mdw@git.distorted.org.uk Git - firewall/blob - fender.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Firewall configuration for fender actual
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### fender-specific rules.
  26
  27 m4_divert(86)m4_dnl
  28 ## Externally visible services.
  29 allowservices inbound tcp \
  30         ssh \
  31         ident
  32
  33 ## We have to provide NTP service.  The guests sync to our clock.
  34 ntpclient inbound $ntp_servers
  35
  36 ## Guaranteed black hole.  Put this at the very front of the chain.
  37 run iptables -I INPUT -d 212.13.198.78 -j DROP
  38 run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
  39
  40 ## Ethernet bridge-level filtering for source addresses.
  41 run ebtables -F
  42 for i in log limit ip ip6; do run modprobe ebt-$i; done
  43
  44 for c in bad-source-addr check-eth0 bcp38 check-bcp38; do
  45   run ebtables -X $c >/dev/null 2>&1 || :
  46 done
  47
  48 for ch in bad-source-addr bcp38; do
  49   run ebtables -N $ch
  50   run ebtables -A $ch \
  51           --limit 20/second --limit-burst 100 \
  52           --log-prefix "fw: $ch(br)" --log-ip --log-ip6
  53   run ebtables -A $ch -j DROP
  54 done
  55
  56 run ebtables -N check-eth0
  57 run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
  58 run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
  59 run ebtables -A check-eth0 -j bad-source-addr \
  60         -p ip6 --ip6-source 2001:ba8:1d9::/48
  61 run ebtables -A check-eth0 -j bad-source-addr \
  62         -p ip6 --ip6-source 2001:ba8:0:1d9::/64
  63 run ebtables -A check-eth0 -j RETURN -p ip6
  64 run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
  65 run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
  66 run ebtables -A check-eth0 -j bad-source-addr -p ip
  67 run ebtables -A INPUT -j check-eth0 -i bond0
  68 run ebtables -A FORWARD -j check-eth0 -i bond0
  69
  70 run ebtables -N check-bcp38
  71 run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28
  72 run ebtables -A check-bcp38 -j bcp38 -p ip
  73 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64
  74 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48
  75 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10
  76 run ebtables -A check-bcp38 -j bcp38 -p ip6
  77 run ebtables -A FORWARD -j check-bcp38 -o bond0
  78
  79 ## There's a hideous bug in Linux' 3.2.51-1's ebtables: for some reason it
  80 ## misparses (at least) locally originated multicast packets, and tries to
  81 ## extract IP header fields relative to the start of the Ethernet frame.  The
  82 ## result is obviously a hideous mess.  Don't try to do BCP38 checking for
  83 ## locally originated packets until this is fixed.
  84 ##run ebtables -A OUTPUT -j check-bcp38 -o bond0
  85
  86 m4_divert(-1)
  87 ###----- That's all, folks --------------------------------------------------