~mdw / firewall / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
New host `orange'.
[firewall] / local.m4
... / ...
CommitLineData
1### -*-sh-*-
2###
3### Local firewall configuration
4###
5### (c) 2008 Mark Wooding
6###
7
8###----- Licensing notice ---------------------------------------------------
9###
10### This program is free software; you can redistribute it and/or modify
11### it under the terms of the GNU General Public License as published by
12### the Free Software Foundation; either version 2 of the License, or
13### (at your option) any later version.
14###
15### This program is distributed in the hope that it will be useful,
16### but WITHOUT ANY WARRANTY; without even the implied warranty of
17### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18### GNU General Public License for more details.
19###
20### You should have received a copy of the GNU General Public License
21### along with this program; if not, write to the Free Software Foundation,
22### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24###--------------------------------------------------------------------------
25### Local configuration.
26
27m4_divert(6)m4_dnl
28## Default NTP servers.
29defconf(ntp_servers,
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
31
32m4_divert(-1)
33###--------------------------------------------------------------------------
34### Packet classification.
35
36## IPv4 addressing.
37##
38## There are two small blocks of publicly routable IPv4 addresses, and a
39## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40## The former are as follows.
41##
42## 62.49.204.144/28
43## House border network (dmz). We have all of these, but .145
44## is reserved for the router.
45##
46## 212.13.18.64/28
47## Jump colocated network (jump). .65--68 are used by Jump
48## network infrastructure; we get the rest.
49##
50## The latter is the block 172.29.196.0/22. Currently the low half is
51## unallocated (and may be returned to the G-RIN); the remaining addresses
52## are allocated as follows.
53##
54## 172.29.198.0/24 Untrusted networks.
55## .0/25 house wireless net
56## .128/28 iodine (IP-over-DNS) network
57##
58## 172.29.199.0/24 Trusted networks.
59## .0/25 house wired network
60## .128/27 mobile VPN hosts
61## .160/28 reserved, except .160/30 allocated for ITS
62## .176/28 internal colocated network
63## .192/27 house safe network
64## .224/27 anycast services
65
66## IPv6 addressing.
67##
68## There are five blocks of publicly routable IPv6 addresses, though some of
69## them aren't very interesting. The ranges are as follows.
70##
71## 2001:470:1f08:1b98::/64
72## Hurricane Electric tunnel network: only :1 (HE) and :2
73## (radius) are used.
74##
75## 2001:470:1f09:1b98::/64
76## House border network (dmz).
77##
78## 2001:470:9740::/48
79## Main house range. See below for allocation policy.
80##
81## 2001:ba8:0:1d9::/64
82## Jump border network (jump): :1 is the router (supplied by
83## Jump); other addresses are ours.
84##
85## 2001:ba8:1d9::/48
86## Main colocated range. See below for allocation policy.
87##
88## Addresses in the /64 networks are simply allocated in ascending order.
89## The /48s are split into /64s by appending a 16-bit network number. The
90## top nibble of the network number classifies the network, as follows.
91##
92## 8xxx Untrusted
93## 6xxx Virtual
94## 4xxx Safe
95## 0xxx Unsafe, trusted
96##
97## These have been chosen so that network properties can be deduced by
98## inspecting bits of the network number:
99##
100## Bit 15 If set, the network is untrusted; otherwise it is trusted.
101## Bit 14 If set, the network is safe; otherwise it is unsafe.
102##
103## Finally, the low-order nibbles identify the site.
104##
105## 0 No specific site: mobile VPN endpoints or anycast addresses.
106## 1 House.
107## 2 Jump colocation.
108##
109## Usually site-0 networks are allocated from the Jump range to improve
110## expected performance from/to external sites which don't engage in our
111## dynamic routing protocols.
112
113## Define the available network classes.
114m4_divert(42)m4_dnl
115defnetclass untrusted untrusted trusted mcast
116defnetclass trusted untrusted trusted safe noloop mcast
117defnetclass safe trusted safe noloop mcast
118defnetclass noloop trusted safe mcast
119defnetclass link
120defnetclass mcast
121m4_divert(-1)
122
123m4_divert(26)m4_dnl
124###--------------------------------------------------------------------------
125### Network layout.
126
127## House networks.
128defnet dmz trusted
129 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
130 forwards unsafe untrusted
131defnet unsafe trusted
132 addr 172.29.199.0/25 2001:470:9740:1::/64
133 forwards househub
134defnet safe safe
135 addr 172.29.199.192/27 2001:470:9740:4001::/64
136 forwards househub
137defnet untrusted untrusted
138 addr 172.29.198.0/25 2001:470:9740:8001::/64
139 forwards househub
140
141defnet househub virtual
142 forwards housebdry dmz unsafe safe untrusted
143defnet housebdry virtual
144 forwards househub hub
145 noxit dmz
146
147## House hosts.
148defhost radius
149 hosttype router
150 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
151 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
152 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
153 iface eth3 untrusted vpn default
154 iface ppp0 default
155 iface t6-he default
156 iface vpn-precision colobdry vpn sgo
157 iface vpn-chiark sgo
158 iface vpn-+ vpn
159defhost roadstar
160 iface eth0 dmz unsafe
161 iface eth1 dmz unsafe
162defhost jem
163 iface eth0 dmz unsafe
164 iface eth1 dmz unsafe
165defhost artist
166 hosttype router
167 iface eth0 dmz unsafe untrusted
168 iface eth1 dmz unsafe untrusted
169 iface eth3 untrusted
170defhost vampire
171 hosttype router
172 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
173 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
174 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
175 iface eth0.7 untrusted
176 iface vpn-precision colobdry vpn sgo
177 iface vpn-chiark sgo
178 iface vpn-+ vpn
179defhost ibanez
180 iface br-dmz dmz unsafe
181 iface br-unsafe unsafe
182defhost orange
183 iface wlan0 untrusted
184 iface vpn-radius unsafe
185
186defhost gibson
187 hosttype client
188 iface eth0 unsafe
189
190## Colocated networks.
191defnet jump trusted
192 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
193 forwards colohub
194defnet colo trusted
195 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
196 forwards colohub
197defnet colohub virtual
198 forwards colobdry jump colo iodine
199defnet colobdry virtual
200 forwards colohub hub
201 noxit jump
202defnet iodine untrusted
203 addr 172.29.198.128/28
204 forwards colohub
205
206## Colocated hosts.
207defhost fender
208 iface br-jump jump colo
209 iface br-colo jump colo
210defhost precision
211 hosttype router
212 iface eth0 jump colo vpn sgo
213 iface eth1 jump colo vpn sgo
214 iface vpn-radius housebdry vpn sgo
215 iface vpn-chiark sgo
216 iface vpn-+ vpn
217defhost telecaster
218 iface eth0 jump colo
219 iface eth1 jump colo
220defhost stratocaster
221 iface eth0 jump colo
222 iface eth1 jump colo
223defhost jazz
224 hosttype router
225 iface eth0 jump colo vpn
226 iface eth1 jump colo vpn
227 iface dns0 iodine
228 iface vpn-+ vpn
229
230## Other networks.
231defnet hub virtual
232 forwards housebdry colobdry
233defnet sgo noloop
234 addr !172.29.198.0/23
235 addr 10.0.0.0/8
236 addr 172.16.0.0/12
237 addr 192.168.0.0/16
238 forwards househub colohub
239defnet vpn safe
240 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
241 forwards househub colohub
242 host crybaby 1
243 host terror 2
244 host orange 3
245defnet anycast trusted
246 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
247 forwards dmz unsafe safe untrusted jump colo vpn
248defnet default untrusted
249 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
250 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
251 addr 2001:ba8:1d9::/48 #temporary
252 forwards dmz unsafe untrusted jump colo
253
254m4_divert(80)m4_dnl
255###--------------------------------------------------------------------------
256### Special forwarding exemptions.
257
258case $forward in
259 1)
260
261 ## Only allow these packets if they're not fragmented. (Don't trust safe
262 ## hosts's fragment reassembly to be robust against malicious fragments.)
263 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
264 ## of `! -f', so we do the negation using early return from a subchain.
265 clearchain fwd-spec-nofrag
266 run iptables -A fwd-spec-nofrag -j RETURN --fragment
267 run ip6tables -A fwd-spec-nofrag -j RETURN \
268 -m ipv6header --soft --header frag
269 run ip46tables -A FORWARD -j fwd-spec-nofrag
270
271 ## Allow ping from safe/noloop to untrusted networks.
272 run iptables -A fwd-spec-nofrag -j ACCEPT \
273 -p icmp --icmp-type echo-request \
274 -m mark --mark $to_untrusted/$MASK_TO
275 run iptables -A fwd-spec-nofrag -j ACCEPT \
276 -p icmp --icmp-type echo-reply \
277 -m mark --mark $from_untrusted/$MASK_FROM \
278 -m state --state ESTABLISHED
279 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
280 -p icmpv6 --icmpv6-type echo-request \
281 -m mark --mark $to_untrusted/$MASK_TO
282 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
283 -p icmpv6 --icmpv6-type echo-reply \
284 -m mark --mark $from_untrusted/$MASK_FROM \
285 -m state --state ESTABLISHED
286
287 ## Allow SSH from safe/noloop to untrusted networks.
288 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
289 -p tcp --destination-port $port_ssh \
290 -m mark --mark $to_untrusted/$MASK_TO
291 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
292 -p tcp --source-port $port_ssh \
293 -m mark --mark $from_untrusted/$MASK_FROM \
294 -m state --state ESTABLISHED
295
296 ;;
297esac
298
299m4_divert(80)m4_dnl
300###--------------------------------------------------------------------------
301### Kill things we don't understand properly.
302###
303### I don't like having to do this, but since I don't know how to do proper
304### multicast filtering, I'm just going to ban it from being forwarded.
305
306errorchain poorly-understood REJECT
307
308## Ban multicast destination addresses in forwarding.
309case $forward in
310 1)
311 run iptables -A FORWARD -g poorly-understood \
312 -d 224.0.0.0/4
313 run ip6tables -A FORWARD -g poorly-understood \
314 -d ff::/8
315 ;;
316esac
317
318m4_divert(84)m4_dnl
319###--------------------------------------------------------------------------
320### Locally-bound packet inspection.
321
322clearchain inbound
323
324## Track connections.
325commonrules inbound
326conntrack inbound
327
328## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
329## local request.
330run iptables -A inbound -j ACCEPT \
331 -s 0.0.0.0 -d 255.255.255.255 \
332 -p udp --source-port $port_bootpc --destination-port $port_bootps
333run iptables -A inbound -j ACCEPT \
334 -s 172.29.198.0/23 \
335 -p udp --source-port $port_bootpc --destination-port $port_bootps
336
337## Allow incoming ping. This is the only ICMP left.
338run ip46tables -A inbound -j ACCEPT -p icmp
339
340m4_divert(88)m4_dnl
341## Allow unusual things.
342openports inbound
343
344## Inspect inbound packets from untrusted sources.
345run ip46tables -A inbound -j forbidden
346run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
347
348## Otherwise process as indicated by the mark.
349for i in $inchains; do
350 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
351done
352
353m4_divert(-1)
354###----- That's all, folks --------------------------------------------------
Firewall scripts for distorted.org.uk.