Make FW_NOACT work properly.
[firewall] / bookends.m4
CommitLineData
775bd287 1### -*-sh-*-
bfdc045d
MW
2###
3### Initialization and finishing touches for firewall scripts
4###
5### (c) 2008 Mark Wooding
6###
7
8###----- Licensing notice ---------------------------------------------------
9###
10### This program is free software; you can redistribute it and/or modify
11### it under the terms of the GNU General Public License as published by
12### the Free Software Foundation; either version 2 of the License, or
13### (at your option) any later version.
14###
15### This program is distributed in the hope that it will be useful,
16### but WITHOUT ANY WARRANTY; without even the implied warranty of
17### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18### GNU General Public License for more details.
19###
20### You should have received a copy of the GNU General Public License
21### along with this program; if not, write to the Free Software Foundation,
22### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24m4_divert(30)m4_dnl
25###--------------------------------------------------------------------------
26### Clear existing firewall rules.
27
28## The main chains: set policy to drop, and then clear the rules. For a
29## while, incoming packets will be silently dropped, but we should have got
30## everything going before anyone actually hits a timeout.
42dae9ae
MW
31##
32## We don't control some of the chains, so we should preserve them. This
33## introduces a whole bunch of problems.
34
35## Chains we're meant to preserve
36preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
37
38## Take the various IP versions in turn.
39unref=nil
40for ip in ip ip6; do
fb7845a8
MW
41 if [ "$FW_NOACT" ]; then break; fi
42
42dae9ae
MW
43 for table in $(cat /proc/net/${ip}_tables_names); do
44
45 ## Step 1: clear out the builtin chains.
46 ${ip}tables -nL -t $table |
47 sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
48 while read chain; do
49 case $table in
50 nat) policy=ACCEPT ;;
51 *) policy=DROP ;;
52 esac
53 run ${ip}tables -t $table -P $chain $policy
54 run ${ip}tables -t $table -F $chain
55 done
56
57 ## Step 2: clear out user chains. Unfortunately, we can only clear
58 ## chains which have no references to them, so work through picking off
59 ## unreferenced chains which aren't meant to be preserved until there are
60 ## none left.
61 while :; do
62 progress=nil
63 ${ip}tables -nL -t $table |
64 sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \
65 >/var/run/firewall-chains.tmp
66 while read chain; do
67 match=nil
68 for pat in $preserve_chains; do
69 case "$table:$chain" in $pat) match=t ;; esac
70 done
71 case $match in
72 nil)
73 run ${ip}tables -t $table -F $chain
74 run ${ip}tables -t $table -X $chain
75 progress=t
76 ;;
77 esac
78 done </var/run/firewall-chains.tmp
79 case $progress in nil) break ;; esac
80 done
81
82 ## Step 3: report on uncleared user chains. This means that there's a
83 ## serious problem.
84 ${ip}tables -nL -t $table |
85 sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \
86 >/var/run/firewall-chains.tmp
87 while read chain refs; do
88 match=nil
89 for pat in $preserve_chains; do
90 case "$table:$chain" in $pat) match=t ;; esac
91 done
92 case $match in
93 nil)
94 echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'"
95 unref=t
96 ;;
97 esac
98 done </var/run/firewall-chains.tmp
bfdc045d 99 done
bfdc045d 100done
42dae9ae
MW
101rm -f /var/run/firewall-chains.tmp
102case $unref in t) exit 1 ;; esac
bfdc045d
MW
103
104m4_divert(32)m4_dnl
105###--------------------------------------------------------------------------
106### Set safe IP options.
107
108## Set forwarding options. Apparently setting ip_forward clobbers other
109## settings, so put this first.
78af294c
MW
110case $host_type_<::>FWHOST in
111 router) forward=1 ;;
112 *) forward=0 ;;
113esac
bfdc045d
MW
114setopt ip_forward $forward
115setdevopt forwarding $forward
f0033e07
MW
116case $forward in
117 0) inchains="INPUT" ;;
118 1) inchains="INPUT FORWARD" ;;
119esac
bfdc045d
MW
120
121## Set dynamic port allocation.
122setopt ip_local_port_range $open_port_min $open_port_max
123
124## Deploy SYN-cookies if necessary.
125setopt tcp_syncookies 1
126
c8d422ec
MW
127## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
128setopt icmp_echo_ignore_broadcasts 0
129
429f4314
MW
130## Turn off iptables filtering for bridges. We'll use ebtables if we need
131## to; but right now the model is that we do filtering at the borders, and
132## are tolerant of things which are local.
6d47692a
MW
133if [ -x /sbin/brctl ]; then
134 modprobe bridge || :
135 if [ -d /proc/sys/net/bridge ]; then
136 for filter in arptables iptables ip6tables; do
137 run sysctl -q net.bridge.bridge-nf-call-$filter=0
138 done
139 fi
140fi
429f4314 141
78af294c
MW
142## Turn off the reverse-path filter. It's basically useless: the filter does
143## nothing at all for single-homed hosts; and multi-homed hosts tend to have
144## routing aysmmetries if there's any kind of cycle.
145setdevopt rp_filter 0
146setdevopt log_martians 0
bfdc045d
MW
147
148## Turn off things which can mess with our routing decisions.
149setdevopt accept_source_route 0
150setdevopt accept_redirects 0
151
152## If we're maent to stop the firewall, then now is the time to do it.
153$exit_after_clearing
154
155m4_divert(34)m4_dnl
156###--------------------------------------------------------------------------
157### Establish error chains.
158
0291d6d5
MW
159errorchain forbidden REJECT
160## Generic `not allowed' chain.
bfdc045d 161
0291d6d5
MW
162errorchain tcp-fragment REJECT
163## Chain for logging fragmented TCP segements.
bfdc045d
MW
164
165errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
166## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset.
167
168errorchain mangle:bad-source-address DROP
0291d6d5 169errorchain bad-source-address DROP
bfdc045d
MW
170## Packet arrived on wrong interface for its source address. Drops the
171## packet, since there's nowhere sensible to send an error.
172
0291d6d5
MW
173errorchain bad-destination-address REJECT
174## Packet arrived on non-loopback interface with loopback destination.
f381cc0a 175
bfdc045d
MW
176errorchain interesting ACCEPT
177## Not an error, just log interesting packets.
178
a4d8cae3 179m4_divert(50)m4_dnl
bfdc045d 180###--------------------------------------------------------------------------
f543dab7 181### Standard filtering.
bfdc045d 182
f381cc0a 183## Don't clobber local traffic
0291d6d5 184run ip46tables -A INPUT -i lo -j ACCEPT
bfdc045d 185
f381cc0a
MW
186## We really shouldn't see packets destined for localhost on any interface
187## other than the loopback.
188run iptables -A INPUT -g bad-destination-address \
189 -d 127.0.0.0/8
0291d6d5
MW
190run ip6tables -A INPUT -g bad-destination-address \
191 -d ::1
192
193## We shouldn't be asked to forward things with link-local addresses.
78af294c
MW
194case $forward in
195 1)
196 run iptables -A FORWARD -g bad-source-address \
197 -s 169.254.0.0/16
198 run iptables -A FORWARD -g bad-destination-address \
199 -d 169.254.0.0/16
200 run ip6tables -A FORWARD -g bad-source-address \
201 -s fe80::/10
202 run ip6tables -A FORWARD -g bad-destination-address \
203 -d fe80::/10
204 ;;
205esac
f381cc0a 206
429f4314 207## Also, don't forward link-local broadcast or multicast.
78af294c
MW
208case $forward in
209 1)
210 run iptables -A FORWARD -g bad-destination-address \
211 -d 255.255.255.255
212 run iptables -A FORWARD -g bad-destination-address \
213 -m addrtype --dst-type BROADCAST
214 run iptables -A FORWARD -g bad-destination-address \
215 -d 224.0.0.0/24
e6d64b67 216 clearchain check-fwd-multi
78af294c 217 for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
e6d64b67
MW
218 run ip6tables -A check-fwd-multi -g bad-destination-address \
219 -d ff${x}2::/16
78af294c 220 done
fb7845a8 221 run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
78af294c
MW
222 ;;
223esac
429f4314 224
f543dab7
MW
225## Add a hook for fail2ban.
226clearchain fail2ban
227run ip46tables -A INPUT -j fail2ban
228
bfdc045d
MW
229m4_divert(90)m4_dnl
230###--------------------------------------------------------------------------
231### Finishing touches.
232
233m4_divert(94)m4_dnl
234## Locally generated packets are all OK.
c1c877c2 235run ip46tables -P OUTPUT ACCEPT
bfdc045d
MW
236
237## Other incoming things are forbidden.
238for chain in INPUT FORWARD; do
c1c877c2 239 run ip46tables -A $chain -g forbidden
bfdc045d
MW
240done
241
86c975b5
MW
242## Allow stuff through unknown tables.
243for ip in ip ip6; do
244 for table in $(cat /proc/net/${ip}_tables_names); do
245 case $table in mangle | filter) continue ;; esac
246 ${ip}tables -nL -t $table |
247 sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
248 while read chain; do
249 run ${ip}tables -t $table -P $chain ACCEPT
250 done
251 done
252done
253
d8852323
MW
254## Dump the resulting configuration.
255if [ "$FW_DEBUG" ]; then
256 for ip in ip ip6; do
257 for table in mangle filter; do
258 echo "----- $ip $table -----"
259 echo
260 ${ip}tables -t $table -nvL
261 echo
262 done
263 done
264fi
265
bfdc045d
MW
266m4_divert(-1)
267###----- That's all, folks --------------------------------------------------