Overhaul address classification.

[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
	addr 62.49.204.144/28
	forwards unsafe untrusted
defnet unsafe trusted
	addr 172.29.199.0/25
	forwards househub
defnet safe safe
	addr 172.29.199.192/28
	forwards househub
defnet untrusted untrusted
	addr 172.29.198.0/25
	forwards househub
defnet vpn safe
	addr 172.29.199.128/27
	forwards househub
	host crybaby 1
	host terror 2
defnet iodine untrusted
	addr 172.29.198.128/28

defnet househub virtual
	forwards housebdry dmz unsafe safe untrusted
defnet housebdry virtual
	forwards househub hub
	noxit dmz

## House hosts.
defhost radius
	router
	iface eth0 dmz
	iface eth1 unsafe
	iface eth2 safe
	iface eth3 untrusted
defhost roadstar
	iface eth0 dmz
	iface eth1 unsafe
defhost jem
	iface eth0 dmz
	iface eth1 unsafe
defhost artist
	iface eth0 dmz
	iface eth1 unsafe
defhost vampire
	router
	iface eth0.0 dmz
	iface eth0.1 unsafe
	iface eth0.3 untrusted
	iface dns0 dns
	iface vpn-+ vpn
	iface vpn-precision colobdry vpn
defhost ibanez
	iface br-dmz dmz
	iface br-unsafe unsafe

defhost gibson
	iface eth0 unsafe

## Colocated networks.
defnet jump trusted
	addr 212.13.198.64/28
	forwards colohub
defnet colo trusted
	addr 172.29.199.176/28
	forwards colohub
defnet colohub virtual
	forwards colobdry jump colo
defnet colobdry virtual
	forwards colohub hub
	noxit jump

## Colocated hosts.
defhost fender
	iface br-jump jump
	iface br-colo colo
defhost precision
	router
	iface eth0 jump
	iface eth1 colo
	iface vpn-+ vpn
	iface vpn-vampire housebdry vpn
defhost telecaster
	iface eth0 jump
	iface eth1 colo
defhost stratocaster
	iface eth0 jump
	iface eth1 colo
defhost jazz
	iface eth0 jump
	iface eth1 colo

## Other networks.
defnet hub virtual
	forwards housebdry colobdry
defnet default untrusted
	addr 62.49.204.144/28
	addr 212.13.198.64/28
	forwards dmz untrusted unsafe jump colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

## Only allow these packets if they're not fragmented.  (Don't trust safe
## hosts's fragment reassembly to be robust against malicious fragments.)
## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
## `! -f', so we do the negation using early return from a subchain.
clearchain fwd-spec-nofrag
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
	-m ipv6header --soft --header frag
run iptables -A FORWARD -j fwd-spec-nofrag

## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p icmp --icmp-type echo-request \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p icmp --icmp-type echo-reply \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p ipv6-icmp --icmpv6-type echo-request \
	-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p ipv6-icmp --icmpv6-type echo-reply \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

## Allow SSH from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --destination-port $port_ssh \
	-m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --source-port $port_ssh \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --destination-port $port_ssh \
	-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	-p tcp --source-port $port_ssh \
	-m mark --mark $from_untrusted/$MASK_FROM \
	-m state --state ESTABLISHED

m4_divert(60)m4_dnl
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
run iptables -A FORWARD -g poorly-understood \
	-d 224.0.0.0/4
run ip6tables -A FORWARD -g poorly-understood \
	-d ff::/8

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Incoming multicast on a network interface associated with a trusted
## network is OK, since it must have originated there (or been forwarded, but
## we don't do that yet).
for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
  echo $i
done | {
  seen=:
  while read i; do
    case "$seen" in *:$i:*) continue ;; esac
    seen=$seen$i:
    run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 224.0.0.0/24 \
	-i $i
  done
}

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
for i in INPUT FORWARD; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------