From c114b2ac29e69f499219b26776f43dcc7453b23b Mon Sep 17 00:00:00 2001
From: kev
Date: Mon, 6 Jul 2015 08:35:53 +0800
Subject: [PATCH] add ferm

---
 ferm/Dockerfile | 11 +++++++++
 ferm/README.md | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
 openvpn/setup.sh | 30 +++++++++++++++++++++++
 3 files changed, 103 insertions(+)
 create mode 100644 ferm/Dockerfile
 create mode 100644 ferm/README.md
 create mode 100755 openvpn/setup.sh

diff --git a/ferm/Dockerfile b/ferm/Dockerfile
new file mode 100644
index 0000000..2b1a88e
--- /dev/null
+++ b/ferm/Dockerfile
@@ -0,0 +1,11 @@
+#
+# Dockerfile for ferm
+#
+
+FROM alpine
+MAINTAINER kev
+
+RUN apk add -U ferm && rm -rf /var/cache/apk/*
+
+ENTRYPOINT ["ferm", "--remote"]
+CMD ["-"]
diff --git a/ferm/README.md b/ferm/README.md
new file mode 100644
index 0000000..661973f
--- /dev/null
+++ b/ferm/README.md
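Review bot: `FROM alpine` and `apk add -U ferm` are both unpinned, so the image this Dockerfile builds depends on whatever the registry and the Alpine package index serve at build time, and the ferm 2.2 shown in the README's sample output is not guaranteed by the build; pin the base image to a release tag (`FROM alpine:<release-tag>`) and, where the package index allows it, the ferm package version as well. The `--remote` entrypoint implies `--noexec` and `--lines` per the README, so the container only prints rules and never needs `NET_ADMIN` on the host; a comment above the ENTRYPOINT line, `# --remote implies --noexec --lines: the container only renders rules, it never touches host netfilter`, would record that this read-only behaviour is intended.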
@@ -0,0 +1,62 @@
+ferm - for Easy Rule Making
+===========================
+
+![](https://badge.imagelayers.io/vimagick/ferm:latest.svg)]
+
+[`ferm`][1] is a frontend for iptables, providing a way to write manageable
+rulesets without sacrificing flexibility.
+
+## Tutorial
+
+```
+$ alias ferm='docker run -i --rm vimagick/ferm'
+
+$ cat > iptables.rules <<_EOF_
+chain INPUT {
+ policy DROP;
+ mod state state (RELATED ESTABLISHED) ACCEPT;
+ proto tcp dport (http ftp ssh) ACCEPT;
+}
+_EOF_
+
+$ ferm -h
+Usage:
+ ferm *options* *inputfiles*
+
+Options:
+ -n, --noexec Do not execute the rules, just simulate
+ -F, --flush Flush all netfilter tables managed by ferm
+ -l, --lines Show all rules that were created
+ -i, --interactive Interactive mode: revert if user does not confirm
+ -t, --timeout s Define interactive mode timeout in seconds
+ --remote Remote mode; ignore host specific configuration.
+ This implies --noexec and --lines.
+ -V, --version Show current version number
+ -h, --help Look at this text
+ --slow Slow mode, don't use iptables-restore
+ --shell Generate a shell script which calls iptables-restore
+ --domain {ip|ip6} Handle only the specified domain
+ --def '$name=v' Override a variable
+
+$ ferm < iptables.rules
+# Generated by ferm 2.2 on Mon Jul 6 00:32:04 2015
+*filter
+:INPUT DROP [0:0]
+-A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
+-A INPUT --protocol tcp --dport http --jump ACCEPT
+-A INPUT --protocol tcp --dport ftp --jump ACCEPT
+-A INPUT --protocol tcp --dport ssh --jump ACCEPT
+COMMIT
+
+$ ferm --slow - < iptables.rules
+iptables -t filter -P INPUT ACCEPT
+iptables -t filter -F
+iptables -t filter -X
+iptables -t filter -P INPUT DROP
+iptables -t filter -A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
+iptables -t filter -A INPUT --protocol tcp --dport http --jump ACCEPT
+iptables -t filter -A INPUT --protocol tcp --dport ftp --jump ACCEPT
+iptables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT
+```
+
+[1]: http://ferm.foo-projects.org/
diff --git a/openvpn/setup.sh b/openvpn/setup.sh
new file mode 100755
index 0000000..f3189b5
--- /dev/null
+++ b/openvpn/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# setup script for kylemanna/openvpn
+#
+
+OVPN_DATA=${OVPN_DATA:-openvpn_data_1}
+OVPN_SERVER=${OVPN_SERVER:-tcp://vpn.datageek.info}
+OVPN_CLIENT=${OVPN_CLIENT:-client}
+
+select opt in server client quit
+do
+ if [[ $opt == "server" ]]
+ then
+ echo "setup server ..."
+ docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -c -u $OVPN_SERVER
+ docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki
+ elif [[ $opt == "client" ]]
+ then
+ echo "setup client ..."
+ docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full $OVPN_CLIENT nopass
+ docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient $OVPN_CLIENT > $OVPN_CLIENT.ovpn
+ elif [[ $opt == "quit" ]]
+ then
+ echo "bye"
+ exit
+ else
+ echo "invalid"
+ fi
+done
+
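Review bot: The `.ovpn` file written by the `ovpn_getclient` redirection in the client branch is created under the caller's default umask, and because the client certificate is built with `nopass` on the line before, the credentials that file carries are presumably an unencrypted key, so on a typical system it ends up world-readable; run that step under a restrictive umask, e.g. `(umask 077; docker run --volumes-from "$OVPN_DATA" --rm kylemanna/openvpn ovpn_getclient "$OVPN_CLIENT" > "$OVPN_CLIENT.ovpn")`. The three environment-derived variables are expanded unquoted on every `docker run` line and in the redirection target, so a value containing whitespace or a glob character is split or expanded before docker sees it; quoting them as in the line above fixes that throughout. There is also no `set -e` and no status check between the two `docker run` calls of each branch, so `ovpn_initpki` runs even when `ovpn_genconfig` has failed; appending `|| exit 1` to the first call of each pair would stop that.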