# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

table nat {
    # No DNAT / port-forwarding rules: these chains are declared only so ferm
    # manages them with an explicit ACCEPT policy.
    chain ( PREROUTING INPUT OUTPUT ) { policy ACCEPT; }
    chain POSTROUTING {
  policy ACCEPT;
  # 192.168.122.0/24 leaving its own subnet: TCP/UDP are masqueraded with the
  # source port rewritten into 1024-65535, every other protocol is masqueraded
  # as-is.  The nested block expands to the same three rules, in the same order.
  saddr 192.168.122.0/24 daddr ! 192.168.122.0/24 {
    proto ( tcp udp ) MASQUERADE to-ports 1024-65535;
    MASQUERADE;
  }
  # 192.168.0.0/24 leaving its own subnet.
  saddr 192.168.0.0/24 daddr ! 192.168.0.0/24 MASQUERADE;
  # Everything that leaves via tap0 is masqueraded, whatever its source address.
  outerface tap0 MASQUERADE;
    }
}

table mangle {
    # No packet mangling; each built-in chain is declared with an explicit
    # ACCEPT policy so ferm owns the table.
    chain PREROUTING { policy ACCEPT; }
    chain INPUT { policy ACCEPT; }
    chain FORWARD { policy ACCEPT; }
    chain OUTPUT { policy ACCEPT; }
    chain POSTROUTING { policy ACCEPT; }
}

    ## spammers ipset: hash:net set of blocked source networks, rebuilt from
    ## /etc/spammers every time ferm applies the ruleset.  It is consumed by the
    ## "SPAMMERS" subchain in table filter / chain INPUT.
    ## NOTE(review): if /etc/spammers is missing or unreadable, `cat` fails but
    ## the pipeline still completes, leaving the set flushed and empty, so the
    ## blocklist silently matches nothing -- confirm that failure mode is
    ## acceptable or guard the pipeline.
    ## `-P4` runs four `echo`s concurrently; this relies on each one writing its
    ## single short line in one write so that ipset still sees one command per
    ## line.
  @hook pre 'ipset -exist create spammers hash:net';
  @hook pre 'ipset flush spammers ; cat /etc/spammers | xargs -d"\n" -P4 -I{} echo "add spammers {}" | ipset - 1>/dev/null';
  # Run when ferm flushes the ruleset: the set is emptied, not destroyed.
  @hook flush 'ipset flush spammers';


    ## trustnets ipsets: trustout = networks whose outbound traffic is accepted
    ## without further checks, trustin = sources allowed towards trustout
    ## destinations (see chain OUTPUT in table filter).  These inline lists are
    ## the single source of truth; the literal host lists in table filter
    ## (INPUT saddr, OUTPUT daddr) overlap with them and can drift.
    ## NOTE(review): `echo` appends a newline and `xargs -d" "` splits on spaces
    ## only, so the last element carries a trailing newline and ipset receives an
    ## extra blank line; presumably tolerated since this config is in use -- verify.
  @hook pre 'ipset -exist create trustout hash:net';
  @hook pre 'ipset -exist create trustin hash:net';
  @hook pre 'ipset flush trustout ; echo "192.168.0.0/24 192.168.1.0/24 192.168.122.0/24 127.0.0.1/32" | xargs -d" " -P4 -I{} echo "add trustout {}" | ipset - 1>/dev/null';
  @hook pre 'ipset flush trustin ; echo "192.168.0.0/24 192.168.1.0/24 192.168.122.0/24 172.20.55.204 172.20.55.65 172.21.10.108 172.20.55.179" | xargs -d" " -P4 -I{} echo "add trustin {}" | ipset - 1>/dev/null';
  @hook flush 'ipset flush trustout';
  @hook flush 'ipset flush trustin';

    ## trustforward ipset: networks and hosts allowed to be routed through this
    ## machine.  chain FORWARD accepts a packet only when BOTH its source and its
    ## destination are in this set.
  @hook pre 'ipset -exist create trustforward hash:net';
  @hook pre 'ipset flush trustforward ; echo "192.168.122.0/24 192.168.1.0/24 192.168.0.0/24 10.0.0.0/24 10.0.3.0/24 172.20.55.65/32 172.20.55.130/32 172.21.10.108/32 172.20.55.204/32 172.20.55.179/32" | xargs -d" " -P4 -I{} echo "add trustforward {}" | ipset - 1>/dev/null';
  @hook flush 'ipset flush trustforward';


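table filter {

    chain INPUT {
        # Default-deny: only the rules below admit inbound packets.
        policy DROP;

        # connection tracking: drop untrackable packets, accept replies to
        # existing connections.  Every rule after this point therefore only
        # sees packets conntrack regards as NEW (or untracked).
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet: anything arriving on these interfaces is accepted
        # without any source-address check.
        interface ( lo virbr0 tap0 wlan0 ) ACCEPT;

  proto all {
    # Trusted management hosts, any protocol.  Placed before the spammers
    # check, so a trusted host that also ends up in the set is still admitted.
    saddr ( 172.20.55.204 172.20.55.65 172.21.10.108 172.20.55.179 ) ACCEPT;
    # Blocked outright, before any service rule (also dropped in FORWARD).
    saddr ( 172.20.22.78 172.20.22.79 ) DROP;
  }

  # Blocklist: sources in the "spammers" ipset (rebuilt from /etc/spammers by
  # the @hook pre lines above) are logged, then dropped.  $LINE is ferm's
  # line-number variable, so each log entry points back at its rule.
  # NOTE(review): none of the LOG rules in this file are rate-limited (no
  # `mod limit`); a flood from a listed source reaches the log at line rate.
  proto all mod set set spammers src @subchain "SPAMMERS" {
    LOG log-prefix "Blocked-IP per rule $LINE: " log-level warning;
    DROP;
  }


        # respond to ping (no icmp-type match: every ICMP type is accepted)
        proto icmp ACCEPT; 

        # allow IPsec: IKE on udp/500, then log and accept ESP/AH
        proto udp dport 500 ACCEPT;
  LOG log-prefix "IPSec connection event: " log-level warning proto (esp ah);
        proto (esp ah) ACCEPT;

        # enable services
        proto tcp {
    # Restrict unknown hosts to no more than 8 ssh attempts every three minutes.
    # `set NOP` records the source in the "SSH" recent list; `update` then
    # matches when that source has been seen 8 times within 180 s and the
    # attempt is logged and dropped.  Anything not blocked is logged and accepted.
    dport ssh @subchain SSH-ALL {
      mod recent name SSH {
        set NOP;
        update seconds 180 hitcount 8 @subchain SSH-BLOCKED {
          LOG log-prefix "Blocked-ssh per rule $LINE: " log-level warning;
          DROP;
        }
      }
    LOG log-prefix "Accepted-ssh per rule $LINE: " log-level warning;
    ACCEPT;
    }
    # Public services.
    dport ( domain http https ) ACCEPT;
    # File services, restricted to known clients.
    dport ( rsync nfs ) saddr ( 172.20.20.161 192.168.122.0/24 192.168.1.0/24 ) ACCEPT;
    # NOTE(review): replies to this host's own LDAP/HTTP(S) client connections
    # are already accepted by the ESTABLISHED/RELATED rule at the top, so the
    # two sport rules below only ever match NEW packets.  The ldap/ldaps one
    # carries no source restriction: any host can reach any TCP port on this
    # machine by sending from source port 389 or 636.  Confirm it is still
    # needed; if it only exists for replies it can be removed.
    sport ( ldap ldaps ) ACCEPT;
    sport ( http https ) saddr ( 172.20.28.15 172.20.28.16 ) ACCEPT;
  }

  proto udp {
    # DNS and NFS over UDP, only when addressed to one of the private-subnet
    # addresses of this host.
    dport ( domain nfs ) daddr ( 192.168.1.0/24 192.168.122.0/24 192.168.0.0/24 ) ACCEPT;
  }
    }
    chain OUTPUT {
        # Outbound traffic is not filtered: the policy is ACCEPT, so the ACCEPT
        # rules in this chain only short-circuit evaluation.  The only
        # observable effect of the chain is the two DNS LOG rules.
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

  # Trusted Private: the trustout/trustin ipsets are populated by the
  # @hook pre lines at the top of this file; those lists are the single
  # source of truth (the unused $TRUST_OUT/$TRUST_IN copies were dropped).
  proto all { 
    mod set set trustout src ACCEPT;
    # Sources in trustin may reach destinations in trustout.
    mod set set trustin src @subchain TRUSTIN-OUTPUT {
      mod set set trustout dst ACCEPT;
    }
    daddr ( 172.20.55.204 172.20.55.65 172.20.55.130 172.20.55.179  172.21.10.108 127.0.0.1 ) ACCEPT;
  }
  proto tcp {
    # Log outbound DNS before accepting it (tcp here, udp below).
    LOG log-prefix "Accept-DNS out: rule $LINE: " log-level warning dport domain ;
    dport ( ssh smtp http https ldap ldaps domain ) ACCEPT;
    sport ( http https ) ACCEPT;
  }
  proto udp {
    LOG log-prefix "Accept-DNS out: rule $LINE: " log-level warning dport domain;
    dport domain ACCEPT ;
  }
    }
    chain FORWARD {
        # Default-deny for routed traffic.
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

  # The same two hosts that INPUT drops.
  saddr ( 172.20.22.78 172.20.22.79 ) DROP;
  # Route only between members of the trustforward ipset: both the source AND
  # the destination must be in the set.
  mod set set trustforward src @subchain TRUSTFORWARDS {
    mod set set trustforward dst ACCEPT;
  }
  proto tcp {
    # HTTP(S) to or from 172.20.28.15/.16 in either direction.
    sport (http https) saddr ( 172.20.28.15 172.20.28.16 ) ACCEPT;
    dport (http https) daddr ( 172.20.28.15 172.20.28.16 ) ACCEPT;
  }
    }
}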