mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## Define the available network classes.
  37 m4_divert(42)m4_dnl
  38 defnetclass untrusted untrusted trusted mcast
  39 defnetclass trusted untrusted trusted safe noloop mcast
  40 defnetclass safe trusted safe noloop mcast
  41 defnetclass noloop trusted safe mcast
  42 defnetclass link
  43 defnetclass mcast
  44 m4_divert(-1)
  45
  46 m4_divert(26)m4_dnl
  47 ###--------------------------------------------------------------------------
  48 ### Network layout.
  49
  50 ## House networks.
  51 defnet dmz trusted
  52         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
  53         forwards unsafe untrusted
  54 defnet unsafe trusted
  55         addr 172.29.199.0/25 2001:470:9740:1::/64
  56         forwards househub
  57 defnet safe safe
  58         addr 172.29.199.192/27 2001:470:9740:4001::/64
  59         forwards househub
  60 defnet untrusted untrusted
  61         addr 172.29.198.0/25 2001:470:9740:8001::/64
  62         forwards househub
  63 defnet iodine untrusted
  64         addr 172.29.198.128/28
  65
  66 defnet househub virtual
  67         forwards housebdry dmz unsafe safe untrusted
  68 defnet housebdry virtual
  69         forwards househub hub
  70         noxit dmz
  71
  72 ## House hosts.
  73 defhost radius
  74         hosttype router
  75         iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
  76         iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
  77         iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
  78         iface eth3 untrusted vpn default
  79         iface ppp0 default
  80         iface t6-he default
  81         iface vpn-precision colobdry vpn sgo
  82         iface vpn-chiark sgo
  83         iface vpn-+ vpn
  84 defhost roadstar
  85         iface eth0 dmz unsafe
  86         iface eth1 dmz unsafe
  87 defhost jem
  88         iface eth0 dmz unsafe
  89         iface eth1 dmz unsafe
  90 defhost artist
  91         hosttype router
  92         iface eth0 dmz unsafe untrusted
  93         iface eth1 dmz unsafe untrusted
  94         iface eth3 untrusted
  95 defhost vampire
  96         hosttype router
  97         iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
  98         iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
  99         iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
 100         iface eth0.7 untrusted
 101         iface dns0 iodine
 102         iface vpn-precision colobdry vpn sgo
 103         iface vpn-chiark sgo
 104         iface vpn-+ vpn
 105 defhost ibanez
 106         iface br-dmz dmz unsafe
 107         iface br-unsafe unsafe
 108
 109 defhost gibson
 110         hosttype client
 111         iface eth0 unsafe
 112
 113 ## Colocated networks.
 114 defnet jump trusted
 115         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 116         forwards colohub
 117 defnet colo trusted
 118         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 119         forwards colohub
 120 defnet colohub virtual
 121         forwards colobdry jump colo
 122 defnet colobdry virtual
 123         forwards colohub hub
 124         noxit jump
 125
 126 ## Colocated hosts.
 127 defhost fender
 128         iface br-jump jump colo
 129         iface br-colo jump colo
 130 defhost precision
 131         hosttype router
 132         iface eth0 jump colo sgo
 133         iface eth1 jump colo sgo
 134         iface vpn-radius housebdry vpn sgo
 135         iface vpn-chiark sgo
 136         iface vpn-+ vpn
 137 defhost telecaster
 138         iface eth0 jump colo
 139         iface eth1 jump colo
 140 defhost stratocaster
 141         iface eth0 jump colo
 142         iface eth1 jump colo
 143 defhost jazz
 144         iface eth0 jump colo
 145         iface eth1 jump colo
 146
 147 ## Other networks.
 148 defnet hub virtual
 149         forwards housebdry colobdry
 150 defnet sgo noloop
 151         addr !172.29.198.0/23
 152         addr 10.0.0.0/8
 153         addr 172.16.0.0/12
 154         addr 192.168.0.0/16
 155         forwards househub colohub
 156 defnet vpn safe
 157         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
 158         forwards househub colohub
 159         host crybaby 1
 160         host terror 2
 161 defnet anycast trusted
 162         addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 163         forwards dmz unsafe safe untrusted jump colo vpn
 164 defnet default untrusted
 165         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 166         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 167         addr 2001:ba8:1d9::/48 #temporary
 168         forwards dmz unsafe untrusted jump colo
 169
 170 m4_divert(80)m4_dnl
 171 ###--------------------------------------------------------------------------
 172 ### Special forwarding exemptions.
 173
 174 case $forward in
 175   1)
 176
 177     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 178     ## hosts's fragment reassembly to be robust against malicious fragments.)
 179     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 180     ## of `! -f', so we do the negation using early return from a subchain.
 181     clearchain fwd-spec-nofrag
 182     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 183     run ip6tables -A fwd-spec-nofrag -j RETURN \
 184             -m ipv6header --soft --header frag
 185     run ip46tables -A FORWARD -j fwd-spec-nofrag
 186
 187     ## Allow ping from safe/noloop to untrusted networks.
 188     run iptables -A fwd-spec-nofrag -j ACCEPT \
 189             -p icmp --icmp-type echo-request \
 190             -m mark --mark $to_untrusted/$MASK_TO
 191     run iptables -A fwd-spec-nofrag -j ACCEPT \
 192             -p icmp --icmp-type echo-reply \
 193             -m mark --mark $from_untrusted/$MASK_FROM \
 194             -m state --state ESTABLISHED
 195     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 196             -p icmpv6 --icmpv6-type echo-request \
 197             -m mark --mark $to_untrusted/$MASK_TO
 198     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 199             -p icmpv6 --icmpv6-type echo-reply \
 200             -m mark --mark $from_untrusted/$MASK_FROM \
 201             -m state --state ESTABLISHED
 202
 203     ## Allow SSH from safe/noloop to untrusted networks.
 204     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 205             -p tcp --destination-port $port_ssh \
 206             -m mark --mark $to_untrusted/$MASK_TO
 207     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 208             -p tcp --source-port $port_ssh \
 209             -m mark --mark $from_untrusted/$MASK_FROM \
 210             -m state --state ESTABLISHED
 211
 212     ;;
 213 esac
 214
 215 m4_divert(80)m4_dnl
 216 ###--------------------------------------------------------------------------
 217 ### Kill things we don't understand properly.
 218 ###
 219 ### I don't like having to do this, but since I don't know how to do proper
 220 ### multicast filtering, I'm just going to ban it from being forwarded.
 221
 222 errorchain poorly-understood REJECT
 223
 224 ## Ban multicast destination addresses in forwarding.
 225 case $forward in
 226   1)
 227     run iptables -A FORWARD -g poorly-understood \
 228             -d 224.0.0.0/4
 229     run ip6tables -A FORWARD -g poorly-understood \
 230             -d ff::/8
 231     ;;
 232 esac
 233
 234 m4_divert(84)m4_dnl
 235 ###--------------------------------------------------------------------------
 236 ### Locally-bound packet inspection.
 237
 238 clearchain inbound
 239
 240 ## Track connections.
 241 commonrules inbound
 242 conntrack inbound
 243
 244 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 245 ## local request.
 246 run iptables -A inbound -j ACCEPT \
 247         -s 0.0.0.0 -d 255.255.255.255 \
 248         -p udp --source-port $port_bootpc --destination-port $port_bootps
 249 run iptables -A inbound -j ACCEPT \
 250         -s 172.29.198.0/23 \
 251         -p udp --source-port $port_bootpc --destination-port $port_bootps
 252
 253 ## Allow incoming ping.  This is the only ICMP left.
 254 run ip46tables -A inbound -j ACCEPT -p icmp
 255
 256 m4_divert(88)m4_dnl
 257 ## Allow unusual things.
 258 openports inbound
 259
 260 ## Inspect inbound packets from untrusted sources.
 261 run ip46tables -A inbound -j forbidden
 262 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 263
 264 ## Otherwise process as indicated by the mark.
 265 for i in $inchains; do
 266   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 267 done
 268
 269 m4_divert(-1)
 270 ###----- That's all, folks --------------------------------------------------