[firewall] / local.m4

### -*-m4-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Packet classification.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
m4_divert(-1)m4_dnl

###--------------------------------------------------------------------------
### Network layout.

m4_divert(46)m4_dnl
## Networks and routing.

defiface $if_trusted \
	trusted:172.29.199.0/26 \
	safe:172.29.199.64/27 \
	untrusted:default
defiface $if_untrusted \
	untrusted:172.29.198.0/24
defvpn $if_vpn safe 172.29.199.128/27 \
	crybaby:172.29.199.129
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24

m4_divert(60)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

## Allow ping from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
	-p icmp ! -f --icmp-type echo-request \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
	-p icmp ! -f --icmp-type echo-reply \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
    	-p tcp ! -f --destination-port $port_ssh \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
	-p tcp ! -f --source-port $port_ssh \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run iptables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run iptables -A inbound -j forbidden
run iptables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
for i in INPUT FORWARD; do
  run iptables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
bfdc045d MW	1	### --m4--
	2	###
	3	### Local firewall configuration
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Packet classification.
	26
	27	## Define the available network classes.
	28	m4_divert(42)m4_dnl
	29	defnetclass untrusted untrusted trusted
	30	defnetclass trusted untrusted trusted safe noloop
	31	defnetclass safe trusted safe noloop
	32	defnetclass noloop trusted safe
	33	m4_divert(-1)m4_dnl
	34
	35	###--------------------------------------------------------------------------
	36	### Network layout.
	37
	38	m4_divert(46)m4_dnl
	39	## Networks and routing.
	40
	41	defiface $if_trusted \
	42	trusted:172.29.199.0/26 \
	43	safe:172.29.199.64/27 \
	44	untrusted:default
	45	defiface $if_untrusted \
	46	untrusted:172.29.198.0/24
	47	defvpn $if_vpn safe 172.29.199.128/27 \
	48	crybaby:172.29.199.129
	49	defiface $if_its_mz safe:172.29.199.160/30
	50	defiface $if_its_pi safe:192.168.0.0/24
	51
	52	m4_divert(60)m4_dnl
	53	###--------------------------------------------------------------------------
	54	### Special forwarding exemptions.
	55
	56	## Allow ping from safe/noloop to untrusted networks.
	57	run iptables -A FORWARD -j ACCEPT \
ecdca131	58	-p icmp ! -f --icmp-type echo-request \
bfdc045d MW	59	-m mark --mark $to_untrusted/$MASK_TO
bfdc045d MW	60	run iptables -A FORWARD -j ACCEPT \
ecdca131	61	-p icmp ! -f --icmp-type echo-reply \
bfdc045d MW	62	-m mark --mark $from_untrusted/$MASK_FROM \
	63	-m state --state ESTABLISHED
	64
	65	## Allow SSH from safe/noloop to untrusted networks.
	66	run iptables -A FORWARD -j ACCEPT \
ecdca131	67	-p tcp ! -f --destination-port $port_ssh \
bfdc045d MW	68	-m mark --mark $to_untrusted/$MASK_TO
bfdc045d MW	69	run iptables -A FORWARD -j ACCEPT \
ecdca131	70	-p tcp ! -f --source-port $port_ssh \
bfdc045d MW	71	-m mark --mark $from_untrusted/$MASK_FROM \
	72	-m state --state ESTABLISHED
	73
	74	m4_divert(80)m4_dnl
	75	###--------------------------------------------------------------------------
	76	### Locally-bound packet inspection.
	77
	78	clearchain inbound
	79
	80	## Track connections.
ecdca131	81	commonrules inbound
bfdc045d MW	82	conntrack inbound
	83
	84	## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
	85	## local request.
	86	run iptables -A inbound -j ACCEPT \
	87	-s 0.0.0.0 -d 255.255.255.255 \
	88	-p udp --source-port $port_bootpc --destination-port $port_bootps
	89	run iptables -A inbound -j ACCEPT \
	90	-s 172.29.198.0/23 \
	91	-p udp --source-port $port_bootpc --destination-port $port_bootps
	92
	93	## Allow incoming ping. This is the only ICMP left.
	94	run iptables -A inbound -j ACCEPT -p icmp
	95
	96	m4_divert(88)m4_dnl
	97	## Allow unusual things.
	98	openports inbound
	99
	100	## Inspect inbound packets from untrusted sources.
	101	run iptables -A inbound -j forbidden
	102	run iptables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
	103
	104	## Otherwise process as indicated by the mark.
	105	for i in INPUT FORWARD; do
	106	run iptables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
	107	done
	108
	109	m4_divert(-1)
	110	###----- That's all, folks --------------------------------------------------