~mdw / firewall / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
local.m4: New satellite network `binswood'.
[firewall] / local.m4
... / ...
CommitLineData
1### -*-sh-*-
2###
3### Local firewall configuration
4###
5### (c) 2008 Mark Wooding
6###
7
8###----- Licensing notice ---------------------------------------------------
9###
10### This program is free software; you can redistribute it and/or modify
11### it under the terms of the GNU General Public License as published by
12### the Free Software Foundation; either version 2 of the License, or
13### (at your option) any later version.
14###
15### This program is distributed in the hope that it will be useful,
16### but WITHOUT ANY WARRANTY; without even the implied warranty of
17### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18### GNU General Public License for more details.
19###
20### You should have received a copy of the GNU General Public License
21### along with this program; if not, write to the Free Software Foundation,
22### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24###--------------------------------------------------------------------------
25### Local configuration.
26
27m4_divert(6)m4_dnl
28## Default NTP servers.
29defconf(ntp_servers,
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
31
32m4_divert(-1)
33###--------------------------------------------------------------------------
34### Packet classification.
35
36## IPv4 addressing.
37##
38## There are two small blocks of publicly routable IPv4 addresses, and a
39## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40## The former are as follows.
41##
42## 62.49.204.144/28
43## House border network (dmz). We have all of these, but .145
44## is reserved for the router.
45##
46## 212.13.18.64/28
47## Jump colocated network (jump). .65--68 are used by Jump
48## network infrastructure; we get the rest.
49##
50## The latter is the block 172.29.196.0/22. Currently the low half is
51## unallocated (and may be returned to the G-RIN); the remaining addresses
52## are allocated as follows.
53##
54## 172.29.198.0/24 Untrusted networks.
55## .0/25 house wireless net
56## .128/28 iodine (IP-over-DNS) network
57##
58## 172.29.199.0/24 Trusted networks.
59## .0/25 house wired network
60## .128/27 mobile VPN hosts
61## .160/28 reserved, except .160/30 allocated for ITS
62## .176/28 internal colocated network
63## .192/27 house safe network
64## .224/27 anycast services
65
66## IPv6 addressing.
67##
68## There are five blocks of publicly routable IPv6 addresses, though some of
69## them aren't very interesting. The ranges are as follows.
70##
71## 2001:470:1f08:1b98::/64
72## Hurricane Electric tunnel network: only :1 (HE) and :2
73## (radius) are used.
74##
75## 2001:470:1f09:1b98::/64
76## House border network (dmz).
77##
78## 2001:470:9740::/48
79## Main house range. See below for allocation policy.
80##
81## 2001:ba8:0:1d9::/64
82## Jump border network (jump): :1 is the router (supplied by
83## Jump); other addresses are ours.
84##
85## 2001:ba8:1d9::/48
86## Main colocated range. See below for allocation policy.
87##
88## Addresses in the /64 networks are simply allocated in ascending order.
89## The /48s are split into /64s by appending a 16-bit network number. The
90## top nibble of the network number classifies the network, as follows.
91##
92## 8xxx Untrusted
93## 6xxx Virtual
94## 4xxx Safe
95## 0xxx Unsafe, trusted
96##
97## These have been chosen so that network properties can be deduced by
98## inspecting bits of the network number:
99##
100## Bit 15 If set, the network is untrusted; otherwise it is trusted.
101## Bit 14 If set, the network is safe; otherwise it is unsafe.
102##
103## Finally, the low-order nibbles identify the site.
104##
105## 0 No specific site: mobile VPN endpoints or anycast addresses.
106## 1 House.
107## 2 Jump colocation.
108##
109## Usually site-0 networks are allocated from the Jump range to improve
110## expected performance from/to external sites which don't engage in our
111## dynamic routing protocols.
112
113## Define the available network classes.
114m4_divert(42)m4_dnl
115defnetclass untrusted untrusted trusted mcast
116defnetclass trusted untrusted trusted safe noloop mcast
117defnetclass safe trusted safe noloop mcast
118defnetclass noloop trusted safe mcast
119
120defnetclass link
121defnetclass mcast
122m4_divert(-1)
123
124m4_divert(26)m4_dnl
125###--------------------------------------------------------------------------
126### Network layout.
127
128## House networks.
129defnet dmz trusted
130 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
131 via unsafe untrusted
132defnet unsafe trusted
133 addr 172.29.199.0/25 2001:470:9740:1::/64
134 via househub
135defnet safe safe
136 addr 172.29.199.192/27 2001:470:9740:4001::/64
137 via househub
138defnet untrusted untrusted
139 addr 172.29.198.0/25 2001:470:9740:8001::/64
140 via househub
141
142defnet househub virtual
143 via housebdry dmz unsafe safe untrusted
144defnet housebdry virtual
145 via househub hub
146 noxit dmz
147
148## House hosts.
149defhost radius
150 hosttype router
151 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
152 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
153 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
154 iface eth3 untrusted vpn default
155 iface ppp0 default
156 iface t6-he default
157 iface vpn-precision colobdry vpn sgo
158 iface vpn-chiark sgo
159 iface vpn-+ vpn
160defhost roadstar
161 iface eth0 dmz unsafe
162 iface eth1 dmz unsafe
163defhost jem
164 iface eth0 dmz unsafe
165 iface eth1 dmz unsafe
166defhost artist
167 hosttype router
168 iface eth0 dmz unsafe untrusted
169 iface eth1 dmz unsafe untrusted
170 iface eth3 untrusted
171defhost vampire
172 hosttype router
173 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
174 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
175 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
176 iface eth0.7 untrusted
177 iface vpn-precision colobdry vpn sgo
178 iface vpn-chiark sgo
179 iface vpn-+ vpn
180defhost ibanez
181 iface br-dmz dmz unsafe
182 iface br-unsafe unsafe
183defhost orange
184 iface wlan0 untrusted
185 iface vpn-radius unsafe
186
187defhost gibson
188 hosttype client
189 iface eth0 unsafe
190
191## Colocated networks.
192defnet jump trusted
193 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
194 via colohub
195defnet colo trusted
196 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
197 via colohub
198defnet colohub virtual
199 via colobdry jump colo
200defnet colobdry virtual
201 via colohub hub
202 noxit jump
203defnet iodine untrusted
204 addr 172.29.198.128/28
205 via colohub
206
207## Colocated hosts.
208defhost fender
209 iface br-jump jump colo
210 iface br-colo jump colo
211defhost precision
212 hosttype router
213 iface eth0 jump colo vpn sgo
214 iface eth1 jump colo vpn sgo
215 iface vpn-mango binswood
216 iface vpn-radius housebdry vpn sgo
217 iface vpn-chiark sgo
218 iface vpn-+ vpn
219defhost telecaster
220 iface eth0 jump colo
221 iface eth1 jump colo
222defhost stratocaster
223 iface eth0 jump colo
224 iface eth1 jump colo
225defhost jazz
226 hosttype router
227 iface eth0 jump colo vpn
228 iface eth1 jump colo vpn
229 iface dns0 iodine
230 iface vpn-+ vpn
231
232## Other networks.
233defnet hub virtual
234 via housebdry colobdry
235defnet sgo noloop
236 addr !172.29.198.0/23
237 addr 10.0.0.0/8
238 addr 172.16.0.0/12
239 addr 192.168.0.0/16
240 via househub colohub
241defnet vpn safe
242 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
243 via househub colohub
244 host crybaby 1
245 host terror 2
246 host orange 3
247defnet anycast trusted
248 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
249 via dmz unsafe safe untrusted jump colo vpn
250defnet default untrusted
251 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
252 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
253 addr 2001:ba8:1d9::/48 #temporary
254 via dmz unsafe untrusted jump colo
255
256## Satellite networks.
257defnet binswood noloop
258 addr 10.165.27.0/24
259 via colohub
260
261m4_divert(80)m4_dnl
262###--------------------------------------------------------------------------
263### Special forwarding exemptions.
264
265case $forward in
266 1)
267
268 ## Only allow these packets if they're not fragmented. (Don't trust safe
269 ## hosts's fragment reassembly to be robust against malicious fragments.)
270 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
271 ## of `! -f', so we do the negation using early return from a subchain.
272 clearchain fwd-spec-nofrag
273 run iptables -A fwd-spec-nofrag -j RETURN --fragment
274 run ip6tables -A fwd-spec-nofrag -j RETURN \
275 -m ipv6header --soft --header frag
276 run ip46tables -A FORWARD -j fwd-spec-nofrag
277
278 ## Allow ping from safe/noloop to untrusted networks.
279 run iptables -A fwd-spec-nofrag -j ACCEPT \
280 -p icmp --icmp-type echo-request \
281 -m mark --mark $to_untrusted/$MASK_TO
282 run iptables -A fwd-spec-nofrag -j ACCEPT \
283 -p icmp --icmp-type echo-reply \
284 -m mark --mark $from_untrusted/$MASK_FROM \
285 -m state --state ESTABLISHED
286 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
287 -p icmpv6 --icmpv6-type echo-request \
288 -m mark --mark $to_untrusted/$MASK_TO
289 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
290 -p icmpv6 --icmpv6-type echo-reply \
291 -m mark --mark $from_untrusted/$MASK_FROM \
292 -m state --state ESTABLISHED
293
294 ## Allow SSH from safe/noloop to untrusted networks.
295 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
296 -p tcp --destination-port $port_ssh \
297 -m mark --mark $to_untrusted/$MASK_TO
298 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
299 -p tcp --source-port $port_ssh \
300 -m mark --mark $from_untrusted/$MASK_FROM \
301 -m state --state ESTABLISHED
302
303 ;;
304esac
305
306m4_divert(80)m4_dnl
307###--------------------------------------------------------------------------
308### Kill things we don't understand properly.
309###
310### I don't like having to do this, but since I don't know how to do proper
311### multicast filtering, I'm just going to ban it from being forwarded.
312
313errorchain poorly-understood REJECT
314
315## Ban multicast destination addresses in forwarding.
316case $forward in
317 1)
318 run iptables -A FORWARD -g poorly-understood \
319 -d 224.0.0.0/4
320 run ip6tables -A FORWARD -g poorly-understood \
321 -d ff::/8
322 ;;
323esac
324
325m4_divert(84)m4_dnl
326###--------------------------------------------------------------------------
327### Locally-bound packet inspection.
328
329clearchain inbound
330
331## Track connections.
332commonrules inbound
333conntrack inbound
334
335## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
336## local request.
337run iptables -A inbound -j ACCEPT \
338 -s 0.0.0.0 -d 255.255.255.255 \
339 -p udp --source-port $port_bootpc --destination-port $port_bootps
340run iptables -A inbound -j ACCEPT \
341 -s 172.29.198.0/23 \
342 -p udp --source-port $port_bootpc --destination-port $port_bootps
343
344## Allow incoming ping. This is the only ICMP left.
345run ip46tables -A inbound -j ACCEPT -p icmp
346
347m4_divert(88)m4_dnl
348## Allow unusual things.
349openports inbound
350
351## Inspect inbound packets from untrusted sources.
352run ip46tables -A inbound -j forbidden
353run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
354
355## Otherwise process as indicated by the mark.
356for i in $inchains; do
357 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
358done
359
360m4_divert(-1)
361###----- That's all, folks --------------------------------------------------
Firewall scripts for distorted.org.uk.