local.m4, etc.: Establish `inbound-untrusted' chain and deploy.

Quite a lot of the per-host files involve allowing local untrusted
access to various services.  This was being done with explicit network
address ranges, which led to repetition of the rules for IPv4 and IPv6,
or only permitting access through IPv4.

Instead, introduce a new chain (actually promoted from `vampire.m4') for
these local untrusted clients and replace the explicit address ranges.

diff --git a/artist.m4 b/artist.m4
index bc07708..23195aa 100644 (file)
--- a/artist.m4
+++ b/artist.m4
@@ -37,14 +37,9 @@ allowservices inbound udp \
        i2p
 
 ## Allow smb and nmb to untrusted hosts.
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
+run ip46tables -A inbound-untrusted -j ACCEPT \
        -p udp -m multiport --destination-ports \
-               $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
-       -p tcp -m multiport --destination-ports \
-               $port_netbios_ssn,$port_microsoft_ds
+       $port_netbios_ns,$port_netbios_dgm
 
 ## Open ports for Rygel.
 run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 -p igmp

diff --git a/fender.m4 b/fender.m4
index 07a441d..77a08fe 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -34,15 +34,8 @@ allowservices inbound tcp \
 ntpclient inbound $ntp_servers
 
 ## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:8b0:c92::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+         --source-port 123 --destination-port 123
 
 ## Guaranteed black hole.  Put this at the very front of the chain.
 run iptables -I INPUT -d 212.13.198.78 -j DROP

diff --git a/ibanez.m4 b/ibanez.m4
index d70b46e..0708ed6 100644 (file)
--- a/ibanez.m4
+++ b/ibanez.m4
@@ -36,15 +36,8 @@ allowservices inbound udp \
 ntpclient inbound $ntp_servers
 
 ## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:8b0:c92::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+       --source-port 123 --destination-port 123
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------

diff --git a/jem.m4 b/jem.m4
index 4a9f9c6..5f79248 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -42,8 +42,7 @@ allowservices inbound tcp \
 
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
-  run iptables -A inbound -j ACCEPT \
-         -s 172.29.198.0/24 \
+  run ip46tables -A inbound -j ACCEPT \
          -p $p --destination-port $port_dns
 done
 

diff --git a/local.m4 b/local.m4
index c0874c5..dfaae8f 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -381,6 +381,7 @@ m4_divert(84)m4_dnl
 ### Locally-bound packet inspection.
 
 clearchain inbound
+clearchain inbound-untrusted
 
 ## Track connections.
 commonrules inbound
@@ -404,9 +405,13 @@ m4_divert(88)m4_dnl
 openports inbound
 
 ## Inspect inbound packets from untrusted sources.
+run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
+run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted
+run ip46tables -A inbound-untrusted -g forbidden
 run ip46tables -A inbound -g forbidden
 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+run iptables -A inbound -s 172.29.198.0/24 -j inbound-untrusted
 
 ## Allow responses from the scary outside world into the untrusted net, but
 ## don't let untrusted things run services.

diff --git a/roadstar.m4 b/roadstar.m4
index 555e669..5485d00 100644 (file)
--- a/roadstar.m4
+++ b/roadstar.m4
@@ -35,8 +35,7 @@ allowservices inbound tcp \
 
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
-  run iptables -A inbound -j ACCEPT \
-         -s 172.29.198.0/24 \
+  run ip46tables -A inbound-untrusted -j ACCEPT \
          -p $p --destination-port $port_dns
 done
 

diff --git a/vampire.m4 b/vampire.m4
index 48d25b3..f134bb0 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -35,11 +35,6 @@ allowservices inbound udp \
        gnutella_svc \
        i2p
 
-## Extend some services to local untrusted hosts.
-clearchain inbound-untrusted
-run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
-run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
-
 allowservices inbound-untrusted tcp \
        dns \
        lpd \
@@ -63,15 +58,8 @@ dnsserver inbound
 ntpclient inbound $ntp_servers
 
 ## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:8b0:c92::/48
+ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+       --source-port 123 --destination-port 123
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------