### -*-sh-*- ### ### Initialization and finishing touches for firewall scripts ### ### (c) 2008 Mark Wooding ### ###----- Licensing notice --------------------------------------------------- ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of the GNU General Public License as published by ### the Free Software Foundation; either version 2 of the License, or ### (at your option) any later version. ### ### This program is distributed in the hope that it will be useful, ### but WITHOUT ANY WARRANTY; without even the implied warranty of ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ### GNU General Public License for more details. ### ### You should have received a copy of the GNU General Public License ### along with this program; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. m4_divert(30)m4_dnl ###-------------------------------------------------------------------------- ### Clear existing firewall rules. ## The main chains: set policy to drop, and then clear the rules. For a ## while, incoming packets will be silently dropped, but we should have got ## everything going before anyone actually hits a timeout. ## ## We don't control some of the chains, so we should preserve them. This ## introduces a whole bunch of problems. ## Chains we're meant to preserve preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains" ## Take the various IP versions in turn. unref=nil for ip in ip ip6; do if [ "$FW_NOACT" ]; then break; fi for table in $(cat /proc/net/${ip}_tables_names); do ## Step 1: clear out the builtin chains. ${ip}tables -nL -t $table | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | while read chain; do case $table in nat) policy=ACCEPT ;; *) policy=DROP ;; esac run ${ip}tables -t $table -P $chain $policy run ${ip}tables -t $table -F $chain done ## Step 2: clear out user chains. Unfortunately, we can only clear ## chains which have no references to them, so work through picking off ## unreferenced chains which aren't meant to be preserved until there are ## none left. while :; do progress=nil ${ip}tables -nL -t $table | sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \ >/var/run/firewall-chains.tmp while read chain; do match=nil for pat in $preserve_chains; do case "$table:$chain" in $pat) match=t ;; esac done case $match in nil) run ${ip}tables -t $table -F $chain run ${ip}tables -t $table -X $chain progress=t ;; esac done /var/run/firewall-chains.tmp while read chain refs; do match=nil for pat in $preserve_chains; do case "$table:$chain" in $pat) match=t ;; esac done case $match in nil) echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'" unref=t ;; esac done FWHOST in router) forward=1 host=0 ;; server) forward=0 host=0 ;; client) forward=0 host=1 ;; esac setopt ip_forward $forward setdevopt forwarding $forward for i in \ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \ accept_redirects do setdevopt $i $host done case $forward in 0) inchains="INPUT" ;; 1) inchains="INPUT FORWARD" ;; esac ## Set dynamic port allocation. setopt ip_local_port_range $open_port_min $open_port_max ## Deploy SYN-cookies if necessary. setopt tcp_syncookies 1 ## Allow broadcast and multicast ping, because it's a useful diagnostic tool. setopt icmp_echo_ignore_broadcasts 0 ## Turn off iptables filtering for bridges. We'll use ebtables if we need ## to; but right now the model is that we do filtering at the borders, and ## are tolerant of things which are local. if [ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]; then modprobe bridge || : fi if [ -d /proc/sys/net/bridge ]; then for filter in arptables iptables ip6tables; do run sysctl -q net.bridge.bridge-nf-call-$filter=0 done fi ## Turn off the reverse-path filter. It's basically useless: the filter does ## nothing at all for single-homed hosts; and multi-homed hosts tend to have ## routing aysmmetries if there's any kind of cycle. setdevopt rp_filter 0 setdevopt log_martians 0 ## Turn off things which can mess with our routing decisions. setdevopt accept_source_route 0 setdevopt secure_redirects 1 ## If we're maent to stop the firewall, then now is the time to do it. $exit_after_clearing m4_divert(34)m4_dnl ###-------------------------------------------------------------------------- ### Establish error chains. errorchain forbidden REJECT ## Generic `not allowed' chain. errorchain tcp-fragment REJECT ## Chain for logging fragmented TCP segements. errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset ## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset. errorchain mangle:bad-source-address DROP errorchain bad-source-address DROP ## Packet arrived on wrong interface for its source address. Drops the ## packet, since there's nowhere sensible to send an error. errorchain dns-rate-limit DROP ## Dropped incoming DNS query due to rate limiting. The source address is ## suspicious, so don't produce ICMP. errorchain bad-destination-address REJECT ## Packet arrived on non-loopback interface with loopback destination. errorchain interesting ACCEPT ## Not an error, just log interesting packets. m4_divert(50)m4_dnl ###-------------------------------------------------------------------------- ### Standard filtering. ## Don't clobber local traffic run ip46tables -A INPUT -i lo -j ACCEPT ## We really shouldn't see packets destined for localhost on any interface ## other than the loopback. run iptables -A INPUT -g bad-destination-address \ -d 127.0.0.0/8 run ip6tables -A INPUT -g bad-destination-address \ -d ::1 ## We shouldn't be asked to forward things with link-local addresses. case $forward in 1) run iptables -A FORWARD -g bad-source-address \ -s 169.254.0.0/16 run iptables -A FORWARD -g bad-destination-address \ -d 169.254.0.0/16 run ip6tables -A FORWARD -g bad-source-address \ -s fe80::/10 run ip6tables -A FORWARD -g bad-destination-address \ -d fe80::/10 ;; esac ## Also, don't forward link-local broadcast or multicast. case $forward in 1) run iptables -A FORWARD -g bad-destination-address \ -d 255.255.255.255 run iptables -A FORWARD -g bad-destination-address \ -m addrtype --dst-type BROADCAST run iptables -A FORWARD -g bad-destination-address \ -d 224.0.0.0/24 clearchain check-fwd-multi for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do run ip6tables -A check-fwd-multi -g bad-destination-address \ -d ff${x}2::/16 done run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8 ;; esac ## Add a hook for fail2ban. clearchain fail2ban run ip46tables -A INPUT -j fail2ban m4_divert(90)m4_dnl ###-------------------------------------------------------------------------- ### Finishing touches. m4_divert(94)m4_dnl ## Locally generated packets are all OK. run ip46tables -P OUTPUT ACCEPT ## Other incoming things are forbidden. for chain in INPUT FORWARD; do run ip46tables -A $chain -g forbidden done ## Allow stuff through unknown tables. for ip in ip ip6; do for table in $(cat /proc/net/${ip}_tables_names); do case $table in mangle | filter) continue ;; esac ${ip}tables -nL -t $table | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | while read chain; do run ${ip}tables -t $table -P $chain ACCEPT done done done ## Dump the resulting configuration. if [ "$FW_DEBUG" ]; then for ip in ip ip6; do for table in mangle filter; do echo "----- $ip $table -----" echo ${ip}tables -t $table -nvL echo done done fi m4_divert(-1) ###----- That's all, folks --------------------------------------------------