3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
38 ## There are two small blocks of publicly routable IPv4 addresses, and a
39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
40 ## The former are as follows.
42 ## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
43 ## House border network (dmz). We have all of these; the loose
44 ## address is for the router.
46 ## The latter is the block 172.29.196.0/22. Currently the low half is
47 ## unallocated (and may be returned to the G-RIN); the remaining addresses
48 ## are allocated as follows.
50 ## 172.29.198.0/24 Untrusted networks.
51 ## .0/25 house wireless net
52 ## .128/28 iodine (IP-over-DNS) network
53 ## .144/28 hippotat (IP-over-HTTP) network
54 ## .160/27 untrusted virtual network
56 ## 172.29.199.0/24 Trusted networks.
57 ## .0/25 house wired network
58 ## .128/27 mobile VPN hosts
59 ## .160/28 reserved, except .160/30 allocated for ITS
60 ## .176/28 internal colocated network
61 ## .192/27 house safe network
62 ## .224/27 anycast services
66 ## There are five blocks of publicly routable IPv6 addresses, though some of
67 ## them aren't very interesting. The ranges are as follows.
70 ## Main house range (aaisp). See below for allocation policy.
71 ## There is no explicit DMZ allocation (and no need for one).
73 ## Addresses in the /64 networks are simply allocated in ascending order.
74 ## The /48s are split into /64s by appending a 16-bit network number. The
75 ## top nibble of the network number classifies the network, as follows.
77 ## axxx Virtual, untrusted
81 ## 0xxx Unsafe, trusted
83 ## These have been chosen so that network properties can be deduced by
84 ## inspecting bits of the network number:
86 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.
87 ## Bit 14 If set, the network is safe; otherwise it is unsafe.
89 ## Finally, the low-order nibbles identify the site.
91 ## 0 No specific site: mobile VPN endpoints or anycast addresses.
93 ## fff Local border network.
95 ## Define the available network classes.
97 defnetclass scary scary trusted vpnnat mcast
98 defnetclass untrusted scary untrusted trusted mcast
99 defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast
100 defnetclass safe trusted safe noloop vpnnat mcast
101 defnetclass noloop trusted safe mcast
102 defnetclass vpnnat scary trusted safe mcast
109 ###--------------------------------------------------------------------------
114 addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
116 defnet unsafe trusted
117 addr 172.29.199.0/25 2001:8b0:c92:1::/64
120 addr 172.29.199.192/27 2001:8b0:c92:4001::/64
122 defnet untrusted untrusted
123 addr 172.29.198.0/25 2001:8b0:c92:8001::/64
126 defnet househub virtual
127 via housebdry dmz unsafe safe untrusted
128 defnet housebdry virtual
134 iface eth0 dmz unsafe safe untrusted vpn sgo default
135 iface eth1 dmz unsafe safe untrusted vpn sgo default
136 iface eth2 dmz unsafe safe untrusted vpn sgo
137 iface eth3 unsafe untrusted vpn default
140 iface vpn-precision vpn sgo
144 iface eth0 dmz unsafe
145 iface eth1 dmz unsafe
147 iface eth0 dmz unsafe
148 iface eth1 dmz unsafe
150 iface eth0 dmz unsafe
151 iface eth1 dmz unsafe
154 iface eth0 dmz unsafe untrusted
155 iface eth1 dmz unsafe untrusted
156 iface eth3 unsafe untrusted
159 iface eth0.4 dmz unsafe untrusted safe vpn sgo
160 iface eth0.5 dmz unsafe untrusted safe vpn sgo
161 iface eth0.6 dmz unsafe safe untrusted vpn sgo
162 iface eth0.7 unsafe untrusted vpn
163 iface vpn-precision vpn sgo
167 iface br-dmz dmz unsafe
168 iface br-unsafe unsafe
170 iface wlan0 untrusted
171 iface vpn-radius unsafe
174 iface wlan0 untrusted
175 iface vpn-radius unsafe
181 ## Formerly colocated hosts.
183 iface br-dmz dmz unsafe
184 iface br-unsafe dmz unsafe
187 iface eth0 dmz unsafe vpn sgo
188 iface eth1 dmz unsafe vpn sgo
189 iface vpn-mango binswood
191 iface vpn-national upn
196 iface eth0 dmz unsafe vpn sgo
197 iface eth1 dmz unsafe vpn sgo
199 iface eth0 dmz unsafe vpn sgo
200 iface eth1 dmz unsafe vpn sgo
203 iface eth0 dmz unsafe vpn sgo
204 iface eth1 dmz unsafe vpn sgo
206 iface hippo-svc hippotat
209 ## Stunt connectivity networks.
210 defnet iodine untrusted
211 addr 172.29.198.128/28
213 defnet hippotat untrusted
214 addr 172.29.198.144/28
222 addr !172.29.198.0/23
229 addr 172.29.199.128/27 2001:8b0:c92:6000::/64
236 host groove 10 ::10:1
237 defnet anycast trusted
238 addr 172.29.199.224/27 2001:8b0:c92:0::/64
239 via dmz unsafe safe untrusted vpn nvpn
241 addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
243 via dmz unsafe untrusted
245 addr 172.29.198.160/27 2001:8b0:c92:a000::/64
247 host national 1 ::1:1
254 iface vpn-precision househub
257 iface vpn-precision househub
259 ## Satellite networks.
260 defnet binswood vpnnat
265 iface eth0 binswood default
266 iface vpn-precision dmz default
269 ###--------------------------------------------------------------------------
270 ### Connection tracking helper modules.
273 modprobe nf_conntrack_$i
277 ###--------------------------------------------------------------------------
278 ### Special forwarding exemptions.
283 ## Only allow these packets if they're not fragmented. (Don't trust safe
284 ## hosts's fragment reassembly to be robust against malicious fragments.)
285 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
286 ## of `! -f', so we do the negation using early return from a subchain.
287 clearchain fwd-spec-nofrag
288 run iptables -A fwd-spec-nofrag -j RETURN --fragment
289 run ip6tables -A fwd-spec-nofrag -j RETURN \
290 -m ipv6header --soft --header frag
291 run ip46tables -A FORWARD -j fwd-spec-nofrag
293 ## Allow ping from safe/noloop to untrusted networks.
294 run iptables -A fwd-spec-nofrag -j ACCEPT \
295 -p icmp --icmp-type echo-request \
296 -m mark --mark $to_untrusted/$MASK_TO
297 run iptables -A fwd-spec-nofrag -j ACCEPT \
298 -p icmp --icmp-type echo-reply \
299 -m mark --mark $from_untrusted/$MASK_FROM \
300 -m state --state ESTABLISHED
301 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
302 -p icmpv6 --icmpv6-type echo-request \
303 -m mark --mark $to_untrusted/$MASK_TO
304 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
305 -p icmpv6 --icmpv6-type echo-reply \
306 -m mark --mark $from_untrusted/$MASK_FROM \
307 -m state --state ESTABLISHED
309 ## Allow SSH from safe/noloop to untrusted networks.
310 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
311 -p tcp --destination-port $port_ssh \
312 -m mark --mark $to_untrusted/$MASK_TO
313 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
314 -p tcp --source-port $port_ssh \
315 -m mark --mark $from_untrusted/$MASK_FROM \
316 -m state --state ESTABLISHED
322 ###--------------------------------------------------------------------------
323 ### Kill things we don't understand properly.
325 ### I don't like having to do this, but since I don't know how to do proper
326 ### multicast filtering, I'm just going to ban it from being forwarded.
328 errorchain poorly-understood REJECT
330 ## Ban multicast destination addresses in forwarding.
333 run iptables -A FORWARD -g poorly-understood \
335 run ip6tables -A FORWARD -g poorly-understood \
341 ###--------------------------------------------------------------------------
342 ### Check for source routing.
344 clearchain check-srcroute
346 run iptables -A check-srcroute -g forbidden \
347 -m ipv4options --any --flags lsrr,ssrr
348 run ip6tables -A check-srcroute -g forbidden \
351 for c in INPUT FORWARD; do
352 for m in $from_scary $from_untrusted; do
353 run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
358 ###--------------------------------------------------------------------------
359 ### Locally-bound packet inspection.
362 clearchain inbound-untrusted
364 ## Track connections.
368 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
370 run iptables -A inbound -j ACCEPT \
371 -s 0.0.0.0 -d 255.255.255.255 \
372 -p udp --source-port $port_bootpc --destination-port $port_bootps
373 run iptables -A inbound -j ACCEPT \
375 -p udp --source-port $port_bootpc --destination-port $port_bootps
377 ## Allow incoming ping. This is the only ICMP left.
378 run iptables -A inbound -j ACCEPT -p icmp
379 run ip6tables -A inbound -j ACCEPT -p icmpv6
382 ## Allow unusual things.
385 ## Inspect inbound packets from untrusted sources.
386 run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
387 run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
388 run ip46tables -A inbound-untrusted -g forbidden
389 run ip46tables -A inbound -g forbidden
390 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
391 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
393 ## Allow responses from the scary outside world into the untrusted net, but
394 ## don't let untrusted things run services.
397 run ip46tables -A FORWARD -j ACCEPT \
398 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
399 -m state --state ESTABLISHED,RELATED
403 ## Otherwise process as indicated by the mark.
404 for i in $inchains; do
405 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
409 ###----- That's all, folks --------------------------------------------------