From: Mark Wooding Date: Mon, 12 Mar 2012 00:16:27 +0000 (+0000) Subject: Merge branch 'master' into emergency X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/50982adee2bcdcfdb7cd53bd672c12f1ecca79f0?hp=c8dab9d26762658a6ba0b34c5598b589ae2652d3 Merge branch 'master' into emergency * master: Overhaul address classification for link-local and non-unicast addresses. functions.m4: Publish the per-class forwarding bitmasks. functions.m4: The mark-{from,to}-* rules no longer own the packet marks. classify.m4: Use canonical forms for IPv6 addresses. local.m4: Actually use the IPv6 fragmentation forbidding filter. Extend proper ICMP handling to IPv6. bookends.m4: Optimize checking for forwarding IPv6 link-local multicast. vampire.m4: Extend services to untrusted hosts over IPv6. Introduce variable for expected input chains. --- diff --git a/bookends.m4 b/bookends.m4 index 69a721e..a0731d2 100644 --- a/bookends.m4 +++ b/bookends.m4 @@ -111,6 +111,10 @@ case $host_type_<::>FWHOST in esac setopt ip_forward $forward setdevopt forwarding $forward +case $forward in + 0) inchains="INPUT" ;; + 1) inchains="INPUT FORWARD" ;; +esac ## Set dynamic port allocation. setopt ip_local_port_range $open_port_min $open_port_max @@ -207,10 +211,12 @@ case $forward in -m addrtype --dst-type BROADCAST run iptables -A FORWARD -g bad-destination-address \ -d 224.0.0.0/24 + clearchain check-fwd-multi for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do - run ip6tables -A FORWARD -g bad-destination-address \ - -d fe${x}2::/16 + run ip6tables -A check-fwd-multi -g bad-destination-address \ + -d ff${x}2::/16 done + ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8 ;; esac diff --git a/classify.m4 b/classify.m4 index 16a92c9..59ac3d9 100644 --- a/classify.m4 +++ b/classify.m4 @@ -65,6 +65,17 @@ m4_divert(40)m4_dnl clearchain mangle:in-classify mangle:in-default mangle:out-classify clearchain mangle:local-source +## An unpleasant hack. We can't reject packets from the mangle table, so +## we mark packets with a bad destination and then detect this in the +## filter table. +clearchain mangle:bad-destination-address +BAD_DEST=0xf6f377d2 +ip46tables -t mangle -A bad-destination-address -j MARK --set-mark $BAD_DEST +ip46tables -t mangle -A bad-destination-address -j ACCEPT +for i in $inchains; do + ip46tables -A $i -m mark --mark $BAD_DEST -g bad-destination-address +done + ## Packets over the loopback interface are automatically trusted. All manner ## of weird stuff happens on lo, and it's best not to second-guess it. run ip46tables -t mangle -A in-classify -i lo -j ACCEPT @@ -98,15 +109,6 @@ for addr in $host_6addrs; do -s $addr done -## It's not valid to have a multicast address as a packet source: multicast -## routing is done away from the source, so a multicast address would make -## this impossible to do. So discard these packets. Also discard class-E -## IPv4 addresses, since they aren't assigned. -run iptables -t mangle -A in-classify -g bad-source-address \ - -s 224.0.0.0/3 -run ip6tables -t mangle -A in-classify -g bad-source-address \ - -s ff00::/8 - m4_divert(41)m4_dnl ## Define the important networks. for pass in 1 2; do @@ -115,6 +117,56 @@ m4_divert(42)m4_dnl done m4_divert(46)m4_dnl +## Special IPv4 source addresses. Forbid broadcast and multicast sources. +## Mark the special zero address and link-local addresses as such. (This +## also matches class-E addresses, which are probably permanently invalid.) +for i in 0.0.0.0 169.254.0.0/16; do + run iptables -t mangle -A in-classify -g mark-from-link -s $i +done +run iptables -t mangle -A in-classify -g bad-source-address \ + -s 224.0.0.0/3 +run iptables -t mangle -A in-classify -g bad-source-address \ + -m addrtype --src-type BROADCAST \ + +## Special IPv6 addresses. Format multicast sources, and mark zero and +## link local addresses. +for i in :: fe80::/10; do + run ip6tables -t mangle -A in-classify -g mark-from-link -s $i +done +run ip6tables -t mangle -A in-classify -g bad-source-address \ + -s ff00::/8 + +## Special IPv4 destination addresses. The zero address is invalid; mark +## link-local and recognized broadcast addresses as link-local. We leave +## multicast for later. +for i in 0.0.0.0 240.0.0.0/4; do + run iptables -t mangle -A out-classify -g bad-destination-address -d $i +done +run iptables -t mangle -A out-classify -g mark-to-link -d 169.254.0.0/16 +run iptables -t mangle -A out-classify -g mark-to-link \ + -m addrtype --dst-type BROADCAST + +## Special IPv6 destination addressses. The zero address is again invalid; +## mark link local addresses. We do multicast later. +run ip6tables -t mangle -A out-classify -g bad-destination-address \ + -d :: +run ip6tables -t mangle -A out-classify -g mark-to-link -d fe80::/10 + +## Now deal with multicast. Link-local multicast is detected as being +## link-local, so that we can prevent it being forwarded correctly. +clearchain mangle:out-classify-mcast +run iptables -t mangle -A out-classify-mcast -g mark-to-link \ + -d 224.0.0.0/24 +for i in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do + run ip6tables -t mangle -A out-classify-mcast -g mark-to-link \ + -d ff${i}2::/16 +done +run ip46tables -t mangle -A out-classify-mcast -g mark-to-mcast +run iptables -t mangle -A out-classify -g out-classify-mcast \ + -d 224.0.0.0/4 +run ip6tables -t mangle -A out-classify -g out-classify-mcast \ + -d ff00::/8 + ## Build the input classification chains. There's one chain `in-IFACE' for ## each local interface. This chain does a further dispatch on the source ## address to the appropriate `mark-from-CLASS' chain for the source network @@ -252,7 +304,7 @@ do done for addr in \ fc00::/7 \ - 2001:0db8::/32 + 2001:db8::/32 do run ip6tables -t mangle -A in-default -s $addr -g bad-source-address done @@ -268,6 +320,14 @@ run ip46tables -t mangle -A out-classify -g mark-to-$net_class_default run ip46tables -t mangle -A PREROUTING -j in-classify run ip46tables -t mangle -A PREROUTING -j out-classify +## Incoming stuff to or from a link-local address is OK. +run ip46tables -t mangle -A INPUT \ + -m mark --mark $to_link/$MASK_TO \ + -j MARK --or-mark $fwd_link +run ip46tables -t mangle -A INPUT \ + -m mark --mark $from_link/$MASK_FROM \ + -j MARK --or-mark $fwd_link + ## Now it's safe to let stuff through. for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do run ip46tables -t mangle -P $i ACCEPT diff --git a/functions.m4 b/functions.m4 index b78dcbe..0ebba30 100644 --- a/functions.m4 +++ b/functions.m4 @@ -393,30 +393,30 @@ defnetclass () { trace "netclass $name = $netclassindex" eval from_$name=$(( $netclassindex << $BIT_FROM )) eval to_$name=$(( $netclassindex << $BIT_TO )) - eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) )) + eval fwd_$name=$(( 1 << ($netclassindex + $BIT_MASK) )) nets="$nets $name" ;; 2) - ## Pass 2. Compute the actual from and to values. We're a little bit - ## clever during source classification, and set the TO field to - ## all-bits-one, so that destination classification needs only a single - ## AND operation. - from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) )) + ## Pass 2. Compute the actual from and to values. This is fiddly: + ## we want to preserve the other flags. + from=$(( ($netclassindex << $BIT_FROM) )) + frommask=$(( $MASK_FROM | $MASK_MASK )) for net; do - eval bit=\$_mask_$net + eval bit=\$fwd_$net from=$(( $from + $bit )) done - to=$(( ($netclassindex << $BIT_TO) + \ - (0xf << $BIT_FROM) + \ - (1 << ($netclassindex + $BIT_MASK)) )) - trace "from $name --> set $(printf %x $from)" - trace " to $name --> and $(printf %x $from)" + to=$(( ($netclassindex << $BIT_TO) )) + tomask=$(( $MASK_MASK ^ (1 << ($netclassindex + $BIT_MASK)) )) + trace "from $name --> set $(printf %08x/%08x $from $frommask)" + trace " to $name --> and $(printf %08x/%08x $to $tomask)" ## Now establish the mark-from-NAME and mark-to-NAME chains. clearchain mangle:mark-from-$name mangle:mark-to-$name - run ip46tables -t mangle -A mark-from-$name -j MARK --set-mark $from - run ip46tables -t mangle -A mark-to-$name -j MARK --and-mark $to + run ip46tables -t mangle -A mark-from-$name -j MARK \ + --set-xmark $from/$frommask + run ip46tables -t mangle -A mark-to-$name -j MARK \ + --set-xmark $to/$tomask ;; esac netclassindex=$(( $netclassindex + 1 )) diff --git a/icmp.m4 b/icmp.m4 index 3de0483..93c2973 100644 --- a/icmp.m4 +++ b/icmp.m4 @@ -30,21 +30,15 @@ clearchain check-icmp ## Ping needs inspecting on a host-by-host basis. for type in echo-request echo-reply; do run iptables -A check-icmp -p icmp --icmp-type $type -j RETURN + run ip6tables -A check-icmp -p icmpv6 --icmpv6-type $type -j RETURN done -## Certainly don't allow ping to broadcast addresses. -run iptables -A check-icmp -g forbidden \ - -p icmp --icmp-type echo-request \ - -m addrtype --dst-type BROADCAST - m4_divert(58)m4_dnl ## Other ICMP is basically benign, we claim. -run iptables -A check-icmp -j ACCEPT +run ip46tables -A check-icmp -j ACCEPT ## Done. -for i in INPUT FORWARD; do - run iptables -A $i -p icmp -j check-icmp -done +for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done m4_divert(-1) ###----- That's all, folks -------------------------------------------------- diff --git a/local.m4 b/local.m4 index 4385223..c479ed8 100644 --- a/local.m4 +++ b/local.m4 @@ -35,10 +35,12 @@ m4_divert(-1) ## Define the available network classes. m4_divert(42)m4_dnl -defnetclass untrusted untrusted trusted -defnetclass trusted untrusted trusted safe noloop -defnetclass safe trusted safe noloop -defnetclass noloop trusted safe +defnetclass untrusted untrusted trusted mcast +defnetclass trusted untrusted trusted safe noloop mcast +defnetclass safe trusted safe noloop mcast +defnetclass noloop trusted safe mcast +defnetclass link +defnetclass mcast m4_divert(-1) m4_divert(26)m4_dnl @@ -162,7 +164,7 @@ case $forward in run iptables -A fwd-spec-nofrag -j RETURN --fragment run ip6tables -A fwd-spec-nofrag -j RETURN \ -m ipv6header --soft --header frag - run iptables -A FORWARD -j fwd-spec-nofrag + run ip46tables -A FORWARD -j fwd-spec-nofrag ## Allow ping from safe/noloop to untrusted networks. run iptables -A fwd-spec-nofrag -j ACCEPT \ @@ -173,10 +175,10 @@ case $forward in -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-request \ + -p icmpv6 --icmpv6-type echo-request \ -m mark --mark $to_untrusted/$MASK_TO run ip6tables -A fwd-spec-nofrag -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-reply \ + -p icmpv6 --icmpv6-type echo-reply \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED @@ -237,22 +239,6 @@ run iptables -A inbound -j ACCEPT \ -s 172.29.198.0/23 \ -p udp --source-port $port_bootpc --destination-port $port_bootps -## Incoming multicast on a network interface associated with a trusted -## network is OK, since it must have originated there (or been forwarded, but -## we don't do that yet). -seen=:-: -for net in $allnets; do - eval class=\$net_class_$net - case $class in trusted) ;; *) continue ;; esac - for iface in $(net_interfaces FWHOST $net); do - case "$seen" in *:$iface:*) continue ;; esac - seen=$seen$iface: - run iptables -A inbound -j ACCEPT \ - -s 0.0.0.0 -d 224.0.0.0/24 \ - -i $iface - done -done - ## Allow incoming ping. This is the only ICMP left. run ip46tables -A inbound -j ACCEPT -p icmp @@ -265,12 +251,9 @@ run ip46tables -A inbound -j forbidden run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound ## Otherwise process as indicated by the mark. -run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT -case $forward in - 1) - run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT - ;; -esac +for i in $inchains; do + run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT +done m4_divert(-1) ###----- That's all, folks -------------------------------------------------- diff --git a/vampire.m4 b/vampire.m4 index 4e00a49..acd2008 100644 --- a/vampire.m4 +++ b/vampire.m4 @@ -48,8 +48,8 @@ allowservices inbound udp \ ## Extend some services to local untrusted hosts. clearchain inbound-untrusted -run iptables -A inbound -j inbound-untrusted \ - -s 172.29.198.0/24 +run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted +run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted allowservices inbound-untrusted tcp \ dns \