Determine forwarding and reverse-path filtering from host definitions.

[firewall] / bookends.m4

diff --git a/bookends.m4 b/bookends.m4
index b51f8ae..6caad93 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -105,6 +105,10 @@ m4_divert(32)m4_dnl
 
 ## Set forwarding options.  Apparently setting ip_forward clobbers other
 ## settings, so put this first.
+case $host_type_<::>FWHOST in
+  router) forward=1 ;;
+  *) forward=0 ;;
+esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
 
@@ -129,9 +133,11 @@ if [ -x /sbin/brctl ]; then
   fi
 fi
 
-## Turn on the reverse-path filter, and log weird things.
-setdevopt rp_filter $rp_filter
-setdevopt log_martians $log_martians
+## Turn off the reverse-path filter.  It's basically useless: the filter does
+## nothing at all for single-homed hosts; and multi-homed hosts tend to have
+## routing aysmmetries if there's any kind of cycle.
+setdevopt rp_filter 0
+setdevopt log_martians 0
 
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0
@@ -164,7 +170,7 @@ errorchain bad-destination-address REJECT
 errorchain interesting ACCEPT
 ## Not an error, just log interesting packets.
 
-m4_divert(36)m4_dnl
+m4_divert(50)m4_dnl
 ###--------------------------------------------------------------------------
 ### Standard filtering.
 
@@ -179,26 +185,34 @@ run ip6tables -A INPUT -g bad-destination-address \
        -d ::1
 
 ## We shouldn't be asked to forward things with link-local addresses.
-run iptables -A FORWARD -g bad-source-address \
-       -s 169.254.0.0/16
-run iptables -A FORWARD -g bad-destination-address \
-       -d 169.254.0.0/16
-run ip6tables -A FORWARD -g bad-source-address \
-       -s fe80::/10
-run ip6tables -A FORWARD -g bad-destination-address \
-       -d fe80::/10
+case $forward in
+  1)
+    run iptables -A FORWARD -g bad-source-address \
+           -s 169.254.0.0/16
+    run iptables -A FORWARD -g bad-destination-address \
+           -d 169.254.0.0/16
+    run ip6tables -A FORWARD -g bad-source-address \
+           -s fe80::/10
+    run ip6tables -A FORWARD -g bad-destination-address \
+           -d fe80::/10
+    ;;
+esac
 
 ## Also, don't forward link-local broadcast or multicast.
-run iptables -A FORWARD -g bad-destination-address \
-       -d 255.255.255.255
-run iptables -A FORWARD -g bad-destination-address \
-       -m addrtype --dst-type BROADCAST
-run iptables -A FORWARD -g bad-destination-address \
-       -d 224.0.0.0/24
-for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
-  run ip6tables -A FORWARD -g bad-destination-address \
-       -d fe${x}2::/16
-done
+case $forward in
+  1)
+    run iptables -A FORWARD -g bad-destination-address \
+           -d 255.255.255.255
+    run iptables -A FORWARD -g bad-destination-address \
+           -m addrtype --dst-type BROADCAST
+    run iptables -A FORWARD -g bad-destination-address \
+           -d 224.0.0.0/24
+    for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+      run ip6tables -A FORWARD -g bad-destination-address \
+           -d fe${x}2::/16
+    done
+    ;;
+esac
 
 ## Add a hook for fail2ban.
 clearchain fail2ban
@@ -217,5 +231,17 @@ for chain in INPUT FORWARD; do
   run ip46tables -A $chain -g forbidden
 done
 
+## Allow stuff through unknown tables.
+for ip in ip ip6; do
+  for table in $(cat /proc/net/${ip}_tables_names); do
+    case $table in mangle | filter) continue ;; esac
+    ${ip}tables -nL -t $table |
+    sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
+    while read chain; do
+      run ${ip}tables -t $table -P $chain ACCEPT
+    done
+  done
+done
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------