[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
##		House border network (dmz).  We have all of these; the loose
##		address is for the router.
##
## The latter is the block 172.29.196.0/22.  Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
## 172.29.198.0/24  Untrusted networks.
##	.0/25		house wireless net
##	.128/28		iodine (IP-over-DNS) network
##	.144/28		hippotat (IP-over-HTTP) network
##	.160/27		untrusted virtual network
##
## 172.29.199.0/24  Trusted networks.
##	.0/25		house wired network
##	.128/27		mobile VPN hosts
##	.160/28		reserved, except .160/30 allocated for ITS
##	.176/28		internal colocated network
##	.192/27		house safe network
##	.224/27		anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting.  The ranges are as follows.
##
## 2001:8b0:c92::/48
##		Main house range (aaisp).  See below for allocation policy.
##		There is no explicit DMZ allocation (and no need for one).
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number.  The
## top nibble of the network number classifies the network, as follows.
##
## axxx		Virtual, untrusted
## 8xxx		Untrusted
## 6xxx		Virtual, safe
## 4xxx		Safe
## 0xxx		Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
## Bit 15	If set, the network is untrusted; otherwise it is trusted.
## Bit 14	If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
## 0		No specific site: mobile VPN endpoints or anycast addresses.
## 1		House.
## fff		Local border network.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass scary	scary		trusted		    vpnnat mcast
defnetclass untrusted	scary untrusted trusted			   mcast
defnetclass trusted	scary untrusted trusted safe noloop vpnnat mcast
defnetclass safe			trusted safe noloop vpnnat mcast
defnetclass noloop			trusted safe		   mcast
defnetclass vpnnat	scary		trusted safe		   mcast

defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
	via unsafe untrusted
defnet unsafe trusted
	addr 172.29.199.0/25 2001:8b0:c92:1::/64
	via househub
defnet safe safe
	addr 172.29.199.192/27 2001:8b0:c92:4001::/64
	via househub
defnet untrusted untrusted
	addr 172.29.198.0/25 2001:8b0:c92:8001::/64
	via househub

defnet househub virtual
	via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
	via househub hub

## House hosts.
defhost radius
	hosttype router
	iface eth0 dmz unsafe safe untrusted vpn sgo default
	iface eth1 dmz unsafe safe untrusted vpn sgo default
	iface eth2 dmz unsafe safe untrusted vpn sgo
	iface eth3 unsafe untrusted vpn default
	iface ppp0 default
	iface t6-he default
	iface vpn-precision vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost roadstar
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost jem
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost universe
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost artist
	hosttype router
	iface eth0 dmz unsafe untrusted
	iface eth1 dmz unsafe untrusted
	iface eth3 unsafe untrusted
defhost vampire
	hosttype router
	iface eth0.4 dmz unsafe untrusted safe vpn sgo
	iface eth0.5 dmz unsafe untrusted safe vpn sgo
	iface eth0.6 dmz unsafe safe untrusted vpn sgo
	iface eth0.7 unsafe untrusted vpn
	iface vpn-precision vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost ibanez
	iface br-dmz dmz unsafe
	iface br-unsafe unsafe
defhost orange
	iface wlan0 untrusted
	iface vpn-radius unsafe
defhost groove
	iface eth0 unsafe
	iface wlan0 untrusted
	iface vpn-radius unsafe

defhost gibson
	hosttype client
	iface eth0 unsafe

## Formerly colocated hosts.
defhost fender
	iface br-dmz dmz unsafe
	iface br-unsafe dmz unsafe
defhost precision
	hosttype router
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
	iface vpn-mango binswood
	iface vpn-chiark sgo
	iface vpn-national upn
	iface vpn-mdwdev upn
	iface vpn-eggle upn
	iface vpn-+ vpn
defhost telecaster
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
defhost stratocaster
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
defhost jazz
	hosttype router
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
	iface dns0 iodine
	iface hippo-svc hippotat
	iface vpn-+ vpn

## Stunt connectivity networks.
defnet iodine untrusted
	addr 172.29.198.128/28
	via colohub
defnet hippotat untrusted
	addr 172.29.198.144/28
	via colohub


## Other networks.
defnet hub virtual
	via housebdry
defnet sgo noloop
	addr !172.29.198.0/23
	addr !10.165.27.0/24
	addr 10.0.0.0/8
	addr 172.16.0.0/12
	addr 192.168.0.0/16
	via househub
defnet vpn trusted
	addr 172.29.199.128/27 2001:8b0:c92:6000::/64
	via househub
	host crybaby 1 ::1:1
	host terror 2 ::2:1
	host orange 3 ::3:1
	host haze 4 ::4:1
	host spirit 9 ::9:1
	host groove 10 ::10:1
defnet anycast trusted
	addr 172.29.199.224/27 2001:8b0:c92:0::/64
	via dmz unsafe safe untrusted vpn nvpn
defnet default scary
	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
		2001:8b0:c92::/48
	via dmz unsafe untrusted
defnet upn untrusted
	addr 172.29.198.160/27 2001:8b0:c92:a000::/64
	via househub
	host national 1 ::1:1
	host mdwdev 2 ::2:1
	host eggle 3 ::3:1

## VPS hosts.
defhost eggle
	iface eth0 default
	iface vpn-precision househub
defhost national
	iface eth0 default
	iface vpn-precision househub

## Satellite networks.
defnet binswood vpnnat
	addr 10.165.27.0/24
	via househub
defhost mango
	hosttype router
	iface eth0 binswood default
	iface vpn-precision dmz default

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Connection tracking helper modules.

for i in ftp; do
  modprobe nf_conntrack_$i
done

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
	    -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --destination-port $port_ssh \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --source-port $port_ssh \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
	    -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
	    -d ff::/8
    ;;
esac

m4_divert(82)m4_dnl
###--------------------------------------------------------------------------
### Check for source routing.

clearchain check-srcroute

run iptables -A check-srcroute -g forbidden \
    -m ipv4options --any --flags lsrr,ssrr
run ip6tables -A check-srcroute -g forbidden \
    -m rt

for c in INPUT FORWARD; do
  for m in $from_scary $from_untrusted; do
    run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
  done
done

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound
clearchain inbound-untrusted

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run iptables -A inbound -j ACCEPT -p icmp
run ip6tables -A inbound -j ACCEPT -p icmpv6

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
case $forward in
  1)
    run ip46tables -A FORWARD -j ACCEPT \
	-m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
	-m state --state ESTABLISHED,RELATED
    ;;
esac

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
775bd287	1	### --sh--
bfdc045d MW	2	###
	3	### Local firewall configuration
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
335b2afe MW	25	### Local configuration.
	26
	27	m4_divert(6)m4_dnl
	28	## Default NTP servers.
	29	defconf(ntp_servers,
c8d1a00b	30	"81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")
335b2afe MW	31
	32	m4_divert(-1)
	33	###--------------------------------------------------------------------------
bfdc045d MW	34	### Packet classification.
bfdc045d MW	35
36e36cc7 MW	36	## IPv4 addressing.
	37	##
	38	## There are two small blocks of publicly routable IPv4 addresses, and a
	39	## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
	40	## The former are as follows.
	41	##
ddbe1eaa	42	## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
295959ea MW	43	## House border network (dmz). We have all of these; the loose
295959ea MW	44	## address is for the router.
f01cdc79	45	##
36e36cc7 MW	46	## The latter is the block 172.29.196.0/22. Currently the low half is
	47	## unallocated (and may be returned to the G-RIN); the remaining addresses
	48	## are allocated as follows.
	49	##
	50	## 172.29.198.0/24 Untrusted networks.
	51	## .0/25 house wireless net
	52	## .128/28 iodine (IP-over-DNS) network
d0409c90	53	## .144/28 hippotat (IP-over-HTTP) network
42f784e2	54	## .160/27 untrusted virtual network
36e36cc7 MW	55	##
	56	## 172.29.199.0/24 Trusted networks.
	57	## .0/25 house wired network
	58	## .128/27 mobile VPN hosts
	59	## .160/28 reserved, except .160/30 allocated for ITS
	60	## .176/28 internal colocated network
	61	## .192/27 house safe network
	62	## .224/27 anycast services
	63
	64	## IPv6 addressing.
	65	##
	66	## There are five blocks of publicly routable IPv6 addresses, though some of
	67	## them aren't very interesting. The ranges are as follows.
	68	##
f01cdc79 MW	69	## 2001:8b0:c92::/48
	70	## Main house range (aaisp). See below for allocation policy.
	71	## There is no explicit DMZ allocation (and no need for one).
	72	##
36e36cc7 MW	73	## Addresses in the /64 networks are simply allocated in ascending order.
	74	## The /48s are split into /64s by appending a 16-bit network number. The
	75	## top nibble of the network number classifies the network, as follows.
	76	##
42f784e2	77	## axxx Virtual, untrusted
36e36cc7	78	## 8xxx Untrusted
2caaca79	79	## 6xxx Virtual, safe
36e36cc7 MW	80	## 4xxx Safe
	81	## 0xxx Unsafe, trusted
	82	##
	83	## These have been chosen so that network properties can be deduced by
	84	## inspecting bits of the network number:
	85	##
	86	## Bit 15 If set, the network is untrusted; otherwise it is trusted.
	87	## Bit 14 If set, the network is safe; otherwise it is unsafe.
	88	##
	89	## Finally, the low-order nibbles identify the site.
	90	##
	91	## 0 No specific site: mobile VPN endpoints or anycast addresses.
	92	## 1 House.
295959ea	93	## fff Local border network.
36e36cc7	94
bfdc045d MW	95	## Define the available network classes.
bfdc045d MW	96	m4_divert(42)m4_dnl
1b101247 MW	97	defnetclass scary scary trusted vpnnat mcast
	98	defnetclass untrusted scary untrusted trusted mcast
	99	defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast
	100	defnetclass safe trusted safe noloop vpnnat mcast
	101	defnetclass noloop trusted safe mcast
	102	defnetclass vpnnat scary trusted safe mcast
951e7943	103
44f95827 MW	104	defnetclass link
44f95827 MW	105	defnetclass mcast
a4d8cae3	106	m4_divert(-1)
bfdc045d	107
a4d8cae3	108	m4_divert(26)m4_dnl
bfdc045d MW	109	###--------------------------------------------------------------------------
	110	### Network layout.
	111
beb4f0ee MW	112	## House networks.
beb4f0ee MW	113	defnet dmz trusted
ddbe1eaa	114	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
17a45245	115	via unsafe untrusted
beb4f0ee	116	defnet unsafe trusted
295959ea	117	addr 172.29.199.0/25 2001:8b0:c92:1::/64
17a45245	118	via househub
beb4f0ee	119	defnet safe safe
295959ea	120	addr 172.29.199.192/27 2001:8b0:c92:4001::/64
17a45245	121	via househub
beb4f0ee	122	defnet untrusted untrusted
295959ea	123	addr 172.29.198.0/25 2001:8b0:c92:8001::/64
17a45245	124	via househub
bfdc045d	125
beb4f0ee	126	defnet househub virtual
17a45245	127	via housebdry dmz unsafe safe untrusted
beb4f0ee	128	defnet housebdry virtual
17a45245	129	via househub hub
beb4f0ee MW	130
	131	## House hosts.
	132	defhost radius
4eb9f4df	133	hosttype router
ddbe1eaa MW	134	iface eth0 dmz unsafe safe untrusted vpn sgo default
	135	iface eth1 dmz unsafe safe untrusted vpn sgo default
	136	iface eth2 dmz unsafe safe untrusted vpn sgo
83cc1e6c	137	iface eth3 unsafe untrusted vpn default
8506ff83	138	iface ppp0 default
a7e48c06	139	iface t6-he default
ddbe1eaa	140	iface vpn-precision vpn sgo
68f0829f MW	141	iface vpn-chiark sgo
68f0829f MW	142	iface vpn-+ vpn
beb4f0ee	143	defhost roadstar
ce6434f7 MW	144	iface eth0 dmz unsafe
ce6434f7 MW	145	iface eth1 dmz unsafe
beb4f0ee	146	defhost jem
ce6434f7 MW	147	iface eth0 dmz unsafe
ce6434f7 MW	148	iface eth1 dmz unsafe
97320b7d MW	149	defhost universe
	150	iface eth0 dmz unsafe
	151	iface eth1 dmz unsafe
beb4f0ee	152	defhost artist
564c6939	153	hosttype router
490003e4 MW	154	iface eth0 dmz unsafe untrusted
490003e4 MW	155	iface eth1 dmz unsafe untrusted
83cc1e6c	156	iface eth3 unsafe untrusted
beb4f0ee	157	defhost vampire
4eb9f4df	158	hosttype router
ddbe1eaa MW	159	iface eth0.4 dmz unsafe untrusted safe vpn sgo
	160	iface eth0.5 dmz unsafe untrusted safe vpn sgo
	161	iface eth0.6 dmz unsafe safe untrusted vpn sgo
83cc1e6c	162	iface eth0.7 unsafe untrusted vpn
ddbe1eaa	163	iface vpn-precision vpn sgo
ebaa31a7 MW	164	iface vpn-chiark sgo
ebaa31a7 MW	165	iface vpn-+ vpn
beb4f0ee	166	defhost ibanez
06ff8082	167	iface br-dmz dmz unsafe
beb4f0ee	168	iface br-unsafe unsafe
6fd217ae MW	169	defhost orange
	170	iface wlan0 untrusted
	171	iface vpn-radius unsafe
49b81a66 MW	172	defhost groove
49b81a66 MW	173	iface eth0 unsafe
24ddb007 MW	174	iface wlan0 untrusted
24ddb007 MW	175	iface vpn-radius unsafe
beb4f0ee MW	176
beb4f0ee MW	177	defhost gibson
4eb9f4df	178	hosttype client
d8e50664	179	iface eth0 unsafe
beb4f0ee	180
ddbe1eaa	181	## Formerly colocated hosts.
beb4f0ee	182	defhost fender
ddbe1eaa MW	183	iface br-dmz dmz unsafe
ddbe1eaa MW	184	iface br-unsafe dmz unsafe
beb4f0ee	185	defhost precision
4eb9f4df	186	hosttype router
ddbe1eaa MW	187	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	188	iface eth1 dmz unsafe vpn sgo
1fd9cef9	189	iface vpn-mango binswood
ebaa31a7	190	iface vpn-chiark sgo
38e85ca3	191	iface vpn-national upn
175f1d48	192	iface vpn-mdwdev upn
5632bf51	193	iface vpn-eggle upn
ebaa31a7	194	iface vpn-+ vpn
beb4f0ee	195	defhost telecaster
ddbe1eaa MW	196	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	197	iface eth1 dmz unsafe vpn sgo
beb4f0ee	198	defhost stratocaster
ddbe1eaa MW	199	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	200	iface eth1 dmz unsafe vpn sgo
beb4f0ee	201	defhost jazz
560ae309	202	hosttype router
ddbe1eaa MW	203	iface eth0 dmz unsafe vpn sgo
ddbe1eaa MW	204	iface eth1 dmz unsafe vpn sgo
148d527c	205	iface dns0 iodine
d0409c90	206	iface hippo-svc hippotat
560ae309	207	iface vpn-+ vpn
beb4f0ee	208
ddbe1eaa MW	209	## Stunt connectivity networks.
	210	defnet iodine untrusted
	211	addr 172.29.198.128/28
	212	via colohub
	213	defnet hippotat untrusted
	214	addr 172.29.198.144/28
	215	via colohub
	216
	217
beb4f0ee MW	218	## Other networks.
beb4f0ee MW	219	defnet hub virtual
ddbe1eaa	220	via housebdry
ebaa31a7 MW	221	defnet sgo noloop
ebaa31a7 MW	222	addr !172.29.198.0/23
1b101247	223	addr !10.165.27.0/24
ebaa31a7 MW	224	addr 10.0.0.0/8
	225	addr 172.16.0.0/12
	226	addr 192.168.0.0/16
ddbe1eaa	227	via househub
57644f26	228	defnet vpn trusted
ddbe1eaa MW	229	addr 172.29.199.128/27 2001:8b0:c92:6000::/64
ddbe1eaa MW	230	via househub
eec061c0 MW	231	host crybaby 1 ::1:1
	232	host terror 2 ::2:1
	233	host orange 3 ::3:1
a28edce0	234	host haze 4 ::4:1
ea2e5ed4	235	host spirit 9 ::9:1
194c72b5	236	host groove 10 ::10:1
c68b8ecc	237	defnet anycast trusted
ddbe1eaa MW	238	addr 172.29.199.224/27 2001:8b0:c92:0::/64
ddbe1eaa MW	239	via dmz unsafe safe untrusted vpn nvpn
1b534b6a	240	defnet default scary
ddbe1eaa MW	241	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
	242	2001:8b0:c92::/48
	243	via dmz unsafe untrusted
42f784e2	244	defnet upn untrusted
ddbe1eaa MW	245	addr 172.29.198.160/27 2001:8b0:c92:a000::/64
ddbe1eaa MW	246	via househub
38e85ca3	247	host national 1 ::1:1
175f1d48	248	host mdwdev 2 ::2:1
5632bf51	249	host eggle 3 ::3:1
38e85ca3	250
badaaa08	251	## VPS hosts.
5632bf51 MW	252	defhost eggle
	253	iface eth0 default
	254	iface vpn-precision househub
38e85ca3 MW	255	defhost national
38e85ca3 MW	256	iface eth0 default
ddbe1eaa	257	iface vpn-precision househub
1ee6211d	258
1fd9cef9	259	## Satellite networks.
1b101247	260	defnet binswood vpnnat
1fd9cef9	261	addr 10.165.27.0/24
ddbe1eaa	262	via househub
31c0a107 MW	263	defhost mango
	264	hosttype router
	265	iface eth0 binswood default
ddbe1eaa	266	iface vpn-precision dmz default
31c0a107	267
a4d8cae3	268	m4_divert(80)m4_dnl
bfdc045d	269	###--------------------------------------------------------------------------
5c5fcd73 MW	270	### Connection tracking helper modules.
	271
	272	for i in ftp; do
	273	modprobe nf_conntrack_$i
	274	done
	275
	276	m4_divert(80)m4_dnl
	277	###--------------------------------------------------------------------------
bfdc045d MW	278	### Special forwarding exemptions.
bfdc045d MW	279
78af294c MW	280	case $forward in
	281	1)
	282
	283	## Only allow these packets if they're not fragmented. (Don't trust safe
	284	## hosts's fragment reassembly to be robust against malicious fragments.)
	285	## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
	286	## of `! -f', so we do the negation using early return from a subchain.
	287	clearchain fwd-spec-nofrag
	288	run iptables -A fwd-spec-nofrag -j RETURN --fragment
	289	run ip6tables -A fwd-spec-nofrag -j RETURN \
	290	-m ipv6header --soft --header frag
87bf1592	291	run ip46tables -A FORWARD -j fwd-spec-nofrag
78af294c MW	292
	293	## Allow ping from safe/noloop to untrusted networks.
	294	run iptables -A fwd-spec-nofrag -j ACCEPT \
	295	-p icmp --icmp-type echo-request \
	296	-m mark --mark $to_untrusted/$MASK_TO
	297	run iptables -A fwd-spec-nofrag -j ACCEPT \
	298	-p icmp --icmp-type echo-reply \
	299	-m mark --mark $from_untrusted/$MASK_FROM \
	300	-m state --state ESTABLISHED
	301	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
8b021091	302	-p icmpv6 --icmpv6-type echo-request \
78af294c MW	303	-m mark --mark $to_untrusted/$MASK_TO
78af294c MW	304	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
8b021091	305	-p icmpv6 --icmpv6-type echo-reply \
78af294c MW	306	-m mark --mark $from_untrusted/$MASK_FROM \
	307	-m state --state ESTABLISHED
	308
	309	## Allow SSH from safe/noloop to untrusted networks.
cbbd5e39	310	run ip46tables -A fwd-spec-nofrag -j ACCEPT \
78af294c MW	311	-p tcp --destination-port $port_ssh \
78af294c MW	312	-m mark --mark $to_untrusted/$MASK_TO
cbbd5e39	313	run ip46tables -A fwd-spec-nofrag -j ACCEPT \
78af294c MW	314	-p tcp --source-port $port_ssh \
	315	-m mark --mark $from_untrusted/$MASK_FROM \
	316	-m state --state ESTABLISHED
	317
	318	;;
	319	esac
	320
a4d8cae3	321	m4_divert(80)m4_dnl
ade2c052 MW	322	###--------------------------------------------------------------------------
	323	### Kill things we don't understand properly.
	324	###
	325	### I don't like having to do this, but since I don't know how to do proper
	326	### multicast filtering, I'm just going to ban it from being forwarded.
	327
	328	errorchain poorly-understood REJECT
	329
	330	## Ban multicast destination addresses in forwarding.
78af294c MW	331	case $forward in
	332	1)
	333	run iptables -A FORWARD -g poorly-understood \
	334	-d 224.0.0.0/4
	335	run ip6tables -A FORWARD -g poorly-understood \
	336	-d ff::/8
	337	;;
	338	esac
ade2c052	339
7377aca7 MW	340	m4_divert(82)m4_dnl
	341	###--------------------------------------------------------------------------
	342	### Check for source routing.
	343
	344	clearchain check-srcroute
	345
	346	run iptables -A check-srcroute -g forbidden \
	347	-m ipv4options --any --flags lsrr,ssrr
	348	run ip6tables -A check-srcroute -g forbidden \
	349	-m rt
	350
	351	for c in INPUT FORWARD; do
	352	for m in $from_scary $from_untrusted; do
	353	run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
	354	done
	355	done
	356
a4d8cae3	357	m4_divert(84)m4_dnl
bfdc045d MW	358	###--------------------------------------------------------------------------
	359	### Locally-bound packet inspection.
	360
	361	clearchain inbound
94ce6e76	362	clearchain inbound-untrusted
bfdc045d MW	363
bfdc045d MW	364	## Track connections.
ecdca131	365	commonrules inbound
bfdc045d MW	366	conntrack inbound
	367
	368	## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
	369	## local request.
	370	run iptables -A inbound -j ACCEPT \
	371	-s 0.0.0.0 -d 255.255.255.255 \
	372	-p udp --source-port $port_bootpc --destination-port $port_bootps
	373	run iptables -A inbound -j ACCEPT \
	374	-s 172.29.198.0/23 \
	375	-p udp --source-port $port_bootpc --destination-port $port_bootps
	376
	377	## Allow incoming ping. This is the only ICMP left.
8bd7e0fe MW	378	run iptables -A inbound -j ACCEPT -p icmp
8bd7e0fe MW	379	run ip6tables -A inbound -j ACCEPT -p icmpv6
bfdc045d MW	380
	381	m4_divert(88)m4_dnl
	382	## Allow unusual things.
	383	openports inbound
	384
	385	## Inspect inbound packets from untrusted sources.
8a3660c1	386	run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
94ce6e76	387	run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
94ce6e76	388	run ip46tables -A inbound-untrusted -g forbidden
994ac8d0	389	run ip46tables -A inbound -g forbidden
4f8c1989	390	run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
0291d6d5	391	run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
bfdc045d	392
1b534b6a	393	## Allow responses from the scary outside world into the untrusted net, but
43e20546	394	## don't let untrusted things run services.
1b534b6a MW	395	case $forward in
	396	1)
	397	run ip46tables -A FORWARD -j ACCEPT \
	398	-m mark --mark $(( $from_scary \| $to_untrusted ))/$(( $MASK_FROM \| $MASK_TO )) \
	399	-m state --state ESTABLISHED,RELATED
	400	;;
	401	esac
	402
bfdc045d	403	## Otherwise process as indicated by the mark.
f0033e07 MW	404	for i in $inchains; do
	405	run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
	406	done
bfdc045d MW	407
	408	m4_divert(-1)
	409	###----- That's all, folks --------------------------------------------------