# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# This file only has an IPv4 ("domain ip", ferm's default) ruleset; the
# "domain ip6" section at the very end is commented out.
#
# Interfaces, named by role. How the rules below treat each one:
#   $DEV_ADM   - administration side; the only interface that accepts SSH
#   $DEV_DMZ   - DMZ; may be forwarded out $DEV_WORLD, receives forwarded HTTP
#   $DEV_WORLD - upstream side; the interface that DNAT/SNAT is tied to
#   $DEV_VPN   - defined but not referenced by any rule in this file
#   $DEV_LINK  - IPsec peer link (IKE/ESP/AH accepted on INPUT);
#                forwarded under the same policy as $DEV_DMZ
@def $DEV_ADM = enp0s3;
@def $DEV_DMZ = enp0s8;
@def $DEV_WORLD = enp0s9;
@def $DEV_VPN = enp0s10;
@def $DEV_LINK = enp0s16;

# Network prefixes. NOTE(review): only $NET_LINK is referenced by a rule in
# this file (nat POSTROUTING). $NET_ADM, $NET_DMZ, $NET_WORLD and $NET_LINKV
# are unused here — they may be consumed by the @include'd script output
# below, so confirm before removing them.
@def $NET_ADM = 192.168.99.0/24;
@def $NET_DMZ = 192.168.100.0/24;
@def $NET_WORLD = 192.168.0.0/24;
@def $NET_LINKV = 192.168.1.0/30;
@def $NET_LINK = 192.168.200.0/24;

# my static IP
#@def $HOST_STATIC =
#
# $HOST_STATIC is not set statically: the trailing '|' inside the quotes
# makes ferm *execute* that path as a program (with ferm's own privileges,
# typically root) at load time and parse whatever it prints as configuration.
# Presumably the script emits the @def for $HOST_STATIC — confirm against
# the script. Consequences worth knowing:
#   - whoever can modify that file controls the whole ruleset; keep its
#     permissions as tight as this file's.
#   - if the script fails or prints nothing, $HOST_STATIC stays undefined and
#     ferm should refuse the ruleset as a whole (fail closed, nothing loaded)
#     rather than load a partial one — verify this on the target ferm version.
@include '/root/tools/ansible/gsb/roles/r-ext/files/mkferm |';

# DMZ gateway address ("passerelle" = gateway). Disabled; only referenced by
# the disabled &FORWARD macro below.
#@def $HOST_PASSERELLEDMZ = 172.16.0.1;

# &FORWARD_TCP($proto, $port, $dest): publish a DMZ service on $HOST_STATIC.
#   $proto - L4 protocol keyword; despite the macro's name nothing restricts
#            it to tcp
#   $port  - destination port (number or service name)
#   $dest  - DMZ host that receives the redirected traffic
# Emits two rules: filter/FORWARD accepts the redirected flow from $DEV_WORLD
# into $DEV_DMZ (matched on the post-DNAT address $dest), and nat/PREROUTING
# DNATs packets arriving on $DEV_WORLD for $HOST_STATIC:$port to $dest.
# The DNAT rule carries no source restriction, so the published service is
# reachable from any address on the $DEV_WORLD side.
# No invocation of this macro is active: every example below is commented out.
@def &FORWARD_TCP($proto, $port, $dest) = {
table filter chain FORWARD interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT;
table nat chain PREROUTING interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest;
}

# Disabled variant for a DMZ -> private hop. NOTE(review): as written it
# references $DEV_PRIVATE, which is not defined anywhere in this file, and
# $HOST_PASSERELLEDMZ, whose @def above is commented out — re-enabling it
# unchanged would not load.
#@def &FORWARD($proto, $port, $dest) = {
# table filter chain FORWARD interface $DEV_DMZ outerface $DEV_PRIVATE daddr $dest proto $proto dport $port ACCEPT;
# table nat chain PREROUTING interface $DEV_DMZ daddr $HOST_PASSERELLEDMZ proto $proto dport $port DNAT to $dest;
#}

# Disabled example invocations (the first one uses the disabled &FORWARD).
#&FORWARD(tcp, 3306, 10.0.0.2);
#&FORWARD_TCP(tcp, http, 192.168.100.254);
#&FORWARD_TCP(tcp, smtp, 192.168.1.3);

# IPv4 filter table. Rules are evaluated top-down within each chain; the
# first match decides, and anything unmatched hits the chain policy.
table filter {
# Traffic addressed to this host itself. Default: silently dropped — there
# is no LOG rule in this chain, so refused connections leave no trace.
chain INPUT {
policy DROP;

# connection tracking: drop malformed/untracked state first, then accept
# anything belonging to a flow that was already allowed
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;

# allow local packet
interface lo ACCEPT;

# respond to ping
# NOTE(review): this accepts *every* ICMP type on *every* interface,
# including $DEV_WORLD, not just echo-request. If only ping is intended,
# narrowing it to `proto icmp icmp-type echo-request ACCEPT;` leaves the
# remaining types under the chain's DROP policy.
proto icmp ACCEPT;

# allow IPsec on the peer link only: IKE (udp/500) plus ESP and AH.
# udp/4500 (NAT traversal) is not opened, so an IPsec peer behind a NAT
# would not negotiate — fine if the link is not NATed; confirm.
interface ($DEV_LINK) {
proto udp dport 500 ACCEPT;
proto (esp ah) ACCEPT;
}

# allow SSH connections, on the admin interface only. There is no source
# address restriction beyond the interface itself.
interface ($DEV_ADM) {
proto tcp dport ssh ACCEPT;
}

# we provide DNS for the internal net (udp+tcp/53 on the world and DMZ
# sides). The same block also opens tcp/http on this host for both
# interfaces — that is a second exposed service, separate from the HTTP
# *forward* into the DMZ handled in chain FORWARD below.
interface ($DEV_WORLD $DEV_DMZ) {
proto (udp tcp) dport domain ACCEPT;
proto (tcp) dport http ACCEPT;
}

}

# Traffic originating from this host: unrestricted.
chain OUTPUT {
policy ACCEPT;

# connection tracking. The ACCEPT below cannot change the outcome with an
# ACCEPT policy and no later DROP; it only short-circuits evaluation.
# INVALID-state drop is disabled for outbound packets.
#mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;

}

# Routed traffic between interfaces. Default: silently dropped. Note that
# the &FORWARD_TCP macro also appends rules to this chain if it is invoked.
chain FORWARD {
policy DROP;

# connection tracking: reply traffic for any accepted flow is allowed here,
# so the rules below only need to cover the direction that opens a flow
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;

# the DMZ (and the IPsec link) may only access the internet: anything
# entering on these two interfaces is accepted solely when it leaves via
# $DEV_WORLD; any other destination interface (e.g. $DEV_ADM) is refused.
interface ($DEV_DMZ $DEV_LINK) {
outerface $DEV_WORLD ACCEPT;
# report failure gracefully (explicit REJECT instead of the silent policy)
REJECT reject-with icmp-net-prohibited;
}

# from the world side only tcp/http into the DMZ is allowed; everything
# else from $DEV_WORLD is refused. Traffic arriving on $DEV_ADM or $DEV_VPN
# matches no rule here and falls through to the DROP policy.
interface ($DEV_WORLD) {
proto tcp dport http outerface $DEV_DMZ ACCEPT;
# report failure gracefully
REJECT reject-with icmp-net-prohibited;
}
}
}

# IPv4 nat table. PREROUTING rules come only from &FORWARD_TCP (currently
# not invoked), so POSTROUTING is the only active NAT.
table nat {
chain POSTROUTING {
# masquerade private IP addresses — strictly, a fixed-address SNAT (not
# MASQUERADE): traffic from $NET_LINK leaving on $DEV_WORLD is rewritten to
# $HOST_STATIC, the address provided by the @include'd script; replies only
# come back if that address is actually bound to this host on $DEV_WORLD.
# NOTE(review): only $NET_LINK is rewritten. DMZ hosts that chain FORWARD
# lets out on $DEV_WORLD keep their $NET_DMZ source addresses — confirm the
# upstream side routes $NET_DMZ back here, or extend the saddr list.
saddr ($NET_LINK) outerface $DEV_WORLD SNAT to $HOST_STATIC;
}
}

# IPv6:
# NOTE(review): the whole ip6 domain is commented out, so this file installs
# no IPv6 rules at all — IPv6 traffic is subject to whatever the kernel's
# ip6tables default policies are (typically ACCEPT) and bypasses every
# restriction above. Either disable IPv6 on these interfaces, filter it
# elsewhere, or fill in this skeleton with at least the same INPUT/FORWARD
# DROP policies.
#domain ip6 {
# table filter {
# chain INPUT {
# policy ACCEPT;
# # ...
# }
# # ...
# }
#}