X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/c1c877c2eeabab5614c10a3870494d7f4ec271e7..994ac8d0782c89a636f47b02a2dc096c72ff58c5:/bookends.m4 diff --git a/bookends.m4 b/bookends.m4 index ed5dcc7..1004b76 100644 --- a/bookends.m4 +++ b/bookends.m4 @@ -28,14 +28,78 @@ m4_divert(30)m4_dnl ## The main chains: set policy to drop, and then clear the rules. For a ## while, incoming packets will be silently dropped, but we should have got ## everything going before anyone actually hits a timeout. -for t in mangle filter; do - for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do - run ip46tables -t $t -P $i DROP 2>/dev/null || : - run ip46tables -t $t -F $i 2>/dev/null || : +## +## We don't control some of the chains, so we should preserve them. This +## introduces a whole bunch of problems. + +## Chains we're meant to preserve +preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains" + +## Take the various IP versions in turn. +unref=nil +for ip in ip ip6; do + if [ "$FW_NOACT" ]; then break; fi + + for table in $(cat /proc/net/${ip}_tables_names); do + + ## Step 1: clear out the builtin chains. + ${ip}tables -nL -t $table | + sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | + while read chain; do + case $table in + nat) policy=ACCEPT ;; + *) policy=DROP ;; + esac + run ${ip}tables -t $table -P $chain $policy + run ${ip}tables -t $table -F $chain + done + + ## Step 2: clear out user chains. Unfortunately, we can only clear + ## chains which have no references to them, so work through picking off + ## unreferenced chains which aren't meant to be preserved until there are + ## none left. + while :; do + progress=nil + ${ip}tables -nL -t $table | + sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \ + >/var/run/firewall-chains.tmp + while read chain; do + match=nil + for pat in $preserve_chains; do + case "$table:$chain" in $pat) match=t ;; esac + done + case $match in + nil) + run ${ip}tables -t $table -F $chain + run ${ip}tables -t $table -X $chain + progress=t + ;; + esac + done /var/run/firewall-chains.tmp + while read chain refs; do + match=nil + for pat in $preserve_chains; do + case "$table:$chain" in $pat) match=t ;; esac + done + case $match in + nil) + echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'" + unref=t + ;; + esac + done FWHOST in + router) forward=1 host=0 ;; + server) forward=0 host=0 ;; + client) forward=0 host=1 ;; +esac setopt ip_forward $forward setdevopt forwarding $forward +for i in \ + accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \ + accept_redirects +do + setdevopt $i $host +done +case $forward in + 0) inchains="INPUT" ;; + 1) inchains="INPUT FORWARD" ;; +esac ## Set dynamic port allocation. setopt ip_local_port_range $open_port_min $open_port_max @@ -58,22 +137,24 @@ setopt icmp_echo_ignore_broadcasts 0 ## Turn off iptables filtering for bridges. We'll use ebtables if we need ## to; but right now the model is that we do filtering at the borders, and ## are tolerant of things which are local. -if [ -x /sbin/brctl ]; then +if [ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]; then modprobe bridge || : - if [ -d /proc/sys/net/bridge ]; then - for filter in arptables iptables ip6tables; do - run sysctl -q net.bridge.bridge-nf-call-$filter=0 - done - fi +fi +if [ -d /proc/sys/net/bridge ]; then + for filter in arptables iptables ip6tables; do + run sysctl -q net.bridge.bridge-nf-call-$filter=0 + done fi -## Turn on the reverse-path filter, and log weird things. -setdevopt rp_filter $rp_filter -setdevopt log_martians $log_martians +## Turn off the reverse-path filter. It's basically useless: the filter does +## nothing at all for single-homed hosts; and multi-homed hosts tend to have +## routing aysmmetries if there's any kind of cycle. +setdevopt rp_filter 0 +setdevopt log_martians 0 ## Turn off things which can mess with our routing decisions. setdevopt accept_source_route 0 -setdevopt accept_redirects 0 +setdevopt secure_redirects 1 ## If we're maent to stop the firewall, then now is the time to do it. $exit_after_clearing @@ -96,15 +177,19 @@ errorchain bad-source-address DROP ## Packet arrived on wrong interface for its source address. Drops the ## packet, since there's nowhere sensible to send an error. +errorchain dns-rate-limit DROP +## Dropped incoming DNS query due to rate limiting. The source address is +## suspicious, so don't produce ICMP. + errorchain bad-destination-address REJECT ## Packet arrived on non-loopback interface with loopback destination. errorchain interesting ACCEPT ## Not an error, just log interesting packets. -m4_divert(36)m4_dnl +m4_divert(50)m4_dnl ###-------------------------------------------------------------------------- -### Standard loopback stuff. +### Standard filtering. ## Don't clobber local traffic run ip46tables -A INPUT -i lo -j ACCEPT @@ -117,26 +202,40 @@ run ip6tables -A INPUT -g bad-destination-address \ -d ::1 ## We shouldn't be asked to forward things with link-local addresses. -run iptables -A FORWARD -g bad-source-address \ - -s 169.254.0.0/16 -run iptables -A FORWARD -g bad-destination-address \ - -d 169.254.0.0/16 -run ip6tables -A FORWARD -g bad-source-address \ - -s fe80::/10 -run ip6tables -A FORWARD -g bad-destination-address \ - -d fe80::/10 +case $forward in + 1) + run iptables -A FORWARD -g bad-source-address \ + -s 169.254.0.0/16 + run iptables -A FORWARD -g bad-destination-address \ + -d 169.254.0.0/16 + run ip6tables -A FORWARD -g bad-source-address \ + -s fe80::/10 + run ip6tables -A FORWARD -g bad-destination-address \ + -d fe80::/10 + ;; +esac ## Also, don't forward link-local broadcast or multicast. -run iptables -A FORWARD -g bad-destination-address \ - -d 255.255.255.255 -run iptables -A FORWARD -g bad-destination-address \ - -m addrtype --dst-type BROADCAST -run iptables -A FORWARD -g bad-destination-address \ - -d 224.0.0.0/24 -for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do - run ip6tables -A FORWARD -g bad-destination-address \ - -d fe${x}2::/16 -done +case $forward in + 1) + run iptables -A FORWARD -g bad-destination-address \ + -d 255.255.255.255 + run iptables -A FORWARD -g bad-destination-address \ + -m addrtype --dst-type BROADCAST + run iptables -A FORWARD -g bad-destination-address \ + -d 224.0.0.0/24 + clearchain check-fwd-multi + for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do + run ip6tables -A check-fwd-multi -g bad-destination-address \ + -d ff${x}2::/16 + done + run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8 + ;; +esac + +## Add a hook for fail2ban. +clearchain fail2ban +run ip46tables -A INPUT -j fail2ban m4_divert(90)m4_dnl ###-------------------------------------------------------------------------- @@ -151,5 +250,29 @@ for chain in INPUT FORWARD; do run ip46tables -A $chain -g forbidden done +## Allow stuff through unknown tables. +for ip in ip ip6; do + for table in $(cat /proc/net/${ip}_tables_names); do + case $table in mangle | filter) continue ;; esac + ${ip}tables -nL -t $table | + sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | + while read chain; do + run ${ip}tables -t $table -P $chain ACCEPT + done + done +done + +## Dump the resulting configuration. +if [ "$FW_DEBUG" ]; then + for ip in ip ip6; do + for table in mangle filter; do + echo "----- $ip $table -----" + echo + ${ip}tables -t $table -nvL + echo + done + done +fi + m4_divert(-1) ###----- That's all, folks --------------------------------------------------