aboutsummaryrefslogtreecommitdiff
path: root/share/provision/files/ipredator
diff options
context:
space:
mode:
Diffstat (limited to 'share/provision/files/ipredator')
-rw-r--r--share/provision/files/ipredator/etc/ferm/ferm.conf181
-rw-r--r--share/provision/files/ipredator/etc/openvpn/ipredator.conf94
-rw-r--r--share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules2
-rwxr-xr-xshare/provision/files/ipredator/usr/local/bin/fermreload.sh39
4 files changed, 0 insertions, 316 deletions
diff --git a/share/provision/files/ipredator/etc/ferm/ferm.conf b/share/provision/files/ipredator/etc/ferm/ferm.conf
deleted file mode 100644
index a25a3d2..0000000
--- a/share/provision/files/ipredator/etc/ferm/ferm.conf
+++ /dev/null
@@ -1,181 +0,0 @@
-# -*- shell-script -*-
-#
-# Configuration file for ferm(1).
-#
-# V: 0.1
-#
-# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
-# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-# Really make sure that these modules exist and are loaded.
-@hook pre "/sbin/modprobe nf_conntrack_ftp";
-@hook pre "/sbin/modprobe nfnetlink_log";
-
-# Network interfaces.
-#@def $DEV_LAN = eth0;
-@def $DEV_LAN = ens3;
-@def $DEV_LOOPBACK = lo0;
-@def $DEV_VPN = tun0;
-
-# Network definition for the loopback device. This is needed to allow
-# DNS resolution on Ubuntu Linux where the local resolver is bound
-# to 127.0.1.1 - as opposed to the default 127.0.0.1.
-@def $NET_LOOPBACK = 127.0.0.0/8;
-
-# Common application ports.
-@def $PORT_DNS = 53;
-@def $PORT_FTP = ( 20 21 );
-@def $PORT_NTP = 123;
-@def $PORT_SSH = 22;
-@def $PORT_WEB = ( 80 443 );
-
-# The ports we allow OpenVPN to connect to. IPredator allows you
-# to connect on _any_ port. Simply add more ports if desired but
-# stick to only those that you really need.
-@def $PORT_OPENVPN = (1194 1234 1337 2342 5060);
-
-# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
-# Ports Transmission is allowed to use.
-@def $PORT_TRANSMISSION = 16384:65535;
-
-# Public DNS servers and those that are only reachable via VPN.
-# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
-# (https://www.dnsleaktest.com/). The public DNS servers configured on your
-# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
-# but you need to verify this.
-#
-@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32);
-
-# Add your ISP name server to this object if you want to restrict
-# which DNS servers can be queried.
-@def $IP_DNS_PUBLIC = 0.0.0.0/0;
-
-# DNS server available within the VPN.
-@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 );
-
-# Make sure to use the proper VPN interface (e.g. tun0 in this case).
-# Note: You cannot reference $DEV_VPN here, substition does not take
-# place for commands passed to a sub shell.
-@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`;
-
-# VPN interface conditional. If true the following rules are loaded.
-@if $VPN_ACTIVE {
- domain ip {
- table filter {
- chain INPUT {
- interface $DEV_VPN {
- proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
- }
- }
- chain OUTPUT {
- # Default allowed outbound services on the VPN interface.
- # If you need more simply add your rules here.
- outerface $DEV_VPN {
- proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
- proto tcp dport $PORT_FTP ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
- proto tcp dport $PORT_WEB ACCEPT;
- }
- }
- }
- }
-}
-
-# The main IPv4 rule set.
-domain ip {
- table filter {
- chain INPUT {
- # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic to loopback interface.
- daddr $NET_LOOPBACK ACCEPT;
-
- # Allow inbound SSH on your LAN interface _only_.
- interface $DEV_LAN {
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Respond to ping ... makes debugging easier.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain OUTPUT {
- policy DROP;
-
- # Connection tracking.
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # Allow local traffic from the loopback interface.
- saddr $NET_LOOPBACK ACCEPT;
-
- # Respond to ping.
- proto icmp icmp-type echo-request ACCEPT;
-
- # Allowed services on the LAN interface.
- outerface $DEV_LAN {
- proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
- proto udp dport $PORT_NTP ACCEPT;
- proto (tcp udp) dport $PORT_OPENVPN ACCEPT;
- proto tcp dport $PORT_SSH ACCEPT;
- }
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
-
- chain FORWARD {
- policy DROP;
-
- # If you use your machine to route traffic eg.
- # from a VM you have to add rules here!
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}
-
-# IPv6 is generally disabled, communication on the loopback device is allowed.
-domain ip6 {
- table filter {
- chain INPUT {
- policy DROP;
-
- # Allow local traffic.
- interface $DEV_LOOPBACK ACCEPT;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain OUTPUT {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- chain FORWARD {
- policy DROP;
-
- # Log dropped packets.
- NFLOG nflog-group 1;
- DROP;
- }
- }
-}
diff --git a/share/provision/files/ipredator/etc/openvpn/ipredator.conf b/share/provision/files/ipredator/etc/openvpn/ipredator.conf
deleted file mode 100644
index 439f31b..0000000
--- a/share/provision/files/ipredator/etc/openvpn/ipredator.conf
+++ /dev/null
@@ -1,94 +0,0 @@
-# VER: 0.25
-client
-dev tun0
-proto udp
-remote pw.openvpn.ipredator.se 1194
-remote pw.openvpn.ipredator.me 1194
-remote pw.openvpn.ipredator.es 1194
-resolv-retry infinite
-nobind
-
-#auth-user-pass /etc/openvpn/IPredator.auth
-auth-user-pass /etc/openvpn/ipredator.auth
-auth-retry nointeract
-
-ca [inline]
-
-tls-client
-tls-auth [inline]
-ns-cert-type server
-remote-cert-tls server
-remote-cert-ku 0x00e0
-
-keepalive 10 30
-cipher AES-256-CBC
-persist-key
-comp-lzo
-tun-mtu 1500
-mssfix 1200
-passtos
-verb 3
-replay-window 512 60
-mute-replay-warnings
-ifconfig-nowarn
-
-script-security 2
-up /etc/openvpn/update-resolv-conf
-down /etc/openvpn/update-resolv-conf
-
-# Disable this if your system does not support it!
-tls-version-min 1.2
-
-<ca>
------BEGIN CERTIFICATE-----
-MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
-VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi
-BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50
-ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex
-JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw
-NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI
-EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl
-ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT
-HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX
-aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf
-DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi
-bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68
-d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd
-Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm
-/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
-pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC
-Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh
-bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy
-IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3
-ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl
-ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
-DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw
-/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG
-M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p
-tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD
-CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P
-BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y
------END CERTIFICATE-----
-</ca>
-
-<tls-auth>
------BEGIN OpenVPN Static key V1-----
-03f7b2056b9dc67aa79c59852cb6b35a
-a3a15c0ca685ca76890bbb169e298837
-2bdc904116f5b66d8f7b3ea6a5ff05cb
-fc4f4889d702d394710e48164b28094f
-a0e1c7888d471da39918d747ca4bbc2f
-285f676763b5b8bee9bc08e4b5a69315
-d2ff6b9f4b38e6e2e8bcd05c8ac33c5c
-56c4c44dbca35041b67e2374788f8977
-7ad4ab8e06cd59e7164200dfbadb942a
-351a4171ab212c23bee1920120f81205
-efabaa5e34619f13adbe58b6c83536d3
-0d34e6466feabdd0e63b39ad9bb1116b
-37fafb95759ab9a15572842f70e7cba9
-69700972a01b21229eba487745c091dd
-5cd6d77bdc7a54a756ffe440789fd39e
-97aa9abe2749732b7262f82e4097bee3
------END OpenVPN Static key V1-----
-</tls-auth>
diff --git a/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules
deleted file mode 100644
index 64d8bd1..0000000
--- a/share/provision/files/ipredator/etc/udev/rules.d/81-vpn-firewall.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add"
-KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
diff --git a/share/provision/files/ipredator/usr/local/bin/fermreload.sh b/share/provision/files/ipredator/usr/local/bin/fermreload.sh
deleted file mode 100755
index cebf7cc..0000000
--- a/share/provision/files/ipredator/usr/local/bin/fermreload.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# fermreload.sh
-# V: 0.1
-#
-# Reloads the ferm firewall ruleset and is invoked by
-# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
-#
-# IPredator 2014
-# Released under the Kopimi license.
-#
-# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
-#
-
-LOGGER=/usr/bin/logger
-LOGGER_TAG=$0
-
-UDEV_ACTION=$1
-
-FERM=/usr/sbin/ferm
-FERM_CONF=/etc/ferm/ferm.conf
-
-MSG_FW_RULE_ADD="Adding VPN firewall rules."
-MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
-MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
-
-case "$UDEV_ACTION" in
- add)
- $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
- $FERM $FERM_CONF
- ;;
- remove)
- $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
- $FERM $FERM_CONF
- ;;
- *)
- $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
- exit 1
-esac