~mdw / firewall / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
local.m4, local.mk, national.m4: New virtual host `national'.
[firewall] / bookends.m4
1 ### -*-sh-*-
2 ###
3 ### Initialization and finishing touches for firewall scripts
4 ###
5 ### (c) 2008 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 m4_divert(30)m4_dnl
25 ###--------------------------------------------------------------------------
26 ### Clear existing firewall rules.
27
28 ## The main chains: set policy to drop, and then clear the rules. For a
29 ## while, incoming packets will be silently dropped, but we should have got
30 ## everything going before anyone actually hits a timeout.
31 ##
32 ## We don't control some of the chains, so we should preserve them. This
33 ## introduces a whole bunch of problems.
34
35 ## Chains we're meant to preserve
36 preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
37
38 ## Take the various IP versions in turn.
39 unref=nil
40 for ip in ip ip6; do
41 if [ "$FW_NOACT" ]; then break; fi
42
43 for table in $(cat /proc/net/${ip}_tables_names); do
44
45 ## Step 1: clear out the builtin chains.
46 ${ip}tables -nL -t $table |
47 sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
48 while read chain; do
49 case $table in
50 nat) policy=ACCEPT ;;
51 *) policy=DROP ;;
52 esac
53 run ${ip}tables -t $table -P $chain $policy
54 run ${ip}tables -t $table -F $chain
55 done
56
57 ## Step 2: clear out user chains. Unfortunately, we can only clear
58 ## chains which have no references to them, so work through picking off
59 ## unreferenced chains which aren't meant to be preserved until there are
60 ## none left.
61 while :; do
62 progress=nil
63 ${ip}tables -nL -t $table |
64 sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \
65 >/var/run/firewall-chains.tmp
66 while read chain; do
67 match=nil
68 for pat in $preserve_chains; do
69 case "$table:$chain" in $pat) match=t ;; esac
70 done
71 case $match in
72 nil)
73 run ${ip}tables -t $table -F $chain
74 run ${ip}tables -t $table -X $chain
75 progress=t
76 ;;
77 esac
78 done </var/run/firewall-chains.tmp
79 case $progress in nil) break ;; esac
80 done
81
82 ## Step 3: report on uncleared user chains. This means that there's a
83 ## serious problem.
84 ${ip}tables -nL -t $table |
85 sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \
86 >/var/run/firewall-chains.tmp
87 while read chain refs; do
88 match=nil
89 for pat in $preserve_chains; do
90 case "$table:$chain" in $pat) match=t ;; esac
91 done
92 case $match in
93 nil)
94 echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'"
95 unref=t
96 ;;
97 esac
98 done </var/run/firewall-chains.tmp
99 done
100 done
101 rm -f /var/run/firewall-chains.tmp
102 case $unref in t) exit 1 ;; esac
103
104 m4_divert(32)m4_dnl
105 ###--------------------------------------------------------------------------
106 ### Set safe IP options.
107
108 ## Set forwarding options. Apparently setting ip_forward clobbers other
109 ## settings, so put this first.
110 case $host_type_<::>FWHOST in
111 router) forward=1 host=0 ;;
112 server) forward=0 host=0 ;;
113 client) forward=0 host=1 ;;
114 esac
115 setopt ip_forward $forward
116 setdevopt forwarding $forward
117 for i in \
118 accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
119 accept_redirects
120 do
121 setdevopt $i $host
122 done
123 case $forward in
124 0) inchains="INPUT" ;;
125 1) inchains="INPUT FORWARD" ;;
126 esac
127
128 ## Set dynamic port allocation.
129 setopt ip_local_port_range $open_port_min $open_port_max
130
131 ## Deploy SYN-cookies if necessary.
132 setopt tcp_syncookies 1
133
134 ## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
135 setopt icmp_echo_ignore_broadcasts 0
136
137 ## Turn off iptables filtering for bridges. We'll use ebtables if we need
138 ## to; but right now the model is that we do filtering at the borders, and
139 ## are tolerant of things which are local.
140 if [ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]; then
141 modprobe bridge || :
142 fi
143 if [ -d /proc/sys/net/bridge ]; then
144 for filter in arptables iptables ip6tables; do
145 run sysctl -q net.bridge.bridge-nf-call-$filter=0
146 done
147 fi
148
149 ## Turn off the reverse-path filter. It's basically useless: the filter does
150 ## nothing at all for single-homed hosts; and multi-homed hosts tend to have
151 ## routing aysmmetries if there's any kind of cycle.
152 setdevopt rp_filter 0
153 setdevopt log_martians 0
154
155 ## Turn off things which can mess with our routing decisions.
156 setdevopt accept_source_route 0
157 setdevopt secure_redirects 1
158
159 ## If we're maent to stop the firewall, then now is the time to do it.
160 $exit_after_clearing
161
162 m4_divert(34)m4_dnl
163 ###--------------------------------------------------------------------------
164 ### Establish error chains.
165
166 errorchain forbidden REJECT
167 ## Generic `not allowed' chain.
168
169 errorchain tcp-fragment REJECT
170 ## Chain for logging fragmented TCP segements.
171
172 errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
173 ## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset.
174
175 errorchain mangle:bad-source-address DROP
176 errorchain bad-source-address DROP
177 ## Packet arrived on wrong interface for its source address. Drops the
178 ## packet, since there's nowhere sensible to send an error.
179
180 errorchain dns-rate-limit DROP
181 ## Dropped incoming DNS query due to rate limiting. The source address is
182 ## suspicious, so don't produce ICMP.
183
184 errorchain bad-destination-address REJECT
185 ## Packet arrived on non-loopback interface with loopback destination.
186
187 errorchain interesting ACCEPT
188 ## Not an error, just log interesting packets.
189
190 m4_divert(50)m4_dnl
191 ###--------------------------------------------------------------------------
192 ### Standard filtering.
193
194 ## Don't clobber local traffic
195 run ip46tables -A INPUT -i lo -j ACCEPT
196
197 ## We really shouldn't see packets destined for localhost on any interface
198 ## other than the loopback.
199 run iptables -A INPUT -g bad-destination-address \
200 -d 127.0.0.0/8
201 run ip6tables -A INPUT -g bad-destination-address \
202 -d ::1
203
204 ## We shouldn't be asked to forward things with link-local addresses.
205 case $forward in
206 1)
207 run iptables -A FORWARD -g bad-source-address \
208 -s 169.254.0.0/16
209 run iptables -A FORWARD -g bad-destination-address \
210 -d 169.254.0.0/16
211 run ip6tables -A FORWARD -g bad-source-address \
212 -s fe80::/10
213 run ip6tables -A FORWARD -g bad-destination-address \
214 -d fe80::/10
215 ;;
216 esac
217
218 ## Also, don't forward link-local broadcast or multicast.
219 case $forward in
220 1)
221 run iptables -A FORWARD -g bad-destination-address \
222 -d 255.255.255.255
223 run iptables -A FORWARD -g bad-destination-address \
224 -m addrtype --dst-type BROADCAST
225 run iptables -A FORWARD -g bad-destination-address \
226 -d 224.0.0.0/24
227 clearchain check-fwd-multi
228 for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
229 run ip6tables -A check-fwd-multi -g bad-destination-address \
230 -d ff${x}2::/16
231 done
232 run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
233 ;;
234 esac
235
236 ## Add a hook for fail2ban.
237 clearchain fail2ban
238 run ip46tables -A INPUT -j fail2ban
239
240 m4_divert(90)m4_dnl
241 ###--------------------------------------------------------------------------
242 ### Finishing touches.
243
244 m4_divert(94)m4_dnl
245 ## Locally generated packets are all OK.
246 run ip46tables -P OUTPUT ACCEPT
247
248 ## Other incoming things are forbidden.
249 for chain in INPUT FORWARD; do
250 run ip46tables -A $chain -g forbidden
251 done
252
253 ## Allow stuff through unknown tables.
254 for ip in ip ip6; do
255 for table in $(cat /proc/net/${ip}_tables_names); do
256 case $table in mangle | filter) continue ;; esac
257 ${ip}tables -nL -t $table |
258 sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
259 while read chain; do
260 run ${ip}tables -t $table -P $chain ACCEPT
261 done
262 done
263 done
264
265 ## Dump the resulting configuration.
266 if [ "$FW_DEBUG" ]; then
267 for ip in ip ip6; do
268 for table in mangle filter; do
269 echo "----- $ip $table -----"
270 echo
271 ${ip}tables -t $table -nvL
272 echo
273 done
274 done
275 fi
276
277 m4_divert(-1)
278 ###----- That's all, folks --------------------------------------------------
Firewall scripts for distorted.org.uk.