rep · December 14, 2015 20:18
diff --git a/ferm.conf b/ferm.conf
 # -*- shell-script -*-
 #
 #  Configuration file for ferm(1).
 #

 @def	$INTERNET="eth0";
 @def	$HOSTONLY0="vboxnet0";
 @def	$HONET0="192.168.56.0/24";

 @def	$VBOX0_INET=1;

 table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;
        interface $HOSTONLY0 ACCEPT;

        # respond to ping
        proto icmp ACCEPT; 

        # allow service connections
        proto tcp dport ssh ACCEPT;
        proto tcp dport http ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        @if $VBOX0_INET {
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP set NOP;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP update seconds 60 hitcount 10 REJECT reject-with tcp-reset;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP set NOP;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP update seconds 60 hitcount 10 DROP;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 ACCEPT;
        }

        LOG log-prefix "REJECT FORWARD: ";
        #proto tcp REJECT reject-with tcp-reset;
        REJECT reject-with icmp-admin-prohibited;
    }
 }

 table nat {
    chain POSTROUTING {
        out-interface $INTERNET source $HONET0 MASQUERADE;
    }
    chain PREROUTING {
        #in-interface $HOSTONLY0 proto tcp dport 25 DNAT to 192.168.56.1:25;
    }
 }

 @hook pre "echo 0 >/proc/sys/net/ipv4/ip_forward";
 @hook post "echo 1 >/proc/sys/net/ipv4/ip_forward";
 @hook flush "echo 0 >/proc/sys/net/ipv4/ip_forward";
	# -- shell-script --
	#
	# Configuration file for ferm(1).
	#

	@def $INTERNET="eth0";
	@def $HOSTONLY0="vboxnet0";
	@def $HONET0="192.168.56.0/24";

	@def $VBOX0_INET=1;

	table filter {
	chain INPUT {
	policy DROP;

	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;

	# allow local packet
	interface lo ACCEPT;
	interface $HOSTONLY0 ACCEPT;

	# respond to ping
	proto icmp ACCEPT;

	# allow service connections
	proto tcp dport ssh ACCEPT;
	proto tcp dport http ACCEPT;
	}
	chain OUTPUT {
	policy ACCEPT;

	# connection tracking
	#mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;
	}
	chain FORWARD {
	policy DROP;

	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;

	@if $VBOX0_INET {
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP set NOP;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP update seconds 60 hitcount 10 REJECT reject-with tcp-reset;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP set NOP;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP update seconds 60 hitcount 10 DROP;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 ACCEPT;
	}

	LOG log-prefix "REJECT FORWARD: ";
	#proto tcp REJECT reject-with tcp-reset;
	REJECT reject-with icmp-admin-prohibited;
	}
	}

	table nat {
	chain POSTROUTING {
	out-interface $INTERNET source $HONET0 MASQUERADE;
	}
	chain PREROUTING {
	#in-interface $HOSTONLY0 proto tcp dport 25 DNAT to 192.168.56.1:25;
	}
	}

	@hook pre "echo 0 >/proc/sys/net/ipv4/ip_forward";
	@hook post "echo 1 >/proc/sys/net/ipv4/ip_forward";
	@hook flush "echo 0 >/proc/sys/net/ipv4/ip_forward";