Mic92/ferm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

new services

Browse Source
This commit is contained in:
Jörg Thalheim 2015-03-29 11:13:01 +00:00
parent a7d20af5ad
commit 7dbad8f884
9 changed files with 84 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
ferm.conf
View File

@ -1,7 +1,9 @@
@def $subnet = 10.100.0.0/16; @def $subnet = 192.168.66.0/24;
@def $bridge = br0; @def $bridge = br0;
@def $evenet = evenet;
@def $internet = "enp2s0"; @def $internet = "enp2s0";
@def $wanip = `ip a s enp2s0 | awk '{if($0 ~ "inet "){split($2,a,"/");print a[1]}}'`; @def $public_ipv4 = `ip a s enp2s0 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
@def $public_ipv6 = `ip a s enp2s0 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
include 'ferm.d/functions'; include 'ferm.d/functions';
include `find ferm.d/services/*`; include `find ferm.d/services/*`;
@ -16,6 +18,10 @@ domain (ip ip6) {
table filter { table filter {
chain FORWARD { chain FORWARD {
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset; interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
# dn42 -> is filtered in dn42 container
interface $evenet outerface $evenet ACCEPT;
interface $bridge outerface $internet ACCEPT; interface $bridge outerface $internet ACCEPT;
} }
chain (INPUT FORWARD) { chain (INPUT FORWARD) {
@ -23,8 +29,9 @@ domain (ip ip6) {
interface lo ACCEPT; interface lo ACCEPT;
protocol icmp ACCEPT; protocol icmp ACCEPT;
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT; mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
LOG log-prefix "iptables reject:";
protocol tcp REJECT reject-with tcp-reset; protocol tcp REJECT reject-with tcp-reset;
protocol udp REJECT reject-with icmp-port-unreachable;
REJECT reject-with icmp-port-unreachable; REJECT reject-with icmp-port-unreachable;
} }
chain OUTPUT policy ACCEPT; chain OUTPUT policy ACCEPT;

63
functions
View File

@ -1,62 +1,61 @@
# Allow connections to public ports on the host # Allow connections to public ports on the host
@def &allow_local($proto, $port) = { @def &allow_local($proto, $port) = {
domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT; domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT;
} }
# Defines a service residing in a given container # Defines a service residing in a given container
@def &def_service($service, $container, $proto, $port) = { @def &def_service($service, $container, $proto, $port) = {
# look up IP addresses of the container # look up IP addresses of the container
@def $ip4 = @resolve($container, A); @def $ip4 = @resolve($container, A);
@def $ip6 = @resolve($container, AAAA); @def $ip6 = @resolve($container, AAAA);
# chain to allow forwarding to the service # chain to allow forwarding to the service
domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT; domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
# chain to do the DNAT to change the address / port to the one of the container / service # chain to do the DNAT to change the address / port to the one of the container / service
domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port"; domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port"; domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port";
} }
# Forwards a public port to the given service # Forwards a public port to the given service
@def &forward_to_service($service, $proto, $port) = { @def &forward_to_service($service, $proto, $port) = {
domain (ip ip6) { domain (ip ip6) {
# allow forwarding to the service # allow forwarding to the service
table filter chain FORWARD jump @cat("allow_", $service); table filter chain FORWARD jump @cat("allow_", $service);
table nat { table nat {
# change destination address / port to the one of the container / service
# change destination address / port to the one of the container / service chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service); }
} }
}
} }
# Allows connection from the given container to the specified service (which resides in another container) # Allows connection from the given container to the specified service (which resides in another container)
@def &allow_service_for($service, $container) = { @def &allow_service_for($service, $container) = {
@def $ip4 = @resolve($container, A); @def $ip4 = @resolve($container, A);
@def $ip6 = @resolve($container, AAAA); @def $ip6 = @resolve($container, AAAA);
domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service); domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service);
} }
# Allows connection a specific service to all containers # Allows connection a specific service to all containers
@def &allow_service_for_all($service) = { @def &allow_service_for_all($service) = {
domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service); domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service);
} }
# ---------------- # ----------------
# currently unused # currently unused
@def &forward_to($container, $proto, $port) = { @def &forward_to($container, $proto, $port) = {
# look up IP addresses of the container # look up IP addresses of the container
@def $ip4 = @resolve($container, A); @def $ip4 = @resolve($container, A);
@def $ip6 = @resolve($container, AAAA); @def $ip6 = @resolve($container, AAAA);
domain (ip ip6) { domain (ip ip6) {
# allow forwarding to container # allow forwarding to container
table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT; table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
# change destination address to the containers one # change destination address to the containers one
table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6); table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6);
} }
} }

3
services/40-web
View File

@ -1,6 +1,9 @@
&def_service(web, web, tcp, 80); &def_service(web, web, tcp, 80);
&def_service(webs, web, tcp, 443); &def_service(webs, web, tcp, 443);
&allow_service_for_all(web);
&allow_service_for_all(webs);
&forward_to_service(web, tcp, 80); &forward_to_service(web, tcp, 80);
&forward_to_service(webs, tcp, 443); &forward_to_service(webs, tcp, 443);
&allow_service_for(ldap, web); &allow_service_for(ldap, web);

16
services/45-dn42
View File

@ -1,6 +1,10 @@
# IKE negotiations @def $dn42_ip4 = @resolve(dn42, A);
&def_service(ike, dn42, udp, 500); @def $dn42_ip6 = @resolve(dn42, AAAA);
&forward_to_service(ike, udp, 500); domain (ip ip6) table filter chain FORWARD proto udp dport 5001:5020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) interface $bridge ACCEPT;
# ESP encrypton and authentication domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 5001:5020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
&def_service(esp, dn42, udp, 50);
&forward_to_service(esp, udp, 50); # tinc
&def_service(evenet, dn42, udp, 666);
&forward_to_service(evenet, udp, 666);
&def_service(evenet, dn42, tcp, 666);
&forward_to_service(evenet, tcp, 666);

24
services/45-dns
View File

@ -1,10 +1,18 @@
&def_service(dns, dns, udp, 53); &def_service(dns, dns, udp, 53);
&def_service(dns-pub, dns, udp, 5353); &def_service(dns2, dns, tcp, 53);
&def_service(dnsweb, dns, tcp, 80); #&def_service(dns, dns1.evenet.dn42, udp, 53);
&forward_to_service(dns, udp, 53);
&forward_to_service(dns-pub, udp, 53); &forward_to_service(dns2, tcp, 53);
&allow_service_for_all(dns); &allow_service_for_all(dns);
&allow_service_for_all(dns); &allow_service_for_all(dns2);
&allow_service_for(dnsweb, web);
&allow_service_for(postgres, dns); chain FORWARD interface $evenet mod pkttype pkt-type (broadcast multicast) ACCEPT;
# chain to allow forwarding to the service
domain ip table filter chain FORWARD {
@def $dns1_ip4 = @resolve(dns1.evenet.dn42, A);
@def $dns2_ip4 = @resolve(dns2.evenet.dn42, A);
@def $ns1_ip4 = @resolve(ns1.evenet.dn42, A);
@def $ns2_ip4 = @resolve(ns2.evenet.dn42, A);
daddr ($dns1_ip4 $dns2_ip4 $ns1_ip4 $ns2_ip4) protocol udp dport 53 ACCEPT;
}

8
services/45-git
View File

@ -1,3 +1,11 @@
@def $git_ip4 = @resolve(git, A);
@def $git_ip6 = @resolve(git, AAAA);
@def $web_ip4 = @resolve(web, A);
@def $web_ip6 = @resolve(web, AAAA);
# git.higgsboson.tk points to web
# therefore DNAT port ssh back to git
domain (ip ip6) table nat chain PREROUTING daddr @ipfilter(($web_ip4 $web_ip6)) proto tcp dport ssh DNAT to @ipfilter(($git_ip4 $git_ip6));
&def_service(git, git, tcp, 9000); &def_service(git, git, tcp, 9000);
&allow_service_for(git, web); &allow_service_for(git, web);
&allow_service_for(postgres, git); &allow_service_for(postgres, git);

2
services/45-halfcode Normal file
View File

@ -0,0 +1,2 @@
&def_service(halfcode, halfcode, tcp, 9000);
&allow_service_for(halfcode, web);

2
services/45-phonefinder Normal file
View File

@ -0,0 +1,2 @@
&def_service(phonefinder, phonefinder, tcp, 9000);
&allow_service_for(phonefinder, web);

2
services/70-terraria Normal file
View File

@ -0,0 +1,2 @@
&def_service(terraria, terraria, tcp, 37757);
&forward_to_service(terraria, tcp, 37757);