Added nether helper scripts and a simple example policy

for the file backend.

Change-Id: Ife2f173d9964cb9f65a9c88d8779872020ab6e46

diff --git a/config/nether.policy b/config/nether.policy
new file mode 100644 (file)
index 0000000..324a7e3
--- /dev/null
+++ b/config/nether.policy
@@ -0,0 +1,7 @@
+# Nether policy
+# $UID:$GID:$SECCTX ALLOW|DENY|ALLOW_LOG
+#
+
+0::_:ALLOW
+5002::_:DENY
+1354787703::_:ALLOW
\ No newline at end of file

diff --git a/config/nether.rules b/config/nether.rules
new file mode 100644 (file)
index 0000000..72d4ebe
--- /dev/null
+++ b/config/nether.rules
@@ -0,0 +1,29 @@
+# nether iptables rules
+*nat
+:PREROUTING ACCEPT [214977:18048203]
+:INPUT ACCEPT [24506:3910785]
+:OUTPUT ACCEPT [46836:3016993]
+:POSTROUTING ACCEPT [45527:2930737]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [1008811:2134498122]
+:INPUT ACCEPT [948545:2129919738]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [816152:74580343]
+:POSTROUTING ACCEPT [824147:75308906]
+-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -p udp -j NFQUEUE --queue-num 0 --queue-bypass
+-A OUTPUT -p icmp -j NFQUEUE --queue-num 0 --queue-bypass
+COMMIT
+*filter
+:INPUT ACCEPT [927054:2081201095]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [805408:74228055]
+:NETHER-ALLOWLOG - [0:0]
+:NETHER-DENY - [0:0]
+-A OUTPUT -m mark --mark 0x3 -j NETHER-DENY
+-A OUTPUT -m mark --mark 0x4 -j NETHER-ALLOWLOG
+-A NETHER-ALLOWLOG -j AUDIT --type accept
+-A NETHER-DENY -j AUDIT --type reject
+-A NETHER-DENY -j REJECT --reject-with icmp-port-unreachable
+COMMIT

diff --git a/config/setrules.sh b/config/setrules.sh
new file mode 100755 (executable)
index 0000000..94e6e40
--- /dev/null
+++ b/config/setrules.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+DENY_CHAIN="NETHER-DENY"
+ALLOWLOG_CHAIN="NETHER-ALLOWLOG"
+TEST_HOST="198.145.20.7"
+TEST_PORT=443
+TEST_PROTO="tcp"
+TEST_QUEUE=0
+AUDITCTL=auditctl
+DENY_MARK="0x3"
+ALLOWLOG_MARK="0x4"
+
+function runcmd {
+       echo -ne "\t>> $@\n"
+       $@
+}
+
+function clean {
+       echo "Cleanup"
+       echo
+       iptables -t mangle -D OUTPUT -m state --state NEW -p $TEST_PROTO -d $TEST_HOST --dport $TEST_PORT -j NFQUEUE --queue-num 0 --queue-bypass 2> /dev/null
+       iptables -D OUTPUT -m mark --mark $DENY_MARK -j $DENY_CHAIN 2> /dev/null
+       iptables -D OUTPUT -m mark --mark $ALLOWLOG_MARK -j $ALLOWLOG_CHAIN 2> /dev/null
+       iptables -F $DENY_CHAIN 2> /dev/null
+       iptables -F $ALLOWLOG_CHAIN 2> /dev/null
+       iptables -X $DENY_CHAIN 2> /dev/null
+       iptables -X $ALLOWLOG_CHAIN 2> /dev/null
+       echo
+}
+
+function create {
+       echo "Creating chain"
+       echo
+       runcmd iptables -N $DENY_CHAIN  
+       runcmd iptables -N $ALLOWLOG_CHAIN
+       runcmd iptables -A $DENY_CHAIN -j AUDIT --type REJECT
+       runcmd iptables -A $DENY_CHAIN -j REJECT
+       runcmd iptables -A $ALLOWLOG_CHAIN -j AUDIT --type ACCEPT
+       echo
+}
+
+function create_rules {
+       echo "Writing rules to output chain $OUTPUT_CHAIN"
+       echo
+       runcmd iptables -t mangle -A OUTPUT -m state --state NEW -p $TEST_PROTO -d $TEST_HOST --dport $TEST_PORT -j NFQUEUE --queue-num 0 --queue-bypass
+       runcmd iptables -A OUTPUT -m mark --mark $DENY_MARK -j $DENY_CHAIN
+       runcmd iptables -A OUTPUT -m mark --mark $ALLOWLOG_MARK -j $ALLOWLOG_CHAIN
+       echo
+}
+
+function enable_audit {
+       if type $AUDITCTL; then
+               echo -n "Enable audit: "
+               runcmd $AUDITCTL -e 1 >/dev/null
+               if [ $? == 0 ]; then
+                       echo "OK"
+               else
+                       echo "Failed"
+               fi
+       else
+               echo "$AUDITCTL does not exist, can't enable audit"
+       fi
+       echo
+}
+
+clean
+create
+create_rules
+enable_audit