~mdw / firewall / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
functions.m4, local.m4: Handle fragments in a useful way.
[firewall] / local.m4
1 ### -*-m4-*-
2 ###
3 ### Local firewall configuration
4 ###
5 ### (c) 2008 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Packet classification.
26
27 ## Define the available network classes.
28 m4_divert(42)m4_dnl
29 defnetclass untrusted untrusted trusted
30 defnetclass trusted untrusted trusted safe noloop
31 defnetclass safe trusted safe noloop
32 defnetclass noloop trusted safe
33 m4_divert(-1)m4_dnl
34
35 ###--------------------------------------------------------------------------
36 ### Network layout.
37
38 m4_divert(46)m4_dnl
39 ## Networks and routing.
40
41 defiface $if_trusted \
42 trusted:172.29.199.0/26 \
43 safe:172.29.199.64/27 \
44 untrusted:default
45 defiface $if_untrusted \
46 untrusted:172.29.198.0/24
47 defvpn $if_vpn safe 172.29.199.128/27 \
48 crybaby:172.29.199.129
49 defiface $if_its_mz safe:172.29.199.160/30
50 defiface $if_its_pi safe:192.168.0.0/24
51
52 m4_divert(60)m4_dnl
53 ###--------------------------------------------------------------------------
54 ### Special forwarding exemptions.
55
56 ## Allow ping from safe/noloop to untrusted networks.
57 run iptables -A FORWARD -j ACCEPT \
58 -p icmp ! -f --icmp-type echo-request \
59 -m mark --mark $to_untrusted/$MASK_TO
60 run iptables -A FORWARD -j ACCEPT \
61 -p icmp ! -f --icmp-type echo-reply \
62 -m mark --mark $from_untrusted/$MASK_FROM \
63 -m state --state ESTABLISHED
64
65 ## Allow SSH from safe/noloop to untrusted networks.
66 run iptables -A FORWARD -j ACCEPT \
67 -p tcp ! -f --destination-port $port_ssh \
68 -m mark --mark $to_untrusted/$MASK_TO
69 run iptables -A FORWARD -j ACCEPT \
70 -p tcp ! -f --source-port $port_ssh \
71 -m mark --mark $from_untrusted/$MASK_FROM \
72 -m state --state ESTABLISHED
73
74 m4_divert(80)m4_dnl
75 ###--------------------------------------------------------------------------
76 ### Locally-bound packet inspection.
77
78 clearchain inbound
79
80 ## Track connections.
81 commonrules inbound
82 conntrack inbound
83
84 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
85 ## local request.
86 run iptables -A inbound -j ACCEPT \
87 -s 0.0.0.0 -d 255.255.255.255 \
88 -p udp --source-port $port_bootpc --destination-port $port_bootps
89 run iptables -A inbound -j ACCEPT \
90 -s 172.29.198.0/23 \
91 -p udp --source-port $port_bootpc --destination-port $port_bootps
92
93 ## Allow incoming ping. This is the only ICMP left.
94 run iptables -A inbound -j ACCEPT -p icmp
95
96 m4_divert(88)m4_dnl
97 ## Allow unusual things.
98 openports inbound
99
100 ## Inspect inbound packets from untrusted sources.
101 run iptables -A inbound -j forbidden
102 run iptables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
103
104 ## Otherwise process as indicated by the mark.
105 for i in INPUT FORWARD; do
106 run iptables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
107 done
108
109 m4_divert(-1)
110 ###----- That's all, folks --------------------------------------------------
Firewall scripts for distorted.org.uk.