From 94ce6e764e92676c1a7dea68820bcf198ea4c466 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Mon, 30 May 2022 22:15:24 +0100 Subject: [PATCH] local.m4, etc.: Establish `inbound-untrusted' chain and deploy. Quite a lot of the per-host files involve allowing local untrusted access to various services. This was being done with explicit network address ranges, which led to repetition of the rules for IPv4 and IPv6, or only permitting access through IPv4. Instead, introduce a new chain (actually promoted from `vampire.m4') for these local untrusted clients and replace the explicit address ranges. --- artist.m4 | 9 ++------- fender.m4 | 11 ++--------- ibanez.m4 | 11 ++--------- jem.m4 | 3 +-- local.m4 | 5 +++++ roadstar.m4 | 3 +-- vampire.m4 | 16 ++-------------- 7 files changed, 15 insertions(+), 43 deletions(-) diff --git a/artist.m4 b/artist.m4 index bc07708..23195aa 100644 --- a/artist.m4 +++ b/artist.m4 @@ -37,14 +37,9 @@ allowservices inbound udp \ i2p ## Allow smb and nmb to untrusted hosts. -run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ +run ip46tables -A inbound-untrusted -j ACCEPT \ -p udp -m multiport --destination-ports \ - $port_netbios_ns,$port_netbios_dgm -run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ - -p tcp -m multiport --destination-ports \ - $port_netbios_ssn,$port_microsoft_ds + $port_netbios_ns,$port_netbios_dgm ## Open ports for Rygel. run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 -p igmp diff --git a/fender.m4 b/fender.m4 index 07a441d..77a08fe 100644 --- a/fender.m4 +++ b/fender.m4 
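Review bot: The TCP half of the SMB rule is deleted rather than moved: the old `-p tcp ... $port_netbios_ssn,$port_microsoft_ds` rule on `inbound` gets no counterpart on `inbound-untrusted`, so after this change untrusted IPv4 and IPv6 clients are accepted only for the UDP NetBIOS name/datagram ports (nmb) and can no longer reach smbd on 139/445, while the comment above still says `## Allow smb and nmb to untrusted hosts.` If dropping TCP SMB is intended, the comment should say so; if not, add `run ip46tables -A inbound-untrusted -j ACCEPT \ -p tcp -m multiport --destination-ports \ $port_netbios_ssn,$port_microsoft_ds` after the UDP rule. The unchanged Rygel rule below stays `iptables`-only with `-s 172.29.198.0/23`, which is fine for IGMP but is the pattern the commit message sets out to retire, so a short comment there (`## IGMP is IPv4-only; the v6 Rygel rules live elsewhere`) would stop the next reader from "fixing" it.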
@@ -34,15 +34,8 @@ allowservices inbound tcp \ ntpclient inbound $ntp_servers ## Provide NTP service to untrusted clients. -run iptables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 172.29.198.0/23 -run ip6tables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 2001:ba8:1d9::/48 -run ip6tables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 2001:8b0:c92::/48 +run ip46tables -A inbound-untrusted -p udp -j ACCEPT \ + --source-port 123 --destination-port 123 ## Guaranteed black hole. Put this at the very front of the chain. run iptables -I INPUT -d 212.13.198.78 -j DROP diff --git a/ibanez.m4 b/ibanez.m4 index d70b46e..0708ed6 100644 --- a/ibanez.m4 +++ b/ibanez.m4 @@ -36,15 +36,8 @@ allowservices inbound udp \ ntpclient inbound $ntp_servers ## Provide NTP service to untrusted clients. -run iptables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 172.29.198.0/23 -run ip6tables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 2001:ba8:1d9::/48 -run ip6tables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 2001:8b0:c92::/48 +run ip46tables -A inbound-untrusted -p udp -j ACCEPT \ + --source-port 123 --destination-port 123 m4_divert(-1) ###----- That's all, folks -------------------------------------------------- diff --git a/jem.m4 b/jem.m4 index 4a9f9c6..5f79248 100644 --- a/jem.m4 +++ b/jem.m4 @@ -42,8 +42,7 @@ allowservices inbound tcp \ ## Provide DNS resolution to local untrusted hosts. for p in tcp udp; do - run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ + run ip46tables -A inbound -j ACCEPT \ -p $p --destination-port $port_dns done diff --git a/local.m4 b/local.m4 index c0874c5..dfaae8f 100644 --- a/local.m4 +++ b/local.m4 
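Review bot: The replacement narrows who gets NTP: the removed rules matched `172.29.198.0/23`, `2001:ba8:1d9::/48` and `2001:8b0:c92::/48`, but local.m4 in this patch sends only `172.29.198.0/24` and the `8000::/49` upper half of each IPv6 prefix into `inbound-untrusted`, so clients in 172.29.199.0/24 or the lower /49s silently lose NTP service. If those halves are the trusted nets and are accepted before `inbound` is entered, this is fine, but that is not visible here and deserves a sentence in the commit message or a comment such as `## Served via inbound-untrusted; trusted hosts are accepted before inbound.` The `--source-port 123` match is carried over unchanged; it only serves clients that bind port 123 themselves, so clients using an ephemeral source port on the untrusted net will still be refused, and if such clients exist the match should be dropped.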
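Review bot: This two-line NTP-server rule is now byte-identical in fender.m4, ibanez.m4 and vampire.m4 (where it has additionally lost its `run` prefix), which is the repetition the commit sets out to remove; since the files already call helpers such as `ntpclient` and `dnsserver`, a matching `ntpserver CHAIN` macro in local.m4 emitting `run ip46tables -A $1 -p udp -j ACCEPT --source-port 123 --destination-port 123` and a one-line `ntpserver inbound-untrusted` in each host file would keep the three in step. The same scope change as in fender.m4 applies here: the old `/23` and `/48` sources become whatever local.m4 routes into `inbound-untrusted`, which is the `/24` and the upper `/49`s only.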
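Review bot: The DNS rule in jem.m4 is now unrestricted: the `-s 172.29.198.0/24` match is removed but the rule is still appended to `inbound` rather than `inbound-untrusted`, unlike the otherwise identical change in roadstar.m4. local.m4 routes packets marked `$from_scary` through `inbound` as well, so this accepts TCP and UDP `$port_dns` from the scary side too, i.e. it makes jem an open resolver (and a reflection/amplification source) unless something earlier in `inbound` already drops that traffic, which is not visible here. The fix is the one-word change `run ip46tables -A inbound-untrusted -j ACCEPT \`. The enclosing `for p in tcp udp` loop lies fully inside the hunk.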
@@ -381,6 +381,7 @@ m4_divert(84)m4_dnl ### Locally-bound packet inspection. clearchain inbound +clearchain inbound-untrusted ## Track connections. commonrules inbound @@ -404,9 +405,13 @@ m4_divert(88)m4_dnl openports inbound ## Inspect inbound packets from untrusted sources. +run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted +run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted +run ip46tables -A inbound-untrusted -g forbidden run ip46tables -A inbound -g forbidden run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound +run iptables -A inbound -s 172.29.198.0/24 -j inbound-untrusted ## Allow responses from the scary outside world into the untrusted net, but ## don't let untrusted things run services. diff --git a/roadstar.m4 b/roadstar.m4 index 555e669..5485d00 100644 --- a/roadstar.m4 +++ b/roadstar.m4 @@ -35,8 +35,7 @@ allowservices inbound tcp \ ## Provide DNS resolution to local untrusted hosts. for p in tcp udp; do - run iptables -A inbound -j ACCEPT \ - -s 172.29.198.0/24 \ + run ip46tables -A inbound-untrusted -j ACCEPT \ -p $p --destination-port $port_dns done diff --git a/vampire.m4 b/vampire.m4 index 48d25b3..f134bb0 100644 --- a/vampire.m4 +++ b/vampire.m4 @@ -35,11 +35,6 @@ allowservices inbound udp \ gnutella_svc \ i2p -## Extend some services to local untrusted hosts. -clearchain inbound-untrusted -run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted -run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted - allowservices inbound-untrusted tcp \ dns \ lpd \ 
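Review bot: The IPv4 dispatch `run iptables -A inbound -s 172.29.198.0/24 -j inbound-untrusted` is appended after `run ip46tables -A inbound -g forbidden`, so, assuming `run` emits rules in source order, it is never reached: `-g` is a goto, and a RETURN from `forbidden` goes back to INPUT rather than to the next rule of `inbound`, which leaves every IPv4 untrusted client in `forbidden` and silently breaks the DNS/NTP/SMB rules the other files just moved onto `inbound-untrusted`. Move that line up beside the two `ip6tables` rules, before the `-g forbidden`, and use `-g inbound-untrusted` there too so v4 and v6 take the same path: `run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted`. The ranges are also hard-coded here while the code being removed from vampire.m4 used `$net_inet_untrusted` and `$net_inet6_untrusted` for the same purpose, and the v6 halves shrank from the whole `/48` to `8000::/49`; if those variables still exist, `-s $net_inet_untrusted` / `-s $net_inet6_untrusted` would keep a single definition and make the narrowing an explicit choice rather than a side effect.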
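Review bot: With `clearchain inbound-untrusted` and the two dispatch rules gone from this file, the remaining `allowservices inbound-untrusted tcp ...` block depends on local.m4 emitting `clearchain inbound-untrusted` (diversion 84) before this host's rules and `run ip46tables -A inbound-untrusted -g forbidden` (diversion 88) after them; the diversion this host block lives in is not visible in the hunk, and if it is emitted at or after 88 every per-host `inbound-untrusted` rule lands behind the goto and is dead. A one-line comment here, `## inbound-untrusted is created and dispatched to by local.m4; per-host rules must precede its trailing -g forbidden`, would make that ordering contract explicit for the next host file that copies this pattern. The `allowservices` call continues past the end of the hunk.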
@@ -63,15 +58,8 @@ dnsserver inbound ntpclient inbound $ntp_servers ## Provide NTP service to untrusted clients. -run iptables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 172.29.198.0/23 -run ip6tables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 2001:ba8:1d9::/48 -run ip6tables -A inbound -p udp -j ACCEPT \ - --source-port 123 --destination-port 123 \ - -s 2001:8b0:c92::/48 +ip46tables -A inbound-untrusted -p udp -j ACCEPT \ + --source-port 123 --destination-port 123 m4_divert(-1) ###----- That's all, folks -------------------------------------------------- -- 2.11.0
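Review bot: The new NTP rule `ip46tables -A inbound-untrusted -p udp -j ACCEPT \` is missing the `run` prefix that every other rule in this patch, including the same rule in fender.m4 and ibanez.m4, uses, so whatever `run` provides (logging, dry-run handling, error checking) is bypassed for this one rule, and if `run` also supplies the command path or privilege context the line fails at deploy time. Change it to `run ip46tables -A inbound-untrusted -p udp -j ACCEPT \`. As in fender.m4, the sources served shrink from `172.29.198.0/23` and the two `/48`s to whatever local.m4 routes into `inbound-untrusted`, which should be called out in the commit message if it is deliberate.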