local.m4, etc.: Establish `inbound-untrusted' chain and deploy.

[firewall] / fender.m4

### -*-sh-*-
###
### Firewall configuration for fender actual
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### fender-specific rules.

m4_divert(86)m4_dnl
## Externally visible services.
allowservices inbound tcp \
	ssh \
	ident

## We have to provide NTP service.  The guests sync to our clock.
ntpclient inbound $ntp_servers

## Provide NTP service to untrusted clients.
run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
	  --source-port 123 --destination-port 123

## Guaranteed black hole.  Put this at the very front of the chain.
run iptables -I INPUT -d 212.13.198.78 -j DROP
run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP

## Ethernet bridge-level filtering for source addresses.
run ebtables -F
for i in log limit ip ip6; do run modprobe ebt-$i; done

for c in bad-source-addr check-eth0 bcp38 check-bcp38; do
  run ebtables -X $c >/dev/null 2>&1 || :
done

for ch in bad-source-addr bcp38; do
  run ebtables -N $ch
  run ebtables -A $ch \
	  --limit 20/second --limit-burst 100 \
	  --log-prefix "fw: $ch(br)" --log-ip --log-ip6
  run ebtables -A $ch -j DROP
done

run ebtables -N check-eth0
run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
run ebtables -A check-eth0 -j bad-source-addr \
	-p ip6 --ip6-source 2001:ba8:1d9::/48
run ebtables -A check-eth0 -j bad-source-addr \
	-p ip6 --ip6-source 2001:ba8:0:1d9::/64
run ebtables -A check-eth0 -j RETURN -p ip6
run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
run ebtables -A check-eth0 -j bad-source-addr -p ip
run ebtables -A INPUT -j check-eth0 -i bond0
run ebtables -A FORWARD -j check-eth0 -i bond0

run ebtables -N check-bcp38
run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28
run ebtables -A check-bcp38 -j bcp38 -p ip
run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64
run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48
run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10
run ebtables -A check-bcp38 -j bcp38 -p ip6
run ebtables -A FORWARD -j check-bcp38 -o bond0

## There's a hideous bug in Linux 3.2.51-1's ebtables: for some reason it
## misparses (at least) locally originated multicast packets, and tries to
## extract IP header fields relative to the start of the Ethernet frame.  The
## result is obviously a hideous mess.  Don't try to do BCP38 checking for
## locally originated packets until this is fixed.
##run ebtables -A OUTPUT -j check-bcp38 -o bond0

m4_divert(-1)
###----- That's all, folks --------------------------------------------------