mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## Define the available network classes.
  37 m4_divert(42)m4_dnl
  38 defnetclass untrusted untrusted trusted mcast
  39 defnetclass trusted untrusted trusted safe noloop mcast
  40 defnetclass safe trusted safe noloop mcast
  41 defnetclass noloop trusted safe mcast
  42 defnetclass link
  43 defnetclass mcast
  44 m4_divert(-1)
  45
  46 m4_divert(26)m4_dnl
  47 ###--------------------------------------------------------------------------
  48 ### Network layout.
  49
  50 ## House networks.
  51 defnet dmz trusted
  52         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
  53         forwards unsafe untrusted
  54 defnet unsafe trusted
  55         addr 172.29.199.0/25 2001:470:9740:1::/64
  56         forwards househub
  57 defnet safe safe
  58         addr 172.29.199.192/27 2001:470:9740:4001::/64
  59         forwards househub
  60 defnet untrusted untrusted
  61         addr 172.29.198.0/25 2001:470:9740:8001::/64
  62         forwards househub
  63 defnet vpn safe
  64         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
  65         forwards househub colohub
  66         host crybaby 1
  67         host terror 2
  68 defnet iodine untrusted
  69         addr 172.29.198.128/28
  70
  71 defnet househub virtual
  72         forwards housebdry dmz unsafe safe untrusted
  73 defnet housebdry virtual
  74         forwards househub hub
  75         noxit dmz
  76
  77 ## House hosts.
  78 defhost radius
  79         router
  80         iface eth0 dmz unsafe safe
  81         iface eth1 dmz unsafe safe
  82         iface eth2 safe
  83         iface eth3 untrusted
  84 defhost roadstar
  85         iface eth0 dmz unsafe
  86         iface eth1 dmz unsafe
  87 defhost jem
  88         iface eth0 dmz unsafe
  89         iface eth1 dmz unsafe
  90 defhost artist
  91         iface eth0 dmz unsafe
  92         iface eth1 dmz unsafe
  93 defhost vampire
  94         router
  95         iface eth0.0 dmz unsafe safe default
  96         iface eth0.1 dmz unsafe safe default
  97         iface eth0.2 safe
  98         iface eth0.3 untrusted default
  99         iface dns0 dns
 100         iface vpn-+ vpn
 101         iface vpn-precision colobdry vpn
 102         iface t6-he default
 103 defhost ibanez
 104         iface br-dmz dmz unsafe
 105         iface br-unsafe unsafe
 106
 107 defhost gibson
 108         iface eth0 unsafe
 109
 110 ## Colocated networks.
 111 defnet jump trusted
 112         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 113         forwards colohub
 114 defnet colo trusted
 115         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 116         forwards colohub
 117 defnet colohub virtual
 118         forwards colobdry jump colo
 119 defnet colobdry virtual
 120         forwards colohub hub
 121         noxit jump
 122
 123 ## Colocated hosts.
 124 defhost fender
 125         iface br-jump jump colo
 126         iface br-colo jump colo
 127 defhost precision
 128         router
 129         iface eth0 jump colo
 130         iface eth1 jump colo
 131         iface vpn-+ vpn
 132         iface vpn-vampire housebdry vpn
 133 defhost telecaster
 134         iface eth0 jump colo
 135         iface eth1 jump colo
 136 defhost stratocaster
 137         iface eth0 jump colo
 138         iface eth1 jump colo
 139 defhost jazz
 140         iface eth0 jump colo
 141         iface eth1 jump colo
 142
 143 ## Other networks.
 144 defnet hub virtual
 145         forwards housebdry colobdry
 146 defnet default untrusted
 147         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 148         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 149         addr 2001:ba8:1d9::/48 #temporary
 150         forwards dmz untrusted unsafe jump colo
 151
 152 m4_divert(80)m4_dnl
 153 ###--------------------------------------------------------------------------
 154 ### Special forwarding exemptions.
 155
 156 case $forward in
 157   1)
 158
 159     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 160     ## hosts's fragment reassembly to be robust against malicious fragments.)
 161     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 162     ## of `! -f', so we do the negation using early return from a subchain.
 163     clearchain fwd-spec-nofrag
 164     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 165     run ip6tables -A fwd-spec-nofrag -j RETURN \
 166             -m ipv6header --soft --header frag
 167     run ip46tables -A FORWARD -j fwd-spec-nofrag
 168
 169     ## Allow ping from safe/noloop to untrusted networks.
 170     run iptables -A fwd-spec-nofrag -j ACCEPT \
 171             -p icmp --icmp-type echo-request \
 172             -m mark --mark $to_untrusted/$MASK_TO
 173     run iptables -A fwd-spec-nofrag -j ACCEPT \
 174             -p icmp --icmp-type echo-reply \
 175             -m mark --mark $from_untrusted/$MASK_FROM \
 176             -m state --state ESTABLISHED
 177     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 178             -p icmpv6 --icmpv6-type echo-request \
 179             -m mark --mark $to_untrusted/$MASK_TO
 180     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 181             -p icmpv6 --icmpv6-type echo-reply \
 182             -m mark --mark $from_untrusted/$MASK_FROM \
 183             -m state --state ESTABLISHED
 184
 185     ## Allow SSH from safe/noloop to untrusted networks.
 186     run iptables -A fwd-spec-nofrag -j ACCEPT \
 187             -p tcp --destination-port $port_ssh \
 188             -m mark --mark $to_untrusted/$MASK_TO
 189     run iptables -A fwd-spec-nofrag -j ACCEPT \
 190             -p tcp --source-port $port_ssh \
 191             -m mark --mark $from_untrusted/$MASK_FROM \
 192             -m state --state ESTABLISHED
 193     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 194             -p tcp --destination-port $port_ssh \
 195             -m mark --mark $to_untrusted/$MASK_TO
 196     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 197             -p tcp --source-port $port_ssh \
 198             -m mark --mark $from_untrusted/$MASK_FROM \
 199             -m state --state ESTABLISHED
 200
 201     ;;
 202 esac
 203
 204 m4_divert(80)m4_dnl
 205 ###--------------------------------------------------------------------------
 206 ### Kill things we don't understand properly.
 207 ###
 208 ### I don't like having to do this, but since I don't know how to do proper
 209 ### multicast filtering, I'm just going to ban it from being forwarded.
 210
 211 errorchain poorly-understood REJECT
 212
 213 ## Ban multicast destination addresses in forwarding.
 214 case $forward in
 215   1)
 216     run iptables -A FORWARD -g poorly-understood \
 217             -d 224.0.0.0/4
 218     run ip6tables -A FORWARD -g poorly-understood \
 219             -d ff::/8
 220     ;;
 221 esac
 222
 223 m4_divert(84)m4_dnl
 224 ###--------------------------------------------------------------------------
 225 ### Locally-bound packet inspection.
 226
 227 clearchain inbound
 228
 229 ## Track connections.
 230 commonrules inbound
 231 conntrack inbound
 232
 233 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 234 ## local request.
 235 run iptables -A inbound -j ACCEPT \
 236         -s 0.0.0.0 -d 255.255.255.255 \
 237         -p udp --source-port $port_bootpc --destination-port $port_bootps
 238 run iptables -A inbound -j ACCEPT \
 239         -s 172.29.198.0/23 \
 240         -p udp --source-port $port_bootpc --destination-port $port_bootps
 241
 242 ## Allow incoming ping.  This is the only ICMP left.
 243 run ip46tables -A inbound -j ACCEPT -p icmp
 244
 245 m4_divert(88)m4_dnl
 246 ## Allow unusual things.
 247 openports inbound
 248
 249 ## Inspect inbound packets from untrusted sources.
 250 run ip46tables -A inbound -j forbidden
 251 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 252
 253 ## Otherwise process as indicated by the mark.
 254 for i in $inchains; do
 255   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 256 done
 257
 258 m4_divert(-1)
 259 ###----- That's all, folks --------------------------------------------------