# -*- shell-script -*- # # Configuration file for ferm(1). # # V: 0.1 # # ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html # Blog post: https://blog.ipredator.se/linux-firewall-howto.html # # Really make sure that these modules exist and are loaded. @hook pre "/sbin/modprobe nf_conntrack_ftp"; @hook pre "/sbin/modprobe nfnetlink_log"; # Network interfaces. #@def $DEV_LAN = eth0; @def $DEV_LAN = ens3; @def $DEV_LOOPBACK = lo0; @def $DEV_VPN = tun0; # Network definition for the loopback device. This is needed to allow # DNS resolution on Ubuntu Linux where the local resolver is bound # to 127.0.1.1 - as opposed to the default 127.0.0.1. @def $NET_LOOPBACK = 127.0.0.0/8; # Common application ports. @def $PORT_DNS = 53; @def $PORT_FTP = ( 20 21 ); @def $PORT_NTP = 123; @def $PORT_SSH = 22; @def $PORT_WEB = ( 80 443 ); # The ports we allow OpenVPN to connect to. IPredator allows you # to connect on _any_ port. Simply add more ports if desired but # stick to only those that you really need. @def $PORT_OPENVPN = (1194 1234 1337 2342 5060); # See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html # Ports Transmission is allowed to use. @def $PORT_TRANSMISSION = 16384:65535; # Public DNS servers and those that are only reachable via VPN. # DNS servers are specified in the outbound DNS rules to prevent DNS leaks # (https://www.dnsleaktest.com/). The public DNS servers configured on your # system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns), # but you need to verify this. # @def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32); # Add your ISP name server to this object if you want to restrict # which DNS servers can be queried. @def $IP_DNS_PUBLIC = 0.0.0.0/0; # DNS server available within the VPN. @def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 ); # Make sure to use the proper VPN interface (e.g. tun0 in this case). # Note: You cannot reference $DEV_VPN here, substition does not take # place for commands passed to a sub shell. @def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`; # VPN interface conditional. If true the following rules are loaded. @if $VPN_ACTIVE { domain ip { table filter { chain INPUT { interface $DEV_VPN { proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT; } } chain OUTPUT { # Default allowed outbound services on the VPN interface. # If you need more simply add your rules here. outerface $DEV_VPN { proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT; proto tcp dport $PORT_FTP ACCEPT; proto udp dport $PORT_NTP ACCEPT; proto tcp dport $PORT_SSH ACCEPT; proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT; proto tcp dport $PORT_WEB ACCEPT; } } } } } # The main IPv4 rule set. domain ip { table filter { chain INPUT { # The default policy for the chain. Usually ACCEPT or DROP or REJECT. policy DROP; # Connection tracking. mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # Allow local traffic to loopback interface. daddr $NET_LOOPBACK ACCEPT; # Allow inbound SSH on your LAN interface _only_. interface $DEV_LAN { proto tcp dport $PORT_SSH ACCEPT; } # Respond to ping ... makes debugging easier. proto icmp icmp-type echo-request ACCEPT; # Log dropped packets. NFLOG nflog-group 1; DROP; } chain OUTPUT { policy DROP; # Connection tracking. mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # Allow local traffic from the loopback interface. saddr $NET_LOOPBACK ACCEPT; # Respond to ping. proto icmp icmp-type echo-request ACCEPT; # Allowed services on the LAN interface. outerface $DEV_LAN { proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT; proto udp dport $PORT_NTP ACCEPT; proto (tcp udp) dport $PORT_OPENVPN ACCEPT; proto tcp dport $PORT_SSH ACCEPT; } # Log dropped packets. NFLOG nflog-group 1; DROP; } chain FORWARD { policy DROP; # If you use your machine to route traffic eg. # from a VM you have to add rules here! # Log dropped packets. NFLOG nflog-group 1; DROP; } } } # IPv6 is generally disabled, communication on the loopback device is allowed. domain ip6 { table filter { chain INPUT { policy DROP; # Allow local traffic. interface $DEV_LOOPBACK ACCEPT; # Log dropped packets. NFLOG nflog-group 1; DROP; } chain OUTPUT { policy DROP; # Log dropped packets. NFLOG nflog-group 1; DROP; } chain FORWARD { policy DROP; # Log dropped packets. NFLOG nflog-group 1; DROP; } } }