From: Mark Wooding Date: Mon, 12 Mar 2012 00:16:27 +0000 (+0000) Subject: Merge branch 'master' into emergency X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/50982adee2bcdcfdb7cd53bd672c12f1ecca79f0?hp=-c Merge branch 'master' into emergency * master: Overhaul address classification for link-local and non-unicast addresses. functions.m4: Publish the per-class forwarding bitmasks. functions.m4: The mark-{from,to}-* rules no longer own the packet marks. classify.m4: Use canonical forms for IPv6 addresses. local.m4: Actually use the IPv6 fragmentation forbidding filter. Extend proper ICMP handling to IPv6. bookends.m4: Optimize checking for forwarding IPv6 link-local multicast. vampire.m4: Extend services to untrusted hosts over IPv6. Introduce variable for expected input chains. --- 50982adee2bcdcfdb7cd53bd672c12f1ecca79f0 diff --combined local.m4 index 4385223,d084db4..c479ed8 --- a/local.m4 +++ b/local.m4 @@@ -35,10 -35,12 +35,12 @@@ m4_divert(-1 ## Define the available network classes. 
m4_divert(42)m4_dnl - defnetclass untrusted untrusted trusted - defnetclass trusted untrusted trusted safe noloop - defnetclass safe trusted safe noloop - defnetclass noloop trusted safe + defnetclass untrusted untrusted trusted mcast + defnetclass trusted untrusted trusted safe noloop mcast + defnetclass safe trusted safe noloop mcast + defnetclass noloop trusted safe mcast + defnetclass link + defnetclass mcast m4_divert(-1) m4_divert(26)m4_dnl @@@ -90,14 -92,13 +92,14 @@@ defhost artis iface eth1 dmz unsafe defhost vampire router - iface eth0.0 dmz unsafe safe - iface eth0.1 dmz unsafe safe + iface eth0.0 dmz unsafe safe default + iface eth0.1 dmz unsafe safe default iface eth0.2 safe - iface eth0.3 untrusted + iface eth0.3 untrusted default iface dns0 dns iface vpn-+ vpn iface vpn-precision colobdry vpn + iface t6-he default defhost ibanez iface br-dmz dmz unsafe iface br-unsafe unsafe @@@ -162,7 -163,7 +164,7 @@@ case $forward i run iptables -A fwd-spec-nofrag -j RETURN --fragment run ip6tables -A fwd-spec-nofrag -j RETURN \ -m ipv6header --soft --header frag - run iptables -A FORWARD -j fwd-spec-nofrag + run ip46tables -A FORWARD -j fwd-spec-nofrag ## Allow ping from safe/noloop to untrusted networks. 
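Review bot: The two new classes `link` and `mcast` are defined with no peer list, and `mcast` is appended to every existing class's list including `untrusted`, but nothing in the hunk says what either class is for or why untrusted networks may now reach it. If the trailing names are the classes a network may forward to (the existing entries read that way; please confirm against the defnetclass definition), a line such as `## link: link-local scope only; mcast: multicast destinations, reachable from every class` above the block would record the intent. The commit message mentions an address-classification overhaul, so a pointer to where link-local and multicast addresses are mapped onto these classes would also help the next reader.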
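Review bot: The `default` class assigned to eth0.0, eth0.1, eth0.3 and the new `t6-he` interface is not among the classes defined by `defnetclass` in the earlier hunk of this file; if it is declared elsewhere (another file, or outside this hunk) a one-line comment naming that place would save the search, otherwise it still needs a definition. For the tunnel interface in particular, `iface t6-he default` deserves a comment stating that this is the 6-in-4 tunnel endpoint (vampire.m4 in this same commit accepts `-p $proto_ipv6` from the tunnel peer) and what class decapsulated packets from it end up in. The defhost block continues beyond the hunk.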
run iptables -A fwd-spec-nofrag -j ACCEPT \ @@@ -173,10 -174,10 +175,10 @@@ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-request \ + -p icmpv6 --icmpv6-type echo-request \ -m mark --mark $to_untrusted/$MASK_TO run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-reply \ + -p icmpv6 --icmpv6-type echo-reply \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED @@@ -237,22 -238,6 +239,6 @@@ run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 \ -p udp --source-port $port_bootpc --destination-port $port_bootps - ## Incoming multicast on a network interface associated with a trusted - ## network is OK, since it must have originated there (or been forwarded, but - ## we don't do that yet). - seen=:-: - for net in $allnets; do - eval class=\$net_class_$net - case $class in trusted) ;; *) continue ;; esac - for iface in $(net_interfaces FWHOST $net); do - case "$seen" in *:$iface:*) continue ;; esac - seen=$seen$iface: - run iptables -A inbound -j ACCEPT \ - -s 0.0.0.0 -d 224.0.0.0/24 \ - -i $iface - done - done - ## Allow incoming ping. This is the only ICMP left. run ip46tables -A inbound -j ACCEPT -p icmp @@@ -265,12 -250,9 +251,9 @@@ run ip46tables -A inbound -j forbidde run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound ## Otherwise process as indicated by the mark. - run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT - case $forward in - 1) - run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT - ;; - esac + for i in $inchains; do + run ip46tables -A $i -m mark ! 
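Review bot: Switching the jump to `ip46tables` means the IPv6 path now also enters `fwd-spec-nofrag`, whose first two rules RETURN on fragments (`--fragment` for IPv4, `-m ipv6header --soft --header frag` for IPv6), so fragmented packets skip the ACCEPT rules in this chain and continue down FORWARD; nothing in the hunk shows what eventually happens to them. A comment at the jump such as `## Fragments RETURN from fwd-spec-nofrag and fall through to the rest of FORWARD` would make that intent explicit, and the rule or policy that finally handles them should be checked since it is outside this hunk. The enclosing `case $forward in` starts before the hunk.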
--mark 0/$MASK_MASK -j ACCEPT + done m4_divert(-1) ###----- That's all, folks -------------------------------------------------- diff --combined vampire.m4 index 4e00a49,b3257c7..acd2008 --- a/vampire.m4 +++ b/vampire.m4 @@@ -31,7 -31,6 +31,7 @@@ allowservices inbound tcp dns iodine \ ssh \ smtp submission \ + rdesktop \ gnutella_svc \ ftp ftp_data \ rsync \ @@@ -48,8 -47,8 +48,8 @@@ allowservices inbound udp ## Extend some services to local untrusted hosts. clearchain inbound-untrusted - run iptables -A inbound -j inbound-untrusted \ - -s 172.29.198.0/24 + run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted + run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted allowservices inbound-untrusted tcp \ dns \ @@@ -71,38 -70,5 +71,38 @@@ run iptables -A OUTPUT -m multiport dnsresolver inbound ntpclient inbound $ntp_servers +## IPv6 6-in-4 tunnel. +run iptables -A inbound -j ACCEPT \ + -p $proto_ipv6 -s 216.66.80.26 + +## NAT for RFC1918 addresses. +for i in PREROUTING OUTPUT POSTROUTING; do + run iptables -t nat -P $i ACCEPT 2>/dev/null || : + run iptables -t nat -F $i 2>/dev/null || : +done +run iptables -t nat -F +run iptables -t nat -X + +run iptables -t nat -N outbound +run iptables -t nat -A outbound -j RETURN ! -o eth0.0 +run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 +run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 +run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 +run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 +run iptables -t nat -A POSTROUTING -j outbound + +## Set up NAT protocol helpers. In particular, SIP needs some special +## twiddling. +run modprobe nf_conntrack_sip \ + ports=5060 \ + sip_direct_signalling=0 \ + sip_direct_media=0 +for p in ftp sip h323; do + run modprobe nf_nat_$p +done + +## Forbid anything complicated to the NAT address. +run iptables -A INPUT -d 62.49.204.158 ! 
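Review bot: The loop `for i in $inchains; do … done` installs the mark-based ACCEPT only for the chains named in `$inchains`, so if that variable is empty or unset the rule the old code always added to INPUT is silently omitted and nothing in the hunk reports it. Since `$inchains` is assigned outside this hunk (the commit message says it was introduced for the expected input chains; confirm where), a guard before the loop, `case $inchains in "") echo >&2 "inchains is empty"; exit 1;; esac`, or at least a comment naming where it is set and that it must contain INPUT, would protect against that. The old `case $forward in` gating of FORWARD is presumably now folded into the variable's value; that is inferred, not visible here.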
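Review bot: `rdesktop` is added to the services allowed on the `inbound` chain, which in local.m4 (same commit) receives packets marked `$from_untrusted`, so the remote-desktop service becomes reachable from every untrusted source, not only the local untrusted hosts handled by `inbound-untrusted` a few lines below. If it is only needed from the local untrusted network, the entry belongs in the `allowservices inbound-untrusted tcp` list instead; if wide exposure is intended, a comment such as `## rdesktop: reachable from all untrusted sources (intended)` would record that decision. The allowservices call continues outside the hunk.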
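Review bot: Replacing the literal `-s 172.29.198.0/24` with `-s $net_inet_untrusted` makes the reach of `inbound-untrusted` depend on a variable defined outside this hunk, and elsewhere in this commit the untrusted range appears as `172.29.198.0/23` (the local.m4 bootp rule and the vampire.m4 NAT rules), so if the variable carries the /23 this change widens the set of hosts that get the extended services; please confirm that is intended. An empty expansion of `$net_inet_untrusted` or `$net_inet6_untrusted` would leave `-s` without an argument and make the command fail rather than fall back to the old literal, so a comment naming where the two variables are derived, e.g. `## $net_inet{,6}_untrusted are set from the untrusted network definitions in [FILE]`, would help whoever maintains the network table.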
-p icmp -j REJECT + m4_divert(-1) ###----- That's all, folks --------------------------------------------------
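Review bot: The helper setup loads `nf_conntrack_sip` and `nf_nat_ftp`/`nf_nat_sip`/`nf_nat_h323` without binding them to particular flows, so on kernels that still perform automatic helper assignment every connection on the helper ports from any source gets payload inspection and dynamically opened expectations (the `ports=5060` parameter for SIP shows the intent but does not restrict who may trigger it). Prefer explicit assignment in the raw table limited to the expected traffic, e.g. `run iptables -t raw -A PREROUTING -p udp --dport 5060 -j CT --helper sip` per helper, together with `net.netfilter.nf_conntrack_helper=0` where that sysctl exists, so helpers only track flows this policy chooses. Separately, `run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT` is appended to INPUT at the end, and whether it is ever reached depends on the mark-based ACCEPT rules local.m4 adds to INPUT and on which file runs first; that ordering is not visible here and should be checked.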