| 1 | ### -*-sh-*- |
| 2 | ### |
| 3 | ### Firewall configuration for fender actual |
| 4 | ### |
| 5 | ### (c) 2008 Mark Wooding |
| 6 | ### |
| 7 | |
| 8 | ###----- Licensing notice --------------------------------------------------- |
| 9 | ### |
| 10 | ### This program is free software; you can redistribute it and/or modify |
| 11 | ### it under the terms of the GNU General Public License as published by |
| 12 | ### the Free Software Foundation; either version 2 of the License, or |
| 13 | ### (at your option) any later version. |
| 14 | ### |
| 15 | ### This program is distributed in the hope that it will be useful, |
| 16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | ### GNU General Public License for more details. |
| 19 | ### |
| 20 | ### You should have received a copy of the GNU General Public License |
| 21 | ### along with this program; if not, write to the Free Software Foundation, |
| 22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 23 | |
| 24 | ###-------------------------------------------------------------------------- |
| 25 | ### fender-specific rules. |
| 26 | |
| 27 | m4_divert(86)m4_dnl |
| 28 | ## Externally visible services. |
| 29 | allowservices inbound tcp \ |
| 30 | ssh \ |
| 31 | ident |
| 32 | |
| 33 | ## We have to provide NTP service. The guests sync to our clock. |
| 34 | ntpclient inbound $ntp_servers |
| 35 | |
| 36 | ## Provide NTP service to untrusted clients. |
| 37 | run ip46tables -A inbound-untrusted -p udp -j ACCEPT \ |
| 38 | --source-port 123 --destination-port 123 |
| 39 | |
| 40 | ## Guaranteed black hole. Put this at the very front of the chain. |
| 41 | run iptables -I INPUT -d 212.13.198.78 -j DROP |
| 42 | run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP |
| 43 | |
| 44 | ## Ethernet bridge-level filtering for source addresses. |
| 45 | run ebtables -F |
| 46 | for i in log limit ip ip6; do run modprobe ebt-$i; done |
| 47 | |
| 48 | for c in bad-source-addr check-eth0 bcp38 check-bcp38; do |
| 49 | run ebtables -X $c >/dev/null 2>&1 || : |
| 50 | done |
| 51 | |
| 52 | for ch in bad-source-addr bcp38; do |
| 53 | run ebtables -N $ch |
| 54 | run ebtables -A $ch \ |
| 55 | --limit 20/second --limit-burst 100 \ |
| 56 | --log-prefix "fw: $ch(br)" --log-ip --log-ip6 |
| 57 | run ebtables -A $ch -j DROP |
| 58 | done |
| 59 | |
| 60 | run ebtables -N check-eth0 |
| 61 | run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28 |
| 62 | run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1 |
| 63 | run ebtables -A check-eth0 -j bad-source-addr \ |
| 64 | -p ip6 --ip6-source 2001:ba8:1d9::/48 |
| 65 | run ebtables -A check-eth0 -j bad-source-addr \ |
| 66 | -p ip6 --ip6-source 2001:ba8:0:1d9::/64 |
| 67 | run ebtables -A check-eth0 -j RETURN -p ip6 |
| 68 | run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30 |
| 69 | run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68 |
| 70 | run ebtables -A check-eth0 -j bad-source-addr -p ip |
| 71 | run ebtables -A INPUT -j check-eth0 -i bond0 |
| 72 | run ebtables -A FORWARD -j check-eth0 -i bond0 |
| 73 | |
| 74 | run ebtables -N check-bcp38 |
| 75 | run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28 |
| 76 | run ebtables -A check-bcp38 -j bcp38 -p ip |
| 77 | run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64 |
| 78 | run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48 |
| 79 | run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10 |
| 80 | run ebtables -A check-bcp38 -j bcp38 -p ip6 |
| 81 | run ebtables -A FORWARD -j check-bcp38 -o bond0 |
| 82 | |
| 83 | ## There's a hideous bug in Linux 3.2.51-1's ebtables: for some reason it |
| 84 | ## misparses (at least) locally originated multicast packets, and tries to |
| 85 | ## extract IP header fields relative to the start of the Ethernet frame. The |
| 86 | ## result is obviously a hideous mess. Don't try to do BCP38 checking for |
| 87 | ## locally originated packets until this is fixed. |
| 88 | ##run ebtables -A OUTPUT -j check-bcp38 -o bond0 |
| 89 | |
| 90 | m4_divert(-1) |
| 91 | ###----- That's all, folks -------------------------------------------------- |