[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
	addr 62.49.204.144/28
	forwards unsafe untrusted
defnet unsafe trusted
	addr 172.29.199.0/25
	forwards househub
defnet safe safe
	addr 172.29.199.192/28
	forwards househub
defnet untrusted untrusted
	addr 172.29.198.0/25
	forwards househub
defnet vpn safe
	addr 172.29.199.128/27
	forwards househub
	host crybaby 1
	host terror 2
defnet iodine untrusted
	addr 172.29.198.128/28

defnet househub virtual
	forwards housebdry dmz unsafe safe untrusted
defnet housebdry virtual
	forwards househub hub
	noxit dmz

## House hosts.
defhost radius
	router
	iface eth0 dmz
	iface eth1 unsafe
	iface eth2 safe
	iface eth3 untrusted
defhost roadstar
	iface eth0 dmz
	iface eth1 unsafe
defhost jem
	iface eth0 dmz
	iface eth1 unsafe
defhost artist
	iface eth0 dmz
	iface eth1 unsafe
defhost vampire
	router
	iface eth0.0 dmz
	iface eth0.1 unsafe
	iface eth0.3 untrusted
	iface dns0 dns
	iface vpn-+ vpn
	iface vpn-precision colobdry vpn
defhost ibanez
	iface br-dmz dmz
	iface br-unsafe unsafe

defhost gibson
	iface eth0 unsafe

## Colocated networks.
defnet jump trusted
	addr 212.13.198.64/28
	forwards colohub
defnet colo trusted
	addr 172.29.199.176/28
	forwards colohub
defnet colohub virtual
	forwards colobdry jump colo
defnet colobdry virtual
	forwards colohub hub
	noxit jump

## Colocated hosts.
defhost fender
	iface br-jump jump
	iface br-colo colo
defhost precision
	router
	iface eth0 jump
	iface eth1 colo
	iface vpn-+ vpn
	iface vpn-vampire housebdry vpn
defhost telecaster
	iface eth0 jump
	iface eth1 colo
defhost stratocaster
	iface eth0 jump
	iface eth1 colo
defhost jazz
	iface eth0 jump
	iface eth1 colo

## Other networks.
defnet hub virtual
	forwards housebdry colobdry
defnet default untrusted
	addr 62.49.204.144/28
	addr 212.13.198.64/28
	forwards dmz untrusted unsafe jump colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

## Only allow these packets if they're not fragmented.  (Don't trust safe
## hosts's fragment reassembly to be robust against malicious fragments.)
## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
## `! -f', so we do the negation using early return from a subchain.
clearchain fwd-spec-nofrag
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
	-m ipv6header --soft --header frag
run iptables -A FORWARD -j fwd-spec-nofrag

## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p icmp --icmp-type echo-request \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p icmp --icmp-type echo-reply \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p ipv6-icmp --icmpv6-type echo-request \
	-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p ipv6-icmp --icmpv6-type echo-reply \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

## Allow SSH from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --destination-port $port_ssh \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --source-port $port_ssh \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --destination-port $port_ssh \
	-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --source-port $port_ssh \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

m4_divert(60)m4_dnl
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
run iptables -A FORWARD -g poorly-understood \
	-d 224.0.0.0/4
run ip6tables -A FORWARD -g poorly-understood \
	-d ff::/8

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Incoming multicast on a network interface associated with a trusted
## network is OK, since it must have originated there (or been forwarded, but
## we don't do that yet).
for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
  echo $i
done | {
  seen=:
  while read i; do
    case "$seen" in *:$i:*) continue ;; esac
    seen=$seen$i:
    run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 224.0.0.0/24 \
	-i $i
  done
}

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
for i in INPUT FORWARD; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
775bd287	1	### --sh--
bfdc045d MW	2	###
	3	### Local firewall configuration
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
335b2afe MW	25	### Local configuration.
	26
	27	m4_divert(6)m4_dnl
	28	## Default NTP servers.
	29	defconf(ntp_servers,
	30	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
	31
	32	m4_divert(-1)
	33	###--------------------------------------------------------------------------
bfdc045d MW	34	### Packet classification.
	35
	36	## Define the available network classes.
	37	m4_divert(42)m4_dnl
	38	defnetclass untrusted untrusted trusted
	39	defnetclass trusted untrusted trusted safe noloop
	40	defnetclass safe trusted safe noloop
	41	defnetclass noloop trusted safe
a4d8cae3	42	m4_divert(-1)
bfdc045d	43
a4d8cae3	44	m4_divert(26)m4_dnl
bfdc045d MW	45	###--------------------------------------------------------------------------
	46	### Network layout.
	47
beb4f0ee MW	48	## House networks.
	49	defnet dmz trusted
	50	addr 62.49.204.144/28
	51	forwards unsafe untrusted
	52	defnet unsafe trusted
	53	addr 172.29.199.0/25
	54	forwards househub
	55	defnet safe safe
	56	addr 172.29.199.192/28
	57	forwards househub
	58	defnet untrusted untrusted
	59	addr 172.29.198.0/25
	60	forwards househub
	61	defnet vpn safe
	62	addr 172.29.199.128/27
	63	forwards househub
	64	host crybaby 1
	65	host terror 2
	66	defnet iodine untrusted
	67	addr 172.29.198.128/28
bfdc045d	68
beb4f0ee MW	69	defnet househub virtual
	70	forwards housebdry dmz unsafe safe untrusted
	71	defnet housebdry virtual
	72	forwards househub hub
	73	noxit dmz
	74
	75	## House hosts.
	76	defhost radius
	77	router
	78	iface eth0 dmz
	79	iface eth1 unsafe
	80	iface eth2 safe
	81	iface eth3 untrusted
	82	defhost roadstar
	83	iface eth0 dmz
	84	iface eth1 unsafe
	85	defhost jem
	86	iface eth0 dmz
	87	iface eth1 unsafe
	88	defhost artist
	89	iface eth0 dmz
	90	iface eth1 unsafe
	91	defhost vampire
	92	router
	93	iface eth0.0 dmz
	94	iface eth0.1 unsafe
	95	iface eth0.3 untrusted
	96	iface dns0 dns
	97	iface vpn-+ vpn
	98	iface vpn-precision colobdry vpn
	99	defhost ibanez
	100	iface br-dmz dmz
	101	iface br-unsafe unsafe
	102
	103	defhost gibson
	104	iface eth0 unsafe
	105
	106	## Colocated networks.
	107	defnet jump trusted
	108	addr 212.13.198.64/28
	109	forwards colohub
	110	defnet colo trusted
	111	addr 172.29.199.176/28
	112	forwards colohub
	113	defnet colohub virtual
	114	forwards colobdry jump colo
	115	defnet colobdry virtual
	116	forwards colohub hub
	117	noxit jump
	118
	119	## Colocated hosts.
	120	defhost fender
	121	iface br-jump jump
	122	iface br-colo colo
	123	defhost precision
	124	router
	125	iface eth0 jump
	126	iface eth1 colo
	127	iface vpn-+ vpn
	128	iface vpn-vampire housebdry vpn
	129	defhost telecaster
	130	iface eth0 jump
	131	iface eth1 colo
	132	defhost stratocaster
133	iface eth0 jump
134	iface eth1 colo
135	defhost jazz
136	iface eth0 jump
137	iface eth1 colo
138
139	## Other networks.
140	defnet hub virtual
141	forwards housebdry colobdry
142	defnet default untrusted
143	addr 62.49.204.144/28
144	addr 212.13.198.64/28
145	forwards dmz untrusted unsafe jump colo
1ee6211d	146
a4d8cae3	147	m4_divert(80)m4_dnl
bfdc045d MW	148	###--------------------------------------------------------------------------
	149	### Special forwarding exemptions.
	150
c70bfbbb MW	151	## Only allow these packets if they're not fragmented. (Don't trust safe
	152	## hosts's fragment reassembly to be robust against malicious fragments.)
	153	## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
	154	## `! -f', so we do the negation using early return from a subchain.
	155	clearchain fwd-spec-nofrag
	156	run iptables -A fwd-spec-nofrag -j RETURN --fragment
	157	run ip6tables -A fwd-spec-nofrag -j RETURN \
	158	-m ipv6header --soft --header frag
	159	run iptables -A FORWARD -j fwd-spec-nofrag
	160
bfdc045d	161	## Allow ping from safe/noloop to untrusted networks.
c70bfbbb MW	162	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	163	-p icmp --icmp-type echo-request \
bfdc045d	164	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb MW	165	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	166	-p icmp --icmp-type echo-reply \
bfdc045d MW	167	-m mark --mark $from_untrusted/$MASK_FROM \
bfdc045d MW	168	-m state --state ESTABLISHED
c70bfbbb	169	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	170	-p ipv6-icmp --icmpv6-type echo-request \
0291d6d5	171	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb	172	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	173	-p ipv6-icmp --icmpv6-type echo-reply \
0291d6d5 MW	174	-m mark --mark $from_untrusted/$MASK_FROM \
0291d6d5 MW	175	-m state --state ESTABLISHED
bfdc045d MW	176
bfdc045d MW	177	## Allow SSH from safe/noloop to untrusted networks.
c70bfbbb MW	178	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	179	-p tcp --destination-port $port_ssh \
bfdc045d	180	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb MW	181	run iptables -A fwd-spec-nofrag -j ACCEPT \
c70bfbbb MW	182	-p tcp --source-port $port_ssh \
bfdc045d MW	183	-m mark --mark $from_untrusted/$MASK_FROM \
bfdc045d MW	184	-m state --state ESTABLISHED
c70bfbbb	185	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	186	-p tcp --destination-port $port_ssh \
0291d6d5	187	-m mark --mark $to_untrusted/$MASK_TO
c70bfbbb	188	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
0291d6d5	189	-p tcp --source-port $port_ssh \
0291d6d5 MW	190	-m mark --mark $from_untrusted/$MASK_FROM \
0291d6d5 MW	191	-m state --state ESTABLISHED
bfdc045d	192
ade2c052	193	m4_divert(60)m4_dnl
a4d8cae3	194	m4_divert(80)m4_dnl
ade2c052 MW	195	###--------------------------------------------------------------------------
	196	### Kill things we don't understand properly.
	197	###
	198	### I don't like having to do this, but since I don't know how to do proper
	199	### multicast filtering, I'm just going to ban it from being forwarded.
	200
	201	errorchain poorly-understood REJECT
	202
	203	## Ban multicast destination addresses in forwarding.
	204	run iptables -A FORWARD -g poorly-understood \
	205	-d 224.0.0.0/4
	206	run ip6tables -A FORWARD -g poorly-understood \
	207	-d ff::/8
	208
a4d8cae3	209	m4_divert(84)m4_dnl
bfdc045d MW	210	###--------------------------------------------------------------------------
	211	### Locally-bound packet inspection.
	212
	213	clearchain inbound
	214
	215	## Track connections.
ecdca131	216	commonrules inbound
bfdc045d MW	217	conntrack inbound
	218
	219	## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
	220	## local request.
	221	run iptables -A inbound -j ACCEPT \
	222	-s 0.0.0.0 -d 255.255.255.255 \
	223	-p udp --source-port $port_bootpc --destination-port $port_bootps
	224	run iptables -A inbound -j ACCEPT \
	225	-s 172.29.198.0/23 \
	226	-p udp --source-port $port_bootpc --destination-port $port_bootps
	227
08926d25 MW	228	## Incoming multicast on a network interface associated with a trusted
	229	## network is OK, since it must have originated there (or been forwarded, but
	230	## we don't do that yet).
	231	for i in $(echo $if_trusted $if_dmz $if_safe \| sed 'y/,/ /'); do
	232	echo $i
	233	done \| {
	234	seen=:
	235	while read i; do
	236	case "$seen" in :$i:) continue ;; esac
	237	seen=$seen$i:
	238	run iptables -A inbound -j ACCEPT \
429f4314	239	-s 0.0.0.0 -d 224.0.0.0/24 \
08926d25 MW	240	-i $i
	241	done
	242	}
429f4314	243
bfdc045d	244	## Allow incoming ping. This is the only ICMP left.
0291d6d5	245	run ip46tables -A inbound -j ACCEPT -p icmp
bfdc045d MW	246
	247	m4_divert(88)m4_dnl
	248	## Allow unusual things.
	249	openports inbound
	250
	251	## Inspect inbound packets from untrusted sources.
0291d6d5 MW	252	run ip46tables -A inbound -j forbidden
0291d6d5 MW	253	run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
bfdc045d MW	254
	255	## Otherwise process as indicated by the mark.
	256	for i in INPUT FORWARD; do
0291d6d5	257	run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
bfdc045d MW	258	done
	259
	260	m4_divert(-1)
	261	###----- That's all, folks --------------------------------------------------