local.m4: Default addresses reach the IPv6 tunnel interface.

[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted mcast
defnetclass trusted untrusted trusted safe noloop mcast
defnetclass safe trusted safe noloop mcast
defnetclass noloop trusted safe mcast
defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
	addr 62.49.204.144/28 2001:470:1f09:1b98::/64
	forwards unsafe untrusted
defnet unsafe trusted
	addr 172.29.199.0/25 2001:470:9740:1::/64
	forwards househub
defnet safe safe
	addr 172.29.199.192/27 2001:470:9740:4001::/64
	forwards househub
defnet untrusted untrusted
	addr 172.29.198.0/25 2001:470:9740:8001::/64
	forwards househub
defnet iodine untrusted
	addr 172.29.198.128/28

defnet househub virtual
	forwards housebdry dmz unsafe safe untrusted
defnet housebdry virtual
	forwards househub hub
	noxit dmz

## House hosts.
defhost radius
	hosttype router
	iface eth0 dmz unsafe safe default
	iface eth1 dmz unsafe safe default
	iface eth2 safe
	iface eth3 untrusted default
	iface t6-he default
defhost roadstar
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost jem
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost artist
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost vampire
	hosttype router
	iface eth0.0 dmz unsafe safe
	iface eth0.1 dmz unsafe safe
	iface eth0.2 safe
	iface eth0.3 untrusted
	iface dns0 iodine
	iface vpn-precision colobdry vpn
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost ibanez
	iface br-dmz dmz unsafe
	iface br-unsafe unsafe

defhost gibson
	hosttype client
	iface eth0 unsafe

## Colocated networks.
defnet jump trusted
	addr 212.13.198.64/28 2001:ba8:0:1d9::/64
	forwards colohub
defnet colo trusted
	addr 172.29.199.176/28 2001:ba8:1d9:2::/64
	forwards colohub
defnet colohub virtual
	forwards colobdry jump colo
defnet colobdry virtual
	forwards colohub hub
	noxit jump

## Colocated hosts.
defhost fender
	iface br-jump jump colo
	iface br-colo jump colo
defhost precision
	hosttype router
	iface eth0 jump colo
	iface eth1 jump colo
	iface vpn-vampire housebdry vpn
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost telecaster
	iface eth0 jump colo
	iface eth1 jump colo
defhost stratocaster
	iface eth0 jump colo
	iface eth1 jump colo
defhost jazz
	iface eth0 jump colo
	iface eth1 jump colo

## Other networks.
defnet hub virtual
	forwards housebdry colobdry
defnet sgo noloop
	addr !172.29.198.0/23
	addr 10.0.0.0/8
	addr 172.16.0.0/12
	addr 192.168.0.0/16
	forwards househub colohub
defnet vpn safe
	addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
	forwards househub colohub
	host crybaby 1
	host terror 2
defnet anycast trusted
	addr 172.29.199.224/27 2001:ba8:1d9:0::/64
	forwards dmz unsafe safe untrusted jump colo vpn
defnet default untrusted
	addr 62.49.204.144/28 2001:470:1f09:1b98::/64
	addr 212.13.198.64/28 2001:ba8:0:1d9::/64
	addr 2001:ba8:1d9::/48 #temporary
	forwards dmz unsafe untrusted jump colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
	    -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --destination-port $port_ssh \
	    -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --source-port $port_ssh \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --destination-port $port_ssh \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --source-port $port_ssh \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
	    -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
	    -d ff::/8
    ;;
esac

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------