From ecdca1312d3214c5039e7f783330a90bbfeae2db Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Thu, 15 Apr 2010 15:49:49 +0100
Subject: [PATCH] functions.m4, local.m4: Handle fragments in a useful way.

Add a function for defining standard rules on a chain: currently it only provides fragment-handling policy.

The fragment policy is to pass fragments unmolested, except for TCP. An IP stack which can't reassemble fragments safely needs more protection than we can provide here.

Note that this only affects `inbound' chains. The forwarding rules don't usually work at the level of individual ports, so this is OK; the ones that do have been nobbled to refuse IP fragments.
---
 functions.m4 | 14 ++++++++++++++
 local.m4 | 9 +++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/functions.m4 b/functions.m4
index 80caf1d..85afc10 100644
--- a/functions.m4
+++ b/functions.m4
@@ -126,6 +126,20 @@ conntrack () {
 run iptables -A $chain -p tcp ! --syn -g bad-tcp
 }
+## commonrules CHAIN
+##
+## Add standard IP filtering rules to the CHAIN.
+commonrules () {
+ set -e
+ chain=$1
+
+ ## Pass fragments through, assuming that the eventual destination will sort
+ ## things out properly. Except for TCP, that is, which should never be
+ ## fragmented.
+ run iptables -A $chain -p tcp -f -g tcp-fragment
+ run iptables -A $chain -f -j ACCEPT
+}
+
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
diff --git a/local.m4 b/local.m4
index 56c2253..2b1b898 100644
--- a/local.m4
+++ b/local.m4
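Review bot: The `-f` matches in commonrules only ever see second-and-later fragments, and on a host where connection tracking is loaded (which the `conntrack inbound` call and the `-m state` matches elsewhere in this patch suggest is the case) the kernel reassembles fragments before the filter table, so neither `run iptables -A $chain -p tcp -f -g tcp-fragment` nor the following `-f -j ACCEPT` rule will ever match and the header comment's promise to "pass fragments through" is misleading. I would extend the comment above the two rules with `## NB: -f matches only non-first fragments, and if nf_conntrack is loaded the kernel defragments before the filter table, so these rules only bite on a host without connection tracking.` The `tcp-fragment` chain reached via `-g` is not created in this hunk and is presumably defined elsewhere; that prerequisite belongs in the `## commonrules CHAIN` header as well. The tail of conntrack () shown as context starts outside the hunk.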
@@ -55,19 +55,19 @@ m4_divert(60)m4_dnl
 ## Allow ping from safe/noloop to untrusted networks.
 run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-request \
+ -p icmp ! -f --icmp-type echo-request \
 -m mark --mark $to_untrusted/$MASK_TO
 run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-reply \
+ -p icmp ! -f --icmp-type echo-reply \
 -m mark --mark $from_untrusted/$MASK_FROM \
 -m state --state ESTABLISHED
 ## Allow SSH from safe/noloop to untrusted networks.
 run iptables -A FORWARD -j ACCEPT \
- -p tcp --destination-port $port_ssh \
+ -p tcp ! -f --destination-port $port_ssh \
 -m mark --mark $to_untrusted/$MASK_TO
 run iptables -A FORWARD -j ACCEPT \
- -p tcp --source-port $port_ssh \
+ -p tcp ! -f --source-port $port_ssh \
 -m mark --mark $from_untrusted/$MASK_FROM \
 -m state --state ESTABLISHED
@@ -78,6 +78,7 @@ m4_divert(80)m4_dnl
 clearchain inbound
 ## Track connections.
+commonrules inbound
 conntrack inbound
 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
--
2.11.0
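Review bot: The `! -f` added to the four FORWARD rules is a statement of intent rather than a functional guard, because the `--icmp-type` and `--destination-port`/`--source-port` matches it sits beside already decline to match a non-first fragment (as far as I know the in-kernel tcp and icmp matches never match a fragment with a non-zero offset), and with connection tracking active fragments are reassembled before FORWARD in any case. That intent should be written down next to the rules so a later reader neither strips the `! -f` as a no-op nor assumes it is what keeps fragments out; a one-line comment before the ping stanza such as `## ! -f: refuse non-first fragments explicitly; the port/type matches would not see one anyway.` would do. The hunk starts mid-file (the header carries m4_divert(60) as context), so any neighbouring rules that might handle fragments are not visible here.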