X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/1a42af95515f1f6920f0ba2b45576278bbc2c8cf..4f8c198960217f631e0fcb20e8615fc93c3d1da2:/fender.m4 diff --git a/fender.m4 b/fender.m4 index a6c7362..b9ce79f 100644 --- a/fender.m4 +++ b/fender.m4 @@ -33,5 +33,55 @@ allowservices inbound tcp \ ## We have to provide NTP service. The guests sync to our clock. ntpclient inbound $ntp_servers +## Guaranteed black hole. Put this at the very front of the chain. +run iptables -I INPUT -d 212.13.198.78 -j DROP +run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP + +## Ethernet bridge-level filtering for source addresses. +run ebtables -F +for i in log limit ip ip6; do run modprobe ebt-$i; done + +for c in bad-source-addr check-eth0 bcp38 check-bcp38; do + run ebtables -X $c >/dev/null 2>&1 || : +done + +for ch in bad-source-addr bcp38; do + run ebtables -N $ch + run ebtables -A $ch \ + --limit 20/second --limit-burst 100 \ + --log-prefix "fw: $ch(br)" --log-ip --log-ip6 + run ebtables -A $ch -j DROP +done + +run ebtables -N check-eth0 +run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28 +run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1 +run ebtables -A check-eth0 -j bad-source-addr \ + -p ip6 --ip6-source 2001:ba8:1d9::/48 +run ebtables -A check-eth0 -j bad-source-addr \ + -p ip6 --ip6-source 2001:ba8:0:1d9::/64 +run ebtables -A check-eth0 -j RETURN -p ip6 +run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30 +run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68 +run ebtables -A check-eth0 -j bad-source-addr -p ip +run ebtables -A INPUT -j check-eth0 -i bond0 +run ebtables -A FORWARD -j check-eth0 -i bond0 + +run ebtables -N check-bcp38 +run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28 +run ebtables -A check-bcp38 -j bcp38 -p ip +run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64 +run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48 +run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10 +run ebtables -A check-bcp38 -j bcp38 -p ip6 +run ebtables -A FORWARD -j check-bcp38 -o bond0 + +## There's a hideous bug in Linux' 3.2.51-1's ebtables: for some reason it +## misparses (at least) locally originated multicast packets, and tries to +## extract IP header fields relative to the start of the Ethernet frame. The +## result is obviously a hideous mess. Don't try to do BCP38 checking for +## locally originated packets until this is fixed. +##run ebtables -A OUTPUT -j check-bcp38 -o bond0 + m4_divert(-1) ###----- That's all, folks --------------------------------------------------