#################################
# create the capo firewall chains
#################################
# Template Toolkit source for the shell script that creates the ipsets and the
# iptables mangle chains of the capo captive portal. Rendering needs
# ipset_version, capture_net, open_services, open_clients, open_networks and
# open_servers from the config; a missing key hits a THROW, which aborts the
# render unless the caller catches it.
# Every ipset/iptables call runs under sudo on its own (presumably the portal
# itself is unprivileged and sudoers grants just these two tools) and nothing
# in this file sets `set -e`, so a failing call does not stop the calls after
# it. NOTE(review): confirm the script that includes or executes this output
# enables strict mode, or checks that the chains and sets exist afterwards.
# Config values (capture_net, servers, ports, clients, networks) are expanded
# into the command lines without any shell quoting, so the config file has to
# be trusted -- a value with shell metacharacters would be executed as such.
#-----------------------------------------------------------------------------------------
# chain to mark authenticated traffic, clients get dynamically inserted/removed
# first rule always checks if already MARKed
#-----------------------------------------------------------------------------------------
# ipset_version selects the set type syntax: bitmap:ip,mac and hash:net for
# ipset >= 4, the older macipmap / iptreemap names before that. The sessions
# set is sized by capture_net; entries outside that range cannot be added.
[% UNLESS ipset_version; THROW 'ipset_version undefined in config_hash'; END %]
[% IF ipset_version >= 4 %]
sudo ipset --create capo_sessions_ipset bitmap:ip,mac range [%- capture_net %]
[% ELSE %]
sudo ipset --create capo_sessions_ipset macipmap network [%- capture_net %]
[% END %]
sudo iptables -t mangle -N capo_sessions
# mark packets from authenticated clients ip/mac as auth
# src,src: both the source IP and the source MAC of the packet must match one
# set entry. The set entry is the only thing that distinguishes an
# authenticated client, nothing else in the packet is checked.
sudo iptables -t mangle -A capo_sessions -m set --match-set capo_sessions_ipset src,src -j MARK --set-mark 1
#-----------------------------------------------------------------------------------------
# chain to register all outgoing traffic with ip/mac for IDLE checks by purger
#-----------------------------------------------------------------------------------------
# capo_activity_swap_ipset is only created here and referenced by no rule
# below; presumably the purger swaps it with capo_activity_ipset so it can
# read one interval's activity while the chain keeps writing into the other
# -- verify against the purger code.
[% IF ipset_version >= 4 %]
sudo ipset --create capo_activity_ipset bitmap:ip,mac range [%- capture_net %]
sudo ipset --create capo_activity_swap_ipset bitmap:ip,mac range [%- capture_net %]
[% ELSE %]
sudo ipset --create capo_activity_ipset macipmap network [%- capture_net %]
sudo ipset --create capo_activity_swap_ipset macipmap network [%- capture_net %]
[% END %]
sudo iptables -t mangle -N capo_activity
# first test ip/mac, else delete ip and then set active client ip/mac in activity ipset
# 1) the ip/mac pair is already recorded: leave the chain
sudo iptables -t mangle -A capo_activity -m set --match-set capo_activity_ipset src,src -j RETURN
# 2) delete by source IP only (single src flag), presumably so that an entry
#    with another mac for the same ip is replaced rather than kept
sudo iptables -t mangle -A capo_activity -j SET --del-set capo_activity_ipset src
# 3) record the current ip/mac pair
sudo iptables -t mangle -A capo_activity -j SET --add-set capo_activity_ipset src,src
#-----------------------------------------------------------------------------------------
# chains to mark static allowed traffic for nets and services, like DNS, DHCP, VPN, ...
#-----------------------------------------------------------------------------------------
#########################################################################################
# define allowed services and allowed networks for local clients
#########################################################################################
#-----------------------------------------------------------------------------------------
# allow site local open services
#-----------------------------------------------------------------------------------------
# One rule per (proto, service, server): open_services is a hash keyed by
# protocol, each value a list of services with .servers and .ports.
# -m multiport only works with -p tcp or -p udp, so the proto keys are
# expected to be one of those; NOTE(review): nothing here validates that.
# ipv4_aton() is applied to service.servers at render time -- if it resolves
# host names, the rendered script pins whatever addresses they had then.
# NOTE(review): the three nested loops below use dash-chomped tags on both
# sides, which strip the newline before and after each directive; that can
# join consecutive rendered commands, and the last command with the banner
# line that follows the loops, onto one line -- check the rendered output has
# exactly one command per line.
sudo iptables -t mangle -N capo_open_services
[% UNLESS open_services; THROW 'open_services undefined in config_file'; END %]
[%- FOREACH proto IN open_services.keys -%]
[%- FOREACH service IN open_services.$proto -%]
[%- FOREACH server IN ipv4_aton(service.servers) -%]
sudo iptables -t mangle -A capo_open_services -d [%- server -%] \
-p [%- proto -%] -m multiport --dports [%- service.ports.join(',') -%] \
-j MARK --set-mark 1
[%- END -%]
[%- END -%]
[%- END -%]
#-------------------------------------------------------------------------------------------
# allow defined open clients
#-------------------------------------------------------------------------------------------
# open_clients is a list of MAC addresses; a client is matched on its source
# MAC alone, without an IP check, and marked like authenticated traffic.
sudo iptables -t mangle -N capo_open_clients
[% UNLESS open_clients; THROW 'open_clients undefined in config_file'; END %]
[% FOREACH client IN open_clients %]
sudo iptables -t mangle -A capo_open_clients -m mac --mac-source [%- client -%] \
-j MARK --set-mark 1
[% END %]
#-------------------------------------------------------------------------------------------
# allow defined open networks
#-------------------------------------------------------------------------------------------
# open_networks and (below) open_servers share one set that is matched on the
# destination address; the set and the chain rule are created first, the
# members are added afterwards.
[% IF ipset_version >= 4 %]
sudo ipset --create capo_open_map_ipset hash:net
[% ELSE %]
sudo ipset --create capo_open_map_ipset iptreemap
[% END %]
sudo iptables -t mangle -N capo_open_map
sudo iptables -t mangle -A capo_open_map -m set --match-set capo_open_map_ipset dst -j MARK --set-mark 1
[% UNLESS open_networks; THROW 'open_networks undefined in config_file'; END %]
[% FOREACH network IN open_networks %]
sudo ipset --add capo_open_map_ipset [%- network -%]
[% END %]
#-------------------------------------------------------------------------------------------
# allow defined open servers
#-------------------------------------------------------------------------------------------
# open_servers go through ipv4_aton() like the service servers above, so any
# host names are fixed to addresses at render time, not at script run time.
[% UNLESS open_servers; THROW 'open_servers undefined in config_file'; END %]
[% FOREACH server IN ipv4_aton(open_servers) %]
sudo ipset --add capo_open_map_ipset [%- server -%]
[% END %]
# vim: sw=2 ft=sh