### -*-sh-*-
###
### Initialization and finishing touches for firewall scripts
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

m4_divert(30)m4_dnl
###--------------------------------------------------------------------------
### Clear existing firewall rules.

## The main chains: set policy to drop, and then clear the rules.  For a
## while, incoming packets will be silently dropped, but we should have got
## everything going before anyone actually hits a timeout.
for t in mangle filter; do
  for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    run ip46tables -t $t -P $i DROP 2>/dev/null || :
    run ip46tables -t $t -F $i 2>/dev/null || :
  done
  run ip46tables -t $t -F
  run ip46tables -t $t -X
done

m4_divert(32)m4_dnl
###--------------------------------------------------------------------------
### Set safe IP options.

## Set forwarding options.  Apparently setting ip_forward clobbers other
## settings, so put this first.
setopt ip_forward $forward
setdevopt forwarding $forward

## Set dynamic port allocation.
setopt ip_local_port_range $open_port_min $open_port_max

## Deploy SYN-cookies if necessary.
setopt tcp_syncookies 1

## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
setopt icmp_echo_ignore_broadcasts 0

## Turn off iptables filtering for bridges.  We'll use ebtables if we need
## to; but right now the model is that we do filtering at the borders, and
## are tolerant of things which are local.
if [ -x /sbin/brctl ]; then
  modprobe bridge || :
  if [ -d /proc/sys/net/bridge ]; then
    for filter in arptables iptables ip6tables; do
      run sysctl -q net.bridge.bridge-nf-call-$filter=0
    done
  fi
fi

## Turn on the reverse-path filter, and log weird things.
setdevopt rp_filter $rp_filter
setdevopt log_martians $log_martians

## Turn off things which can mess with our routing decisions.
setdevopt accept_source_route 0
setdevopt accept_redirects 0

## If we're maent to stop the firewall, then now is the time to do it.
$exit_after_clearing

m4_divert(34)m4_dnl
###--------------------------------------------------------------------------
### Establish error chains.

errorchain forbidden REJECT
## Generic `not allowed' chain.

errorchain tcp-fragment REJECT
## Chain for logging fragmented TCP segements.

errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
## Bad TCP segments (e.g., for unknown connections).  Sends a TCP reset.

errorchain mangle:bad-source-address DROP
errorchain bad-source-address DROP
## Packet arrived on wrong interface for its source address.  Drops the
## packet, since there's nowhere sensible to send an error.

errorchain bad-destination-address REJECT
## Packet arrived on non-loopback interface with loopback destination.

errorchain interesting ACCEPT
## Not an error, just log interesting packets.

m4_divert(36)m4_dnl
###--------------------------------------------------------------------------
### Standard filtering.

## Don't clobber local traffic
run ip46tables -A INPUT -i lo -j ACCEPT

## We really shouldn't see packets destined for localhost on any interface
## other than the loopback.
run iptables -A INPUT -g bad-destination-address \
	-d 127.0.0.0/8
run ip6tables -A INPUT -g bad-destination-address \
	-d ::1

## We shouldn't be asked to forward things with link-local addresses.
run iptables -A FORWARD -g bad-source-address \
	-s 169.254.0.0/16
run iptables -A FORWARD -g bad-destination-address \
	-d 169.254.0.0/16
run ip6tables -A FORWARD -g bad-source-address \
	-s fe80::/10
run ip6tables -A FORWARD -g bad-destination-address \
	-d fe80::/10

## Also, don't forward link-local broadcast or multicast.
run iptables -A FORWARD -g bad-destination-address \
	-d 255.255.255.255
run iptables -A FORWARD -g bad-destination-address \
	-m addrtype --dst-type BROADCAST
run iptables -A FORWARD -g bad-destination-address \
	-d 224.0.0.0/24
for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
  run ip6tables -A FORWARD -g bad-destination-address \
	-d fe${x}2::/16
done

## Add a hook for fail2ban.
clearchain fail2ban
run ip46tables -A INPUT -j fail2ban

m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
### Finishing touches.

m4_divert(94)m4_dnl
## Locally generated packets are all OK.
run ip46tables -P OUTPUT ACCEPT

## Other incoming things are forbidden.
for chain in INPUT FORWARD; do
  run ip46tables -A $chain -g forbidden
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------