| 1 | ### -*-sh-*- |
| 2 | ### |
| 3 | ### Initialization and finishing touches for firewall scripts |
| 4 | ### |
| 5 | ### (c) 2008 Mark Wooding |
| 6 | ### |
| 7 | |
| 8 | ###----- Licensing notice --------------------------------------------------- |
| 9 | ### |
| 10 | ### This program is free software; you can redistribute it and/or modify |
| 11 | ### it under the terms of the GNU General Public License as published by |
| 12 | ### the Free Software Foundation; either version 2 of the License, or |
| 13 | ### (at your option) any later version. |
| 14 | ### |
| 15 | ### This program is distributed in the hope that it will be useful, |
| 16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | ### GNU General Public License for more details. |
| 19 | ### |
| 20 | ### You should have received a copy of the GNU General Public License |
| 21 | ### along with this program; if not, write to the Free Software Foundation, |
| 22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 23 | |
| 24 | m4_divert(30)m4_dnl |
| 25 | ###-------------------------------------------------------------------------- |
| 26 | ### Clear existing firewall rules. |
| 27 | |
| 28 | ## The main chains: set policy to drop, and then clear the rules. For a |
| 29 | ## while, incoming packets will be silently dropped, but we should have got |
| 30 | ## everything going before anyone actually hits a timeout. |
| 31 | ## |
| 32 | ## We don't control some of the chains, so we should preserve them. This |
| 33 | ## introduces a whole bunch of problems. |
| 34 | |
| 35 | ## Chains we're meant to preserve |
| 36 | preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains" |
| 37 | |
| 38 | ## Take the various IP versions in turn. |
| 39 | unref=nil |
| 40 | for ip in ip ip6; do |
| 41 | for table in $(cat /proc/net/${ip}_tables_names); do |
| 42 | |
| 43 | ## Step 1: clear out the builtin chains. |
| 44 | ${ip}tables -nL -t $table | |
| 45 | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | |
| 46 | while read chain; do |
| 47 | case $table in |
| 48 | nat) policy=ACCEPT ;; |
| 49 | *) policy=DROP ;; |
| 50 | esac |
| 51 | run ${ip}tables -t $table -P $chain $policy |
| 52 | run ${ip}tables -t $table -F $chain |
| 53 | done |
| 54 | |
| 55 | ## Step 2: clear out user chains. Unfortunately, we can only clear |
| 56 | ## chains which have no references to them, so work through picking off |
| 57 | ## unreferenced chains which aren't meant to be preserved until there are |
| 58 | ## none left. |
| 59 | while :; do |
| 60 | progress=nil |
| 61 | ${ip}tables -nL -t $table | |
| 62 | sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \ |
| 63 | >/var/run/firewall-chains.tmp |
| 64 | while read chain; do |
| 65 | match=nil |
| 66 | for pat in $preserve_chains; do |
| 67 | case "$table:$chain" in $pat) match=t ;; esac |
| 68 | done |
| 69 | case $match in |
| 70 | nil) |
| 71 | run ${ip}tables -t $table -F $chain |
| 72 | run ${ip}tables -t $table -X $chain |
| 73 | progress=t |
| 74 | ;; |
| 75 | esac |
| 76 | done </var/run/firewall-chains.tmp |
| 77 | case $progress in nil) break ;; esac |
| 78 | done |
| 79 | |
| 80 | ## Step 3: report on uncleared user chains. This means that there's a |
| 81 | ## serious problem. |
| 82 | ${ip}tables -nL -t $table | |
| 83 | sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \ |
| 84 | >/var/run/firewall-chains.tmp |
| 85 | while read chain refs; do |
| 86 | match=nil |
| 87 | for pat in $preserve_chains; do |
| 88 | case "$table:$chain" in $pat) match=t ;; esac |
| 89 | done |
| 90 | case $match in |
| 91 | nil) |
| 92 | echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'" |
| 93 | unref=t |
| 94 | ;; |
| 95 | esac |
| 96 | done </var/run/firewall-chains.tmp |
| 97 | done |
| 98 | done |
| 99 | rm -f /var/run/firewall-chains.tmp |
| 100 | case $unref in t) exit 1 ;; esac |
| 101 | |
| 102 | m4_divert(32)m4_dnl |
| 103 | ###-------------------------------------------------------------------------- |
| 104 | ### Set safe IP options. |
| 105 | |
| 106 | ## Set forwarding options. Apparently setting ip_forward clobbers other |
| 107 | ## settings, so put this first. |
| 108 | case $host_type_<::>FWHOST in |
| 109 | router) forward=1 ;; |
| 110 | *) forward=0 ;; |
| 111 | esac |
| 112 | setopt ip_forward $forward |
| 113 | setdevopt forwarding $forward |
| 114 | |
| 115 | ## Set dynamic port allocation. |
| 116 | setopt ip_local_port_range $open_port_min $open_port_max |
| 117 | |
| 118 | ## Deploy SYN-cookies if necessary. |
| 119 | setopt tcp_syncookies 1 |
| 120 | |
| 121 | ## Allow broadcast and multicast ping, because it's a useful diagnostic tool. |
| 122 | setopt icmp_echo_ignore_broadcasts 0 |
| 123 | |
| 124 | ## Turn off iptables filtering for bridges. We'll use ebtables if we need |
| 125 | ## to; but right now the model is that we do filtering at the borders, and |
| 126 | ## are tolerant of things which are local. |
| 127 | if [ -x /sbin/brctl ]; then |
| 128 | modprobe bridge || : |
| 129 | if [ -d /proc/sys/net/bridge ]; then |
| 130 | for filter in arptables iptables ip6tables; do |
| 131 | run sysctl -q net.bridge.bridge-nf-call-$filter=0 |
| 132 | done |
| 133 | fi |
| 134 | fi |
| 135 | |
| 136 | ## Turn off the reverse-path filter. It's basically useless: the filter does |
| 137 | ## nothing at all for single-homed hosts; and multi-homed hosts tend to have |
| 138 | ## routing aysmmetries if there's any kind of cycle. |
| 139 | setdevopt rp_filter 0 |
| 140 | setdevopt log_martians 0 |
| 141 | |
| 142 | ## Turn off things which can mess with our routing decisions. |
| 143 | setdevopt accept_source_route 0 |
| 144 | setdevopt accept_redirects 0 |
| 145 | |
| 146 | ## If we're maent to stop the firewall, then now is the time to do it. |
| 147 | $exit_after_clearing |
| 148 | |
| 149 | m4_divert(34)m4_dnl |
| 150 | ###-------------------------------------------------------------------------- |
| 151 | ### Establish error chains. |
| 152 | |
| 153 | errorchain forbidden REJECT |
| 154 | ## Generic `not allowed' chain. |
| 155 | |
| 156 | errorchain tcp-fragment REJECT |
| 157 | ## Chain for logging fragmented TCP segements. |
| 158 | |
| 159 | errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset |
| 160 | ## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset. |
| 161 | |
| 162 | errorchain mangle:bad-source-address DROP |
| 163 | errorchain bad-source-address DROP |
| 164 | ## Packet arrived on wrong interface for its source address. Drops the |
| 165 | ## packet, since there's nowhere sensible to send an error. |
| 166 | |
| 167 | errorchain bad-destination-address REJECT |
| 168 | ## Packet arrived on non-loopback interface with loopback destination. |
| 169 | |
| 170 | errorchain interesting ACCEPT |
| 171 | ## Not an error, just log interesting packets. |
| 172 | |
| 173 | m4_divert(50)m4_dnl |
| 174 | ###-------------------------------------------------------------------------- |
| 175 | ### Standard filtering. |
| 176 | |
| 177 | ## Don't clobber local traffic |
| 178 | run ip46tables -A INPUT -i lo -j ACCEPT |
| 179 | |
| 180 | ## We really shouldn't see packets destined for localhost on any interface |
| 181 | ## other than the loopback. |
| 182 | run iptables -A INPUT -g bad-destination-address \ |
| 183 | -d 127.0.0.0/8 |
| 184 | run ip6tables -A INPUT -g bad-destination-address \ |
| 185 | -d ::1 |
| 186 | |
| 187 | ## We shouldn't be asked to forward things with link-local addresses. |
| 188 | case $forward in |
| 189 | 1) |
| 190 | run iptables -A FORWARD -g bad-source-address \ |
| 191 | -s 169.254.0.0/16 |
| 192 | run iptables -A FORWARD -g bad-destination-address \ |
| 193 | -d 169.254.0.0/16 |
| 194 | run ip6tables -A FORWARD -g bad-source-address \ |
| 195 | -s fe80::/10 |
| 196 | run ip6tables -A FORWARD -g bad-destination-address \ |
| 197 | -d fe80::/10 |
| 198 | ;; |
| 199 | esac |
| 200 | |
| 201 | ## Also, don't forward link-local broadcast or multicast. |
| 202 | case $forward in |
| 203 | 1) |
| 204 | run iptables -A FORWARD -g bad-destination-address \ |
| 205 | -d 255.255.255.255 |
| 206 | run iptables -A FORWARD -g bad-destination-address \ |
| 207 | -m addrtype --dst-type BROADCAST |
| 208 | run iptables -A FORWARD -g bad-destination-address \ |
| 209 | -d 224.0.0.0/24 |
| 210 | for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do |
| 211 | run ip6tables -A FORWARD -g bad-destination-address \ |
| 212 | -d fe${x}2::/16 |
| 213 | done |
| 214 | ;; |
| 215 | esac |
| 216 | |
| 217 | ## Add a hook for fail2ban. |
| 218 | clearchain fail2ban |
| 219 | run ip46tables -A INPUT -j fail2ban |
| 220 | |
| 221 | m4_divert(90)m4_dnl |
| 222 | ###-------------------------------------------------------------------------- |
| 223 | ### Finishing touches. |
| 224 | |
| 225 | m4_divert(94)m4_dnl |
| 226 | ## Locally generated packets are all OK. |
| 227 | run ip46tables -P OUTPUT ACCEPT |
| 228 | |
| 229 | ## Other incoming things are forbidden. |
| 230 | for chain in INPUT FORWARD; do |
| 231 | run ip46tables -A $chain -g forbidden |
| 232 | done |
| 233 | |
| 234 | ## Allow stuff through unknown tables. |
| 235 | for ip in ip ip6; do |
| 236 | for table in $(cat /proc/net/${ip}_tables_names); do |
| 237 | case $table in mangle | filter) continue ;; esac |
| 238 | ${ip}tables -nL -t $table | |
| 239 | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | |
| 240 | while read chain; do |
| 241 | run ${ip}tables -t $table -P $chain ACCEPT |
| 242 | done |
| 243 | done |
| 244 | done |
| 245 | |
| 246 | ## Dump the resulting configuration. |
| 247 | if [ "$FW_DEBUG" ]; then |
| 248 | for ip in ip ip6; do |
| 249 | for table in mangle filter; do |
| 250 | echo "----- $ip $table -----" |
| 251 | echo |
| 252 | ${ip}tables -t $table -nvL |
| 253 | echo |
| 254 | done |
| 255 | done |
| 256 | fi |
| 257 | |
| 258 | m4_divert(-1) |
| 259 | ###----- That's all, folks -------------------------------------------------- |