[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

m4_divert(44)m4_dnl
## Network definitions.
defiface $if_dmz \
	trusted:62.49.204.144/28 \
	trusted:172.29.199.0/25 \
	untrusted:default
defiface $if_trusted \
	trusted:172.29.199.0/25 \
	untrusted:default
defiface $if_safe safe:172.29.199.192/26
defiface $if_untrusted \
	untrusted:172.29.198.0/25
defvpn $if_vpn safe 172.29.199.128/27 \
	crybaby:172.29.199.129 \
	terror:172.29.199.130
defiface $if_iodine untrusted:172.29.198.128/28
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24


m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

## Only allow these packets if they're not fragmented.  (Don't trust safe
## hosts's fragment reassembly to be robust against malicious fragments.)
## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
## `! -f', so we do the negation using early return from a subchain.
clearchain fwd-spec-nofrag
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
	-m ipv6header --soft --header frag
run iptables -A FORWARD -j fwd-spec-nofrag

## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p icmp --icmp-type echo-request \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p icmp --icmp-type echo-reply \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p ipv6-icmp --icmpv6-type echo-request \
	-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p ipv6-icmp --icmpv6-type echo-reply \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

## Allow SSH from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --destination-port $port_ssh \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --source-port $port_ssh \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --destination-port $port_ssh \
	-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --source-port $port_ssh \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

m4_divert(60)m4_dnl
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
run iptables -A FORWARD -g poorly-understood \
	-d 224.0.0.0/4
run ip6tables -A FORWARD -g poorly-understood \
	-d ff::/8

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Incoming multicast on a network interface associated with a trusted
## network is OK, since it must have originated there (or been forwarded, but
## we don't do that yet).
for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
  echo $i
done | {
  seen=:
  while read i; do
    case "$seen" in *:$i:*) continue ;; esac
    seen=$seen$i:
    run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 224.0.0.0/24 \
	-i $i
  done
}

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
for i in INPUT FORWARD; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
775bd287	1	### --sh--
bfdc045d MW	2	###
	3	### Local firewall configuration
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
335b2afe MW	25	### Local configuration.
	26
	27	m4_divert(6)m4_dnl
	28	## Default NTP servers.
	29	defconf(ntp_servers,
	30	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
	31
	32	m4_divert(-1)
	33	###--------------------------------------------------------------------------
bfdc045d MW	34	### Packet classification.
	35
	36	## Define the available network classes.
	37	m4_divert(42)m4_dnl
	38	defnetclass untrusted untrusted trusted
	39	defnetclass trusted untrusted trusted safe noloop
	40	defnetclass safe trusted safe noloop
	41	defnetclass noloop trusted safe
a4d8cae3	42	m4_divert(-1)
bfdc045d	43
a4d8cae3	44	m4_divert(26)m4_dnl
bfdc045d MW	45	###--------------------------------------------------------------------------
	46	### Network layout.
	47
a4d8cae3 MW	48	m4_divert(44)m4_dnl
a4d8cae3 MW	49	## Network definitions.
08926d25 MW	50	defiface $if_dmz \
	51	trusted:62.49.204.144/28 \
	52	trusted:172.29.199.0/25 \
	53	untrusted:default
	54	defiface $if_trusted \
	55	trusted:172.29.199.0/25 \
	56	untrusted:default
	57	defiface $if_safe safe:172.29.199.192/26
bfdc045d	58	defiface $if_untrusted \
f98dfdf6	59	untrusted:172.29.198.0/25
bfdc045d	60	defvpn $if_vpn safe 172.29.199.128/27 \
9ec5456a MW	61	crybaby:172.29.199.129 \
9ec5456a MW	62	terror:172.29.199.130
f98dfdf6	63	defiface $if_iodine untrusted:172.29.198.128/28
bfdc045d MW	64	defiface $if_its_mz safe:172.29.199.160/30
	65	defiface $if_its_pi safe:192.168.0.0/24
	66
1ee6211d	67
a4d8cae3	68	m4_divert(80)m4_dnl
bfdc045d MW	69	###--------------------------------------------------------------------------
	70	### Special forwarding exemptions.
	71
c70bfbbb MW	72	## Only allow these packets if they're not fragmented. (Don't trust safe
	73	## hosts's fragment reassembly to be robust against malicious fragments.)
	74	## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
	75	## `! -f', so we do the negation using early return from a subchain.
	76	clearchain fwd-spec-nofrag
	77	run iptables -A fwd-spec-nofrag -j RETURN --fragment
	78	run ip6tables -A fwd-spec-nofrag -j RETURN \
	79	-m ipv6header --soft --header frag
	80	run iptables -A FORWARD -j fwd-spec-nofrag
	81
bfdc045d	82	## Allow ping from safe/noloop to untrusted networks.
c70bfbbb MW	83	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	84	-p icmp --icmp-type echo-request \
bfdc045d	85	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb MW	86	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	87	-p icmp --icmp-type echo-reply \
bfdc045d MW	88	-m mark --mark $from_untrusted/$MASK_FROM \
bfdc045d MW	89	-m state --state ESTABLISHED
c70bfbbb	90	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	91	-p ipv6-icmp --icmpv6-type echo-request \
0291d6d5	92	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb	93	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	94	-p ipv6-icmp --icmpv6-type echo-reply \
0291d6d5 MW	95	-m mark --mark $from_untrusted/$MASK_FROM \
0291d6d5 MW	96	-m state --state ESTABLISHED
bfdc045d MW	97
bfdc045d MW	98	## Allow SSH from safe/noloop to untrusted networks.
c70bfbbb MW	99	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	100	-p tcp --destination-port $port_ssh \
bfdc045d	101	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb MW	102	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	103	-p tcp --source-port $port_ssh \
bfdc045d MW	104	-m mark --mark $from_untrusted/$MASK_FROM \
bfdc045d MW	105	-m state --state ESTABLISHED
c70bfbbb	106	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	107	-p tcp --destination-port $port_ssh \
0291d6d5	108	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb	109	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	110	-p tcp --source-port $port_ssh \
0291d6d5 MW	111	-m mark --mark $from_untrusted/$MASK_FROM \
0291d6d5 MW	112	-m state --state ESTABLISHED
bfdc045d	113
ade2c052	114	m4_divert(60)m4_dnl
a4d8cae3	115	m4_divert(80)m4_dnl
ade2c052 MW	116	###--------------------------------------------------------------------------
	117	### Kill things we don't understand properly.
	118	###
	119	### I don't like having to do this, but since I don't know how to do proper
	120	### multicast filtering, I'm just going to ban it from being forwarded.
	121
	122	errorchain poorly-understood REJECT
	123
	124	## Ban multicast destination addresses in forwarding.
	125	run iptables -A FORWARD -g poorly-understood \
	126	-d 224.0.0.0/4
	127	run ip6tables -A FORWARD -g poorly-understood \
	128	-d ff::/8
	129
a4d8cae3	130	m4_divert(84)m4_dnl
bfdc045d MW	131	###--------------------------------------------------------------------------
	132	### Locally-bound packet inspection.
	133
	134	clearchain inbound
	135
	136	## Track connections.
ecdca131	137	commonrules inbound
bfdc045d MW	138	conntrack inbound
	139
	140	## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
	141	## local request.
	142	run iptables -A inbound -j ACCEPT \
	143	-s 0.0.0.0 -d 255.255.255.255 \
	144	-p udp --source-port $port_bootpc --destination-port $port_bootps
	145	run iptables -A inbound -j ACCEPT \
	146	-s 172.29.198.0/23 \
	147	-p udp --source-port $port_bootpc --destination-port $port_bootps
	148
08926d25 MW	149	## Incoming multicast on a network interface associated with a trusted
	150	## network is OK, since it must have originated there (or been forwarded, but
	151	## we don't do that yet).
	152	for i in $(echo $if_trusted $if_dmz $if_safe \| sed 'y/,/ /'); do
	153	echo $i
	154	done \| {
	155	seen=:
	156	while read i; do
	157	case "$seen" in :$i:) continue ;; esac
	158	seen=$seen$i:
	159	run iptables -A inbound -j ACCEPT \
429f4314	160	-s 0.0.0.0 -d 224.0.0.0/24 \
08926d25 MW	161	-i $i
	162	done
	163	}
429f4314	164
bfdc045d	165	## Allow incoming ping. This is the only ICMP left.
0291d6d5	166	run ip46tables -A inbound -j ACCEPT -p icmp
bfdc045d MW	167
	168	m4_divert(88)m4_dnl
	169	## Allow unusual things.
	170	openports inbound
	171
	172	## Inspect inbound packets from untrusted sources.
0291d6d5 MW	173	run ip46tables -A inbound -j forbidden
0291d6d5 MW	174	run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
bfdc045d MW	175
	176	## Otherwise process as indicated by the mark.
	177	for i in INPUT FORWARD; do
0291d6d5	178	run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
bfdc045d MW	179	done
	180
	181	m4_divert(-1)
	182	###----- That's all, folks --------------------------------------------------