Commit | Line | Data |
---|---|---|
775bd287 | 1 | ### -*-sh-*- |
bfdc045d MW |
2 | ### |
3 | ### Initialization and finishing touches for firewall scripts | |
4 | ### | |
5 | ### (c) 2008 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | m4_divert(30)m4_dnl | |
25 | ###-------------------------------------------------------------------------- | |
26 | ### Clear existing firewall rules. | |
27 | ||
28 | ## The main chains: set policy to drop, and then clear the rules. For a | |
29 | ## while, incoming packets will be silently dropped, but we should have got | |
30 | ## everything going before anyone actually hits a timeout. | |
42dae9ae MW |
31 | ## |
32 | ## We don't control some of the chains, so we should preserve them. This | |
33 | ## introduces a whole bunch of problems. | |
34 | ||
35 | ## Chains we're meant to preserve | |
36 | preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains" | |
37 | ||
38 | ## Take the various IP versions in turn. | |
39 | unref=nil | |
40 | for ip in ip ip6; do | |
41 | for table in $(cat /proc/net/${ip}_tables_names); do | |
42 | ||
43 | ## Step 1: clear out the builtin chains. | |
44 | ${ip}tables -nL -t $table | | |
45 | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | | |
46 | while read chain; do | |
47 | case $table in | |
48 | nat) policy=ACCEPT ;; | |
49 | *) policy=DROP ;; | |
50 | esac | |
51 | run ${ip}tables -t $table -P $chain $policy | |
52 | run ${ip}tables -t $table -F $chain | |
53 | done | |
54 | ||
55 | ## Step 2: clear out user chains. Unfortunately, we can only clear | |
56 | ## chains which have no references to them, so work through picking off | |
57 | ## unreferenced chains which aren't meant to be preserved until there are | |
58 | ## none left. | |
59 | while :; do | |
60 | progress=nil | |
61 | ${ip}tables -nL -t $table | | |
62 | sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \ | |
63 | >/var/run/firewall-chains.tmp | |
64 | while read chain; do | |
65 | match=nil | |
66 | for pat in $preserve_chains; do | |
67 | case "$table:$chain" in $pat) match=t ;; esac | |
68 | done | |
69 | case $match in | |
70 | nil) | |
71 | run ${ip}tables -t $table -F $chain | |
72 | run ${ip}tables -t $table -X $chain | |
73 | progress=t | |
74 | ;; | |
75 | esac | |
76 | done </var/run/firewall-chains.tmp | |
77 | case $progress in nil) break ;; esac | |
78 | done | |
79 | ||
80 | ## Step 3: report on uncleared user chains. This means that there's a | |
81 | ## serious problem. | |
82 | ${ip}tables -nL -t $table | | |
83 | sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \ | |
84 | >/var/run/firewall-chains.tmp | |
85 | while read chain refs; do | |
86 | match=nil | |
87 | for pat in $preserve_chains; do | |
88 | case "$table:$chain" in $pat) match=t ;; esac | |
89 | done | |
90 | case $match in | |
91 | nil) | |
92 | echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'" | |
93 | unref=t | |
94 | ;; | |
95 | esac | |
96 | done </var/run/firewall-chains.tmp | |
bfdc045d | 97 | done |
bfdc045d | 98 | done |
42dae9ae MW |
99 | rm -f /var/run/firewall-chains.tmp |
100 | case $unref in t) exit 1 ;; esac | |
bfdc045d MW |
101 | |
102 | m4_divert(32)m4_dnl | |
103 | ###-------------------------------------------------------------------------- | |
104 | ### Set safe IP options. | |
105 | ||
106 | ## Set forwarding options. Apparently setting ip_forward clobbers other | |
107 | ## settings, so put this first. | |
108 | setopt ip_forward $forward | |
109 | setdevopt forwarding $forward | |
110 | ||
111 | ## Set dynamic port allocation. | |
112 | setopt ip_local_port_range $open_port_min $open_port_max | |
113 | ||
114 | ## Deploy SYN-cookies if necessary. | |
115 | setopt tcp_syncookies 1 | |
116 | ||
c8d422ec MW |
117 | ## Allow broadcast and multicast ping, because it's a useful diagnostic tool. |
118 | setopt icmp_echo_ignore_broadcasts 0 | |
119 | ||
429f4314 MW |
120 | ## Turn off iptables filtering for bridges. We'll use ebtables if we need |
121 | ## to; but right now the model is that we do filtering at the borders, and | |
122 | ## are tolerant of things which are local. | |
6d47692a MW |
123 | if [ -x /sbin/brctl ]; then |
124 | modprobe bridge || : | |
125 | if [ -d /proc/sys/net/bridge ]; then | |
126 | for filter in arptables iptables ip6tables; do | |
127 | run sysctl -q net.bridge.bridge-nf-call-$filter=0 | |
128 | done | |
129 | fi | |
130 | fi | |
429f4314 | 131 | |
bfdc045d | 132 | ## Turn on the reverse-path filter, and log weird things. |
a0ade6f1 MW |
133 | setdevopt rp_filter $rp_filter |
134 | setdevopt log_martians $log_martians | |
bfdc045d MW |
135 | |
136 | ## Turn off things which can mess with our routing decisions. | |
137 | setdevopt accept_source_route 0 | |
138 | setdevopt accept_redirects 0 | |
139 | ||
140 | ## If we're maent to stop the firewall, then now is the time to do it. | |
141 | $exit_after_clearing | |
142 | ||
143 | m4_divert(34)m4_dnl | |
144 | ###-------------------------------------------------------------------------- | |
145 | ### Establish error chains. | |
146 | ||
0291d6d5 MW |
147 | errorchain forbidden REJECT |
148 | ## Generic `not allowed' chain. | |
bfdc045d | 149 | |
0291d6d5 MW |
150 | errorchain tcp-fragment REJECT |
151 | ## Chain for logging fragmented TCP segements. | |
bfdc045d MW |
152 | |
153 | errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset | |
154 | ## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset. | |
155 | ||
156 | errorchain mangle:bad-source-address DROP | |
0291d6d5 | 157 | errorchain bad-source-address DROP |
bfdc045d MW |
158 | ## Packet arrived on wrong interface for its source address. Drops the |
159 | ## packet, since there's nowhere sensible to send an error. | |
160 | ||
0291d6d5 MW |
161 | errorchain bad-destination-address REJECT |
162 | ## Packet arrived on non-loopback interface with loopback destination. | |
f381cc0a | 163 | |
bfdc045d MW |
164 | errorchain interesting ACCEPT |
165 | ## Not an error, just log interesting packets. | |
166 | ||
167 | m4_divert(36)m4_dnl | |
168 | ###-------------------------------------------------------------------------- | |
f543dab7 | 169 | ### Standard filtering. |
bfdc045d | 170 | |
f381cc0a | 171 | ## Don't clobber local traffic |
0291d6d5 | 172 | run ip46tables -A INPUT -i lo -j ACCEPT |
bfdc045d | 173 | |
f381cc0a MW |
174 | ## We really shouldn't see packets destined for localhost on any interface |
175 | ## other than the loopback. | |
176 | run iptables -A INPUT -g bad-destination-address \ | |
177 | -d 127.0.0.0/8 | |
0291d6d5 MW |
178 | run ip6tables -A INPUT -g bad-destination-address \ |
179 | -d ::1 | |
180 | ||
181 | ## We shouldn't be asked to forward things with link-local addresses. | |
182 | run iptables -A FORWARD -g bad-source-address \ | |
183 | -s 169.254.0.0/16 | |
184 | run iptables -A FORWARD -g bad-destination-address \ | |
185 | -d 169.254.0.0/16 | |
186 | run ip6tables -A FORWARD -g bad-source-address \ | |
187 | -s fe80::/10 | |
188 | run ip6tables -A FORWARD -g bad-destination-address \ | |
189 | -d fe80::/10 | |
f381cc0a | 190 | |
429f4314 MW |
191 | ## Also, don't forward link-local broadcast or multicast. |
192 | run iptables -A FORWARD -g bad-destination-address \ | |
193 | -d 255.255.255.255 | |
194 | run iptables -A FORWARD -g bad-destination-address \ | |
195 | -m addrtype --dst-type BROADCAST | |
196 | run iptables -A FORWARD -g bad-destination-address \ | |
197 | -d 224.0.0.0/24 | |
198 | for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do | |
199 | run ip6tables -A FORWARD -g bad-destination-address \ | |
200 | -d fe${x}2::/16 | |
201 | done | |
202 | ||
f543dab7 MW |
203 | ## Add a hook for fail2ban. |
204 | clearchain fail2ban | |
205 | run ip46tables -A INPUT -j fail2ban | |
206 | ||
bfdc045d MW |
207 | m4_divert(90)m4_dnl |
208 | ###-------------------------------------------------------------------------- | |
209 | ### Finishing touches. | |
210 | ||
211 | m4_divert(94)m4_dnl | |
212 | ## Locally generated packets are all OK. | |
c1c877c2 | 213 | run ip46tables -P OUTPUT ACCEPT |
bfdc045d MW |
214 | |
215 | ## Other incoming things are forbidden. | |
216 | for chain in INPUT FORWARD; do | |
c1c877c2 | 217 | run ip46tables -A $chain -g forbidden |
bfdc045d MW |
218 | done |
219 | ||
220 | m4_divert(-1) | |
221 | ###----- That's all, folks -------------------------------------------------- |