresses of the container + @def $ip4 = @resolve($container, A); + @def $ip6 = @resolve($container, AAAA); - domain (ip ip6) { - # allow forwarding to container - table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT; + domain (ip ip6) { + # allow forwarding to container + table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT; - # change destination address to the containers one - table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6); - } + # change destination address to the containers one + table nat chain PREROUTING interface $internet protocol $proto dport 
$port DNAT to @ipfilter($ip4 $ip6);
+ }
 }
diff --git a/services/40-web b/services/40-web
index e927e80..00987dc 100644
--- a/services/40-web
+++ b/services/40-web
@@ -1,6 +1,9 @@
 &def_service(web, web, tcp, 80);
 &def_service(webs, web, tcp, 443);
+&allow_service_for_all(web);
+&allow_service_for_all(webs);
 &forward_to_service(web, tcp, 80);
 &forward_to_service(webs, tcp, 443);
+
 &allow_service_for(ldap, web);
diff --git a/services/45-dn42 b/services/45-dn42
index c5ee194..02ea567 100644
--- a/services/45-dn42
+++ b/services/45-dn42
@@ -1,6 +1,10 @@
-# IKE negotiations
-&def_service(ike, dn42, udp, 500);
-&forward_to_service(ike, udp, 500);
-# ESP encrypton and authentication
-&def_service(esp, dn42, udp, 50);
-&forward_to_service(esp, udp, 50);
+@def $dn42_ip4 = @resolve(dn42, A);
+@def $dn42_ip6 = @resolve(dn42, AAAA);
+domain (ip ip6) table filter chain FORWARD proto udp dport 5001:5020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) interface $bridge ACCEPT;
+domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 5001:5020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
+
+# tinc
+&def_service(evenet, dn42, udp, 666);
+&forward_to_service(evenet, udp, 666);
+&def_service(evenet, dn42, tcp, 666);
+&forward_to_service(evenet, tcp, 666);
diff --git a/services/45-dns b/services/45-dns
index 5a998ba..eaaa1d9 100644
--- a/services/45-dns
+++ b/services/45-dns
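Review bot: `&allow_service_for_all(web);` and `&allow_service_for_all(webs);` let every container on $bridge reach the web container on 80/443 — including halfcode, phonefinder and terraria added in this commit — whereas the other service files grant access to named peers with `&allow_service_for`. If that is intended, a one-line comment above the two calls would make the decision explicit, e.g. `# all containers may reach the web frontend (80/443)`.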
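Review bot: The filter rule for udp 5001:5020 matches `interface $bridge`, but the packets the accompanying PREROUTING rule DNATs to the dn42 container arrive on `$internet`, so after DNAT they reach FORWARD with that ingress interface and, unless a FORWARD accept outside this diff covers them, fall through to the generic REJECT rules in ferm.conf. If the range is meant to be forwarded from the internet, match the ingress interface the DNAT rule uses: `domain (ip ip6) table filter chain FORWARD interface $internet proto udp dport 5001:5020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) ACCEPT;` (or omit the interface match, as `&forward_to` in functions does). If it is instead meant for container-to-dn42 traffic, say so in a comment, since the DNATed internet traffic then still needs its own accept. `# tinc` would also benefit from noting that both udp and tcp 666 are deliberately exposed to the internet.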
@@ -1,10 +1,18 @@
 &def_service(dns, dns, udp, 53);
-&def_service(dns-pub, dns, udp, 5353);
-&def_service(dnsweb, dns, tcp, 80);
-
-&forward_to_service(dns-pub, udp, 53);
-
+&def_service(dns2, dns, tcp, 53);
+#&def_service(dns, dns1.evenet.dn42, udp, 53);
+&forward_to_service(dns, udp, 53);
+&forward_to_service(dns2, tcp, 53);
 &allow_service_for_all(dns);
-&allow_service_for_all(dns);
-&allow_service_for(dnsweb, web);
-&allow_service_for(postgres, dns);
+&allow_service_for_all(dns2);
+
+chain FORWARD interface $evenet mod pkttype pkt-type (broadcast multicast) ACCEPT;
+
+# chain to allow forwarding to the service
+domain ip table filter chain FORWARD {
+ @def $dns1_ip4 = @resolve(dns1.evenet.dn42, A);
+ @def $dns2_ip4 = @resolve(dns2.evenet.dn42, A);
+ @def $ns1_ip4 = @resolve(ns1.evenet.dn42, A);
+ @def $ns2_ip4 = @resolve(ns2.evenet.dn42, A);
+ daddr ($dns1_ip4 $dns2_ip4 $ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;
+}
diff --git a/services/45-git b/services/45-git
index c0c1bf5..6aee12a 100644
--- a/services/45-git
+++ b/services/45-git
@@ -1,3 +1,11 @@
+@def $git_ip4 = @resolve(git, A);
+@def $git_ip6 = @resolve(git, AAAA);
+@def $web_ip4 = @resolve(web, A);
+@def $web_ip6 = @resolve(web, AAAA);
+# git.higgsboson.tk points to web
+# therefore DNAT port ssh back to git
+domain (ip ip6) table nat chain PREROUTING daddr @ipfilter(($web_ip4 $web_ip6)) proto tcp dport ssh DNAT to @ipfilter(($git_ip4 $git_ip6));
+
 &def_service(git, git, tcp, 9000);
 &allow_service_for(git, web);
 &allow_service_for(postgres, git);
diff --git a/services/45-halfcode b/services/45-halfcode
new file mode 100644
index 0000000..1f80f85
--- /dev/null
+++ b/services/45-halfcode
@@ -0,0 +1,2 @@
+&def_service(halfcode, halfcode, tcp, 9000);
+&allow_service_for(halfcode, web);
diff --git a/services/45-phonefinder b/services/45-phonefinder
new file mode 100644
index 0000000..5383f50
--- /dev/null
+++ b/services/45-phonefinder
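Review bot: The comment `# chain to allow forwarding to the service` above `domain ip table filter chain FORWARD {` is copied from functions and does not describe this block, which accepts forwarded IPv4 udp/53 traffic to four evenet.dn42 resolvers regardless of ingress interface, and the commented-out `#&def_service(dns, dns1.evenet.dn42, udp, 53);` should be removed rather than left as dead configuration. A replacement such as `# allow forwarding of DNS queries to the evenet.dn42 resolvers (IPv4 only; addresses are looked up when ferm loads)` would state what the block does. The four `@resolve(..., A)` calls run at load time, so loading this ruleset now depends on the dn42 resolvers being reachable, which presumably requires the dn42 container and its own rules to be up first — worth confirming what a cold boot does when resolution fails. The bare `chain FORWARD interface $evenet mod pkttype ... ACCEPT;` line sits outside any `domain`/`table` and so applies only to ferm's default domain ip / table filter; if IPv6 multicast on $evenet is wanted too, wrap it in `domain (ip ip6)`.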
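Review bot: The PREROUTING DNAT for ssh matches only on `daddr` web, so it rewrites packets that are already addressed to the web container's own address — in practice traffic from other containers on $bridge, since nothing in this diff DNATs internet traffic on port 22 to web — and the two comment lines should say which path is meant. After the rewrite the packet still has to pass FORWARD, and `allow_git` only covers tcp/9000 (`&def_service(git, git, tcp, 9000)`), so unless a FORWARD accept for tcp/22 to git exists outside this diff the redirected connections fall through to the generic REJECT rules. Using the existing helpers keeps the nat and filter halves together and makes the ingress explicit: `&def_service(gitssh, git, tcp, 22);`, `domain (ip ip6) table nat chain PREROUTING interface $bridge daddr @ipfilter(($web_ip4 $web_ip6)) proto tcp dport ssh jump fwd_to_gitssh;`, `&allow_service_for_all(gitssh);`.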
@@ -0,0 +1,2 @@
+&def_service(phonefinder, phonefinder, tcp, 9000);
+&allow_service_for(phonefinder, web);
diff --git a/services/70-terraria b/services/70-terraria
new file mode 100644
index 0000000..c644144
--- /dev/null
+++ b/services/70-terraria
@@ -0,0 +1,2 @@
+&def_service(terraria, terraria, tcp, 37757);
+&forward_to_service(terraria, tcp, 37757);