Diffstat (limited to 'share/provision/files/njalla')
-rw-r--r--share/provision/files/njalla/etc/ferm/ferm.conf181
-rw-r--r--share/provision/files/njalla/etc/openvpn/ipredator.conf94
-rw-r--r--share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules2
-rwxr-xr-xshare/provision/files/njalla/usr/local/bin/fermreload.sh39
4 files changed, 316 insertions, 0 deletions
diff --git a/share/provision/files/njalla/etc/ferm/ferm.conf b/share/provision/files/njalla/etc/ferm/ferm.conf
new file mode 100644
index 0000000..a25a3d2
--- /dev/null
+++ b/share/provision/files/njalla/etc/ferm/ferm.conf
@@ -0,0 +1,181 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+# V: 0.1
+#
+# ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
+# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
+#
+
+# Really make sure that these modules exist and are loaded.
+@hook pre "/sbin/modprobe nf_conntrack_ftp";
+@hook pre "/sbin/modprobe nfnetlink_log";
+
+# Network interfaces.
+#@def $DEV_LAN = eth0;
+@def $DEV_LAN = ens3;
+@def $DEV_LOOPBACK = lo0;
+@def $DEV_VPN = tun0;
+
+# Network definition for the loopback device. This is needed to allow
+# DNS resolution on Ubuntu Linux where the local resolver is bound
+# to 127.0.1.1 - as opposed to the default 127.0.0.1.
+@def $NET_LOOPBACK = 127.0.0.0/8;
+
+# Common application ports.
+@def $PORT_DNS = 53;
+@def $PORT_FTP = ( 20 21 );
+@def $PORT_NTP = 123;
+@def $PORT_SSH = 22;
+@def $PORT_WEB = ( 80 443 );
+
+# The ports we allow OpenVPN to connect to. IPredator allows you
+# to connect on _any_ port. Simply add more ports if desired but
+# stick to only those that you really need.
+@def $PORT_OPENVPN = (1194 1234 1337 2342 5060);
+
+# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
+# Ports Transmission is allowed to use.
+@def $PORT_TRANSMISSION = 16384:65535;
+
+# Public DNS servers and those that are only reachable via VPN.
+# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
+# (https://www.dnsleaktest.com/). The public DNS servers configured on your
+# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
+# but you need to verify this.
+#
+@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32);
+
+# Add your ISP name server to this object if you want to restrict
+# which DNS servers can be queried.
+@def $IP_DNS_PUBLIC = 0.0.0.0/0;
+
+# DNS server available within the VPN.
+@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 );
+
+# Make sure to use the proper VPN interface (e.g. tun0 in this case).
+# Note: You cannot reference $DEV_VPN here, substition does not take
+# place for commands passed to a sub shell.
+@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`;
+
+# VPN interface conditional. If true the following rules are loaded.
+@if $VPN_ACTIVE {
+ domain ip {
+ table filter {
+ chain INPUT {
+ interface $DEV_VPN {
+ proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
+ }
+ }
+ chain OUTPUT {
+ # Default allowed outbound services on the VPN interface.
+ # If you need more simply add your rules here.
+ outerface $DEV_VPN {
+ proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
+ proto tcp dport $PORT_FTP ACCEPT;
+ proto udp dport $PORT_NTP ACCEPT;
+ proto tcp dport $PORT_SSH ACCEPT;
+ proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
+ proto tcp dport $PORT_WEB ACCEPT;
+ }
+ }
+ }
+ }
+}
+
+# The main IPv4 rule set.
+domain ip {
+ table filter {
+ chain INPUT {
+ # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
+ policy DROP;
+
+ # Connection tracking.
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # Allow local traffic to loopback interface.
+ daddr $NET_LOOPBACK ACCEPT;
+
+ # Allow inbound SSH on your LAN interface _only_.
+ interface $DEV_LAN {
+ proto tcp dport $PORT_SSH ACCEPT;
+ }
+
+ # Respond to ping ... makes debugging easier.
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+
+ chain OUTPUT {
+ policy DROP;
+
+ # Connection tracking.
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # Allow local traffic from the loopback interface.
+ saddr $NET_LOOPBACK ACCEPT;
+
+ # Respond to ping.
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # Allowed services on the LAN interface.
+ outerface $DEV_LAN {
+ proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
+ proto udp dport $PORT_NTP ACCEPT;
+ proto (tcp udp) dport $PORT_OPENVPN ACCEPT;
+ proto tcp dport $PORT_SSH ACCEPT;
+ }
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+
+ chain FORWARD {
+ policy DROP;
+
+ # If you use your machine to route traffic eg.
+ # from a VM you have to add rules here!
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ }
+}
+
+# IPv6 is generally disabled, communication on the loopback device is allowed.
+domain ip6 {
+ table filter {
+ chain INPUT {
+ policy DROP;
+
+ # Allow local traffic.
+ interface $DEV_LOOPBACK ACCEPT;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ chain OUTPUT {
+ policy DROP;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ chain FORWARD {
+ policy DROP;
+
+ # Log dropped packets.
+ NFLOG nflog-group 1;
+ DROP;
+ }
+ }
+}
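Review bot: `@def $DEV_LOOPBACK = lo0;` on line 36 is the BSD loopback name; on the Linux host this ruleset targets (ens3, /sbin/modprobe, NFLOG) the device is `lo`, so `interface $DEV_LOOPBACK ACCEPT;` in the ip6 INPUT chain never matches and IPv6 loopback traffic is dropped despite the comment saying it is allowed. The ip6 OUTPUT chain has no loopback rule at all, so even with the name corrected ::1 traffic would still be rejected on egress. Suggest `@def $DEV_LOOPBACK = lo;` plus `outerface $DEV_LOOPBACK ACCEPT;` under ip6 OUTPUT, or remove the ip6 loopback rule and its comment if blocking all IPv6 is the intent. Note also that the IPv4 chains admit loopback by address (`daddr`/`saddr $NET_LOOPBACK`) rather than by interface, which accepts any packet carrying a 127/8 address on any interface; `interface $DEV_LOOPBACK` would be the tighter and more consistent match.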
diff --git a/share/provision/files/njalla/etc/openvpn/ipredator.conf b/share/provision/files/njalla/etc/openvpn/ipredator.conf
new file mode 100644
index 0000000..439f31b
--- /dev/null
+++ b/share/provision/files/njalla/etc/openvpn/ipredator.conf
@@ -0,0 +1,94 @@
+# VER: 0.25
+client
+dev tun0
+proto udp
+remote pw.openvpn.ipredator.se 1194
+remote pw.openvpn.ipredator.me 1194
+remote pw.openvpn.ipredator.es 1194
+resolv-retry infinite
+nobind
+
+#auth-user-pass /etc/openvpn/IPredator.auth
+auth-user-pass /etc/openvpn/ipredator.auth
+auth-retry nointeract
+
+ca [inline]
+
+tls-client
+tls-auth [inline]
+ns-cert-type server
+remote-cert-tls server
+remote-cert-ku 0x00e0
+
+keepalive 10 30
+cipher AES-256-CBC
+persist-key
+comp-lzo
+tun-mtu 1500
+mssfix 1200
+passtos
+verb 3
+replay-window 512 60
+mute-replay-warnings
+ifconfig-nowarn
+
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+
+# Disable this if your system does not support it!
+tls-version-min 1.2
+
+<ca>
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+</ca>
+
+<tls-auth>
+-----BEGIN OpenVPN Static key V1-----
+03f7b2056b9dc67aa79c59852cb6b35a
+a3a15c0ca685ca76890bbb169e298837
+2bdc904116f5b66d8f7b3ea6a5ff05cb
+fc4f4889d702d394710e48164b28094f
+a0e1c7888d471da39918d747ca4bbc2f
+285f676763b5b8bee9bc08e4b5a69315
+d2ff6b9f4b38e6e2e8bcd05c8ac33c5c
+56c4c44dbca35041b67e2374788f8977
+7ad4ab8e06cd59e7164200dfbadb942a
+351a4171ab212c23bee1920120f81205
+efabaa5e34619f13adbe58b6c83536d3
+0d34e6466feabdd0e63b39ad9bb1116b
+37fafb95759ab9a15572842f70e7cba9
+69700972a01b21229eba487745c091dd
+5cd6d77bdc7a54a756ffe440789fd39e
+97aa9abe2749732b7262f82e4097bee3
+-----END OpenVPN Static key V1-----
+</tls-auth>
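Review bot: `ns-cert-type server` and `remote-cert-tls server` express the same server-certificate check, and `ns-cert-type` was deprecated in OpenVPN 2.4 and removed in 2.5, so on current releases this file fails to parse and the client will not start; drop the `ns-cert-type server` line and keep `remote-cert-tls server`. `comp-lzo` enables link compression, which OpenVPN has deprecated because compressing attacker-influenced content together with secrets lets ciphertext size act as an oracle (the VORACLE class); unless the server insists on it, remove the line. The credentials path `auth-user-pass /etc/openvpn/ipredator.auth` is correctly not part of this commit, but the provisioning side should document that the file must be mode 0600 and root-owned, e.g. a comment `# ipredator.auth holds the login; keep it root-owned and mode 0600.` above that line.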
diff --git a/share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules b/share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules
new file mode 100644
index 0000000..64d8bd1
--- /dev/null
+++ b/share/provision/files/njalla/etc/udev/rules.d/81-vpn-firewall.rules
@@ -0,0 +1,2 @@
+KERNEL=="tun0", ACTION=="add", RUN+="/usr/local/bin/fermreload.sh add"
+KERNEL=="tun0", ACTION=="remove", RUN+="/usr/local/bin/fermreload.sh remove"
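Review bot: Both rules match on `KERNEL=="tun0"` alone without a `SUBSYSTEM=="net"` qualifier, so they are evaluated against every subsystem's events carrying that kernel name; prefixing each line with `SUBSYSTEM=="net", ` scopes them to network-interface events only. Since the `add` and `remove` cases both trigger the same reload, the two lines could also be collapsed to `SUBSYSTEM=="net", KERNEL=="tun0", ACTION=="add|remove", RUN+="/usr/local/bin/fermreload.sh $env{ACTION}"`, which preserves the script's argument contract.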
diff --git a/share/provision/files/njalla/usr/local/bin/fermreload.sh b/share/provision/files/njalla/usr/local/bin/fermreload.sh
new file mode 100755
index 0000000..cebf7cc
--- /dev/null
+++ b/share/provision/files/njalla/usr/local/bin/fermreload.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# fermreload.sh
+# V: 0.1
+#
+# Reloads the ferm firewall ruleset and is invoked by
+# the udev via /etc/udev/rules.d/81-vpn-firewall.rules.
+#
+# IPredator 2014
+# Released under the Kopimi license.
+#
+# Blog post: https://blog.ipredator.se/linux-firewall-howto.html
+#
+
+LOGGER=/usr/bin/logger
+LOGGER_TAG=$0
+
+UDEV_ACTION=$1
+
+FERM=/usr/sbin/ferm
+FERM_CONF=/etc/ferm/ferm.conf
+
+MSG_FW_RULE_ADD="Adding VPN firewall rules."
+MSG_FW_RULE_REMOVE="Removing VPN firewall rules."
+MSG_UDEV_ACTION_UNKNOWN="Unknown udev action."
+
+case "$UDEV_ACTION" in
+ add)
+ $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_ADD
+ $FERM $FERM_CONF
+ ;;
+ remove)
+ $LOGGER -t $LOGGER_TAG $MSG_FW_RULE_REMOVE
+ $FERM $FERM_CONF
+ ;;
+ *)
+ $LOGGER -t $LOGGER_TAG $MSG_UDEV_ACTION_UNKNOWN
+ exit 1
+esac
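Review bot: The exit status of `$FERM $FERM_CONF` on lines 314 and 318 is ignored, so a failed reload (parse error, missing module, iptables failure) is invisible: the script exits 0 under udev and the only syslog line says the rules were added. Because this script is what gates traffic onto the VPN interface, a non-zero exit from ferm should be logged and propagated. The variable expansions are also unquoted; `$MSG_FW_RULE_ADD` is only correct because logger re-joins the split words, so quote them. The two branches differ only in the message, so the ferm call can be hoisted after the `case` and checked once, as below.
```shell
case "$UDEV_ACTION" in
    add)    "$LOGGER" -t "$LOGGER_TAG" "$MSG_FW_RULE_ADD" ;;
    remove) "$LOGGER" -t "$LOGGER_TAG" "$MSG_FW_RULE_REMOVE" ;;
    *)
        "$LOGGER" -t "$LOGGER_TAG" "$MSG_UDEV_ACTION_UNKNOWN"
        exit 1
        ;;
esac

# A non-zero exit from ferm means the intended ruleset was not applied;
# under udev nobody is watching stdout, so surface it in syslog and fail.
"$FERM" "$FERM_CONF"
status=$?
if [ "$status" -ne 0 ]; then
    "$LOGGER" -t "$LOGGER_TAG" "ferm reload failed (exit status $status)."
    exit "$status"
fi
```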