mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## IPv4 addressing.
  37 ##
  38 ## There are two small blocks of publicly routable IPv4 addresses, and a
  39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
  40 ## The former are as follows.
  41 ##
  42 ## 62.49.204.144/28
  43 ##              House border network (dmz).  We have all of these, but .145
  44 ##              is reserved for the router.
  45 ##
  46 ## 212.13.18.64/28
  47 ##              Jump colocated network (jump).  .65--68 are used by Jump
  48 ##              network infrastructure; we get the rest.
  49 ##
  50 ## The latter is the block 172.29.196.0/22.  Currently the low half is
  51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
  52 ## are allocated as follows.
  53 ##
  54 ## 172.29.198.0/24  Untrusted networks.
  55 ##      .0/25           house wireless net
  56 ##      .128/28         iodine (IP-over-DNS) network
  57 ##
  58 ## 172.29.199.0/24  Trusted networks.
  59 ##      .0/25           house wired network
  60 ##      .128/27         mobile VPN hosts
  61 ##      .160/28         reserved, except .160/30 allocated for ITS
  62 ##      .176/28         internal colocated network
  63 ##      .192/27         house safe network
  64 ##      .224/27         anycast services
  65
  66 ## IPv6 addressing.
  67 ##
  68 ## There are five blocks of publicly routable IPv6 addresses, though some of
  69 ## them aren't very interesting.  The ranges are as follows.
  70 ##
  71 ## 2001:470:1f08:1b98::/64
  72 ##              Hurricane Electric tunnel network: only :1 (HE) and :2
  73 ##              (radius) are used.
  74 ##
  75 ## 2001:470:1f09:1b98::/64
  76 ##              House border network (dmz).
  77 ##
  78 ## 2001:470:9740::/48
  79 ##              Main house range.  See below for allocation policy.
  80 ##
  81 ## 2001:ba8:0:1d9::/64
  82 ##              Jump border network (jump): :1 is the router (supplied by
  83 ##              Jump); other addresses are ours.
  84 ##
  85 ## 2001:ba8:1d9::/48
  86 ##              Main colocated range.  See below for allocation policy.
  87 ##
  88 ## Addresses in the /64 networks are simply allocated in ascending order.
  89 ## The /48s are split into /64s by appending a 16-bit network number.  The
  90 ## top nibble of the network number classifies the network, as follows.
  91 ##
  92 ## 8xxx         Untrusted
  93 ## 6xxx         Virtual
  94 ## 4xxx         Safe
  95 ## 0xxx         Unsafe, trusted
  96 ##
  97 ## These have been chosen so that network properties can be deduced by
  98 ## inspecting bits of the network number:
  99 ##
 100 ## Bit 15       If set, the network is untrusted; otherwise it is trusted.
 101 ## Bit 14       If set, the network is safe; otherwise it is unsafe.
 102 ##
 103 ## Finally, the low-order nibbles identify the site.
 104 ##
 105 ## 0            No specific site: mobile VPN endpoints or anycast addresses.
 106 ## 1            House.
 107 ## 2            Jump colocation.
 108 ##
 109 ## Usually site-0 networks are allocated from the Jump range to improve
 110 ## expected performance from/to external sites which don't engage in our
 111 ## dynamic routing protocols.
 112
 113 ## Define the available network classes.
 114 m4_divert(42)m4_dnl
 115 defnetclass untrusted untrusted trusted mcast
 116 defnetclass trusted untrusted trusted safe noloop mcast
 117 defnetclass safe trusted safe noloop mcast
 118 defnetclass noloop trusted safe mcast
 119 defnetclass link
 120 defnetclass mcast
 121 m4_divert(-1)
 122
 123 m4_divert(26)m4_dnl
 124 ###--------------------------------------------------------------------------
 125 ### Network layout.
 126
 127 ## House networks.
 128 defnet dmz trusted
 129         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 130         via unsafe untrusted
 131 defnet unsafe trusted
 132         addr 172.29.199.0/25 2001:470:9740:1::/64
 133         via househub
 134 defnet safe safe
 135         addr 172.29.199.192/27 2001:470:9740:4001::/64
 136         via househub
 137 defnet untrusted untrusted
 138         addr 172.29.198.0/25 2001:470:9740:8001::/64
 139         via househub
 140
 141 defnet househub virtual
 142         via housebdry dmz unsafe safe untrusted
 143 defnet housebdry virtual
 144         via househub hub
 145         noxit dmz
 146
 147 ## House hosts.
 148 defhost radius
 149         hosttype router
 150         iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
 151         iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
 152         iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
 153         iface eth3 untrusted vpn default
 154         iface ppp0 default
 155         iface t6-he default
 156         iface vpn-precision colobdry vpn sgo
 157         iface vpn-chiark sgo
 158         iface vpn-+ vpn
 159 defhost roadstar
 160         iface eth0 dmz unsafe
 161         iface eth1 dmz unsafe
 162 defhost jem
 163         iface eth0 dmz unsafe
 164         iface eth1 dmz unsafe
 165 defhost artist
 166         hosttype router
 167         iface eth0 dmz unsafe untrusted
 168         iface eth1 dmz unsafe untrusted
 169         iface eth3 untrusted
 170 defhost vampire
 171         hosttype router
 172         iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
 173         iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
 174         iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
 175         iface eth0.7 untrusted
 176         iface vpn-precision colobdry vpn sgo
 177         iface vpn-chiark sgo
 178         iface vpn-+ vpn
 179 defhost ibanez
 180         iface br-dmz dmz unsafe
 181         iface br-unsafe unsafe
 182 defhost orange
 183         iface wlan0 untrusted
 184         iface vpn-radius unsafe
 185
 186 defhost gibson
 187         hosttype client
 188         iface eth0 unsafe
 189
 190 ## Colocated networks.
 191 defnet jump trusted
 192         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 193         via colohub
 194 defnet colo trusted
 195         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 196         via colohub
 197 defnet colohub virtual
 198         via colobdry jump colo
 199 defnet colobdry virtual
 200         via colohub hub
 201         noxit jump
 202 defnet iodine untrusted
 203         addr 172.29.198.128/28
 204         via colohub
 205
 206 ## Colocated hosts.
 207 defhost fender
 208         iface br-jump jump colo
 209         iface br-colo jump colo
 210 defhost precision
 211         hosttype router
 212         iface eth0 jump colo vpn sgo
 213         iface eth1 jump colo vpn sgo
 214         iface vpn-radius housebdry vpn sgo
 215         iface vpn-chiark sgo
 216         iface vpn-+ vpn
 217 defhost telecaster
 218         iface eth0 jump colo
 219         iface eth1 jump colo
 220 defhost stratocaster
 221         iface eth0 jump colo
 222         iface eth1 jump colo
 223 defhost jazz
 224         hosttype router
 225         iface eth0 jump colo vpn
 226         iface eth1 jump colo vpn
 227         iface dns0 iodine
 228         iface vpn-+ vpn
 229
 230 ## Other networks.
 231 defnet hub virtual
 232         via housebdry colobdry
 233 defnet sgo noloop
 234         addr !172.29.198.0/23
 235         addr 10.0.0.0/8
 236         addr 172.16.0.0/12
 237         addr 192.168.0.0/16
 238         via househub colohub
 239 defnet vpn safe
 240         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
 241         via househub colohub
 242         host crybaby 1
 243         host terror 2
 244         host orange 3
 245 defnet anycast trusted
 246         addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 247         via dmz unsafe safe untrusted jump colo vpn
 248 defnet default untrusted
 249         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 250         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 251         addr 2001:ba8:1d9::/48 #temporary
 252         via dmz unsafe untrusted jump colo
 253
 254 m4_divert(80)m4_dnl
 255 ###--------------------------------------------------------------------------
 256 ### Special forwarding exemptions.
 257
 258 case $forward in
 259   1)
 260
 261     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 262     ## hosts's fragment reassembly to be robust against malicious fragments.)
 263     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 264     ## of `! -f', so we do the negation using early return from a subchain.
 265     clearchain fwd-spec-nofrag
 266     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 267     run ip6tables -A fwd-spec-nofrag -j RETURN \
 268             -m ipv6header --soft --header frag
 269     run ip46tables -A FORWARD -j fwd-spec-nofrag
 270
 271     ## Allow ping from safe/noloop to untrusted networks.
 272     run iptables -A fwd-spec-nofrag -j ACCEPT \
 273             -p icmp --icmp-type echo-request \
 274             -m mark --mark $to_untrusted/$MASK_TO
 275     run iptables -A fwd-spec-nofrag -j ACCEPT \
 276             -p icmp --icmp-type echo-reply \
 277             -m mark --mark $from_untrusted/$MASK_FROM \
 278             -m state --state ESTABLISHED
 279     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 280             -p icmpv6 --icmpv6-type echo-request \
 281             -m mark --mark $to_untrusted/$MASK_TO
 282     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 283             -p icmpv6 --icmpv6-type echo-reply \
 284             -m mark --mark $from_untrusted/$MASK_FROM \
 285             -m state --state ESTABLISHED
 286
 287     ## Allow SSH from safe/noloop to untrusted networks.
 288     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 289             -p tcp --destination-port $port_ssh \
 290             -m mark --mark $to_untrusted/$MASK_TO
 291     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 292             -p tcp --source-port $port_ssh \
 293             -m mark --mark $from_untrusted/$MASK_FROM \
 294             -m state --state ESTABLISHED
 295
 296     ;;
 297 esac
 298
 299 m4_divert(80)m4_dnl
 300 ###--------------------------------------------------------------------------
 301 ### Kill things we don't understand properly.
 302 ###
 303 ### I don't like having to do this, but since I don't know how to do proper
 304 ### multicast filtering, I'm just going to ban it from being forwarded.
 305
 306 errorchain poorly-understood REJECT
 307
 308 ## Ban multicast destination addresses in forwarding.
 309 case $forward in
 310   1)
 311     run iptables -A FORWARD -g poorly-understood \
 312             -d 224.0.0.0/4
 313     run ip6tables -A FORWARD -g poorly-understood \
 314             -d ff::/8
 315     ;;
 316 esac
 317
 318 m4_divert(84)m4_dnl
 319 ###--------------------------------------------------------------------------
 320 ### Locally-bound packet inspection.
 321
 322 clearchain inbound
 323
 324 ## Track connections.
 325 commonrules inbound
 326 conntrack inbound
 327
 328 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 329 ## local request.
 330 run iptables -A inbound -j ACCEPT \
 331         -s 0.0.0.0 -d 255.255.255.255 \
 332         -p udp --source-port $port_bootpc --destination-port $port_bootps
 333 run iptables -A inbound -j ACCEPT \
 334         -s 172.29.198.0/23 \
 335         -p udp --source-port $port_bootpc --destination-port $port_bootps
 336
 337 ## Allow incoming ping.  This is the only ICMP left.
 338 run ip46tables -A inbound -j ACCEPT -p icmp
 339
 340 m4_divert(88)m4_dnl
 341 ## Allow unusual things.
 342 openports inbound
 343
 344 ## Inspect inbound packets from untrusted sources.
 345 run ip46tables -A inbound -j forbidden
 346 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 347
 348 ## Otherwise process as indicated by the mark.
 349 for i in $inchains; do
 350   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 351 done
 352
 353 m4_divert(-1)
 354 ###----- That's all, folks --------------------------------------------------