## House networks.
defnet dmz trusted
- addr 62.49.204.144/28
+ addr 62.49.204.144/28 2001:470:1f09:1b98::/64
forwards unsafe untrusted
defnet unsafe trusted
- addr 172.29.199.0/25
+ addr 172.29.199.0/25 2001:470:9740:1::/64
forwards househub
defnet safe safe
- addr 172.29.199.192/28
+ addr 172.29.199.192/27 2001:470:9740:4001::/64
forwards househub
defnet untrusted untrusted
- addr 172.29.198.0/25
+ addr 172.29.198.0/25 2001:470:9740:8001::/64
forwards househub
defnet vpn safe
- addr 172.29.199.128/27
- forwards househub
+ addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
+ forwards househub colohub
host crybaby 1
host terror 2
defnet iodine untrusted
## House hosts.
defhost radius
router
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe safe
+ iface eth1 dmz unsafe safe
iface eth2 safe
iface eth3 untrusted
defhost roadstar
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
defhost jem
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
defhost artist
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
defhost vampire
router
- iface eth0.0 dmz
- iface eth0.1 unsafe
+ iface eth0.0 dmz unsafe safe
+ iface eth0.1 dmz unsafe safe
+ iface eth0.2 safe
iface eth0.3 untrusted
iface dns0 dns
iface vpn-+ vpn
iface vpn-precision colobdry vpn
defhost ibanez
- iface br-dmz dmz
+ iface br-dmz dmz unsafe
iface br-unsafe unsafe
defhost gibson
## Colocated networks.
defnet jump trusted
- addr 212.13.198.64/28
+ addr 212.13.198.64/28 2001:ba8:0:1d9::/64
forwards colohub
defnet colo trusted
- addr 172.29.199.176/28
+ addr 172.29.199.176/28 2001:ba8:1d9:2::/64
forwards colohub
defnet colohub virtual
forwards colobdry jump colo
## Colocated hosts.
defhost fender
- iface br-jump jump
- iface br-colo colo
+ iface br-jump jump colo
+ iface br-colo jump colo
defhost precision
router
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
iface vpn-+ vpn
iface vpn-vampire housebdry vpn
defhost telecaster
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
defhost stratocaster
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
defhost jazz
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
## Other networks.
defnet hub virtual
forwards housebdry colobdry
defnet default untrusted
- addr 62.49.204.144/28
- addr 212.13.198.64/28
+ addr 62.49.204.144/28 2001:470:1f09:1b98::/64
+ addr 212.13.198.64/28 2001:ba8:0:1d9::/64
+ addr 2001:ba8:1d9::/48 #temporary
forwards dmz untrusted unsafe jump colo
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.
-## Only allow these packets if they're not fragmented. (Don't trust safe
-## hosts's fragment reassembly to be robust against malicious fragments.)
-## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
-## `! -f', so we do the negation using early return from a subchain.
-clearchain fwd-spec-nofrag
-run iptables -A fwd-spec-nofrag -j RETURN --fragment
-run ip6tables -A fwd-spec-nofrag -j RETURN \
- -m ipv6header --soft --header frag
-run iptables -A FORWARD -j fwd-spec-nofrag
-
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p icmp --icmp-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p icmp --icmp-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-m4_divert(60)m4_dnl
+case $forward in
+ 1)
+
+ ## Only allow these packets if they're not fragmented. (Don't trust safe
+ ## hosts's fragment reassembly to be robust against malicious fragments.)
+ ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+ ## of `! -f', so we do the negation using early return from a subchain.
+ clearchain fwd-spec-nofrag
+ run iptables -A fwd-spec-nofrag -j RETURN --fragment
+ run ip6tables -A fwd-spec-nofrag -j RETURN \
+ -m ipv6header --soft --header frag
+ run ip46tables -A FORWARD -j fwd-spec-nofrag
+
+ ## Allow ping from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmpv6 --icmpv6-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmpv6 --icmpv6-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ## Allow SSH from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ;;
+esac
+
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
errorchain poorly-understood REJECT
## Ban multicast destination addresses in forwarding.
-run iptables -A FORWARD -g poorly-understood \
- -d 224.0.0.0/4
-run ip6tables -A FORWARD -g poorly-understood \
- -d ff::/8
+case $forward in
+ 1)
+ run iptables -A FORWARD -g poorly-understood \
+ -d 224.0.0.0/4
+ run ip6tables -A FORWARD -g poorly-understood \
+ -d ff::/8
+ ;;
+esac
m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
## Incoming multicast on a network interface associated with a trusted
## network is OK, since it must have originated there (or been forwarded, but
## we don't do that yet).
-for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
- echo $i
-done | {
- seen=:
- while read i; do
- case "$seen" in *:$i:*) continue ;; esac
- seen=$seen$i:
+seen=:-:
+for net in $allnets; do
+ eval class=\$net_class_$net
+ case $class in trusted) ;; *) continue ;; esac
+ for iface in $(net_interfaces FWHOST $net); do
+ case "$seen" in *:$iface:*) continue ;; esac
+ seen=$seen$iface:
run iptables -A inbound -j ACCEPT \
-s 0.0.0.0 -d 224.0.0.0/24 \
- -i $i
+ -i $iface
done
-}
+done
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
+for i in $inchains; do
run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done
~mdw / firewall / blobdiff