diff options
author | intrigeri <intrigeri@boum.org> | 2010-12-17 19:39:44 +0100 |
---|---|---|
committer | intrigeri <intrigeri@boum.org> | 2010-12-17 19:39:44 +0100 |
commit | b39b5c24910f8816c3b9e6d2a0211ad892b36aa6 (patch) | |
tree | e0b7d6044597a4dc4a70c377274bc0075667ea21 /manifests/rules/torify | |
parent | 3691f9c09adbb9dbde9bb945b0f4da0e5a525ced (diff) | |
download | puppet-shorewall-b39b5c24910f8816c3b9e6d2a0211ad892b36aa6.tar.gz puppet-shorewall-b39b5c24910f8816c3b9e6d2a0211ad892b36aa6.tar.bz2 |
Add support for Tor-ified traffic.
Diffstat (limited to 'manifests/rules/torify')
-rw-r--r-- | manifests/rules/torify/allow_tor_transparent_proxy.pp | 21 | ||||
-rw-r--r-- | manifests/rules/torify/allow_tor_user.pp | 15 | ||||
-rw-r--r-- | manifests/rules/torify/redirect_tcp_to_tor.pp | 40 | ||||
-rw-r--r-- | manifests/rules/torify/reject_non_tor.pp | 32 | ||||
-rw-r--r-- | manifests/rules/torify/user.pp | 27 |
5 files changed, 135 insertions, 0 deletions
diff --git a/manifests/rules/torify/allow_tor_transparent_proxy.pp b/manifests/rules/torify/allow_tor_transparent_proxy.pp new file mode 100644 index 0000000..3c18db6 --- /dev/null +++ b/manifests/rules/torify/allow_tor_transparent_proxy.pp @@ -0,0 +1,21 @@ +class shorewall::rules::torify::allow_tor_transparent_proxy { + + $rule = "allow-tor-transparent-proxy" + + if !defined(Shorewall::Rule["$rule"]) { + # A weirdness in shorewall forces us to explicitly allow traffic to + # net:$tor_transparent_proxy_host:$tor_transparent_proxy_port even + # if $FW->$FW traffic is allowed. This anyway avoids us special-casing + # the remote Tor transparent proxy situation. + shorewall::rule { + "$rule": + source => '$FW', + destination => "net:${shorewall::tor_transparent_proxy_host}", + proto => 'tcp', + destinationport => $shorewall::tor_transparent_proxy_port, + order => 100, + action => 'ACCEPT'; + } + } + +} diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp new file mode 100644 index 0000000..f44c1f0 --- /dev/null +++ b/manifests/rules/torify/allow_tor_user.pp @@ -0,0 +1,15 @@ +class shorewall::rules::torify::allow_tor_user { + + $whitelist_rule = "allow-from-tor-user" + if !defined(Shorewall::Rule["$whitelist_rule"]) { + shorewall::rule { + "$whitelist_rule": + source => '$FW', + destination => 'all', + user => $shorewall::tor_user, + order => 101, + action => 'ACCEPT'; + } + } + +} diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp new file mode 100644 index 0000000..2bee658 --- /dev/null +++ b/manifests/rules/torify/redirect_tcp_to_tor.pp @@ -0,0 +1,40 @@ +define shorewall::rules::torify::redirect_tcp_to_tor( + $user = '-', + $originaldest = '-' +){ + + # hash the destination as it may contain slashes + $originaldest_sha1 = sha1($originaldest) + $rule = "redirect-to-tor-user=${user}-to=${originaldest_sha1}" + + if !defined(Shorewall::Rule["$rule"]) { + + $originaldest_real = $originaldest ? { + '-' => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16', + default => $originaldest, + } + + $user_real = $user ? { + '-' => "!${shorewall::tor_user}", + default => $user, + } + + $destzone = $shorewall::tor_transparent_proxy_host ? { + '127.0.0.1' => '$FW', + default => 'net' + } + + shorewall::rule { + "$rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", + proto => 'tcp:syn', + originaldest => $originaldest_real, + user => $user_real, + order => 110, + action => 'DNAT'; + } + + } + +} diff --git a/manifests/rules/torify/reject_non_tor.pp b/manifests/rules/torify/reject_non_tor.pp new file mode 100644 index 0000000..80240ec --- /dev/null +++ b/manifests/rules/torify/reject_non_tor.pp @@ -0,0 +1,32 @@ +define shorewall::rules::torify::reject_non_tor( + $user = '-', + $originaldest = '-', + $allow_rfc1918 = true +){ + + # hash the destination as it may contain slashes + $originaldest_sha1 = sha1($originaldest) + $rule = "reject-non-tor-from-${user}-to=${originaldest_sha1}" + + if $originaldest == '-' { + $originaldest_real = $allow_rfc1918 ? { + false => '!127.0.0.1', + default => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16', + } + } else { + $originaldest_real = $originaldest + } + + if !defined(Shorewall::Rule["$rule"]) { + shorewall::rule { + "$rule": + source => '$FW', + destination => 'all', + originaldest => $originaldest_real, + user => $user, + order => 120, + action => 'REJECT'; + } + } + +} diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp new file mode 100644 index 0000000..5caccfd --- /dev/null +++ b/manifests/rules/torify/user.pp @@ -0,0 +1,27 @@ +define shorewall::rules::torify::user( + $originaldest = '-', + $allow_rfc1918 = true +){ + + $user = $name + + include shorewall::rules::torify::allow_tor_transparent_proxy + + if $originaldest == '-' and $user == '-' { + include shorewall::rules::torify::allow_tor_user + } + + shorewall::rules::torify::redirect_tcp_to_tor { + "redirect-to-tor-user=${user}-to=${originaldest}": + user => $user, + originaldest => $originaldest + } + + shorewall::rules::torify::reject_non_tor { + "reject-non-tor-user=${user}-to=${originaldest}": + user => "$user", + originaldest => $originaldest, + allow_rfc1918 => $allow_rfc1918; + } + +} |