mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## IPv4 addressing.
  37 ##
  38 ## There are two small blocks of publicly routable IPv4 addresses, and a
  39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
  40 ## The former are as follows.
  41 ##
  42 ## 62.49.204.144/28
  43 ##              House border network (dmz).  We have all of these, but .145
  44 ##              is reserved for the router.
  45 ##
  46 ## 212.13.18.64/28
  47 ##              Jump colocated network (jump).  .65--68 are used by Jump
  48 ##              network infrastructure; we get the rest.
  49 ##
  50 ## The latter is the block 172.29.196.0/22.  Currently the low half is
  51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
  52 ## are allocated as follows.
  53 ##
  54 ## 172.29.198.0/24  Untrusted networks.
  55 ##      .0/25           house wireless net
  56 ##      .128/28         iodine (IP-over-DNS) network
  57 ##      .160/27         untrusted virtual network
  58 ##
  59 ## 172.29.199.0/24  Trusted networks.
  60 ##      .0/25           house wired network
  61 ##      .128/27         mobile VPN hosts
  62 ##      .160/28         reserved, except .160/30 allocated for ITS
  63 ##      .176/28         internal colocated network
  64 ##      .192/27         house safe network
  65 ##      .224/27         anycast services
  66
  67 ## IPv6 addressing.
  68 ##
  69 ## There are five blocks of publicly routable IPv6 addresses, though some of
  70 ## them aren't very interesting.  The ranges are as follows.
  71 ##
  72 ## 2001:470:1f08:1b98::/64
  73 ##              Hurricane Electric tunnel network: only :1 (HE) and :2
  74 ##              (radius) are used.
  75 ##
  76 ## 2001:470:1f09:1b98::/64
  77 ##              House border network (dmz).
  78 ##
  79 ## 2001:470:9740::/48
  80 ##              Main house range.  See below for allocation policy.
  81 ##
  82 ## 2001:ba8:0:1d9::/64
  83 ##              Jump border network (jump): :1 is the router (supplied by
  84 ##              Jump); other addresses are ours.
  85 ##
  86 ## 2001:ba8:1d9::/48
  87 ##              Main colocated range.  See below for allocation policy.
  88 ##
  89 ## Addresses in the /64 networks are simply allocated in ascending order.
  90 ## The /48s are split into /64s by appending a 16-bit network number.  The
  91 ## top nibble of the network number classifies the network, as follows.
  92 ##
  93 ## axxx         Virtual, untrusted
  94 ## 8xxx         Untrusted
  95 ## 6xxx         Virtual, safe
  96 ## 4xxx         Safe
  97 ## 0xxx         Unsafe, trusted
  98 ##
  99 ## These have been chosen so that network properties can be deduced by
 100 ## inspecting bits of the network number:
 101 ##
 102 ## Bit 15       If set, the network is untrusted; otherwise it is trusted.
 103 ## Bit 14       If set, the network is safe; otherwise it is unsafe.
 104 ##
 105 ## Finally, the low-order nibbles identify the site.
 106 ##
 107 ## 0            No specific site: mobile VPN endpoints or anycast addresses.
 108 ## 1            House.
 109 ## 2            Jump colocation.
 110 ##
 111 ## Usually site-0 networks are allocated from the Jump range to improve
 112 ## expected performance from/to external sites which don't engage in our
 113 ## dynamic routing protocols.
 114
 115 ## Define the available network classes.
 116 m4_divert(42)m4_dnl
 117 defnetclass scary       scary           trusted             mcast
 118 defnetclass untrusted   scary untrusted trusted             mcast
 119 defnetclass trusted     scary untrusted trusted safe noloop mcast
 120 defnetclass safe                        trusted safe noloop mcast
 121 defnetclass noloop                      trusted safe        mcast
 122
 123 defnetclass link
 124 defnetclass mcast
 125 m4_divert(-1)
 126
 127 m4_divert(26)m4_dnl
 128 ###--------------------------------------------------------------------------
 129 ### Network layout.
 130
 131 ## House networks.
 132 defnet dmz trusted
 133         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 134         via unsafe untrusted
 135 defnet unsafe trusted
 136         addr 172.29.199.0/25 2001:470:9740:1::/64
 137         via househub
 138 defnet safe safe
 139         addr 172.29.199.192/27 2001:470:9740:4001::/64
 140         via househub
 141 defnet untrusted untrusted
 142         addr 172.29.198.0/25 2001:470:9740:8001::/64
 143         via househub
 144
 145 defnet househub virtual
 146         via housebdry dmz unsafe safe untrusted
 147 defnet housebdry virtual
 148         via househub hub
 149
 150 ## House hosts.
 151 defhost radius
 152         hosttype router
 153         iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
 154         iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
 155         iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
 156         iface eth3 unsafe untrusted vpn default
 157         iface ppp0 default
 158         iface t6-he default
 159         iface vpn-precision colobdry vpn sgo
 160         iface vpn-chiark sgo
 161         iface vpn-+ vpn
 162 defhost roadstar
 163         iface eth0 dmz unsafe
 164         iface eth1 dmz unsafe
 165 defhost jem
 166         iface eth0 dmz unsafe
 167         iface eth1 dmz unsafe
 168 defhost universe
 169         iface eth0 dmz unsafe
 170         iface eth1 dmz unsafe
 171 defhost artist
 172         hosttype router
 173         iface eth0 dmz unsafe untrusted
 174         iface eth1 dmz unsafe untrusted
 175         iface eth3 unsafe untrusted
 176 defhost vampire
 177         hosttype router
 178         iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
 179         iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
 180         iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
 181         iface eth0.7 unsafe untrusted vpn
 182         iface vpn-precision colobdry vpn sgo
 183         iface vpn-chiark sgo
 184         iface vpn-+ vpn
 185 defhost ibanez
 186         iface br-dmz dmz unsafe
 187         iface br-unsafe unsafe
 188 defhost orange
 189         iface wlan0 untrusted
 190         iface vpn-radius unsafe
 191 defhost groove
 192         iface eth0 unsafe
 193         iface wlan0 untrusted
 194         iface vpn-radius unsafe
 195
 196 defhost gibson
 197         hosttype client
 198         iface eth0.5 unsafe
 199
 200 ## Colocated networks.
 201 defnet jump trusted
 202         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 203         via colohub
 204 defnet colo trusted
 205         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 206         via colohub
 207 defnet colohub virtual
 208         via colobdry jump colo
 209 defnet colobdry virtual
 210         via colohub hub
 211 defnet iodine untrusted
 212         addr 172.29.198.128/28
 213         via colohub
 214
 215 ## Colocated hosts.
 216 defhost fender
 217         iface br-jump jump colo
 218         iface br-colo jump colo
 219 defhost precision
 220         hosttype router
 221         iface eth0 jump colo vpn sgo
 222         iface eth1 jump colo vpn sgo
 223         iface vpn-mango binswood
 224         iface vpn-radius housebdry vpn sgo
 225         iface vpn-chiark sgo
 226         iface vpn-national upn
 227         iface vpn-+ vpn
 228 defhost telecaster
 229         iface eth0 jump colo
 230         iface eth1 jump colo
 231 defhost stratocaster
 232         iface eth0 jump colo
 233         iface eth1 jump colo
 234 defhost jazz
 235         hosttype router
 236         iface eth0 jump colo vpn
 237         iface eth1 jump colo vpn
 238         iface dns0 iodine
 239         iface vpn-+ vpn
 240
 241 ## Other networks.
 242 defnet hub virtual
 243         via housebdry colobdry
 244 defnet sgo noloop
 245         addr !172.29.198.0/23
 246         addr 10.0.0.0/8
 247         addr 172.16.0.0/12
 248         addr 192.168.0.0/16
 249         via househub colohub
 250 defnet vpn safe
 251         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
 252         via househub colohub
 253         host crybaby 1 ::1:1
 254         host terror 2 ::2:1
 255         host orange 3 ::3:1
 256         host haze 4 ::4:1
 257         host groove 5 ::5:1
 258 defnet anycast trusted
 259         addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 260         via dmz unsafe safe untrusted jump colo vpn
 261 defnet default scary
 262         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 263         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 264         addr 2001:ba8:1d9::/48 #temporary
 265         via dmz unsafe untrusted jump colo
 266 defnet upn untrusted
 267         addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
 268         via colohub
 269         host national 1 ::1:1
 270
 271 ## Linode hosts.
 272 defhost national
 273         iface eth0 default
 274         iface vpn-precision colohub
 275
 276 ## Satellite networks.
 277 defnet binswood noloop
 278         addr 10.165.27.0/24
 279         via colohub
 280 defhost mango
 281         hosttype router
 282         iface eth0 binswood default
 283         iface vpn-precision colo
 284
 285 m4_divert(80)m4_dnl
 286 ###--------------------------------------------------------------------------
 287 ### Connection tracking helper modules.
 288
 289 for i in ftp; do
 290   modprobe nf_conntrack_$i
 291 done
 292
 293 m4_divert(80)m4_dnl
 294 ###--------------------------------------------------------------------------
 295 ### Special forwarding exemptions.
 296
 297 case $forward in
 298   1)
 299
 300     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 301     ## hosts's fragment reassembly to be robust against malicious fragments.)
 302     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 303     ## of `! -f', so we do the negation using early return from a subchain.
 304     clearchain fwd-spec-nofrag
 305     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 306     run ip6tables -A fwd-spec-nofrag -j RETURN \
 307             -m ipv6header --soft --header frag
 308     run ip46tables -A FORWARD -j fwd-spec-nofrag
 309
 310     ## Allow ping from safe/noloop to untrusted networks.
 311     run iptables -A fwd-spec-nofrag -j ACCEPT \
 312             -p icmp --icmp-type echo-request \
 313             -m mark --mark $to_untrusted/$MASK_TO
 314     run iptables -A fwd-spec-nofrag -j ACCEPT \
 315             -p icmp --icmp-type echo-reply \
 316             -m mark --mark $from_untrusted/$MASK_FROM \
 317             -m state --state ESTABLISHED
 318     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 319             -p icmpv6 --icmpv6-type echo-request \
 320             -m mark --mark $to_untrusted/$MASK_TO
 321     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 322             -p icmpv6 --icmpv6-type echo-reply \
 323             -m mark --mark $from_untrusted/$MASK_FROM \
 324             -m state --state ESTABLISHED
 325
 326     ## Allow SSH from safe/noloop to untrusted networks.
 327     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 328             -p tcp --destination-port $port_ssh \
 329             -m mark --mark $to_untrusted/$MASK_TO
 330     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 331             -p tcp --source-port $port_ssh \
 332             -m mark --mark $from_untrusted/$MASK_FROM \
 333             -m state --state ESTABLISHED
 334
 335     ;;
 336 esac
 337
 338 m4_divert(80)m4_dnl
 339 ###--------------------------------------------------------------------------
 340 ### Kill things we don't understand properly.
 341 ###
 342 ### I don't like having to do this, but since I don't know how to do proper
 343 ### multicast filtering, I'm just going to ban it from being forwarded.
 344
 345 errorchain poorly-understood REJECT
 346
 347 ## Ban multicast destination addresses in forwarding.
 348 case $forward in
 349   1)
 350     run iptables -A FORWARD -g poorly-understood \
 351             -d 224.0.0.0/4
 352     run ip6tables -A FORWARD -g poorly-understood \
 353             -d ff::/8
 354     ;;
 355 esac
 356
 357 m4_divert(84)m4_dnl
 358 ###--------------------------------------------------------------------------
 359 ### Locally-bound packet inspection.
 360
 361 clearchain inbound
 362
 363 ## Track connections.
 364 commonrules inbound
 365 conntrack inbound
 366
 367 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 368 ## local request.
 369 run iptables -A inbound -j ACCEPT \
 370         -s 0.0.0.0 -d 255.255.255.255 \
 371         -p udp --source-port $port_bootpc --destination-port $port_bootps
 372 run iptables -A inbound -j ACCEPT \
 373         -s 172.29.198.0/23 \
 374         -p udp --source-port $port_bootpc --destination-port $port_bootps
 375
 376 ## Allow incoming ping.  This is the only ICMP left.
 377 run iptables -A inbound -j ACCEPT -p icmp
 378 run ip6tables -A inbound -j ACCEPT -p icmpv6
 379
 380 m4_divert(88)m4_dnl
 381 ## Allow unusual things.
 382 openports inbound
 383
 384 ## Inspect inbound packets from untrusted sources.
 385 run ip46tables -A inbound -j forbidden
 386 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
 387 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 388
 389 ## Allow responses from the scary outside world into the untrusted net, but
 390 ## don't let untrusted things run services.
 391 case $forward in
 392   1)
 393     run ip46tables -A FORWARD -j ACCEPT \
 394         -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
 395         -m state --state ESTABLISHED,RELATED
 396     ;;
 397 esac
 398
 399 ## Otherwise process as indicated by the mark.
 400 for i in $inchains; do
 401   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 402 done
 403
 404 m4_divert(-1)
 405 ###----- That's all, folks --------------------------------------------------