mdw@git.distorted.org.uk Git - firewall/blob - local.m4

   1 ### -*-sh-*-
   2 ###
   3 ### Local firewall configuration
   4 ###
   5 ### (c) 2008 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Local configuration.
  26
  27 m4_divert(6)m4_dnl
  28 ## Default NTP servers.
  29 defconf(ntp_servers,
  30         "81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")
  31
  32 m4_divert(-1)
  33 ###--------------------------------------------------------------------------
  34 ### Packet classification.
  35
  36 ## IPv4 addressing.
  37 ##
  38 ## There are two small blocks of publicly routable IPv4 addresses, and a
  39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
  40 ## The former are as follows.
  41 ##
  42 ## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
  43 ##              House border network (dmz).  We have all of these; the loose
  44 ##              address is for the router.
  45 ##
  46 ## The latter is the block 172.29.196.0/22.  Currently the low half is
  47 ## unallocated (and may be returned to the G-RIN); the remaining addresses
  48 ## are allocated as follows.
  49 ##
  50 ## 172.29.198.0/24  Untrusted networks.
  51 ##      .0/25           house wireless net
  52 ##      .128/28         iodine (IP-over-DNS) network
  53 ##      .144/28         hippotat (IP-over-HTTP) network
  54 ##      .160/27         untrusted virtual network
  55 ##
  56 ## 172.29.199.0/24  Trusted networks.
  57 ##      .0/25           house wired network
  58 ##      .128/27         mobile VPN hosts
  59 ##      .160/28         reserved, except .160/30 allocated for ITS
  60 ##      .176/28         internal colocated network
  61 ##      .192/27         house safe network
  62 ##      .224/27         anycast services
  63
  64 ## IPv6 addressing.
  65 ##
  66 ## There are five blocks of publicly routable IPv6 addresses, though some of
  67 ## them aren't very interesting.  The ranges are as follows.
  68 ##
  69 ## 2001:8b0:c92::/48
  70 ##              Main house range (aaisp).  See below for allocation policy.
  71 ##              There is no explicit DMZ allocation (and no need for one).
  72 ##
  73 ## Addresses in the /64 networks are simply allocated in ascending order.
  74 ## The /48s are split into /64s by appending a 16-bit network number.  The
  75 ## top nibble of the network number classifies the network, as follows.
  76 ##
  77 ## axxx         Virtual, untrusted
  78 ## 8xxx         Untrusted
  79 ## 6xxx         Virtual, safe
  80 ## 4xxx         Safe
  81 ## 0xxx         Unsafe, trusted
  82 ##
  83 ## These have been chosen so that network properties can be deduced by
  84 ## inspecting bits of the network number:
  85 ##
  86 ## Bit 15       If set, the network is untrusted; otherwise it is trusted.
  87 ## Bit 14       If set, the network is safe; otherwise it is unsafe.
  88 ##
  89 ## Finally, the low-order nibbles identify the site.
  90 ##
  91 ## 0            No specific site: mobile VPN endpoints or anycast addresses.
  92 ## 1            House.
  93 ## fff          Local border network.
  94
  95 ## Define the available network classes.
  96 m4_divert(42)m4_dnl
  97 defnetclass scary       scary           trusted             vpnnat mcast
  98 defnetclass untrusted   scary untrusted trusted                    mcast
  99 defnetclass trusted     scary untrusted trusted safe noloop vpnnat mcast
 100 defnetclass safe                        trusted safe noloop vpnnat mcast
 101 defnetclass noloop                      trusted safe               mcast
 102 defnetclass vpnnat      scary           trusted safe               mcast
 103
 104 defnetclass link
 105 defnetclass mcast
 106 m4_divert(-1)
 107
 108 m4_divert(26)m4_dnl
 109 ###--------------------------------------------------------------------------
 110 ### Network layout.
 111
 112 ## House networks.
 113 defnet dmz trusted
 114         addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
 115         via unsafe untrusted
 116 defnet unsafe trusted
 117         addr 172.29.199.0/25 2001:8b0:c92:1::/64
 118         via househub
 119 defnet safe safe
 120         addr 172.29.199.192/27 2001:8b0:c92:4001::/64
 121         via househub
 122 defnet untrusted untrusted
 123         addr 172.29.198.0/25 2001:8b0:c92:8001::/64
 124         via househub
 125
 126 defnet househub virtual
 127         via housebdry dmz unsafe safe untrusted
 128 defnet housebdry virtual
 129         via househub hub
 130
 131 ## House hosts.
 132 defhost radius
 133         hosttype router
 134         iface eth0 dmz unsafe safe untrusted vpn sgo default
 135         iface eth1 dmz unsafe safe untrusted vpn sgo default
 136         iface eth2 dmz unsafe safe untrusted vpn sgo
 137         iface eth3 unsafe untrusted vpn default
 138         iface ppp0 default
 139         iface t6-he default
 140         iface vpn-precision vpn sgo
 141         iface vpn-chiark sgo
 142         iface vpn-+ vpn
 143 defhost roadstar
 144         iface eth0 dmz unsafe
 145         iface eth1 dmz unsafe
 146 defhost jem
 147         iface eth0 dmz unsafe
 148         iface eth1 dmz unsafe
 149 defhost universe
 150         iface eth0 dmz unsafe
 151         iface eth1 dmz unsafe
 152 defhost artist
 153         hosttype router
 154         iface eth0 dmz unsafe untrusted
 155         iface eth1 dmz unsafe untrusted
 156         iface eth3 unsafe untrusted
 157 defhost vampire
 158         hosttype router
 159         iface eth0.4 dmz unsafe untrusted safe vpn sgo
 160         iface eth0.5 dmz unsafe untrusted safe vpn sgo
 161         iface eth0.6 dmz unsafe safe untrusted vpn sgo
 162         iface eth0.7 unsafe untrusted vpn
 163         iface vpn-precision vpn sgo
 164         iface vpn-chiark sgo
 165         iface vpn-+ vpn
 166 defhost ibanez
 167         iface br-dmz dmz unsafe
 168         iface br-unsafe unsafe
 169 defhost orange
 170         iface wlan0 untrusted
 171         iface vpn-radius unsafe
 172 defhost groove
 173         iface eth0 unsafe
 174         iface wlan0 untrusted
 175         iface vpn-radius unsafe
 176
 177 defhost gibson
 178         hosttype client
 179         iface eth0 unsafe
 180
 181 ## Formerly colocated hosts.
 182 defhost fender
 183         iface br-dmz dmz unsafe
 184         iface br-unsafe dmz unsafe
 185 defhost precision
 186         hosttype router
 187         iface eth0 dmz unsafe vpn sgo
 188         iface eth1 dmz unsafe vpn sgo
 189         iface vpn-mango binswood
 190         iface vpn-chiark sgo
 191         iface vpn-national upn
 192         iface vpn-mdwdev upn
 193         iface vpn-eggle upn
 194         iface vpn-+ vpn
 195 defhost telecaster
 196         iface eth0 dmz unsafe vpn sgo
 197         iface eth1 dmz unsafe vpn sgo
 198 defhost stratocaster
 199         iface eth0 dmz unsafe vpn sgo
 200         iface eth1 dmz unsafe vpn sgo
 201 defhost jazz
 202         hosttype router
 203         iface eth0 dmz unsafe vpn sgo
 204         iface eth1 dmz unsafe vpn sgo
 205         iface dns0 iodine
 206         iface hippo-svc hippotat
 207         iface vpn-+ vpn
 208
 209 ## Stunt connectivity networks.
 210 defnet iodine untrusted
 211         addr 172.29.198.128/28
 212         via colohub
 213 defnet hippotat untrusted
 214         addr 172.29.198.144/28
 215         via colohub
 216
 217
 218 ## Other networks.
 219 defnet hub virtual
 220         via housebdry
 221 defnet sgo noloop
 222         addr !172.29.198.0/23
 223         addr !10.165.27.0/24
 224         addr 10.0.0.0/8
 225         addr 172.16.0.0/12
 226         addr 192.168.0.0/16
 227         via househub
 228 defnet vpn trusted
 229         addr 172.29.199.128/27 2001:8b0:c92:6000::/64
 230         via househub
 231         host crybaby 1 ::1:1
 232         host terror 2 ::2:1
 233         host orange 3 ::3:1
 234         host haze 4 ::4:1
 235         host spirit 9 ::9:1
 236         host groove 10 ::10:1
 237 defnet anycast trusted
 238         addr 172.29.199.224/27 2001:8b0:c92:0::/64
 239         via dmz unsafe safe untrusted vpn nvpn
 240 defnet default scary
 241         addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
 242                 2001:8b0:c92::/48
 243         via dmz unsafe untrusted
 244 defnet upn untrusted
 245         addr 172.29.198.160/27 2001:8b0:c92:a000::/64
 246         via househub
 247         host national 1 ::1:1
 248         host mdwdev 2 ::2:1
 249         host eggle 3 ::3:1
 250
 251 ## VPS hosts.
 252 defhost eggle
 253         iface eth0 default
 254         iface vpn-precision househub
 255 defhost national
 256         iface eth0 default
 257         iface vpn-precision househub
 258
 259 ## Satellite networks.
 260 defnet binswood vpnnat
 261         addr 10.165.27.0/24
 262         via househub
 263 defhost mango
 264         hosttype router
 265         iface eth0 binswood default
 266         iface vpn-precision dmz default
 267
 268 m4_divert(80)m4_dnl
 269 ###--------------------------------------------------------------------------
 270 ### Connection tracking helper modules.
 271
 272 for i in ftp; do
 273   modprobe nf_conntrack_$i
 274 done
 275
 276 m4_divert(80)m4_dnl
 277 ###--------------------------------------------------------------------------
 278 ### Special forwarding exemptions.
 279
 280 case $forward in
 281   1)
 282
 283     ## Only allow these packets if they're not fragmented.  (Don't trust safe
 284     ## hosts's fragment reassembly to be robust against malicious fragments.)
 285     ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
 286     ## of `! -f', so we do the negation using early return from a subchain.
 287     clearchain fwd-spec-nofrag
 288     run iptables -A fwd-spec-nofrag -j RETURN --fragment
 289     run ip6tables -A fwd-spec-nofrag -j RETURN \
 290             -m ipv6header --soft --header frag
 291     run ip46tables -A FORWARD -j fwd-spec-nofrag
 292
 293     ## Allow ping from safe/noloop to untrusted networks.
 294     run iptables -A fwd-spec-nofrag -j ACCEPT \
 295             -p icmp --icmp-type echo-request \
 296             -m mark --mark $to_untrusted/$MASK_TO
 297     run iptables -A fwd-spec-nofrag -j ACCEPT \
 298             -p icmp --icmp-type echo-reply \
 299             -m mark --mark $from_untrusted/$MASK_FROM \
 300             -m state --state ESTABLISHED
 301     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 302             -p icmpv6 --icmpv6-type echo-request \
 303             -m mark --mark $to_untrusted/$MASK_TO
 304     run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 305             -p icmpv6 --icmpv6-type echo-reply \
 306             -m mark --mark $from_untrusted/$MASK_FROM \
 307             -m state --state ESTABLISHED
 308
 309     ## Allow SSH from safe/noloop to untrusted networks.
 310     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 311             -p tcp --destination-port $port_ssh \
 312             -m mark --mark $to_untrusted/$MASK_TO
 313     run ip46tables -A fwd-spec-nofrag -j ACCEPT \
 314             -p tcp --source-port $port_ssh \
 315             -m mark --mark $from_untrusted/$MASK_FROM \
 316             -m state --state ESTABLISHED
 317
 318     ;;
 319 esac
 320
 321 m4_divert(80)m4_dnl
 322 ###--------------------------------------------------------------------------
 323 ### Kill things we don't understand properly.
 324 ###
 325 ### I don't like having to do this, but since I don't know how to do proper
 326 ### multicast filtering, I'm just going to ban it from being forwarded.
 327
 328 errorchain poorly-understood REJECT
 329
 330 ## Ban multicast destination addresses in forwarding.
 331 case $forward in
 332   1)
 333     run iptables -A FORWARD -g poorly-understood \
 334             -d 224.0.0.0/4
 335     run ip6tables -A FORWARD -g poorly-understood \
 336             -d ff::/8
 337     ;;
 338 esac
 339
 340 m4_divert(82)m4_dnl
 341 ###--------------------------------------------------------------------------
 342 ### Check for source routing.
 343
 344 clearchain check-srcroute
 345
 346 run iptables -A check-srcroute -g forbidden \
 347     -m ipv4options --any --flags lsrr,ssrr
 348 run ip6tables -A check-srcroute -g forbidden \
 349     -m rt
 350
 351 for c in INPUT FORWARD; do
 352   for m in $from_scary $from_untrusted; do
 353     run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
 354   done
 355 done
 356
 357 m4_divert(84)m4_dnl
 358 ###--------------------------------------------------------------------------
 359 ### Locally-bound packet inspection.
 360
 361 clearchain inbound
 362 clearchain inbound-untrusted
 363
 364 ## Track connections.
 365 commonrules inbound
 366 conntrack inbound
 367
 368 ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
 369 ## local request.
 370 run iptables -A inbound -j ACCEPT \
 371         -s 0.0.0.0 -d 255.255.255.255 \
 372         -p udp --source-port $port_bootpc --destination-port $port_bootps
 373 run iptables -A inbound -j ACCEPT \
 374         -s 172.29.198.0/23 \
 375         -p udp --source-port $port_bootpc --destination-port $port_bootps
 376
 377 ## Allow incoming ping.  This is the only ICMP left.
 378 run iptables -A inbound -j ACCEPT -p icmp
 379 run ip6tables -A inbound -j ACCEPT -p icmpv6
 380
 381 m4_divert(88)m4_dnl
 382 ## Allow unusual things.
 383 openports inbound
 384
 385 ## Inspect inbound packets from untrusted sources.
 386 run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
 387 run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
 388 run ip46tables -A inbound-untrusted -g forbidden
 389 run ip46tables -A inbound -g forbidden
 390 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
 391 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 392
 393 ## Allow responses from the scary outside world into the untrusted net, but
 394 ## don't let untrusted things run services.
 395 case $forward in
 396   1)
 397     run ip46tables -A FORWARD -j ACCEPT \
 398         -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
 399         -m state --state ESTABLISHED,RELATED
 400     ;;
 401 esac
 402
 403 ## Otherwise process as indicated by the mark.
 404 for i in $inchains; do
 405   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 406 done
 407
 408 m4_divert(-1)
 409 ###----- That's all, folks --------------------------------------------------