5 files changed, 135 insertions, 0 deletions
diff --git a/puppet/modules/shorewall/manifests/rules/torify/allow_tor_transparent_proxy.pp b/puppet/modules/shorewall/manifests/rules/torify/allow_tor_transparent_proxy.pp
new file mode 100644
index 00000000..3c18db69
--- /dev/null
+++ b/puppet/modules/shorewall/manifests/rules/torify/allow_tor_transparent_proxy.pp
@@ -0,0 +1,21 @@
+class shorewall::rules::torify::allow_tor_transparent_proxy {
+
+  $rule = "allow-tor-transparent-proxy"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    # A weirdness in shorewall forces us to explicitly allow traffic to
+    # net:$tor_transparent_proxy_host:$tor_transparent_proxy_port even
+    # if $FW->$FW traffic is allowed. This anyway avoids us special-casing
+    # the remote Tor transparent proxy situation.
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => "net:${shorewall::tor_transparent_proxy_host}",
+        proto           => 'tcp',
+        destinationport => $shorewall::tor_transparent_proxy_port,
+        order           => 100,
+        action          => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/puppet/modules/shorewall/manifests/rules/torify/allow_tor_user.pp b/puppet/modules/shorewall/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 00000000..f44c1f01
--- /dev/null
+++ b/puppet/modules/shorewall/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+  $whitelist_rule = "allow-from-tor-user"
+  if !defined(Shorewall::Rule["$whitelist_rule"]) {
+    shorewall::rule {
+      "$whitelist_rule":
+        source      => '$FW',
+        destination => 'all',
+        user        => $shorewall::tor_user,
+        order       => 101,
+        action      => 'ACCEPT';
+    }
+  }
+
+}
diff --git a/puppet/modules/shorewall/manifests/rules/torify/redirect_tcp_to_tor.pp b/puppet/modules/shorewall/manifests/rules/torify/redirect_tcp_to_tor.pp
new file mode 100644
index 00000000..2bee6584
--- /dev/null
+++ b/puppet/modules/shorewall/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -0,0 +1,40 @@
+define shorewall::rules::torify::redirect_tcp_to_tor(
+  $user = '-',
+  $originaldest = '-'
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "redirect-to-tor-user=${user}-to=${originaldest_sha1}"
+
+  if !defined(Shorewall::Rule["$rule"]) {
+
+    $originaldest_real = $originaldest ? {
+      '-'     => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+      default => $originaldest,
+    }
+
+    $user_real = $user ? {
+      '-'     => "!${shorewall::tor_user}",
+      default => $user,
+    }
+
+    $destzone = $shorewall::tor_transparent_proxy_host ? {
+      '127.0.0.1' => '$FW',
+      default     => 'net'
+    }
+    
+    shorewall::rule {
+      "$rule":
+        source       => '$FW',
+        destination  => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
+        proto        => 'tcp:syn',
+        originaldest => $originaldest_real,
+        user         => $user_real,
+        order        => 110,
+        action       => 'DNAT';
+    }
+
+  }
+
+}
diff --git a/puppet/modules/shorewall/manifests/rules/torify/reject_non_tor.pp b/puppet/modules/shorewall/manifests/rules/torify/reject_non_tor.pp
new file mode 100644
index 00000000..80240ec7
--- /dev/null
+++ b/puppet/modules/shorewall/manifests/rules/torify/reject_non_tor.pp
@@ -0,0 +1,32 @@
+define shorewall::rules::torify::reject_non_tor(
+  $user = '-',
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  # hash the destination as it may contain slashes
+  $originaldest_sha1 = sha1($originaldest)
+  $rule = "reject-non-tor-from-${user}-to=${originaldest_sha1}"
+
+  if $originaldest == '-' {
+    $originaldest_real = $allow_rfc1918 ? {
+      false   => '!127.0.0.1',
+      default => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+    }
+  } else {
+    $originaldest_real = $originaldest
+  }
+
+  if !defined(Shorewall::Rule["$rule"]) {
+    shorewall::rule {
+      "$rule":
+        source          => '$FW',
+        destination     => 'all',
+        originaldest    => $originaldest_real,
+        user            => $user,
+        order           => 120,
+        action          => 'REJECT';
+    }
+  }
+
+}
diff --git a/puppet/modules/shorewall/manifests/rules/torify/user.pp b/puppet/modules/shorewall/manifests/rules/torify/user.pp
new file mode 100644
index 00000000..5caccfd6
--- /dev/null
+++ b/puppet/modules/shorewall/manifests/rules/torify/user.pp
@@ -0,0 +1,27 @@
+define shorewall::rules::torify::user(
+  $originaldest = '-',
+  $allow_rfc1918 = true
+){
+
+  $user = $name
+
+  include shorewall::rules::torify::allow_tor_transparent_proxy
+
+  if $originaldest == '-' and $user == '-' {
+    include shorewall::rules::torify::allow_tor_user
+  }
+
+  shorewall::rules::torify::redirect_tcp_to_tor {
+    "redirect-to-tor-user=${user}-to=${originaldest}":
+      user         => $user,
+      originaldest => $originaldest
+  }
+
+  shorewall::rules::torify::reject_non_tor {
+    "reject-non-tor-user=${user}-to=${originaldest}":
+      user          => "$user",
+      originaldest  => $originaldest,
+      allow_rfc1918 => $allow_rfc1918;
+  }
+
+}