Commit | Line | Data |
---|---|---|
775bd287 | 1 | ### -*-sh-*- |
bfdc045d MW |
2 | ### |
3 | ### Local firewall configuration | |
4 | ### | |
5 | ### (c) 2008 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ###-------------------------------------------------------------------------- | |
335b2afe MW |
25 | ### Local configuration. |
26 | ||
27 | m4_divert(6)m4_dnl | |
28 | ## Default NTP servers. | |
29 | defconf(ntp_servers, | |
c8d1a00b | 30 | "81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::") |
335b2afe MW |
31 | |
32 | m4_divert(-1) | |
33 | ###-------------------------------------------------------------------------- | |
bfdc045d MW |
34 | ### Packet classification. |
35 | ||
36e36cc7 MW |
36 | ## IPv4 addressing. |
37 | ## | |
38 | ## There are two small blocks of publicly routable IPv4 addresses, and a | |
39 | ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN. | |
40 | ## The former are as follows. | |
41 | ## | |
ddbe1eaa | 42 | ## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28 |
295959ea MW |
43 | ## House border network (dmz). We have all of these; the loose |
44 | ## address is for the router. | |
f01cdc79 | 45 | ## |
36e36cc7 MW |
46 | ## The latter is the block 172.29.196.0/22. Currently the low half is |
47 | ## unallocated (and may be returned to the G-RIN); the remaining addresses | |
48 | ## are allocated as follows. | |
49 | ## | |
50 | ## 172.29.198.0/24 Untrusted networks. | |
51 | ## .0/25 house wireless net | |
52 | ## .128/28 iodine (IP-over-DNS) network | |
d0409c90 | 53 | ## .144/28 hippotat (IP-over-HTTP) network |
42f784e2 | 54 | ## .160/27 untrusted virtual network |
36e36cc7 MW |
55 | ## |
56 | ## 172.29.199.0/24 Trusted networks. | |
57 | ## .0/25 house wired network | |
58 | ## .128/27 mobile VPN hosts | |
59 | ## .160/28 reserved, except .160/30 allocated for ITS | |
60 | ## .176/28 internal colocated network | |
61 | ## .192/27 house safe network | |
62 | ## .224/27 anycast services | |
63 | ||
64 | ## IPv6 addressing. | |
65 | ## | |
66 | ## There are five blocks of publicly routable IPv6 addresses, though some of | |
67 | ## them aren't very interesting. The ranges are as follows. | |
68 | ## | |
f01cdc79 MW |
69 | ## 2001:8b0:c92::/48 |
70 | ## Main house range (aaisp). See below for allocation policy. | |
71 | ## There is no explicit DMZ allocation (and no need for one). | |
72 | ## | |
36e36cc7 MW |
73 | ## Addresses in the /64 networks are simply allocated in ascending order. |
74 | ## The /48s are split into /64s by appending a 16-bit network number. The | |
75 | ## top nibble of the network number classifies the network, as follows. | |
76 | ## | |
42f784e2 | 77 | ## axxx Virtual, untrusted |
36e36cc7 | 78 | ## 8xxx Untrusted |
2caaca79 | 79 | ## 6xxx Virtual, safe |
36e36cc7 MW |
80 | ## 4xxx Safe |
81 | ## 0xxx Unsafe, trusted | |
82 | ## | |
83 | ## These have been chosen so that network properties can be deduced by | |
84 | ## inspecting bits of the network number: | |
85 | ## | |
86 | ## Bit 15 If set, the network is untrusted; otherwise it is trusted. | |
87 | ## Bit 14 If set, the network is safe; otherwise it is unsafe. | |
88 | ## | |
89 | ## Finally, the low-order nibbles identify the site. | |
90 | ## | |
91 | ## 0 No specific site: mobile VPN endpoints or anycast addresses. | |
92 | ## 1 House. | |
295959ea | 93 | ## fff Local border network. |
36e36cc7 | 94 | |
bfdc045d MW |
95 | ## Define the available network classes. |
96 | m4_divert(42)m4_dnl | |
1b101247 MW |
97 | defnetclass scary scary trusted vpnnat mcast |
98 | defnetclass untrusted scary untrusted trusted mcast | |
99 | defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast | |
100 | defnetclass safe trusted safe noloop vpnnat mcast | |
101 | defnetclass noloop trusted safe mcast | |
102 | defnetclass vpnnat scary trusted safe mcast | |
951e7943 | 103 | |
44f95827 MW |
104 | defnetclass link |
105 | defnetclass mcast | |
a4d8cae3 | 106 | m4_divert(-1) |
bfdc045d | 107 | |
a4d8cae3 | 108 | m4_divert(26)m4_dnl |
bfdc045d MW |
109 | ###-------------------------------------------------------------------------- |
110 | ### Network layout. | |
111 | ||
beb4f0ee MW |
112 | ## House networks. |
113 | defnet dmz trusted | |
ddbe1eaa | 114 | addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64 |
17a45245 | 115 | via unsafe untrusted |
beb4f0ee | 116 | defnet unsafe trusted |
295959ea | 117 | addr 172.29.199.0/25 2001:8b0:c92:1::/64 |
17a45245 | 118 | via househub |
beb4f0ee | 119 | defnet safe safe |
295959ea | 120 | addr 172.29.199.192/27 2001:8b0:c92:4001::/64 |
17a45245 | 121 | via househub |
beb4f0ee | 122 | defnet untrusted untrusted |
295959ea | 123 | addr 172.29.198.0/25 2001:8b0:c92:8001::/64 |
17a45245 | 124 | via househub |
bfdc045d | 125 | |
beb4f0ee | 126 | defnet househub virtual |
17a45245 | 127 | via housebdry dmz unsafe safe untrusted |
beb4f0ee | 128 | defnet housebdry virtual |
17a45245 | 129 | via househub hub |
beb4f0ee MW |
130 | |
131 | ## House hosts. | |
132 | defhost radius | |
4eb9f4df | 133 | hosttype router |
ddbe1eaa MW |
134 | iface eth0 dmz unsafe safe untrusted vpn sgo default |
135 | iface eth1 dmz unsafe safe untrusted vpn sgo default | |
136 | iface eth2 dmz unsafe safe untrusted vpn sgo | |
83cc1e6c | 137 | iface eth3 unsafe untrusted vpn default |
8506ff83 | 138 | iface ppp0 default |
a7e48c06 | 139 | iface t6-he default |
ddbe1eaa | 140 | iface vpn-precision vpn sgo |
68f0829f MW |
141 | iface vpn-chiark sgo |
142 | iface vpn-+ vpn | |
beb4f0ee | 143 | defhost roadstar |
ce6434f7 MW |
144 | iface eth0 dmz unsafe |
145 | iface eth1 dmz unsafe | |
beb4f0ee | 146 | defhost jem |
ce6434f7 MW |
147 | iface eth0 dmz unsafe |
148 | iface eth1 dmz unsafe | |
97320b7d MW |
149 | defhost universe |
150 | iface eth0 dmz unsafe | |
151 | iface eth1 dmz unsafe | |
beb4f0ee | 152 | defhost artist |
564c6939 | 153 | hosttype router |
490003e4 MW |
154 | iface eth0 dmz unsafe untrusted |
155 | iface eth1 dmz unsafe untrusted | |
83cc1e6c | 156 | iface eth3 unsafe untrusted |
beb4f0ee | 157 | defhost vampire |
4eb9f4df | 158 | hosttype router |
ddbe1eaa MW |
159 | iface eth0.4 dmz unsafe untrusted safe vpn sgo |
160 | iface eth0.5 dmz unsafe untrusted safe vpn sgo | |
161 | iface eth0.6 dmz unsafe safe untrusted vpn sgo | |
83cc1e6c | 162 | iface eth0.7 unsafe untrusted vpn |
ddbe1eaa | 163 | iface vpn-precision vpn sgo |
ebaa31a7 MW |
164 | iface vpn-chiark sgo |
165 | iface vpn-+ vpn | |
beb4f0ee | 166 | defhost ibanez |
06ff8082 | 167 | iface br-dmz dmz unsafe |
beb4f0ee | 168 | iface br-unsafe unsafe |
6fd217ae MW |
169 | defhost orange |
170 | iface wlan0 untrusted | |
171 | iface vpn-radius unsafe | |
49b81a66 MW |
172 | defhost groove |
173 | iface eth0 unsafe | |
24ddb007 MW |
174 | iface wlan0 untrusted |
175 | iface vpn-radius unsafe | |
beb4f0ee MW |
176 | |
177 | defhost gibson | |
4eb9f4df | 178 | hosttype client |
d8e50664 | 179 | iface eth0 unsafe |
beb4f0ee | 180 | |
ddbe1eaa | 181 | ## Formerly colocated hosts. |
beb4f0ee | 182 | defhost fender |
ddbe1eaa MW |
183 | iface br-dmz dmz unsafe |
184 | iface br-unsafe dmz unsafe | |
beb4f0ee | 185 | defhost precision |
4eb9f4df | 186 | hosttype router |
ddbe1eaa MW |
187 | iface eth0 dmz unsafe vpn sgo |
188 | iface eth1 dmz unsafe vpn sgo | |
1fd9cef9 | 189 | iface vpn-mango binswood |
ebaa31a7 | 190 | iface vpn-chiark sgo |
38e85ca3 | 191 | iface vpn-national upn |
175f1d48 | 192 | iface vpn-mdwdev upn |
5632bf51 | 193 | iface vpn-eggle upn |
ebaa31a7 | 194 | iface vpn-+ vpn |
beb4f0ee | 195 | defhost telecaster |
ddbe1eaa MW |
196 | iface eth0 dmz unsafe vpn sgo |
197 | iface eth1 dmz unsafe vpn sgo | |
beb4f0ee | 198 | defhost stratocaster |
ddbe1eaa MW |
199 | iface eth0 dmz unsafe vpn sgo |
200 | iface eth1 dmz unsafe vpn sgo | |
beb4f0ee | 201 | defhost jazz |
560ae309 | 202 | hosttype router |
ddbe1eaa MW |
203 | iface eth0 dmz unsafe vpn sgo |
204 | iface eth1 dmz unsafe vpn sgo | |
148d527c | 205 | iface dns0 iodine |
d0409c90 | 206 | iface hippo-svc hippotat |
560ae309 | 207 | iface vpn-+ vpn |
beb4f0ee | 208 | |
ddbe1eaa MW |
209 | ## Stunt connectivity networks. |
210 | defnet iodine untrusted | |
211 | addr 172.29.198.128/28 | |
212 | via colohub | |
213 | defnet hippotat untrusted | |
214 | addr 172.29.198.144/28 | |
215 | via colohub | |
216 | ||
217 | ||
beb4f0ee MW |
218 | ## Other networks. |
219 | defnet hub virtual | |
ddbe1eaa | 220 | via housebdry |
ebaa31a7 MW |
221 | defnet sgo noloop |
222 | addr !172.29.198.0/23 | |
1b101247 | 223 | addr !10.165.27.0/24 |
ebaa31a7 MW |
224 | addr 10.0.0.0/8 |
225 | addr 172.16.0.0/12 | |
226 | addr 192.168.0.0/16 | |
ddbe1eaa | 227 | via househub |
57644f26 | 228 | defnet vpn trusted |
ddbe1eaa MW |
229 | addr 172.29.199.128/27 2001:8b0:c92:6000::/64 |
230 | via househub | |
eec061c0 MW |
231 | host crybaby 1 ::1:1 |
232 | host terror 2 ::2:1 | |
233 | host orange 3 ::3:1 | |
a28edce0 | 234 | host haze 4 ::4:1 |
ea2e5ed4 | 235 | host spirit 9 ::9:1 |
194c72b5 | 236 | host groove 10 ::10:1 |
c68b8ecc | 237 | defnet anycast trusted |
ddbe1eaa MW |
238 | addr 172.29.199.224/27 2001:8b0:c92:0::/64 |
239 | via dmz unsafe safe untrusted vpn nvpn | |
1b534b6a | 240 | defnet default scary |
ddbe1eaa MW |
241 | addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \ |
242 | 2001:8b0:c92::/48 | |
243 | via dmz unsafe untrusted | |
42f784e2 | 244 | defnet upn untrusted |
ddbe1eaa MW |
245 | addr 172.29.198.160/27 2001:8b0:c92:a000::/64 |
246 | via househub | |
38e85ca3 | 247 | host national 1 ::1:1 |
175f1d48 | 248 | host mdwdev 2 ::2:1 |
5632bf51 | 249 | host eggle 3 ::3:1 |
38e85ca3 | 250 | |
badaaa08 | 251 | ## VPS hosts. |
5632bf51 MW |
252 | defhost eggle |
253 | iface eth0 default | |
254 | iface vpn-precision househub | |
38e85ca3 MW |
255 | defhost national |
256 | iface eth0 default | |
ddbe1eaa | 257 | iface vpn-precision househub |
1ee6211d | 258 | |
1fd9cef9 | 259 | ## Satellite networks. |
1b101247 | 260 | defnet binswood vpnnat |
1fd9cef9 | 261 | addr 10.165.27.0/24 |
ddbe1eaa | 262 | via househub |
31c0a107 MW |
263 | defhost mango |
264 | hosttype router | |
265 | iface eth0 binswood default | |
ddbe1eaa | 266 | iface vpn-precision dmz default |
31c0a107 | 267 | |
a4d8cae3 | 268 | m4_divert(80)m4_dnl |
bfdc045d | 269 | ###-------------------------------------------------------------------------- |
5c5fcd73 MW |
270 | ### Connection tracking helper modules. |
271 | ||
272 | for i in ftp; do | |
273 | modprobe nf_conntrack_$i | |
274 | done | |
275 | ||
276 | m4_divert(80)m4_dnl | |
277 | ###-------------------------------------------------------------------------- | |
bfdc045d MW |
278 | ### Special forwarding exemptions. |
279 | ||
78af294c MW |
280 | case $forward in |
281 | 1) | |
282 | ||
283 | ## Only allow these packets if they're not fragmented. (Don't trust safe | |
284 | ## hosts's fragment reassembly to be robust against malicious fragments.) | |
285 | ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning | |
286 | ## of `! -f', so we do the negation using early return from a subchain. | |
287 | clearchain fwd-spec-nofrag | |
288 | run iptables -A fwd-spec-nofrag -j RETURN --fragment | |
289 | run ip6tables -A fwd-spec-nofrag -j RETURN \ | |
290 | -m ipv6header --soft --header frag | |
87bf1592 | 291 | run ip46tables -A FORWARD -j fwd-spec-nofrag |
78af294c MW |
292 | |
293 | ## Allow ping from safe/noloop to untrusted networks. | |
294 | run iptables -A fwd-spec-nofrag -j ACCEPT \ | |
295 | -p icmp --icmp-type echo-request \ | |
296 | -m mark --mark $to_untrusted/$MASK_TO | |
297 | run iptables -A fwd-spec-nofrag -j ACCEPT \ | |
298 | -p icmp --icmp-type echo-reply \ | |
299 | -m mark --mark $from_untrusted/$MASK_FROM \ | |
300 | -m state --state ESTABLISHED | |
301 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ | |
8b021091 | 302 | -p icmpv6 --icmpv6-type echo-request \ |
78af294c MW |
303 | -m mark --mark $to_untrusted/$MASK_TO |
304 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ | |
8b021091 | 305 | -p icmpv6 --icmpv6-type echo-reply \ |
78af294c MW |
306 | -m mark --mark $from_untrusted/$MASK_FROM \ |
307 | -m state --state ESTABLISHED | |
308 | ||
309 | ## Allow SSH from safe/noloop to untrusted networks. | |
cbbd5e39 | 310 | run ip46tables -A fwd-spec-nofrag -j ACCEPT \ |
78af294c MW |
311 | -p tcp --destination-port $port_ssh \ |
312 | -m mark --mark $to_untrusted/$MASK_TO | |
cbbd5e39 | 313 | run ip46tables -A fwd-spec-nofrag -j ACCEPT \ |
78af294c MW |
314 | -p tcp --source-port $port_ssh \ |
315 | -m mark --mark $from_untrusted/$MASK_FROM \ | |
316 | -m state --state ESTABLISHED | |
317 | ||
318 | ;; | |
319 | esac | |
320 | ||
a4d8cae3 | 321 | m4_divert(80)m4_dnl |
ade2c052 MW |
322 | ###-------------------------------------------------------------------------- |
323 | ### Kill things we don't understand properly. | |
324 | ### | |
325 | ### I don't like having to do this, but since I don't know how to do proper | |
326 | ### multicast filtering, I'm just going to ban it from being forwarded. | |
327 | ||
328 | errorchain poorly-understood REJECT | |
329 | ||
330 | ## Ban multicast destination addresses in forwarding. | |
78af294c MW |
331 | case $forward in |
332 | 1) | |
333 | run iptables -A FORWARD -g poorly-understood \ | |
334 | -d 224.0.0.0/4 | |
335 | run ip6tables -A FORWARD -g poorly-understood \ | |
336 | -d ff::/8 | |
337 | ;; | |
338 | esac | |
ade2c052 | 339 | |
7377aca7 MW |
340 | m4_divert(82)m4_dnl |
341 | ###-------------------------------------------------------------------------- | |
342 | ### Check for source routing. | |
343 | ||
344 | clearchain check-srcroute | |
345 | ||
346 | run iptables -A check-srcroute -g forbidden \ | |
347 | -m ipv4options --any --flags lsrr,ssrr | |
348 | run ip6tables -A check-srcroute -g forbidden \ | |
349 | -m rt | |
350 | ||
351 | for c in INPUT FORWARD; do | |
352 | for m in $from_scary $from_untrusted; do | |
353 | run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute | |
354 | done | |
355 | done | |
356 | ||
a4d8cae3 | 357 | m4_divert(84)m4_dnl |
bfdc045d MW |
358 | ###-------------------------------------------------------------------------- |
359 | ### Locally-bound packet inspection. | |
360 | ||
361 | clearchain inbound | |
94ce6e76 | 362 | clearchain inbound-untrusted |
bfdc045d MW |
363 | |
364 | ## Track connections. | |
ecdca131 | 365 | commonrules inbound |
bfdc045d MW |
366 | conntrack inbound |
367 | ||
368 | ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a | |
369 | ## local request. | |
370 | run iptables -A inbound -j ACCEPT \ | |
371 | -s 0.0.0.0 -d 255.255.255.255 \ | |
372 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
373 | run iptables -A inbound -j ACCEPT \ | |
374 | -s 172.29.198.0/23 \ | |
375 | -p udp --source-port $port_bootpc --destination-port $port_bootps | |
376 | ||
377 | ## Allow incoming ping. This is the only ICMP left. | |
8bd7e0fe MW |
378 | run iptables -A inbound -j ACCEPT -p icmp |
379 | run ip6tables -A inbound -j ACCEPT -p icmpv6 | |
bfdc045d MW |
380 | |
381 | m4_divert(88)m4_dnl | |
382 | ## Allow unusual things. | |
383 | openports inbound | |
384 | ||
385 | ## Inspect inbound packets from untrusted sources. | |
8a3660c1 | 386 | run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted |
94ce6e76 | 387 | run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted |
94ce6e76 | 388 | run ip46tables -A inbound-untrusted -g forbidden |
994ac8d0 | 389 | run ip46tables -A inbound -g forbidden |
4f8c1989 | 390 | run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound |
0291d6d5 | 391 | run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound |
bfdc045d | 392 | |
1b534b6a | 393 | ## Allow responses from the scary outside world into the untrusted net, but |
43e20546 | 394 | ## don't let untrusted things run services. |
1b534b6a MW |
395 | case $forward in |
396 | 1) | |
397 | run ip46tables -A FORWARD -j ACCEPT \ | |
398 | -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \ | |
399 | -m state --state ESTABLISHED,RELATED | |
400 | ;; | |
401 | esac | |
402 | ||
bfdc045d | 403 | ## Otherwise process as indicated by the mark. |
f0033e07 MW |
404 | for i in $inchains; do |
405 | run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT | |
406 | done | |
bfdc045d MW |
407 | |
408 | m4_divert(-1) | |
409 | ###----- That's all, folks -------------------------------------------------- |