X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/beb4f0eeafb386d83f2593fec489f4291583e08b..06ff80827cd67ab85ee31fc32fc5e740bda9193e:/local.m4 diff --git a/local.m4 b/local.m4 index 69122e2..2d9cacb 100644 --- a/local.m4 +++ b/local.m4 @@ -75,29 +75,29 @@ defnet housebdry virtual ## House hosts. defhost radius router - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe iface eth2 safe iface eth3 untrusted defhost roadstar - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost jem - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost artist - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost vampire router - iface eth0.0 dmz - iface eth0.1 unsafe + iface eth0.0 dmz unsafe + iface eth0.1 dmz unsafe iface eth0.3 untrusted iface dns0 dns iface vpn-+ vpn iface vpn-precision colobdry vpn defhost ibanez - iface br-dmz dmz + iface br-dmz dmz unsafe iface br-unsafe unsafe defhost gibson @@ -118,23 +118,23 @@ defnet colobdry virtual ## Colocated hosts. defhost fender - iface br-jump jump - iface br-colo colo + iface br-jump jump colo + iface br-colo jump colo defhost precision router - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo iface vpn-+ vpn iface vpn-vampire housebdry vpn defhost telecaster - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo defhost stratocaster - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo defhost jazz - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo ## Other networks. defnet hub virtual @@ -148,49 +148,54 @@ m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Special forwarding exemptions. -## Only allow these packets if they're not fragmented. (Don't trust safe -## hosts's fragment reassembly to be robust against malicious fragments.) -## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of -## `! -f', so we do the negation using early return from a subchain. -clearchain fwd-spec-nofrag -run iptables -A fwd-spec-nofrag -j RETURN --fragment -run ip6tables -A fwd-spec-nofrag -j RETURN \ - -m ipv6header --soft --header frag -run iptables -A FORWARD -j fwd-spec-nofrag - -## Allow ping from safe/noloop to untrusted networks. -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p icmp --icmp-type echo-request \ - -m mark --mark $to_untrusted/$MASK_TO -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p icmp --icmp-type echo-reply \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-request \ - -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-reply \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED - -## Allow SSH from safe/noloop to untrusted networks. -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --destination-port $port_ssh \ - -m mark --mark $to_untrusted/$MASK_TO -run iptables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --source-port $port_ssh \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --destination-port $port_ssh \ - -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p tcp --source-port $port_ssh \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED - -m4_divert(60)m4_dnl +case $forward in + 1) + + ## Only allow these packets if they're not fragmented. (Don't trust safe + ## hosts's fragment reassembly to be robust against malicious fragments.) + ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning + ## of `! -f', so we do the negation using early return from a subchain. + clearchain fwd-spec-nofrag + run iptables -A fwd-spec-nofrag -j RETURN --fragment + run ip6tables -A fwd-spec-nofrag -j RETURN \ + -m ipv6header --soft --header frag + run iptables -A FORWARD -j fwd-spec-nofrag + + ## Allow ping from safe/noloop to untrusted networks. + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-request \ + -m mark --mark $to_untrusted/$MASK_TO + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-reply \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p ipv6-icmp --icmpv6-type echo-request \ + -m mark --mark $to_untrusted/$MASK_TO + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p ipv6-icmp --icmpv6-type echo-reply \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + + ## Allow SSH from safe/noloop to untrusted networks. + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --destination-port $port_ssh \ + -m mark --mark $to_untrusted/$MASK_TO + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --source-port $port_ssh \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --destination-port $port_ssh \ + -m mark --mark $to_untrusted/$MASK_TO + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --source-port $port_ssh \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + + ;; +esac + m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Kill things we don't understand properly. @@ -201,10 +206,14 @@ m4_divert(80)m4_dnl errorchain poorly-understood REJECT ## Ban multicast destination addresses in forwarding. -run iptables -A FORWARD -g poorly-understood \ - -d 224.0.0.0/4 -run ip6tables -A FORWARD -g poorly-understood \ - -d ff::/8 +case $forward in + 1) + run iptables -A FORWARD -g poorly-understood \ + -d 224.0.0.0/4 + run ip6tables -A FORWARD -g poorly-understood \ + -d ff::/8 + ;; +esac m4_divert(84)m4_dnl ###-------------------------------------------------------------------------- @@ -228,18 +237,18 @@ run iptables -A inbound -j ACCEPT \ ## Incoming multicast on a network interface associated with a trusted ## network is OK, since it must have originated there (or been forwarded, but ## we don't do that yet). -for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do - echo $i -done | { - seen=: - while read i; do - case "$seen" in *:$i:*) continue ;; esac - seen=$seen$i: +seen=:-: +for net in $allnets; do + eval class=\$net_class_$net + case $class in trusted) ;; *) continue ;; esac + for iface in $(net_interfaces FWHOST $net); do + case "$seen" in *:$iface:*) continue ;; esac + seen=$seen$iface: run iptables -A inbound -j ACCEPT \ -s 0.0.0.0 -d 224.0.0.0/24 \ - -i $i + -i $iface done -} +done ## Allow incoming ping. This is the only ICMP left. run ip46tables -A inbound -j ACCEPT -p icmp @@ -253,9 +262,12 @@ run ip46tables -A inbound -j forbidden run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound ## Otherwise process as indicated by the mark. -for i in INPUT FORWARD; do - run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT -done +run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT +case $forward in + 1) + run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT + ;; +esac m4_divert(-1) ###----- That's all, folks --------------------------------------------------