~mdw / firewall / blame
| Commit | Line | Data |
|---|---|---|
| 775bd287 | 1 | ### -*-sh-*- |
| bfdc045d MW |
2 | ### |
| 3 | ### Local firewall configuration | |
| 4 | ### | |
| 5 | ### (c) 2008 Mark Wooding | |
| 6 | ### | |
| 7 | ||
| 8 | ###----- Licensing notice --------------------------------------------------- | |
| 9 | ### | |
| 10 | ### This program is free software; you can redistribute it and/or modify | |
| 11 | ### it under the terms of the GNU General Public License as published by | |
| 12 | ### the Free Software Foundation; either version 2 of the License, or | |
| 13 | ### (at your option) any later version. | |
| 14 | ### | |
| 15 | ### This program is distributed in the hope that it will be useful, | |
| 16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 18 | ### GNU General Public License for more details. | |
| 19 | ### | |
| 20 | ### You should have received a copy of the GNU General Public License | |
| 21 | ### along with this program; if not, write to the Free Software Foundation, | |
| 22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
| 23 | ||
| 24 | ###-------------------------------------------------------------------------- | |
| 25 | ### Packet classification. | |
| 26 | ||
| 27 | ## Define the available network classes. | |
| 28 | m4_divert(42)m4_dnl | |
| 29 | defnetclass untrusted untrusted trusted | |
| 30 | defnetclass trusted untrusted trusted safe noloop | |
| 31 | defnetclass safe trusted safe noloop | |
| 32 | defnetclass noloop trusted safe | |
| 33 | m4_divert(-1)m4_dnl | |
| 34 | ||
| 35 | ###-------------------------------------------------------------------------- | |
| 36 | ### Network layout. | |
| 37 | ||
| 38 | m4_divert(46)m4_dnl | |
| 39 | ## Networks and routing. | |
| 40 | ||
| bfdc045d | 41 | defiface $if_untrusted \ |
| f98dfdf6 | 42 | untrusted:172.29.198.0/25 |
| bfdc045d | 43 | defvpn $if_vpn safe 172.29.199.128/27 \ |
| 9ec5456a MW |
44 | crybaby:172.29.199.129 \ |
| 45 | terror:172.29.199.130 | |
| f98dfdf6 | 46 | defiface $if_iodine untrusted:172.29.198.128/28 |
| bfdc045d MW |
47 | defiface $if_its_mz safe:172.29.199.160/30 |
| 48 | defiface $if_its_pi safe:192.168.0.0/24 | |
| 422ec1b2 MW |
49 | defiface $if_trusted \ |
| 50 | trusted:172.29.199.0/26 \ | |
| 51 | safe:172.29.199.64/27 \ | |
| 52 | untrusted:default | |
| bfdc045d | 53 | |
| 1ee6211d MW |
54 | ## Default NTP servers. |
| 55 | ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232" | |
| 56 | ||
| bfdc045d MW |
57 | m4_divert(60)m4_dnl |
| 58 | ###-------------------------------------------------------------------------- | |
| 59 | ### Special forwarding exemptions. | |
| 60 | ||
| c70bfbbb MW |
61 | ## Only allow these packets if they're not fragmented. (Don't trust safe |
| 62 | ## hosts's fragment reassembly to be robust against malicious fragments.) | |
| 63 | ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of | |
| 64 | ## `! -f', so we do the negation using early return from a subchain. | |
| 65 | clearchain fwd-spec-nofrag | |
| 66 | run iptables -A fwd-spec-nofrag -j RETURN --fragment | |
| 67 | run ip6tables -A fwd-spec-nofrag -j RETURN \ | |
| 68 | -m ipv6header --soft --header frag | |
| 69 | run iptables -A FORWARD -j fwd-spec-nofrag | |
| 70 | ||
| bfdc045d | 71 | ## Allow ping from safe/noloop to untrusted networks. |
| c70bfbbb MW |
72 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 73 | -p icmp --icmp-type echo-request \ | |
| bfdc045d | 74 | -m mark --mark $to_untrusted/$MASK_TO |
| c70bfbbb MW |
75 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 76 | -p icmp --icmp-type echo-reply \ | |
| bfdc045d MW |
77 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 78 | -m state --state ESTABLISHED | |
| c70bfbbb | 79 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 0291d6d5 | 80 | -p ipv6-icmp --icmpv6-type echo-request \ |
| 0291d6d5 | 81 | -m mark --mark $to_untrusted/$MASK_TO |
| c70bfbbb | 82 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 0291d6d5 | 83 | -p ipv6-icmp --icmpv6-type echo-reply \ |
| 0291d6d5 MW |
84 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 85 | -m state --state ESTABLISHED | |
| bfdc045d MW |
86 | |
| 87 | ## Allow SSH from safe/noloop to untrusted networks. | |
| c70bfbbb MW |
88 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 89 | -p tcp --destination-port $port_ssh \ | |
| bfdc045d | 90 | -m mark --mark $to_untrusted/$MASK_TO |
| c70bfbbb MW |
91 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 92 | -p tcp --source-port $port_ssh \ | |
| bfdc045d MW |
93 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 94 | -m state --state ESTABLISHED | |
| c70bfbbb | 95 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 0291d6d5 | 96 | -p tcp --destination-port $port_ssh \ |
| 0291d6d5 | 97 | -m mark --mark $to_untrusted/$MASK_TO |
| c70bfbbb | 98 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 0291d6d5 | 99 | -p tcp --source-port $port_ssh \ |
| 0291d6d5 MW |
100 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 101 | -m state --state ESTABLISHED | |
| bfdc045d | 102 | |
| ade2c052 MW |
103 | m4_divert(60)m4_dnl |
| 104 | ###-------------------------------------------------------------------------- | |
| 105 | ### Kill things we don't understand properly. | |
| 106 | ### | |
| 107 | ### I don't like having to do this, but since I don't know how to do proper | |
| 108 | ### multicast filtering, I'm just going to ban it from being forwarded. | |
| 109 | ||
| 110 | errorchain poorly-understood REJECT | |
| 111 | ||
| 112 | ## Ban multicast destination addresses in forwarding. | |
| 113 | run iptables -A FORWARD -g poorly-understood \ | |
| 114 | -d 224.0.0.0/4 | |
| 115 | run ip6tables -A FORWARD -g poorly-understood \ | |
| 116 | -d ff::/8 | |
| 117 | ||
| bfdc045d MW |
118 | m4_divert(80)m4_dnl |
| 119 | ###-------------------------------------------------------------------------- | |
| 120 | ### Locally-bound packet inspection. | |
| 121 | ||
| 122 | clearchain inbound | |
| 123 | ||
| 124 | ## Track connections. | |
| ecdca131 | 125 | commonrules inbound |
| bfdc045d MW |
126 | conntrack inbound |
| 127 | ||
| 128 | ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a | |
| 129 | ## local request. | |
| 130 | run iptables -A inbound -j ACCEPT \ | |
| 131 | -s 0.0.0.0 -d 255.255.255.255 \ | |
| 132 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
| 133 | run iptables -A inbound -j ACCEPT \ | |
| 134 | -s 172.29.198.0/23 \ | |
| 135 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
| 136 | ||
| 429f4314 MW |
137 | ## Incoming broadcast multicast on a network interface associated with the |
| 138 | ## trusted network is OK, since it must have originated there (or been | |
| 139 | ## forwarded, but we don't do that yet). | |
| 140 | run iptables -A inbound -j ACCEPT \ | |
| 141 | -s 0.0.0.0 -d 224.0.0.0/24 \ | |
| 142 | -i $if_trusted | |
| 143 | ||
| bfdc045d | 144 | ## Allow incoming ping. This is the only ICMP left. |
| 0291d6d5 | 145 | run ip46tables -A inbound -j ACCEPT -p icmp |
| bfdc045d MW |
146 | |
| 147 | m4_divert(88)m4_dnl | |
| 148 | ## Allow unusual things. | |
| 149 | openports inbound | |
| 150 | ||
| 151 | ## Inspect inbound packets from untrusted sources. | |
| 0291d6d5 MW |
152 | run ip46tables -A inbound -j forbidden |
| 153 | run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound | |
| bfdc045d MW |
154 | |
| 155 | ## Otherwise process as indicated by the mark. | |
| 156 | for i in INPUT FORWARD; do | |
| 0291d6d5 | 157 | run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT |
| bfdc045d MW |
158 | done |
| 159 | ||
| 160 | m4_divert(-1) | |
| 161 | ###----- That's all, folks -------------------------------------------------- |