3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
38 ## There are two small blocks of publicly routable IPv4 addresses, and a
39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40 ## The former are as follows.
43 ## House border network (dmz). We have all of these, but .145
44 ## is reserved for the router.
46 ## 81.2.113.195, 81.187.238.128/28
47 ## House border network (aaisp). We have all of these; the
48 ## loose address is for the router.
51 ## Jump colocated network (jump). .65--68 are used by Jump
52 ## network infrastructure; we get the rest.
54 ## The latter is the block 172.29.196.0/22. Currently the low half is
55 ## unallocated (and may be returned to the G-RIN); the remaining addresses
56 ## are allocated as follows.
58 ## 172.29.198.0/24 Untrusted networks.
59 ## .0/25 house wireless net
60 ## .128/28 iodine (IP-over-DNS) network
61 ## .160/27 untrusted virtual network
63 ## 172.29.199.0/24 Trusted networks.
64 ## .0/25 house wired network
65 ## .128/27 mobile VPN hosts
66 ## .160/28 reserved, except .160/30 allocated for ITS
67 ## .176/28 internal colocated network
68 ## .192/27 house safe network
69 ## .224/27 anycast services
73 ## There are five blocks of publicly routable IPv6 addresses, though some of
74 ## them aren't very interesting. The ranges are as follows.
76 ## 2001:470:1f08:1b98::/64
77 ## Hurricane Electric tunnel network: only :1 (HE) and :2
80 ## 2001:470:1f09:1b98::/64
81 ## House border network (dmz).
84 ## Main house range. See below for allocation policy.
87 ## Main house range (aaisp). See below for allocation policy.
88 ## There is no explicit DMZ allocation (and no need for one).
90 ## 2001:ba8:0:1d9::/64
91 ## Jump border network (jump): :1 is the router (supplied by
92 ## Jump); other addresses are ours.
95 ## Main colocated range. See below for allocation policy.
97 ## Addresses in the /64 networks are simply allocated in ascending order.
98 ## The /48s are split into /64s by appending a 16-bit network number. The
99 ## top nibble of the network number classifies the network, as follows.
101 ## axxx Virtual, untrusted
103 ## 6xxx Virtual, safe
105 ## 0xxx Unsafe, trusted
107 ## These have been chosen so that network properties can be deduced by
108 ## inspecting bits of the network number:
110 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.
111 ## Bit 14 If set, the network is safe; otherwise it is unsafe.
113 ## Finally, the low-order nibbles identify the site.
115 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
117 ## 2 Jump colocation.
119 ## Usually site-0 networks are allocated from the Jump range to improve
120 ## expected performance from/to external sites which don't engage in our
121 ## dynamic routing protocols.
123 ## Define the available network classes.
125 defnetclass scary scary trusted mcast
126 defnetclass untrusted scary untrusted trusted mcast
127 defnetclass trusted scary untrusted trusted safe noloop mcast
128 defnetclass safe trusted safe noloop mcast
129 defnetclass noloop trusted safe mcast
136 ###--------------------------------------------------------------------------
141 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
142 addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
144 defnet unsafe trusted
145 addr 172.29.199.0/25 2001:470:9740:1::/64
148 addr 172.29.199.192/27 2001:470:9740:4001::/64
150 defnet untrusted untrusted
151 addr 172.29.198.0/25 2001:470:9740:8001::/64
154 defnet househub virtual
155 via housebdry dmz unsafe safe untrusted
156 defnet housebdry virtual
162 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
163 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
164 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
165 iface eth3 unsafe untrusted vpn default
168 iface vpn-precision colobdry vpn sgo
172 iface eth0 dmz unsafe
173 iface eth1 dmz unsafe
175 iface eth0 dmz unsafe
176 iface eth1 dmz unsafe
178 iface eth0 dmz unsafe
179 iface eth1 dmz unsafe
182 iface eth0 dmz unsafe untrusted
183 iface eth1 dmz unsafe untrusted
184 iface eth3 unsafe untrusted
187 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
188 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
189 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
190 iface eth0.7 unsafe untrusted vpn
191 iface vpn-precision colobdry vpn sgo
195 iface br-dmz dmz unsafe
196 iface br-unsafe unsafe
198 iface wlan0 untrusted
199 iface vpn-radius unsafe
202 iface wlan0 untrusted
203 iface vpn-radius unsafe
209 ## Colocated networks.
211 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
214 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
216 defnet colohub virtual
217 via colobdry jump colo
218 defnet colobdry virtual
220 defnet iodine untrusted
221 addr 172.29.198.128/28
226 iface br-jump jump colo
227 iface br-colo jump colo
230 iface eth0 jump colo vpn sgo
231 iface eth1 jump colo vpn sgo
232 iface vpn-mango binswood
233 iface vpn-radius housebdry vpn sgo
235 iface vpn-national upn
245 iface eth0 jump colo vpn
246 iface eth1 jump colo vpn
252 via housebdry colobdry
254 addr !172.29.198.0/23
260 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
267 defnet anycast trusted
268 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
269 via dmz unsafe safe untrusted jump colo vpn
271 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
272 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
273 addr 2001:ba8:1d9::/48 #temporary
274 via dmz unsafe untrusted jump colo
276 addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
278 host national 1 ::1:1
283 iface vpn-precision colohub
285 ## Satellite networks.
286 defnet binswood noloop
291 iface eth0 binswood default
292 iface vpn-precision colo
295 ###--------------------------------------------------------------------------
296 ### Connection tracking helper modules.
299 modprobe nf_conntrack_$i
303 ###--------------------------------------------------------------------------
304 ### Special forwarding exemptions.
309 ## Only allow these packets if they're not fragmented. (Don't trust safe
310 ## hosts's fragment reassembly to be robust against malicious fragments.)
311 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
312 ## of `! -f', so we do the negation using early return from a subchain.
313 clearchain fwd-spec-nofrag
314 run iptables -A fwd-spec-nofrag -j RETURN --fragment
315 run ip6tables -A fwd-spec-nofrag -j RETURN \
316 -m ipv6header --soft --header frag
317 run ip46tables -A FORWARD -j fwd-spec-nofrag
319 ## Allow ping from safe/noloop to untrusted networks.
320 run iptables -A fwd-spec-nofrag -j ACCEPT \
321 -p icmp --icmp-type echo-request \
322 -m mark --mark $to_untrusted/$MASK_TO
323 run iptables -A fwd-spec-nofrag -j ACCEPT \
324 -p icmp --icmp-type echo-reply \
325 -m mark --mark $from_untrusted/$MASK_FROM \
326 -m state --state ESTABLISHED
327 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
328 -p icmpv6 --icmpv6-type echo-request \
329 -m mark --mark $to_untrusted/$MASK_TO
330 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
331 -p icmpv6 --icmpv6-type echo-reply \
332 -m mark --mark $from_untrusted/$MASK_FROM \
333 -m state --state ESTABLISHED
335 ## Allow SSH from safe/noloop to untrusted networks.
336 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
337 -p tcp --destination-port $port_ssh \
338 -m mark --mark $to_untrusted/$MASK_TO
339 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
340 -p tcp --source-port $port_ssh \
341 -m mark --mark $from_untrusted/$MASK_FROM \
342 -m state --state ESTABLISHED
348 ###--------------------------------------------------------------------------
349 ### Kill things we don't understand properly.
351 ### I don't like having to do this, but since I don't know how to do proper
352 ### multicast filtering, I'm just going to ban it from being forwarded.
354 errorchain poorly-understood REJECT
356 ## Ban multicast destination addresses in forwarding.
359 run iptables -A FORWARD -g poorly-understood \
361 run ip6tables -A FORWARD -g poorly-understood \
367 ###--------------------------------------------------------------------------
368 ### Locally-bound packet inspection.
372 ## Track connections.
376 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
378 run iptables -A inbound -j ACCEPT \
379 -s 0.0.0.0 -d 255.255.255.255 \
380 -p udp --source-port $port_bootpc --destination-port $port_bootps
381 run iptables -A inbound -j ACCEPT \
383 -p udp --source-port $port_bootpc --destination-port $port_bootps
385 ## Allow incoming ping. This is the only ICMP left.
386 run iptables -A inbound -j ACCEPT -p icmp
387 run ip6tables -A inbound -j ACCEPT -p icmpv6
390 ## Allow unusual things.
393 ## Inspect inbound packets from untrusted sources.
394 run ip46tables -A inbound -j forbidden
395 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
396 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
398 ## Allow responses from the scary outside world into the untrusted net, but
399 ## don't let untrusted things run services.
402 run ip46tables -A FORWARD -j ACCEPT \
403 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
404 -m state --state ESTABLISHED,RELATED
408 ## Otherwise process as indicated by the mark.
409 for i in $inchains; do
410 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
414 ###----- That's all, folks --------------------------------------------------