### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers, "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
m4_divert(-1)

###--------------------------------------------------------------------------
### Packet classification.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
  addr 62.49.204.144/28
  forwards unsafe untrusted
defnet unsafe trusted
  addr 172.29.199.0/25
  forwards househub
defnet safe safe
  addr 172.29.199.192/28
  forwards househub
defnet untrusted untrusted
  addr 172.29.198.0/25
  forwards househub
defnet vpn safe
  addr 172.29.199.128/27
  forwards househub
  host crybaby 1
  host terror 2
defnet iodine untrusted
  addr 172.29.198.128/28
defnet househub virtual
  forwards housebdry dmz unsafe safe untrusted
defnet housebdry virtual
  forwards househub hub
  noxit dmz

## House hosts.
defhost radius
  router
  iface eth0 dmz
  iface eth1 unsafe
  iface eth2 safe
  iface eth3 untrusted
defhost roadstar
  iface eth0 dmz
  iface eth1 unsafe
defhost jem
  iface eth0 dmz
  iface eth1 unsafe
defhost artist
  iface eth0 dmz
  iface eth1 unsafe
defhost vampire
  router
  iface eth0.0 dmz
  iface eth0.1 unsafe
  iface eth0.3 untrusted
  iface dns0 dns
  iface vpn-+ vpn
  iface vpn-precision colobdry vpn
defhost ibanez
  iface br-dmz dmz
  iface br-unsafe unsafe
defhost gibson
  iface eth0 unsafe

## Colocated networks.
defnet jump trusted
  addr 212.13.198.64/28
  forwards colohub
defnet colo trusted
  addr 172.29.199.176/28
  forwards colohub
defnet colohub virtual
  forwards colobdry jump colo
defnet colobdry virtual
  forwards colohub hub
  noxit jump

## Colocated hosts.
defhost fender
  iface br-jump jump
  iface br-colo colo
defhost precision
  router
  iface eth0 jump
  iface eth1 colo
  iface vpn-+ vpn
  iface vpn-vampire housebdry vpn
defhost telecaster
  iface eth0 jump
  iface eth1 colo
defhost stratocaster
  iface eth0 jump
  iface eth1 colo
defhost jazz
  iface eth0 jump
  iface eth1 colo

## Other networks.
defnet hub virtual
  forwards housebdry colobdry
defnet default untrusted
  addr 62.49.204.144/28
  addr 212.13.198.64/28
  forwards dmz untrusted unsafe jump colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)
    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts' fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain:
    ## fragments leave the subchain before any ACCEPT rule can match them.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
      -m ipv6header --soft --header frag
    ## Jump into the subchain for both address families; the ip6tables rules
    ## above would otherwise never be reached.
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
      -p icmp --icmp-type echo-request \
      -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
      -p icmp --icmp-type echo-reply \
      -m mark --mark $from_untrusted/$MASK_FROM \
      -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
      -p ipv6-icmp --icmpv6-type echo-request \
      -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
      -p ipv6-icmp --icmpv6-type echo-reply \
      -m mark --mark $from_untrusted/$MASK_FROM \
      -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
      -p tcp --destination-port $port_ssh \
      -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
      -p tcp --source-port $port_ssh \
      -m mark --mark $from_untrusted/$MASK_FROM \
      -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
      -p tcp --destination-port $port_ssh \
      -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
      -p tcp --source-port $port_ssh \
      -m mark --mark $from_untrusted/$MASK_FROM \
      -m state --state ESTABLISHED
    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.  (The IPv6 multicast
## prefix is ff00::/8; `ff::/8' parses as 00ff::/8 and matches nothing
## useful.)
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
      -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
      -d ff00::/8
    ;;
esac

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
  -s 0.0.0.0 -d 255.255.255.255 \
  -p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
  -s 172.29.198.0/23 \
  -p udp --source-port $port_bootpc --destination-port $port_bootps

## Incoming multicast on a network interface associated with a trusted
## network is OK, since it must have originated there (or been forwarded, but
## we don't do that yet).  An interface may belong to several of these
## classes, so emit each interface's rule only once.
for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
  echo $i
done | {
  seen=:
  while read i; do
    case "$seen" in *:$i:*) continue ;; esac
    seen=$seen$i:
    run iptables -A inbound -j ACCEPT \
      -s 0.0.0.0 -d 224.0.0.0/24 \
      -i $i
  done
}

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
case $forward in
  1)
    run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
    ;;
esac
m4_divert(-1)

###----- That's all, folks --------------------------------------------------
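The two workarounds in this configuration, the "negate `! -f` by returning early from a subchain" trick in the forwarding exemptions and the multicast ban with the corrected IPv6 prefix, can be checked without touching a live ruleset. The following script is an added example, not part of the firewall configuration or of its framework: `run` here only records the command line it is given (the framework's `run` executes it), and `ip46tables` is a stub that emits the iptables and ip6tables forms of a rule; chain and port names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not part of the original firewall configuration).
# Dry-run model of the rule ordering behind the fwd-spec-nofrag trick and
# the forwarded-multicast ban.  `run' records commands instead of running
# them, so the ordering invariants can be inspected on any machine.

RULES=""                       # newline-separated record of emitted commands

# Stub for the framework's `run': append the command line to the record.
run () {
  RULES="${RULES}$*
"
}

# Stub for the framework's `ip46tables': same rule for both families.
ip46tables () {
  run iptables "$@"
  run ip6tables "$@"
}

# Build CHAIN so that fragments RETURN to the caller before any ACCEPT rule
# is reached.  This is the early-return negation used instead of `! -f'.
nofrag_subchain () {
  chain=$1
  run iptables -N "$chain"
  run ip6tables -N "$chain"
  run iptables -A "$chain" -j RETURN --fragment
  run ip6tables -A "$chain" -j RETURN -m ipv6header --soft --header frag
  ip46tables -A FORWARD -j "$chain"           # both families must jump in
}

# Allow a TCP service (to PORT, and its replies) via CHAIN.  Only
# unfragmented packets get this far, because of the RETURN rules above.
allow_tcp_port () {
  chain=$1 port=$2
  ip46tables -A "$chain" -j ACCEPT -p tcp --destination-port "$port"
  ip46tables -A "$chain" -j ACCEPT -p tcp --source-port "$port" \
    -m state --state ESTABLISHED
}

# Refuse to forward multicast.  224.0.0.0/4 is IPv4 multicast; the IPv6
# multicast prefix is ff00::/8 (`ff::/8' would parse as 00ff::/8).
ban_forwarded_multicast () {
  run iptables -A FORWARD -g poorly-understood -d 224.0.0.0/4
  run ip6tables -A FORWARD -g poorly-understood -d ff00::/8
}

# Number of rules appended to CHAIN for TOOL (iptables or ip6tables).
rule_count () {
  printf '%s' "$RULES" | grep -c "^$1 -A $2 "
}

# Succeed if the first rule appended to CHAIN for TOOL is the fragment
# RETURN, i.e. the negation takes effect before any ACCEPT can match.
fragments_return_first () {
  tool=$1 chain=$2
  first=$(printf '%s' "$RULES" | grep "^$tool -A $chain " | head -n 1)
  case $first in
    *"-j RETURN"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Assemble the example ruleset: subchain, one service through it, and the
# multicast ban.  Port 22 is a constructed stand-in for $port_ssh.
build_example () {
  RULES=""
  nofrag_subchain fwd-spec-nofrag
  allow_tcp_port fwd-spec-nofrag 22
  ban_forwarded_multicast
}

build_example
printf '%s' "$RULES"
```

Running the script prints the recorded command lines in order; `fragments_return_first` is the property that makes the workaround sound, and it must hold for each address family separately, which is why the jump into the subchain has to be made with `ip46tables` rather than `iptables` alone.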