From b39b5c24910f8816c3b9e6d2a0211ad892b36aa6 Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Fri, 17 Dec 2010 19:39:44 +0100
Subject: Add support for Tor-ified traffic.

---
 manifests/init.pp                                  | 18 +++++++++-
 manifests/rules/torify.pp                          | 29 ++++++++++++++++
 .../rules/torify/allow_tor_transparent_proxy.pp    | 21 ++++++++++++
 manifests/rules/torify/allow_tor_user.pp           | 15 ++++++++
 manifests/rules/torify/redirect_tcp_to_tor.pp      | 40 ++++++++++++++++++++++
 manifests/rules/torify/reject_non_tor.pp           | 32 +++++++++++++++++
 manifests/rules/torify/user.pp                     | 27 +++++++++++++++
 7 files changed, 181 insertions(+), 1 deletion(-)
 create mode 100644 manifests/rules/torify.pp
 create mode 100644 manifests/rules/torify/allow_tor_transparent_proxy.pp
 create mode 100644 manifests/rules/torify/allow_tor_user.pp
 create mode 100644 manifests/rules/torify/redirect_tcp_to_tor.pp
 create mode 100644 manifests/rules/torify/reject_non_tor.pp
 create mode 100644 manifests/rules/torify/user.pp

(limited to 'manifests')

diff --git a/manifests/init.pp b/manifests/init.pp
index 3e759db..f69a6f2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -5,7 +5,10 @@ class shorewall {
 
   case $operatingsystem {
     gentoo: { include shorewall::gentoo }
-    debian: { include shorewall::debian }
+    debian: {
+      include shorewall::debian
+      $dist_tor_user = 'debian-tor'
+    }
     centos: { include shorewall::base }
     ubuntu: {
     case $lsbdistcodename {
@@ -19,6 +22,19 @@ class shorewall {
     }
   }
 
+  case $tor_transparent_proxy_host {
+    '': { $tor_transparent_proxy_host = '127.0.0.1' }
+  }
+  case $tor_transparent_proxy_port {
+    '': { $tor_transparent_proxy_port = '9040' }
+  }
+  if $tor_user == '' {
+    $tor_user = $dist_tor_user ? {
+      ''      => 'tor',
+      default => $dist_tor_user,
+    }
+  }
+
   file {"/var/lib/puppet/modules/shorewall":
     ensure => directory,
     force => true,
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
new file mode 100644
index 0000000..f6e62d8
--- /dev/null
+++ b/manifests/rules/torify.pp
@@ -0,0 +1,29 @@
+# shorewall::rules::torify
+#
+# Note: shorewall::rules::torify cannot be used several times with the
+# same user listed in the $users array. This restriction applies to
+# using this define multiple times without providing a $users
+# parameter.
+#
+# Parameters:
+#
+# - users: every element of this array must be valid in shorewall
+#   rules user/group column.
+# - destinations: every element of this array must be valid in
+#   shorewall rules original destination column.
+
+define shorewall::rules::torify(
+  $users        = ['-'],
+  $destinations = ['-'],
+  $allow_rfc1918 = true
+){
+
+  $originaldest = join($destinations,',')
+
+  shorewall::rules::torify::user {
+    $users:
+      originaldest  => $originaldest,
+      allow_rfc1918 => $allow_rfc1918;
+  }
+
+}
diff --git a/manifests/rules/torify/allow_tor_transparent_proxy.pp b/manifests/rules/torify/allow_tor_transparent_proxy.pp
new file mode 100644
index 0000000..3c18db6
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_transparent_proxy.pp
@@ -0,0 +1,21 @@
+class shorewall::rules::torify::allow_tor_transparent_proxy {
+
+  $rule = "allow-tor-transparent-proxy"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    # A weirdness in shorewall forces us to explicitly allow traffic to
+    # net:$tor_transparent_proxy_host:$tor_transparent_proxy_port even
+    # if $FW->$FW traffic is allowed. This anyway avoids us special-casing
+    # the remote Tor transparent proxy situation.
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => "net:${shorewall::tor_transparent_proxy_host}",
+        proto           => 'tcp',
+        destinationport => $shorewall::tor_transparent_proxy_port,
+        order           => 100,
+        action          => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+  $whitelist_rule = "allow-from-tor-user"
+  if !defined(Shorewall::Rule["$whitelist_rule"]) {
+    shorewall::rule {
+      "$whitelist_rule":
+        source      => '$FW',
+        destination => 'all',
+        user        => $shorewall::tor_user,
+        order       => 101,
+        action      => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
new file mode 100644
index 0000000..2bee658
--- /dev/null
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -0,0 +1,40 @@
+define shorewall::rules::torify::redirect_tcp_to_tor(
+  $user = '-',
+  $originaldest = '-'
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "redirect-to-tor-user=${user}-to=${originaldest_sha1}"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+
+    $originaldest_real = $originaldest ? {
+      '-'     => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+      default => $originaldest,
+    }
+
+    $user_real = $user ? {
+      '-'     => "!${shorewall::tor_user}",
+      default => $user,
+    }
+
+    $destzone = $shorewall::tor_transparent_proxy_host ? {
+      '127.0.0.1' => '$FW',
+      default     => 'net'
+    }
+    
+    shorewall::rule {
+      "$rule":
+        source       => '$FW',
+        destination  => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
+        proto        => 'tcp:syn',
+        originaldest => $originaldest_real,
+        user         => $user_real,
+        order        => 110,
+        action       => 'DNAT';
+    }
+
+  }
+
+}
diff --git a/manifests/rules/torify/reject_non_tor.pp b/manifests/rules/torify/reject_non_tor.pp
new file mode 100644
index 0000000..80240ec
--- /dev/null
+++ b/manifests/rules/torify/reject_non_tor.pp
@@ -0,0 +1,32 @@
+define shorewall::rules::torify::reject_non_tor(
+  $user = '-',
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "reject-non-tor-from-${user}-to=${originaldest_sha1}"
+
+  if $originaldest == '-' {
+    $originaldest_real = $allow_rfc1918 ? {
+      false   => '!127.0.0.1',
+      default => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+    }
+  } else {
+    $originaldest_real = $originaldest
+  }
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => 'all',
+        originaldest    => $originaldest_real,
+        user            => $user,
+        order           => 120,
+        action          => 'REJECT';
+    }
+  }
+
+}
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
new file mode 100644
index 0000000..5caccfd
--- /dev/null
+++ b/manifests/rules/torify/user.pp
@@ -0,0 +1,27 @@
+define shorewall::rules::torify::user(
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  $user = $name
+
+  include shorewall::rules::torify::allow_tor_transparent_proxy
+
+  if $originaldest == '-' and $user == '-' {
+    include shorewall::rules::torify::allow_tor_user
+  }
+
+  shorewall::rules::torify::redirect_tcp_to_tor {
+    "redirect-to-tor-user=${user}-to=${originaldest}":
+      user         => $user,
+      originaldest => $originaldest
+  }
+
+  shorewall::rules::torify::reject_non_tor {
+    "reject-non-tor-user=${user}-to=${originaldest}":
+      user          => "$user",
+      originaldest  => $originaldest,
+      allow_rfc1918 => $allow_rfc1918;
+  }
+
+}
-- 
cgit v1.2.3