| author | Silvio Rhatto <rhatto@riseup.net> | 2020-11-06 19:33:02 -0300 | 
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2020-11-06 19:33:02 -0300 | 
| commit | a95c84c5cc9cdd4bced26bdb2c5c1908ffcaa6b5 (patch) | |
| tree | f1be0c3a1f1a738b1522816498078732917adac9 /share | |
| parent | 44aa200f3fc65c52b58bb49533bbfd17530911d0 (diff) | |
| download | kvmx-a95c84c5cc9cdd4bced26bdb2c5c1908ffcaa6b5.tar.gz kvmx-a95c84c5cc9cdd4bced26bdb2c5c1908ffcaa6b5.tar.bz2  | |
Feat: provision: njalla-wireguard: firewall config
Diffstat (limited to 'share')
4 files changed, 227 insertions, 7 deletions
diff --git a/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
new file mode 100644
index 0000000..9ef8208
--- /dev/null
+++ b/share/provision/files/njalla-wireguard/etc/ferm/ferm.conf
@@ -0,0 +1,179 @@
+# -*- shell-script -*-
+#
+#  Configuration file for ferm(1).
+#
+#  V: 0.1
+#
+#  ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
+#  Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
+#
+
+# Really make sure that these modules exist and are loaded.
+@hook pre "/sbin/modprobe nf_conntrack_ftp";
+@hook pre "/sbin/modprobe nfnetlink_log";
+
+# Network interfaces.
+#@def $DEV_LAN = eth0;
+@def $DEV_LAN = ens3;
+@def $DEV_LOOPBACK = lo0;
+@def $DEV_VPN = wg0;
+
+# Network definition for the loopback device. This is needed to allow
+# DNS resolution on Ubuntu Linux where the local resolver is bound
+# to 127.0.1.1 - as opposed to the default 127.0.0.1.
+@def $NET_LOOPBACK = 127.0.0.0/8;
+
+# Common application ports.
+@def $PORT_DNS = 53;
+@def $PORT_FTP = ( 20 21 );
+@def $PORT_NTP = 123;
+@def $PORT_SSH = 22;
+@def $PORT_WEB = ( 80 443 );
+
+# The ports we allow to connect to.
+@def $PORT_WIREGUARD = ( 51820 );
+
+# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
+# Ports Transmission is allowed to use.
+@def $PORT_TRANSMISSION = 16384:65535;
+
+# Public DNS servers and those that are only reachable via VPN.
+# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
+# (https://www.dnsleaktest.com/). The public DNS servers configured on your
+# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
+# but you need to verify this.
+#
+@def $IP_DNS_IPR_PUBLIC = ( 95.215.19.53/32 );
+
+# Add your ISP name server to this object if you want to restrict 
+# which DNS servers can be queried.
+@def $IP_DNS_PUBLIC = 0.0.0.0/0;
+
+# DNS server available within the VPN.
+@def $IP_DNS_VPN = ( 95.215.19.53/32 );
+
+# Make sure to use the proper VPN interface (e.g. wg0 in this case).
+# Note: You cannot reference $DEV_VPN here, substition does not take
+#       place for commands passed to a sub shell.
+@def $VPN_ACTIVE = `ip link show wg0 >/dev/null 2>/dev/null && echo 1 || echo`;
+
+# VPN interface conditional. If true the following rules are loaded.
+@if $VPN_ACTIVE {
+    domain ip {
+        table filter {
+            chain INPUT {
+                interface $DEV_VPN {
+                    proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
+                }
+            }
+            chain OUTPUT {
+                # Default allowed outbound services on the VPN interface.
+                # If you need more simply add your rules here.
+                outerface $DEV_VPN {
+                    proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
+                    proto tcp dport $PORT_FTP ACCEPT;
+                    proto udp dport $PORT_NTP ACCEPT;
+                    proto tcp dport $PORT_SSH ACCEPT;
+                    proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
+                    proto tcp dport $PORT_WEB ACCEPT;
+                }
+            }
+        }
+    }
+}
+
+# The main IPv4 rule set.
+domain ip {
+    table filter {
+        chain INPUT {
+            # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
+            policy DROP;
+
+            # Connection tracking.
+            mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+
+            # Allow local traffic to loopback interface.
+            daddr $NET_LOOPBACK ACCEPT;
+ 
+            # Allow inbound SSH on your LAN interface _only_.
+            interface $DEV_LAN {
+                proto tcp dport $PORT_SSH ACCEPT;
+            }
+
+            # Respond to ping ... makes debugging easier.
+            proto icmp icmp-type echo-request ACCEPT;
+
+            # Log dropped packets.
+            NFLOG nflog-group 1;
+            DROP;
+        }
+
+        chain OUTPUT {
+            policy DROP;
+
+            # Connection tracking.
+            mod state state INVALID DROP;
+            mod state state (ESTABLISHED RELATED) ACCEPT;
+
+            # Allow local traffic from the loopback interface.
+            saddr $NET_LOOPBACK ACCEPT;
+  
+            # Respond to ping.
+            proto icmp icmp-type echo-request ACCEPT;
+
+            # Allowed services on the LAN interface.
+            outerface $DEV_LAN {
+                proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
+                proto udp dport $PORT_NTP ACCEPT;
+                proto (tcp udp) dport $PORT_WIREGUARD ACCEPT;
+                proto tcp dport $PORT_SSH ACCEPT;
+            }
+
+            # Log dropped packets.
+            NFLOG nflog-group 1;
+            DROP;
+        }
+
+        chain FORWARD {
+            policy DROP;
+
+            # If you use your machine to route traffic eg. 
+            # from a VM you have to add rules here!
+
+            # Log dropped packets.
+            NFLOG nflog-group 1;
+            DROP;
+        }
+    }
+}
+
+# IPv6 is generally disabled, communication on the loopback device is allowed.
+domain ip6 {
+    table filter {
+        chain INPUT {
+            policy DROP;
+
+            # Allow local traffic.
+            interface $DEV_LOOPBACK ACCEPT;
+
+            # Log dropped packets.
+            NFLOG nflog-group 1;
+            DROP;
+        }
+        chain OUTPUT {
+            policy DROP;
+
+            # Log dropped packets.
+            NFLOG nflog-group 1;
+            DROP;
+        }
+        chain FORWARD {
+            policy DROP;
+
+            # Log dropped packets.
+            NFLOG nflog-group 1;
+            DROP;
+        }
+    }
+}
diff --git a/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules
new file mode 100644
index 0000000..8c9d744
--- /dev/null
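Review bot: `@def $DEV_LOOPBACK = lo0;` names the BSD loopback device; on Linux the interface is `lo`, so `interface $DEV_LOOPBACK ACCEPT;` in the ip6 INPUT chain matches nothing and the IPv6 loopback traffic the header comment says is allowed is in fact dropped and logged. The ip6 OUTPUT chain has no loopback exception at all, so even with the name fixed a packet to ::1 is dropped before it reaches INPUT; change the definition to `@def $DEV_LOOPBACK = lo;` and add `outerface $DEV_LOOPBACK ACCEPT;` under `chain OUTPUT` in `domain ip6`. Separately, the IPv4 INPUT chain accepts nothing on `$PORT_WIREGUARD` (only OUTPUT on `$DEV_LAN` does) and FORWARD drops everything, which is right for a VPN client but silently breaks a host that is meant to accept WireGuard peers or route their traffic; presumably the client role is intended here, but that is worth confirming for an njalla provisioning target. The `nf_conntrack_ftp` helper is force-loaded by the pre hook although only outbound FTP over the VPN is permitted; it can be dropped if FTP is not actually used.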
+++ b/share/provision/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules
@@ -0,0 +1,2 @@
+KERNEL=="wg0", ACTION=="add",    RUN+="/usr/local/bin/fermreload.sh add"
+KERNEL=="wg0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
diff --git a/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh b/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh
new file mode 100755
index 0000000..cebf7cc
--- /dev/null
+++ b/share/provision/files/njalla-wireguard/usr/local/bin/fermreload.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# fermreload.sh
+# V: 0.1
+#
+# Reloads the ferm firewall ruleset and is invoked by
+# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
+#
+# IPredator 2014
+# Released under the Kopimi license.
+#
+# Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
+#
+
+LOGGER=/usr/bin/logger
+LOGGER_TAG=$0
+
+UDEV_ACTION=$1
+
+FERM=/usr/sbin/ferm
+FERM_CONF=/etc/ferm/ferm.conf
+
+MSG_FW_RULE_ADD="Adding VPN firewall rules."
+MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
+MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
+
+case "$UDEV_ACTION" in
+    add)
+        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
+        $FERM $FERM_CONF
+        ;;
+    remove)
+        $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
+        $FERM $FERM_CONF
+        ;;
+    *)
+        $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
+        exit 1
+esac
diff --git a/share/provision/njalla-wireguard b/share/provision/njalla-wireguard
index fe3d7fe..df364bf 100755
--- a/share/provision/njalla-wireguard
+++ b/share/provision/njalla-wireguard
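Review bot: In fermreload.sh a failing ferm run is neither logged nor distinguishable from success: both the `add)` and `remove)` branches run `$FERM $FERM_CONF` bare, and because udev invokes the script from 81-vpn-firewall.rules its exit status goes nowhere, so a ruleset that fails to load leaves the host on whatever rules were active with only the "Adding VPN firewall rules." line in syslog. Log the failure in both branches, e.g. `$FERM "$FERM_CONF" || $LOGGER -t "$LOGGER_TAG" "ferm reload of $FERM_CONF failed (exit $?)"`. The expansions `$LOGGER_TAG` and `$MSG_FW_RULE_ADD` are unquoted throughout; it works because logger joins its arguments with spaces, but quoting them is the conventional form and avoids surprises if a message ever contains a glob character. Note that `add` and `remove` run the identical command and the real switch is the `$VPN_ACTIVE` backtick probe in ferm.conf; on the remove path that probe runs while udev is still processing the removal, and it is presumably already failing at that point, but that is worth verifying rather than assuming.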
@@ -30,13 +30,13 @@ APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y"  $DIRNAME/wireguard $HOSTNAME $DOMAIN $MIRROR  # Firewall -#$APT_INSTALL ferm ulogd2 ulogd2-pcap -#sudo cp $DIRNAME/files/njalla-wireguard/etc/ferm/ferm.conf /etc/ferm -#sudo cp $DIRNAME/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d -#sudo cp $DIRNAME/files/njalla-wireguard/usr/local/bin/fermreload.sh /usr/local/bin -#sudo chmod 555 /usr/local/bin/fermreload.sh -#sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm -#sudo service ferm restart +$APT_INSTALL ferm ulogd2 ulogd2-pcap +sudo cp $DIRNAME/files/njalla-wireguard/etc/ferm/ferm.conf /etc/ferm +sudo cp $DIRNAME/files/njalla-wireguard/etc/udev/rules.d/81-vpn-firewall.rules /etc/udev/rules.d +sudo cp $DIRNAME/files/njalla-wireguard/usr/local/bin/fermreload.sh /usr/local/bin +sudo chmod 555 /usr/local/bin/fermreload.sh +sudo sed -i -e 's/^ENABLED=.*$/ENABLED="yes"/' /etc/default/ferm +sudo service ferm restart  # Njalla  echo "Please configure /etc/wireguard/ng0.conf"  | 
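Review bot: `sudo service ferm restart` on the last added line activates a ruleset whose INPUT chain accepts new SSH connections only on `$DEV_LAN = ens3`; the `#@def $DEV_LAN = eth0;` alternative left in ferm.conf shows the name is host dependent, and on a VPS where it differs this step locks the operator out of the machine just provisioned (the current session survives through the ESTABLISHED rule, every new one is dropped). Guard the restart with a check that the configured interface exists, e.g. `ip link show ens3 >/dev/null 2>&1 || { echo "ferm.conf expects ens3; adjust \$DEV_LAN before enabling the firewall" >&2; exit 1; }`, or derive the name from the default route before copying the config. The copied udev rule is not followed by `sudo udevadm control --reload-rules`; systemd-udevd usually notices changes to rules.d on its own, but an explicit reload makes the provisioning step deterministic. The surrounding script continues outside the hunk.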
