first commit
This commit is contained in:
commit
a7d20af5ad
35
ferm.conf
Normal file
35
ferm.conf
Normal file
@ -0,0 +1,35 @@
|
||||
@def $subnet = 10.100.0.0/16;
|
||||
@def $bridge = br0;
|
||||
@def $internet = "enp2s0";
|
||||
@def $wanip = `ip a s enp2s0 | awk '{if($0 ~ "inet "){split($2,a,"/");print a[1]}}'`;
|
||||
|
||||
include 'ferm.d/functions';
|
||||
include `find ferm.d/services/*`;
|
||||
|
||||
domain (ip ip6) {
|
||||
table nat {
|
||||
chain PREROUTING policy ACCEPT;
|
||||
chain POSTROUTING policy ACCEPT;
|
||||
chain INPUT policy ACCEPT;
|
||||
chain OUTPUT policy ACCEPT;
|
||||
}
|
||||
table filter {
|
||||
chain FORWARD {
|
||||
interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
|
||||
interface $bridge outerface $internet ACCEPT;
|
||||
}
|
||||
chain (INPUT FORWARD) {
|
||||
policy DROP;
|
||||
interface lo ACCEPT;
|
||||
protocol icmp ACCEPT;
|
||||
mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
|
||||
protocol tcp REJECT reject-with tcp-reset;
|
||||
protocol udp REJECT reject-with icmp-port-unreachable;
|
||||
REJECT reject-with icmp-port-unreachable;
|
||||
}
|
||||
chain OUTPUT policy ACCEPT;
|
||||
}
|
||||
}
|
||||
domain ip table nat {
|
||||
chain POSTROUTING outerface $internet MASQUERADE;
|
||||
}
|
62
functions
Normal file
62
functions
Normal file
@ -0,0 +1,62 @@
|
||||
# Allow connections to public ports on the host
|
||||
@def &allow_local($proto, $port) = {
|
||||
domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT;
|
||||
}
|
||||
|
||||
# Defines a service residing in a given container
|
||||
@def &def_service($service, $container, $proto, $port) = {
|
||||
# look up IP addresses of the container
|
||||
@def $ip4 = @resolve($container, A);
|
||||
@def $ip6 = @resolve($container, AAAA);
|
||||
|
||||
# chain to allow forwarding to the service
|
||||
domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
|
||||
|
||||
# chain to do the DNAT to change the address / port to the one of the container / service
|
||||
domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
|
||||
domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port";
|
||||
}
|
||||
|
||||
# Forwards a public port to the given service
|
||||
@def &forward_to_service($service, $proto, $port) = {
|
||||
domain (ip ip6) {
|
||||
# allow forwarding to the service
|
||||
table filter chain FORWARD jump @cat("allow_", $service);
|
||||
|
||||
table nat {
|
||||
|
||||
# change destination address / port to the one of the container / service
|
||||
chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Allows connection from the given container to the specified service (which resides in another container)
|
||||
@def &allow_service_for($service, $container) = {
|
||||
@def $ip4 = @resolve($container, A);
|
||||
@def $ip6 = @resolve($container, AAAA);
|
||||
domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service);
|
||||
}
|
||||
|
||||
# Allows connection a specific service to all containers
|
||||
@def &allow_service_for_all($service) = {
|
||||
domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service);
|
||||
}
|
||||
|
||||
|
||||
# ----------------
|
||||
# currently unused
|
||||
|
||||
@def &forward_to($container, $proto, $port) = {
|
||||
# look up IP addresses of the container
|
||||
@def $ip4 = @resolve($container, A);
|
||||
@def $ip6 = @resolve($container, AAAA);
|
||||
|
||||
domain (ip ip6) {
|
||||
# allow forwarding to container
|
||||
table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
|
||||
|
||||
# change destination address to the containers one
|
||||
table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6);
|
||||
}
|
||||
}
|
4
services/00-local
Normal file
4
services/00-local
Normal file
@ -0,0 +1,4 @@
|
||||
&allow_local(tcp, 22022); # SSH
|
||||
&allow_local(udp, 60000:60010); # Mosh
|
||||
&allow_local(tcp, 655); # tinc
|
||||
&allow_local(udp, 655); # tinc
|
1
services/20-ldap
Normal file
1
services/20-ldap
Normal file
@ -0,0 +1 @@
|
||||
&def_service(ldap, ldap, tcp, 389);
|
6
services/20-login
Normal file
6
services/20-login
Normal file
@ -0,0 +1,6 @@
|
||||
&def_service(login, login, tcp, 22);
|
||||
&forward_to_service(login, tcp, 22722);
|
||||
&allow_service_for(ldap, login);
|
||||
|
||||
&def_service(mosh_login, login, udp, 60011);
|
||||
&forward_to_service(mosh_login, udp, 60011);
|
2
services/30-database
Normal file
2
services/30-database
Normal file
@ -0,0 +1,2 @@
|
||||
&def_service(mysql, mysql, tcp, 3306);
|
||||
&def_service(postgres, postgres, tcp, 5432);
|
17
services/40-mail
Normal file
17
services/40-mail
Normal file
@ -0,0 +1,17 @@
|
||||
&allow_service_for(ldap,mail);
|
||||
|
||||
&def_service(smtp, mail, tcp, 25);
|
||||
&def_service(submission, mail, tcp, 587);
|
||||
&def_service(imap, mail, tcp, 143);
|
||||
&def_service(sieve, mail, tcp, 4190);
|
||||
&def_service(dsync, mail, tcp, 4170);
|
||||
|
||||
&forward_to_service(smtp, tcp, 25);
|
||||
&forward_to_service(submission, tcp, 587);
|
||||
&forward_to_service(imap, tcp, 143);
|
||||
&forward_to_service(sieve, tcp, 4190);
|
||||
&forward_to_service(dsync, tcp, 4170);
|
||||
|
||||
@def $mail_ip4 = @resolve(mail, A);
|
||||
@def $mail_ip6 = @resolve(mail, AAAA);
|
||||
domain (ip ip6) table filter chain FORWARD interface $bridge saddr @ipfilter(($mail_ip4 $mail_ip6)) protocol tcp dport smtp ACCEPT;
|
5
services/40-squid
Normal file
5
services/40-squid
Normal file
@ -0,0 +1,5 @@
|
||||
&def_service(squid, squid, tcp, 8888);
|
||||
&forward_to_service(squid, tcp, 8888);
|
||||
&def_service(ssquid, squid, tcp, 8889);
|
||||
&forward_to_service(ssquid, tcp, 8889);
|
||||
&allow_service_for(ldap, squid);
|
6
services/40-web
Normal file
6
services/40-web
Normal file
@ -0,0 +1,6 @@
|
||||
&def_service(web, web, tcp, 80);
|
||||
&def_service(webs, web, tcp, 443);
|
||||
|
||||
&forward_to_service(web, tcp, 80);
|
||||
&forward_to_service(webs, tcp, 443);
|
||||
&allow_service_for(ldap, web);
|
4
services/45-adminer
Normal file
4
services/45-adminer
Normal file
@ -0,0 +1,4 @@
|
||||
&def_service(adminer, adminer, tcp, 9000);
|
||||
&allow_service_for(postgres, adminer);
|
||||
&allow_service_for(mysql, adminer);
|
||||
&allow_service_for(adminer, web);
|
2
services/45-classifier
Normal file
2
services/45-classifier
Normal file
@ -0,0 +1,2 @@
|
||||
&def_service(classifier, classifier, tcp, 22);
|
||||
&forward_to_service(classifier, tcp, 2200);
|
6
services/45-dn42
Normal file
6
services/45-dn42
Normal file
@ -0,0 +1,6 @@
|
||||
# IKE negotiations
|
||||
&def_service(ike, dn42, udp, 500);
|
||||
&forward_to_service(ike, udp, 500);
|
||||
# ESP encrypton and authentication
|
||||
&def_service(esp, dn42, udp, 50);
|
||||
&forward_to_service(esp, udp, 50);
|
10
services/45-dns
Normal file
10
services/45-dns
Normal file
@ -0,0 +1,10 @@
|
||||
&def_service(dns, dns, udp, 53);
|
||||
&def_service(dns-pub, dns, udp, 5353);
|
||||
&def_service(dnsweb, dns, tcp, 80);
|
||||
|
||||
&forward_to_service(dns-pub, udp, 53);
|
||||
|
||||
&allow_service_for_all(dns);
|
||||
&allow_service_for_all(dns);
|
||||
&allow_service_for(dnsweb, web);
|
||||
&allow_service_for(postgres, dns);
|
3
services/45-etherpad
Normal file
3
services/45-etherpad
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(etherpad, etherpad, tcp, 9000);
|
||||
&allow_service_for(etherpad, web);
|
||||
&allow_service_for(postgres, etherpad);
|
7
services/45-git
Normal file
7
services/45-git
Normal file
@ -0,0 +1,7 @@
|
||||
&def_service(git, git, tcp, 9000);
|
||||
&allow_service_for(git, web);
|
||||
&allow_service_for(postgres, git);
|
||||
&allow_service_for(ldap, git);
|
||||
|
||||
&def_service(git-ssh, git, tcp, 22);
|
||||
&forward_to_service(git-ssh, tcp, 22);
|
3
services/45-istwiki
Normal file
3
services/45-istwiki
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(istwiki, istwiki, tcp, 9000);
|
||||
&allow_service_for(istwiki, web);
|
||||
&allow_service_for(mysql, istwiki);
|
3
services/45-ldapadmin
Normal file
3
services/45-ldapadmin
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(ldapadmin, ldapadmin, tcp, 9000);
|
||||
&allow_service_for(ldapadmin, web);
|
||||
&allow_service_for(ldap, ldapadmin);
|
4
services/45-owncloud
Normal file
4
services/45-owncloud
Normal file
@ -0,0 +1,4 @@
|
||||
&def_service(owncloud, owncloud, tcp, 9000);
|
||||
&allow_service_for(owncloud, web);
|
||||
&allow_service_for(postgres, owncloud);
|
||||
&allow_service_for(ldap, owncloud);
|
3
services/45-phpmyadmin
Normal file
3
services/45-phpmyadmin
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(phpmyadmin, phpmyadmin, tcp, 9000);
|
||||
&allow_service_for(phpmyadmin, web);
|
||||
&allow_service_for(mysql, phpmyadmin);
|
3
services/45-phppgadmin
Normal file
3
services/45-phppgadmin
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(phppgadmin, phppgadmin, tcp, 9000);
|
||||
&allow_service_for(phppgadmin, web);
|
||||
&allow_service_for(postgres, phppgadmin);
|
4
services/45-piwik
Normal file
4
services/45-piwik
Normal file
@ -0,0 +1,4 @@
|
||||
&def_service(piwik, piwik, tcp, 9000);
|
||||
&allow_service_for(piwik, web);
|
||||
&allow_service_for(mysql, piwik);
|
||||
&allow_service_for(ldap, piwik);
|
17
services/45-prosody
Normal file
17
services/45-prosody
Normal file
@ -0,0 +1,17 @@
|
||||
&def_service(xmpp-client, prosody, tcp, 5222);
|
||||
&def_service(xmpp-server, prosody, tcp, 5269);
|
||||
&def_service(xmpp-bosh, prosody, tcp, 5280);
|
||||
&def_service(bosh-ssl, prosody, tcp, 5281);
|
||||
&def_service(xmpp-proxy65, prosody, tcp, 5000);
|
||||
&allow_service_for_all(xmpp-client);
|
||||
&allow_service_for_all(xmpp-server);
|
||||
&allow_service_for_all(xmpp-proxy65);
|
||||
|
||||
&forward_to_service(xmpp-client, tcp, 5222);
|
||||
&forward_to_service(xmpp-server, tcp, 5269);
|
||||
&forward_to_service(xmpp-bosh, tcp, 5280);
|
||||
&forward_to_service(bosh-ssl, tcp, 5281);
|
||||
&forward_to_service(xmpp-proxy65, tcp, 5000);
|
||||
|
||||
&allow_service_for(postgres, prosody);
|
||||
&allow_service_for(ldap, prosody);
|
3
services/45-rainloop
Normal file
3
services/45-rainloop
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(rainloop, rainloop, tcp, 9000);
|
||||
&allow_service_for(postgres, rainloop);
|
||||
&allow_service_for(rainloop, web);
|
15
services/45-seafile
Normal file
15
services/45-seafile
Normal file
@ -0,0 +1,15 @@
|
||||
&def_service(seafile, seafile, tcp, 12001);
|
||||
&def_service(ccnet, seafile, tcp, 10001);
|
||||
&def_service(seahub, seafile, tcp, 8000);
|
||||
&def_service(webdav, seafile, tcp, 8080);
|
||||
&def_service(filesrv, seafile, tcp, 8082);
|
||||
|
||||
&allow_service_for(seahub, web);
|
||||
&allow_service_for(filesrv, web);
|
||||
&allow_service_for(webdav, web);
|
||||
&allow_service_for(ldap, seafile);
|
||||
&allow_service_for(postgres, seafile);
|
||||
&allow_service_for(smtp, seafile);
|
||||
&allow_service_for(submission, seafile);
|
||||
&forward_to_service(seafile, tcp, 12001);
|
||||
&forward_to_service(ccnet, tcp, 10001);
|
4
services/45-ttrss
Normal file
4
services/45-ttrss
Normal file
@ -0,0 +1,4 @@
|
||||
&def_service(ttrss, ttrss, tcp, 9000);
|
||||
&allow_service_for(ttrss, web);
|
||||
&allow_service_for(postgres, ttrss);
|
||||
&allow_service_for(ldap, ttrss);
|
3
services/45-tweetnest
Normal file
3
services/45-tweetnest
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(tweetnest, tweetnest, tcp, 9000);
|
||||
&allow_service_for(tweetnest, web);
|
||||
&allow_service_for(mysql, tweetnest);
|
3
services/45-ytm
Normal file
3
services/45-ytm
Normal file
@ -0,0 +1,3 @@
|
||||
&def_service(ytm, ytm, tcp, 9000);
|
||||
&allow_service_for(ytm, web);
|
||||
&allow_service_for(mysql, ytm);
|
4
services/70-pyload
Normal file
4
services/70-pyload
Normal file
@ -0,0 +1,4 @@
|
||||
&def_service(pyload, pyload, tcp, 8001);
|
||||
&allow_service_for(pyload, web);
|
||||
&def_service(pyloadremote, pyload, tcp, 7227);
|
||||
&forward_to_service(pyloadremote, tcp, 7227);
|
20
services/70-teamspeak
Normal file
20
services/70-teamspeak
Normal file
@ -0,0 +1,20 @@
|
||||
# default services
|
||||
&def_service(ts3_ft, teamspeak, tcp, 30033);
|
||||
&forward_to_service(ts3_ft, tcp, 30033);
|
||||
&def_service(ts3_sq, teamspeak, tcp, 10011);
|
||||
&forward_to_service(ts3_sq, tcp, 10011);
|
||||
&def_service(ts3_dns, teamspeak, tcp, 41144);
|
||||
&forward_to_service(ts3_dns, tcp, 41144);
|
||||
|
||||
# servers
|
||||
&def_service(ts3_devkid, teamspeak, udp, 9987);
|
||||
&forward_to_service(ts3_devkid, udp, 9987);
|
||||
|
||||
&def_service(ts3_ist, teamspeak, udp, 4242);
|
||||
&forward_to_service(ts3_ist, udp, 4242);
|
||||
|
||||
&def_service(ts3_martin, teamspeak, udp, 5037);
|
||||
&forward_to_service(ts3_martin, udp, 5037);
|
||||
|
||||
&def_service(ts3_putzy, teamspeak, udp, 9000);
|
||||
&forward_to_service(ts3_putzy, udp, 9000);
|
Loading…
Reference in New Issue
Block a user