3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Packet classification.
27 ## Define the available network classes.
29 defnetclass untrusted untrusted trusted
30 defnetclass trusted untrusted trusted safe noloop
31 defnetclass safe trusted safe noloop
32 defnetclass noloop trusted safe
35 ###--------------------------------------------------------------------------
39 ## Networks and routing.
41 defiface $if_untrusted \
42 untrusted:172.29.198.0/25
43 defvpn $if_vpn safe 172.29.199.128/27 \
44 crybaby:172.29.199.129 \
46 defiface $if_iodine untrusted:172.29.198.128/28
47 defiface $if_its_mz safe:172.29.199.160/30
48 defiface $if_its_pi safe:192.168.0.0/24
49 defiface $if_trusted \
50 trusted:172.29.199.0/26 \
51 safe:172.29.199.64/27 \
54 ## Default NTP servers.
55 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
58 ###--------------------------------------------------------------------------
59 ### Special forwarding exemptions.
61 ## Only allow these packets if they're not fragmented. (Don't trust safe
62 ## hosts's fragment reassembly to be robust against malicious fragments.)
63 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
64 ## `! -f', so we do the negation using early return from a subchain.
65 clearchain fwd-spec-nofrag
66 run iptables -A fwd-spec-nofrag -j RETURN --fragment
67 run ip6tables -A fwd-spec-nofrag -j RETURN \
68 -m ipv6header --soft --header frag
69 run iptables -A FORWARD -j fwd-spec-nofrag
71 ## Allow ping from safe/noloop to untrusted networks.
72 run iptables -A fwd-spec-nofrag -j ACCEPT \
73 -p icmp --icmp-type echo-request \
74 -m mark --mark $to_untrusted/$MASK_TO
75 run iptables -A fwd-spec-nofrag -j ACCEPT \
76 -p icmp --icmp-type echo-reply \
77 -m mark --mark $from_untrusted/$MASK_FROM \
78 -m state --state ESTABLISHED
79 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
80 -p ipv6-icmp --icmpv6-type echo-request \
81 -m mark --mark $to_untrusted/$MASK_TO
82 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
83 -p ipv6-icmp --icmpv6-type echo-reply \
84 -m mark --mark $from_untrusted/$MASK_FROM \
85 -m state --state ESTABLISHED
87 ## Allow SSH from safe/noloop to untrusted networks.
88 run iptables -A fwd-spec-nofrag -j ACCEPT \
89 -p tcp --destination-port $port_ssh \
90 -m mark --mark $to_untrusted/$MASK_TO
91 run iptables -A fwd-spec-nofrag -j ACCEPT \
92 -p tcp --source-port $port_ssh \
93 -m mark --mark $from_untrusted/$MASK_FROM \
94 -m state --state ESTABLISHED
95 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
96 -p tcp --destination-port $port_ssh \
97 -m mark --mark $to_untrusted/$MASK_TO
98 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
99 -p tcp --source-port $port_ssh \
100 -m mark --mark $from_untrusted/$MASK_FROM \
101 -m state --state ESTABLISHED
104 ###--------------------------------------------------------------------------
105 ### Kill things we don't understand properly.
107 ### I don't like having to do this, but since I don't know how to do proper
108 ### multicast filtering, I'm just going to ban it from being forwarded.
110 errorchain poorly-understood REJECT
112 ## Ban multicast destination addresses in forwarding.
113 run iptables -A FORWARD -g poorly-understood \
115 run ip6tables -A FORWARD -g poorly-understood \
119 ###--------------------------------------------------------------------------
120 ### Locally-bound packet inspection.
124 ## Track connections.
128 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
130 run iptables -A inbound -j ACCEPT \
131 -s 0.0.0.0 -d 255.255.255.255 \
132 -p udp --source-port $port_bootpc --destination-port $port_bootps
133 run iptables -A inbound -j ACCEPT \
135 -p udp --source-port $port_bootpc --destination-port $port_bootps
137 ## Incoming broadcast multicast on a network interface associated with the
138 ## trusted network is OK, since it must have originated there (or been
139 ## forwarded, but we don't do that yet).
140 run iptables -A inbound -j ACCEPT \
141 -s 0.0.0.0 -d 224.0.0.0/24 \
144 ## Allow incoming ping. This is the only ICMP left.
145 run ip46tables -A inbound -j ACCEPT -p icmp
148 ## Allow unusual things.
151 ## Inspect inbound packets from untrusted sources.
152 run ip46tables -A inbound -j forbidden
153 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
155 ## Otherwise process as indicated by the mark.
156 for i in INPUT FORWARD; do
157 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
161 ###----- That's all, folks --------------------------------------------------