mdw@git.distorted.org.uk Git - firewall/blame_incremental

... / ...

Commit	Line	Data
	1	### --sh--
	2	###
	3	### Local firewall configuration
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Local configuration.
	26
	27	m4_divert(6)m4_dnl
	28	## Default NTP servers.
	29	defconf(ntp_servers,
	30	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
	31
	32	m4_divert(-1)
	33	###--------------------------------------------------------------------------
	34	### Packet classification.
	35
	36	## Define the available network classes.
	37	m4_divert(42)m4_dnl
	38	defnetclass untrusted untrusted mcast
	39
	40	defnetclass link
	41	defnetclass mcast
	42	m4_divert(-1)
	43
	44	m4_divert(26)m4_dnl
	45	###--------------------------------------------------------------------------
	46	### Network layout.
	47
	48	defnet default untrusted
	49
	50	## Colocated hosts.
	51	defhost jaguar
	52	defhost jaguar
	53	iface eth0 default
	54
	55	m4_divert(80)m4_dnl
	56	###--------------------------------------------------------------------------
	57	### Special forwarding exemptions.
	58
	59	case $forward in
	60	1)
	61
	62	## Only allow these packets if they're not fragmented. (Don't trust safe
	63	## hosts's fragment reassembly to be robust against malicious fragments.)
	64	## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
	65	## of `! -f', so we do the negation using early return from a subchain.
	66	clearchain fwd-spec-nofrag
	67	run iptables -A fwd-spec-nofrag -j RETURN --fragment
	68	run ip6tables -A fwd-spec-nofrag -j RETURN \
	69	-m ipv6header --soft --header frag
	70	run ip46tables -A FORWARD -j fwd-spec-nofrag
	71
	72	## Allow ping from safe/noloop to untrusted networks.
	73	run iptables -A fwd-spec-nofrag -j ACCEPT \
	74	-p icmp --icmp-type echo-request \
	75	-m mark --mark $to_untrusted/$MASK_TO
	76	run iptables -A fwd-spec-nofrag -j ACCEPT \
	77	-p icmp --icmp-type echo-reply \
	78	-m mark --mark $from_untrusted/$MASK_FROM \
	79	-m state --state ESTABLISHED
	80	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	81	-p icmpv6 --icmpv6-type echo-request \
	82	-m mark --mark $to_untrusted/$MASK_TO
	83	run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	84	-p icmpv6 --icmpv6-type echo-reply \
	85	-m mark --mark $from_untrusted/$MASK_FROM \
	86	-m state --state ESTABLISHED
	87
	88	## Allow SSH from safe/noloop to untrusted networks.
	89	run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	90	-p tcp --destination-port $port_ssh \
	91	-m mark --mark $to_untrusted/$MASK_TO
	92	run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	93	-p tcp --source-port $port_ssh \
	94	-m mark --mark $from_untrusted/$MASK_FROM \
	95	-m state --state ESTABLISHED
	96
	97	;;
	98	esac
	99
	100	m4_divert(80)m4_dnl
	101	###--------------------------------------------------------------------------
	102	### Kill things we don't understand properly.
	103	###
	104	### I don't like having to do this, but since I don't know how to do proper
	105	### multicast filtering, I'm just going to ban it from being forwarded.
	106
	107	errorchain poorly-understood REJECT
	108
	109	## Ban multicast destination addresses in forwarding.
	110	case $forward in
	111	1)
	112	run iptables -A FORWARD -g poorly-understood \
	113	-d 224.0.0.0/4
	114	run ip6tables -A FORWARD -g poorly-understood \
	115	-d ff::/8
	116	;;
	117	esac
	118
	119	m4_divert(84)m4_dnl
	120	###--------------------------------------------------------------------------
	121	### Locally-bound packet inspection.
	122
	123	clearchain inbound
	124
	125	## Track connections.
	126	commonrules inbound
	127	conntrack inbound
	128
	129	## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
	130	## local request.
	131	run iptables -A inbound -j ACCEPT \
	132	-s 0.0.0.0 -d 255.255.255.255 \
	133	-p udp --source-port $port_bootpc --destination-port $port_bootps
	134	run iptables -A inbound -j ACCEPT \
	135	-s 172.29.198.0/23 \
	136	-p udp --source-port $port_bootpc --destination-port $port_bootps
	137
	138	## Allow incoming ping. This is the only ICMP left.
	139	run ip46tables -A inbound -j ACCEPT -p icmp
	140
	141	m4_divert(88)m4_dnl
	142	## Allow unusual things.
	143	openports inbound
	144
	145	## Inspect inbound packets from untrusted sources.
	146	run ip46tables -A inbound -j forbidden
	147	run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
	148
	149	## Otherwise process as indicated by the mark.
	150	for i in $inchains; do
	151	run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
	152	done
	153
	154	m4_divert(-1)
	155	###----- That's all, folks --------------------------------------------------