3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
38 ## There are two small blocks of publicly routable IPv4 addresses, and a
39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40 ## The former are as follows.
43 ## House border network (dmz). We have all of these, but .145
44 ## is reserved for the router.
47 ## Jump colocated network (jump). .65--68 are used by Jump
48 ## network infrastructure; we get the rest.
50 ## The latter is the block 172.29.196.0/22. Currently the low half is
51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
52 ## are allocated as follows.
54 ## 172.29.198.0/24 Untrusted networks.
55 ## .0/25 house wireless net
56 ## .128/28 iodine (IP-over-DNS) network
57 ## .160/27 untrusted virtual network
59 ## 172.29.199.0/24 Trusted networks.
60 ## .0/25 house wired network
61 ## .128/27 mobile VPN hosts
62 ## .160/28 reserved, except .160/30 allocated for ITS
63 ## .176/28 internal colocated network
64 ## .192/27 house safe network
65 ## .224/27 anycast services
69 ## There are five blocks of publicly routable IPv6 addresses, though some of
70 ## them aren't very interesting. The ranges are as follows.
72 ## 2001:470:1f08:1b98::/64
73 ## Hurricane Electric tunnel network: only :1 (HE) and :2
76 ## 2001:470:1f09:1b98::/64
77 ## House border network (dmz).
80 ## Main house range. See below for allocation policy.
82 ## 2001:ba8:0:1d9::/64
83 ## Jump border network (jump): :1 is the router (supplied by
84 ## Jump); other addresses are ours.
87 ## Main colocated range. See below for allocation policy.
89 ## Addresses in the /64 networks are simply allocated in ascending order.
90 ## The /48s are split into /64s by appending a 16-bit network number. The
91 ## top nibble of the network number classifies the network, as follows.
93 ## axxx Virtual, untrusted
97 ## 0xxx Unsafe, trusted
99 ## These have been chosen so that network properties can be deduced by
100 ## inspecting bits of the network number:
102 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.
103 ## Bit 14 If set, the network is safe; otherwise it is unsafe.
105 ## Finally, the low-order nibbles identify the site.
107 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
109 ## 2 Jump colocation.
111 ## Usually site-0 networks are allocated from the Jump range to improve
112 ## expected performance from/to external sites which don't engage in our
113 ## dynamic routing protocols.
115 ## Define the available network classes.
117 defnetclass scary scary trusted mcast
118 defnetclass untrusted scary untrusted trusted mcast
119 defnetclass trusted scary untrusted trusted safe noloop mcast
120 defnetclass safe trusted safe noloop mcast
121 defnetclass noloop trusted safe mcast
128 ###--------------------------------------------------------------------------
133 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
135 defnet unsafe trusted
136 addr 172.29.199.0/25 2001:470:9740:1::/64
139 addr 172.29.199.192/27 2001:470:9740:4001::/64
141 defnet untrusted untrusted
142 addr 172.29.198.0/25 2001:470:9740:8001::/64
145 defnet househub virtual
146 via housebdry dmz unsafe safe untrusted
147 defnet housebdry virtual
153 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
154 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
155 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
156 iface eth3 unsafe untrusted vpn default
159 iface vpn-precision colobdry vpn sgo
163 iface eth0 dmz unsafe
164 iface eth1 dmz unsafe
166 iface eth0 dmz unsafe
167 iface eth1 dmz unsafe
169 iface eth0 dmz unsafe
170 iface eth1 dmz unsafe
173 iface eth0 dmz unsafe untrusted
174 iface eth1 dmz unsafe untrusted
175 iface eth3 unsafe untrusted
178 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
179 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
180 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
181 iface eth0.7 unsafe untrusted vpn
182 iface vpn-precision colobdry vpn sgo
186 iface br-dmz dmz unsafe
187 iface br-unsafe unsafe
189 iface wlan0 untrusted
190 iface vpn-radius unsafe
193 iface wlan0 untrusted
194 iface vpn-radius unsafe
200 ## Colocated networks.
202 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
205 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
207 defnet colohub virtual
208 via colobdry jump colo
209 defnet colobdry virtual
211 defnet iodine untrusted
212 addr 172.29.198.128/28
217 iface br-jump jump colo
218 iface br-colo jump colo
221 iface eth0 jump colo vpn sgo
222 iface eth1 jump colo vpn sgo
223 iface vpn-mango binswood
224 iface vpn-radius housebdry vpn sgo
226 iface vpn-national upn
236 iface eth0 jump colo vpn
237 iface eth1 jump colo vpn
243 via housebdry colobdry
245 addr !172.29.198.0/23
251 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
258 defnet anycast trusted
259 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
260 via dmz unsafe safe untrusted jump colo vpn
262 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
263 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
264 addr 2001:ba8:1d9::/48 #temporary
265 via dmz unsafe untrusted jump colo
267 addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
269 host national 1 ::1:1
274 iface vpn-precision colohub
276 ## Satellite networks.
277 defnet binswood noloop
282 iface eth0 binswood default
283 iface vpn-precision colo
286 ###--------------------------------------------------------------------------
287 ### Connection tracking helper modules.
290 modprobe nf_conntrack_$i
294 ###--------------------------------------------------------------------------
295 ### Special forwarding exemptions.
300 ## Only allow these packets if they're not fragmented. (Don't trust safe
301 ## hosts's fragment reassembly to be robust against malicious fragments.)
302 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
303 ## of `! -f', so we do the negation using early return from a subchain.
304 clearchain fwd-spec-nofrag
305 run iptables -A fwd-spec-nofrag -j RETURN --fragment
306 run ip6tables -A fwd-spec-nofrag -j RETURN \
307 -m ipv6header --soft --header frag
308 run ip46tables -A FORWARD -j fwd-spec-nofrag
310 ## Allow ping from safe/noloop to untrusted networks.
311 run iptables -A fwd-spec-nofrag -j ACCEPT \
312 -p icmp --icmp-type echo-request \
313 -m mark --mark $to_untrusted/$MASK_TO
314 run iptables -A fwd-spec-nofrag -j ACCEPT \
315 -p icmp --icmp-type echo-reply \
316 -m mark --mark $from_untrusted/$MASK_FROM \
317 -m state --state ESTABLISHED
318 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
319 -p icmpv6 --icmpv6-type echo-request \
320 -m mark --mark $to_untrusted/$MASK_TO
321 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
322 -p icmpv6 --icmpv6-type echo-reply \
323 -m mark --mark $from_untrusted/$MASK_FROM \
324 -m state --state ESTABLISHED
326 ## Allow SSH from safe/noloop to untrusted networks.
327 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
328 -p tcp --destination-port $port_ssh \
329 -m mark --mark $to_untrusted/$MASK_TO
330 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
331 -p tcp --source-port $port_ssh \
332 -m mark --mark $from_untrusted/$MASK_FROM \
333 -m state --state ESTABLISHED
339 ###--------------------------------------------------------------------------
340 ### Kill things we don't understand properly.
342 ### I don't like having to do this, but since I don't know how to do proper
343 ### multicast filtering, I'm just going to ban it from being forwarded.
345 errorchain poorly-understood REJECT
347 ## Ban multicast destination addresses in forwarding.
350 run iptables -A FORWARD -g poorly-understood \
352 run ip6tables -A FORWARD -g poorly-understood \
358 ###--------------------------------------------------------------------------
359 ### Locally-bound packet inspection.
363 ## Track connections.
367 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
369 run iptables -A inbound -j ACCEPT \
370 -s 0.0.0.0 -d 255.255.255.255 \
371 -p udp --source-port $port_bootpc --destination-port $port_bootps
372 run iptables -A inbound -j ACCEPT \
374 -p udp --source-port $port_bootpc --destination-port $port_bootps
376 ## Allow incoming ping. This is the only ICMP left.
377 run iptables -A inbound -j ACCEPT -p icmp
378 run ip6tables -A inbound -j ACCEPT -p icmpv6
381 ## Allow unusual things.
384 ## Inspect inbound packets from untrusted sources.
385 run ip46tables -A inbound -j forbidden
386 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
387 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
389 ## Allow responses from the scary outside world into the untrusted net, but
390 ## don't let untrusted things run services.
393 run ip46tables -A FORWARD -j ACCEPT \
394 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
395 -m state --state ESTABLISHED,RELATED
399 ## Otherwise process as indicated by the mark.
400 for i in $inchains; do
401 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
405 ###----- That's all, folks --------------------------------------------------