Add support for Tor-ified traffic.

6 files changed, 164 insertions, 0 deletions

diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
new file mode 100644
index 0000000..f6e62d8
--- /dev/null
+++ b/manifests/rules/torify.pp
@@ -0,0 +1,29 @@
+# shorewall::rules::torify
+#
+# Note: shorewall::rules::torify cannot be used several times with the
+# same user listed in the $users array. This restriction applies to
+# using this define multiple times without providing a $users
+# parameter.
+#
+# Parameters:
+#
+# - users: every element of this array must be valid in shorewall
+#   rules user/group column.
+# - destinations: every element of this array must be valid in
+#   shorewall rules original destination column.
+
+define shorewall::rules::torify(
+  $users        = ['-'],
+  $destinations = ['-'],
+  $allow_rfc1918 = true
+){
+
+  $originaldest = join($destinations,',')
+
+  shorewall::rules::torify::user {
+    $users:
+      originaldest  => $originaldest,
+      allow_rfc1918 => $allow_rfc1918;
+  }
+
+}
diff --git a/manifests/rules/torify/allow_tor_transparent_proxy.pp b/manifests/rules/torify/allow_tor_transparent_proxy.pp
new file mode 100644
index 0000000..3c18db6
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_transparent_proxy.pp
@@ -0,0 +1,21 @@
+class shorewall::rules::torify::allow_tor_transparent_proxy {
+
+  $rule = "allow-tor-transparent-proxy"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    # A weirdness in shorewall forces us to explicitly allow traffic to
+    # net:$tor_transparent_proxy_host:$tor_transparent_proxy_port even
+    # if $FW->$FW traffic is allowed. This anyway avoids us special-casing
+    # the remote Tor transparent proxy situation.
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => "net:${shorewall::tor_transparent_proxy_host}",
+        proto           => 'tcp',
+        destinationport => $shorewall::tor_transparent_proxy_port,
+        order           => 100,
+        action          => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+  $whitelist_rule = "allow-from-tor-user"
+  if !defined(Shorewall::Rule["$whitelist_rule"]) {
+    shorewall::rule {
+      "$whitelist_rule":
+        source      => '$FW',
+        destination => 'all',
+        user        => $shorewall::tor_user,
+        order       => 101,
+        action      => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
new file mode 100644
index 0000000..2bee658
--- /dev/null
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -0,0 +1,40 @@
+define shorewall::rules::torify::redirect_tcp_to_tor(
+  $user = '-',
+  $originaldest = '-'
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "redirect-to-tor-user=${user}-to=${originaldest_sha1}"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+
+    $originaldest_real = $originaldest ? {
+      '-'     => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+      default => $originaldest,
+    }
+
+    $user_real = $user ? {
+      '-'     => "!${shorewall::tor_user}",
+      default => $user,
+    }
+
+    $destzone = $shorewall::tor_transparent_proxy_host ? {
+      '127.0.0.1' => '$FW',
+      default     => 'net'
+    }
+    
+    shorewall::rule {
+      "$rule":
+        source       => '$FW',
+        destination  => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
+        proto        => 'tcp:syn',
+        originaldest => $originaldest_real,
+        user         => $user_real,
+        order        => 110,
+        action       => 'DNAT';
+    }
+
+  }
+
+}
diff --git a/manifests/rules/torify/reject_non_tor.pp b/manifests/rules/torify/reject_non_tor.pp
new file mode 100644
index 0000000..80240ec
--- /dev/null
+++ b/manifests/rules/torify/reject_non_tor.pp
@@ -0,0 +1,32 @@
+define shorewall::rules::torify::reject_non_tor(
+  $user = '-',
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "reject-non-tor-from-${user}-to=${originaldest_sha1}"
+
+  if $originaldest == '-' {
+    $originaldest_real = $allow_rfc1918 ? {
+      false   => '!127.0.0.1',
+      default => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+    }
+  } else {
+    $originaldest_real = $originaldest
+  }
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => 'all',
+        originaldest    => $originaldest_real,
+        user            => $user,
+        order           => 120,
+        action          => 'REJECT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
new file mode 100644
index 0000000..5caccfd
--- /dev/null
+++ b/manifests/rules/torify/user.pp
@@ -0,0 +1,27 @@
+define shorewall::rules::torify::user(
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  $user = $name
+
+  include shorewall::rules::torify::allow_tor_transparent_proxy
+
+  if $originaldest == '-' and $user == '-' {
+    include shorewall::rules::torify::allow_tor_user
+  }
+
+  shorewall::rules::torify::redirect_tcp_to_tor {
+    "redirect-to-tor-user=${user}-to=${originaldest}":
+      user         => $user,
+      originaldest => $originaldest
+  }
+
+  shorewall::rules::torify::reject_non_tor {
+    "reject-non-tor-user=${user}-to=${originaldest}":
+      user          => "$user",
+      originaldest  => $originaldest,
+      allow_rfc1918 => $allow_rfc1918;
+  }
+
+}