mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## Define the available network classes.
  37 m4_divert(42)m4_dnl
  38 defnetclass untrusted untrusted trusted mcast
  39 defnetclass trusted untrusted trusted safe noloop mcast
  40 defnetclass safe trusted safe noloop mcast
  41 defnetclass noloop trusted safe mcast
  42 defnetclass link
  43 defnetclass mcast
  44 m4_divert(-1)
  45
  46 m4_divert(26)m4_dnl
  47 ###--------------------------------------------------------------------------
  48 ### Network layout.
  49
  50 ## House networks.
  51 defnet dmz trusted
  52         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
  53         forwards unsafe untrusted
  54 defnet unsafe trusted
  55         addr 172.29.199.0/25 2001:470:9740:1::/64
  56         forwards househub
  57 defnet safe safe
  58         addr 172.29.199.192/27 2001:470:9740:4001::/64
  59         forwards househub
  60 defnet untrusted untrusted
  61         addr 172.29.198.0/25 2001:470:9740:8001::/64
  62         forwards househub
  63 defnet iodine untrusted
  64         addr 172.29.198.128/28
  65
  66 defnet househub virtual
  67         forwards housebdry dmz unsafe safe untrusted
  68 defnet housebdry virtual
  69         forwards househub hub
  70         noxit dmz
  71
  72 ## House hosts.
  73 defhost radius
  74         hosttype router
  75         iface eth0 dmz unsafe safe
  76         iface eth1 dmz unsafe safe
  77         iface eth2 safe
  78         iface eth3 untrusted
  79 defhost roadstar
  80         iface eth0 dmz unsafe
  81         iface eth1 dmz unsafe
  82 defhost jem
  83         iface eth0 dmz unsafe
  84         iface eth1 dmz unsafe
  85 defhost artist
  86         iface eth0 dmz unsafe
  87         iface eth1 dmz unsafe
  88 defhost vampire
  89         hosttype router
  90         iface eth0.0 dmz unsafe safe default
  91         iface eth0.1 dmz unsafe safe default
  92         iface eth0.2 safe
  93         iface eth0.3 untrusted default
  94         iface dns0 dns
  95         iface vpn-+ vpn
  96         iface vpn-precision colobdry vpn
  97         iface t6-he default
  98 defhost ibanez
  99         iface br-dmz dmz unsafe
 100         iface br-unsafe unsafe
 101
 102 defhost gibson
 103         hosttype client
 104         iface eth0 unsafe
 105
 106 ## Colocated networks.
 107 defnet jump trusted
 108         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 109         forwards colohub
 110 defnet colo trusted
 111         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 112         forwards colohub
 113 defnet colohub virtual
 114         forwards colobdry jump colo
 115 defnet colobdry virtual
 116         forwards colohub hub
 117         noxit jump
 118
 119 ## Colocated hosts.
 120 defhost fender
 121         iface br-jump jump colo
 122         iface br-colo jump colo
 123 defhost precision
 124         hosttype router
 125         iface eth0 jump colo
 126         iface eth1 jump colo
 127         iface vpn-+ vpn
 128         iface vpn-vampire housebdry vpn
 129 defhost telecaster
 130         iface eth0 jump colo
 131         iface eth1 jump colo
 132 defhost stratocaster
 133         iface eth0 jump colo
 134         iface eth1 jump colo
 135 defhost jazz
 136         iface eth0 jump colo
 137         iface eth1 jump colo
 138
 139 ## Other networks.
 140 defnet hub virtual
 141         forwards housebdry colobdry
 142 defnet vpn safe
 143         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
 144         forwards househub colohub
 145         host crybaby 1
 146         host terror 2
 147 defnet anycast trusted
 148         addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 149         forwards dmz unsafe safe untrusted jump colo vpn
 150 defnet default untrusted
 151         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 152         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 153         addr 2001:ba8:1d9::/48 #temporary
 154         forwards dmz unsafe untrusted jump colo
 155
 156 m4_divert(80)m4_dnl
 157 ###--------------------------------------------------------------------------
 158 ### Special forwarding exemptions.
 159
 160 case $forward in
 161   1)
 162
 163     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 164     ## hosts's fragment reassembly to be robust against malicious fragments.)
 165     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 166     ## of `! -f', so we do the negation using early return from a subchain.
 167     clearchain fwd-spec-nofrag
 168     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 169     run ip6tables -A fwd-spec-nofrag -j RETURN \
 170             -m ipv6header --soft --header frag
 171     run ip46tables -A FORWARD -j fwd-spec-nofrag
 172
 173     ## Allow ping from safe/noloop to untrusted networks.
 174     run iptables -A fwd-spec-nofrag -j ACCEPT \
 175             -p icmp --icmp-type echo-request \
 176             -m mark --mark $to_untrusted/$MASK_TO
 177     run iptables -A fwd-spec-nofrag -j ACCEPT \
 178             -p icmp --icmp-type echo-reply \
 179             -m mark --mark $from_untrusted/$MASK_FROM \
 180             -m state --state ESTABLISHED
 181     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 182             -p icmpv6 --icmpv6-type echo-request \
 183             -m mark --mark $to_untrusted/$MASK_TO
 184     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 185             -p icmpv6 --icmpv6-type echo-reply \
 186             -m mark --mark $from_untrusted/$MASK_FROM \
 187             -m state --state ESTABLISHED
 188
 189     ## Allow SSH from safe/noloop to untrusted networks.
 190     run iptables -A fwd-spec-nofrag -j ACCEPT \
 191             -p tcp --destination-port $port_ssh \
 192             -m mark --mark $to_untrusted/$MASK_TO
 193     run iptables -A fwd-spec-nofrag -j ACCEPT \
 194             -p tcp --source-port $port_ssh \
 195             -m mark --mark $from_untrusted/$MASK_FROM \
 196             -m state --state ESTABLISHED
 197     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 198             -p tcp --destination-port $port_ssh \
 199             -m mark --mark $to_untrusted/$MASK_TO
 200     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 201             -p tcp --source-port $port_ssh \
 202             -m mark --mark $from_untrusted/$MASK_FROM \
 203             -m state --state ESTABLISHED
 204
 205     ;;
 206 esac
 207
 208 m4_divert(80)m4_dnl
 209 ###--------------------------------------------------------------------------
 210 ### Kill things we don't understand properly.
 211 ###
 212 ### I don't like having to do this, but since I don't know how to do proper
 213 ### multicast filtering, I'm just going to ban it from being forwarded.
 214
 215 errorchain poorly-understood REJECT
 216
 217 ## Ban multicast destination addresses in forwarding.
 218 case $forward in
 219   1)
 220     run iptables -A FORWARD -g poorly-understood \
 221             -d 224.0.0.0/4
 222     run ip6tables -A FORWARD -g poorly-understood \
 223             -d ff::/8
 224     ;;
 225 esac
 226
 227 m4_divert(84)m4_dnl
 228 ###--------------------------------------------------------------------------
 229 ### Locally-bound packet inspection.
 230
 231 clearchain inbound
 232
 233 ## Track connections.
 234 commonrules inbound
 235 conntrack inbound
 236
 237 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 238 ## local request.
 239 run iptables -A inbound -j ACCEPT \
 240         -s 0.0.0.0 -d 255.255.255.255 \
 241         -p udp --source-port $port_bootpc --destination-port $port_bootps
 242 run iptables -A inbound -j ACCEPT \
 243         -s 172.29.198.0/23 \
 244         -p udp --source-port $port_bootpc --destination-port $port_bootps
 245
 246 ## Allow incoming ping.  This is the only ICMP left.
 247 run ip46tables -A inbound -j ACCEPT -p icmp
 248
 249 m4_divert(88)m4_dnl
 250 ## Allow unusual things.
 251 openports inbound
 252
 253 ## Inspect inbound packets from untrusted sources.
 254 run ip46tables -A inbound -j forbidden
 255 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 256
 257 ## Otherwise process as indicated by the mark.
 258 for i in $inchains; do
 259   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 260 done
 261
 262 m4_divert(-1)
 263 ###----- That's all, folks --------------------------------------------------