rep/ferm.conf

## ferm.conf
# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

@def	$INTERNET="eth0";
@def	$HOSTONLY0="vboxnet0";
@def	$HONET0="192.168.56.0/24";

@def	$VBOX0_INET=1;

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;
        interface $HOSTONLY0 ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # allow service connections
        proto tcp dport ssh ACCEPT;
        proto tcp dport http ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        @if $VBOX0_INET {
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP set NOP;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP update seconds 60 hitcount 10 REJECT reject-with tcp-reset;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP set NOP;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP update seconds 60 hitcount 10 DROP;
            in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 ACCEPT;
        }

        LOG log-prefix "REJECT FORWARD: ";
        #proto tcp REJECT reject-with tcp-reset;
        REJECT reject-with icmp-admin-prohibited;
    }
}

table nat {
    chain POSTROUTING {
        out-interface $INTERNET source $HONET0 MASQUERADE;
    }
    chain PREROUTING {
        #in-interface $HOSTONLY0 proto tcp dport 25 DNAT to 192.168.56.1:25;
    }
}

@hook pre "echo 0 >/proc/sys/net/ipv4/ip_forward";
@hook post "echo 1 >/proc/sys/net/ipv4/ip_forward";
@hook flush "echo 0 >/proc/sys/net/ipv4/ip_forward";
	# -- shell-script --
	#
	# Configuration file for ferm(1).
	#

	@def $INTERNET="eth0";
	@def $HOSTONLY0="vboxnet0";
	@def $HONET0="192.168.56.0/24";

	@def $VBOX0_INET=1;

	table filter {
	chain INPUT {
	policy DROP;

	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;

	# allow local packet
	interface lo ACCEPT;
	interface $HOSTONLY0 ACCEPT;

	# respond to ping
	proto icmp ACCEPT;

	# allow service connections
	proto tcp dport ssh ACCEPT;
	proto tcp dport http ACCEPT;
	}
	chain OUTPUT {
	policy ACCEPT;

	# connection tracking
	#mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;
	}
	chain FORWARD {
	policy DROP;

	# connection tracking
	mod state state INVALID DROP;
	mod state state (ESTABLISHED RELATED) ACCEPT;

	@if $VBOX0_INET {
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP set NOP;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto tcp mod state state NEW mod recent name SANDBOXTCP update seconds 60 hitcount 10 REJECT reject-with tcp-reset;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP set NOP;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 proto udp mod recent name SANDBOXUDP update seconds 60 hitcount 10 DROP;
	in-interface $HOSTONLY0 out-interface $INTERNET source $HONET0 ACCEPT;
	}

	LOG log-prefix "REJECT FORWARD: ";
	#proto tcp REJECT reject-with tcp-reset;
	REJECT reject-with icmp-admin-prohibited;
	}
	}

	table nat {
	chain POSTROUTING {
	out-interface $INTERNET source $HONET0 MASQUERADE;
	}
	chain PREROUTING {
	#in-interface $HOSTONLY0 proto tcp dport 25 DNAT to 192.168.56.1:25;
	}
	}

	@hook pre "echo 0 >/proc/sys/net/ipv4/ip_forward";
	@hook post "echo 1 >/proc/sys/net/ipv4/ip_forward";
	@hook flush "echo 0 >/proc/sys/net/ipv4/ip_forward";