# -*- shell-script -*-## Configuration file for ferm(1).#table nat {

1. # -*- shell-script -*-
2. #
3. # Configuration file for ferm(1).
4. #
5.  
6. table nat {
7. chain ( PREROUTING INPUT OUTPUT ) { policy ACCEPT; }
8. chain POSTROUTING {
9. policy ACCEPT;
10. proto ( tcp udp ) saddr 192.168.122.0/24 daddr ! 192.168.122.0/24 MASQUERADE to-ports 1024-65535;
11. saddr 192.168.122.0/24 daddr ! 192.168.122.0/24 MASQUERADE;
12. saddr 192.168.0.0/24 daddr ! 192.168.0.0/24 MASQUERADE;
13. outerface tap0 MASQUERADE;
14. }
15. }
16.  
17. table mangle {
18. chain ( PREROUTING INPUT FORWARD OUTPUT POSTROUTING ) { policy ACCEPT ; }
19. }
20.  
21.  
22. ##blackhole ipset hash generation/handling.
23. @hook pre 'ipset -exist create blackhole hash:ip timeout 180';
24. @hook flush 'ipset flush blackhole';
25.  
26. ##proxies ipset hash generation/handling.
27. @hook pre 'ipset -exist create proxies hash:ip,port';
28. @hook pre 'ipset flush proxies ; echo "172.20.28.15,80 172.20.28.15,443 172.20.28.16,80 172.20.28.16,443" | xargs -d" " -P4 -I{} echo "add proxies {}" | ipset - 1>dev/null';
29. @hook flush 'ipset flush proxies';
30.  
31. ##spammers ipset hash generation/handling.
32. @hook pre 'ipset -exist create spammers hash:net';
33. @hook pre 'ipset flush spammers ; cat /etc/spammers | xargs -d"\n" -P4 -I{} echo "add spammers {}" | ipset - 1>/dev/null';
34. @hook flush 'ipset flush spammers';
35.  
36.  
37. ##trustnets ipset hash generation/handling.
38. @hook pre 'ipset -exist create trustout hash:net';
39. @hook pre 'ipset -exist create trustin hash:net';
40. @hook pre 'ipset flush trustout ; echo "192.168.0.0/24 192.168.1.0/24 192.168.122.0/24 172.20.55.130 127.0.0.1/32" | xargs -d" " -P4 -I{} echo "add trustout {}" | ipset - 1>/dev/null';
41. @hook pre 'ipset flush trustin ; echo "192.168.0.0/24 192.168.1.0/24 192.168.122.0/24 172.20.55.204 172.20.55.65 172.21.10.108 172.20.55.179" | xargs -d" " -P4 -I{} echo "add trustin {}" | ipset - 1>/dev/null';
42. @hook flush 'ipset flush trustout';
43. @hook flush 'ipset flush trustin';
44.  
45. ##trustforwards ipset hash generation/handling.
46. @hook pre 'ipset -exist create trustforward hash:net';
47. @hook pre 'ipset flush trustforward ; echo "192.168.122.0/24 192.168.1.0/24 192.168.0.0/24 10.0.0.0/24 10.0.3.0/24 172.20.55.65/32 172.20.55.130/32 172.21.10.108/32 172.20.55.204/32 172.20.55.179/32" | xargs -d" " -P4 -I{} echo "add trustforward {}" | ipset - 1>/dev/null';
48. @hook flush 'ipset flush trustforward';
49.  
50. ##fileport/filenet ipset handling/generation.
51. @hook pre 'ipset -exist create fileport bitmap:port range 0-10000';
52. @hook pre 'ipset flush fileport; echo "873 2049" | xargs -d" " -P4 -I{} echo "add fileport {}" | ipset - 1>/dev/null;';
53. @hook flush 'ipset flush fileport';
54. @hook pre 'ipset -exist create filenet hash:net';
55. @hook pre 'ipset flush filenet; echo "172.20.20.161/32 192.168.122.0/24 192.168.1.0/24" | xargs -d" " -P4 -I{} echo "add filenet {}" | ipset - 1>/dev/null;';
56. @hook flush 'ipset flush filenet';
57.  
58. table filter {
59.  
60. chain INPUT {
61. policy DROP;
62.  
63. # connection tracking
64. mod state state INVALID DROP;
65. mod state state (ESTABLISHED RELATED) ACCEPT;
66.  
67. # allow local packet
68. interface ( lo virbr0 tap0 wlan0 ) ACCEPT;
69.  
70. proto all {
71. mod set set trustin src ACCEPT;
72. mod set set blackhole src DROP;
73. saddr ( 172.20.22.78 172.20.22.79 ) DROP;
74. }
75.  
76. proto all mod set set spammers src @subchain "SPAMMERS" {
77. LOG log-prefix "Blocked-IP per rule $LINE: " log-level warning;
78. DROP;
79. }
80.  
81.  
82. # respond to ping
83. proto icmp ACCEPT;
84.  
85. # allow IPsec
86. proto udp dport 500 ACCEPT;
87. LOG log-prefix "IPSec connection event: " log-level warning proto (esp ah);
88. proto (esp ah) ACCEPT;
89.  
90. # enable services
91. proto tcp {
92. # Restrict unknown hosts to no more than 8 ssh attempts every three minutes.
93. dport ssh @subchain SSH-ALL {
94. mod recent name SSH {
95. set NOP;
96. update seconds 180 hitcount 8 @subchain SSH-BLOCKED {
97. LOG log-prefix "Blocked-ssh per rule $LINE: " log-level warning;
98. SET add-set blackhole src;
99. DROP;
100. }
101. }
102. LOG log-prefix "Accepted-ssh per rule $LINE: " log-level warning;
103. ACCEPT;
104. }
105. dport ( domain http https ) ACCEPT;
106. mod set set filenet src @subchain FILETRANSFER {
107. mod set set fileport dst ACCEPT;
108. RETURN;
109. }
110. sport ( ldap ldaps ) ACCEPT;
111. mod set set proxies src ACCEPT;
112. }
113.  
114. proto udp {
115. mod set set trustout dst @subchain TRUSTIN-UDP {
116. dport domain ACCEPT;
117. mod set set fileport src ACCEPT;
118. RETURN;
119. }
120. }
121. }
122. chain OUTPUT {
123. policy ACCEPT;
124.  
125. # connection tracking
126. #mod state state INVALID DROP;
127. mod state state (ESTABLISHED RELATED) ACCEPT;
128.  
129. # Trusted Private
130. proto all {
131. mod set set trustout src ACCEPT;
132. mod set set trustin src @subchain TRUSTIN-OUTPUT {
133. mod set set trustout dst ACCEPT;
134. RETURN;
135. }
136. mod set set trustout dst ACCEPT;
137. }
138. proto tcp {
139. LOG log-prefix "Accept-DNS out: rule $LINE: " log-level warning dport domain ;
140. dport ( ssh smtp http https ldap ldaps domain ) ACCEPT;
141. sport ( http https ) ACCEPT;
142. }
143. proto udp {
144. LOG log-prefix "Accept-DNS out: rule $LINE: " log-level warning dport domain;
145. dport domain ACCEPT ;
146. }
147. }
148. chain FORWARD {
149. policy DROP;
150.  
151. # connection tracking
152. mod state state INVALID DROP;
153. mod state state (ESTABLISHED RELATED) ACCEPT;
154.  
155. saddr ( 172.20.22.78 172.20.22.79 ) DROP;
156. mod set set trustforward src @subchain TRUSTFORWARDS {
157. mod set set trustforward dst ACCEPT;
158. RETURN;
159. }
160. proto tcp {
161. mod set set proxies src ACCEPT;
162. mod set set proxies dst ACCEPT;
163. RETURN;
164. }
165. }
166. }