3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
38 ## There are two small blocks of publicly routable IPv4 addresses, and a
39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40 ## The former are as follows.
42 ## 81.2.113.195, 81.187.238.128/28
43 ## House border network (dmz). We have all of these; the loose
44 ## address is for the router.
47 ## Jump colocated network (jump). .65--68 are used by Jump
48 ## network infrastructure; we get the rest.
50 ## The latter is the block 172.29.196.0/22. Currently the low half is
51 ## unallocated (and may be returned to the G-RIN); the remaining addresses
52 ## are allocated as follows.
54 ## 172.29.198.0/24 Untrusted networks.
55 ## .0/25 house wireless net
56 ## .128/28 iodine (IP-over-DNS) network
57 ## .160/27 untrusted virtual network
59 ## 172.29.199.0/24 Trusted networks.
60 ## .0/25 house wired network
61 ## .128/27 mobile VPN hosts
62 ## .160/28 reserved, except .160/30 allocated for ITS
63 ## .176/28 internal colocated network
64 ## .192/27 house safe network
65 ## .224/27 anycast services
69 ## There are five blocks of publicly routable IPv6 addresses, though some of
70 ## them aren't very interesting. The ranges are as follows.
73 ## Main house range (aaisp). See below for allocation policy.
74 ## There is no explicit DMZ allocation (and no need for one).
76 ## 2001:ba8:0:1d9::/64
77 ## Jump border network (jump): :1 is the router (supplied by
78 ## Jump); other addresses are ours.
81 ## Main colocated range. See below for allocation policy.
83 ## Addresses in the /64 networks are simply allocated in ascending order.
84 ## The /48s are split into /64s by appending a 16-bit network number. The
85 ## top nibble of the network number classifies the network, as follows.
87 ## axxx Virtual, untrusted
91 ## 0xxx Unsafe, trusted
93 ## These have been chosen so that network properties can be deduced by
94 ## inspecting bits of the network number:
96 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.
97 ## Bit 14 If set, the network is safe; otherwise it is unsafe.
99 ## Finally, the low-order nibbles identify the site.
101 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
103 ## 2 Jump colocation.
104 ## fff Local border network.
106 ## Usually site-0 networks are allocated from the Jump range to improve
107 ## expected performance from/to external sites which don't engage in our
108 ## dynamic routing protocols.
110 ## Define the available network classes.
112 defnetclass scary scary trusted mcast
113 defnetclass untrusted scary untrusted trusted mcast
114 defnetclass trusted scary untrusted trusted safe noloop mcast
115 defnetclass safe trusted safe noloop mcast
116 defnetclass noloop trusted safe mcast
123 ###--------------------------------------------------------------------------
128 addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
130 defnet unsafe trusted
131 addr 172.29.199.0/25 2001:8b0:c92:1::/64
134 addr 172.29.199.192/27 2001:8b0:c92:4001::/64
136 defnet untrusted untrusted
137 addr 172.29.198.0/25 2001:8b0:c92:8001::/64
140 defnet househub virtual
141 via housebdry dmz unsafe safe untrusted
142 defnet housebdry virtual
148 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
149 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
150 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
151 iface eth3 unsafe untrusted vpn default
154 iface vpn-precision colobdry vpn sgo
158 iface eth0 dmz unsafe
159 iface eth1 dmz unsafe
161 iface eth0 dmz unsafe
162 iface eth1 dmz unsafe
164 iface eth0 dmz unsafe
165 iface eth1 dmz unsafe
168 iface eth0 dmz unsafe untrusted
169 iface eth1 dmz unsafe untrusted
170 iface eth3 unsafe untrusted
173 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
174 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
175 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
176 iface eth0.7 unsafe untrusted vpn
177 iface vpn-precision colobdry vpn sgo
181 iface br-dmz dmz unsafe
182 iface br-unsafe unsafe
184 iface wlan0 untrusted
185 iface vpn-radius unsafe
188 iface wlan0 untrusted
189 iface vpn-radius unsafe
195 ## Colocated networks.
197 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
200 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
202 defnet colohub virtual
203 via colobdry jump colo
204 defnet colobdry virtual
206 defnet iodine untrusted
207 addr 172.29.198.128/28
212 iface br-jump jump colo
213 iface br-colo jump colo
216 iface eth0 jump colo vpn sgo
217 iface eth1 jump colo vpn sgo
218 iface vpn-mango binswood
219 iface vpn-radius housebdry vpn sgo
221 iface vpn-national upn
231 iface eth0 jump colo vpn
232 iface eth1 jump colo vpn
238 via housebdry colobdry
240 addr !172.29.198.0/23
246 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
253 defnet anycast trusted
254 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
255 via dmz unsafe safe untrusted jump colo vpn
257 addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
258 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
259 addr 2001:ba8:1d9::/48 #temporary
260 via dmz unsafe untrusted jump colo
262 addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
264 host national 1 ::1:1
269 iface vpn-precision colohub
271 ## Satellite networks.
272 defnet binswood noloop
277 iface eth0 binswood default
278 iface vpn-precision colo
281 ###--------------------------------------------------------------------------
282 ### Connection tracking helper modules.
285 modprobe nf_conntrack_$i
289 ###--------------------------------------------------------------------------
290 ### Special forwarding exemptions.
295 ## Only allow these packets if they're not fragmented. (Don't trust safe
296 ## hosts's fragment reassembly to be robust against malicious fragments.)
297 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
298 ## of `! -f', so we do the negation using early return from a subchain.
299 clearchain fwd-spec-nofrag
300 run iptables -A fwd-spec-nofrag -j RETURN --fragment
301 run ip6tables -A fwd-spec-nofrag -j RETURN \
302 -m ipv6header --soft --header frag
303 run ip46tables -A FORWARD -j fwd-spec-nofrag
305 ## Allow ping from safe/noloop to untrusted networks.
306 run iptables -A fwd-spec-nofrag -j ACCEPT \
307 -p icmp --icmp-type echo-request \
308 -m mark --mark $to_untrusted/$MASK_TO
309 run iptables -A fwd-spec-nofrag -j ACCEPT \
310 -p icmp --icmp-type echo-reply \
311 -m mark --mark $from_untrusted/$MASK_FROM \
312 -m state --state ESTABLISHED
313 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
314 -p icmpv6 --icmpv6-type echo-request \
315 -m mark --mark $to_untrusted/$MASK_TO
316 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
317 -p icmpv6 --icmpv6-type echo-reply \
318 -m mark --mark $from_untrusted/$MASK_FROM \
319 -m state --state ESTABLISHED
321 ## Allow SSH from safe/noloop to untrusted networks.
322 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
323 -p tcp --destination-port $port_ssh \
324 -m mark --mark $to_untrusted/$MASK_TO
325 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
326 -p tcp --source-port $port_ssh \
327 -m mark --mark $from_untrusted/$MASK_FROM \
328 -m state --state ESTABLISHED
334 ###--------------------------------------------------------------------------
335 ### Kill things we don't understand properly.
337 ### I don't like having to do this, but since I don't know how to do proper
338 ### multicast filtering, I'm just going to ban it from being forwarded.
340 errorchain poorly-understood REJECT
342 ## Ban multicast destination addresses in forwarding.
345 run iptables -A FORWARD -g poorly-understood \
347 run ip6tables -A FORWARD -g poorly-understood \
353 ###--------------------------------------------------------------------------
354 ### Locally-bound packet inspection.
358 ## Track connections.
362 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
364 run iptables -A inbound -j ACCEPT \
365 -s 0.0.0.0 -d 255.255.255.255 \
366 -p udp --source-port $port_bootpc --destination-port $port_bootps
367 run iptables -A inbound -j ACCEPT \
369 -p udp --source-port $port_bootpc --destination-port $port_bootps
371 ## Allow incoming ping. This is the only ICMP left.
372 run iptables -A inbound -j ACCEPT -p icmp
373 run ip6tables -A inbound -j ACCEPT -p icmpv6
376 ## Allow unusual things.
379 ## Inspect inbound packets from untrusted sources.
380 run ip46tables -A inbound -j forbidden
381 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
382 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
384 ## Allow responses from the scary outside world into the untrusted net, but
385 ## don't let untrusted things run services.
388 run ip46tables -A FORWARD -j ACCEPT \
389 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
390 -m state --state ESTABLISHED,RELATED
394 ## Otherwise process as indicated by the mark.
395 for i in $inchains; do
396 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
400 ###----- That's all, folks --------------------------------------------------