mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Packet classification.
  26
  27 ## Define the available network classes.
  28 m4_divert(42)m4_dnl
  29 defnetclass untrusted untrusted trusted
  30 defnetclass trusted untrusted trusted safe noloop
  31 defnetclass safe trusted safe noloop
  32 defnetclass noloop trusted safe
  33 m4_divert(-1)m4_dnl
  34
  35 ###--------------------------------------------------------------------------
  36 ### Network layout.
  37
  38 m4_divert(46)m4_dnl
  39 ## Networks and routing.
  40
  41 defiface $if_untrusted \
  42         untrusted:172.29.198.0/25
  43 defvpn $if_vpn safe 172.29.199.128/27 \
  44         crybaby:172.29.199.129 \
  45         terror:172.29.199.130
  46 defiface $if_iodine untrusted:172.29.198.128/28
  47 defiface $if_its_mz safe:172.29.199.160/30
  48 defiface $if_its_pi safe:192.168.0.0/24
  49 defiface $if_trusted \
  50         trusted:172.29.199.0/26 \
  51         safe:172.29.199.64/27 \
  52         untrusted:default
  53
  54 ## Default NTP servers.
  55 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
  56
  57 m4_divert(60)m4_dnl
  58 ###--------------------------------------------------------------------------
  59 ### Special forwarding exemptions.
  60
  61 ## Allow ping from safe/noloop to untrusted networks.
  62 run iptables -A FORWARD -j ACCEPT \
  63         -p icmp ! -f --icmp-type echo-request \
  64         -m mark --mark $to_untrusted/$MASK_TO
  65 run iptables -A FORWARD -j ACCEPT \
  66         -p icmp ! -f --icmp-type echo-reply \
  67         -m mark --mark $from_untrusted/$MASK_FROM \
  68         -m state --state ESTABLISHED
  69 run ip6tables -A FORWARD -j ACCEPT \
  70         -p ipv6-icmp --icmpv6-type echo-request \
  71         -m ipv6header --soft ! --header frag \
  72         -m mark --mark $to_untrusted/$MASK_TO
  73 run ip6tables -A FORWARD -j ACCEPT \
  74         -p ipv6-icmp --icmpv6-type echo-reply \
  75         -m ipv6header --soft ! --header frag \
  76         -m mark --mark $from_untrusted/$MASK_FROM \
  77         -m state --state ESTABLISHED
  78
  79 ## Allow SSH from safe/noloop to untrusted networks.
  80 run iptables -A FORWARD -j ACCEPT \
  81         -p tcp ! -f --destination-port $port_ssh \
  82         -m mark --mark $to_untrusted/$MASK_TO
  83 run iptables -A FORWARD -j ACCEPT \
  84         -p tcp ! -f --source-port $port_ssh \
  85         -m mark --mark $from_untrusted/$MASK_FROM \
  86         -m state --state ESTABLISHED
  87 run ip6tables -A FORWARD -j ACCEPT \
  88         -p tcp --destination-port $port_ssh \
  89         -m ipv6header --soft ! --header frag \
  90         -m mark --mark $to_untrusted/$MASK_TO
  91 run ip6tables -A FORWARD -j ACCEPT \
  92         -p tcp --source-port $port_ssh \
  93         -m ipv6header --soft ! --header frag \
  94         -m mark --mark $from_untrusted/$MASK_FROM \
  95         -m state --state ESTABLISHED
  96
  97 m4_divert(60)m4_dnl
  98 ###--------------------------------------------------------------------------
  99 ### Kill things we don't understand properly.
 100 ###
 101 ### I don't like having to do this, but since I don't know how to do proper
 102 ### multicast filtering, I'm just going to ban it from being forwarded.
 103
 104 errorchain poorly-understood REJECT
 105
 106 ## Ban multicast destination addresses in forwarding.
 107 run iptables -A FORWARD -g poorly-understood \
 108         -d 224.0.0.0/4
 109 run ip6tables -A FORWARD -g poorly-understood \
 110         -d ff::/8
 111
 112 m4_divert(80)m4_dnl
 113 ###--------------------------------------------------------------------------
 114 ### Locally-bound packet inspection.
 115
 116 clearchain inbound
 117
 118 ## Track connections.
 119 commonrules inbound
 120 conntrack inbound
 121
 122 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 123 ## local request.
 124 run iptables -A inbound -j ACCEPT \
 125         -s 0.0.0.0 -d 255.255.255.255 \
 126         -p udp --source-port $port_bootpc --destination-port $port_bootps
 127 run iptables -A inbound -j ACCEPT \
 128         -s 172.29.198.0/23 \
 129         -p udp --source-port $port_bootpc --destination-port $port_bootps
 130
 131 ## Allow incoming ping.  This is the only ICMP left.
 132 run ip46tables -A inbound -j ACCEPT -p icmp
 133
 134 m4_divert(88)m4_dnl
 135 ## Allow unusual things.
 136 openports inbound
 137
 138 ## Inspect inbound packets from untrusted sources.
 139 run ip46tables -A inbound -j forbidden
 140 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 141
 142 ## Otherwise process as indicated by the mark.
 143 for i in INPUT FORWARD; do
 144   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 145 done
 146
 147 m4_divert(-1)
 148 ###----- That's all, folks --------------------------------------------------