3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
36 ## Define the available network classes.
38 defnetclass untrusted untrusted trusted mcast
39 defnetclass trusted untrusted trusted safe noloop mcast
40 defnetclass safe trusted safe noloop mcast
41 defnetclass noloop trusted safe mcast
47 ###--------------------------------------------------------------------------
52 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
53 forwards unsafe untrusted
55 addr 172.29.199.0/25 2001:470:9740:1::/64
58 addr 172.29.199.192/27 2001:470:9740:4001::/64
60 defnet untrusted untrusted
61 addr 172.29.198.0/25 2001:470:9740:8001::/64
64 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
65 forwards househub colohub
68 defnet iodine untrusted
69 addr 172.29.198.128/28
71 defnet househub virtual
72 forwards housebdry dmz unsafe safe untrusted
73 defnet housebdry virtual
80 iface eth0 dmz unsafe safe
81 iface eth1 dmz unsafe safe
95 iface eth0.0 dmz unsafe safe default
96 iface eth0.1 dmz unsafe safe default
98 iface eth0.3 untrusted default
101 iface vpn-precision colobdry vpn
104 iface br-dmz dmz unsafe
105 iface br-unsafe unsafe
110 ## Colocated networks.
112 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
115 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
117 defnet colohub virtual
118 forwards colobdry jump colo
119 defnet colobdry virtual
125 iface br-jump jump colo
126 iface br-colo jump colo
132 iface vpn-vampire housebdry vpn
145 forwards housebdry colobdry
146 defnet default untrusted
147 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
148 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
149 addr 2001:ba8:1d9::/48 #temporary
150 forwards dmz untrusted unsafe jump colo
153 ###--------------------------------------------------------------------------
154 ### Special forwarding exemptions.
159 ## Only allow these packets if they're not fragmented. (Don't trust safe
160 ## hosts's fragment reassembly to be robust against malicious fragments.)
161 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
162 ## of `! -f', so we do the negation using early return from a subchain.
163 clearchain fwd-spec-nofrag
164 run iptables -A fwd-spec-nofrag -j RETURN --fragment
165 run ip6tables -A fwd-spec-nofrag -j RETURN \
166 -m ipv6header --soft --header frag
167 run ip46tables -A FORWARD -j fwd-spec-nofrag
169 ## Allow ping from safe/noloop to untrusted networks.
170 run iptables -A fwd-spec-nofrag -j ACCEPT \
171 -p icmp --icmp-type echo-request \
172 -m mark --mark $to_untrusted/$MASK_TO
173 run iptables -A fwd-spec-nofrag -j ACCEPT \
174 -p icmp --icmp-type echo-reply \
175 -m mark --mark $from_untrusted/$MASK_FROM \
176 -m state --state ESTABLISHED
177 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
178 -p icmpv6 --icmpv6-type echo-request \
179 -m mark --mark $to_untrusted/$MASK_TO
180 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
181 -p icmpv6 --icmpv6-type echo-reply \
182 -m mark --mark $from_untrusted/$MASK_FROM \
183 -m state --state ESTABLISHED
185 ## Allow SSH from safe/noloop to untrusted networks.
186 run iptables -A fwd-spec-nofrag -j ACCEPT \
187 -p tcp --destination-port $port_ssh \
188 -m mark --mark $to_untrusted/$MASK_TO
189 run iptables -A fwd-spec-nofrag -j ACCEPT \
190 -p tcp --source-port $port_ssh \
191 -m mark --mark $from_untrusted/$MASK_FROM \
192 -m state --state ESTABLISHED
193 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
194 -p tcp --destination-port $port_ssh \
195 -m mark --mark $to_untrusted/$MASK_TO
196 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
197 -p tcp --source-port $port_ssh \
198 -m mark --mark $from_untrusted/$MASK_FROM \
199 -m state --state ESTABLISHED
205 ###--------------------------------------------------------------------------
206 ### Kill things we don't understand properly.
208 ### I don't like having to do this, but since I don't know how to do proper
209 ### multicast filtering, I'm just going to ban it from being forwarded.
211 errorchain poorly-understood REJECT
213 ## Ban multicast destination addresses in forwarding.
216 run iptables -A FORWARD -g poorly-understood \
218 run ip6tables -A FORWARD -g poorly-understood \
224 ###--------------------------------------------------------------------------
225 ### Locally-bound packet inspection.
229 ## Track connections.
233 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
235 run iptables -A inbound -j ACCEPT \
236 -s 0.0.0.0 -d 255.255.255.255 \
237 -p udp --source-port $port_bootpc --destination-port $port_bootps
238 run iptables -A inbound -j ACCEPT \
240 -p udp --source-port $port_bootpc --destination-port $port_bootps
242 ## Allow incoming ping. This is the only ICMP left.
243 run ip46tables -A inbound -j ACCEPT -p icmp
246 ## Allow unusual things.
249 ## Inspect inbound packets from untrusted sources.
250 run ip46tables -A inbound -j forbidden
251 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
253 ## Otherwise process as indicated by the mark.
254 for i in $inchains; do
255 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
259 ###----- That's all, folks --------------------------------------------------