mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## IPv4 addressing.
  37 ##
  38 ## There are two small blocks of publicly routable IPv4 addresses, and a
  39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
  40 ## The former are as follows.
  41 ##
  42 ## 62.49.204.144/28
  43 ##              House border network (dmz).  We have all of these, but .145
  44 ##              is reserved for the router.
  45 ##
  46 ## 212.13.18.64/28
  47 ##              Jump colocated network (jump).  .65--68 are used by Jump
  48 ##              network infrastructure; we get the rest.
  49 ##
  50 ## The latter is the block 172.29.196.0/22.  Currently the low half is
  51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
  52 ## are allocated as follows.
  53 ##
  54 ## 172.29.198.0/24  Untrusted networks.
  55 ##      .0/25           house wireless net
  56 ##      .128/28         iodine (IP-over-DNS) network
  57 ##
  58 ## 172.29.199.0/24  Trusted networks.
  59 ##      .0/25           house wired network
  60 ##      .128/27         mobile VPN hosts
  61 ##      .160/28         reserved, except .160/30 allocated for ITS
  62 ##      .176/28         internal colocated network
  63 ##      .192/27         house safe network
  64 ##      .224/27         anycast services
  65
  66 ## IPv6 addressing.
  67 ##
  68 ## There are five blocks of publicly routable IPv6 addresses, though some of
  69 ## them aren't very interesting.  The ranges are as follows.
  70 ##
  71 ## 2001:470:1f08:1b98::/64
  72 ##              Hurricane Electric tunnel network: only :1 (HE) and :2
  73 ##              (radius) are used.
  74 ##
  75 ## 2001:470:1f09:1b98::/64
  76 ##              House border network (dmz).
  77 ##
  78 ## 2001:470:9740::/48
  79 ##              Main house range.  See below for allocation policy.
  80 ##
  81 ## 2001:ba8:0:1d9::/64
  82 ##              Jump border network (jump): :1 is the router (supplied by
  83 ##              Jump); other addresses are ours.
  84 ##
  85 ## 2001:ba8:1d9::/48
  86 ##              Main colocated range.  See below for allocation policy.
  87 ##
  88 ## Addresses in the /64 networks are simply allocated in ascending order.
  89 ## The /48s are split into /64s by appending a 16-bit network number.  The
  90 ## top nibble of the network number classifies the network, as follows.
  91 ##
  92 ## 8xxx         Untrusted
  93 ## 6xxx         Virtual, safe
  94 ## 4xxx         Safe
  95 ## 0xxx         Unsafe, trusted
  96 ##
  97 ## These have been chosen so that network properties can be deduced by
  98 ## inspecting bits of the network number:
  99 ##
 100 ## Bit 15       If set, the network is untrusted; otherwise it is trusted.
 101 ## Bit 14       If set, the network is safe; otherwise it is unsafe.
 102 ##
 103 ## Finally, the low-order nibbles identify the site.
 104 ##
 105 ## 0            No specific site: mobile VPN endpoints or anycast addresses.
 106 ## 1            House.
 107 ## 2            Jump colocation.
 108 ##
 109 ## Usually site-0 networks are allocated from the Jump range to improve
 110 ## expected performance from/to external sites which don't engage in our
 111 ## dynamic routing protocols.
 112
 113 ## Define the available network classes.
 114 m4_divert(42)m4_dnl
 115 defnetclass scary       scary           trusted             mcast
 116 defnetclass untrusted   scary untrusted trusted             mcast
 117 defnetclass trusted     scary untrusted trusted safe noloop mcast
 118 defnetclass safe                        trusted safe noloop mcast
 119 defnetclass noloop                      trusted safe        mcast
 120
 121 defnetclass link
 122 defnetclass mcast
 123 m4_divert(-1)
 124
 125 m4_divert(26)m4_dnl
 126 ###--------------------------------------------------------------------------
 127 ### Network layout.
 128
 129 ## House networks.
 130 defnet dmz trusted
 131         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 132         via unsafe untrusted
 133 defnet unsafe trusted
 134         addr 172.29.199.0/25 2001:470:9740:1::/64
 135         via househub
 136 defnet safe safe
 137         addr 172.29.199.192/27 2001:470:9740:4001::/64
 138         via househub
 139 defnet untrusted untrusted
 140         addr 172.29.198.0/25 2001:470:9740:8001::/64
 141         via househub
 142
 143 defnet househub virtual
 144         via housebdry dmz unsafe safe untrusted
 145 defnet housebdry virtual
 146         via househub hub
 147
 148 ## House hosts.
 149 defhost radius
 150         hosttype router
 151         iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
 152         iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
 153         iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
 154         iface eth3 unsafe untrusted vpn default
 155         iface ppp0 default
 156         iface t6-he default
 157         iface vpn-precision colobdry vpn sgo
 158         iface vpn-chiark sgo
 159         iface vpn-+ vpn
 160 defhost roadstar
 161         iface eth0 dmz unsafe
 162         iface eth1 dmz unsafe
 163 defhost jem
 164         iface eth0 dmz unsafe
 165         iface eth1 dmz unsafe
 166 defhost artist
 167         hosttype router
 168         iface eth0 dmz unsafe untrusted
 169         iface eth1 dmz unsafe untrusted
 170         iface eth3 unsafe untrusted
 171 defhost vampire
 172         hosttype router
 173         iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
 174         iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
 175         iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
 176         iface eth0.7 unsafe untrusted vpn
 177         iface vpn-precision colobdry vpn sgo
 178         iface vpn-chiark sgo
 179         iface vpn-+ vpn
 180 defhost ibanez
 181         iface br-dmz dmz unsafe
 182         iface br-unsafe unsafe
 183 defhost orange
 184         iface wlan0 untrusted
 185         iface vpn-radius unsafe
 186 defhost groove
 187         iface eth0 unsafe
 188         iface wlan0 untrusted
 189         iface vpn-radius unsafe
 190
 191 defhost gibson
 192         hosttype client
 193         iface eth0.5 unsafe
 194
 195 ## Colocated networks.
 196 defnet jump trusted
 197         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 198         via colohub
 199 defnet colo trusted
 200         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 201         via colohub
 202 defnet colohub virtual
 203         via colobdry jump colo
 204 defnet colobdry virtual
 205         via colohub hub
 206 defnet iodine untrusted
 207         addr 172.29.198.128/28
 208         via colohub
 209
 210 ## Colocated hosts.
 211 defhost fender
 212         iface br-jump jump colo
 213         iface br-colo jump colo
 214 defhost precision
 215         hosttype router
 216         iface eth0 jump colo vpn sgo
 217         iface eth1 jump colo vpn sgo
 218         iface vpn-mango binswood
 219         iface vpn-radius housebdry vpn sgo
 220         iface vpn-chiark sgo
 221         iface vpn-+ vpn
 222 defhost telecaster
 223         iface eth0 jump colo
 224         iface eth1 jump colo
 225 defhost stratocaster
 226         iface eth0 jump colo
 227         iface eth1 jump colo
 228 defhost jazz
 229         hosttype router
 230         iface eth0 jump colo vpn
 231         iface eth1 jump colo vpn
 232         iface dns0 iodine
 233         iface vpn-+ vpn
 234
 235 ## Other networks.
 236 defnet hub virtual
 237         via housebdry colobdry
 238 defnet sgo noloop
 239         addr !172.29.198.0/23
 240         addr 10.0.0.0/8
 241         addr 172.16.0.0/12
 242         addr 192.168.0.0/16
 243         via househub colohub
 244 defnet vpn safe
 245         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
 246         via househub colohub
 247         host crybaby 1 ::1:1
 248         host terror 2 ::2:1
 249         host orange 3 ::3:1
 250         host haze 4 ::4:1
 251         host groove 5 ::5:1
 252 defnet anycast trusted
 253         addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 254         via dmz unsafe safe untrusted jump colo vpn
 255 defnet default scary
 256         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 257         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 258         addr 2001:ba8:1d9::/48 #temporary
 259         via dmz unsafe untrusted jump colo
 260
 261 ## Satellite networks.
 262 defnet binswood noloop
 263         addr 10.165.27.0/24
 264         via colohub
 265
 266 defhost mango
 267         hosttype router
 268         iface eth0 binswood default
 269         iface vpn-precision colo
 270
 271 m4_divert(80)m4_dnl
 272 ###--------------------------------------------------------------------------
 273 ### Connection tracking helper modules.
 274
 275 for i in ftp; do
 276   modprobe nf_conntrack_$i
 277 done
 278
 279 m4_divert(80)m4_dnl
 280 ###--------------------------------------------------------------------------
 281 ### Special forwarding exemptions.
 282
 283 case $forward in
 284   1)
 285
 286     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 287     ## hosts's fragment reassembly to be robust against malicious fragments.)
 288     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 289     ## of `! -f', so we do the negation using early return from a subchain.
 290     clearchain fwd-spec-nofrag
 291     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 292     run ip6tables -A fwd-spec-nofrag -j RETURN \
 293             -m ipv6header --soft --header frag
 294     run ip46tables -A FORWARD -j fwd-spec-nofrag
 295
 296     ## Allow ping from safe/noloop to untrusted networks.
 297     run iptables -A fwd-spec-nofrag -j ACCEPT \
 298             -p icmp --icmp-type echo-request \
 299             -m mark --mark $to_untrusted/$MASK_TO
 300     run iptables -A fwd-spec-nofrag -j ACCEPT \
 301             -p icmp --icmp-type echo-reply \
 302             -m mark --mark $from_untrusted/$MASK_FROM \
 303             -m state --state ESTABLISHED
 304     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 305             -p icmpv6 --icmpv6-type echo-request \
 306             -m mark --mark $to_untrusted/$MASK_TO
 307     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 308             -p icmpv6 --icmpv6-type echo-reply \
 309             -m mark --mark $from_untrusted/$MASK_FROM \
 310             -m state --state ESTABLISHED
 311
 312     ## Allow SSH from safe/noloop to untrusted networks.
 313     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 314             -p tcp --destination-port $port_ssh \
 315             -m mark --mark $to_untrusted/$MASK_TO
 316     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 317             -p tcp --source-port $port_ssh \
 318             -m mark --mark $from_untrusted/$MASK_FROM \
 319             -m state --state ESTABLISHED
 320
 321     ;;
 322 esac
 323
 324 m4_divert(80)m4_dnl
 325 ###--------------------------------------------------------------------------
 326 ### Kill things we don't understand properly.
 327 ###
 328 ### I don't like having to do this, but since I don't know how to do proper
 329 ### multicast filtering, I'm just going to ban it from being forwarded.
 330
 331 errorchain poorly-understood REJECT
 332
 333 ## Ban multicast destination addresses in forwarding.
 334 case $forward in
 335   1)
 336     run iptables -A FORWARD -g poorly-understood \
 337             -d 224.0.0.0/4
 338     run ip6tables -A FORWARD -g poorly-understood \
 339             -d ff::/8
 340     ;;
 341 esac
 342
 343 m4_divert(84)m4_dnl
 344 ###--------------------------------------------------------------------------
 345 ### Locally-bound packet inspection.
 346
 347 clearchain inbound
 348
 349 ## Track connections.
 350 commonrules inbound
 351 conntrack inbound
 352
 353 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 354 ## local request.
 355 run iptables -A inbound -j ACCEPT \
 356         -s 0.0.0.0 -d 255.255.255.255 \
 357         -p udp --source-port $port_bootpc --destination-port $port_bootps
 358 run iptables -A inbound -j ACCEPT \
 359         -s 172.29.198.0/23 \
 360         -p udp --source-port $port_bootpc --destination-port $port_bootps
 361
 362 ## Allow incoming ping.  This is the only ICMP left.
 363 run iptables -A inbound -j ACCEPT -p icmp
 364 run ip6tables -A inbound -j ACCEPT -p icmpv6
 365
 366 m4_divert(88)m4_dnl
 367 ## Allow unusual things.
 368 openports inbound
 369
 370 ## Inspect inbound packets from untrusted sources.
 371 run ip46tables -A inbound -j forbidden
 372 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
 373 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 374
 375 ## Allow responses from the scary outside world into the untrusted net, but
 376 ## don't let untrusted things run services.
 377 case $forward in
 378   1)
 379     run ip46tables -A FORWARD -j ACCEPT \
 380         -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
 381         -m state --state ESTABLISHED,RELATED
 382     ;;
 383 esac
 384
 385 ## Otherwise process as indicated by the mark.
 386 for i in $inchains; do
 387   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 388 done
 389
 390 m4_divert(-1)
 391 ###----- That's all, folks --------------------------------------------------