X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/0291d6d55d3dc38a12d61abc007dda5cc3aa5110..3a68f6887e27cd5e9369a9c421e417e59acef08b:/local.m4 diff --git a/local.m4 b/local.m4 index 5e27449..f6b5f46 100644 --- a/local.m4 +++ b/local.m4 @@ -1,4 +1,4 @@ -### -*-m4-*- +### -*-sh-*- ### ### Local firewall configuration ### @@ -51,46 +51,70 @@ defiface $if_trusted \ safe:172.29.199.64/27 \ untrusted:default +## Default NTP servers. +ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232" + m4_divert(60)m4_dnl ###-------------------------------------------------------------------------- ### Special forwarding exemptions. +## Only allow these packets if they're not fragmented. (Don't trust safe +## hosts's fragment reassembly to be robust against malicious fragments.) +## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of +## `! -f', so we do the negation using early return from a subchain. +clearchain fwd-spec-nofrag +run iptables -A fwd-spec-nofrag -j RETURN --fragment +run ip6tables -A fwd-spec-nofrag -j RETURN \ + -m ipv6header --soft --header frag +run iptables -A FORWARD -j fwd-spec-nofrag + ## Allow ping from safe/noloop to untrusted networks. -run iptables -A FORWARD -j ACCEPT \ - -p icmp ! -f --icmp-type echo-request \ +run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-request \ -m mark --mark $to_untrusted/$MASK_TO -run iptables -A FORWARD -j ACCEPT \ - -p icmp ! -f --icmp-type echo-reply \ +run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-reply \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED -run ip6tables -A FORWARD -j ACCEPT \ +run ip6tables -A fwd-spec-nofrag -j ACCEPT \ -p ipv6-icmp --icmpv6-type echo-request \ - -m ipv6header --soft ! --header frag \ -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A FORWARD -j ACCEPT \ +run ip6tables -A fwd-spec-nofrag -j ACCEPT \ -p ipv6-icmp --icmpv6-type echo-reply \ - -m ipv6header --soft ! --header frag \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED ## Allow SSH from safe/noloop to untrusted networks. -run iptables -A FORWARD -j ACCEPT \ - -p tcp ! -f --destination-port $port_ssh \ +run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --destination-port $port_ssh \ -m mark --mark $to_untrusted/$MASK_TO -run iptables -A FORWARD -j ACCEPT \ - -p tcp ! -f --source-port $port_ssh \ +run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --source-port $port_ssh \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED -run ip6tables -A FORWARD -j ACCEPT \ +run ip6tables -A fwd-spec-nofrag -j ACCEPT \ -p tcp --destination-port $port_ssh \ - -m ipv6header --soft ! --header frag \ -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A FORWARD -j ACCEPT \ +run ip6tables -A fwd-spec-nofrag -j ACCEPT \ -p tcp --source-port $port_ssh \ - -m ipv6header --soft ! --header frag \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED +m4_divert(60)m4_dnl +###-------------------------------------------------------------------------- +### Kill things we don't understand properly. +### +### I don't like having to do this, but since I don't know how to do proper +### multicast filtering, I'm just going to ban it from being forwarded. + +errorchain poorly-understood REJECT + +## Ban multicast destination addresses in forwarding. +run iptables -A FORWARD -g poorly-understood \ + -d 224.0.0.0/4 +run ip6tables -A FORWARD -g poorly-understood \ + -d ff::/8 + m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Locally-bound packet inspection. @@ -110,6 +134,13 @@ run iptables -A inbound -j ACCEPT \ -s 172.29.198.0/23 \ -p udp --source-port $port_bootpc --destination-port $port_bootps +## Incoming broadcast multicast on a network interface associated with the +## trusted network is OK, since it must have originated there (or been +## forwarded, but we don't do that yet). +run iptables -A inbound -j ACCEPT \ + -s 0.0.0.0 -d 224.0.0.0/24 \ + -i $if_trusted + ## Allow incoming ping. This is the only ICMP left. run ip46tables -A inbound -j ACCEPT -p icmp