From a7d20af5ad12651c8a09413df103dccc4d65f15d Mon Sep 17 00:00:00 2001 
From: root Date: Fri, 19 Dec 2014 20:50:19 +0100 Subject: [PATCH] first commit --- ferm.conf | 35 ++++++++++++++++++++++++ functions | 62 ++++++++++++++++++++++++++++++++++++++++++ services/00-local | 4 +++ services/20-ldap | 1 + services/20-login | 6 ++++ services/30-database | 2 ++ services/40-mail | 17 ++++++++++++ services/40-squid | 5 ++++ services/40-web | 6 ++++ services/45-adminer | 4 +++ services/45-classifier | 2 ++ services/45-dn42 | 6 ++++ services/45-dns | 10 +++++++ services/45-etherpad | 3 ++ services/45-git | 7 +++++ services/45-istwiki | 3 ++ services/45-ldapadmin | 3 ++ services/45-owncloud | 4 +++ services/45-phpmyadmin | 3 ++ services/45-phppgadmin | 3 ++ services/45-piwik | 4 +++ services/45-prosody | 17 ++++++++++++ services/45-rainloop | 3 ++ services/45-seafile | 15 ++++++++++ services/45-ttrss | 4 +++ services/45-tweetnest | 3 ++ services/45-ytm | 3 ++ services/70-pyload | 4 +++ services/70-teamspeak | 20 ++++++++++++++ 29 files changed, 259 insertions(+) create mode 100644 ferm.conf create mode 100644 functions create mode 100644 services/00-local create mode 100644 services/20-ldap create mode 100644 services/20-login create mode 100644 services/30-database create mode 100644 services/40-mail create mode 100644 services/40-squid create mode 100644 services/40-web create mode 100644 services/45-adminer create mode 100644 services/45-classifier create mode 100644 services/45-dn42 create mode 100644 services/45-dns create mode 100644 services/45-etherpad create mode 100644 services/45-git create mode 100644 services/45-istwiki create mode 100644 services/45-ldapadmin create mode 100644 services/45-owncloud create mode 100644 services/45-phpmyadmin create mode 100644 services/45-phppgadmin create mode 100644 services/45-piwik create mode 100644 services/45-prosody create mode 100644 services/45-rainloop create mode 100644 services/45-seafile create mode 100644 services/45-ttrss create mode 100644 services/45-tweetnest create mode 100644 
services/45-ytm create mode 100644 services/70-pyload create mode 100644 services/70-teamspeak
diff --git a/ferm.conf b/ferm.conf
new file mode 100644
index 0000000..9b223fb
--- /dev/null
+++ b/ferm.conf
@@ -0,0 +1,35 @@
+@def $subnet = 10.100.0.0/16;
+@def $bridge = br0;
+@def $internet = "enp2s0";
+@def $wanip = `ip a s enp2s0 | awk '{if($0 ~ "inet "){split($2,a,"/");print a[1]}}'`;
+
+include 'ferm.d/functions';
+include `find ferm.d/services/*`;
+
+domain (ip ip6) {
+ table nat {
+ chain PREROUTING policy ACCEPT;
+ chain POSTROUTING policy ACCEPT;
+ chain INPUT policy ACCEPT;
+ chain OUTPUT policy ACCEPT;
+ }
+ table filter {
+ chain FORWARD {
+ interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
+ interface $bridge outerface $internet ACCEPT;
+ }
+ chain (INPUT FORWARD) {
+ policy DROP;
+ interface lo ACCEPT;
+ protocol icmp ACCEPT;
+ mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+ protocol tcp REJECT reject-with tcp-reset;
+ protocol udp REJECT reject-with icmp-port-unreachable;
+ REJECT reject-with icmp-port-unreachable;
+ }
+ chain OUTPUT policy ACCEPT;
+ }
+}
+domain ip table nat {
+ chain POSTROUTING outerface $internet MASQUERADE;
+}
diff --git a/functions b/functions
new file mode 100644
index 0000000..a01f6b6
--- /dev/null
+++ b/functions
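Review bot: `$wanip` on the fourth line of ferm.conf is produced by a backtick shell pipeline that hard-codes `enp2s0` a second time instead of reusing `$internet`, and nothing else in this commit references `$wanip`, so the pipeline runs on every ferm load for no effect; either drop it or derive it from the same interface definition so the two cannot drift. The `find ferm.d/services/*` backtick include two lines below appears to resolve relative to the shell's working directory rather than to the config file, and `find` does not guarantee output order, so the `00-`/`20-`/`45-`/`70-` prefixes may not give the rule order they suggest; ferm's own directory include, `include 'ferm.d/services/';`, avoids both as far as I recall its semantics, please verify. These are inferred from the visible lines, not tested against a running ferm.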
@@ -0,0 +1,62 @@
+# Allow connections to public ports on the host
+@def &allow_local($proto, $port) = {
+ domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT;
+}
+
+# Defines a service residing in a given container
+@def &def_service($service, $container, $proto, $port) = {
+ # look up IP addresses of the container
+ @def $ip4 = @resolve($container, A);
+ @def $ip6 = @resolve($container, AAAA);
+
+ # chain to allow forwarding to the service
+ domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
+
+ # chain to do the DNAT to change the address / port to the one of the container / service
+ domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
+ domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port";
+}
+
+# Forwards a public port to the given service
+@def &forward_to_service($service, $proto, $port) = {
+ domain (ip ip6) {
+ # allow forwarding to the service
+ table filter chain FORWARD jump @cat("allow_", $service);
+
+ table nat {
+
+ # change destination address / port to the one of the container / service
+ chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
+ }
+ }
+}
+
+# Allows connection from the given container to the specified service (which resides in another container)
+@def &allow_service_for($service, $container) = {
+ @def $ip4 = @resolve($container, A);
+ @def $ip6 = @resolve($container, AAAA);
+ domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service);
+}
+
+# Allows connection a specific service to all containers
+@def &allow_service_for_all($service) = {
+ domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service);
+}
+
+
+# ----------------
+# currently unused
+
+@def &forward_to($container, $proto, $port) = {
+ # look up IP addresses of the container
+ @def
$ip4 = @resolve($container, A);
+ @def $ip6 = @resolve($container, AAAA);
+
+ domain (ip ip6) {
+ # allow forwarding to container
+ table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
+
+ # change destination address to the containers one
+ table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6);
+ }
+}
diff --git a/services/00-local b/services/00-local
new file mode 100644
index 0000000..da1e820
--- /dev/null
+++ b/services/00-local
@@ -0,0 +1,4 @@
+&allow_local(tcp, 22022); # SSH
+&allow_local(udp, 60000:60010); # Mosh
+&allow_local(tcp, 655); # tinc
+&allow_local(udp, 655); # tinc
diff --git a/services/20-ldap b/services/20-ldap
new file mode 100644
index 0000000..cc2be55
--- /dev/null
+++ b/services/20-ldap
@@ -0,0 +1 @@
+&def_service(ldap, ldap, tcp, 389);
diff --git a/services/20-login b/services/20-login
new file mode 100644
index 0000000..0cd7315
--- /dev/null
+++ b/services/20-login
@@ -0,0 +1,6 @@
+&def_service(login, login, tcp, 22);
+&forward_to_service(login, tcp, 22722);
+&allow_service_for(ldap, login);
+
+&def_service(mosh_login, login, udp, 60011);
+&forward_to_service(mosh_login, udp, 60011);
diff --git a/services/30-database b/services/30-database
new file mode 100644
index 0000000..08f559f
--- /dev/null
+++ b/services/30-database
@@ -0,0 +1,2 @@
+&def_service(mysql, mysql, tcp, 3306);
+&def_service(postgres, postgres, tcp, 5432);
diff --git a/services/40-mail b/services/40-mail
new file mode 100644
index 0000000..1fe3ff3
--- /dev/null
+++ b/services/40-mail
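Review bot: In `&forward_to_service` the rule `table filter chain FORWARD jump @cat("allow_", $service);` carries no `interface $internet` match, so publishing a service also lets every container on `$bridge` reach it regardless of any `&allow_service_for` grant; as far as the chains shown go, `&allow_service_for(smtp, seafile)` in services/45-seafile is already redundant once 40-mail forwards smtp. If public exposure and per-container grants are meant to stay separate, `table filter chain FORWARD interface $internet jump @cat("allow_", $service);` keeps the two paths distinct. The comment above `&allow_service_for_all` reads backwards; suggest `# Allows connections from all containers to the given service`. In the unused `&forward_to` the DNAT target is written `@ipfilter($ip4 $ip6)` whereas every other call passes a nested list, `@ipfilter(($ip4 $ip6))`; worth aligning before the helper is revived.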
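Review bot: The only LDAP service defined is plain `tcp, 389`, and many later files grant it to their containers; this config cannot express whether the server requires StartTLS, so if directory credentials would otherwise cross `$bridge` in the clear, define `&def_service(ldaps, ldap, tcp, 636);` next to it and grant that instead. This is inferred from the port alone and does not apply if StartTLS is enforced server-side.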
@@ -0,0 +1,17 @@
+&allow_service_for(ldap,mail);
+
+&def_service(smtp, mail, tcp, 25);
+&def_service(submission, mail, tcp, 587);
+&def_service(imap, mail, tcp, 143);
+&def_service(sieve, mail, tcp, 4190);
+&def_service(dsync, mail, tcp, 4170);
+
+&forward_to_service(smtp, tcp, 25);
+&forward_to_service(submission, tcp, 587);
+&forward_to_service(imap, tcp, 143);
+&forward_to_service(sieve, tcp, 4190);
+&forward_to_service(dsync, tcp, 4170);
+
+@def $mail_ip4 = @resolve(mail, A);
+@def $mail_ip6 = @resolve(mail, AAAA);
+domain (ip ip6) table filter chain FORWARD interface $bridge saddr @ipfilter(($mail_ip4 $mail_ip6)) protocol tcp dport smtp ACCEPT;
diff --git a/services/40-squid b/services/40-squid
new file mode 100644
index 0000000..7862ec5
--- /dev/null
+++ b/services/40-squid
@@ -0,0 +1,5 @@
+&def_service(squid, squid, tcp, 8888);
+&forward_to_service(squid, tcp, 8888);
+&def_service(ssquid, squid, tcp, 8889);
+&forward_to_service(ssquid, tcp, 8889);
+&allow_service_for(ldap, squid);
diff --git a/services/40-web b/services/40-web
new file mode 100644
index 0000000..e927e80
--- /dev/null
+++ b/services/40-web
@@ -0,0 +1,6 @@
+&def_service(web, web, tcp, 80);
+&def_service(webs, web, tcp, 443);
+
+&forward_to_service(web, tcp, 80);
+&forward_to_service(webs, tcp, 443);
+&allow_service_for(ldap, web);
diff --git a/services/45-adminer b/services/45-adminer
new file mode 100644
index 0000000..f330d78
--- /dev/null
+++ b/services/45-adminer
@@ -0,0 +1,4 @@
+&def_service(adminer, adminer, tcp, 9000);
+&allow_service_for(postgres, adminer);
+&allow_service_for(mysql, adminer);
+&allow_service_for(adminer, web);
diff --git a/services/45-classifier b/services/45-classifier
new file mode 100644
index 0000000..38d3327
--- /dev/null
+++ b/services/45-classifier
@@ -0,0 +1,2 @@
+&def_service(classifier, classifier, tcp, 22);
+&forward_to_service(classifier, tcp, 2200);
diff --git a/services/45-dn42 b/services/45-dn42
new file mode 100644
index 0000000..c5ee194
--- /dev/null
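Review bot: The last line of 40-mail accepts outbound smtp from the mail container with only `interface $bridge` and a `saddr` match, no `outerface $internet`, so it is broader than the "let only the mail container relay out" purpose it seems to serve and is the one FORWARD rule in these files that does not pin a destination; `domain (ip ip6) table filter chain FORWARD interface $bridge outerface $internet saddr @ipfilter(($mail_ip4 $mail_ip6)) protocol tcp dport smtp ACCEPT;` states the intent, assuming rules land in file order with the includes ahead of the ferm.conf REJECT. `&forward_to_service(dsync, tcp, 4170)` publishes a replication port to the whole internet; if this is Dovecot dsync it normally needs to be reachable from one peer only, which `&forward_to_service` cannot express without a source parameter. `&allow_service_for(ldap,mail)` on the first line lacks the space after the comma that every other call uses.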
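Review bot: `&forward_to_service(squid, tcp, 8888)` and the matching 8889 line publish the proxy ports on `$internet`, which leaves Squid's own authentication and ACLs as the only control between the internet and an open proxy; if the proxy serves the containers or a VPN population rather than the public, `&allow_service_for_all(squid);` (or per-container grants) keeps it off the WAN. Whether public reachability is intended is not visible from this file.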
+++ b/services/45-dn42
@@ -0,0 +1,6 @@
+# IKE negotiations
+&def_service(ike, dn42, udp, 500);
+&forward_to_service(ike, udp, 500);
+# ESP encrypton and authentication
+&def_service(esp, dn42, udp, 50);
+&forward_to_service(esp, udp, 50);
diff --git a/services/45-dns b/services/45-dns
new file mode 100644
index 0000000..5a998ba
--- /dev/null
+++ b/services/45-dns
@@ -0,0 +1,10 @@
+&def_service(dns, dns, udp, 53);
+&def_service(dns-pub, dns, udp, 5353);
+&def_service(dnsweb, dns, tcp, 80);
+
+&forward_to_service(dns-pub, udp, 53);
+
+&allow_service_for_all(dns);
+&allow_service_for_all(dns);
+&allow_service_for(dnsweb, web);
+&allow_service_for(postgres, dns);
diff --git a/services/45-etherpad b/services/45-etherpad
new file mode 100644
index 0000000..9f8ed74
--- /dev/null
+++ b/services/45-etherpad
@@ -0,0 +1,3 @@
+&def_service(etherpad, etherpad, tcp, 9000);
+&allow_service_for(etherpad, web);
+&allow_service_for(postgres, etherpad);
diff --git a/services/45-git b/services/45-git
new file mode 100644
index 0000000..c0c1bf5
--- /dev/null
+++ b/services/45-git
@@ -0,0 +1,7 @@
+&def_service(git, git, tcp, 9000);
+&allow_service_for(git, web);
+&allow_service_for(postgres, git);
+&allow_service_for(ldap, git);
+
+&def_service(git-ssh, git, tcp, 22);
+&forward_to_service(git-ssh, tcp, 22);
diff --git a/services/45-istwiki b/services/45-istwiki
new file mode 100644
index 0000000..010b54f
--- /dev/null
+++ b/services/45-istwiki
@@ -0,0 +1,3 @@
+&def_service(istwiki, istwiki, tcp, 9000);
+&allow_service_for(istwiki, web);
+&allow_service_for(mysql, istwiki);
diff --git a/services/45-ldapadmin b/services/45-ldapadmin
new file mode 100644
index 0000000..ea221aa
--- /dev/null
+++ b/services/45-ldapadmin
@@ -0,0 +1,3 @@
+&def_service(ldapadmin, ldapadmin, tcp, 9000);
+&allow_service_for(ldapadmin, web);
+&allow_service_for(ldap, ldapadmin);
diff --git a/services/45-owncloud b/services/45-owncloud
new file mode 100644
index 0000000..133dfb2
--- /dev/null
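Review bot: `&def_service(esp, dn42, udp, 50)` and the `&forward_to_service(esp, udp, 50)` below it treat ESP as UDP port 50, but ESP is IP protocol 50 and has no port, so these two lines match nothing and ESP traffic never reaches the container. `&def_service`/`&forward_to_service` only take a proto/port pair and cannot express `protocol esp`, so either add a port-less helper (FORWARD `daddr … protocol esp ACCEPT` plus a PREROUTING `protocol esp DNAT to` the container address) or, since the container sits behind MASQUERADE anyway, forward NAT-T with `&def_service(ipsec-nat-t, dn42, udp, 4500);` and its forward next to the IKE lines. The comment also misspells the word; suggest `# ESP encryption and authentication`.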
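Review bot: `&allow_service_for_all(dns);` appears twice in a row in 45-dns, producing a duplicate FORWARD jump; drop the second copy. Only `udp, 53` is defined for `dns` and forwarded for `dns-pub`, so any query that has to fall back to TCP (truncated answers) is cut off at the firewall; if the resolver is meant to serve TCP as well, add `&def_service(dns-tcp, dns, tcp, 53);` with the matching forward and allow lines. Whether TCP is needed depends on the resolver's role, which this file does not show.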
+++ b/services/45-owncloud
@@ -0,0 +1,4 @@
+&def_service(owncloud, owncloud, tcp, 9000);
+&allow_service_for(owncloud, web);
+&allow_service_for(postgres, owncloud);
+&allow_service_for(ldap, owncloud);
diff --git a/services/45-phpmyadmin b/services/45-phpmyadmin
new file mode 100644
index 0000000..3f8f909
--- /dev/null
+++ b/services/45-phpmyadmin
@@ -0,0 +1,3 @@
+&def_service(phpmyadmin, phpmyadmin, tcp, 9000);
+&allow_service_for(phpmyadmin, web);
+&allow_service_for(mysql, phpmyadmin);
diff --git a/services/45-phppgadmin b/services/45-phppgadmin
new file mode 100644
index 0000000..39dcd25
--- /dev/null
+++ b/services/45-phppgadmin
@@ -0,0 +1,3 @@
+&def_service(phppgadmin, phppgadmin, tcp, 9000);
+&allow_service_for(phppgadmin, web);
+&allow_service_for(postgres, phppgadmin);
diff --git a/services/45-piwik b/services/45-piwik
new file mode 100644
index 0000000..3c94a4c
--- /dev/null
+++ b/services/45-piwik
@@ -0,0 +1,4 @@
+&def_service(piwik, piwik, tcp, 9000);
+&allow_service_for(piwik, web);
+&allow_service_for(mysql, piwik);
+&allow_service_for(ldap, piwik);
diff --git a/services/45-prosody b/services/45-prosody
new file mode 100644
index 0000000..3028388
--- /dev/null
+++ b/services/45-prosody
@@ -0,0 +1,17 @@
+&def_service(xmpp-client, prosody, tcp, 5222);
+&def_service(xmpp-server, prosody, tcp, 5269);
+&def_service(xmpp-bosh, prosody, tcp, 5280);
+&def_service(bosh-ssl, prosody, tcp, 5281);
+&def_service(xmpp-proxy65, prosody, tcp, 5000);
+&allow_service_for_all(xmpp-client);
+&allow_service_for_all(xmpp-server);
+&allow_service_for_all(xmpp-proxy65);
+
+&forward_to_service(xmpp-client, tcp, 5222);
+&forward_to_service(xmpp-server, tcp, 5269);
+&forward_to_service(xmpp-bosh, tcp, 5280);
+&forward_to_service(bosh-ssl, tcp, 5281);
+&forward_to_service(xmpp-proxy65, tcp, 5000);
+
+&allow_service_for(postgres, prosody);
+&allow_service_for(ldap, prosody);
diff --git a/services/45-rainloop b/services/45-rainloop
new file mode 100644
index 0000000..fe85acf
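Review bot: `&forward_to_service(xmpp-bosh, tcp, 5280)` publishes the plaintext BOSH/HTTP endpoint on `$internet` right next to its TLS counterpart on 5281; if 5281 is the intended public endpoint, keep 5280 bridge-internal (for instance `&allow_service_for(xmpp-bosh, web);` for a reverse proxy) rather than forwarding it. Naming is also uneven in this file: `bosh-ssl` sits beside `xmpp-bosh`, `xmpp-client` and `xmpp-proxy65`, so `xmpp-bosh-ssl` would keep the prefix consistent. Whether any external client depends on plaintext 5280 is not visible here.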
--- /dev/null
+++ b/services/45-rainloop
@@ -0,0 +1,3 @@
+&def_service(rainloop, rainloop, tcp, 9000);
+&allow_service_for(postgres, rainloop);
+&allow_service_for(rainloop, web);
diff --git a/services/45-seafile b/services/45-seafile
new file mode 100644
index 0000000..d00ff31
--- /dev/null
+++ b/services/45-seafile
@@ -0,0 +1,15 @@
+&def_service(seafile, seafile, tcp, 12001);
+&def_service(ccnet, seafile, tcp, 10001);
+&def_service(seahub, seafile, tcp, 8000);
+&def_service(webdav, seafile, tcp, 8080);
+&def_service(filesrv, seafile, tcp, 8082);
+
+&allow_service_for(seahub, web);
+&allow_service_for(filesrv, web);
+&allow_service_for(webdav, web);
+&allow_service_for(ldap, seafile);
+&allow_service_for(postgres, seafile);
+&allow_service_for(smtp, seafile);
+&allow_service_for(submission, seafile);
+&forward_to_service(seafile, tcp, 12001);
+&forward_to_service(ccnet, tcp, 10001);
diff --git a/services/45-ttrss b/services/45-ttrss
new file mode 100644
index 0000000..aed7e46
--- /dev/null
+++ b/services/45-ttrss
@@ -0,0 +1,4 @@
+&def_service(ttrss, ttrss, tcp, 9000);
+&allow_service_for(ttrss, web);
+&allow_service_for(postgres, ttrss);
+&allow_service_for(ldap, ttrss);
diff --git a/services/45-tweetnest b/services/45-tweetnest
new file mode 100644
index 0000000..16064bb
--- /dev/null
+++ b/services/45-tweetnest
@@ -0,0 +1,3 @@
+&def_service(tweetnest, tweetnest, tcp, 9000);
+&allow_service_for(tweetnest, web);
+&allow_service_for(mysql, tweetnest);
diff --git a/services/45-ytm b/services/45-ytm
new file mode 100644
index 0000000..485d654
--- /dev/null
+++ b/services/45-ytm
@@ -0,0 +1,3 @@
+&def_service(ytm, ytm, tcp, 9000);
+&allow_service_for(ytm, web);
+&allow_service_for(mysql, ytm);
diff --git a/services/70-pyload b/services/70-pyload
new file mode 100644
index 0000000..82597b1
--- /dev/null
+++ b/services/70-pyload
@@ -0,0 +1,4 @@
+&def_service(pyload, pyload, tcp, 8001);
+&allow_service_for(pyload, web);
+&def_service(pyloadremote, pyload, tcp, 7227);
+&forward_to_service(pyloadremote, tcp, 7227);
diff --git a/services/70-teamspeak b/services/70-teamspeak
new file mode 100644
index 0000000..81b934c
--- /dev/null
+++ b/services/70-teamspeak
@@ -0,0 +1,20 @@
+# default services
+&def_service(ts3_ft, teamspeak, tcp, 30033);
+&forward_to_service(ts3_ft, tcp, 30033);
+&def_service(ts3_sq, teamspeak, tcp, 10011);
+&forward_to_service(ts3_sq, tcp, 10011);
+&def_service(ts3_dns, teamspeak, tcp, 41144);
+&forward_to_service(ts3_dns, tcp, 41144);
+
+# servers
+&def_service(ts3_devkid, teamspeak, udp, 9987);
+&forward_to_service(ts3_devkid, udp, 9987);
+
+&def_service(ts3_ist, teamspeak, udp, 4242);
+&forward_to_service(ts3_ist, udp, 4242);
+
+&def_service(ts3_martin, teamspeak, udp, 5037);
+&forward_to_service(ts3_martin, udp, 5037);
+
+&def_service(ts3_putzy, teamspeak, udp, 9000);
+&forward_to_service(ts3_putzy, udp, 9000);
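Review bot: `&forward_to_service(pyloadremote, tcp, 7227)` exposes pyLoad's remote API on `$internet` while the web UI on 8001 is deliberately reachable only through `web`; if the remote API is consumed from inside the host only, an `&allow_service_for(pyloadremote, <container>);` grant would match the treatment of the web UI. This is inferred from the port pairing alone.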
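Review bot: `&forward_to_service(ts3_sq, tcp, 10011)` publishes the TeamSpeak ServerQuery administrative interface to the internet; it is normally needed only by the operator or by bots, so unless remote query access is a requirement, keep `&def_service(ts3_sq, teamspeak, tcp, 10011);` and drop the forward, granting it to a specific container with `&allow_service_for` if a bot lives on `$bridge`. A source-restricted forward is not expressible with the current `&forward_to_service` signature and would need a helper that takes a `saddr`. This is inferred from the well-known port; the TS3 server may have its own query whitelist.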