3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
36 ## Define the available network classes.
38 defnetclass untrusted untrusted trusted
39 defnetclass trusted untrusted trusted safe noloop
40 defnetclass safe trusted safe noloop
41 defnetclass noloop trusted safe
45 ###--------------------------------------------------------------------------
50 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
51 forwards unsafe untrusted
53 addr 172.29.199.0/25 2001:470:9740:1::/64
56 addr 172.29.199.192/27 2001:470:9740:4001::/64
58 defnet untrusted untrusted
59 addr 172.29.198.0/25 2001:470:9740:8001::/64
62 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
63 forwards househub colohub
66 defnet iodine untrusted
67 addr 172.29.198.128/28
69 defnet househub virtual
70 forwards housebdry dmz unsafe safe untrusted
71 defnet housebdry virtual
78 iface eth0 dmz unsafe safe
79 iface eth1 dmz unsafe safe
93 iface eth0.0 dmz unsafe safe default
94 iface eth0.1 dmz unsafe safe default
96 iface eth0.3 untrusted default
99 iface vpn-precision colobdry vpn
102 iface br-dmz dmz unsafe
103 iface br-unsafe unsafe
108 ## Colocated networks.
110 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
113 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
115 defnet colohub virtual
116 forwards colobdry jump colo
117 defnet colobdry virtual
123 iface br-jump jump colo
124 iface br-colo jump colo
130 iface vpn-vampire housebdry vpn
143 forwards housebdry colobdry
144 defnet default untrusted
145 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
146 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
147 addr 2001:ba8:1d9::/48 #temporary
148 forwards dmz untrusted unsafe jump colo
151 ###--------------------------------------------------------------------------
152 ### Special forwarding exemptions.
157 ## Only allow these packets if they're not fragmented. (Don't trust safe
158 ## hosts's fragment reassembly to be robust against malicious fragments.)
159 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
160 ## of `! -f', so we do the negation using early return from a subchain.
161 clearchain fwd-spec-nofrag
162 run iptables -A fwd-spec-nofrag -j RETURN --fragment
163 run ip6tables -A fwd-spec-nofrag -j RETURN \
164 -m ipv6header --soft --header frag
165 run iptables -A FORWARD -j fwd-spec-nofrag
167 ## Allow ping from safe/noloop to untrusted networks.
168 run iptables -A fwd-spec-nofrag -j ACCEPT \
169 -p icmp --icmp-type echo-request \
170 -m mark --mark $to_untrusted/$MASK_TO
171 run iptables -A fwd-spec-nofrag -j ACCEPT \
172 -p icmp --icmp-type echo-reply \
173 -m mark --mark $from_untrusted/$MASK_FROM \
174 -m state --state ESTABLISHED
175 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
176 -p ipv6-icmp --icmpv6-type echo-request \
177 -m mark --mark $to_untrusted/$MASK_TO
178 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
179 -p ipv6-icmp --icmpv6-type echo-reply \
180 -m mark --mark $from_untrusted/$MASK_FROM \
181 -m state --state ESTABLISHED
183 ## Allow SSH from safe/noloop to untrusted networks.
184 run iptables -A fwd-spec-nofrag -j ACCEPT \
185 -p tcp --destination-port $port_ssh \
186 -m mark --mark $to_untrusted/$MASK_TO
187 run iptables -A fwd-spec-nofrag -j ACCEPT \
188 -p tcp --source-port $port_ssh \
189 -m mark --mark $from_untrusted/$MASK_FROM \
190 -m state --state ESTABLISHED
191 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
192 -p tcp --destination-port $port_ssh \
193 -m mark --mark $to_untrusted/$MASK_TO
194 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
195 -p tcp --source-port $port_ssh \
196 -m mark --mark $from_untrusted/$MASK_FROM \
197 -m state --state ESTABLISHED
203 ###--------------------------------------------------------------------------
204 ### Kill things we don't understand properly.
206 ### I don't like having to do this, but since I don't know how to do proper
207 ### multicast filtering, I'm just going to ban it from being forwarded.
209 errorchain poorly-understood REJECT
211 ## Ban multicast destination addresses in forwarding.
214 run iptables -A FORWARD -g poorly-understood \
216 run ip6tables -A FORWARD -g poorly-understood \
222 ###--------------------------------------------------------------------------
223 ### Locally-bound packet inspection.
227 ## Track connections.
231 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
233 run iptables -A inbound -j ACCEPT \
234 -s 0.0.0.0 -d 255.255.255.255 \
235 -p udp --source-port $port_bootpc --destination-port $port_bootps
236 run iptables -A inbound -j ACCEPT \
238 -p udp --source-port $port_bootpc --destination-port $port_bootps
240 ## Incoming multicast on a network interface associated with a trusted
241 ## network is OK, since it must have originated there (or been forwarded, but
242 ## we don't do that yet).
244 for net in $allnets; do
245 eval class=\$net_class_$net
246 case $class in trusted) ;; *) continue ;; esac
247 for iface in $(net_interfaces FWHOST $net); do
248 case "$seen" in *:$iface:*) continue ;; esac
250 run iptables -A inbound -j ACCEPT \
251 -s 0.0.0.0 -d 224.0.0.0/24 \
256 ## Allow incoming ping. This is the only ICMP left.
257 run ip46tables -A inbound -j ACCEPT -p icmp
260 ## Allow unusual things.
263 ## Inspect inbound packets from untrusted sources.
264 run ip46tables -A inbound -j forbidden
265 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
267 ## Otherwise process as indicated by the mark.
268 run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
271 run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
276 ###----- That's all, folks --------------------------------------------------