3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
38 ## There are two small blocks of publicly routable IPv4 addresses, and a
39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40 ## The former are as follows.
43 ## House border network (dmz). We have all of these, but .145
44 ## is reserved for the router.
47 ## Jump colocated network (jump). .65--68 are used by Jump
48 ## network infrastructure; we get the rest.
50 ## The latter is the block 172.29.196.0/22. Currently the low half is
51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
52 ## are allocated as follows.
54 ## 172.29.198.0/24 Untrusted networks.
55 ## .0/25 house wireless net
56 ## .128/28 iodine (IP-over-DNS) network
58 ## 172.29.199.0/24 Trusted networks.
59 ## .0/25 house wired network
60 ## .128/27 mobile VPN hosts
61 ## .160/28 reserved, except .160/30 allocated for ITS
62 ## .176/28 internal colocated network
63 ## .192/27 house safe network
64 ## .224/27 anycast services
68 ## There are five blocks of publicly routable IPv6 addresses, though some of
69 ## them aren't very interesting. The ranges are as follows.
71 ## 2001:470:1f08:1b98::/64
72 ## Hurricane Electric tunnel network: only :1 (HE) and :2
75 ## 2001:470:1f09:1b98::/64
76 ## House border network (dmz).
79 ## Main house range. See below for allocation policy.
81 ## 2001:ba8:0:1d9::/64
82 ## Jump border network (jump): :1 is the router (supplied by
83 ## Jump); other addresses are ours.
86 ## Main colocated range. See below for allocation policy.
88 ## Addresses in the /64 networks are simply allocated in ascending order.
89 ## The /48s are split into /64s by appending a 16-bit network number. The
90 ## top nibble of the network number classifies the network, as follows.
95 ## 0xxx Unsafe, trusted
97 ## These have been chosen so that network properties can be deduced by
98 ## inspecting bits of the network number:
100 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.
101 ## Bit 14 If set, the network is safe; otherwise it is unsafe.
103 ## Finally, the low-order nibbles identify the site.
105 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
107 ## 2 Jump colocation.
109 ## Usually site-0 networks are allocated from the Jump range to improve
110 ## expected performance from/to external sites which don't engage in our
111 ## dynamic routing protocols.
113 ## Define the available network classes.
115 defnetclass scary scary trusted mcast
116 defnetclass untrusted scary untrusted trusted mcast
117 defnetclass trusted scary untrusted trusted safe noloop mcast
118 defnetclass safe trusted safe noloop mcast
119 defnetclass noloop trusted safe mcast
126 ###--------------------------------------------------------------------------
131 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
133 defnet unsafe trusted
134 addr 172.29.199.0/25 2001:470:9740:1::/64
137 addr 172.29.199.192/27 2001:470:9740:4001::/64
139 defnet untrusted untrusted
140 addr 172.29.198.0/25 2001:470:9740:8001::/64
143 defnet househub virtual
144 via housebdry dmz unsafe safe untrusted
145 defnet housebdry virtual
151 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
152 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
153 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
154 iface eth3 unsafe untrusted vpn default
157 iface vpn-precision colobdry vpn sgo
161 iface eth0 dmz unsafe
162 iface eth1 dmz unsafe
164 iface eth0 dmz unsafe
165 iface eth1 dmz unsafe
168 iface eth0 dmz unsafe untrusted
169 iface eth1 dmz unsafe untrusted
170 iface eth3 unsafe untrusted
173 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
174 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
175 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
176 iface eth0.7 unsafe untrusted vpn
177 iface vpn-precision colobdry vpn sgo
181 iface br-dmz dmz unsafe
182 iface br-unsafe unsafe
184 iface wlan0 untrusted
185 iface vpn-radius unsafe
188 iface wlan0 untrusted
189 iface vpn-radius unsafe
195 ## Colocated networks.
197 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
200 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
202 defnet colohub virtual
203 via colobdry jump colo
204 defnet colobdry virtual
206 defnet iodine untrusted
207 addr 172.29.198.128/28
212 iface br-jump jump colo
213 iface br-colo jump colo
216 iface eth0 jump colo vpn sgo
217 iface eth1 jump colo vpn sgo
218 iface vpn-mango binswood
219 iface vpn-radius housebdry vpn sgo
230 iface eth0 jump colo vpn
231 iface eth1 jump colo vpn
237 via housebdry colobdry
239 addr !172.29.198.0/23
245 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
252 defnet anycast trusted
253 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
254 via dmz unsafe safe untrusted jump colo vpn
256 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
257 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
258 addr 2001:ba8:1d9::/48 #temporary
259 via dmz unsafe untrusted jump colo
261 ## Satellite networks.
262 defnet binswood noloop
268 iface eth0 binswood default
269 iface vpn-precision colo
272 ###--------------------------------------------------------------------------
273 ### Connection tracking helper modules.
276 modprobe nf_conntrack_$i
280 ###--------------------------------------------------------------------------
281 ### Special forwarding exemptions.
286 ## Only allow these packets if they're not fragmented. (Don't trust safe
287 ## hosts's fragment reassembly to be robust against malicious fragments.)
288 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
289 ## of `! -f', so we do the negation using early return from a subchain.
290 clearchain fwd-spec-nofrag
291 run iptables -A fwd-spec-nofrag -j RETURN --fragment
292 run ip6tables -A fwd-spec-nofrag -j RETURN \
293 -m ipv6header --soft --header frag
294 run ip46tables -A FORWARD -j fwd-spec-nofrag
296 ## Allow ping from safe/noloop to untrusted networks.
297 run iptables -A fwd-spec-nofrag -j ACCEPT \
298 -p icmp --icmp-type echo-request \
299 -m mark --mark $to_untrusted/$MASK_TO
300 run iptables -A fwd-spec-nofrag -j ACCEPT \
301 -p icmp --icmp-type echo-reply \
302 -m mark --mark $from_untrusted/$MASK_FROM \
303 -m state --state ESTABLISHED
304 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
305 -p icmpv6 --icmpv6-type echo-request \
306 -m mark --mark $to_untrusted/$MASK_TO
307 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
308 -p icmpv6 --icmpv6-type echo-reply \
309 -m mark --mark $from_untrusted/$MASK_FROM \
310 -m state --state ESTABLISHED
312 ## Allow SSH from safe/noloop to untrusted networks.
313 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
314 -p tcp --destination-port $port_ssh \
315 -m mark --mark $to_untrusted/$MASK_TO
316 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
317 -p tcp --source-port $port_ssh \
318 -m mark --mark $from_untrusted/$MASK_FROM \
319 -m state --state ESTABLISHED
325 ###--------------------------------------------------------------------------
326 ### Kill things we don't understand properly.
328 ### I don't like having to do this, but since I don't know how to do proper
329 ### multicast filtering, I'm just going to ban it from being forwarded.
331 errorchain poorly-understood REJECT
333 ## Ban multicast destination addresses in forwarding.
336 run iptables -A FORWARD -g poorly-understood \
338 run ip6tables -A FORWARD -g poorly-understood \
344 ###--------------------------------------------------------------------------
345 ### Locally-bound packet inspection.
349 ## Track connections.
353 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
355 run iptables -A inbound -j ACCEPT \
356 -s 0.0.0.0 -d 255.255.255.255 \
357 -p udp --source-port $port_bootpc --destination-port $port_bootps
358 run iptables -A inbound -j ACCEPT \
360 -p udp --source-port $port_bootpc --destination-port $port_bootps
362 ## Allow incoming ping. This is the only ICMP left.
363 run ip46tables -A inbound -j ACCEPT -p icmp
366 ## Allow unusual things.
369 ## Inspect inbound packets from untrusted sources.
370 run ip46tables -A inbound -j forbidden
371 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
372 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
374 ## Allow responses from the scary outside world into the untrusted net, but
375 ## don't let untrusted things run services.
378 run ip46tables -A FORWARD -j ACCEPT \
379 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
380 -m state --state ESTABLISHED,RELATED
384 ## Otherwise process as indicated by the mark.
385 for i in $inchains; do
386 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
390 ###----- That's all, folks --------------------------------------------------