mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## Define the available network classes.
  37 m4_divert(42)m4_dnl
  38 defnetclass untrusted untrusted trusted
  39 defnetclass trusted untrusted trusted safe noloop
  40 defnetclass safe trusted safe noloop
  41 defnetclass noloop trusted safe
  42 m4_divert(-1)
  43
  44 m4_divert(26)m4_dnl
  45 ###--------------------------------------------------------------------------
  46 ### Network layout.
  47
  48 ## House networks.
  49 defnet dmz trusted
  50         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
  51         forwards unsafe untrusted
  52 defnet unsafe trusted
  53         addr 172.29.199.0/25 2001:470:9740:1::/64
  54         forwards househub
  55 defnet safe safe
  56         addr 172.29.199.192/27 2001:470:9740:4001::/64
  57         forwards househub
  58 defnet untrusted untrusted
  59         addr 172.29.198.0/25 2001:470:9740:8001::/64
  60         forwards househub
  61 defnet vpn safe
  62         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
  63         forwards househub colohub
  64         host crybaby 1
  65         host terror 2
  66 defnet iodine untrusted
  67         addr 172.29.198.128/28
  68
  69 defnet househub virtual
  70         forwards housebdry dmz unsafe safe untrusted
  71 defnet housebdry virtual
  72         forwards househub hub
  73         noxit dmz
  74
  75 ## House hosts.
  76 defhost radius
  77         router
  78         iface eth0 dmz unsafe safe
  79         iface eth1 dmz unsafe safe
  80         iface eth2 safe
  81         iface eth3 untrusted
  82 defhost roadstar
  83         iface eth0 dmz unsafe
  84         iface eth1 dmz unsafe
  85 defhost jem
  86         iface eth0 dmz unsafe
  87         iface eth1 dmz unsafe
  88 defhost artist
  89         iface eth0 dmz unsafe
  90         iface eth1 dmz unsafe
  91 defhost vampire
  92         router
  93         iface eth0.0 dmz unsafe safe default
  94         iface eth0.1 dmz unsafe safe default
  95         iface eth0.2 safe
  96         iface eth0.3 untrusted default
  97         iface dns0 dns
  98         iface vpn-+ vpn
  99         iface vpn-precision colobdry vpn
 100         iface t6-he default
 101 defhost ibanez
 102         iface br-dmz dmz unsafe
 103         iface br-unsafe unsafe
 104
 105 defhost gibson
 106         iface eth0 unsafe
 107
 108 ## Colocated networks.
 109 defnet jump trusted
 110         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 111         forwards colohub
 112 defnet colo trusted
 113         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 114         forwards colohub
 115 defnet colohub virtual
 116         forwards colobdry jump colo
 117 defnet colobdry virtual
 118         forwards colohub hub
 119         noxit jump
 120
 121 ## Colocated hosts.
 122 defhost fender
 123         iface br-jump jump colo
 124         iface br-colo jump colo
 125 defhost precision
 126         router
 127         iface eth0 jump colo
 128         iface eth1 jump colo
 129         iface vpn-+ vpn
 130         iface vpn-vampire housebdry vpn
 131 defhost telecaster
 132         iface eth0 jump colo
 133         iface eth1 jump colo
 134 defhost stratocaster
 135         iface eth0 jump colo
 136         iface eth1 jump colo
 137 defhost jazz
 138         iface eth0 jump colo
 139         iface eth1 jump colo
 140
 141 ## Other networks.
 142 defnet hub virtual
 143         forwards housebdry colobdry
 144 defnet default untrusted
 145         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 146         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 147         addr 2001:ba8:1d9::/48 #temporary
 148         forwards dmz untrusted unsafe jump colo
 149
 150 m4_divert(80)m4_dnl
 151 ###--------------------------------------------------------------------------
 152 ### Special forwarding exemptions.
 153
 154 case $forward in
 155   1)
 156
 157     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 158     ## hosts's fragment reassembly to be robust against malicious fragments.)
 159     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 160     ## of `! -f', so we do the negation using early return from a subchain.
 161     clearchain fwd-spec-nofrag
 162     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 163     run ip6tables -A fwd-spec-nofrag -j RETURN \
 164             -m ipv6header --soft --header frag
 165     run iptables -A FORWARD -j fwd-spec-nofrag
 166
 167     ## Allow ping from safe/noloop to untrusted networks.
 168     run iptables -A fwd-spec-nofrag -j ACCEPT \
 169             -p icmp --icmp-type echo-request \
 170             -m mark --mark $to_untrusted/$MASK_TO
 171     run iptables -A fwd-spec-nofrag -j ACCEPT \
 172             -p icmp --icmp-type echo-reply \
 173             -m mark --mark $from_untrusted/$MASK_FROM \
 174             -m state --state ESTABLISHED
 175     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 176             -p ipv6-icmp --icmpv6-type echo-request \
 177             -m mark --mark $to_untrusted/$MASK_TO
 178     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 179             -p ipv6-icmp --icmpv6-type echo-reply \
 180             -m mark --mark $from_untrusted/$MASK_FROM \
 181             -m state --state ESTABLISHED
 182
 183     ## Allow SSH from safe/noloop to untrusted networks.
 184     run iptables -A fwd-spec-nofrag -j ACCEPT \
 185             -p tcp --destination-port $port_ssh \
 186             -m mark --mark $to_untrusted/$MASK_TO
 187     run iptables -A fwd-spec-nofrag -j ACCEPT \
 188             -p tcp --source-port $port_ssh \
 189             -m mark --mark $from_untrusted/$MASK_FROM \
 190             -m state --state ESTABLISHED
 191     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 192             -p tcp --destination-port $port_ssh \
 193             -m mark --mark $to_untrusted/$MASK_TO
 194     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 195             -p tcp --source-port $port_ssh \
 196             -m mark --mark $from_untrusted/$MASK_FROM \
 197             -m state --state ESTABLISHED
 198
 199     ;;
 200 esac
 201
 202 m4_divert(80)m4_dnl
 203 ###--------------------------------------------------------------------------
 204 ### Kill things we don't understand properly.
 205 ###
 206 ### I don't like having to do this, but since I don't know how to do proper
 207 ### multicast filtering, I'm just going to ban it from being forwarded.
 208
 209 errorchain poorly-understood REJECT
 210
 211 ## Ban multicast destination addresses in forwarding.
 212 case $forward in
 213   1)
 214     run iptables -A FORWARD -g poorly-understood \
 215             -d 224.0.0.0/4
 216     run ip6tables -A FORWARD -g poorly-understood \
 217             -d ff::/8
 218     ;;
 219 esac
 220
 221 m4_divert(84)m4_dnl
 222 ###--------------------------------------------------------------------------
 223 ### Locally-bound packet inspection.
 224
 225 clearchain inbound
 226
 227 ## Track connections.
 228 commonrules inbound
 229 conntrack inbound
 230
 231 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 232 ## local request.
 233 run iptables -A inbound -j ACCEPT \
 234         -s 0.0.0.0 -d 255.255.255.255 \
 235         -p udp --source-port $port_bootpc --destination-port $port_bootps
 236 run iptables -A inbound -j ACCEPT \
 237         -s 172.29.198.0/23 \
 238         -p udp --source-port $port_bootpc --destination-port $port_bootps
 239
 240 ## Incoming multicast on a network interface associated with a trusted
 241 ## network is OK, since it must have originated there (or been forwarded, but
 242 ## we don't do that yet).
 243 seen=:-:
 244 for net in $allnets; do
 245   eval class=\$net_class_$net
 246   case $class in trusted) ;; *) continue ;; esac
 247   for iface in $(net_interfaces FWHOST $net); do
 248     case "$seen" in *:$iface:*) continue ;; esac
 249     seen=$seen$iface:
 250     run iptables -A inbound -j ACCEPT \
 251         -s 0.0.0.0 -d 224.0.0.0/24 \
 252         -i $iface
 253   done
 254 done
 255
 256 ## Allow incoming ping.  This is the only ICMP left.
 257 run ip46tables -A inbound -j ACCEPT -p icmp
 258
 259 m4_divert(88)m4_dnl
 260 ## Allow unusual things.
 261 openports inbound
 262
 263 ## Inspect inbound packets from untrusted sources.
 264 run ip46tables -A inbound -j forbidden
 265 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 266
 267 ## Otherwise process as indicated by the mark.
 268 run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 269 case $forward in
 270   1)
 271     run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 272     ;;
 273 esac
 274
 275 m4_divert(-1)
 276 ###----- That's all, folks --------------------------------------------------