mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## IPv4 addressing.
  37 ##
  38 ## There are two small blocks of publicly routable IPv4 addresses, and a
  39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
  40 ## The former are as follows.
  41 ##
  42 ## 62.49.204.144/28
  43 ##              House border network (dmz).  We have all of these, but .145
  44 ##              is reserved for the router.
  45 ##
  46 ## 81.2.113.195, 81.187.238.128/28
  47 ##              House border network (aaisp).  We have all of these; the
  48 ##              loose address is for the router.
  49 ##
  50 ## 212.13.18.64/28
  51 ##              Jump colocated network (jump).  .65--68 are used by Jump
  52 ##              network infrastructure; we get the rest.
  53 ##
  54 ## The latter is the block 172.29.196.0/22.  Currently the low half is
  55 ## unallocated (and may be returned to the G-RIN); the remaining addresses
  56 ## are allocated as follows.
  57 ##
  58 ## 172.29.198.0/24  Untrusted networks.
  59 ##      .0/25           house wireless net
  60 ##      .128/28         iodine (IP-over-DNS) network
  61 ##      .160/27         untrusted virtual network
  62 ##
  63 ## 172.29.199.0/24  Trusted networks.
  64 ##      .0/25           house wired network
  65 ##      .128/27         mobile VPN hosts
  66 ##      .160/28         reserved, except .160/30 allocated for ITS
  67 ##      .176/28         internal colocated network
  68 ##      .192/27         house safe network
  69 ##      .224/27         anycast services
  70
  71 ## IPv6 addressing.
  72 ##
  73 ## There are five blocks of publicly routable IPv6 addresses, though some of
  74 ## them aren't very interesting.  The ranges are as follows.
  75 ##
  76 ## 2001:470:1f08:1b98::/64
  77 ##              Hurricane Electric tunnel network: only :1 (HE) and :2
  78 ##              (radius) are used.
  79 ##
  80 ## 2001:470:1f09:1b98::/64
  81 ##              House border network (dmz).
  82 ##
  83 ## 2001:470:9740::/48
  84 ##              Main house range.  See below for allocation policy.
  85 ##
  86 ## 2001:8b0:c92::/48
  87 ##              Main house range (aaisp).  See below for allocation policy.
  88 ##              There is no explicit DMZ allocation (and no need for one).
  89 ##
  90 ## 2001:ba8:0:1d9::/64
  91 ##              Jump border network (jump): :1 is the router (supplied by
  92 ##              Jump); other addresses are ours.
  93 ##
  94 ## 2001:ba8:1d9::/48
  95 ##              Main colocated range.  See below for allocation policy.
  96 ##
  97 ## Addresses in the /64 networks are simply allocated in ascending order.
  98 ## The /48s are split into /64s by appending a 16-bit network number.  The
  99 ## top nibble of the network number classifies the network, as follows.
 100 ##
 101 ## axxx         Virtual, untrusted
 102 ## 8xxx         Untrusted
 103 ## 6xxx         Virtual, safe
 104 ## 4xxx         Safe
 105 ## 0xxx         Unsafe, trusted
 106 ##
 107 ## These have been chosen so that network properties can be deduced by
 108 ## inspecting bits of the network number:
 109 ##
 110 ## Bit 15       If set, the network is untrusted; otherwise it is trusted.
 111 ## Bit 14       If set, the network is safe; otherwise it is unsafe.
 112 ##
 113 ## Finally, the low-order nibbles identify the site.
 114 ##
 115 ## 0            No specific site: mobile VPN endpoints or anycast addresses.
 116 ## 1            House.
 117 ## 2            Jump colocation.
 118 ##
 119 ## Usually site-0 networks are allocated from the Jump range to improve
 120 ## expected performance from/to external sites which don't engage in our
 121 ## dynamic routing protocols.
 122
 123 ## Define the available network classes.
 124 m4_divert(42)m4_dnl
 125 defnetclass scary       scary           trusted             mcast
 126 defnetclass untrusted   scary untrusted trusted             mcast
 127 defnetclass trusted     scary untrusted trusted safe noloop mcast
 128 defnetclass safe                        trusted safe noloop mcast
 129 defnetclass noloop                      trusted safe        mcast
 130
 131 defnetclass link
 132 defnetclass mcast
 133 m4_divert(-1)
 134
 135 m4_divert(26)m4_dnl
 136 ###--------------------------------------------------------------------------
 137 ### Network layout.
 138
 139 ## House networks.
 140 defnet dmz trusted
 141         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 142         addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
 143         via unsafe untrusted
 144 defnet unsafe trusted
 145         addr 172.29.199.0/25 2001:470:9740:1::/64
 146         via househub
 147 defnet safe safe
 148         addr 172.29.199.192/27 2001:470:9740:4001::/64
 149         via househub
 150 defnet untrusted untrusted
 151         addr 172.29.198.0/25 2001:470:9740:8001::/64
 152         via househub
 153
 154 defnet househub virtual
 155         via housebdry dmz unsafe safe untrusted
 156 defnet housebdry virtual
 157         via househub hub
 158
 159 ## House hosts.
 160 defhost radius
 161         hosttype router
 162         iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
 163         iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
 164         iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
 165         iface eth3 unsafe untrusted vpn default
 166         iface ppp0 default
 167         iface t6-he default
 168         iface vpn-precision colobdry vpn sgo
 169         iface vpn-chiark sgo
 170         iface vpn-+ vpn
 171 defhost roadstar
 172         iface eth0 dmz unsafe
 173         iface eth1 dmz unsafe
 174 defhost jem
 175         iface eth0 dmz unsafe
 176         iface eth1 dmz unsafe
 177 defhost universe
 178         iface eth0 dmz unsafe
 179         iface eth1 dmz unsafe
 180 defhost artist
 181         hosttype router
 182         iface eth0 dmz unsafe untrusted
 183         iface eth1 dmz unsafe untrusted
 184         iface eth3 unsafe untrusted
 185 defhost vampire
 186         hosttype router
 187         iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
 188         iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
 189         iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
 190         iface eth0.7 unsafe untrusted vpn
 191         iface vpn-precision colobdry vpn sgo
 192         iface vpn-chiark sgo
 193         iface vpn-+ vpn
 194 defhost ibanez
 195         iface br-dmz dmz unsafe
 196         iface br-unsafe unsafe
 197 defhost orange
 198         iface wlan0 untrusted
 199         iface vpn-radius unsafe
 200 defhost groove
 201         iface eth0 unsafe
 202         iface wlan0 untrusted
 203         iface vpn-radius unsafe
 204
 205 defhost gibson
 206         hosttype client
 207         iface eth0.5 unsafe
 208
 209 ## Colocated networks.
 210 defnet jump trusted
 211         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 212         via colohub
 213 defnet colo trusted
 214         addr 172.29.199.176/28 2001:ba8:1d9:2::/64
 215         via colohub
 216 defnet colohub virtual
 217         via colobdry jump colo
 218 defnet colobdry virtual
 219         via colohub hub
 220 defnet iodine untrusted
 221         addr 172.29.198.128/28
 222         via colohub
 223
 224 ## Colocated hosts.
 225 defhost fender
 226         iface br-jump jump colo
 227         iface br-colo jump colo
 228 defhost precision
 229         hosttype router
 230         iface eth0 jump colo vpn sgo
 231         iface eth1 jump colo vpn sgo
 232         iface vpn-mango binswood
 233         iface vpn-radius housebdry vpn sgo
 234         iface vpn-chiark sgo
 235         iface vpn-national upn
 236         iface vpn-+ vpn
 237 defhost telecaster
 238         iface eth0 jump colo
 239         iface eth1 jump colo
 240 defhost stratocaster
 241         iface eth0 jump colo
 242         iface eth1 jump colo
 243 defhost jazz
 244         hosttype router
 245         iface eth0 jump colo vpn
 246         iface eth1 jump colo vpn
 247         iface dns0 iodine
 248         iface vpn-+ vpn
 249
 250 ## Other networks.
 251 defnet hub virtual
 252         via housebdry colobdry
 253 defnet sgo noloop
 254         addr !172.29.198.0/23
 255         addr 10.0.0.0/8
 256         addr 172.16.0.0/12
 257         addr 192.168.0.0/16
 258         via househub colohub
 259 defnet vpn safe
 260         addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
 261         via househub colohub
 262         host crybaby 1 ::1:1
 263         host terror 2 ::2:1
 264         host orange 3 ::3:1
 265         host haze 4 ::4:1
 266         host groove 5 ::5:1
 267 defnet anycast trusted
 268         addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 269         via dmz unsafe safe untrusted jump colo vpn
 270 defnet default scary
 271         addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 272         addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 273         addr 2001:ba8:1d9::/48 #temporary
 274         via dmz unsafe untrusted jump colo
 275 defnet upn untrusted
 276         addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
 277         via colohub
 278         host national 1 ::1:1
 279
 280 ## Linode hosts.
 281 defhost national
 282         iface eth0 default
 283         iface vpn-precision colohub
 284
 285 ## Satellite networks.
 286 defnet binswood noloop
 287         addr 10.165.27.0/24
 288         via colohub
 289 defhost mango
 290         hosttype router
 291         iface eth0 binswood default
 292         iface vpn-precision colo
 293
 294 m4_divert(80)m4_dnl
 295 ###--------------------------------------------------------------------------
 296 ### Connection tracking helper modules.
 297
 298 for i in ftp; do
 299   modprobe nf_conntrack_$i
 300 done
 301
 302 m4_divert(80)m4_dnl
 303 ###--------------------------------------------------------------------------
 304 ### Special forwarding exemptions.
 305
 306 case $forward in
 307   1)
 308
 309     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 310     ## hosts's fragment reassembly to be robust against malicious fragments.)
 311     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 312     ## of `! -f', so we do the negation using early return from a subchain.
 313     clearchain fwd-spec-nofrag
 314     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 315     run ip6tables -A fwd-spec-nofrag -j RETURN \
 316             -m ipv6header --soft --header frag
 317     run ip46tables -A FORWARD -j fwd-spec-nofrag
 318
 319     ## Allow ping from safe/noloop to untrusted networks.
 320     run iptables -A fwd-spec-nofrag -j ACCEPT \
 321             -p icmp --icmp-type echo-request \
 322             -m mark --mark $to_untrusted/$MASK_TO
 323     run iptables -A fwd-spec-nofrag -j ACCEPT \
 324             -p icmp --icmp-type echo-reply \
 325             -m mark --mark $from_untrusted/$MASK_FROM \
 326             -m state --state ESTABLISHED
 327     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 328             -p icmpv6 --icmpv6-type echo-request \
 329             -m mark --mark $to_untrusted/$MASK_TO
 330     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 331             -p icmpv6 --icmpv6-type echo-reply \
 332             -m mark --mark $from_untrusted/$MASK_FROM \
 333             -m state --state ESTABLISHED
 334
 335     ## Allow SSH from safe/noloop to untrusted networks.
 336     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 337             -p tcp --destination-port $port_ssh \
 338             -m mark --mark $to_untrusted/$MASK_TO
 339     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 340             -p tcp --source-port $port_ssh \
 341             -m mark --mark $from_untrusted/$MASK_FROM \
 342             -m state --state ESTABLISHED
 343
 344     ;;
 345 esac
 346
 347 m4_divert(80)m4_dnl
 348 ###--------------------------------------------------------------------------
 349 ### Kill things we don't understand properly.
 350 ###
 351 ### I don't like having to do this, but since I don't know how to do proper
 352 ### multicast filtering, I'm just going to ban it from being forwarded.
 353
 354 errorchain poorly-understood REJECT
 355
 356 ## Ban multicast destination addresses in forwarding.
 357 case $forward in
 358   1)
 359     run iptables -A FORWARD -g poorly-understood \
 360             -d 224.0.0.0/4
 361     run ip6tables -A FORWARD -g poorly-understood \
 362             -d ff::/8
 363     ;;
 364 esac
 365
 366 m4_divert(84)m4_dnl
 367 ###--------------------------------------------------------------------------
 368 ### Locally-bound packet inspection.
 369
 370 clearchain inbound
 371
 372 ## Track connections.
 373 commonrules inbound
 374 conntrack inbound
 375
 376 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 377 ## local request.
 378 run iptables -A inbound -j ACCEPT \
 379         -s 0.0.0.0 -d 255.255.255.255 \
 380         -p udp --source-port $port_bootpc --destination-port $port_bootps
 381 run iptables -A inbound -j ACCEPT \
 382         -s 172.29.198.0/23 \
 383         -p udp --source-port $port_bootpc --destination-port $port_bootps
 384
 385 ## Allow incoming ping.  This is the only ICMP left.
 386 run iptables -A inbound -j ACCEPT -p icmp
 387 run ip6tables -A inbound -j ACCEPT -p icmpv6
 388
 389 m4_divert(88)m4_dnl
 390 ## Allow unusual things.
 391 openports inbound
 392
 393 ## Inspect inbound packets from untrusted sources.
 394 run ip46tables -A inbound -j forbidden
 395 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
 396 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 397
 398 ## Allow responses from the scary outside world into the untrusted net, but
 399 ## don't let untrusted things run services.
 400 case $forward in
 401   1)
 402     run ip46tables -A FORWARD -j ACCEPT \
 403         -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
 404         -m state --state ESTABLISHED,RELATED
 405     ;;
 406 esac
 407
 408 ## Otherwise process as indicated by the mark.
 409 for i in $inchains; do
 410   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 411 done
 412
 413 m4_divert(-1)
 414 ###----- That's all, folks --------------------------------------------------