### -*-sh-*- ### ### Firewall configuration for fender actual ### ### (c) 2008 Mark Wooding ### ###----- Licensing notice --------------------------------------------------- ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of the GNU General Public License as published by ### the Free Software Foundation; either version 2 of the License, or ### (at your option) any later version. ### ### This program is distributed in the hope that it will be useful, ### but WITHOUT ANY WARRANTY; without even the implied warranty of ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ### GNU General Public License for more details. ### ### You should have received a copy of the GNU General Public License ### along with this program; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- ### fender-specific rules. m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ssh \ ident ## We have to provide NTP service. The guests sync to our clock. ntpclient inbound $ntp_servers ## Provide NTP service to untrusted clients. iptables -A inbound -p udp -j ACCEPT \ --source-port 123 --destination-port 123 \ -s 172.29.198.0/23 ip6tables -A inbound -p udp -j ACCEPT \ --source-port 123 --destination-port 123 \ -s 2001:470:9740::/48 ## Guaranteed black hole. Put this at the very front of the chain. run iptables -I INPUT -d 212.13.198.78 -j DROP run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP ## Ethernet bridge-level filtering for source addresses. run ebtables -F for i in log limit ip ip6; do run modprobe ebt-$i; done for c in bad-source-addr check-eth0 bcp38 check-bcp38; do run ebtables -X $c >/dev/null 2>&1 || : done for ch in bad-source-addr bcp38; do run ebtables -N $ch run ebtables -A $ch \ --limit 20/second --limit-burst 100 \ --log-prefix "fw: $ch(br)" --log-ip --log-ip6 run ebtables -A $ch -j DROP done run ebtables -N check-eth0 run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28 run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1 run ebtables -A check-eth0 -j bad-source-addr \ -p ip6 --ip6-source 2001:ba8:1d9::/48 run ebtables -A check-eth0 -j bad-source-addr \ -p ip6 --ip6-source 2001:ba8:0:1d9::/64 run ebtables -A check-eth0 -j RETURN -p ip6 run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30 run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68 run ebtables -A check-eth0 -j bad-source-addr -p ip run ebtables -A INPUT -j check-eth0 -i bond0 run ebtables -A FORWARD -j check-eth0 -i bond0 run ebtables -N check-bcp38 run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28 run ebtables -A check-bcp38 -j bcp38 -p ip run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48 run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10 run ebtables -A check-bcp38 -j bcp38 -p ip6 run ebtables -A FORWARD -j check-bcp38 -o bond0 ## There's a hideous bug in Linux' 3.2.51-1's ebtables: for some reason it ## misparses (at least) locally originated multicast packets, and tries to ## extract IP header fields relative to the start of the Ethernet frame. The ## result is obviously a hideous mess. Don't try to do BCP38 checking for ## locally originated packets until this is fixed. ##run ebtables -A OUTPUT -j check-bcp38 -o bond0 m4_divert(-1) ###----- That's all, folks --------------------------------------------------