# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#
#  V: 0.1
#
#  ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
#  Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
#

# Really make sure that these modules exist and are loaded.
@hook pre "/sbin/modprobe nf_conntrack_ftp";
@hook pre "/sbin/modprobe nfnetlink_log";

# Network interfaces.
#@def $DEV_LAN = eth0;
@def $DEV_LAN = ens3;
@def $DEV_LOOPBACK = lo0;
@def $DEV_VPN = tun0;

# Network definition for the loopback device. This is needed to allow
# DNS resolution on Ubuntu Linux where the local resolver is bound
# to 127.0.1.1 - as opposed to the default 127.0.0.1.
@def $NET_LOOPBACK = 127.0.0.0/8;

# Common application ports.
@def $PORT_DNS = 53;
@def $PORT_FTP = ( 20 21 );
@def $PORT_NTP = 123;
@def $PORT_SSH = 22;
@def $PORT_WEB = ( 80 443 );

# The ports we allow OpenVPN to connect to. IPredator allows you
# to connect on _any_ port. Simply add more ports if desired but
# stick to only those that you really need.
@def $PORT_OPENVPN = (1194 1234 1337 2342 5060);

# See https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html
# Ports Transmission is allowed to use.
@def $PORT_TRANSMISSION = 16384:65535;

# Public DNS servers and those that are only reachable via VPN.
# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
# (https://www.dnsleaktest.com/). The public DNS servers configured on your
# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
# but you need to verify this.
#
@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32);

# Add your ISP name server to this object if you want to restrict 
# which DNS servers can be queried.
@def $IP_DNS_PUBLIC = 0.0.0.0/0;

# DNS server available within the VPN.
@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 );

# Make sure to use the proper VPN interface (e.g. tun0 in this case).
# Note: You cannot reference $DEV_VPN here, substition does not take
#       place for commands passed to a sub shell.
@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`;

# VPN interface conditional. If true the following rules are loaded.
@if $VPN_ACTIVE {
    domain ip {
        table filter {
            chain INPUT {
                interface $DEV_VPN {
                    proto (tcp udp) dport $PORT_TRANSMISSION ACCEPT;
                }
            }
            chain OUTPUT {
                # Default allowed outbound services on the VPN interface.
                # If you need more simply add your rules here.
                outerface $DEV_VPN {
                    proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
                    proto tcp dport $PORT_FTP ACCEPT;
                    proto udp dport $PORT_NTP ACCEPT;
                    proto tcp dport $PORT_SSH ACCEPT;
                    proto (tcp udp) sport $PORT_TRANSMISSION ACCEPT;
                    proto tcp dport $PORT_WEB ACCEPT;
                }
            }
        }
    }
}

# The main IPv4 rule set.
domain ip {
    table filter {
        chain INPUT {
            # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
            policy DROP;

            # Connection tracking.
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Allow local traffic to loopback interface.
            daddr $NET_LOOPBACK ACCEPT;
 
            # Allow inbound SSH on your LAN interface _only_.
            interface $DEV_LAN {
                proto tcp dport $PORT_SSH ACCEPT;
            }

            # Respond to ping ... makes debugging easier.
            proto icmp icmp-type echo-request ACCEPT;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }

        chain OUTPUT {
            policy DROP;

            # Connection tracking.
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Allow local traffic from the loopback interface.
            saddr $NET_LOOPBACK ACCEPT;
  
            # Respond to ping.
            proto icmp icmp-type echo-request ACCEPT;

            # Allowed services on the LAN interface.
            outerface $DEV_LAN {
                proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
                proto udp dport $PORT_NTP ACCEPT;
                proto (tcp udp) dport $PORT_OPENVPN ACCEPT;
                proto tcp dport $PORT_SSH ACCEPT;
            }

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }

        chain FORWARD {
            policy DROP;

            # If you use your machine to route traffic eg. 
            # from a VM you have to add rules here!

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
    }
}

# IPv6 is generally disabled, communication on the loopback device is allowed.
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;

            # Allow local traffic.
            interface $DEV_LOOPBACK ACCEPT;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
        chain OUTPUT {
            policy DROP;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
        chain FORWARD {
            policy DROP;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
    }
}