#################################
# create the capo firewall chains
#################################
#
# Template Toolkit template ([% ... %] directives) that renders to a shell
# script; every "sudo ..." line is executed as rendered.  Config values
# (capture_net, open_services, open_clients, open_networks, open_servers) are
# expanded unquoted into the commands, so the config file is trusted input.
# All chains live in the mangle table and only classify traffic by setting
# MARK 1; the rules that act on that mark are not part of this file.
 
#-----------------------------------------------------------------------------------------
# chain to mark authenticated traffic, clients get dynamically inserted/removed
# first rule always checks if already MARKed
#-----------------------------------------------------------------------------------------

[% UNLESS ipset_version; THROW 'ipset_version undefined in config_hash'; END %]

# ipset >= 4 uses the bitmap:ip,mac set type with "range"; older releases use the
# legacy macipmap type with "network".  Both are keyed on ip+mac, so the session
# match below requires the source ip AND source mac to be in the set.
[% IF ipset_version >= 4 %]
  sudo ipset --create capo_sessions_ipset bitmap:ip,mac range [%- capture_net %] 
[% ELSE %]
  sudo ipset --create capo_sessions_ipset macipmap network [%- capture_net %] 
[% END %]

sudo iptables -t mangle -N capo_sessions

# mark packets from authenticated clients ip/mac as auth
# (src,src = source ip and source mac must both match the session entry)
sudo iptables -t mangle -A capo_sessions -m set --match-set capo_sessions_ipset src,src -j MARK --set-mark 1

#-----------------------------------------------------------------------------------------
# chain to register all outgoing traffic with ip/mac for IDLE checks by purger
#-----------------------------------------------------------------------------------------
# Two sets of the same type and range; the *_swap set is only created here and
# is presumably rotated in by the purger — not visible in this file.
[% IF ipset_version >= 4 %]
  sudo ipset --create capo_activity_ipset      bitmap:ip,mac range [%- capture_net %] 
  sudo ipset --create capo_activity_swap_ipset bitmap:ip,mac range [%- capture_net %] 
[% ELSE %]
  sudo ipset --create capo_activity_ipset      macipmap network [%- capture_net %] 
  sudo ipset --create capo_activity_swap_ipset macipmap network [%- capture_net %] 
[% END %]

sudo iptables -t mangle -N capo_activity

# first test ip/mac, else delete ip and then set active client ip/mac in activity ipset
#  1. ip/mac already recorded  -> RETURN, nothing to do
#  2. otherwise delete by ip only, so a stale entry for the same ip with a
#     different mac is replaced rather than accumulated
#  3. add the current ip/mac pair
sudo iptables -t mangle -A capo_activity -m set --match-set capo_activity_ipset src,src -j RETURN
sudo iptables -t mangle -A capo_activity -j SET --del-set capo_activity_ipset src
sudo iptables -t mangle -A capo_activity -j SET --add-set capo_activity_ipset src,src

#-----------------------------------------------------------------------------------------
# chains to mark static allowed traffic for nets and services, like DNS, DHCP, VPN, ...
#-----------------------------------------------------------------------------------------

#########################################################################################
# define allowed services and allowed networks for local clients
#########################################################################################

#-----------------------------------------------------------------------------------------
# allow site local open services
#-----------------------------------------------------------------------------------------
sudo iptables -t mangle -N capo_open_services

[% UNLESS open_services; THROW 'open_services undefined in config_file'; END %]

# One rule per (proto, service, server): destination server + proto + port list.
# ipv4_aton is supplied by the template context; presumably it turns the
# configured server names/addresses into IPv4 addresses — verify in the caller.
# NOTE(review): iptables multiport accepts at most 15 ports per rule; a longer
# service.ports list makes the rendered rule fail to load.
[%- FOREACH proto IN open_services.keys -%]
  [%- FOREACH service IN open_services.$proto -%]
    [%- FOREACH server IN ipv4_aton(service.servers) -%]

sudo iptables -t mangle -A capo_open_services -d [%- server -%] \
  -p [%- proto -%] -m multiport --dports [%- service.ports.join(',') -%] \
  -j MARK --set-mark 1

    [%-  END -%]
  [%-  END -%]
[%-  END -%]

#-------------------------------------------------------------------------------------------
# allow defined open clients
#-------------------------------------------------------------------------------------------
sudo iptables -t mangle -N capo_open_clients

[% UNLESS open_clients; THROW 'open_clients undefined in config_file'; END %]

# Bypass by source MAC only (no ip component).  A MAC is not an authenticator —
# any host on the capture net can present it — so this list should stay short
# and be reviewed like any other allowlist.
[% FOREACH client IN open_clients %]

  sudo iptables -t mangle -A capo_open_clients -m mac --mac-source [%- client -%] \
    -j MARK --set-mark 1

[% END %]

#-------------------------------------------------------------------------------------------
# allow defined open networks
#-------------------------------------------------------------------------------------------

# Destination-based allow set: hash:net on ipset >= 4, legacy iptreemap otherwise.
# Both open_networks and open_servers (below) are loaded into this one set.
[% IF ipset_version >= 4 %]
  sudo ipset --create capo_open_map_ipset hash:net
[% ELSE %]
  sudo ipset --create capo_open_map_ipset iptreemap
[% END %]

sudo iptables -t mangle -N capo_open_map
# mark any packet whose destination is in the open map
sudo iptables -t mangle -A capo_open_map -m set --match-set capo_open_map_ipset dst -j MARK --set-mark 1

[% UNLESS open_networks; THROW 'open_networks undefined in config_file'; END %]

[% FOREACH network IN open_networks %]
  sudo ipset --add capo_open_map_ipset [%- network -%]
[% END %]

#-------------------------------------------------------------------------------------------
# allow defined open servers
#-------------------------------------------------------------------------------------------

[% UNLESS open_servers; THROW 'open_servers undefined in config_file'; END %]

# Same set as the open networks; entries are single addresses from ipv4_aton.
[% FOREACH server IN ipv4_aton(open_servers) %]

  sudo ipset --add capo_open_map_ipset [%- server -%]

[% END %]

# vim: sw=2 ft=sh