Commit | Line | Data |
---|---|---|
775bd287 | 1 | ### -*-sh-*- |
bfdc045d MW |
2 | ### |
3 | ### Local firewall configuration | |
4 | ### | |
5 | ### (c) 2008 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ###-------------------------------------------------------------------------- | |
25 | ### Packet classification. | |
26 | ||
27 | ## Define the available network classes. | |
28 | m4_divert(42)m4_dnl | |
29 | defnetclass untrusted untrusted trusted | |
30 | defnetclass trusted untrusted trusted safe noloop | |
31 | defnetclass safe trusted safe noloop | |
32 | defnetclass noloop trusted safe | |
33 | m4_divert(-1)m4_dnl | |
34 | ||
35 | ###-------------------------------------------------------------------------- | |
36 | ### Network layout. | |
37 | ||
38 | m4_divert(46)m4_dnl | |
39 | ## Networks and routing. | |
40 | ||
08926d25 MW |
41 | defiface $if_dmz \ |
42 | trusted:62.49.204.144/28 \ | |
43 | trusted:172.29.199.0/25 \ | |
44 | untrusted:default | |
45 | defiface $if_trusted \ | |
46 | trusted:172.29.199.0/25 \ | |
47 | untrusted:default | |
48 | defiface $if_safe safe:172.29.199.192/26 | |
bfdc045d | 49 | defiface $if_untrusted \ |
f98dfdf6 | 50 | untrusted:172.29.198.0/25 |
bfdc045d | 51 | defvpn $if_vpn safe 172.29.199.128/27 \ |
9ec5456a MW |
52 | crybaby:172.29.199.129 \ |
53 | terror:172.29.199.130 | |
f98dfdf6 | 54 | defiface $if_iodine untrusted:172.29.198.128/28 |
bfdc045d MW |
55 | defiface $if_its_mz safe:172.29.199.160/30 |
56 | defiface $if_its_pi safe:192.168.0.0/24 | |
57 | ||
1ee6211d MW |
58 | ## Default NTP servers. |
59 | ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232" | |
60 | ||
bfdc045d MW |
61 | m4_divert(60)m4_dnl |
62 | ###-------------------------------------------------------------------------- | |
63 | ### Special forwarding exemptions. | |
64 | ||
c70bfbbb MW |
65 | ## Only allow these packets if they're not fragmented. (Don't trust safe |
66 | ## hosts's fragment reassembly to be robust against malicious fragments.) | |
67 | ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of | |
68 | ## `! -f', so we do the negation using early return from a subchain. | |
69 | clearchain fwd-spec-nofrag | |
70 | run iptables -A fwd-spec-nofrag -j RETURN --fragment | |
71 | run ip6tables -A fwd-spec-nofrag -j RETURN \ | |
72 | -m ipv6header --soft --header frag | |
73 | run iptables -A FORWARD -j fwd-spec-nofrag | |
74 | ||
bfdc045d | 75 | ## Allow ping from safe/noloop to untrusted networks. |
c70bfbbb MW |
76 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
77 | -p icmp --icmp-type echo-request \ | |
bfdc045d | 78 | -m mark --mark $to_untrusted/$MASK_TO |
c70bfbbb MW |
79 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
80 | -p icmp --icmp-type echo-reply \ | |
bfdc045d MW |
81 | -m mark --mark $from_untrusted/$MASK_FROM \ |
82 | -m state --state ESTABLISHED | |
c70bfbbb | 83 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
0291d6d5 | 84 | -p ipv6-icmp --icmpv6-type echo-request \ |
0291d6d5 | 85 | -m mark --mark $to_untrusted/$MASK_TO |
c70bfbbb | 86 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
0291d6d5 | 87 | -p ipv6-icmp --icmpv6-type echo-reply \ |
0291d6d5 MW |
88 | -m mark --mark $from_untrusted/$MASK_FROM \ |
89 | -m state --state ESTABLISHED | |
bfdc045d MW |
90 | |
91 | ## Allow SSH from safe/noloop to untrusted networks. | |
c70bfbbb MW |
92 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
93 | -p tcp --destination-port $port_ssh \ | |
bfdc045d | 94 | -m mark --mark $to_untrusted/$MASK_TO |
c70bfbbb MW |
95 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
96 | -p tcp --source-port $port_ssh \ | |
bfdc045d MW |
97 | -m mark --mark $from_untrusted/$MASK_FROM \ |
98 | -m state --state ESTABLISHED | |
c70bfbbb | 99 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
0291d6d5 | 100 | -p tcp --destination-port $port_ssh \ |
0291d6d5 | 101 | -m mark --mark $to_untrusted/$MASK_TO |
c70bfbbb | 102 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
0291d6d5 | 103 | -p tcp --source-port $port_ssh \ |
0291d6d5 MW |
104 | -m mark --mark $from_untrusted/$MASK_FROM \ |
105 | -m state --state ESTABLISHED | |
bfdc045d | 106 | |
ade2c052 MW |
107 | m4_divert(60)m4_dnl |
108 | ###-------------------------------------------------------------------------- | |
109 | ### Kill things we don't understand properly. | |
110 | ### | |
111 | ### I don't like having to do this, but since I don't know how to do proper | |
112 | ### multicast filtering, I'm just going to ban it from being forwarded. | |
113 | ||
114 | errorchain poorly-understood REJECT | |
115 | ||
116 | ## Ban multicast destination addresses in forwarding. | |
117 | run iptables -A FORWARD -g poorly-understood \ | |
118 | -d 224.0.0.0/4 | |
119 | run ip6tables -A FORWARD -g poorly-understood \ | |
120 | -d ff::/8 | |
121 | ||
bfdc045d MW |
122 | m4_divert(80)m4_dnl |
123 | ###-------------------------------------------------------------------------- | |
124 | ### Locally-bound packet inspection. | |
125 | ||
126 | clearchain inbound | |
127 | ||
128 | ## Track connections. | |
ecdca131 | 129 | commonrules inbound |
bfdc045d MW |
130 | conntrack inbound |
131 | ||
132 | ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a | |
133 | ## local request. | |
134 | run iptables -A inbound -j ACCEPT \ | |
135 | -s 0.0.0.0 -d 255.255.255.255 \ | |
136 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
137 | run iptables -A inbound -j ACCEPT \ | |
138 | -s 172.29.198.0/23 \ | |
139 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
140 | ||
08926d25 MW |
141 | ## Incoming multicast on a network interface associated with a trusted |
142 | ## network is OK, since it must have originated there (or been forwarded, but | |
143 | ## we don't do that yet). | |
144 | for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do | |
145 | echo $i | |
146 | done | { | |
147 | seen=: | |
148 | while read i; do | |
149 | case "$seen" in *:$i:*) continue ;; esac | |
150 | seen=$seen$i: | |
151 | run iptables -A inbound -j ACCEPT \ | |
429f4314 | 152 | -s 0.0.0.0 -d 224.0.0.0/24 \ |
08926d25 MW |
153 | -i $i |
154 | done | |
155 | } | |
429f4314 | 156 | |
bfdc045d | 157 | ## Allow incoming ping. This is the only ICMP left. |
0291d6d5 | 158 | run ip46tables -A inbound -j ACCEPT -p icmp |
bfdc045d MW |
159 | |
160 | m4_divert(88)m4_dnl | |
161 | ## Allow unusual things. | |
162 | openports inbound | |
163 | ||
164 | ## Inspect inbound packets from untrusted sources. | |
0291d6d5 MW |
165 | run ip46tables -A inbound -j forbidden |
166 | run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound | |
bfdc045d MW |
167 | |
168 | ## Otherwise process as indicated by the mark. | |
169 | for i in INPUT FORWARD; do | |
0291d6d5 | 170 | run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT |
bfdc045d MW |
171 | done |
172 | ||
173 | m4_divert(-1) | |
174 | ###----- That's all, folks -------------------------------------------------- |