{"id":146,"date":"2014-03-25T10:23:32","date_gmt":"2014-03-25T09:23:32","guid":{"rendered":"https:\/\/chroot-me.in\/blog\/?p=146"},"modified":"2014-03-25T10:23:32","modified_gmt":"2014-03-25T09:23:32","slug":"gnulinux-netfilter-admin-with-ferm-for-easy-rule-making","status":"publish","type":"post","link":"https:\/\/chroot-me.in\/blog\/2014\/03\/gnulinux-netfilter-admin-with-ferm-for-easy-rule-making\/","title":{"rendered":"GNU\/Linux netfilter admin with Ferm: For Easy Rule Making"},"content":{"rendered":"

Ferm rules them all when you need to manage complex netfilter (iptables\/ip6tables\/ebtables) firewall.<\/p>\n

Project homepage : http:\/\/ferm.foo-projects.org\/<\/a><\/p>\n

First, a dumb `ferm` wrapper enhancing edit and debug usage: bash Ferm wrapper<\/a><\/p>\n

Current file layout:<\/p>\n

9:39 rboissat@dresda \/etc\/ferm% ls -R\r\n.:\r\nconf.d  ferm.conf  ferm.conf.orig\r\n\r\n.\/conf.d:\r\n00-vars.ferm  01-functions.ferm  02-policies.ferm  03-custom-chains.ferm  10-table-filter.ferm  20-table-mangle.ferm  30-table-nat.ferm<\/pre>\n
ferm.conf<\/p>\n
# -*- shell-script -*-\r\n#\r\n#  Configuration file for ferm(1).\r\n#\r\n\r\n@include 'conf.d\/';<\/pre>\n
00-vars.ferm (edited out)<\/p>\n
# FERM Variables;\r\n\r\n## Interfaces;\r\n@def $DEV_WAN4    = eth0;\r\n@def $DEV_WAN6    = hev6;\r\n@def $DEV_VPN     = brVPN;\r\n\r\n## Networks;\r\n@def $NET4_VPN    = (192.168.144.96\/27);\r\n@def $NET4_CHUN   = (192.168.144.0\/22);\r\n@def $NET6_VPN    = (2001:470:c8be:1::\/64);\r\n@def $NET6_CHUN   = (2001:470:c8be::\/48);\r\n@def $NET6_OVH    = (2001:41d0:1:8dc7::\/64);\r\n(...)<\/pre>\n
01-functions.ferm<\/p>\n
# FERM Hooks\r\n@hook post  \"echo 1 >| \/proc\/sys\/net\/ipv4\/ip_forward\";\r\n@hook post  \"echo 1 >| \/proc\/sys\/net\/ipv6\/conf\/all\/forwarding\";\r\n@hook flush \"echo 0 >| \/proc\/sys\/net\/ipv4\/ip_forward\";\r\n@hook flush \"echo 0 >| \/proc\/sys\/net\/ipv6\/conf\/all\/forwarding\";\r\n\r\n# FERM Functions\r\n@def &PORT_FORWARD($proto, $port, $outside, $inside) = {\r\n  daddr $outside proto $proto dport $port DNAT to $inside;\r\n}<\/pre>\n
02-policies.ferm<\/p>\n
# default policies\r\ndomain ( ip ip6 ) table filter {\r\n  chain FORWARD policy DROP;\r\n  chain INPUT   policy DROP;\r\n  chain OUTPUT  policy ACCEPT;\r\n}<\/pre>\n
Some cherry picked rules (did you really expect my entire ruleset? :P)<\/p>\n
 # wan input\r\n mod conntrack ctstate NEW daddr @ipfilter(($ADDR4_WAN $ADDR6_WAN)) proto tcp dport $TCP_IN_WAN ACCEPT;\r\n mod conntrack ctstate NEW daddr @ipfilter(($ADDR4_WAN $ADDR6_WAN)) proto udp dport $UDP_IN_WAN ACCEPT;\r\n\r\n# new to wan from local subnets\r\n@if @eq($DOMAIN, ip) {\r\n  outerface $DEV_WAN4 saddr $NET4_CHUN ACCEPT;\r\n} @else {\r\n  outerface $DEV_WAN6 saddr $NET6_CHUN ACCEPT;\r\n}<\/pre>\n
That’s all folks. This setup should be further documented in my wiki.<\/p>\n","protected":false},"excerpt":{"rendered":"
Ferm rules them all when you need to manage complex netfilter (iptables\/ip6tables\/ebtables) firewall. Project homepage : http:\/\/ferm.foo-projects.org\/ First, a dumb `ferm` wrapper enhancing edit and debug usage: bash Ferm wrapper Current file layout: 9:39 rboissat@dresda \/etc\/ferm% ls -R .: conf.d ferm.conf ferm.conf.orig .\/conf.d: 00-vars.ferm 01-functions.ferm 02-policies.ferm 03-custom-chains.ferm 10-table-filter.ferm 20-table-mangle.ferm 30-table-nat.ferm ferm.conf # -*- shell-script -*- … Continuer la lecture de « GNU\/Linux netfilter admin with Ferm: For Easy Rule Making »<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,4],"tags":[],"class_list":["post-146","post","type-post","status-publish","format-standard","hentry","category-english","category-geek"],"_links":{"self":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/posts\/146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/comments?post=146"}],"version-history":[{"count":0,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/posts\/146\/revisions"}],"wp:attachment":[{"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/media?parent=146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/categories?post=146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chroot-me.in\/blog\/wp-json\/wp\/v2\/tags?post=146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}