Commit | Line | Data |
---|---|---|
775bd287 | 1 | ### -*-sh-*- |
bfdc045d MW |
2 | ### |
3 | ### Initialization and finishing touches for firewall scripts | |
4 | ### | |
5 | ### (c) 2008 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | m4_divert(30)m4_dnl | |
25 | ###-------------------------------------------------------------------------- | |
26 | ### Clear existing firewall rules. | |
27 | ||
28 | ## The main chains: set policy to drop, and then clear the rules. For a | |
29 | ## while, incoming packets will be silently dropped, but we should have got | |
30 | ## everything going before anyone actually hits a timeout. | |
42dae9ae MW |
31 | ## |
32 | ## We don't control some of the chains, so we should preserve them. This | |
33 | ## introduces a whole bunch of problems. | |
34 | ||
35 | ## Chains we're meant to preserve | |
36 | preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains" | |
37 | ||
38 | ## Take the various IP versions in turn. | |
39 | unref=nil | |
40 | for ip in ip ip6; do | |
fb7845a8 MW |
41 | if [ "$FW_NOACT" ]; then break; fi |
42 | ||
42dae9ae MW |
43 | for table in $(cat /proc/net/${ip}_tables_names); do |
44 | ||
45 | ## Step 1: clear out the builtin chains. | |
46 | ${ip}tables -nL -t $table | | |
47 | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | | |
48 | while read chain; do | |
49 | case $table in | |
50 | nat) policy=ACCEPT ;; | |
51 | *) policy=DROP ;; | |
52 | esac | |
53 | run ${ip}tables -t $table -P $chain $policy | |
54 | run ${ip}tables -t $table -F $chain | |
55 | done | |
56 | ||
57 | ## Step 2: clear out user chains. Unfortunately, we can only clear | |
58 | ## chains which have no references to them, so work through picking off | |
59 | ## unreferenced chains which aren't meant to be preserved until there are | |
60 | ## none left. | |
61 | while :; do | |
62 | progress=nil | |
63 | ${ip}tables -nL -t $table | | |
64 | sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \ | |
65 | >/var/run/firewall-chains.tmp | |
66 | while read chain; do | |
67 | match=nil | |
68 | for pat in $preserve_chains; do | |
69 | case "$table:$chain" in $pat) match=t ;; esac | |
70 | done | |
71 | case $match in | |
72 | nil) | |
73 | run ${ip}tables -t $table -F $chain | |
74 | run ${ip}tables -t $table -X $chain | |
75 | progress=t | |
76 | ;; | |
77 | esac | |
78 | done </var/run/firewall-chains.tmp | |
79 | case $progress in nil) break ;; esac | |
80 | done | |
81 | ||
82 | ## Step 3: report on uncleared user chains. This means that there's a | |
83 | ## serious problem. | |
84 | ${ip}tables -nL -t $table | | |
85 | sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \ | |
86 | >/var/run/firewall-chains.tmp | |
87 | while read chain refs; do | |
88 | match=nil | |
89 | for pat in $preserve_chains; do | |
90 | case "$table:$chain" in $pat) match=t ;; esac | |
91 | done | |
92 | case $match in | |
93 | nil) | |
94 | echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'" | |
95 | unref=t | |
96 | ;; | |
97 | esac | |
98 | done </var/run/firewall-chains.tmp | |
bfdc045d | 99 | done |
bfdc045d | 100 | done |
42dae9ae MW |
101 | rm -f /var/run/firewall-chains.tmp |
102 | case $unref in t) exit 1 ;; esac | |
bfdc045d MW |
103 | |
104 | m4_divert(32)m4_dnl | |
105 | ###-------------------------------------------------------------------------- | |
106 | ### Set safe IP options. | |
107 | ||
108 | ## Set forwarding options. Apparently setting ip_forward clobbers other | |
109 | ## settings, so put this first. | |
78af294c | 110 | case $host_type_<::>FWHOST in |
64de9249 MW |
111 | router) forward=1 host=0 ;; |
112 | server) forward=0 host=0 ;; | |
113 | client) forward=0 host=1 ;; | |
78af294c | 114 | esac |
bfdc045d MW |
115 | setopt ip_forward $forward |
116 | setdevopt forwarding $forward | |
64de9249 MW |
117 | for i in \ |
118 | accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen | |
119 | do | |
120 | setdevopt $i $host | |
121 | done | |
f0033e07 MW |
122 | case $forward in |
123 | 0) inchains="INPUT" ;; | |
124 | 1) inchains="INPUT FORWARD" ;; | |
125 | esac | |
bfdc045d MW |
126 | |
127 | ## Set dynamic port allocation. | |
128 | setopt ip_local_port_range $open_port_min $open_port_max | |
129 | ||
130 | ## Deploy SYN-cookies if necessary. | |
131 | setopt tcp_syncookies 1 | |
132 | ||
c8d422ec MW |
133 | ## Allow broadcast and multicast ping, because it's a useful diagnostic tool. |
134 | setopt icmp_echo_ignore_broadcasts 0 | |
135 | ||
429f4314 MW |
136 | ## Turn off iptables filtering for bridges. We'll use ebtables if we need |
137 | ## to; but right now the model is that we do filtering at the borders, and | |
138 | ## are tolerant of things which are local. | |
6d47692a MW |
139 | if [ -x /sbin/brctl ]; then |
140 | modprobe bridge || : | |
141 | if [ -d /proc/sys/net/bridge ]; then | |
142 | for filter in arptables iptables ip6tables; do | |
143 | run sysctl -q net.bridge.bridge-nf-call-$filter=0 | |
144 | done | |
145 | fi | |
146 | fi | |
429f4314 | 147 | |
78af294c MW |
148 | ## Turn off the reverse-path filter. It's basically useless: the filter does |
149 | ## nothing at all for single-homed hosts; and multi-homed hosts tend to have | |
150 | ## routing aysmmetries if there's any kind of cycle. | |
151 | setdevopt rp_filter 0 | |
152 | setdevopt log_martians 0 | |
bfdc045d MW |
153 | |
154 | ## Turn off things which can mess with our routing decisions. | |
155 | setdevopt accept_source_route 0 | |
156 | setdevopt accept_redirects 0 | |
157 | ||
158 | ## If we're maent to stop the firewall, then now is the time to do it. | |
159 | $exit_after_clearing | |
160 | ||
161 | m4_divert(34)m4_dnl | |
162 | ###-------------------------------------------------------------------------- | |
163 | ### Establish error chains. | |
164 | ||
0291d6d5 MW |
165 | errorchain forbidden REJECT |
166 | ## Generic `not allowed' chain. | |
bfdc045d | 167 | |
0291d6d5 MW |
168 | errorchain tcp-fragment REJECT |
169 | ## Chain for logging fragmented TCP segements. | |
bfdc045d MW |
170 | |
171 | errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset | |
172 | ## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset. | |
173 | ||
174 | errorchain mangle:bad-source-address DROP | |
0291d6d5 | 175 | errorchain bad-source-address DROP |
bfdc045d MW |
176 | ## Packet arrived on wrong interface for its source address. Drops the |
177 | ## packet, since there's nowhere sensible to send an error. | |
178 | ||
0291d6d5 MW |
179 | errorchain bad-destination-address REJECT |
180 | ## Packet arrived on non-loopback interface with loopback destination. | |
f381cc0a | 181 | |
bfdc045d MW |
182 | errorchain interesting ACCEPT |
183 | ## Not an error, just log interesting packets. | |
184 | ||
a4d8cae3 | 185 | m4_divert(50)m4_dnl |
bfdc045d | 186 | ###-------------------------------------------------------------------------- |
f543dab7 | 187 | ### Standard filtering. |
bfdc045d | 188 | |
f381cc0a | 189 | ## Don't clobber local traffic |
0291d6d5 | 190 | run ip46tables -A INPUT -i lo -j ACCEPT |
bfdc045d | 191 | |
f381cc0a MW |
192 | ## We really shouldn't see packets destined for localhost on any interface |
193 | ## other than the loopback. | |
194 | run iptables -A INPUT -g bad-destination-address \ | |
195 | -d 127.0.0.0/8 | |
0291d6d5 MW |
196 | run ip6tables -A INPUT -g bad-destination-address \ |
197 | -d ::1 | |
198 | ||
199 | ## We shouldn't be asked to forward things with link-local addresses. | |
78af294c MW |
200 | case $forward in |
201 | 1) | |
202 | run iptables -A FORWARD -g bad-source-address \ | |
203 | -s 169.254.0.0/16 | |
204 | run iptables -A FORWARD -g bad-destination-address \ | |
205 | -d 169.254.0.0/16 | |
206 | run ip6tables -A FORWARD -g bad-source-address \ | |
207 | -s fe80::/10 | |
208 | run ip6tables -A FORWARD -g bad-destination-address \ | |
209 | -d fe80::/10 | |
210 | ;; | |
211 | esac | |
f381cc0a | 212 | |
429f4314 | 213 | ## Also, don't forward link-local broadcast or multicast. |
78af294c MW |
214 | case $forward in |
215 | 1) | |
216 | run iptables -A FORWARD -g bad-destination-address \ | |
217 | -d 255.255.255.255 | |
218 | run iptables -A FORWARD -g bad-destination-address \ | |
219 | -m addrtype --dst-type BROADCAST | |
220 | run iptables -A FORWARD -g bad-destination-address \ | |
221 | -d 224.0.0.0/24 | |
e6d64b67 | 222 | clearchain check-fwd-multi |
78af294c | 223 | for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do |
e6d64b67 MW |
224 | run ip6tables -A check-fwd-multi -g bad-destination-address \ |
225 | -d ff${x}2::/16 | |
78af294c | 226 | done |
fb7845a8 | 227 | run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8 |
78af294c MW |
228 | ;; |
229 | esac | |
429f4314 | 230 | |
f543dab7 MW |
231 | ## Add a hook for fail2ban. |
232 | clearchain fail2ban | |
233 | run ip46tables -A INPUT -j fail2ban | |
234 | ||
bfdc045d MW |
235 | m4_divert(90)m4_dnl |
236 | ###-------------------------------------------------------------------------- | |
237 | ### Finishing touches. | |
238 | ||
239 | m4_divert(94)m4_dnl | |
240 | ## Locally generated packets are all OK. | |
c1c877c2 | 241 | run ip46tables -P OUTPUT ACCEPT |
bfdc045d MW |
242 | |
243 | ## Other incoming things are forbidden. | |
244 | for chain in INPUT FORWARD; do | |
c1c877c2 | 245 | run ip46tables -A $chain -g forbidden |
bfdc045d MW |
246 | done |
247 | ||
86c975b5 MW |
248 | ## Allow stuff through unknown tables. |
249 | for ip in ip ip6; do | |
250 | for table in $(cat /proc/net/${ip}_tables_names); do | |
251 | case $table in mangle | filter) continue ;; esac | |
252 | ${ip}tables -nL -t $table | | |
253 | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | | |
254 | while read chain; do | |
255 | run ${ip}tables -t $table -P $chain ACCEPT | |
256 | done | |
257 | done | |
258 | done | |
259 | ||
d8852323 MW |
260 | ## Dump the resulting configuration. |
261 | if [ "$FW_DEBUG" ]; then | |
262 | for ip in ip ip6; do | |
263 | for table in mangle filter; do | |
264 | echo "----- $ip $table -----" | |
265 | echo | |
266 | ${ip}tables -t $table -nvL | |
267 | echo | |
268 | done | |
269 | done | |
270 | fi | |
271 | ||
bfdc045d MW |
272 | m4_divert(-1) |
273 | ###----- That's all, folks -------------------------------------------------- |