local.m4: Don't expect `forbidden' to return.
### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.
##
## This file is run through m4 with prefixed builtins.  Each m4_divert(N)
## sends the text that follows into output stream N, and the streams are
## emitted in numeric order at the end, so the sections of this file are
## assembled in diversion order rather than file order.  m4_divert(-1)
## discards text until the next diversion, which is how the long prose
## blocks are kept out of the generated script.

m4_divert(6)m4_dnl
## Default NTP servers.
## NOTE(review): the consumer of ntp_servers lives outside this file;
## presumably it builds the NTP rules from this one space-separated string --
## confirm its expected format before changing it.
defconf(ntp_servers,
  "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
##   81.2.113.195, 81.187.238.128/28
##     House border network (dmz). We have all of these; the loose
##     address is for the router.
##
##   212.13.18.64/28
##     Jump colocated network (jump). .65--68 are used by Jump
##     network infrastructure; we get the rest.
##     NOTE(review): the jump and default network declarations further
##     down both use 212.13.198.64/28, so one of the two spellings is a
##     typo -- check which against the Jump allocation and fix the other.
##
## The latter is the block 172.29.196.0/22. Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
##   172.29.198.0/24 Untrusted networks.
##     .0/25     house wireless net
##     .128/28   iodine (IP-over-DNS) network
##     .144/28   hippotat (IP-over-HTTP) network
##     .160/27   untrusted virtual network
##
##   172.29.199.0/24 Trusted networks.
##     .0/25     house wired network
##     .128/27   mobile VPN hosts
##     .160/28   reserved, except .160/30 allocated for ITS
##     .176/28   internal colocated network
##     .192/27   house safe network
##     .224/27   anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting. The ranges are as follows.
##
##   2001:8b0:c92::/48
##     Main house range (aaisp). See below for allocation policy.
##     There is no explicit DMZ allocation (and no need for one).
##
##   2001:ba8:0:1d9::/64
##     Jump border network (jump): :1 is the router (supplied by
##     Jump); other addresses are ours.
##
##   2001:ba8:1d9::/48
##     Main colocated range. See below for allocation policy.
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
##
##   axxx  Virtual, untrusted
##   8xxx  Untrusted
##   6xxx  Virtual, safe
##   4xxx  Safe
##   0xxx  Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
##   Bit 15  If set, the network is untrusted; otherwise it is trusted.
##   Bit 14  If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
##   0    No specific site: mobile VPN endpoints or anycast addresses.
##   1    House.
##   2    Jump colocation.
##   fff  Local border network.
##
## Usually site-0 networks are allocated from the Jump range to improve
## expected performance from/to external sites which don't engage in our
## dynamic routing protocols.

## Define the available network classes.
##
## Each line is  defnetclass CLASS PEER ...  where the PEERs are the other
## classes CLASS may exchange traffic with by default.  NOTE(review): that
## reading is inferred from usage -- it is consistent with the rule later in
## this file which has to admit scary->untrusted replies separately (untrusted
## is not in the scary row), but confirm it against the framework before
## editing the table.
##
## Observations that hold for the table as written: safe appears only in the
## trusted, safe and noloop rows, so safe networks are never peered with
## scary or untrusted ones by default; mcast is in every row except link;
## noloop is not in its own row.
m4_divert(42)m4_dnl
defnetclass scary     scary trusted mcast
defnetclass untrusted scary untrusted trusted mcast
defnetclass trusted   scary untrusted trusted safe noloop mcast
defnetclass safe      trusted safe noloop mcast
defnetclass noloop    trusted safe mcast

defnetclass link
defnetclass mcast
m4_divert(-1)
122
m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.
##
## The declarations below are shell functions supplied by the framework (not
## defined in this file).  As they are used here:
##
##   defnet NAME CLASS        start a network of the given netclass
##     addr ADDR ...          its address ranges (a leading ! appears to
##                            exclude a range from the network)
##     via NET ...            the networks through which it is reached
##     host NAME N SUFFIX     a host at IPv4 offset N / IPv6 suffix SUFFIX
##   defhost NAME             start a host
##     hosttype TYPE          router or client (optional)
##     iface IFACE NET ...    the networks reachable through an interface
##
## NOTE(review): these readings are inferred from usage in this file; confirm
## against the framework before relying on them.

## House networks.
defnet dmz trusted
  addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
  via unsafe untrusted
defnet unsafe trusted
  addr 172.29.199.0/25 2001:8b0:c92:1::/64
  via househub
defnet safe safe
  addr 172.29.199.192/27 2001:8b0:c92:4001::/64
  via househub
defnet untrusted untrusted
  addr 172.29.198.0/25 2001:8b0:c92:8001::/64
  via househub

## Virtual hubs: these carry no addresses of their own and only express
## adjacency between the networks they list.
defnet househub virtual
  via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
  via househub hub

## House hosts.
defhost radius
  hosttype router
  iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
  iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
  iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
  iface eth3 unsafe untrusted vpn default
  iface ppp0 default
  iface t6-he default
  iface vpn-precision colobdry vpn sgo
  iface vpn-chiark sgo
  iface vpn-+ vpn
defhost roadstar
  iface eth0 dmz unsafe
  iface eth1 dmz unsafe
defhost jem
  iface eth0 dmz unsafe
  iface eth1 dmz unsafe
defhost universe
  iface eth0 dmz unsafe
  iface eth1 dmz unsafe
defhost artist
  hosttype router
  iface eth0 dmz unsafe untrusted
  iface eth1 dmz unsafe untrusted
  iface eth3 unsafe untrusted
defhost vampire
  hosttype router
  iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
  iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
  iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
  iface eth0.7 unsafe untrusted vpn
  iface vpn-precision colobdry vpn sgo
  iface vpn-chiark sgo
  iface vpn-+ vpn
defhost ibanez
  iface br-dmz dmz unsafe
  iface br-unsafe unsafe
## orange and groove also appear as vpn hosts below: on the house wireless
## they are untrusted, and only the tunnel to radius gives them unsafe.
defhost orange
  iface wlan0 untrusted
  iface vpn-radius unsafe
defhost groove
  iface eth0 unsafe
  iface wlan0 untrusted
  iface vpn-radius unsafe

defhost gibson
  hosttype client
  iface eth0 unsafe

## Colocated networks.
defnet jump trusted
  addr 212.13.198.64/28 2001:ba8:0:1d9::/64
  via colohub
defnet colo trusted
  addr 172.29.199.176/28 2001:ba8:1d9:2::/64
  via colohub
defnet colohub virtual
  via colobdry jump colo
defnet colobdry virtual
  via colohub hub
## The tunnel-over-DNS and tunnel-over-HTTP networks are IPv4 only and
## untrusted; they hang off jazz (see below).
defnet iodine untrusted
  addr 172.29.198.128/28
  via colohub
defnet hippotat untrusted
  addr 172.29.198.144/28
  via colohub

## Colocated hosts.
defhost fender
  iface br-jump jump colo
  iface br-colo jump colo
defhost precision
  hosttype router
  iface eth0 jump colo vpn sgo
  iface eth1 jump colo vpn sgo
  iface vpn-mango binswood
  iface vpn-radius housebdry vpn sgo
  iface vpn-chiark sgo
  iface vpn-national upn
  iface vpn-+ vpn
defhost telecaster
  iface eth0 jump colo
  iface eth1 jump colo
defhost stratocaster
  iface eth0 jump colo
  iface eth1 jump colo
defhost jazz
  hosttype router
  iface eth0 jump colo vpn
  iface eth1 jump colo vpn
  iface dns0 iodine
  iface hippo-svc hippotat
  iface vpn-+ vpn

## Other networks.
defnet hub virtual
  via housebdry colobdry
## sgo: the RFC1918 ranges, minus our own G-RIN block 172.29.198.0/23 which
## is declared as real networks above.  It is listed on the vpn-* interfaces
## of the routers, so it appears to describe address space reached over the
## VPNs.  noloop, so it is not peered with itself (see the netclass table).
defnet sgo noloop
  addr !172.29.198.0/23
  addr 10.0.0.0/8
  addr 172.16.0.0/12
  addr 192.168.0.0/16
  via househub colohub
## Mobile VPN hosts: IPv4 offsets 1-5 within .128/27, IPv6 suffixes ::N:1.
defnet vpn trusted
  addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
  via househub colohub
  host crybaby 1 ::1:1
  host terror 2 ::2:1
  host orange 3 ::3:1
  host haze 4 ::4:1
  host groove 5 ::5:1
defnet anycast trusted
  addr 172.29.199.224/27 2001:ba8:1d9:0::/64
  via dmz unsafe safe untrusted jump colo vpn
## The catch-all, classed scary: the dmz addresses, the whole house /48, the
## jump /28 and /64, and (temporarily) the whole colo /48.
## NOTE(review): these ranges contain the more specific networks declared
## above (unsafe, safe, untrusted, colo, vpn, anycast, upn); presumably the
## classifier prefers the more specific match -- confirm.  The #temporary
## entry records no condition for its removal; note when it can go.
defnet default scary
  addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
  addr 212.13.198.64/28 2001:ba8:0:1d9::/64
  addr 2001:ba8:1d9::/48 #temporary
  via dmz unsafe untrusted jump colo
defnet upn untrusted
  addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
  via colohub
  host national 1 ::1:1

## Linode hosts.
defhost national
  iface eth0 default
  iface vpn-precision colohub

## Satellite networks.
defnet binswood noloop
  addr 10.165.27.0/24
  via colohub
defhost mango
  hosttype router
  iface eth0 binswood default
  iface vpn-precision colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Connection tracking helper modules.
##
## Load the kernel conntrack helpers the rules rely on; only ftp for now.
## NOTE(review): on kernels from 4.7 onwards loading nf_conntrack_ftp is not
## by itself enough to track FTP data connections -- automatic helper
## assignment is off by default there (and the sysctl is gone since 6.0), so
## a CT --helper ftp rule in the raw table is also needed.  Confirm which
## kernel this runs on.

for helper in ftp; do
  modprobe "nf_conntrack_$helper"
done

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.
##
## Only installed on a forwarding host: $forward is set by the framework and
## 1 appears to mean that this host forwards.  The mark variables
## ($to_untrusted, $from_untrusted, $MASK_TO, $MASK_FROM) and $port_ssh also
## come from the framework; the marks carry the packet classification that
## was computed earlier in the generated script.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented. (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    ##
    ## How the subchain works: --fragment matches the second and later
    ## fragments of an IPv4 packet, and ipv6header --soft --header frag
    ## matches any IPv6 packet carrying a fragment extension header; both
    ## RETURN to FORWARD, so only unfragmented packets reach the ACCEPT rules
    ## below.  The subchain is entered with -j rather than -g, so whatever it
    ## does not ACCEPT also falls back to FORWARD for the ordinary rules.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
      -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    ##
    ## NOTE(review): the request rules key only on the destination half of
    ## the mark ($to_untrusted/$MASK_TO); the "from safe/noloop" restriction
    ## in the comment is not expressed here, so unless FORWARD rules that run
    ## earlier already drop scary-sourced traffic, echo-requests (and, below,
    ## SSH) reach untrusted networks from any source.  Confirm the order of
    ## the generated FORWARD chain, or add the $from_* mark to these rules.
    ## Replies are admitted only once conntrack knows the flow (-m state is
    ## the legacy spelling of -m conntrack --ctstate).
    run iptables -A fwd-spec-nofrag -j ACCEPT \
      -p icmp --icmp-type echo-request \
      -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
      -p icmp --icmp-type echo-reply \
      -m mark --mark $from_untrusted/$MASK_FROM \
      -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
      -p icmpv6 --icmpv6-type echo-request \
      -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
      -p icmpv6 --icmpv6-type echo-reply \
      -m mark --mark $from_untrusted/$MASK_FROM \
      -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.  (Same caveat as
    ## for ping above: only the destination mark is checked on the request
    ## side, and no --syn/NEW restriction is applied.)
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
      -p tcp --destination-port $port_ssh \
      -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
      -p tcp --source-port $port_ssh \
      -m mark --mark $from_untrusted/$MASK_FROM \
      -m state --state ESTABLISHED

    ;;
esac

337
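m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

## An error chain whose final action is REJECT; errorchain itself is supplied
## by the framework.  Rules jump to it with -g, so it never returns.
errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.  Only meaningful on a
## forwarding host ($forward is set by the framework).
##
## IPv4 multicast is 224.0.0.0/4; IPv6 multicast is ff00::/8.  The IPv6 range
## was previously written as ff::/8, which ip6tables reads as the address
## 00ff:: masked to 8 bits -- that is ::/8 -- so IPv6 multicast was not in
## fact being matched at all.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
      -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
      -d ff00::/8
    ;;
esac
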
356
m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.
##
## Builds the inbound chain, which INPUT hands packets from scary and
## untrusted sources to (see the -g rules further down).  clearchain,
## commonrules, conntrack and openports are framework functions not defined
## here; presumably clearchain creates or flushes the chain and the others
## append their standard rules to it.  The port_* and mark variables also
## come from the framework.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
## local request.
## The first rule is the unconfigured-client case (source 0.0.0.0 to the
## limited broadcast); the second covers clients that already hold an
## address in our G-RIN block (172.29.198.0/23, i.e. both the untrusted and
## the trusted /24 of the address plan above).
run iptables -A inbound -j ACCEPT \
  -s 0.0.0.0 -d 255.255.255.255 \
  -p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
  -s 172.29.198.0/23 \
  -p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping. This is the only ICMP left.
## NOTE(review): no --icmp-type / --icmpv6-type is given, so these rules
## accept every ICMP and ICMPv6 type that reaches this point, not just echo.
## That is only "ping" if commonrules/conntrack above (not in this file)
## have already dealt with the rest -- confirm, or restrict the type here.
run iptables -A inbound -j ACCEPT -p icmp
run ip6tables -A inbound -j ACCEPT -p icmpv6

m4_divert(88)m4_dnl
## Allow unusual things.  (Diversion 88 is emitted after 84, so these rules
## land after the ones above.)
openports inbound

## Inspect inbound packets from untrusted sources.
## Everything the inbound chain has not accepted goes to forbidden with -g
## (goto), so control never comes back here; likewise INPUT hands scary- and
## untrusted-marked packets over with -g rather than -j.
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
## The mark value and mask are ORed together so one match tests both the
## source (scary) and destination (untrusted) halves of the classification.
case $forward in
  1)
    run ip46tables -A FORWARD -j ACCEPT \
      -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
      -m state --state ESTABLISHED,RELATED
    ;;
esac

## Otherwise process as indicated by the mark.
## $inchains is the framework's list of chains; anything carrying a non-zero
## classification mark is accepted.  Because these are appended after the
## INPUT rules above, scary/untrusted-marked packets have already been
## diverted to inbound before they can reach this catch-all.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------