[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
##		House border network (dmz).  We have all of these; the loose
##		address is for the router.
##
## The latter is the block 172.29.196.0/22.  Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
## 172.29.198.0/24  Untrusted networks.
##	.0/25		house wireless net
##	.128/28		iodine (IP-over-DNS) network
##	.144/28		hippotat (IP-over-HTTP) network
##	.160/27		untrusted virtual network
##
## 172.29.199.0/24  Trusted networks.
##	.0/25		house wired network
##	.128/27		mobile VPN hosts
##	.160/28		reserved, except .160/30 allocated for ITS
##	.176/28		internal colocated network
##	.192/27		house safe network
##	.224/27		anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting.  The ranges are as follows.
##
## 2001:8b0:c92::/48
##		Main house range (aaisp).  See below for allocation policy.
##		There is no explicit DMZ allocation (and no need for one).
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number.  The
## top nibble of the network number classifies the network, as follows.
##
## axxx		Virtual, untrusted
## 8xxx		Untrusted
## 6xxx		Virtual, safe
## 4xxx		Safe
## 0xxx		Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
## Bit 15	If set, the network is untrusted; otherwise it is trusted.
## Bit 14	If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
## 0		No specific site: mobile VPN endpoints or anycast addresses.
## 1		House.
## fff		Local border network.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass scary	scary		trusted		    vpnnat mcast
defnetclass untrusted	scary untrusted trusted			   mcast
defnetclass trusted	scary untrusted trusted safe noloop vpnnat mcast
defnetclass safe			trusted safe noloop vpnnat mcast
defnetclass noloop			trusted safe		   mcast
defnetclass vpnnat	scary		trusted safe		   mcast

defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
	via unsafe untrusted
defnet unsafe trusted
	addr 172.29.199.0/25 2001:8b0:c92:1::/64
	via househub
defnet safe safe
	addr 172.29.199.192/27 2001:8b0:c92:4001::/64
	via househub
defnet untrusted untrusted
	addr 172.29.198.0/25 2001:8b0:c92:8001::/64
	via househub

defnet househub virtual
	via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
	via househub hub

## House hosts.
defhost radius
	hosttype router
	iface eth0 dmz unsafe safe untrusted vpn sgo default
	iface eth1 dmz unsafe safe untrusted vpn sgo default
	iface eth2 dmz unsafe safe untrusted vpn sgo
	iface eth3 unsafe untrusted vpn default
	iface ppp0 default
	iface t6-he default
	iface vpn-precision vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost roadstar
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost jem
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost universe
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost artist
	hosttype router
	iface eth0 dmz unsafe untrusted
	iface eth1 dmz unsafe untrusted
	iface eth3 unsafe untrusted
defhost vampire
	hosttype router
	iface eth0.4 dmz unsafe untrusted safe vpn sgo
	iface eth0.5 dmz unsafe untrusted safe vpn sgo
	iface eth0.6 dmz unsafe safe untrusted vpn sgo
	iface eth0.7 unsafe untrusted vpn
	iface vpn-precision vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost ibanez
	iface br-dmz dmz unsafe
	iface br-unsafe unsafe
defhost orange
	iface wlan0 untrusted
	iface vpn-radius unsafe
defhost groove
	iface eth0 unsafe
	iface wlan0 untrusted
	iface vpn-radius unsafe

defhost gibson
	hosttype client
	iface eth0 unsafe

## Formerly colocated hosts.
defhost fender
	iface br-dmz dmz unsafe
	iface br-unsafe dmz unsafe
defhost precision
	hosttype router
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
	iface vpn-mango binswood
	iface vpn-chiark sgo
	iface vpn-national upn
	iface vpn-mdwdev upn
	iface vpn-+ vpn
defhost telecaster
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
defhost stratocaster
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
defhost jazz
	hosttype router
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
	iface dns0 iodine
	iface hippo-svc hippotat
	iface vpn-+ vpn

## Stunt connectivity networks.
defnet iodine untrusted
	addr 172.29.198.128/28
	via colohub
defnet hippotat untrusted
	addr 172.29.198.144/28
	via colohub


## Other networks.
defnet hub virtual
	via housebdry
defnet sgo noloop
	addr !172.29.198.0/23
	addr !10.165.27.0/24
	addr 10.0.0.0/8
	addr 172.16.0.0/12
	addr 192.168.0.0/16
	via househub
defnet vpn trusted
	addr 172.29.199.128/27 2001:8b0:c92:6000::/64
	via househub
	host crybaby 1 ::1:1
	host terror 2 ::2:1
	host orange 3 ::3:1
	host haze 4 ::4:1
	host spirit 9 ::9:1
	host groove 10 ::10:1
defnet anycast trusted
	addr 172.29.199.224/27 2001:8b0:c92:0::/64
	via dmz unsafe safe untrusted vpn nvpn
defnet default scary
	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
		2001:8b0:c92::/48
	via dmz unsafe untrusted
defnet upn untrusted
	addr 172.29.198.160/27 2001:8b0:c92:a000::/64
	via househub
	host national 1 ::1:1
	host mdwdev 2 ::2:1

## Linode hosts.
defhost national
	iface eth0 default
	iface vpn-precision househub

## Satellite networks.
defnet binswood vpnnat
	addr 10.165.27.0/24
	via househub
defhost mango
	hosttype router
	iface eth0 binswood default
	iface vpn-precision dmz default

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Connection tracking helper modules.

for i in ftp; do
  modprobe nf_conntrack_$i
done

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
	    -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --destination-port $port_ssh \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --source-port $port_ssh \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
	    -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
	    -d ff::/8
    ;;
esac

m4_divert(82)m4_dnl
###--------------------------------------------------------------------------
### Check for source routing.

clearchain check-srcroute

run iptables -A check-srcroute -g forbidden \
    -m ipv4options --any --flags lsrr,ssrr
run ip6tables -A check-srcroute -g forbidden \
    -m rt

for c in INPUT FORWARD; do
  for m in $from_scary $from_untrusted; do
    run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
  done
done

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound
clearchain inbound-untrusted

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run iptables -A inbound -j ACCEPT -p icmp
run ip6tables -A inbound -j ACCEPT -p icmpv6

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
case $forward in
  1)
    run ip46tables -A FORWARD -j ACCEPT \
	-m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
	-m state --state ESTABLISHED,RELATED
    ;;
esac

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
775bd287	1	### --sh--
bfdc045d MW	2	###
	3	### Local firewall configuration
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
335b2afe MW	25	### Local configuration.
	26
	27	m4_divert(6)m4_dnl
	28	## Default NTP servers.
	29	defconf(ntp_servers,
c8d1a00b	30	"81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")
335b2afe MW	31
	32	m4_divert(-1)
	33	###--------------------------------------------------------------------------
bfdc045d MW	34	### Packet classification.
bfdc045d MW	35
36e36cc7 MW	36	## IPv4 addressing.
	37	##
	38	## There are two small blocks of publicly routable IPv4 addresses, and a
	39	## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
	40	## The former are as follows.
	41	##
ddbe1eaa	42	## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
295959ea MW	43	## House border network (dmz). We have all of these; the loose
295959ea MW	44	## address is for the router.
f01cdc79	45	##
36e36cc7 MW	46	## The latter is the block 172.29.196.0/22. Currently the low half is
	47	## unallocated (and may be returned to the G-RIN); the remaining addresses
	48	## are allocated as follows.
	49	##
	50	## 172.29.198.0/24 Untrusted networks.
	51	## .0/25 house wireless net
	52	## .128/28 iodine (IP-over-DNS) network
d0409c90	53	## .144/28 hippotat (IP-over-HTTP) network
42f784e2	54	## .160/27 untrusted virtual network
36e36cc7 MW	55	##
	56	## 172.29.199.0/24 Trusted networks.
	57	## .0/25 house wired network
	58	## .128/27 mobile VPN hosts
	59	## .160/28 reserved, except .160/30 allocated for ITS
	60	## .176/28 internal colocated network
	61	## .192/27 house safe network
	62	## .224/27 anycast services
	63
	64	## IPv6 addressing.
	65	##
	66	## There are five blocks of publicly routable IPv6 addresses, though some of
	67	## them aren't very interesting. The ranges are as follows.
	68	##
f01cdc79 MW	69	## 2001:8b0:c92::/48
	70	## Main house range (aaisp). See below for allocation policy.
	71	## There is no explicit DMZ allocation (and no need for one).
	72	##
36e36cc7 MW	73	## Addresses in the /64 networks are simply allocated in ascending order.
	74	## The /48s are split into /64s by appending a 16-bit network number. The
	75	## top nibble of the network number classifies the network, as follows.
	76	##
42f784e2	77	## axxx Virtual, untrusted
36e36cc7	78	## 8xxx Untrusted
2caaca79	79	## 6xxx Virtual, safe
36e36cc7 MW	80	## 4xxx Safe
	81	## 0xxx Unsafe, trusted
	82	##
	83	## These have been chosen so that network properties can be deduced by
	84	## inspecting bits of the network number:
	85	##
	86	## Bit 15 If set, the network is untrusted; otherwise it is trusted.
	87	## Bit 14 If set, the network is safe; otherwise it is unsafe.
	88	##
	89	## Finally, the low-order nibbles identify the site.
	90	##
	91	## 0 No specific site: mobile VPN endpoints or anycast addresses.
	92	## 1 House.
295959ea	93	## fff Local border network.
36e36cc7	94
bfdc045d MW	95	## Define the available network classes.
bfdc045d MW	96	m4_divert(42)m4_dnl
1b101247 MW	97	defnetclass scary scary trusted vpnnat mcast
	98	defnetclass untrusted scary untrusted trusted mcast
	99	defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast
	100	defnetclass safe trusted safe noloop vpnnat mcast
	101	defnetclass noloop trusted safe mcast
	102	defnetclass vpnnat scary trusted safe mcast
951e7943	103
44f95827 MW	104	defnetclass link
44f95827 MW	105	defnetclass mcast
a4d8cae3	106	m4_divert(-1)
bfdc045d	107
a4d8cae3	108	m4_divert(26)m4_dnl
bfdc045d MW	109	###--------------------------------------------------------------------------
	110	### Network layout.
	111
beb4f0ee MW	112	## House networks.
beb4f0ee MW	113	defnet dmz trusted
ddbe1eaa	114	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
17a45245	115	via unsafe untrusted
beb4f0ee	116	defnet unsafe trusted
295959ea	117	addr 172.29.199.0/25 2001:8b0:c92:1::/64
17a45245	118	via househub
beb4f0ee	119	defnet safe safe
295959ea	120	addr 172.29.199.192/27 2001:8b0:c92:4001::/64
17a45245	121	via househub
beb4f0ee	122	defnet untrusted untrusted
295959ea	123	addr 172.29.198.0/25 2001:8b0:c92:8001::/64
17a45245	124	via househub
bfdc045d	125
beb4f0ee	126	defnet househub virtual
17a45245	127	via housebdry dmz unsafe safe untrusted
beb4f0ee	128	defnet housebdry virtual
17a45245	129	via househub hub
beb4f0ee MW	130
	131	## House hosts.
	132	defhost radius
4eb9f4df	133	hosttype router
ddbe1eaa MW	134	iface eth0 dmz unsafe safe untrusted vpn sgo default
	135	iface eth1 dmz unsafe safe untrusted vpn sgo default
	136	iface eth2 dmz unsafe safe untrusted vpn sgo
83cc1e6c	137	iface eth3 unsafe untrusted vpn default
8506ff83	138	iface ppp0 default
a7e48c06	139	iface t6-he default
ddbe1eaa	140	iface vpn-precision vpn sgo
68f0829f MW	141	iface vpn-chiark sgo
68f0829f MW	142	iface vpn-+ vpn
beb4f0ee	143	defhost roadstar
ce6434f7 MW	144	iface eth0 dmz unsafe
ce6434f7 MW	145	iface eth1 dmz unsafe
beb4f0ee	146	defhost jem
ce6434f7 MW	147	iface eth0 dmz unsafe
ce6434f7 MW	148	iface eth1 dmz unsafe
97320b7d MW	149	defhost universe
	150	iface eth0 dmz unsafe
	151	iface eth1 dmz unsafe
beb4f0ee	152	defhost artist
564c6939	153	hosttype router
490003e4 MW	154	iface eth0 dmz unsafe untrusted
490003e4 MW	155	iface eth1 dmz unsafe untrusted
83cc1e6c	156	iface eth3 unsafe untrusted
beb4f0ee	157	defhost vampire
4eb9f4df	158	hosttype router
ddbe1eaa MW	159	iface eth0.4 dmz unsafe untrusted safe vpn sgo
	160	iface eth0.5 dmz unsafe untrusted safe vpn sgo
	161	iface eth0.6 dmz unsafe safe untrusted vpn sgo
83cc1e6c	162	iface eth0.7 unsafe untrusted vpn
ddbe1eaa	163	iface vpn-precision vpn sgo
ebaa31a7 MW	164	iface vpn-chiark sgo
ebaa31a7 MW	165	iface vpn-+ vpn
beb4f0ee	166	defhost ibanez
06ff8082	167	iface br-dmz dmz unsafe
beb4f0ee	168	iface br-unsafe unsafe
6fd217ae MW	169	defhost orange
	170	iface wlan0 untrusted
	171	iface vpn-radius unsafe
49b81a66 MW	172	defhost groove
49b81a66 MW	173	iface eth0 unsafe
24ddb007 MW	174	iface wlan0 untrusted
24ddb007 MW	175	iface vpn-radius unsafe
beb4f0ee MW	176
beb4f0ee MW	177	defhost gibson
4eb9f4df	178	hosttype client
d8e50664	179	iface eth0 unsafe
beb4f0ee	180
ddbe1eaa	181	## Formerly colocated hosts.
beb4f0ee	182	defhost fender
ddbe1eaa MW	183	iface br-dmz dmz unsafe
ddbe1eaa MW	184	iface br-unsafe dmz unsafe
beb4f0ee	185	defhost precision
4eb9f4df	186	hosttype router
ddbe1eaa MW	187	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	188	iface eth1 dmz unsafe vpn sgo
1fd9cef9	189	iface vpn-mango binswood
ebaa31a7	190	iface vpn-chiark sgo
38e85ca3	191	iface vpn-national upn
175f1d48	192	iface vpn-mdwdev upn
ebaa31a7	193	iface vpn-+ vpn
beb4f0ee	194	defhost telecaster
ddbe1eaa MW	195	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	196	iface eth1 dmz unsafe vpn sgo
beb4f0ee	197	defhost stratocaster
ddbe1eaa MW	198	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	199	iface eth1 dmz unsafe vpn sgo
beb4f0ee	200	defhost jazz
560ae309	201	hosttype router
ddbe1eaa MW	202	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	203	iface eth1 dmz unsafe vpn sgo
148d527c	204	iface dns0 iodine
d0409c90	205	iface hippo-svc hippotat
560ae309	206	iface vpn-+ vpn
beb4f0ee	207
ddbe1eaa MW	208	## Stunt connectivity networks.
	209	defnet iodine untrusted
	210	addr 172.29.198.128/28
	211	via colohub
	212	defnet hippotat untrusted
	213	addr 172.29.198.144/28
	214	via colohub
	215
	216
beb4f0ee MW	217	## Other networks.
beb4f0ee MW	218	defnet hub virtual
ddbe1eaa	219	via housebdry
ebaa31a7 MW	220	defnet sgo noloop
ebaa31a7 MW	221	addr !172.29.198.0/23
1b101247	222	addr !10.165.27.0/24
ebaa31a7 MW	223	addr 10.0.0.0/8
	224	addr 172.16.0.0/12
	225	addr 192.168.0.0/16
ddbe1eaa	226	via househub
57644f26	227	defnet vpn trusted
ddbe1eaa MW	228	addr 172.29.199.128/27 2001:8b0:c92:6000::/64
ddbe1eaa MW	229	via househub
eec061c0 MW	230	host crybaby 1 ::1:1
	231	host terror 2 ::2:1
	232	host orange 3 ::3:1
a28edce0	233	host haze 4 ::4:1
ea2e5ed4	234	host spirit 9 ::9:1
194c72b5	235	host groove 10 ::10:1
c68b8ecc	236	defnet anycast trusted
ddbe1eaa MW	237	addr 172.29.199.224/27 2001:8b0:c92:0::/64
ddbe1eaa MW	238	via dmz unsafe safe untrusted vpn nvpn
1b534b6a	239	defnet default scary
ddbe1eaa MW	240	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
	241	2001:8b0:c92::/48
	242	via dmz unsafe untrusted
42f784e2	243	defnet upn untrusted
ddbe1eaa MW	244	addr 172.29.198.160/27 2001:8b0:c92:a000::/64
ddbe1eaa MW	245	via househub
38e85ca3	246	host national 1 ::1:1
175f1d48	247	host mdwdev 2 ::2:1
38e85ca3 MW	248
	249	## Linode hosts.
	250	defhost national
	251	iface eth0 default
ddbe1eaa	252	iface vpn-precision househub
1ee6211d	253
1fd9cef9	254	## Satellite networks.
1b101247	255	defnet binswood vpnnat
1fd9cef9	256	addr 10.165.27.0/24
ddbe1eaa	257	via househub
31c0a107 MW	258	defhost mango
	259	hosttype router
	260	iface eth0 binswood default
ddbe1eaa	261	iface vpn-precision dmz default
31c0a107	262
a4d8cae3	263	m4_divert(80)m4_dnl
bfdc045d	264	###--------------------------------------------------------------------------
5c5fcd73 MW	265	### Connection tracking helper modules.
	266
	267	for i in ftp; do
	268	modprobe nf_conntrack_$i
	269	done
	270
	271	m4_divert(80)m4_dnl
	272	###--------------------------------------------------------------------------
bfdc045d MW	273	### Special forwarding exemptions.
bfdc045d MW	274
78af294c MW	275	case $forward in
	276	1)
	277
	278	## Only allow these packets if they're not fragmented. (Don't trust safe
	279	## hosts's fragment reassembly to be robust against malicious fragments.)
	280	## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
	281	## of `! -f', so we do the negation using early return from a subchain.
	282	clearchain fwd-spec-nofrag
	283	run iptables -A fwd-spec-nofrag -j RETURN --fragment
	284	run ip6tables -A fwd-spec-nofrag -j RETURN \
	285	-m ipv6header --soft --header frag
87bf1592	286	run ip46tables -A FORWARD -j fwd-spec-nofrag
78af294c MW	287
	288	## Allow ping from safe/noloop to untrusted networks.
	289	run iptables -A fwd-spec-nofrag -j ACCEPT \
	290	-p icmp --icmp-type echo-request \
	291	-m mark --mark $to_untrusted/$MASK_TO
	292	run iptables -A fwd-spec-nofrag -j ACCEPT \
	293	-p icmp --icmp-type echo-reply \
	294	-m mark --mark $from_untrusted/$MASK_FROM \
	295	-m state --state ESTABLISHED
	296	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
8b021091	297	-p icmpv6 --icmpv6-type echo-request \
78af294c MW	298	-m mark --mark $to_untrusted/$MASK_TO
78af294c MW	299	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
8b021091	300	-p icmpv6 --icmpv6-type echo-reply \
78af294c MW	301	-m mark --mark $from_untrusted/$MASK_FROM \
	302	-m state --state ESTABLISHED
	303
	304	## Allow SSH from safe/noloop to untrusted networks.
cbbd5e39	305	run ip46tables -A fwd-spec-nofrag -j ACCEPT \
78af294c MW	306	-p tcp --destination-port $port_ssh \
78af294c MW	307	-m mark --mark $to_untrusted/$MASK_TO
cbbd5e39	308	run ip46tables -A fwd-spec-nofrag -j ACCEPT \
78af294c MW	309	-p tcp --source-port $port_ssh \
	310	-m mark --mark $from_untrusted/$MASK_FROM \
	311	-m state --state ESTABLISHED
	312
	313	;;
	314	esac
	315
a4d8cae3	316	m4_divert(80)m4_dnl
ade2c052 MW	317	###--------------------------------------------------------------------------
	318	### Kill things we don't understand properly.
	319	###
	320	### I don't like having to do this, but since I don't know how to do proper
	321	### multicast filtering, I'm just going to ban it from being forwarded.
	322
	323	errorchain poorly-understood REJECT
	324
	325	## Ban multicast destination addresses in forwarding.
78af294c MW	326	case $forward in
	327	1)
	328	run iptables -A FORWARD -g poorly-understood \
	329	-d 224.0.0.0/4
	330	run ip6tables -A FORWARD -g poorly-understood \
	331	-d ff::/8
	332	;;
	333	esac
ade2c052	334
7377aca7 MW	335	m4_divert(82)m4_dnl
	336	###--------------------------------------------------------------------------
	337	### Check for source routing.
	338
	339	clearchain check-srcroute
	340
	341	run iptables -A check-srcroute -g forbidden \
	342	-m ipv4options --any --flags lsrr,ssrr
	343	run ip6tables -A check-srcroute -g forbidden \
	344	-m rt
	345
	346	for c in INPUT FORWARD; do
	347	for m in $from_scary $from_untrusted; do
	348	run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
	349	done
	350	done
	351
a4d8cae3	352	m4_divert(84)m4_dnl
bfdc045d MW	353	###--------------------------------------------------------------------------
	354	### Locally-bound packet inspection.
	355
	356	clearchain inbound
94ce6e76	357	clearchain inbound-untrusted
bfdc045d MW	358
bfdc045d MW	359	## Track connections.
ecdca131	360	commonrules inbound
bfdc045d MW	361	conntrack inbound
	362
	363	## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
	364	## local request.
	365	run iptables -A inbound -j ACCEPT \
	366	-s 0.0.0.0 -d 255.255.255.255 \
	367	-p udp --source-port $port_bootpc --destination-port $port_bootps
	368	run iptables -A inbound -j ACCEPT \
	369	-s 172.29.198.0/23 \
	370	-p udp --source-port $port_bootpc --destination-port $port_bootps
	371
	372	## Allow incoming ping. This is the only ICMP left.
8bd7e0fe MW	373	run iptables -A inbound -j ACCEPT -p icmp
8bd7e0fe MW	374	run ip6tables -A inbound -j ACCEPT -p icmpv6
bfdc045d MW	375
	376	m4_divert(88)m4_dnl
	377	## Allow unusual things.
	378	openports inbound
	379
	380	## Inspect inbound packets from untrusted sources.
8a3660c1	381	run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
94ce6e76	382	run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
94ce6e76	383	run ip46tables -A inbound-untrusted -g forbidden
994ac8d0	384	run ip46tables -A inbound -g forbidden
4f8c1989	385	run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
0291d6d5	386	run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
bfdc045d	387
1b534b6a	388	## Allow responses from the scary outside world into the untrusted net, but
43e20546	389	## don't let untrusted things run services.
1b534b6a MW	390	case $forward in
	391	1)
	392	run ip46tables -A FORWARD -j ACCEPT \
	393	-m mark --mark $(( $from_scary \| $to_untrusted ))/$(( $MASK_FROM \| $MASK_TO )) \
	394	-m state --state ESTABLISHED,RELATED
	395	;;
	396	esac
	397
bfdc045d	398	## Otherwise process as indicated by the mark.
f0033e07 MW	399	for i in $inchains; do
	400	run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
	401	done
bfdc045d MW	402
	403	m4_divert(-1)
	404	###----- That's all, folks --------------------------------------------------