mdw@git.distorted.org.uk Git - firewall/blob - bookends.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Initialization and finishing touches for firewall scripts
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 m4_divert(30)m4_dnl
  25 ###--------------------------------------------------------------------------
  26 ### Clear existing firewall rules.
  27
  28 ## The main chains: set policy to drop, and then clear the rules.  For a
  29 ## while, incoming packets will be silently dropped, but we should have got
  30 ## everything going before anyone actually hits a timeout.
  31 ##
  32 ## We don't control some of the chains, so we should preserve them.  This
  33 ## introduces a whole bunch of problems.
  34
  35 ## Chains we're meant to preserve
  36 preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
  37
  38 ## Take the various IP versions in turn.
  39 unref=nil
  40 for ip in ip ip6; do
  41   if [ "$FW_NOACT" ]; then break; fi
  42
  43   for table in $(cat /proc/net/${ip}_tables_names); do
  44
  45     ## Step 1: clear out the builtin chains.
  46     ${ip}tables -nL -t $table |
  47     sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
  48     while read chain; do
  49       case $table in
  50         nat) policy=ACCEPT ;;
  51         *) policy=DROP ;;
  52       esac
  53       run ${ip}tables -t $table -P $chain $policy
  54       run ${ip}tables -t $table -F $chain
  55     done
  56
  57     ## Step 2: clear out user chains.  Unfortunately, we can only clear
  58     ## chains which have no references to them, so work through picking off
  59     ## unreferenced chains which aren't meant to be preserved until there are
  60     ## none left.
  61     while :; do
  62       progress=nil
  63       ${ip}tables -nL -t $table |
  64       sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \
  65         >/var/run/firewall-chains.tmp
  66       while read chain; do
  67         match=nil
  68         for pat in $preserve_chains; do
  69           case "$table:$chain" in $pat) match=t ;; esac
  70         done
  71         case $match in
  72           nil)
  73             run ${ip}tables -t $table -F $chain
  74             run ${ip}tables -t $table -X $chain
  75             progress=t
  76             ;;
  77         esac
  78       done </var/run/firewall-chains.tmp
  79       case $progress in nil) break ;; esac
  80     done
  81
  82     ## Step 3: report on uncleared user chains.  This means that there's a
  83     ## serious problem.
  84     ${ip}tables -nL -t $table |
  85     sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \
  86       >/var/run/firewall-chains.tmp
  87     while read chain refs; do
  88       match=nil
  89       for pat in $preserve_chains; do
  90         case "$table:$chain" in $pat) match=t ;; esac
  91       done
  92       case $match in
  93         nil)
  94           echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'"
  95           unref=t
  96           ;;
  97       esac
  98     done </var/run/firewall-chains.tmp
  99   done
 100 done
 101 rm -f /var/run/firewall-chains.tmp
 102 case $unref in t) exit 1 ;; esac
 103
 104 m4_divert(32)m4_dnl
 105 ###--------------------------------------------------------------------------
 106 ### Set safe IP options.
 107
 108 ## Set forwarding options.  Apparently setting ip_forward clobbers other
 109 ## settings, so put this first.
 110 case $host_type_<::>FWHOST in
 111   router) forward=1 host=0 ;;
 112   server) forward=0 host=0 ;;
 113   client) forward=0 host=1 ;;
 114 esac
 115 setopt ip_forward $forward
 116 setdevopt forwarding $forward
 117 for i in \
 118   accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
 119   accept_redirects
 120 do
 121   setdevopt $i $host
 122 done
 123 case $forward in
 124   0) inchains="INPUT" ;;
 125   1) inchains="INPUT FORWARD" ;;
 126 esac
 127
 128 ## Set dynamic port allocation.
 129 setopt ip_local_port_range $open_port_min $open_port_max
 130
 131 ## Deploy SYN-cookies if necessary.
 132 setopt tcp_syncookies 1
 133
 134 ## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
 135 setopt icmp_echo_ignore_broadcasts 0
 136
 137 ## Turn off iptables filtering for bridges.  We'll use ebtables if we need
 138 ## to; but right now the model is that we do filtering at the borders, and
 139 ## are tolerant of things which are local.
 140 if [ -x /sbin/brctl ]; then
 141   modprobe bridge || :
 142   if [ -d /proc/sys/net/bridge ]; then
 143     for filter in arptables iptables ip6tables; do
 144       run sysctl -q net.bridge.bridge-nf-call-$filter=0
 145     done
 146   fi
 147 fi
 148
 149 ## Turn off the reverse-path filter.  It's basically useless: the filter does
 150 ## nothing at all for single-homed hosts; and multi-homed hosts tend to have
 151 ## routing aysmmetries if there's any kind of cycle.
 152 setdevopt rp_filter 0
 153 setdevopt log_martians 0
 154
 155 ## Turn off things which can mess with our routing decisions.
 156 setdevopt accept_source_route 0
 157 setdevopt secure_redirects 1
 158
 159 ## If we're maent to stop the firewall, then now is the time to do it.
 160 $exit_after_clearing
 161
 162 m4_divert(34)m4_dnl
 163 ###--------------------------------------------------------------------------
 164 ### Establish error chains.
 165
 166 errorchain forbidden REJECT
 167 ## Generic `not allowed' chain.
 168
 169 errorchain tcp-fragment REJECT
 170 ## Chain for logging fragmented TCP segements.
 171
 172 errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
 173 ## Bad TCP segments (e.g., for unknown connections).  Sends a TCP reset.
 174
 175 errorchain mangle:bad-source-address DROP
 176 errorchain bad-source-address DROP
 177 ## Packet arrived on wrong interface for its source address.  Drops the
 178 ## packet, since there's nowhere sensible to send an error.
 179
 180 errorchain bad-destination-address REJECT
 181 ## Packet arrived on non-loopback interface with loopback destination.
 182
 183 errorchain interesting ACCEPT
 184 ## Not an error, just log interesting packets.
 185
 186 m4_divert(50)m4_dnl
 187 ###--------------------------------------------------------------------------
 188 ### Standard filtering.
 189
 190 ## Don't clobber local traffic
 191 run ip46tables -A INPUT -i lo -j ACCEPT
 192
 193 ## We really shouldn't see packets destined for localhost on any interface
 194 ## other than the loopback.
 195 run iptables -A INPUT -g bad-destination-address \
 196         -d 127.0.0.0/8
 197 run ip6tables -A INPUT -g bad-destination-address \
 198         -d ::1
 199
 200 ## We shouldn't be asked to forward things with link-local addresses.
 201 case $forward in
 202   1)
 203     run iptables -A FORWARD -g bad-source-address \
 204             -s 169.254.0.0/16
 205     run iptables -A FORWARD -g bad-destination-address \
 206             -d 169.254.0.0/16
 207     run ip6tables -A FORWARD -g bad-source-address \
 208             -s fe80::/10
 209     run ip6tables -A FORWARD -g bad-destination-address \
 210             -d fe80::/10
 211     ;;
 212 esac
 213
 214 ## Also, don't forward link-local broadcast or multicast.
 215 case $forward in
 216   1)
 217     run iptables -A FORWARD -g bad-destination-address \
 218             -d 255.255.255.255
 219     run iptables -A FORWARD -g bad-destination-address \
 220             -m addrtype --dst-type BROADCAST
 221     run iptables -A FORWARD -g bad-destination-address \
 222             -d 224.0.0.0/24
 223     clearchain check-fwd-multi
 224     for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
 225       run ip6tables -A check-fwd-multi -g bad-destination-address \
 226             -d ff${x}2::/16
 227     done
 228     run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
 229     ;;
 230 esac
 231
 232 ## Add a hook for fail2ban.
 233 clearchain fail2ban
 234 run ip46tables -A INPUT -j fail2ban
 235
 236 m4_divert(90)m4_dnl
 237 ###--------------------------------------------------------------------------
 238 ### Finishing touches.
 239
 240 m4_divert(94)m4_dnl
 241 ## Locally generated packets are all OK.
 242 run ip46tables -P OUTPUT ACCEPT
 243
 244 ## Other incoming things are forbidden.
 245 for chain in INPUT FORWARD; do
 246   run ip46tables -A $chain -g forbidden
 247 done
 248
 249 ## Allow stuff through unknown tables.
 250 for ip in ip ip6; do
 251   for table in $(cat /proc/net/${ip}_tables_names); do
 252     case $table in mangle | filter) continue ;; esac
 253     ${ip}tables -nL -t $table |
 254     sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
 255     while read chain; do
 256       run ${ip}tables -t $table -P $chain ACCEPT
 257     done
 258   done
 259 done
 260
 261 ## Dump the resulting configuration.
 262 if [ "$FW_DEBUG" ]; then
 263   for ip in ip ip6; do
 264     for table in mangle filter; do
 265       echo "----- $ip $table -----"
 266       echo
 267       ${ip}tables -t $table -nvL
 268       echo
 269     done
 270   done
 271 fi
 272
 273 m4_divert(-1)
 274 ###----- That's all, folks --------------------------------------------------