mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## Define the available network classes.
  37 m4_divert(42)m4_dnl
  38 defnetclass untrusted untrusted trusted mcast
  39 defnetclass trusted untrusted trusted safe noloop mcast
  40 defnetclass safe trusted safe noloop mcast
  41 defnetclass noloop trusted safe mcast
  42 defnetclass link
  43 defnetclass mcast
  44 m4_divert(-1)
  45
  46 m4_divert(26)m4_dnl
  47 ###--------------------------------------------------------------------------
  48 ### Network layout.
  49
  50 ## House networks.
  51 defnet dmz trusted
  52         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
  53         forwards unsafe untrusted
  54 defnet unsafe trusted
  55         addr 172.29.199.0/25 2001:470:9740:1::/64
  56         forwards househub
  57 defnet safe safe
  58         addr 172.29.199.192/27 2001:470:9740:4001::/64
  59         forwards househub
  60 defnet untrusted untrusted
  61         addr 172.29.198.0/25 2001:470:9740:8001::/64
  62         forwards househub
  63
  64 defnet househub virtual
  65         forwards housebdry dmz unsafe safe untrusted
  66 defnet housebdry virtual
  67         forwards househub hub
  68         noxit dmz
  69
  70 ## House hosts.
  71 defhost radius
  72         hosttype router
  73         iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
  74         iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
  75         iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
  76         iface eth3 untrusted vpn default
  77         iface ppp0 default
  78         iface t6-he default
  79         iface vpn-precision colobdry vpn sgo
  80         iface vpn-chiark sgo
  81         iface vpn-+ vpn
  82 defhost roadstar
  83         iface eth0 dmz unsafe
  84         iface eth1 dmz unsafe
  85 defhost jem
  86         iface eth0 dmz unsafe
  87         iface eth1 dmz unsafe
  88 defhost artist
  89         hosttype router
  90         iface eth0 dmz unsafe untrusted
  91         iface eth1 dmz unsafe untrusted
  92         iface eth3 untrusted
  93 defhost vampire
  94         hosttype router
  95         iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
  96         iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
  97         iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
  98         iface eth0.7 untrusted
  99         iface vpn-precision colobdry vpn sgo
 100         iface vpn-chiark sgo
 101         iface vpn-+ vpn
 102 defhost ibanez
 103         iface br-dmz dmz unsafe
 104         iface br-unsafe unsafe
 105
 106 defhost gibson
 107         hosttype client
 108         iface eth0 unsafe
 109
 110 ## Colocated networks.
 111 defnet jump trusted
 112         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 113         forwards colohub
 114 defnet colo trusted
 115         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 116         forwards colohub
 117 defnet colohub virtual
 118         forwards colobdry jump colo iodine
 119 defnet colobdry virtual
 120         forwards colohub hub
 121         noxit jump
 122 defnet iodine untrusted
 123         addr 172.29.198.128/28
 124         forwards colohub
 125
 126 ## Colocated hosts.
 127 defhost fender
 128         iface br-jump jump colo
 129         iface br-colo jump colo
 130 defhost precision
 131         hosttype router
 132         iface eth0 jump colo sgo
 133         iface eth1 jump colo sgo
 134         iface vpn-radius housebdry vpn sgo
 135         iface vpn-chiark sgo
 136         iface vpn-+ vpn
 137 defhost telecaster
 138         iface eth0 jump colo
 139         iface eth1 jump colo
 140 defhost stratocaster
 141         iface eth0 jump colo
 142         iface eth1 jump colo
 143 defhost jazz
 144         iface eth0 jump colo
 145         iface eth1 jump colo
 146         iface dns0 iodine
 147
 148 ## Other networks.
 149 defnet hub virtual
 150         forwards housebdry colobdry
 151 defnet sgo noloop
 152         addr !172.29.198.0/23
 153         addr 10.0.0.0/8
 154         addr 172.16.0.0/12
 155         addr 192.168.0.0/16
 156         forwards househub colohub
 157 defnet vpn safe
 158         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
 159         forwards househub colohub
 160         host crybaby 1
 161         host terror 2
 162 defnet anycast trusted
 163         addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 164         forwards dmz unsafe safe untrusted jump colo vpn
 165 defnet default untrusted
 166         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 167         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 168         addr 2001:ba8:1d9::/48 #temporary
 169         forwards dmz unsafe untrusted jump colo
 170
 171 m4_divert(80)m4_dnl
 172 ###--------------------------------------------------------------------------
 173 ### Special forwarding exemptions.
 174
 175 case $forward in
 176   1)
 177
 178     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 179     ## hosts's fragment reassembly to be robust against malicious fragments.)
 180     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 181     ## of `! -f', so we do the negation using early return from a subchain.
 182     clearchain fwd-spec-nofrag
 183     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 184     run ip6tables -A fwd-spec-nofrag -j RETURN \
 185             -m ipv6header --soft --header frag
 186     run ip46tables -A FORWARD -j fwd-spec-nofrag
 187
 188     ## Allow ping from safe/noloop to untrusted networks.
 189     run iptables -A fwd-spec-nofrag -j ACCEPT \
 190             -p icmp --icmp-type echo-request \
 191             -m mark --mark $to_untrusted/$MASK_TO
 192     run iptables -A fwd-spec-nofrag -j ACCEPT \
 193             -p icmp --icmp-type echo-reply \
 194             -m mark --mark $from_untrusted/$MASK_FROM \
 195             -m state --state ESTABLISHED
 196     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 197             -p icmpv6 --icmpv6-type echo-request \
 198             -m mark --mark $to_untrusted/$MASK_TO
 199     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 200             -p icmpv6 --icmpv6-type echo-reply \
 201             -m mark --mark $from_untrusted/$MASK_FROM \
 202             -m state --state ESTABLISHED
 203
 204     ## Allow SSH from safe/noloop to untrusted networks.
 205     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 206             -p tcp --destination-port $port_ssh \
 207             -m mark --mark $to_untrusted/$MASK_TO
 208     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 209             -p tcp --source-port $port_ssh \
 210             -m mark --mark $from_untrusted/$MASK_FROM \
 211             -m state --state ESTABLISHED
 212
 213     ;;
 214 esac
 215
 216 m4_divert(80)m4_dnl
 217 ###--------------------------------------------------------------------------
 218 ### Kill things we don't understand properly.
 219 ###
 220 ### I don't like having to do this, but since I don't know how to do proper
 221 ### multicast filtering, I'm just going to ban it from being forwarded.
 222
 223 errorchain poorly-understood REJECT
 224
 225 ## Ban multicast destination addresses in forwarding.
 226 case $forward in
 227   1)
 228     run iptables -A FORWARD -g poorly-understood \
 229             -d 224.0.0.0/4
 230     run ip6tables -A FORWARD -g poorly-understood \
 231             -d ff::/8
 232     ;;
 233 esac
 234
 235 m4_divert(84)m4_dnl
 236 ###--------------------------------------------------------------------------
 237 ### Locally-bound packet inspection.
 238
 239 clearchain inbound
 240
 241 ## Track connections.
 242 commonrules inbound
 243 conntrack inbound
 244
 245 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 246 ## local request.
 247 run iptables -A inbound -j ACCEPT \
 248         -s 0.0.0.0 -d 255.255.255.255 \
 249         -p udp --source-port $port_bootpc --destination-port $port_bootps
 250 run iptables -A inbound -j ACCEPT \
 251         -s 172.29.198.0/23 \
 252         -p udp --source-port $port_bootpc --destination-port $port_bootps
 253
 254 ## Allow incoming ping.  This is the only ICMP left.
 255 run ip46tables -A inbound -j ACCEPT -p icmp
 256
 257 m4_divert(88)m4_dnl
 258 ## Allow unusual things.
 259 openports inbound
 260
 261 ## Inspect inbound packets from untrusted sources.
 262 run ip46tables -A inbound -j forbidden
 263 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 264
 265 ## Otherwise process as indicated by the mark.
 266 for i in $inchains; do
 267   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 268 done
 269
 270 m4_divert(-1)
 271 ###----- That's all, folks --------------------------------------------------