X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/335b2afe384c35ca09f167a5f52172937b8069d4..d8852323c83b301994626d17c936c894d596beaf:/local.m4 diff --git a/local.m4 b/local.m4 index 987cf73..b31b649 100644 --- a/local.m4 +++ b/local.m4 @@ -45,73 +45,157 @@ m4_divert(26)m4_dnl ###-------------------------------------------------------------------------- ### Network layout. -m4_divert(44)m4_dnl -## Network definitions. -defiface $if_dmz \ - trusted:62.49.204.144/28 \ - trusted:172.29.199.0/25 \ - untrusted:default -defiface $if_trusted \ - trusted:172.29.199.0/25 \ - untrusted:default -defiface $if_safe safe:172.29.199.192/26 -defiface $if_untrusted \ - untrusted:172.29.198.0/25 -defvpn $if_vpn safe 172.29.199.128/27 \ - crybaby:172.29.199.129 \ - terror:172.29.199.130 -defiface $if_iodine untrusted:172.29.198.128/28 -defiface $if_its_mz safe:172.29.199.160/30 -defiface $if_its_pi safe:192.168.0.0/24 +## House networks. +defnet dmz trusted + addr 62.49.204.144/28 + forwards unsafe untrusted +defnet unsafe trusted + addr 172.29.199.0/25 + forwards househub +defnet safe safe + addr 172.29.199.192/28 + forwards househub +defnet untrusted untrusted + addr 172.29.198.0/25 + forwards househub +defnet vpn safe + addr 172.29.199.128/27 + forwards househub + host crybaby 1 + host terror 2 +defnet iodine untrusted + addr 172.29.198.128/28 +defnet househub virtual + forwards housebdry dmz unsafe safe untrusted +defnet housebdry virtual + forwards househub hub + noxit dmz + +## House hosts. +defhost radius + router + iface eth0 dmz + iface eth1 unsafe + iface eth2 safe + iface eth3 untrusted +defhost roadstar + iface eth0 dmz + iface eth1 unsafe +defhost jem + iface eth0 dmz + iface eth1 unsafe +defhost artist + iface eth0 dmz + iface eth1 unsafe +defhost vampire + router + iface eth0.0 dmz + iface eth0.1 unsafe + iface eth0.3 untrusted + iface dns0 dns + iface vpn-+ vpn + iface vpn-precision colobdry vpn +defhost ibanez + iface br-dmz dmz + iface br-unsafe unsafe + +defhost gibson + iface eth0 unsafe + +## Colocated networks. +defnet jump trusted + addr 212.13.198.64/28 + forwards colohub +defnet colo trusted + addr 172.29.199.176/28 + forwards colohub +defnet colohub virtual + forwards colobdry jump colo +defnet colobdry virtual + forwards colohub hub + noxit jump + +## Colocated hosts. +defhost fender + iface br-jump jump + iface br-colo colo +defhost precision + router + iface eth0 jump + iface eth1 colo + iface vpn-+ vpn + iface vpn-vampire housebdry vpn +defhost telecaster + iface eth0 jump + iface eth1 colo +defhost stratocaster + iface eth0 jump + iface eth1 colo +defhost jazz + iface eth0 jump + iface eth1 colo + +## Other networks. +defnet hub virtual + forwards housebdry colobdry +defnet default untrusted + addr 62.49.204.144/28 + addr 212.13.198.64/28 + forwards dmz untrusted unsafe jump colo m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Special forwarding exemptions. -## Only allow these packets if they're not fragmented. (Don't trust safe -## hosts's fragment reassembly to be robust against malicious fragments.) -## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of -## `! -f', so we do the negation using early return from a subchain. -clearchain fwd-spec-nofrag -run iptables -A fwd-spec-nofrag -j RETURN --fragment -run ip6tables -A fwd-spec-nofrag -j RETURN \ - -m ipv6header --soft --header frag -run iptables -A FORWARD -j fwd-spec-nofrag - -## Allow ping from safe/noloop to untrusted networks. -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p icmp --icmp-type echo-request \ - -m mark --mark $to_untrusted/$MASK_TO -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p icmp --icmp-type echo-reply \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-request \ - -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-reply \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED - -## Allow SSH from safe/noloop to untrusted networks. -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --destination-port $port_ssh \ - -m mark --mark $to_untrusted/$MASK_TO -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --source-port $port_ssh \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --destination-port $port_ssh \ - -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --source-port $port_ssh \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED - -m4_divert(60)m4_dnl +case $forward in + 1) + + ## Only allow these packets if they're not fragmented. (Don't trust safe + ## hosts's fragment reassembly to be robust against malicious fragments.) + ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning + ## of `! -f', so we do the negation using early return from a subchain. + clearchain fwd-spec-nofrag + run iptables -A fwd-spec-nofrag -j RETURN --fragment + run ip6tables -A fwd-spec-nofrag -j RETURN \ + -m ipv6header --soft --header frag + run iptables -A FORWARD -j fwd-spec-nofrag + + ## Allow ping from safe/noloop to untrusted networks. + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-request \ + -m mark --mark $to_untrusted/$MASK_TO + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-reply \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p ipv6-icmp --icmpv6-type echo-request \ + -m mark --mark $to_untrusted/$MASK_TO + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p ipv6-icmp --icmpv6-type echo-reply \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + + ## Allow SSH from safe/noloop to untrusted networks. + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --destination-port $port_ssh \ + -m mark --mark $to_untrusted/$MASK_TO + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --source-port $port_ssh \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --destination-port $port_ssh \ + -m mark --mark $to_untrusted/$MASK_TO + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --source-port $port_ssh \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + + ;; +esac + m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Kill things we don't understand properly. @@ -122,10 +206,14 @@ m4_divert(80)m4_dnl errorchain poorly-understood REJECT ## Ban multicast destination addresses in forwarding. -run iptables -A FORWARD -g poorly-understood \ - -d 224.0.0.0/4 -run ip6tables -A FORWARD -g poorly-understood \ - -d ff::/8 +case $forward in + 1) + run iptables -A FORWARD -g poorly-understood \ + -d 224.0.0.0/4 + run ip6tables -A FORWARD -g poorly-understood \ + -d ff::/8 + ;; +esac m4_divert(84)m4_dnl ###-------------------------------------------------------------------------- @@ -174,9 +262,12 @@ run ip46tables -A inbound -j forbidden run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound ## Otherwise process as indicated by the mark. -for i in INPUT FORWARD; do - run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT -done +run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT +case $forward in + 1) + run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT + ;; +esac m4_divert(-1) ###----- That's all, folks --------------------------------------------------