commit e6db93fa4393ade99fee8f1c84ef27f6a5e21d94
parent 734b84c27175f1e26520d196ec905b77f3ce79ad
Author: Leah Thein <leah@toaster.home.ctu.cx>
Date: Sun, 6 Dec 2020 23:32:16 +0100
parent 734b84c27175f1e26520d196ec905b77f3ce79ad
Author: Leah Thein <leah@toaster.home.ctu.cx>
Date: Sun, 6 Dec 2020 23:32:16 +0100
add ferm config for lollo
1 file changed, 88 insertions(+), 0 deletions(-)
A
|
88
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config-files/ferm/ferm-lollo.conf b/config-files/ferm/ferm-lollo.conf
@@ -0,0 +1,87 @@
+# -*- shell-script -*-
+#
+# Ferm example script
+#
+# Firewall configuration for a router with a dynamic IP.
+#
+# Author: Max Kellermann <max@duempel.org>
+#
+
+@def $DEV_LAN = brlan0;
+@def $DEV_WAN = eth0;
+
+@def $NET_LAN = 10.0.0.0/24;
+
+# globally accessible services
+@def $WAN_TCP = ( 22 );
+@def $WAN_UDP = ( 1194 );
+# ( ssh )
+# ( wireguard )
+
+# locally accessible services
+@def $LAN_TCP = ( 53 22 );
+@def $LAN_UDP = ( 53 67 69 123 );
+# ( dns ssh )
+# ( dns dhcp tftp ntp )
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp ACCEPT;
+
+
+ # local services
+ interface ! $DEV_WAN {
+ proto tcp dport $LAN_TCP ACCEPT;
+ proto udp mod multiport destination-ports $LAN_UDP ACCEPT;
+ }
+
+ proto tcp dport $WAN_TCP ACCEPT;
+ proto udp dport $WAN_UDP ACCEPT;
+ }
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # local clients can do whatever
+ interface $DEV_LAN ACCEPT;
+
+
+ proto icmp ACCEPT;
+
+ mod conntrack ctstate DNAT ACCEPT;
+
+ # the rest is dropped by the above policy
+ }
+}
+
+table nat {
+ chain PREROUTING {
+ policy ACCEPT;
+
+ # port forwards, ala daddr $WAN_IP dport 65522 DNAT to 192.168.0.2:22;
+ }
+
+ chain POSTROUTING {
+ policy ACCEPT;
+
+ outerface $DEV_WAN MASQUERADE;
+ saddr $NET_LAN mod conntrack ctstate DNAT MASQUERADE; # needle point loopback
+ }
+}
+
\ No newline at end of file
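Review bot: The file carries no `domain` directive, so ferm applies `table filter` to the `ip` domain only and the INPUT/FORWARD `policy DROP` never reaches ip6tables; if `eth0` has a global IPv6 address the host is filtered there only by whatever policy already exists, so either add an explicit `domain ip6 table filter { chain INPUT policy DROP; ... }` with matching conntrack and `proto ipv6-icmp` rules, or record in a comment that IPv6 is disabled on this box. In INPUT the comment says "respond to ping" but `proto icmp ACCEPT;` admits every ICMP type from the WAN side (replies to our own probes are already covered by the ESTABLISHED/RELATED rule above it); `proto icmp icmp-type echo-request ACCEPT;` matches the stated intent, and the unqualified `proto icmp ACCEPT;` in FORWARD forwards all ICMP types from the WAN into the LAN in the same way. The header still reads `# Ferm example script` with the upstream author; since this is now the lollo-specific config it should say so, e.g. `# Firewall configuration for lollo (router, dynamic WAN IP on eth0, LAN on brlan0)`.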