3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
36 ## Define the available network classes.
38 defnetclass untrusted untrusted trusted mcast
39 defnetclass trusted untrusted trusted safe noloop mcast
40 defnetclass safe trusted safe noloop mcast
41 defnetclass noloop trusted safe mcast
47 ###--------------------------------------------------------------------------
52 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
53 forwards unsafe untrusted
55 addr 172.29.199.0/25 2001:470:9740:1::/64
58 addr 172.29.199.192/27 2001:470:9740:4001::/64
60 defnet untrusted untrusted
61 addr 172.29.198.0/25 2001:470:9740:8001::/64
63 defnet iodine untrusted
64 addr 172.29.198.128/28
66 defnet househub virtual
67 forwards housebdry dmz unsafe safe untrusted
68 defnet housebdry virtual
75 iface eth0 dmz unsafe safe
76 iface eth1 dmz unsafe safe
90 iface eth0.0 dmz unsafe safe default
91 iface eth0.1 dmz unsafe safe default
93 iface eth0.3 untrusted default
96 iface vpn-precision colobdry vpn
99 iface br-dmz dmz unsafe
100 iface br-unsafe unsafe
106 ## Colocated networks.
108 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
111 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
113 defnet colohub virtual
114 forwards colobdry jump colo
115 defnet colobdry virtual
121 iface br-jump jump colo
122 iface br-colo jump colo
128 iface vpn-vampire housebdry vpn
141 forwards housebdry colobdry
143 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
144 forwards househub colohub
147 defnet anycast trusted
148 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
149 forwards dmz unsafe safe untrusted jump colo vpn
150 defnet default untrusted
151 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
152 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
153 addr 2001:ba8:1d9::/48 #temporary
154 forwards dmz unsafe untrusted jump colo
157 ###--------------------------------------------------------------------------
158 ### Special forwarding exemptions.
163 ## Only allow these packets if they're not fragmented. (Don't trust safe
164 ## hosts's fragment reassembly to be robust against malicious fragments.)
165 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
166 ## of `! -f', so we do the negation using early return from a subchain.
167 clearchain fwd-spec-nofrag
168 run iptables -A fwd-spec-nofrag -j RETURN --fragment
169 run ip6tables -A fwd-spec-nofrag -j RETURN \
170 -m ipv6header --soft --header frag
171 run ip46tables -A FORWARD -j fwd-spec-nofrag
173 ## Allow ping from safe/noloop to untrusted networks.
174 run iptables -A fwd-spec-nofrag -j ACCEPT \
175 -p icmp --icmp-type echo-request \
176 -m mark --mark $to_untrusted/$MASK_TO
177 run iptables -A fwd-spec-nofrag -j ACCEPT \
178 -p icmp --icmp-type echo-reply \
179 -m mark --mark $from_untrusted/$MASK_FROM \
180 -m state --state ESTABLISHED
181 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
182 -p icmpv6 --icmpv6-type echo-request \
183 -m mark --mark $to_untrusted/$MASK_TO
184 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
185 -p icmpv6 --icmpv6-type echo-reply \
186 -m mark --mark $from_untrusted/$MASK_FROM \
187 -m state --state ESTABLISHED
189 ## Allow SSH from safe/noloop to untrusted networks.
190 run iptables -A fwd-spec-nofrag -j ACCEPT \
191 -p tcp --destination-port $port_ssh \
192 -m mark --mark $to_untrusted/$MASK_TO
193 run iptables -A fwd-spec-nofrag -j ACCEPT \
194 -p tcp --source-port $port_ssh \
195 -m mark --mark $from_untrusted/$MASK_FROM \
196 -m state --state ESTABLISHED
197 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
198 -p tcp --destination-port $port_ssh \
199 -m mark --mark $to_untrusted/$MASK_TO
200 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
201 -p tcp --source-port $port_ssh \
202 -m mark --mark $from_untrusted/$MASK_FROM \
203 -m state --state ESTABLISHED
209 ###--------------------------------------------------------------------------
210 ### Kill things we don't understand properly.
212 ### I don't like having to do this, but since I don't know how to do proper
213 ### multicast filtering, I'm just going to ban it from being forwarded.
215 errorchain poorly-understood REJECT
217 ## Ban multicast destination addresses in forwarding.
220 run iptables -A FORWARD -g poorly-understood \
222 run ip6tables -A FORWARD -g poorly-understood \
228 ###--------------------------------------------------------------------------
229 ### Locally-bound packet inspection.
233 ## Track connections.
237 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
239 run iptables -A inbound -j ACCEPT \
240 -s 0.0.0.0 -d 255.255.255.255 \
241 -p udp --source-port $port_bootpc --destination-port $port_bootps
242 run iptables -A inbound -j ACCEPT \
244 -p udp --source-port $port_bootpc --destination-port $port_bootps
246 ## Allow incoming ping. This is the only ICMP left.
247 run ip46tables -A inbound -j ACCEPT -p icmp
250 ## Allow unusual things.
253 ## Inspect inbound packets from untrusted sources.
254 run ip46tables -A inbound -j forbidden
255 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
257 ## Otherwise process as indicated by the mark.
258 for i in $inchains; do
259 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
263 ###----- That's all, folks --------------------------------------------------