aboutsummaryrefslogtreecommitdiff
path: root/share/provision/files/ipredator/etc/ferm/ferm.conf
blob: d7b97a3d984f212ae4568392df08533863e40736 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#
#  V: 0.1
#
#  ferm manual: http://ferm.foo-projects.org/download/2.2/ferm.html
#  Blog post:   https://blog.ipredator.se/linux-firewall-howto.html
#

# Really make sure that these modules exist and are loaded.
@hook pre "/sbin/modprobe nf_conntrack_ftp";
@hook pre "/sbin/modprobe nfnetlink_log";

# Network interfaces.
#@def $DEV_LAN = eth0;
@def $DEV_LAN = ens3;
@def $DEV_LOOPBACK = lo0;
@def $DEV_VPN = tun0;

# Network definition for the loopback device. This is needed to allow
# DNS resolution on Ubuntu Linux where the local resolver is bound
# to 127.0.1.1 - as opposed to the default 127.0.0.1.
@def $NET_LOOPBACK = 127.0.0.0/8;

# Common application ports.
@def $PORT_DNS = 53;
@def $PORT_FTP = ( 20 21 );
@def $PORT_NTP = 123;
@def $PORT_SSH = 22;
@def $PORT_WEB = ( 80 443 );

# The ports we allow OpenVPN to connect to. IPredator allows you
# to connect on _any_ port. Simply add more ports if desired but
# stick to only those that you really need.
@def $PORT_OPENVPN = (1194 1234 1337 2342 5060);

# Public DNS servers and those that are only reachable via VPN.
# DNS servers are specified in the outbound DNS rules to prevent DNS leaks
# (https://www.dnsleaktest.com/). The public DNS servers configured on your
# system should be the IPredator ones (https://www.ipredator.se/page/services#service_dns),
# but you need to verify this.
#
@def $IP_DNS_IPR_PUBLIC = (194.132.32.32/32 46.246.46.246/32);

# Add your ISP name server to this object if you want to restrict 
# which DNS servers can be queried.
@def $IP_DNS_PUBLIC = 0.0.0.0/0;

# DNS server available within the VPN.
@def $IP_DNS_VPN = ( 46.246.46.46/32 194.132.32.23/32 );

# Make sure to use the proper VPN interface (e.g. tun0 in this case).
# Note: You cannot reference $DEV_VPN here, substition does not take
#       place for commands passed to a sub shell.
@def $VPN_ACTIVE = `ip link show tun0 >/dev/null 2>/dev/null && echo 1 || echo`;

# VPN interface conditional. If true the following rules are loaded.
@if $VPN_ACTIVE {
    domain ip {
        table filter {
            chain OUTPUT {
                # Default allowed outbound services on the VPN interface.
                # If you need more simply add your rules here.
                outerface $DEV_VPN {
                    proto (tcp udp) daddr ( $IP_DNS_VPN $IP_DNS_IPR_PUBLIC ) dport $PORT_DNS ACCEPT;
                    proto tcp dport $PORT_FTP ACCEPT;
                    proto udp dport $PORT_NTP ACCEPT;
                    proto tcp dport $PORT_SSH ACCEPT;
                    proto tcp dport $PORT_WEB ACCEPT;
                }
            }
        }
    }
}

# The main IPv4 rule set.
domain ip {
    table filter {
        chain INPUT {
            # The default policy for the chain. Usually ACCEPT or DROP or REJECT.
            policy DROP;

            # Connection tracking.
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Allow local traffic to loopback interface.
            daddr $NET_LOOPBACK ACCEPT;
 
            # Allow inbound SSH on your LAN interface _only_.
            interface $DEV_LAN {
                proto tcp dport $PORT_SSH ACCEPT;
            }

            # Respond to ping ... makes debugging easier.
            proto icmp icmp-type echo-request ACCEPT;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }

        chain OUTPUT {
            policy DROP;

            # Connection tracking.
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Allow local traffic from the loopback interface.
            saddr $NET_LOOPBACK ACCEPT;
  
            # Respond to ping.
            proto icmp icmp-type echo-request ACCEPT;

            # Allowed services on the LAN interface.
            outerface $DEV_LAN {
                proto (tcp udp) daddr $IP_DNS_PUBLIC dport $PORT_DNS ACCEPT;
                proto udp dport $PORT_NTP ACCEPT;
                proto (tcp udp) dport $PORT_OPENVPN ACCEPT;
                proto tcp dport $PORT_SSH ACCEPT;
            }

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }

        chain FORWARD {
            policy DROP;

            # If you use your machine to route traffic eg. 
            # from a VM you have to add rules here!

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
    }
}

# IPv6 is generally disabled, communication on the loopback device is allowed.
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;

            # Allow local traffic.
            interface $DEV_LOOPBACK ACCEPT;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
        chain OUTPUT {
            policy DROP;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
        chain FORWARD {
            policy DROP;

            # Log dropped packets.
            NFLOG nflog-group 1;
            DROP;
        }
    }
}