Commit | Line | Data |
---|---|---|
775bd287 | 1 | ### -*-sh-*- |
bfdc045d MW |
2 | ### |
3 | ### Local firewall configuration | |
4 | ### | |
5 | ### (c) 2008 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ###-------------------------------------------------------------------------- | |
335b2afe MW |
25 | ### Local configuration. |
26 | ||
27 | m4_divert(6)m4_dnl | |
28 | ## Default NTP servers. | |
29 | defconf(ntp_servers, | |
30 | "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232") | |
31 | ||
32 | m4_divert(-1) | |
33 | ###-------------------------------------------------------------------------- | |
bfdc045d MW |
34 | ### Packet classification. |
35 | ||
36 | ## Define the available network classes. | |
37 | m4_divert(42)m4_dnl | |
38 | defnetclass untrusted untrusted trusted | |
39 | defnetclass trusted untrusted trusted safe noloop | |
40 | defnetclass safe trusted safe noloop | |
41 | defnetclass noloop trusted safe | |
a4d8cae3 | 42 | m4_divert(-1) |
bfdc045d | 43 | |
a4d8cae3 | 44 | m4_divert(26)m4_dnl |
bfdc045d MW |
45 | ###-------------------------------------------------------------------------- |
46 | ### Network layout. | |
47 | ||
beb4f0ee MW |
48 | ## House networks. |
49 | defnet dmz trusted | |
50 | addr 62.49.204.144/28 | |
51 | forwards unsafe untrusted | |
52 | defnet unsafe trusted | |
53 | addr 172.29.199.0/25 | |
54 | forwards househub | |
55 | defnet safe safe | |
56 | addr 172.29.199.192/28 | |
57 | forwards househub | |
58 | defnet untrusted untrusted | |
59 | addr 172.29.198.0/25 | |
60 | forwards househub | |
61 | defnet vpn safe | |
62 | addr 172.29.199.128/27 | |
63 | forwards househub | |
64 | host crybaby 1 | |
65 | host terror 2 | |
66 | defnet iodine untrusted | |
67 | addr 172.29.198.128/28 | |
bfdc045d | 68 | |
beb4f0ee MW |
69 | defnet househub virtual |
70 | forwards housebdry dmz unsafe safe untrusted | |
71 | defnet housebdry virtual | |
72 | forwards househub hub | |
73 | noxit dmz | |
74 | ||
75 | ## House hosts. | |
76 | defhost radius | |
77 | router | |
ce6434f7 MW |
78 | iface eth0 dmz unsafe |
79 | iface eth1 dmz unsafe | |
beb4f0ee MW |
80 | iface eth2 safe |
81 | iface eth3 untrusted | |
82 | defhost roadstar | |
ce6434f7 MW |
83 | iface eth0 dmz unsafe |
84 | iface eth1 dmz unsafe | |
beb4f0ee | 85 | defhost jem |
ce6434f7 MW |
86 | iface eth0 dmz unsafe |
87 | iface eth1 dmz unsafe | |
beb4f0ee | 88 | defhost artist |
ce6434f7 MW |
89 | iface eth0 dmz unsafe |
90 | iface eth1 dmz unsafe | |
beb4f0ee MW |
91 | defhost vampire |
92 | router | |
ce6434f7 MW |
93 | iface eth0.0 dmz unsafe |
94 | iface eth0.1 dmz unsafe | |
beb4f0ee MW |
95 | iface eth0.3 untrusted |
96 | iface dns0 dns | |
97 | iface vpn-+ vpn | |
98 | iface vpn-precision colobdry vpn | |
99 | defhost ibanez | |
06ff8082 | 100 | iface br-dmz dmz unsafe |
beb4f0ee MW |
101 | iface br-unsafe unsafe |
102 | ||
103 | defhost gibson | |
104 | iface eth0 unsafe | |
105 | ||
106 | ## Colocated networks. | |
107 | defnet jump trusted | |
108 | addr 212.13.198.64/28 | |
109 | forwards colohub | |
110 | defnet colo trusted | |
111 | addr 172.29.199.176/28 | |
112 | forwards colohub | |
113 | defnet colohub virtual | |
114 | forwards colobdry jump colo | |
115 | defnet colobdry virtual | |
116 | forwards colohub hub | |
117 | noxit jump | |
118 | ||
119 | ## Colocated hosts. | |
120 | defhost fender | |
ce6434f7 MW |
121 | iface br-jump jump colo |
122 | iface br-colo jump colo | |
beb4f0ee MW |
123 | defhost precision |
124 | router | |
ce6434f7 MW |
125 | iface eth0 jump colo |
126 | iface eth1 jump colo | |
beb4f0ee MW |
127 | iface vpn-+ vpn |
128 | iface vpn-vampire housebdry vpn | |
129 | defhost telecaster | |
ce6434f7 MW |
130 | iface eth0 jump colo |
131 | iface eth1 jump colo | |
beb4f0ee | 132 | defhost stratocaster |
ce6434f7 MW |
133 | iface eth0 jump colo |
134 | iface eth1 jump colo | |
beb4f0ee | 135 | defhost jazz |
ce6434f7 MW |
136 | iface eth0 jump colo |
137 | iface eth1 jump colo | |
beb4f0ee MW |
138 | |
139 | ## Other networks. | |
140 | defnet hub virtual | |
141 | forwards housebdry colobdry | |
142 | defnet default untrusted | |
143 | addr 62.49.204.144/28 | |
144 | addr 212.13.198.64/28 | |
145 | forwards dmz untrusted unsafe jump colo | |
1ee6211d | 146 | |
a4d8cae3 | 147 | m4_divert(80)m4_dnl |
bfdc045d MW |
148 | ###-------------------------------------------------------------------------- |
149 | ### Special forwarding exemptions. | |
150 | ||
78af294c MW |
151 | case $forward in |
152 | 1) | |
153 | ||
154 | ## Only allow these packets if they're not fragmented. (Don't trust safe | |
155 | ## hosts's fragment reassembly to be robust against malicious fragments.) | |
156 | ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning | |
157 | ## of `! -f', so we do the negation using early return from a subchain. | |
158 | clearchain fwd-spec-nofrag | |
159 | run iptables -A fwd-spec-nofrag -j RETURN --fragment | |
160 | run ip6tables -A fwd-spec-nofrag -j RETURN \ | |
161 | -m ipv6header --soft --header frag | |
162 | run iptables -A FORWARD -j fwd-spec-nofrag | |
163 | ||
164 | ## Allow ping from safe/noloop to untrusted networks. | |
165 | run iptables -A fwd-spec-nofrag -j ACCEPT \ | |
166 | -p icmp --icmp-type echo-request \ | |
167 | -m mark --mark $to_untrusted/$MASK_TO | |
168 | run iptables -A fwd-spec-nofrag -j ACCEPT \ | |
169 | -p icmp --icmp-type echo-reply \ | |
170 | -m mark --mark $from_untrusted/$MASK_FROM \ | |
171 | -m state --state ESTABLISHED | |
172 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ | |
173 | -p ipv6-icmp --icmpv6-type echo-request \ | |
174 | -m mark --mark $to_untrusted/$MASK_TO | |
175 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ | |
176 | -p ipv6-icmp --icmpv6-type echo-reply \ | |
177 | -m mark --mark $from_untrusted/$MASK_FROM \ | |
178 | -m state --state ESTABLISHED | |
179 | ||
180 | ## Allow SSH from safe/noloop to untrusted networks. | |
181 | run iptables -A fwd-spec-nofrag -j ACCEPT \ | |
182 | -p tcp --destination-port $port_ssh \ | |
183 | -m mark --mark $to_untrusted/$MASK_TO | |
184 | run iptables -A fwd-spec-nofrag -j ACCEPT \ | |
185 | -p tcp --source-port $port_ssh \ | |
186 | -m mark --mark $from_untrusted/$MASK_FROM \ | |
187 | -m state --state ESTABLISHED | |
188 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ | |
189 | -p tcp --destination-port $port_ssh \ | |
190 | -m mark --mark $to_untrusted/$MASK_TO | |
191 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ | |
192 | -p tcp --source-port $port_ssh \ | |
193 | -m mark --mark $from_untrusted/$MASK_FROM \ | |
194 | -m state --state ESTABLISHED | |
195 | ||
196 | ;; | |
197 | esac | |
198 | ||
a4d8cae3 | 199 | m4_divert(80)m4_dnl |
ade2c052 MW |
200 | ###-------------------------------------------------------------------------- |
201 | ### Kill things we don't understand properly. | |
202 | ### | |
203 | ### I don't like having to do this, but since I don't know how to do proper | |
204 | ### multicast filtering, I'm just going to ban it from being forwarded. | |
205 | ||
206 | errorchain poorly-understood REJECT | |
207 | ||
208 | ## Ban multicast destination addresses in forwarding. | |
78af294c MW |
209 | case $forward in |
210 | 1) | |
211 | run iptables -A FORWARD -g poorly-understood \ | |
212 | -d 224.0.0.0/4 | |
213 | run ip6tables -A FORWARD -g poorly-understood \ | |
214 | -d ff::/8 | |
215 | ;; | |
216 | esac | |
ade2c052 | 217 | |
a4d8cae3 | 218 | m4_divert(84)m4_dnl |
bfdc045d MW |
219 | ###-------------------------------------------------------------------------- |
220 | ### Locally-bound packet inspection. | |
221 | ||
222 | clearchain inbound | |
223 | ||
224 | ## Track connections. | |
ecdca131 | 225 | commonrules inbound |
bfdc045d MW |
226 | conntrack inbound |
227 | ||
228 | ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a | |
229 | ## local request. | |
230 | run iptables -A inbound -j ACCEPT \ | |
231 | -s 0.0.0.0 -d 255.255.255.255 \ | |
232 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
233 | run iptables -A inbound -j ACCEPT \ | |
234 | -s 172.29.198.0/23 \ | |
235 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
236 | ||
08926d25 MW |
237 | ## Incoming multicast on a network interface associated with a trusted |
238 | ## network is OK, since it must have originated there (or been forwarded, but | |
239 | ## we don't do that yet). | |
fc489c16 MW |
240 | seen=:-: |
241 | for net in $allnets; do | |
242 | eval class=\$net_class_$net | |
243 | case $class in trusted) ;; *) continue ;; esac | |
244 | for iface in $(net_interfaces FWHOST $net); do | |
245 | case "$seen" in *:$iface:*) continue ;; esac | |
246 | seen=$seen$iface: | |
08926d25 | 247 | run iptables -A inbound -j ACCEPT \ |
429f4314 | 248 | -s 0.0.0.0 -d 224.0.0.0/24 \ |
fc489c16 | 249 | -i $iface |
08926d25 | 250 | done |
fc489c16 | 251 | done |
429f4314 | 252 | |
bfdc045d | 253 | ## Allow incoming ping. This is the only ICMP left. |
0291d6d5 | 254 | run ip46tables -A inbound -j ACCEPT -p icmp |
bfdc045d MW |
255 | |
256 | m4_divert(88)m4_dnl | |
257 | ## Allow unusual things. | |
258 | openports inbound | |
259 | ||
260 | ## Inspect inbound packets from untrusted sources. | |
0291d6d5 MW |
261 | run ip46tables -A inbound -j forbidden |
262 | run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound | |
bfdc045d MW |
263 | |
264 | ## Otherwise process as indicated by the mark. | |
78af294c MW |
265 | run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT |
266 | case $forward in | |
267 | 1) | |
268 | run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT | |
269 | ;; | |
270 | esac | |
bfdc045d MW |
271 | |
272 | m4_divert(-1) | |
273 | ###----- That's all, folks -------------------------------------------------- |