Documented configuration files

Tr4sK · Jun 14, 2013 · 643353c · 643353c
1 parent ca047d9
commit 643353c
Show file tree

Hide file tree

Showing 8 changed files with 113 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -1 +1,7 @@
-README
+#############################################
+#
+#    PVE - FIREWALL
+#
+#############################################
+
+PVE-Firewall is a shell script designed to keep proxmox firewalling clear and simple.
diff --git a/bridged.rules b/bridged.rules
@@ -4,20 +4,30 @@
 #
 #####################################################
 #
+# Define Here rules for your bridged virtual machines
+#
 # Available rules:
-# - BRIDGED_VM_ALLOW_TCP_PORT address port
-# - BRIDGED_VM_ALLOW_UDP_PORT address port
-# - BRIDGED_VM_ALLOW_PORT address
+#
+#    - BRIDGED_VM_LIMIT_PING <address> <pings per second>
+#    - BRIDGED_VM_ALLOW_PING <address>
+#    - BRIDGED_VM_PROTECTED_TCP_PORT <address> <port>
+#    - BRIDGED_VM_PROTECTED_UDP_PORT <address> <port>
+#    - BRIDGED_VM_PROTECTED_PORT <address> <port>
+#    - BRIDGED_VM_ALLOW_TCP_PORT <address> <port>
+#    - BRIDGED_VM_ALLOW_UDP_PORT <address> <port>
+#    - BRIDGED_VM_ALLOW_PORT <address> <port>
 #
 # You can also use MACROS from /etc/pve-firewall/macros
 #
 
-# WWW.iutbeziers.fr
-WWW='194.199.227.125'
+# example www virtual machine
+WWW='192.168.1.10'
 BRIDGED_VM_ALLOW_HTTP $WWW
 BRIDGED_VM_ALLOW_HTTPS $WWW
 
-# webmail.iutbeziers.fr
-WEBMAIL='194.199.227.126'
-BRIDGED_VM_ALLOW_HTTP $WEBMAIL
-BRIDGED_VM_ALLOW_HTTPS $WEBMAIL
+# example DNS virtual machine
+DNS1='192.168.1.11'
+BRIDGED_VM_ALLOW_UDP_PORT 53 $DNS1
+BRIDGED_VM_ALLOW_TCP_PORT 53 $DNS1
+
+
diff --git a/common_bridged.rules b/common_bridged.rules
@@ -3,6 +3,21 @@
 #	COMMON BRIDGED VM RULES
 #
 ##############################################
+#
+# Thoses rules will be applied to all bridged VM
+#
+# Available Rules:
+#    - COMMON_BRIDGED_VM_ALLOW_PING
+#    - COMMON_BRIDGED_VM_LIMIT_PING <pings per second>
+#    - COMMON_BRIDGED_VM_PROTECTED_TCP_PORT <port>
+#    - COMMON_BRIDGED_VM_PROTECTED_UDP_PORT <port>
+#    - COMMON_BRIDGED_VM_PROTECTED_PORT <port>
+#    - COMMON_BRIDGED_VM_ALLOW_TCP_PORT <port>
+#    - COMMON_BRIDGED_VM_ALLOW_UDP_PORT <port>
+#    - COMMON_BRIDGED_VM_ALLOW_PORT <port>
+#
+#
+#
 
 COMMON_BRIDGED_VM_PROTECTED_SSH
 COMMON_BRIDGED_VM_PROTECTED_SNMP

diff --git a/global.conf b/global.conf
@@ -7,7 +7,7 @@
 # Trusted Networks and hosts
 TRUSTNETS='10.228.3.1/32 194.199.227.0/24'
 
-# PVE Peers
+# PVE Peers, all required protocols are enabled between nodes
 PROXMOX_PEERS='192.168.1.2 192.168.1.3'
 
 # This node IP address
@@ -56,17 +56,17 @@ PROXMOX_ADDR='192.168.1.15'
 
 #BRIDGED_VM_STRICT_SYN=1
 
-####################################
+#####################################
 #	IPTABLES user chains names
-####################################
+#####################################
 # Iptables User Chain names
 #COMMON_VM_CHAIN='common_vm_newin'
 #VM_CHAIN='vm_newin'
 #PROXMOX_CHAIN='proxmox_newin'
 #LOGDROP_CHAIN='log_drop'
 
-####################################
+######################################
 #	path to iptables executable
-####################################
+######################################
 
 #IPTABLES='/sbin/iptables'
diff --git a/hypervisor.rules b/hypervisor.rules
@@ -3,6 +3,19 @@
 #	HYPERVISOR RULES
 #
 ######################################
+#
+# Define here your rules for the hypervisor itself
+#
+#  Available rules:
+#    - HYPERVISOR_LIMIT_PING <PINGS PER SECONDS>
+#    - HYPERVISOR_ALLOW_PING
+#    - HYPERVISOR_PROTECTED_TCP_PORT <port>
+#    - HYPERVISOR_PROTECTED_UDP_PORT <port>
+#    - HYPERVISOR_PROTECTED_PORT <port>
+#    - HYPERVISOR_ALLOW_TCP_PORT <port>
+#    - HYPERVISOR_ALLOW_UDP_PORT <port>
+#    - HYPERVISOR_ALLOW_PORT <port>
+#
 
 HYPERVISOR_LIMIT_PING 30
 HYPERVISOR_PROTECTED_SNMP

diff --git a/macros b/macros
@@ -1,9 +1,14 @@
 ##########################################################
 #
-#	DEFINE HERE YOUR OWN MACROS
+#	DEFINE HERE YOUR OWN FUNCTIONS
 #
 ##########################################################
 #
+# This file can be used to define user functions.
+# It is sourced by the bash script, so write it carefully,
+# and protect it !
+#
+#
 # The following functions are available for defining macros:
 #
 # - BRIDGED_VM_ALLOW_TCP_PORT ip_addr port
@@ -19,6 +24,7 @@
 # - HYPERVISOR_ALLOW_TCP_PORT port
 # - HYPERVISOR_ALLOW_UDP_PORT port
 # - HYPERVISOR_ALLOW_PORT port
+#
 
 #######################################
 # BRIDGED Virtual Machines Macros

diff --git a/pve-firewall b/pve-firewall
@@ -108,12 +108,10 @@ fi
 
 # Apply user defined bridged vm rules
 function APPLY_BRIDGED_VM_RULES {
-
 	source $CONF_DIR/$BRIDGED_CONF_FILENAME
 }
 
 function APPLY_ROUTED_VM_RULES {
-
 	source $CONF_DIR/$ROUTED_CONF_FILENAME
 }
 
@@ -125,50 +123,58 @@ function APPLY_HYPERVISOR_RULES {
 	#####################################
 
 	# accept immediatly open sessions
-	$IPTABLES --table filter --append INPUT -m conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
+	$IPTABLES --table filter --append INPUT -m conntrack \
+	  --ctstate RELATED,ESTABLISHED --jump ACCEPT
 
 	############################################
 	#	LOG AND DROP STRANGE TCP PACKETS
 	############################################
 
 	# DROP XMAS Scan
 	if [ $HYPERVISOR_BLOCK_XMAS_SCAN -eq 1 ]; then
-		$IPTABLES --table filter --append INPUT --protocol tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH --jump $LOGDROP_CHAIN
-		$IPTABLES --table filter --append INPUT --protocol tcp --tcp-flags ALL ALL --jump $LOGDROP_CHAIN;
+		$IPTABLES --table filter --append INPUT --protocol tcp \
+		  --tcp-flags FIN,URG,PSH FIN,URG,PSH --jump $LOGDROP_CHAIN
+		$IPTABLES --table filter --append INPUT --protocol tcp \
+		  --tcp-flags ALL ALL --jump $LOGDROP_CHAIN;
 	fi
 
 	# DROP NULL Scan
 	if [ $HYPERVISOR_BLOCK_NULL_SCAN -eq 1 ]; then
-		$IPTABLES --table filter --append INPUT --protocol tcp --tcp-flags ALL NONE --jump $LOGDROP_CHAIN;
+		$IPTABLES --table filter --append INPUT --protocol tcp \
+		  --tcp-flags ALL NONE --jump $LOGDROP_CHAIN;
 	fi
 
 	# DROP FIN Scan
 	if [ $HYPERVISOR_BLOCK_FIN_SCAN -eq 1 ]; then
-		$IPTABLES --table filter --append INPUT --protocol tcp --tcp-flags ALL FIN --jump $LOGDROP_CHAIN;
+		$IPTABLES --table filter --append INPUT --protocol tcp \
+		  --tcp-flags ALL FIN --jump $LOGDROP_CHAIN;
 	fi
 
 	# STRICT_SYN
 	# DROP if SYN is not set, NEXT RULES WORK ON NEW CONNECTIONS ONLY !!!
 	if [ $HYPERVISOR_STRICT_SYN -eq 1 ]; then
-		$IPTABLES --table filter --append INPUT --protocol tcp ! --tcp-flags ALL SYN --jump $LOGDROP_CHAIN;
+		$IPTABLES --table filter --append INPUT --protocol tcp \
+		  ! --tcp-flags ALL SYN --jump $LOGDROP_CHAIN;
 	fi
 
 	#########################################
 	#	FILTER NEW CONNECTIONS
 	#########################################
 
 	# Filter new connections (TCP, UDP, ICMP, ...)
-	$IPTABLES --table filter --append INPUT -m conntrack --ctstate NEW --jump $PROXMOX_CHAIN
+	$IPTABLES --table filter --append INPUT -m conntrack \
+	  --ctstate NEW --jump $PROXMOX_CHAIN
 
 	# PEER Proxmox rules
 	for PROXMOX_PEER in $PROXMOX_PEERS
 	do
 		# SSH
-		$IPTABLES --table filter --append $PROXMOX_CHAIN --source $PROXMOX_PEER --protocol tcp --dport 22 --jump ACCEPT;
+		$IPTABLES --table filter --append $PROXMOX_CHAIN \
+		  --source $PROXMOX_PEER --protocol tcp --dport 22 --jump ACCEPT;
 
-		# Corosync
+		# Corosync ?
 
-		# etc...
+		# etc... ?
 	done
 
 	# ALLOW ALL FOR LOOPBACK INTERFACE
@@ -187,35 +193,42 @@ function APPLY_VM_COMMON_RULES {
 	##############################################
 
 	# Immediatly accept opened sessions
-	$IPTABLES --table filter --append FORWARD -m conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
+	$IPTABLES --table filter --append FORWARD -m conntrack \
+	  --ctstate RELATED,ESTABLISHED --jump ACCEPT
 
 	# Allow initiating out traffic
-	$IPTABLES --table filter --append FORWARD -m physdev --physdev-in veth+ --jump ACCEPT
+	$IPTABLES --table filter --append FORWARD -m physdev \
+	  --physdev-in veth+ --jump ACCEPT
 
 	######################################
 	#	DROP STRANGE PACKETS
 	######################################
 
 	# DROP XMAS Scan
 	if [ "$BRIDGED_VM_BLOCK_XMAS_SCAN" -eq "1" ]; then
-		$IPTABLES --table filter --append FORWARD --protocol tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH --jump $LOGDROP_CHAIN
-		$IPTABLES --table filter --append FORWARD --protocol tcp --tcp-flags ALL ALL --jump $LOGDROP_CHAIN;
+		$IPTABLES --table filter --append FORWARD --protocol tcp \
+		  --tcp-flags FIN,URG,PSH FIN,URG,PSH --jump $LOGDROP_CHAIN
+		$IPTABLES --table filter --append FORWARD --protocol tcp \
+		  --tcp-flags ALL ALL --jump $LOGDROP_CHAIN;
 	fi
 
 	# DROP NULL Scan
 	if [ "$BRIDGED_VM_BLOCK_NULL_SCAN" -eq "1" ]; then
-		$IPTABLES --table filter --append FORWARD --protocol tcp --tcp-flags ALL NONE --jump $LOGDROP_CHAIN;
+		$IPTABLES --table filter --append FORWARD --protocol tcp \
+		  --tcp-flags ALL NONE --jump $LOGDROP_CHAIN;
 	fi
 
 	# DROP FIN Scan
 	if [ "$BRIDGED_VM_BLOCK_FIN_SCAN" -eq "1" ]; then
-		$IPTABLES --table filter --append FORWARD --protocol tcp --tcp-flags ALL FIN --jump $LOGDROP_CHAIN
+		$IPTABLES --table filter --append FORWARD --protocol tcp \
+		  --tcp-flags ALL FIN --jump $LOGDROP_CHAIN
 	fi
 
 	# STRICT SYN
 	# DROP if SYN is not set, NEXT RULES WORK ON NEW CONNECTIONS ONLY !!!
 	if [ "$BRIDGED_VM_STRICT_SYN" -eq "1" ]; then
-		$IPTABLES --table filter --append FORWARD --protocol tcp ! --tcp-flags ALL SYN --jump $LOGDROP_CHAIN
+		$IPTABLES --table filter --append FORWARD --protocol tcp \
+		  ! --tcp-flags ALL SYN --jump $LOGDROP_CHAIN
 	fi
 
 	# New connections (TCP, UDP, ICMP, ...) go to COMMON_VM_CHAIN
@@ -246,8 +259,10 @@ function ROUTED_VM_ALLOW_UDP_PORT {
 }
 
 function ROUTED_VM_ALLOW_PORT {
-	$IPTABLES --table nat --append PREROUTING --dport $2 --destination $PROXMOX_ADDR --jump DNAT --to-destination $1
-	$IPTABLES --table nat --append POSTROUTING --sport $2 --source $1 --jump SNAT --to-source $PROXMOX_ADDR
+	$IPTABLES --table nat --append PREROUTING --dport $2 \
+	  --destination $PROXMOX_ADDR --jump DNAT --to-destination $1
+	$IPTABLES --table nat --append POSTROUTING --sport $2 \
+	  --source $1 --jump SNAT --to-source $PROXMOX_ADDR
 }
 
 function ROUTED_VM_PROTECTED_TCP_PORT {

diff --git a/routed.rules b/routed.rules
@@ -3,3 +3,14 @@
 #	Routed VM rules
 #
 #######################################
+#
+# Define here your rules for routed virtual machines
+#
+#  Available rules:
+#    - ROUTED_VM_PROTECTED_TCP_PORT <port> <address>
+#    - ROUTED_VM_PROTECTED_UDP_PORT <port> <address>
+#    - ROUTED_VM_PROTECTED_PORT <port> <address>
+#    - ROUTED_VM_ALLOW_TCP_PORT <port> <address>
+#    - ROUTED_VM_ALLOW_UDP_PORT <port> <address>
+#    - ROUTED_VM_ALLOW_PORT <port> <address>
+#