mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## Define the available network classes.
  37 m4_divert(42)m4_dnl
  38 defnetclass untrusted untrusted trusted
  39 defnetclass trusted untrusted trusted safe noloop
  40 defnetclass safe trusted safe noloop
  41 defnetclass noloop trusted safe
  42 m4_divert(-1)
  43
  44 m4_divert(26)m4_dnl
  45 ###--------------------------------------------------------------------------
  46 ### Network layout.
  47
  48 m4_divert(44)m4_dnl
  49 ## Network definitions.
  50 defiface $if_dmz \
  51         trusted:62.49.204.144/28 \
  52         trusted:172.29.199.0/25 \
  53         untrusted:default
  54 defiface $if_trusted \
  55         trusted:172.29.199.0/25 \
  56         untrusted:default
  57 defiface $if_safe safe:172.29.199.192/26
  58 defiface $if_untrusted \
  59         untrusted:172.29.198.0/25
  60 defvpn $if_vpn safe 172.29.199.128/27 \
  61         crybaby:172.29.199.129 \
  62         terror:172.29.199.130
  63 defiface $if_iodine untrusted:172.29.198.128/28
  64 defiface $if_its_mz safe:172.29.199.160/30
  65 defiface $if_its_pi safe:192.168.0.0/24
  66
  67
  68 m4_divert(80)m4_dnl
  69 ###--------------------------------------------------------------------------
  70 ### Special forwarding exemptions.
  71
  72 ## Only allow these packets if they're not fragmented.  (Don't trust safe
  73 ## hosts's fragment reassembly to be robust against malicious fragments.)
  74 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
  75 ## `! -f', so we do the negation using early return from a subchain.
  76 clearchain fwd-spec-nofrag
  77 run iptables -A fwd-spec-nofrag -j RETURN --fragment
  78 run ip6tables -A fwd-spec-nofrag -j RETURN \
  79         -m ipv6header --soft --header frag
  80 run iptables -A FORWARD -j fwd-spec-nofrag
  81
  82 ## Allow ping from safe/noloop to untrusted networks.
  83 run iptables -A fwd-spec-nofrag -j ACCEPT \
  84         -p icmp --icmp-type echo-request \
  85         -m mark --mark $to_untrusted/$MASK_TO
  86 run iptables -A fwd-spec-nofrag -j ACCEPT \
  87         -p icmp --icmp-type echo-reply \
  88         -m mark --mark $from_untrusted/$MASK_FROM \
  89         -m state --state ESTABLISHED
  90 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
  91         -p ipv6-icmp --icmpv6-type echo-request \
  92         -m mark --mark $to_untrusted/$MASK_TO
  93 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
  94         -p ipv6-icmp --icmpv6-type echo-reply \
  95         -m mark --mark $from_untrusted/$MASK_FROM \
  96         -m state --state ESTABLISHED
  97
  98 ## Allow SSH from safe/noloop to untrusted networks.
  99 run iptables -A fwd-spec-nofrag -j ACCEPT \
 100         -p tcp --destination-port $port_ssh \
 101         -m mark --mark $to_untrusted/$MASK_TO
 102 run iptables -A fwd-spec-nofrag -j ACCEPT \
 103         -p tcp --source-port $port_ssh \
 104         -m mark --mark $from_untrusted/$MASK_FROM \
 105         -m state --state ESTABLISHED
 106 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 107         -p tcp --destination-port $port_ssh \
 108         -m mark --mark $to_untrusted/$MASK_TO
 109 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 110         -p tcp --source-port $port_ssh \
 111         -m mark --mark $from_untrusted/$MASK_FROM \
 112         -m state --state ESTABLISHED
 113
 114 m4_divert(60)m4_dnl
 115 m4_divert(80)m4_dnl
 116 ###--------------------------------------------------------------------------
 117 ### Kill things we don't understand properly.
 118 ###
 119 ### I don't like having to do this, but since I don't know how to do proper
 120 ### multicast filtering, I'm just going to ban it from being forwarded.
 121
 122 errorchain poorly-understood REJECT
 123
 124 ## Ban multicast destination addresses in forwarding.
 125 run iptables -A FORWARD -g poorly-understood \
 126         -d 224.0.0.0/4
 127 run ip6tables -A FORWARD -g poorly-understood \
 128         -d ff::/8
 129
 130 m4_divert(84)m4_dnl
 131 ###--------------------------------------------------------------------------
 132 ### Locally-bound packet inspection.
 133
 134 clearchain inbound
 135
 136 ## Track connections.
 137 commonrules inbound
 138 conntrack inbound
 139
 140 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 141 ## local request.
 142 run iptables -A inbound -j ACCEPT \
 143         -s 0.0.0.0 -d 255.255.255.255 \
 144         -p udp --source-port $port_bootpc --destination-port $port_bootps
 145 run iptables -A inbound -j ACCEPT \
 146         -s 172.29.198.0/23 \
 147         -p udp --source-port $port_bootpc --destination-port $port_bootps
 148
 149 ## Incoming multicast on a network interface associated with a trusted
 150 ## network is OK, since it must have originated there (or been forwarded, but
 151 ## we don't do that yet).
 152 for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
 153   echo $i
 154 done | {
 155   seen=:
 156   while read i; do
 157     case "$seen" in *:$i:*) continue ;; esac
 158     seen=$seen$i:
 159     run iptables -A inbound -j ACCEPT \
 160         -s 0.0.0.0 -d 224.0.0.0/24 \
 161         -i $i
 162   done
 163 }
 164
 165 ## Allow incoming ping.  This is the only ICMP left.
 166 run ip46tables -A inbound -j ACCEPT -p icmp
 167
 168 m4_divert(88)m4_dnl
 169 ## Allow unusual things.
 170 openports inbound
 171
 172 ## Inspect inbound packets from untrusted sources.
 173 run ip46tables -A inbound -j forbidden
 174 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 175
 176 ## Otherwise process as indicated by the mark.
 177 for i in INPUT FORWARD; do
 178   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 179 done
 180
 181 m4_divert(-1)
 182 ###----- That's all, folks --------------------------------------------------