m4_divert(46)m4_dnl
## Networks and routing.
+defiface $if_dmz \
+ trusted:62.49.204.144/28 \
+ trusted:172.29.199.0/25 \
+ untrusted:default
+defiface $if_trusted \
+ trusted:172.29.199.0/25 \
+ untrusted:default
+defiface $if_safe safe:172.29.199.192/26
defiface $if_untrusted \
untrusted:172.29.198.0/25
defvpn $if_vpn safe 172.29.199.128/27 \
defiface $if_iodine untrusted:172.29.198.128/28
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24
-defiface $if_trusted \
- trusted:172.29.199.0/26 \
- safe:172.29.199.64/27 \
- untrusted:default
## Default NTP servers.
ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
###--------------------------------------------------------------------------
### Special forwarding exemptions.
+## Only allow these packets if they're not fragmented. (Don't trust safe
+## hosts's fragment reassembly to be robust against malicious fragments.)
+## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
+## `! -f', so we do the negation using early return from a subchain.
+clearchain fwd-spec-nofrag
+run iptables -A fwd-spec-nofrag -j RETURN --fragment
+run ip6tables -A fwd-spec-nofrag -j RETURN \
+ -m ipv6header --soft --header frag
+run iptables -A FORWARD -j fwd-spec-nofrag
+
## Allow ping from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
- -p icmp ! -f --icmp-type echo-request \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
- -p icmp ! -f --icmp-type echo-reply \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-p ipv6-icmp --icmpv6-type echo-request \
- -m ipv6header --soft ! --header frag \
-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-p ipv6-icmp --icmpv6-type echo-reply \
- -m ipv6header --soft ! --header frag \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
- -p tcp ! -f --destination-port $port_ssh \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
- -p tcp ! -f --source-port $port_ssh \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --destination-port $port_ssh \
- -m ipv6header --soft ! --header frag \
-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --source-port $port_ssh \
- -m ipv6header --soft ! --header frag \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
-## Incoming broadcast multicast on a network interface associated with the
-## trusted network is OK, since it must have originated there (or been
-## forwarded, but we don't do that yet).
-run iptables -A inbound -j ACCEPT \
+## Incoming multicast on a network interface associated with a trusted
+## network is OK, since it must have originated there (or been forwarded, but
+## we don't do that yet).
+for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
+ echo $i
+done | {
+ seen=:
+ while read i; do
+ case "$seen" in *:$i:*) continue ;; esac
+ seen=$seen$i:
+ run iptables -A inbound -j ACCEPT \
-s 0.0.0.0 -d 224.0.0.0/24 \
- -i $if_trusted
+ -i $i
+ done
+}
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
~mdw / firewall / blobdiff