3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
38 ## There are two small blocks of publicly routable IPv4 addresses, and a
39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40 ## The former are as follows.
42 ## 81.2.113.195, 81.187.238.128/28
43 ## House border network (dmz). We have all of these; the loose
44 ## address is for the router.
47 ## Jump colocated network (jump). .65--68 are used by Jump
48 ## network infrastructure; we get the rest.
50 ## The latter is the block 172.29.196.0/22. Currently the low half is
51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
52 ## are allocated as follows.
54 ## 172.29.198.0/24 Untrusted networks.
55 ## .0/25 house wireless net
56 ## .128/28 iodine (IP-over-DNS) network
57 ## .144/28 hippotat (IP-over-HTTP) network
58 ## .160/27 untrusted virtual network
60 ## 172.29.199.0/24 Trusted networks.
61 ## .0/25 house wired network
62 ## .128/27 mobile VPN hosts
63 ## .160/28 reserved, except .160/30 allocated for ITS
64 ## .176/28 internal colocated network
65 ## .192/27 house safe network
66 ## .224/27 anycast services
70 ## There are five blocks of publicly routable IPv6 addresses, though some of
71 ## them aren't very interesting. The ranges are as follows.
74 ## Main house range (aaisp). See below for allocation policy.
75 ## There is no explicit DMZ allocation (and no need for one).
77 ## 2001:ba8:0:1d9::/64
78 ## Jump border network (jump): :1 is the router (supplied by
79 ## Jump); other addresses are ours.
82 ## Main colocated range. See below for allocation policy.
84 ## Addresses in the /64 networks are simply allocated in ascending order.
85 ## The /48s are split into /64s by appending a 16-bit network number. The
86 ## top nibble of the network number classifies the network, as follows.
88 ## axxx Virtual, untrusted
92 ## 0xxx Unsafe, trusted
94 ## These have been chosen so that network properties can be deduced by
95 ## inspecting bits of the network number:
97 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.
98 ## Bit 14 If set, the network is safe; otherwise it is unsafe.
100 ## Finally, the low-order nibbles identify the site.
102 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
104 ## 2 Jump colocation.
105 ## fff Local border network.
107 ## Usually site-0 networks are allocated from the Jump range to improve
108 ## expected performance from/to external sites which don't engage in our
109 ## dynamic routing protocols.
111 ## Define the available network classes.
113 defnetclass scary scary trusted vpnnat mcast
114 defnetclass untrusted scary untrusted trusted mcast
115 defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast
116 defnetclass safe trusted safe noloop vpnnat mcast
117 defnetclass noloop trusted safe mcast
118 defnetclass vpnnat scary trusted safe mcast
125 ###--------------------------------------------------------------------------
130 addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
132 defnet unsafe trusted
133 addr 172.29.199.0/25 2001:8b0:c92:1::/64
136 addr 172.29.199.192/27 2001:8b0:c92:4001::/64
138 defnet untrusted untrusted
139 addr 172.29.198.0/25 2001:8b0:c92:8001::/64
142 defnet househub virtual
143 via housebdry dmz unsafe safe untrusted
144 defnet housebdry virtual
150 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
151 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
152 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
153 iface eth3 unsafe untrusted vpn default
156 iface vpn-precision colobdry vpn sgo
160 iface eth0 dmz unsafe
161 iface eth1 dmz unsafe
163 iface eth0 dmz unsafe
164 iface eth1 dmz unsafe
166 iface eth0 dmz unsafe
167 iface eth1 dmz unsafe
170 iface eth0 dmz unsafe untrusted
171 iface eth1 dmz unsafe untrusted
172 iface eth3 unsafe untrusted
175 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
176 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
177 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
178 iface eth0.7 unsafe untrusted vpn
179 iface vpn-precision colobdry vpn sgo
183 iface br-dmz dmz unsafe
184 iface br-unsafe unsafe
186 iface wlan0 untrusted
187 iface vpn-radius unsafe
190 iface wlan0 untrusted
191 iface vpn-radius unsafe
197 ## Colocated networks.
199 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
202 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
204 defnet colohub virtual
205 via colobdry jump colo
206 defnet colobdry virtual
208 defnet iodine untrusted
209 addr 172.29.198.128/28
211 defnet hippotat untrusted
212 addr 172.29.198.144/28
217 iface br-jump jump colo
218 iface br-colo jump colo
221 iface eth0 jump colo vpn sgo
222 iface eth1 jump colo vpn sgo
223 iface vpn-mango binswood
224 iface vpn-radius housebdry vpn sgo
226 iface vpn-national upn
236 iface eth0 jump colo vpn
237 iface eth1 jump colo vpn
239 iface hippo-svc hippotat
244 via housebdry colobdry
246 addr !172.29.198.0/23
253 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
260 defnet anycast trusted
261 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
262 via dmz unsafe safe untrusted jump colo vpn
264 addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
265 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
266 addr 2001:ba8:1d9::/48 #temporary
267 via dmz unsafe untrusted jump colo
269 addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
271 host national 1 ::1:1
276 iface vpn-precision colohub
278 ## Satellite networks.
279 defnet binswood vpnnat
284 iface eth0 binswood default
285 iface vpn-precision colo default
288 ###--------------------------------------------------------------------------
289 ### Connection tracking helper modules.
292 modprobe nf_conntrack_$i
296 ###--------------------------------------------------------------------------
297 ### Special forwarding exemptions.
302 ## Only allow these packets if they're not fragmented. (Don't trust safe
303 ## hosts's fragment reassembly to be robust against malicious fragments.)
304 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
305 ## of `! -f', so we do the negation using early return from a subchain.
306 clearchain fwd-spec-nofrag
307 run iptables -A fwd-spec-nofrag -j RETURN --fragment
308 run ip6tables -A fwd-spec-nofrag -j RETURN \
309 -m ipv6header --soft --header frag
310 run ip46tables -A FORWARD -j fwd-spec-nofrag
312 ## Allow ping from safe/noloop to untrusted networks.
313 run iptables -A fwd-spec-nofrag -j ACCEPT \
314 -p icmp --icmp-type echo-request \
315 -m mark --mark $to_untrusted/$MASK_TO
316 run iptables -A fwd-spec-nofrag -j ACCEPT \
317 -p icmp --icmp-type echo-reply \
318 -m mark --mark $from_untrusted/$MASK_FROM \
319 -m state --state ESTABLISHED
320 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
321 -p icmpv6 --icmpv6-type echo-request \
322 -m mark --mark $to_untrusted/$MASK_TO
323 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
324 -p icmpv6 --icmpv6-type echo-reply \
325 -m mark --mark $from_untrusted/$MASK_FROM \
326 -m state --state ESTABLISHED
328 ## Allow SSH from safe/noloop to untrusted networks.
329 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
330 -p tcp --destination-port $port_ssh \
331 -m mark --mark $to_untrusted/$MASK_TO
332 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
333 -p tcp --source-port $port_ssh \
334 -m mark --mark $from_untrusted/$MASK_FROM \
335 -m state --state ESTABLISHED
341 ###--------------------------------------------------------------------------
342 ### Kill things we don't understand properly.
344 ### I don't like having to do this, but since I don't know how to do proper
345 ### multicast filtering, I'm just going to ban it from being forwarded.
347 errorchain poorly-understood REJECT
349 ## Ban multicast destination addresses in forwarding.
352 run iptables -A FORWARD -g poorly-understood \
354 run ip6tables -A FORWARD -g poorly-understood \
360 ###--------------------------------------------------------------------------
361 ### Check for source routing.
363 clearchain check-srcroute
365 run iptables -A check-srcroute -g forbidden \
366 -m ipv4options --any --flags lsrr,ssrr
367 run ip6tables -A check-srcroute -g forbidden \
370 for c in INPUT FORWARD; do
371 for m in $from_scary $from_untrusted; do
372 run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
377 ###--------------------------------------------------------------------------
378 ### Locally-bound packet inspection.
382 ## Track connections.
386 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
388 run iptables -A inbound -j ACCEPT \
389 -s 0.0.0.0 -d 255.255.255.255 \
390 -p udp --source-port $port_bootpc --destination-port $port_bootps
391 run iptables -A inbound -j ACCEPT \
393 -p udp --source-port $port_bootpc --destination-port $port_bootps
395 ## Allow incoming ping. This is the only ICMP left.
396 run iptables -A inbound -j ACCEPT -p icmp
397 run ip6tables -A inbound -j ACCEPT -p icmpv6
400 ## Allow unusual things.
403 ## Inspect inbound packets from untrusted sources.
404 run ip46tables -A inbound -g forbidden
405 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
406 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
408 ## Allow responses from the scary outside world into the untrusted net, but
409 ## don't let untrusted things run services.
412 run ip46tables -A FORWARD -j ACCEPT \
413 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
414 -m state --state ESTABLISHED,RELATED
418 ## Otherwise process as indicated by the mark.
419 for i in $inchains; do
420 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
424 ###----- That's all, folks --------------------------------------------------