## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
+defnetclass untrusted untrusted mcast
+
+defnetclass link
+defnetclass mcast
m4_divert(-1)
m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.
-## House networks.
-defnet dmz trusted
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
- forwards unsafe untrusted
-defnet unsafe trusted
- addr 172.29.199.0/25 2001:470:9740:1::/64
- forwards househub
-defnet safe safe
- addr 172.29.199.192/27 2001:470:9740:4001::/64
- forwards househub
-defnet untrusted untrusted
- addr 172.29.198.0/25 2001:470:9740:8001::/64
- forwards househub
-defnet vpn safe
- addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
- forwards househub colohub
- host crybaby 1
- host terror 2
-defnet iodine untrusted
- addr 172.29.198.128/28
-
-defnet househub virtual
- forwards housebdry dmz unsafe safe untrusted
-defnet housebdry virtual
- forwards househub hub
- noxit dmz
-
-## House hosts.
-defhost radius
- router
- iface eth0 dmz unsafe safe
- iface eth1 dmz unsafe safe
- iface eth2 safe
- iface eth3 untrusted
-defhost roadstar
- iface eth0 dmz unsafe
- iface eth1 dmz unsafe
-defhost jem
- iface eth0 dmz unsafe
- iface eth1 dmz unsafe
-defhost artist
- iface eth0 dmz unsafe
- iface eth1 dmz unsafe
-defhost vampire
- router
- iface eth0.0 dmz unsafe safe
- iface eth0.1 dmz unsafe safe
- iface eth0.2 safe
- iface eth0.3 untrusted
- iface dns0 dns
- iface vpn-+ vpn
- iface vpn-precision colobdry vpn
-defhost ibanez
- iface br-dmz dmz unsafe
- iface br-unsafe unsafe
-
-defhost gibson
- iface eth0 unsafe
+defnet default untrusted
-## Colocated networks.
-defnet jump trusted
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- forwards colohub
-defnet colo trusted
- addr 172.29.199.176/28 2001:ba8:1d9:2::/64
- forwards colohub
-defnet colohub virtual
- forwards colobdry jump colo
-defnet colobdry virtual
- forwards colohub hub
- noxit jump
+## Hosts.
+defhost jaguar
+ iface eth0 default
-## Colocated hosts.
-defhost fender
- iface br-jump jump colo
- iface br-colo jump colo
-defhost precision
- router
- iface eth0 jump colo
- iface eth1 jump colo
- iface vpn-+ vpn
- iface vpn-vampire housebdry vpn
-defhost telecaster
- iface eth0 jump colo
- iface eth1 jump colo
-defhost stratocaster
- iface eth0 jump colo
- iface eth1 jump colo
-defhost jazz
- iface eth0 jump colo
- iface eth1 jump colo
+m4_divert(80)m4_dnl
+###--------------------------------------------------------------------------
+### Connection tracking helper modules.
-## Other networks.
-defnet hub virtual
- forwards housebdry colobdry
-defnet default untrusted
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- addr 2001:ba8:1d9::/48 #temporary
- forwards dmz untrusted unsafe jump colo
+for i in ftp; do
+ modprobe nf_conntrack_$i
+done
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
-m ipv6header --soft --header frag
- run iptables -A FORWARD -j fwd-spec-nofrag
+ run ip46tables -A FORWARD -j fwd-spec-nofrag
## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
- run iptables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
- run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
-## Incoming multicast on a network interface associated with a trusted
-## network is OK, since it must have originated there (or been forwarded, but
-## we don't do that yet).
-seen=:-:
-for net in $allnets; do
- eval class=\$net_class_$net
- case $class in trusted) ;; *) continue ;; esac
- for iface in $(net_interfaces FWHOST $net); do
- case "$seen" in *:$iface:*) continue ;; esac
- seen=$seen$iface:
- run iptables -A inbound -j ACCEPT \
- -s 0.0.0.0 -d 224.0.0.0/24 \
- -i $iface
- done
-done
-
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $to_untrusted/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
+
## Otherwise process as indicated by the mark.
for i in $inchains; do
run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT