funollet · January 13, 2015 17:00
diff --git a/ferm variables b/ferm variables
 ferm_tcp_dports_accept:
    - "5666"
    - "http"
    - "https"
    - "30301 saddr 192.168.141.200"

 ferm_tcp_forward:
    - "(5757 5758), 192.168.164.195, 5758"           
    - "20, 192.168.124.43, 20"                      
    - "21, 192.168.124.43, 21"                      
    - "49152:49260, 192.168.124.43, 49152-49260"    

 ferm_tcp_redirect:
    - "15012, 80"

diff --git a/ferm.conf.j2 (ansible template) b/ferm.conf.j2 (ansible template)
 # -*- shell-script -*-

 @def &FORWARD_TCP($fwdport, $daddr, $dport) = {
 # Creates rules to forward local ports to a remote machine.
 #
 #       @fwdport:  local port(s) to be forwarded; can be a ferm list
 #       @daddr: remote address to forward to
 #       @dport: remote port(s) to forward to; multiple ports separated by ':'
 #
        table filter chain FORWARD proto tcp dport $fwdport daddr $daddr ACCEPT ;
        table nat chain PREROUTING proto tcp dport $fwdport DNAT to "$daddr:$dport" ;
        table nat chain POSTROUTING proto tcp dport $fwdport MASQUERADE ;
 }


 @def &REDIRECT_TCP($dport, $to) = {
 # Redirect a local port to another port.
    table filter chain INPUT proto tcp dport $dport ACCEPT ;
    table nat chain PREROUTING proto tcp dport $dport REDIRECT to-ports $to ;
 }


 table filter {
    chain INPUT {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # allow local packet
        interface lo ACCEPT;
        # respond to ping
        proto icmp ACCEPT; 

        proto tcp dport ssh ACCEPT;
 {% for port in ferm_tcp_dports_accept %}
        proto tcp dport {{ port }} ACCEPT;
 {% endfor %}    }
    chain OUTPUT {
        policy ACCEPT;
        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP ;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
 }

 {% for params in ferm_tcp_forward %}
 &FORWARD_TCP({{ params }}) ;
 {% endfor %}
 {% for params in ferm_tcp_redirect %}
 &REDIRECT_TCP({{ params }}) ;
 {% endfor %}
diff --git a/trivial ferm variables b/trivial ferm variables
 ferm_tcp_dports_accept:
    - "5666"
    - "http"
    - "https"
    - "30301 saddr 188.40.141.200"
diff --git a/trivial ferm.conf b/trivial ferm.conf
 # -*- shell-script -*-

 table filter {
    chain INPUT {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # allow local packet
        interface lo ACCEPT;
        # respond to ping
        proto icmp ACCEPT; 

        proto tcp dport (ssh 5666 http https) ACCEPT;
        proto tcp dport 30301 saddr 188.40.141.200 ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;
        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP ;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
 }
	ferm_tcp_dports_accept:
	- "5666"
	- "http"
	- "https"
	- "30301 saddr 192.168.141.200"

	ferm_tcp_forward:
	- "(5757 5758), 192.168.164.195, 5758"
	- "20, 192.168.124.43, 20"
	- "21, 192.168.124.43, 21"
	- "49152:49260, 192.168.124.43, 49152-49260"

	ferm_tcp_redirect:
	- "15012, 80"
	# -- shell-script --

	@def &FORWARD_TCP($fwdport, $daddr, $dport) = {
	# Creates rules to forward local ports to a remote machine.
	#
	# @fwdport: local port(s) to be forwarded; can be a ferm list
	# @daddr: remote address to forward to
	# @dport: remote port(s) to forward to; multiple ports separated by ':'
	#
	table filter chain FORWARD proto tcp dport $fwdport daddr $daddr ACCEPT ;
	table nat chain PREROUTING proto tcp dport $fwdport DNAT to "$daddr:$dport" ;
	table nat chain POSTROUTING proto tcp dport $fwdport MASQUERADE ;
	}


	@def &REDIRECT_TCP($dport, $to) = {
	# Redirect a local port to another port.
	table filter chain INPUT proto tcp dport $dport ACCEPT ;
	table nat chain PREROUTING proto tcp dport $dport REDIRECT to-ports $to ;
	}


	table filter {
	chain INPUT {
	policy DROP;
	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;
	# allow local packet
	interface lo ACCEPT;
	# respond to ping
	proto icmp ACCEPT;

	proto tcp dport ssh ACCEPT;
	{% for port in ferm_tcp_dports_accept %}
	proto tcp dport {{ port }} ACCEPT;
	{% endfor %} }
	chain OUTPUT {
	policy ACCEPT;
	# connection tracking
	#mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;
	}
	chain FORWARD {
	policy DROP ;
	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;
	}
	}

	{% for params in ferm_tcp_forward %}
	&FORWARD_TCP({{ params }}) ;
	{% endfor %}
	{% for params in ferm_tcp_redirect %}
	&REDIRECT_TCP({{ params }}) ;
	{% endfor %}