X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/f543dab768f9b1e3e3278085be88369ec2e5db6b..3b250fe6986bd168aa7e4f46336b3a43b2735b37:/bookends.m4 diff --git a/bookends.m4 b/bookends.m4 index 7374cd3..a0731d2 100644 --- a/bookends.m4 +++ b/bookends.m4 @@ -28,14 +28,76 @@ m4_divert(30)m4_dnl ## The main chains: set policy to drop, and then clear the rules. For a ## while, incoming packets will be silently dropped, but we should have got ## everything going before anyone actually hits a timeout. -for t in mangle filter; do - for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do - run ip46tables -t $t -P $i DROP 2>/dev/null || : - run ip46tables -t $t -F $i 2>/dev/null || : +## +## We don't control some of the chains, so we should preserve them. This +## introduces a whole bunch of problems. + +## Chains we're meant to preserve +preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains" + +## Take the various IP versions in turn. +unref=nil +for ip in ip ip6; do + for table in $(cat /proc/net/${ip}_tables_names); do + + ## Step 1: clear out the builtin chains. + ${ip}tables -nL -t $table | + sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | + while read chain; do + case $table in + nat) policy=ACCEPT ;; + *) policy=DROP ;; + esac + run ${ip}tables -t $table -P $chain $policy + run ${ip}tables -t $table -F $chain + done + + ## Step 2: clear out user chains. Unfortunately, we can only clear + ## chains which have no references to them, so work through picking off + ## unreferenced chains which aren't meant to be preserved until there are + ## none left. + while :; do + progress=nil + ${ip}tables -nL -t $table | + sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \ + >/var/run/firewall-chains.tmp + while read chain; do + match=nil + for pat in $preserve_chains; do + case "$table:$chain" in $pat) match=t ;; esac + done + case $match in + nil) + run ${ip}tables -t $table -F $chain + run ${ip}tables -t $table -X $chain + progress=t + ;; + esac + done /var/run/firewall-chains.tmp + while read chain refs; do + match=nil + for pat in $preserve_chains; do + case "$table:$chain" in $pat) match=t ;; esac + done + case $match in + nil) + echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'" + unref=t + ;; + esac + done FWHOST in + router) forward=1 ;; + *) forward=0 ;; +esac setopt ip_forward $forward setdevopt forwarding $forward +case $forward in + 0) inchains="INPUT" ;; + 1) inchains="INPUT FORWARD" ;; +esac ## Set dynamic port allocation. setopt ip_local_port_range $open_port_min $open_port_max @@ -67,9 +137,11 @@ if [ -x /sbin/brctl ]; then fi fi -## Turn on the reverse-path filter, and log weird things. -setdevopt rp_filter $rp_filter -setdevopt log_martians $log_martians +## Turn off the reverse-path filter. It's basically useless: the filter does +## nothing at all for single-homed hosts; and multi-homed hosts tend to have +## routing aysmmetries if there's any kind of cycle. +setdevopt rp_filter 0 +setdevopt log_martians 0 ## Turn off things which can mess with our routing decisions. setdevopt accept_source_route 0 @@ -102,7 +174,7 @@ errorchain bad-destination-address REJECT errorchain interesting ACCEPT ## Not an error, just log interesting packets. -m4_divert(36)m4_dnl +m4_divert(50)m4_dnl ###-------------------------------------------------------------------------- ### Standard filtering. @@ -117,26 +189,36 @@ run ip6tables -A INPUT -g bad-destination-address \ -d ::1 ## We shouldn't be asked to forward things with link-local addresses. -run iptables -A FORWARD -g bad-source-address \ - -s 169.254.0.0/16 -run iptables -A FORWARD -g bad-destination-address \ - -d 169.254.0.0/16 -run ip6tables -A FORWARD -g bad-source-address \ - -s fe80::/10 -run ip6tables -A FORWARD -g bad-destination-address \ - -d fe80::/10 +case $forward in + 1) + run iptables -A FORWARD -g bad-source-address \ + -s 169.254.0.0/16 + run iptables -A FORWARD -g bad-destination-address \ + -d 169.254.0.0/16 + run ip6tables -A FORWARD -g bad-source-address \ + -s fe80::/10 + run ip6tables -A FORWARD -g bad-destination-address \ + -d fe80::/10 + ;; +esac ## Also, don't forward link-local broadcast or multicast. -run iptables -A FORWARD -g bad-destination-address \ - -d 255.255.255.255 -run iptables -A FORWARD -g bad-destination-address \ - -m addrtype --dst-type BROADCAST -run iptables -A FORWARD -g bad-destination-address \ - -d 224.0.0.0/24 -for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do - run ip6tables -A FORWARD -g bad-destination-address \ - -d fe${x}2::/16 -done +case $forward in + 1) + run iptables -A FORWARD -g bad-destination-address \ + -d 255.255.255.255 + run iptables -A FORWARD -g bad-destination-address \ + -m addrtype --dst-type BROADCAST + run iptables -A FORWARD -g bad-destination-address \ + -d 224.0.0.0/24 + clearchain check-fwd-multi + for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do + run ip6tables -A check-fwd-multi -g bad-destination-address \ + -d ff${x}2::/16 + done + ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8 + ;; +esac ## Add a hook for fail2ban. clearchain fail2ban @@ -155,5 +237,29 @@ for chain in INPUT FORWARD; do run ip46tables -A $chain -g forbidden done +## Allow stuff through unknown tables. +for ip in ip ip6; do + for table in $(cat /proc/net/${ip}_tables_names); do + case $table in mangle | filter) continue ;; esac + ${ip}tables -nL -t $table | + sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' | + while read chain; do + run ${ip}tables -t $table -P $chain ACCEPT + done + done +done + +## Dump the resulting configuration. +if [ "$FW_DEBUG" ]; then + for ip in ip ip6; do + for table in mangle filter; do + echo "----- $ip $table -----" + echo + ${ip}tables -t $table -nvL + echo + done + done +fi + m4_divert(-1) ###----- That's all, folks --------------------------------------------------