esac
setopt ip_forward $forward
setdevopt forwarding $forward
+case $forward in
+ 0) inchains="INPUT" ;;
+ 1) inchains="INPUT FORWARD" ;;
+esac
## Set dynamic port allocation.
setopt ip_local_port_range $open_port_min $open_port_max
-m addrtype --dst-type BROADCAST
run iptables -A FORWARD -g bad-destination-address \
-d 224.0.0.0/24
+ clearchain check-fwd-multi
for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
- run ip6tables -A FORWARD -g bad-destination-address \
- -d fe${x}2::/16
+ run ip6tables -A check-fwd-multi -g bad-destination-address \
+ -d ff${x}2::/16
done
+ ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
;;
esac
clearchain mangle:in-classify mangle:in-default mangle:out-classify
clearchain mangle:local-source
+## An unpleasant hack. We can't reject packets from the mangle table, so
+## we mark packets with a bad destination and then detect this in the
+## filter table.
+clearchain mangle:bad-destination-address
+BAD_DEST=0xf6f377d2
+ip46tables -t mangle -A bad-destination-address -j MARK --set-mark $BAD_DEST
+ip46tables -t mangle -A bad-destination-address -j ACCEPT
+for i in $inchains; do
+ ip46tables -A $i -m mark --mark $BAD_DEST -g bad-destination-address
+done
+
## Packets over the loopback interface are automatically trusted. All manner
## of weird stuff happens on lo, and it's best not to second-guess it.
run ip46tables -t mangle -A in-classify -i lo -j ACCEPT
-s $addr
done
-## It's not valid to have a multicast address as a packet source: multicast
-## routing is done away from the source, so a multicast address would make
-## this impossible to do. So discard these packets. Also discard class-E
-## IPv4 addresses, since they aren't assigned.
-run iptables -t mangle -A in-classify -g bad-source-address \
- -s 224.0.0.0/3
-run ip6tables -t mangle -A in-classify -g bad-source-address \
- -s ff00::/8
-
m4_divert(41)m4_dnl
## Define the important networks.
for pass in 1 2; do
done
m4_divert(46)m4_dnl
+## Special IPv4 source addresses. Forbid broadcast and multicast sources.
+## Mark the special zero address and link-local addresses as such. (This
+## also matches class-E addresses, which are probably permanently invalid.)
+for i in 0.0.0.0 169.254.0.0/16; do
+ run iptables -t mangle -A in-classify -g mark-from-link -s $i
+done
+run iptables -t mangle -A in-classify -g bad-source-address \
+ -s 224.0.0.0/3
+run iptables -t mangle -A in-classify -g bad-source-address \
+ -m addrtype --src-type BROADCAST \
+
+## Special IPv6 addresses. Format multicast sources, and mark zero and
+## link local addresses.
+for i in :: fe80::/10; do
+ run ip6tables -t mangle -A in-classify -g mark-from-link -s $i
+done
+run ip6tables -t mangle -A in-classify -g bad-source-address \
+ -s ff00::/8
+
+## Special IPv4 destination addresses. The zero address is invalid; mark
+## link-local and recognized broadcast addresses as link-local. We leave
+## multicast for later.
+for i in 0.0.0.0 240.0.0.0/4; do
+ run iptables -t mangle -A out-classify -g bad-destination-address -d $i
+done
+run iptables -t mangle -A out-classify -g mark-to-link -d 169.254.0.0/16
+run iptables -t mangle -A out-classify -g mark-to-link \
+ -m addrtype --dst-type BROADCAST
+
+## Special IPv6 destination addressses. The zero address is again invalid;
+## mark link local addresses. We do multicast later.
+run ip6tables -t mangle -A out-classify -g bad-destination-address \
+ -d ::
+run ip6tables -t mangle -A out-classify -g mark-to-link -d fe80::/10
+
+## Now deal with multicast. Link-local multicast is detected as being
+## link-local, so that we can prevent it being forwarded correctly.
+clearchain mangle:out-classify-mcast
+run iptables -t mangle -A out-classify-mcast -g mark-to-link \
+ -d 224.0.0.0/24
+for i in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+ run ip6tables -t mangle -A out-classify-mcast -g mark-to-link \
+ -d ff${i}2::/16
+done
+run ip46tables -t mangle -A out-classify-mcast -g mark-to-mcast
+run iptables -t mangle -A out-classify -g out-classify-mcast \
+ -d 224.0.0.0/4
+run ip6tables -t mangle -A out-classify -g out-classify-mcast \
+ -d ff00::/8
+
## Build the input classification chains. There's one chain `in-IFACE' for
## each local interface. This chain does a further dispatch on the source
## address to the appropriate `mark-from-CLASS' chain for the source network
done
for addr in \
fc00::/7 \
- 2001:0db8::/32
+ 2001:db8::/32
do
run ip6tables -t mangle -A in-default -s $addr -g bad-source-address
done
run ip46tables -t mangle -A PREROUTING -j in-classify
run ip46tables -t mangle -A PREROUTING -j out-classify
+## Incoming stuff to or from a link-local address is OK.
+run ip46tables -t mangle -A INPUT \
+ -m mark --mark $to_link/$MASK_TO \
+ -j MARK --or-mark $fwd_link
+run ip46tables -t mangle -A INPUT \
+ -m mark --mark $from_link/$MASK_FROM \
+ -j MARK --or-mark $fwd_link
+
## Now it's safe to let stuff through.
for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
run ip46tables -t mangle -P $i ACCEPT
trace "netclass $name = $netclassindex"
eval from_$name=$(( $netclassindex << $BIT_FROM ))
eval to_$name=$(( $netclassindex << $BIT_TO ))
- eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
+ eval fwd_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
nets="$nets $name"
;;
2)
- ## Pass 2. Compute the actual from and to values. We're a little bit
- ## clever during source classification, and set the TO field to
- ## all-bits-one, so that destination classification needs only a single
- ## AND operation.
- from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
+ ## Pass 2. Compute the actual from and to values. This is fiddly:
+ ## we want to preserve the other flags.
+ from=$(( ($netclassindex << $BIT_FROM) ))
+ frommask=$(( $MASK_FROM | $MASK_MASK ))
for net; do
- eval bit=\$_mask_$net
+ eval bit=\$fwd_$net
from=$(( $from + $bit ))
done
- to=$(( ($netclassindex << $BIT_TO) + \
- (0xf << $BIT_FROM) + \
- (1 << ($netclassindex + $BIT_MASK)) ))
- trace "from $name --> set $(printf %x $from)"
- trace " to $name --> and $(printf %x $from)"
+ to=$(( ($netclassindex << $BIT_TO) ))
+ tomask=$(( $MASK_MASK ^ (1 << ($netclassindex + $BIT_MASK)) ))
+ trace "from $name --> set $(printf %08x/%08x $from $frommask)"
+ trace " to $name --> and $(printf %08x/%08x $to $tomask)"
## Now establish the mark-from-NAME and mark-to-NAME chains.
clearchain mangle:mark-from-$name mangle:mark-to-$name
- run ip46tables -t mangle -A mark-from-$name -j MARK --set-mark $from
- run ip46tables -t mangle -A mark-to-$name -j MARK --and-mark $to
+ run ip46tables -t mangle -A mark-from-$name -j MARK \
+ --set-xmark $from/$frommask
+ run ip46tables -t mangle -A mark-to-$name -j MARK \
+ --set-xmark $to/$tomask
;;
esac
netclassindex=$(( $netclassindex + 1 ))
## Ping needs inspecting on a host-by-host basis.
for type in echo-request echo-reply; do
run iptables -A check-icmp -p icmp --icmp-type $type -j RETURN
+ run ip6tables -A check-icmp -p icmpv6 --icmpv6-type $type -j RETURN
done
-## Certainly don't allow ping to broadcast addresses.
-run iptables -A check-icmp -g forbidden \
- -p icmp --icmp-type echo-request \
- -m addrtype --dst-type BROADCAST
-
m4_divert(58)m4_dnl
## Other ICMP is basically benign, we claim.
-run iptables -A check-icmp -j ACCEPT
+run ip46tables -A check-icmp -j ACCEPT
## Done.
-for i in INPUT FORWARD; do
- run iptables -A $i -p icmp -j check-icmp
-done
+for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
+defnetclass untrusted untrusted trusted mcast
+defnetclass trusted untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
+defnetclass link
+defnetclass mcast
m4_divert(-1)
m4_divert(26)m4_dnl
run iptables -A fwd-spec-nofrag -j RETURN --fragment
run ip6tables -A fwd-spec-nofrag -j RETURN \
-m ipv6header --soft --header frag
- run iptables -A FORWARD -j fwd-spec-nofrag
+ run ip46tables -A FORWARD -j fwd-spec-nofrag
## Allow ping from safe/noloop to untrusted networks.
run iptables -A fwd-spec-nofrag -j ACCEPT \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
+ -p icmpv6 --icmpv6-type echo-request \
-m mark --mark $to_untrusted/$MASK_TO
run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
+ -p icmpv6 --icmpv6-type echo-reply \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
-## Incoming multicast on a network interface associated with a trusted
-## network is OK, since it must have originated there (or been forwarded, but
-## we don't do that yet).
-seen=:-:
-for net in $allnets; do
- eval class=\$net_class_$net
- case $class in trusted) ;; *) continue ;; esac
- for iface in $(net_interfaces FWHOST $net); do
- case "$seen" in *:$iface:*) continue ;; esac
- seen=$seen$iface:
- run iptables -A inbound -j ACCEPT \
- -s 0.0.0.0 -d 224.0.0.0/24 \
- -i $iface
- done
-done
-
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Otherwise process as indicated by the mark.
-run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-case $forward in
- 1)
- run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
- ;;
-esac
+for i in $inchains; do
+ run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+done
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
## Extend some services to local untrusted hosts.
clearchain inbound-untrusted
-run iptables -A inbound -j inbound-untrusted \
- -s 172.29.198.0/24
+run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
+run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
allowservices inbound-untrusted tcp \
dns \
~mdw / firewall / commitdiff