X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/f381cc0ab4290f7f531c747c9c71875a44f440d8..b551adaf68ad28b57d06295fe3eb32deb171f7b7:/bookends.m4
diff --git a/bookends.m4 b/bookends.m4
index 6b4f5f4..6ba2827 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -1,4 +1,4 @@
-### -*-m4-*-
+### -*-sh-*-
 ###
 ### Initialization and finishing touches for firewall scripts
 ###
@@ -30,11 +30,11 @@ m4_divert(30)m4_dnl
 ## everything going before anyone actually hits a timeout.
 for t in mangle filter; do
   for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
-    run iptables -t $t -P $i DROP 2>/dev/null || :
-    run iptables -t $t -F $i 2>/dev/null || :
+    run ip46tables -t $t -P $i DROP 2>/dev/null || :
+    run ip46tables -t $t -F $i 2>/dev/null || :
   done
-  run iptables -t $t -F
-  run iptables -t $t -X
+  run ip46tables -t $t -F
+  run ip46tables -t $t -X
 done
 
 m4_divert(32)m4_dnl
@@ -52,6 +52,13 @@ setopt ip_local_port_range $open_port_min $open_port_max
 ## Deploy SYN-cookies if necessary.
 setopt tcp_syncookies 1
 
+## Turn off iptables filtering for bridges. We'll use ebtables if we need
+## to; but right now the model is that we do filtering at the borders, and
+## are tolerant of things which are local.
+for filter in arptables iptables ip6tables; do
+  run sysctl -q net/bridge/bridge-nf-call-$filter=0
+done
+
 ## Turn on the reverse-path filter, and log weird things.
 setdevopt rp_filter 1
 setdevopt log_martians 1
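Review bot: The `2>/dev/null || :` guard carried onto the new `run ip46tables -t $t -P $i DROP` line now also hides a failure of the IPv6 half alone (no ip6tables binary, or no IPv6 netfilter support in the kernel), so the IPv6 default policies could silently stay at ACCEPT while everything after this loop assumes DROP; the guard is presumably there only to tolerate chains a table does not have (PREROUTING and POSTROUTING in filter). Whether the unguarded `-F`/`-X` calls two lines below catch that case depends on ip46tables propagating the ip6tables exit status, and both ip46tables and run are defined outside this page. An unguarded probe before the loop, e.g. `run ip46tables -t filter -L INPUT -n >/dev/null`, would make a missing IPv6 stack fail loudly rather than fail open.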
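Review bot: The new `run sysctl -q net/bridge/bridge-nf-call-$filter=0` lines assume the keys exist, but they are only present while the kernel's bridge netfilter code is loaded, so on a host without it all three calls fail with an unknown-key error and, depending on what `run` does with a non-zero status (defined outside this page), may abort the firewall load before any rule is installed. `sysctl -e` ignores unknown keys and keeps the intent: `run sysctl -q -e net/bridge/bridge-nf-call-$filter=0`. The comment above the loop should also say that the setting only sticks for a module that is already loaded when this runs; a bridge module loaded later starts from the kernel default of 1 until the script is re-run.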
@@ -67,23 +74,22 @@ m4_divert(34)m4_dnl
 ###--------------------------------------------------------------------------
 ### Establish error chains.
 
-errorchain forbidden REJECT --reject-with icmp-host-prohibited
-## Generic `not allowed' chain. Rejects with ICMP host-prohibited.
+errorchain forbidden REJECT
+## Generic `not allowed' chain.
 
-errorchain tcp-fragment REJECT --reject-with icmp-host-prohibited
-## Chain for logging fragmented TCP segements. Rejects with ICMP
-## host-prohibited.
+errorchain tcp-fragment REJECT
+## Chain for logging fragmented TCP segements.
 
 errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
 ## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset.
 
 errorchain mangle:bad-source-address DROP
+errorchain bad-source-address DROP
 ## Packet arrived on wrong interface for its source address. Drops the
 ## packet, since there's nowhere sensible to send an error.
 
-errorchain bad-destination-address REJECT --reject-with icmp-host-prohibited
-## Packet arrived on non-loopback interface with loopback destination. Sends
-## a rude note back.
+errorchain bad-destination-address REJECT
+## Packet arrived on non-loopback interface with loopback destination.
 
 errorchain interesting ACCEPT
 ## Not an error, just log interesting packets.
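Review bot: Dropping `--reject-with icmp-host-prohibited` from the forbidden, tcp-fragment and bad-destination-address chains (presumably because that reject type is IPv4-only and the chains are now built through ip46tables) also changes the IPv4 behaviour: a bare REJECT answers with ICMP port-unreachable (ICMPv6 port-unreachable on the ip6tables side), so peers see a different error than before. The rewritten comments lost the only record of what is sent; I'd keep one line, e.g. `## Packet arrived on non-loopback interface with loopback destination.  Rejected with the REJECT target's default error (ICMP port-unreachable, or its ICMPv6 equivalent).` The new filter-table `bad-source-address` chain sits under a comment written for the mangle chain ("wrong interface for its source address"), while the next hunk also sends FORWARD traffic with link-local source addresses to it, so that comment should cover both uses.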
@@ -93,12 +99,36 @@ m4_divert(36)m4_dnl ### Standard loopback stuff. ## Don't clobber local traffic -run iptables -A INPUT -i lo -j ACCEPT +run ip46tables -A INPUT -i lo -j ACCEPT ## We really shouldn't see packets destined for localhost on any interface ## other than the loopback. run iptables -A INPUT -g bad-destination-address \ -d 127.0.0.0/8 +run ip6tables -A INPUT -g bad-destination-address \ + -d ::1 + +## We shouldn't be asked to forward things with link-local addresses. +run iptables -A FORWARD -g bad-source-address \ + -s 169.254.0.0/16 +run iptables -A FORWARD -g bad-destination-address \ + -d 169.254.0.0/16 +run ip6tables -A FORWARD -g bad-source-address \ + -s fe80::/10 +run ip6tables -A FORWARD -g bad-destination-address \ + -d fe80::/10 + +## Also, don't forward link-local broadcast or multicast. +run iptables -A FORWARD -g bad-destination-address \ + -d 255.255.255.255 +run iptables -A FORWARD -g bad-destination-address \ + -m addrtype --dst-type BROADCAST +run iptables -A FORWARD -g bad-destination-address \ + -d 224.0.0.0/24 +for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do + run ip6tables -A FORWARD -g bad-destination-address \ + -d fe${x}2::/16 +done m4_divert(90)m4_dnl ###--------------------------------------------------------------------------
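Review bot: The ip6tables loop at the end of the hunk matches `-d fe${x}2::/16`, but IPv6 multicast lives under ff00::/8, so the link-local-scope multicast it is meant to block (ff02::/16 and the flagged variants ff12::/16, ff32::/16, …) is never matched and is still forwarded, while the rule instead hits unrelated prefixes such as fec2::/16 and fee2::/16 (deprecated site-local space) and fe82::/16 (already covered by the fe80::/10 rule above). The fix is one character in the continuation line: `-d ff${x}2::/16`. Interface-local scope (`ff${x}1::/16`) is equally non-forwardable and could be added to the same loop. The IPv4 side (`255.255.255.255`, `--dst-type BROADCAST`, `224.0.0.0/24`) looks right.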