diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2019-01-03 17:01:29 -0200 | 
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2019-01-03 17:01:29 -0200 | 
| commit | 81fbd1a3b93b8ec7abc5af38e9ffa4fa492e3f74 (patch) | |
| tree | 8c60706bd046ebdb33f8953402772dba160de815 /share/provision/files | |
| parent | 35e0621effa975cfe0e64d1bd5c71bda69c65332 (diff) | |
| download | kvmx-81fbd1a3b93b8ec7abc5af38e9ffa4fa492e3f74.tar.gz kvmx-81fbd1a3b93b8ec7abc5af38e9ffa4fa492e3f74.tar.bz2 | |
Provision: IPredator: firewall support
Diffstat (limited to 'share/provision/files')
3 files changed, 212 insertions, 0 deletions
| diff --git a/share/provision/files/ipredator/etc/ferm/ferm.conf b/share/provision/files/ipredator/etc/ferm/ferm.conf new file mode 100644 index 0000000..d7b97a3 --- /dev/null +++ b/share/provision/files/ipredator/etc/ferm/ferm.conf @@ -0,0 +1,171 @@ +# -*- shell-script -*- +# +#  Configuration file for ferm(1). +# +#  V: 0.1 +# +#  ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html +#  Blog post:   https://blog.ipredator.se/linux-firewall-howto.html +# + +# Really make sure that these modules exist and are loaded. +@hook pre "/sbin/modprobe nf_conntrack_ftp"; +@hook pre "/sbin/modprobe nfnetlink_log"; + +# Network interfaces. +#@def $DEV_LAN = eth0; +@def $DEV_LAN = ens3; +@def $DEV_LOOPBACK = lo0; +@def $DEV_VPN = tun0; + +# Network definition for the loopback device. This is needed to allow +# DNS resolution on Ubuntu Linux where the local resolver is bound +# to 127.0.1.1 - as opposed to the default 127.0.0.1. +@def $NET_LOOPBACK = 127.0.0.0/8; + +# Common application ports. +@def $PORT_DNS = 53; +@def $PORT_FTP = ( 20 21 ); +@def $PORT_NTP = 123; +@def $PORT_SSH = 22; +@def $PORT_WEB = ( 80 443 ); + +# The ports we allow OpenVPN to connect to. IPredator allows you +# to connect on _any_ port. Simply add more ports if desired but +# stick to only those that you really need. +@def $PORT_OPENVPN = (1194 1234 1337 2342 5060); + +# Public DNS servers and those that are only reachable via VPN. +# DNS servers are specified in the outbound DNS rules to prevent DNS leaks +# (https://www.dnsleaktest.com/). The public DNS servers configured on your +# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), +# but you need to verify this. +# +@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32); + +# Add your ISP name server to this object if you want to restrict  +# which DNS servers can be queried. +@def $IP_DNS_PUBLIC = 0.0.0.0/0; + +# DNS server available within the VPN. +@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 ); + +# Make sure to use the proper VPN interface (e.g. tun0 in this case). +# Note: You cannot reference $DEV_VPN here, substition does not take +#       place for commands passed to a sub shell. +@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`; + +# VPN interface conditional. If true the following rules are loaded. +@if $VPN_ACTIVE { +    domain ip { +        table filter { +            chain OUTPUT { +                # Default allowed outbound services on the VPN interface. +                # If you need more simply add your rules here. +                outerface $DEV_VPN { +                    proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; +                    proto tcp dport $PORT_FTP ACCEPT; +                    proto udp dport $PORT_NTP ACCEPT; +                    proto tcp dport $PORT_SSH ACCEPT; +                    proto tcp dport $PORT_WEB ACCEPT; +                } +            } +        } +    } +} + +# The main IPv4 rule set. +domain ip { +    table filter { +        chain INPUT { +            # The default policy for the chain. Usually ACCEPT or DROP or REJECT. +            policy DROP; + +            # Connection tracking. +            mod state state INVALID DROP; +            mod state state (ESTABLISHED RELATED) ACCEPT; + +            # Allow local traffic to loopback interface. +            daddr $NET_LOOPBACK ACCEPT; +  +            # Allow inbound SSH on your LAN interface _only_. +            interface $DEV_LAN { +                proto tcp dport $PORT_SSH ACCEPT; +            } + +            # Respond to ping ... makes debugging easier. +            proto icmp icmp-type echo-request ACCEPT; + +            # Log dropped packets. +            NFLOG nflog-group 1; +            DROP; +        } + +        chain OUTPUT { +            policy DROP; + +            # Connection tracking. +            mod state state INVALID DROP; +            mod state state (ESTABLISHED RELATED) ACCEPT; + +            # Allow local traffic from the loopback interface. +            saddr $NET_LOOPBACK ACCEPT; +   +            # Respond to ping. +            proto icmp icmp-type echo-request ACCEPT; + +            # Allowed services on the LAN interface. +            outerface $DEV_LAN { +                proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; +                proto udp dport $PORT_NTP ACCEPT; +                proto (tcp udp) dport $PORT_OPENVPN ACCEPT; +                proto tcp dport $PORT_SSH ACCEPT; +            } + +            # Log dropped packets. +            NFLOG nflog-group 1; +            DROP; +        } + +        chain FORWARD { +            policy DROP; + +            # If you use your machine to route traffic eg.  +            # from a VM you have to add rules here! + +            # Log dropped packets. +            NFLOG nflog-group 1; +            DROP; +        } +    } +} + +# IPv6 is generally disabled, communication on the loopback device is allowed. +domain ip6 { +    table filter { +        chain INPUT { +            policy DROP; + +            # Allow local traffic. +            interface $DEV_LOOPBACK ACCEPT; + +            # Log dropped packets. +            NFLOG nflog-group 1; +            DROP; +        } +        chain OUTPUT { +            policy DROP; + +            # Log dropped packets. +            NFLOG nflog-group 1; +            DROP; +        } +        chain FORWARD { +            policy DROP; + +            # Log dropped packets. +            NFLOG nflog-group 1; +            DROP; +        } +    } +} diff --git a/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules new file mode 100644 index 0000000..64d8bd1 --- /dev/null +++ b/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules @@ -0,0 +1,2 @@ +KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add" +KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove" diff --git a/share/provision/files/ipredator/usr/local/bin/fermreload.sh b/share/provision/files/ipredator/usr/local/bin/fermreload.sh new file mode 100755 index 0000000..cebf7cc --- /dev/null +++ b/share/provision/files/ipredator/usr/local/bin/fermreload.sh @@ -0,0 +1,39 @@ +#!/bin/bash +# +# fermreload.sh +# V: 0.1 +# +# Reloads the ferm firewall ruleset and is invoked by +# the udev via /etc/udev/rules.d/81-vpn-firewall.rules. +# +# IPredator 2014 +# Released under the Kopimi license. +# +# Blog post:   https://blog.ipredator.se/linux-firewall-howto.html +# + +LOGGER=/usr/bin/logger +LOGGER_TAG=$0 + +UDEV_ACTION=$1 + +FERM=/usr/sbin/ferm +FERM_CONF=/etc/ferm/ferm.conf + +MSG_FW_RULE_ADD="Adding VPN firewall rules." +MSG_FW_RULE_REMOVE="Removing VPN firewall rules." +MSG_UDEV_ACTION_UNKNOWN="Unknown udev action." + +case "$UDEV_ACTION" in +    add) +        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD +        $FERM $FERM_CONF +        ;; +    remove) +        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE +        $FERM $FERM_CONF +        ;; +    *) +        $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN +        exit 1 +esac | 
