first commit

This commit is contained in:
root 2014-12-19 20:50:19 +01:00
commit a7d20af5ad
29 changed files with 259 additions and 0 deletions

35
ferm.conf Normal file
View File

@ -0,0 +1,35 @@
@def $subnet = 10.100.0.0/16;
@def $bridge = br0;
@def $internet = "enp2s0";
@def $wanip = `ip a s enp2s0 | awk '{if($0 ~ "inet "){split($2,a,"/");print a[1]}}'`;
include 'ferm.d/functions';
include `find ferm.d/services/*`;
domain (ip ip6) {
table nat {
chain PREROUTING policy ACCEPT;
chain POSTROUTING policy ACCEPT;
chain INPUT policy ACCEPT;
chain OUTPUT policy ACCEPT;
}
table filter {
chain FORWARD {
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
interface $bridge outerface $internet ACCEPT;
}
chain (INPUT FORWARD) {
policy DROP;
interface lo ACCEPT;
protocol icmp ACCEPT;
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
protocol tcp REJECT reject-with tcp-reset;
protocol udp REJECT reject-with icmp-port-unreachable;
REJECT reject-with icmp-port-unreachable;
}
chain OUTPUT policy ACCEPT;
}
}
domain ip table nat {
chain POSTROUTING outerface $internet MASQUERADE;
}

62
functions Normal file
View File

@ -0,0 +1,62 @@
# Allow connections to public ports on the host
@def &allow_local($proto, $port) = {
domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT;
}
# Defines a service residing in a given container
@def &def_service($service, $container, $proto, $port) = {
# look up IP addresses of the container
@def $ip4 = @resolve($container, A);
@def $ip6 = @resolve($container, AAAA);
# chain to allow forwarding to the service
domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
# chain to do the DNAT to change the address / port to the one of the container / service
domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port";
}
# Forwards a public port to the given service
@def &forward_to_service($service, $proto, $port) = {
domain (ip ip6) {
# allow forwarding to the service
table filter chain FORWARD jump @cat("allow_", $service);
table nat {
# change destination address / port to the one of the container / service
chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
}
}
}
# Allows connection from the given container to the specified service (which resides in another container)
@def &allow_service_for($service, $container) = {
@def $ip4 = @resolve($container, A);
@def $ip6 = @resolve($container, AAAA);
domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service);
}
# Allows connection a specific service to all containers
@def &allow_service_for_all($service) = {
domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service);
}
# ----------------
# currently unused
@def &forward_to($container, $proto, $port) = {
# look up IP addresses of the container
@def $ip4 = @resolve($container, A);
@def $ip6 = @resolve($container, AAAA);
domain (ip ip6) {
# allow forwarding to container
table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
# change destination address to the containers one
table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6);
}
}

4
services/00-local Normal file
View File

@ -0,0 +1,4 @@
&allow_local(tcp, 22022); # SSH
&allow_local(udp, 60000:60010); # Mosh
&allow_local(tcp, 655); # tinc
&allow_local(udp, 655); # tinc

1
services/20-ldap Normal file
View File

@ -0,0 +1 @@
&def_service(ldap, ldap, tcp, 389);

6
services/20-login Normal file
View File

@ -0,0 +1,6 @@
&def_service(login, login, tcp, 22);
&forward_to_service(login, tcp, 22722);
&allow_service_for(ldap, login);
&def_service(mosh_login, login, udp, 60011);
&forward_to_service(mosh_login, udp, 60011);

2
services/30-database Normal file
View File

@ -0,0 +1,2 @@
&def_service(mysql, mysql, tcp, 3306);
&def_service(postgres, postgres, tcp, 5432);

17
services/40-mail Normal file
View File

@ -0,0 +1,17 @@
&allow_service_for(ldap,mail);
&def_service(smtp, mail, tcp, 25);
&def_service(submission, mail, tcp, 587);
&def_service(imap, mail, tcp, 143);
&def_service(sieve, mail, tcp, 4190);
&def_service(dsync, mail, tcp, 4170);
&forward_to_service(smtp, tcp, 25);
&forward_to_service(submission, tcp, 587);
&forward_to_service(imap, tcp, 143);
&forward_to_service(sieve, tcp, 4190);
&forward_to_service(dsync, tcp, 4170);
@def $mail_ip4 = @resolve(mail, A);
@def $mail_ip6 = @resolve(mail, AAAA);
domain (ip ip6) table filter chain FORWARD interface $bridge saddr @ipfilter(($mail_ip4 $mail_ip6)) protocol tcp dport smtp ACCEPT;

5
services/40-squid Normal file
View File

@ -0,0 +1,5 @@
&def_service(squid, squid, tcp, 8888);
&forward_to_service(squid, tcp, 8888);
&def_service(ssquid, squid, tcp, 8889);
&forward_to_service(ssquid, tcp, 8889);
&allow_service_for(ldap, squid);

6
services/40-web Normal file
View File

@ -0,0 +1,6 @@
&def_service(web, web, tcp, 80);
&def_service(webs, web, tcp, 443);
&forward_to_service(web, tcp, 80);
&forward_to_service(webs, tcp, 443);
&allow_service_for(ldap, web);

4
services/45-adminer Normal file
View File

@ -0,0 +1,4 @@
&def_service(adminer, adminer, tcp, 9000);
&allow_service_for(postgres, adminer);
&allow_service_for(mysql, adminer);
&allow_service_for(adminer, web);

2
services/45-classifier Normal file
View File

@ -0,0 +1,2 @@
&def_service(classifier, classifier, tcp, 22);
&forward_to_service(classifier, tcp, 2200);

6
services/45-dn42 Normal file
View File

@ -0,0 +1,6 @@
# IKE negotiations
&def_service(ike, dn42, udp, 500);
&forward_to_service(ike, udp, 500);
# ESP encrypton and authentication
&def_service(esp, dn42, udp, 50);
&forward_to_service(esp, udp, 50);

10
services/45-dns Normal file
View File

@ -0,0 +1,10 @@
&def_service(dns, dns, udp, 53);
&def_service(dns-pub, dns, udp, 5353);
&def_service(dnsweb, dns, tcp, 80);
&forward_to_service(dns-pub, udp, 53);
&allow_service_for_all(dns);
&allow_service_for_all(dns);
&allow_service_for(dnsweb, web);
&allow_service_for(postgres, dns);

3
services/45-etherpad Normal file
View File

@ -0,0 +1,3 @@
&def_service(etherpad, etherpad, tcp, 9000);
&allow_service_for(etherpad, web);
&allow_service_for(postgres, etherpad);

7
services/45-git Normal file
View File

@ -0,0 +1,7 @@
&def_service(git, git, tcp, 9000);
&allow_service_for(git, web);
&allow_service_for(postgres, git);
&allow_service_for(ldap, git);
&def_service(git-ssh, git, tcp, 22);
&forward_to_service(git-ssh, tcp, 22);

3
services/45-istwiki Normal file
View File

@ -0,0 +1,3 @@
&def_service(istwiki, istwiki, tcp, 9000);
&allow_service_for(istwiki, web);
&allow_service_for(mysql, istwiki);

3
services/45-ldapadmin Normal file
View File

@ -0,0 +1,3 @@
&def_service(ldapadmin, ldapadmin, tcp, 9000);
&allow_service_for(ldapadmin, web);
&allow_service_for(ldap, ldapadmin);

4
services/45-owncloud Normal file
View File

@ -0,0 +1,4 @@
&def_service(owncloud, owncloud, tcp, 9000);
&allow_service_for(owncloud, web);
&allow_service_for(postgres, owncloud);
&allow_service_for(ldap, owncloud);

3
services/45-phpmyadmin Normal file
View File

@ -0,0 +1,3 @@
&def_service(phpmyadmin, phpmyadmin, tcp, 9000);
&allow_service_for(phpmyadmin, web);
&allow_service_for(mysql, phpmyadmin);

3
services/45-phppgadmin Normal file
View File

@ -0,0 +1,3 @@
&def_service(phppgadmin, phppgadmin, tcp, 9000);
&allow_service_for(phppgadmin, web);
&allow_service_for(postgres, phppgadmin);

4
services/45-piwik Normal file
View File

@ -0,0 +1,4 @@
&def_service(piwik, piwik, tcp, 9000);
&allow_service_for(piwik, web);
&allow_service_for(mysql, piwik);
&allow_service_for(ldap, piwik);

17
services/45-prosody Normal file
View File

@ -0,0 +1,17 @@
&def_service(xmpp-client, prosody, tcp, 5222);
&def_service(xmpp-server, prosody, tcp, 5269);
&def_service(xmpp-bosh, prosody, tcp, 5280);
&def_service(bosh-ssl, prosody, tcp, 5281);
&def_service(xmpp-proxy65, prosody, tcp, 5000);
&allow_service_for_all(xmpp-client);
&allow_service_for_all(xmpp-server);
&allow_service_for_all(xmpp-proxy65);
&forward_to_service(xmpp-client, tcp, 5222);
&forward_to_service(xmpp-server, tcp, 5269);
&forward_to_service(xmpp-bosh, tcp, 5280);
&forward_to_service(bosh-ssl, tcp, 5281);
&forward_to_service(xmpp-proxy65, tcp, 5000);
&allow_service_for(postgres, prosody);
&allow_service_for(ldap, prosody);

3
services/45-rainloop Normal file
View File

@ -0,0 +1,3 @@
&def_service(rainloop, rainloop, tcp, 9000);
&allow_service_for(postgres, rainloop);
&allow_service_for(rainloop, web);

15
services/45-seafile Normal file
View File

@ -0,0 +1,15 @@
&def_service(seafile, seafile, tcp, 12001);
&def_service(ccnet, seafile, tcp, 10001);
&def_service(seahub, seafile, tcp, 8000);
&def_service(webdav, seafile, tcp, 8080);
&def_service(filesrv, seafile, tcp, 8082);
&allow_service_for(seahub, web);
&allow_service_for(filesrv, web);
&allow_service_for(webdav, web);
&allow_service_for(ldap, seafile);
&allow_service_for(postgres, seafile);
&allow_service_for(smtp, seafile);
&allow_service_for(submission, seafile);
&forward_to_service(seafile, tcp, 12001);
&forward_to_service(ccnet, tcp, 10001);

4
services/45-ttrss Normal file
View File

@ -0,0 +1,4 @@
&def_service(ttrss, ttrss, tcp, 9000);
&allow_service_for(ttrss, web);
&allow_service_for(postgres, ttrss);
&allow_service_for(ldap, ttrss);

3
services/45-tweetnest Normal file
View File

@ -0,0 +1,3 @@
&def_service(tweetnest, tweetnest, tcp, 9000);
&allow_service_for(tweetnest, web);
&allow_service_for(mysql, tweetnest);

3
services/45-ytm Normal file
View File

@ -0,0 +1,3 @@
&def_service(ytm, ytm, tcp, 9000);
&allow_service_for(ytm, web);
&allow_service_for(mysql, ytm);

4
services/70-pyload Normal file
View File

@ -0,0 +1,4 @@
&def_service(pyload, pyload, tcp, 8001);
&allow_service_for(pyload, web);
&def_service(pyloadremote, pyload, tcp, 7227);
&forward_to_service(pyloadremote, tcp, 7227);

20
services/70-teamspeak Normal file
View File

@ -0,0 +1,20 @@
# default services
&def_service(ts3_ft, teamspeak, tcp, 30033);
&forward_to_service(ts3_ft, tcp, 30033);
&def_service(ts3_sq, teamspeak, tcp, 10011);
&forward_to_service(ts3_sq, tcp, 10011);
&def_service(ts3_dns, teamspeak, tcp, 41144);
&forward_to_service(ts3_dns, tcp, 41144);
# servers
&def_service(ts3_devkid, teamspeak, udp, 9987);
&forward_to_service(ts3_devkid, udp, 9987);
&def_service(ts3_ist, teamspeak, udp, 4242);
&forward_to_service(ts3_ist, udp, 4242);
&def_service(ts3_martin, teamspeak, udp, 5037);
&forward_to_service(ts3_martin, udp, 5037);
&def_service(ts3_putzy, teamspeak, udp, 9000);
&forward_to_service(ts3_putzy, udp, 9000);