[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
        "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
        addr 62.49.204.144/28
        forwards unsafe untrusted
defnet unsafe trusted
        addr 172.29.199.0/25
        forwards househub
defnet safe safe
        addr 172.29.199.192/28
        forwards househub
defnet untrusted untrusted
        addr 172.29.198.0/25
        forwards househub
defnet vpn safe
        addr 172.29.199.128/27
        forwards househub
        host crybaby 1
        host terror 2
defnet iodine untrusted
        addr 172.29.198.128/28

defnet househub virtual
        forwards housebdry dmz unsafe safe untrusted
defnet housebdry virtual
        forwards househub hub
        noxit dmz

## House hosts.
defhost radius
        router
        iface eth0 dmz
        iface eth1 unsafe
        iface eth2 safe
        iface eth3 untrusted
defhost roadstar
        iface eth0 dmz
        iface eth1 unsafe
defhost jem
        iface eth0 dmz
        iface eth1 unsafe
defhost artist
        iface eth0 dmz
        iface eth1 unsafe
defhost vampire
        router
        iface eth0.0 dmz
        iface eth0.1 unsafe
        iface eth0.3 untrusted
        iface dns0 dns
        iface vpn-+ vpn
        iface vpn-precision colobdry vpn
defhost ibanez
        iface br-dmz dmz
        iface br-unsafe unsafe

defhost gibson
        iface eth0 unsafe

## Colocated networks.
defnet jump trusted
        addr 212.13.198.64/28
        forwards colohub
defnet colo trusted
        addr 172.29.199.176/28
        forwards colohub
defnet colohub virtual
        forwards colobdry jump colo
defnet colobdry virtual
        forwards colohub hub
        noxit jump

## Colocated hosts.
defhost fender
        iface br-jump jump
        iface br-colo colo
defhost precision
        router
        iface eth0 jump
        iface eth1 colo
        iface vpn-+ vpn
        iface vpn-vampire housebdry vpn
defhost telecaster
        iface eth0 jump
        iface eth1 colo
defhost stratocaster
        iface eth0 jump
        iface eth1 colo
defhost jazz
        iface eth0 jump
        iface eth1 colo

## Other networks.
defnet hub virtual
        forwards housebdry colobdry
defnet default untrusted
        addr 62.49.204.144/28
        addr 212.13.198.64/28
        forwards dmz untrusted unsafe jump colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

## Only allow these packets if they're not fragmented.  (Don't trust safe
## hosts's fragment reassembly to be robust against malicious fragments.)
## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
## `! -f', so we do the negation using early return from a subchain.
clearchain fwd-spec-nofrag
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
        -m ipv6header --soft --header frag
run iptables -A FORWARD -j fwd-spec-nofrag

## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
        -p icmp --icmp-type echo-request \
        -m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
        -p icmp --icmp-type echo-reply \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p ipv6-icmp --icmpv6-type echo-request \
        -m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p ipv6-icmp --icmpv6-type echo-reply \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED

## Allow SSH from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
        -p tcp --destination-port $port_ssh \
        -m mark --mark $to_untrusted/$MASK_TO
run iptables -A fwd-spec-nofrag -j ACCEPT \
        -p tcp --source-port $port_ssh \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p tcp --destination-port $port_ssh \
        -m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -p tcp --source-port $port_ssh \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED

m4_divert(60)m4_dnl
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
run iptables -A FORWARD -g poorly-understood \
        -d 224.0.0.0/4
run ip6tables -A FORWARD -g poorly-understood \
        -d ff::/8

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
        -s 0.0.0.0 -d 255.255.255.255 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps

## Incoming multicast on a network interface associated with a trusted
## network is OK, since it must have originated there (or been forwarded, but
## we don't do that yet).
for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
  echo $i
done | {
  seen=:
  while read i; do
    case "$seen" in *:$i:*) continue ;; esac
    seen=$seen$i:
    run iptables -A inbound -j ACCEPT \
        -s 0.0.0.0 -d 224.0.0.0/24 \
        -i $i
  done
}

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
for i in INPUT FORWARD; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------