~mdw / firewall / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
local.m4: Fix the IPv4 version of the `inbound-untrusted' chain.
[firewall] / local.m4
1 ### -*-sh-*-
2 ###
3 ### Local firewall configuration
4 ###
5 ### (c) 2008 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
26
27 m4_divert(6)m4_dnl
28 ## Default NTP servers.
29 defconf(ntp_servers,
30 "81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")
31
32 m4_divert(-1)
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
35
36 ## IPv4 addressing.
37 ##
38 ## There are two small blocks of publicly routable IPv4 addresses, and a
39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40 ## The former are as follows.
41 ##
42 ## 81.2.113.195, 81.187.238.128/28
43 ## House border network (dmz). We have all of these; the loose
44 ## address is for the router.
45 ##
46 ## 212.13.18.64/28
47 ## Jump colocated network (jump). .65--68 are used by Jump
48 ## network infrastructure; we get the rest.
49 ##
50 ## The latter is the block 172.29.196.0/22. Currently the low half is
51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
52 ## are allocated as follows.
53 ##
54 ## 172.29.198.0/24 Untrusted networks.
55 ## .0/25 house wireless net
56 ## .128/28 iodine (IP-over-DNS) network
57 ## .144/28 hippotat (IP-over-HTTP) network
58 ## .160/27 untrusted virtual network
59 ##
60 ## 172.29.199.0/24 Trusted networks.
61 ## .0/25 house wired network
62 ## .128/27 mobile VPN hosts
63 ## .160/28 reserved, except .160/30 allocated for ITS
64 ## .176/28 internal colocated network
65 ## .192/27 house safe network
66 ## .224/27 anycast services
67
68 ## IPv6 addressing.
69 ##
70 ## There are five blocks of publicly routable IPv6 addresses, though some of
71 ## them aren't very interesting. The ranges are as follows.
72 ##
73 ## 2001:8b0:c92::/48
74 ## Main house range (aaisp). See below for allocation policy.
75 ## There is no explicit DMZ allocation (and no need for one).
76 ##
77 ## 2001:ba8:0:1d9::/64
78 ## Jump border network (jump): :1 is the router (supplied by
79 ## Jump); other addresses are ours.
80 ##
81 ## 2001:ba8:1d9::/48
82 ## Main colocated range. See below for allocation policy.
83 ##
84 ## Addresses in the /64 networks are simply allocated in ascending order.
85 ## The /48s are split into /64s by appending a 16-bit network number. The
86 ## top nibble of the network number classifies the network, as follows.
87 ##
88 ## axxx Virtual, untrusted
89 ## 8xxx Untrusted
90 ## 6xxx Virtual, safe
91 ## 4xxx Safe
92 ## 0xxx Unsafe, trusted
93 ##
94 ## These have been chosen so that network properties can be deduced by
95 ## inspecting bits of the network number:
96 ##
97 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.
98 ## Bit 14 If set, the network is safe; otherwise it is unsafe.
99 ##
100 ## Finally, the low-order nibbles identify the site.
101 ##
102 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
103 ## 1 House.
104 ## 2 Jump colocation.
105 ## fff Local border network.
106 ##
107 ## Usually site-0 networks are allocated from the Jump range to improve
108 ## expected performance from/to external sites which don't engage in our
109 ## dynamic routing protocols.
110
111 ## Define the available network classes.
112 m4_divert(42)m4_dnl
113 defnetclass scary scary trusted vpnnat mcast
114 defnetclass untrusted scary untrusted trusted mcast
115 defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast
116 defnetclass safe trusted safe noloop vpnnat mcast
117 defnetclass noloop trusted safe mcast
118 defnetclass vpnnat scary trusted safe mcast
119
120 defnetclass link
121 defnetclass mcast
122 m4_divert(-1)
123
124 m4_divert(26)m4_dnl
125 ###--------------------------------------------------------------------------
126 ### Network layout.
127
128 ## House networks.
129 defnet dmz trusted
130 addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
131 via unsafe untrusted
132 defnet unsafe trusted
133 addr 172.29.199.0/25 2001:8b0:c92:1::/64
134 via househub
135 defnet safe safe
136 addr 172.29.199.192/27 2001:8b0:c92:4001::/64
137 via househub
138 defnet untrusted untrusted
139 addr 172.29.198.0/25 2001:8b0:c92:8001::/64
140 via househub
141
142 defnet househub virtual
143 via housebdry dmz unsafe safe untrusted
144 defnet housebdry virtual
145 via househub hub
146
147 ## House hosts.
148 defhost radius
149 hosttype router
150 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
151 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
152 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
153 iface eth3 unsafe untrusted vpn default
154 iface ppp0 default
155 iface t6-he default
156 iface vpn-precision colobdry vpn sgo
157 iface vpn-chiark sgo
158 iface vpn-+ vpn
159 defhost roadstar
160 iface eth0 dmz unsafe
161 iface eth1 dmz unsafe
162 defhost jem
163 iface eth0 dmz unsafe
164 iface eth1 dmz unsafe
165 defhost universe
166 iface eth0 dmz unsafe
167 iface eth1 dmz unsafe
168 defhost artist
169 hosttype router
170 iface eth0 dmz unsafe untrusted
171 iface eth1 dmz unsafe untrusted
172 iface eth3 unsafe untrusted
173 defhost vampire
174 hosttype router
175 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
176 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
177 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
178 iface eth0.7 unsafe untrusted vpn
179 iface vpn-precision colobdry vpn sgo
180 iface vpn-chiark sgo
181 iface vpn-+ vpn
182 defhost ibanez
183 iface br-dmz dmz unsafe
184 iface br-unsafe unsafe
185 defhost orange
186 iface wlan0 untrusted
187 iface vpn-radius unsafe
188 defhost groove
189 iface eth0 unsafe
190 iface wlan0 untrusted
191 iface vpn-radius unsafe
192
193 defhost gibson
194 hosttype client
195 iface eth0 unsafe
196
197 ## Colocated networks.
198 defnet jump trusted
199 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
200 via colohub
201 defnet colo trusted
202 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
203 via colohub
204 defnet colohub virtual
205 via colobdry jump colo
206 defnet colobdry virtual
207 via colohub hub
208 defnet iodine untrusted
209 addr 172.29.198.128/28
210 via colohub
211 defnet hippotat untrusted
212 addr 172.29.198.144/28
213 via colohub
214
215 ## Colocated hosts.
216 defhost fender
217 iface br-jump jump colo
218 iface br-colo jump colo
219 defhost precision
220 hosttype router
221 iface eth0 jump colo vpn sgo
222 iface eth1 jump colo vpn sgo
223 iface vpn-mango binswood
224 iface vpn-radius housebdry vpn sgo
225 iface vpn-chiark sgo
226 iface vpn-national upn
227 iface vpn-mdwdev upn
228 iface vpn-+ vpn
229 defhost telecaster
230 iface eth0 jump colo
231 iface eth1 jump colo
232 defhost stratocaster
233 iface eth0 jump colo
234 iface eth1 jump colo
235 defhost jazz
236 hosttype router
237 iface eth0 jump colo vpn
238 iface eth1 jump colo vpn
239 iface dns0 iodine
240 iface hippo-svc hippotat
241 iface vpn-+ vpn
242
243 ## Other networks.
244 defnet hub virtual
245 via housebdry colobdry
246 defnet sgo noloop
247 addr !172.29.198.0/23
248 addr !10.165.27.0/24
249 addr 10.0.0.0/8
250 addr 172.16.0.0/12
251 addr 192.168.0.0/16
252 via househub colohub
253 defnet vpn trusted
254 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
255 via househub colohub
256 host crybaby 1 ::1:1
257 host terror 2 ::2:1
258 host orange 3 ::3:1
259 host haze 4 ::4:1
260 host groove 5 ::5:1
261 host spirit 9 ::9:1
262 defnet anycast trusted
263 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
264 via dmz unsafe safe untrusted jump colo vpn
265 defnet default scary
266 addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
267 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
268 addr 2001:ba8:1d9::/48 #temporary
269 via dmz unsafe untrusted jump colo
270 defnet upn untrusted
271 addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
272 via colohub
273 host national 1 ::1:1
274 host mdwdev 2 ::2:1
275
276 ## Linode hosts.
277 defhost national
278 iface eth0 default
279 iface vpn-precision colohub
280
281 ## Satellite networks.
282 defnet binswood vpnnat
283 addr 10.165.27.0/24
284 via colohub
285 defhost mango
286 hosttype router
287 iface eth0 binswood default
288 iface vpn-precision colo default
289
290 m4_divert(80)m4_dnl
291 ###--------------------------------------------------------------------------
292 ### Connection tracking helper modules.
293
294 for i in ftp; do
295 modprobe nf_conntrack_$i
296 done
297
298 m4_divert(80)m4_dnl
299 ###--------------------------------------------------------------------------
300 ### Special forwarding exemptions.
301
302 case $forward in
303 1)
304
305 ## Only allow these packets if they're not fragmented. (Don't trust safe
306 ## hosts's fragment reassembly to be robust against malicious fragments.)
307 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
308 ## of `! -f', so we do the negation using early return from a subchain.
309 clearchain fwd-spec-nofrag
310 run iptables -A fwd-spec-nofrag -j RETURN --fragment
311 run ip6tables -A fwd-spec-nofrag -j RETURN \
312 -m ipv6header --soft --header frag
313 run ip46tables -A FORWARD -j fwd-spec-nofrag
314
315 ## Allow ping from safe/noloop to untrusted networks.
316 run iptables -A fwd-spec-nofrag -j ACCEPT \
317 -p icmp --icmp-type echo-request \
318 -m mark --mark $to_untrusted/$MASK_TO
319 run iptables -A fwd-spec-nofrag -j ACCEPT \
320 -p icmp --icmp-type echo-reply \
321 -m mark --mark $from_untrusted/$MASK_FROM \
322 -m state --state ESTABLISHED
323 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
324 -p icmpv6 --icmpv6-type echo-request \
325 -m mark --mark $to_untrusted/$MASK_TO
326 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
327 -p icmpv6 --icmpv6-type echo-reply \
328 -m mark --mark $from_untrusted/$MASK_FROM \
329 -m state --state ESTABLISHED
330
331 ## Allow SSH from safe/noloop to untrusted networks.
332 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
333 -p tcp --destination-port $port_ssh \
334 -m mark --mark $to_untrusted/$MASK_TO
335 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
336 -p tcp --source-port $port_ssh \
337 -m mark --mark $from_untrusted/$MASK_FROM \
338 -m state --state ESTABLISHED
339
340 ;;
341 esac
342
343 m4_divert(80)m4_dnl
344 ###--------------------------------------------------------------------------
345 ### Kill things we don't understand properly.
346 ###
347 ### I don't like having to do this, but since I don't know how to do proper
348 ### multicast filtering, I'm just going to ban it from being forwarded.
349
350 errorchain poorly-understood REJECT
351
352 ## Ban multicast destination addresses in forwarding.
353 case $forward in
354 1)
355 run iptables -A FORWARD -g poorly-understood \
356 -d 224.0.0.0/4
357 run ip6tables -A FORWARD -g poorly-understood \
358 -d ff::/8
359 ;;
360 esac
361
362 m4_divert(82)m4_dnl
363 ###--------------------------------------------------------------------------
364 ### Check for source routing.
365
366 clearchain check-srcroute
367
368 run iptables -A check-srcroute -g forbidden \
369 -m ipv4options --any --flags lsrr,ssrr
370 run ip6tables -A check-srcroute -g forbidden \
371 -m rt
372
373 for c in INPUT FORWARD; do
374 for m in $from_scary $from_untrusted; do
375 run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
376 done
377 done
378
379 m4_divert(84)m4_dnl
380 ###--------------------------------------------------------------------------
381 ### Locally-bound packet inspection.
382
383 clearchain inbound
384 clearchain inbound-untrusted
385
386 ## Track connections.
387 commonrules inbound
388 conntrack inbound
389
390 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
391 ## local request.
392 run iptables -A inbound -j ACCEPT \
393 -s 0.0.0.0 -d 255.255.255.255 \
394 -p udp --source-port $port_bootpc --destination-port $port_bootps
395 run iptables -A inbound -j ACCEPT \
396 -s 172.29.198.0/23 \
397 -p udp --source-port $port_bootpc --destination-port $port_bootps
398
399 ## Allow incoming ping. This is the only ICMP left.
400 run iptables -A inbound -j ACCEPT -p icmp
401 run ip6tables -A inbound -j ACCEPT -p icmpv6
402
403 m4_divert(88)m4_dnl
404 ## Allow unusual things.
405 openports inbound
406
407 ## Inspect inbound packets from untrusted sources.
408 run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
409 run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
410 run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted
411 run ip46tables -A inbound-untrusted -g forbidden
412 run ip46tables -A inbound -g forbidden
413 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
414 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
415
416 ## Allow responses from the scary outside world into the untrusted net, but
417 ## don't let untrusted things run services.
418 case $forward in
419 1)
420 run ip46tables -A FORWARD -j ACCEPT \
421 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
422 -m state --state ESTABLISHED,RELATED
423 ;;
424 esac
425
426 ## Otherwise process as indicated by the mark.
427 for i in $inchains; do
428 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
429 done
430
431 m4_divert(-1)
432 ###----- That's all, folks --------------------------------------------------
Firewall scripts for distorted.org.uk.