[firewall] / bookends.m4

### -*-sh-*-
###
### Initialization and finishing touches for firewall scripts
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

m4_divert(30)m4_dnl
###--------------------------------------------------------------------------
### Clear existing firewall rules.

## The main chains: set policy to drop, and then clear the rules.  For a
## while, incoming packets will be silently dropped, but we should have got
## everything going before anyone actually hits a timeout.
##
## We don't control some of the chains, so we should preserve them.  This
## introduces a whole bunch of problems.

## Chains we're meant to preserve
preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"

## Take the various IP versions in turn.
unref=nil
for ip in ip ip6; do
  if [ "$FW_NOACT" ]; then break; fi

  for table in $(cat /proc/net/${ip}_tables_names); do

    ## Step 1: clear out the builtin chains.
    ${ip}tables -nL -t $table |
    sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
    while read chain; do
      case $table in
	nat) policy=ACCEPT ;;
	*) policy=DROP ;;
      esac
      run ${ip}tables -t $table -P $chain $policy
      run ${ip}tables -t $table -F $chain
    done

    ## Step 2: clear out user chains.  Unfortunately, we can only clear
    ## chains which have no references to them, so work through picking off
    ## unreferenced chains which aren't meant to be preserved until there are
    ## none left.
    while :; do
      progress=nil
      ${ip}tables -nL -t $table |
      sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \
	>/var/run/firewall-chains.tmp
      while read chain; do
	match=nil
	for pat in $preserve_chains; do
	  case "$table:$chain" in $pat) match=t ;; esac
	done
	case $match in
	  nil)
	    run ${ip}tables -t $table -F $chain
	    run ${ip}tables -t $table -X $chain
	    progress=t
	    ;;
	esac
      done </var/run/firewall-chains.tmp
      case $progress in nil) break ;; esac
    done

    ## Step 3: report on uncleared user chains.  This means that there's a
    ## serious problem.
    ${ip}tables -nL -t $table |
    sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \
      >/var/run/firewall-chains.tmp
    while read chain refs; do
      match=nil
      for pat in $preserve_chains; do
	case "$table:$chain" in $pat) match=t ;; esac
      done
      case $match in
	nil)
	  echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'"
	  unref=t
	  ;;
      esac
    done </var/run/firewall-chains.tmp
  done
done
rm -f /var/run/firewall-chains.tmp
case $unref in t) exit 1 ;; esac

m4_divert(32)m4_dnl
###--------------------------------------------------------------------------
### Set safe IP options.

## Set forwarding options.  Apparently setting ip_forward clobbers other
## settings, so put this first.
case $host_type_<::>FWHOST in
  router) forward=1 host=0 ;;
  server) forward=0 host=0 ;;
  client) forward=0 host=1 ;;
esac
setopt ip_forward $forward
setdevopt forwarding $forward
for i in \
  accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
  accept_redirects
do
  setdevopt $i $host
done
case $forward in
  0) inchains="INPUT" ;;
  1) inchains="INPUT FORWARD" ;;
esac

## Set dynamic port allocation.
setopt ip_local_port_range $open_port_min $open_port_max

## Deploy SYN-cookies if necessary.
setopt tcp_syncookies 1

## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
setopt icmp_echo_ignore_broadcasts 0

## Turn off iptables filtering for bridges.  We'll use ebtables if we need
## to; but right now the model is that we do filtering at the borders, and
## are tolerant of things which are local.
if [ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]; then
  modprobe bridge || :
fi
if [ -d /proc/sys/net/bridge ]; then
  for filter in arptables iptables ip6tables; do
    run sysctl -q net.bridge.bridge-nf-call-$filter=0
  done
fi

## Turn off the reverse-path filter.  It's basically useless: the filter does
## nothing at all for single-homed hosts; and multi-homed hosts tend to have
## routing aysmmetries if there's any kind of cycle.
setdevopt rp_filter 0
setdevopt log_martians 0

## Turn off things which can mess with our routing decisions.
setdevopt accept_source_route 0
setdevopt secure_redirects 1

## If we're maent to stop the firewall, then now is the time to do it.
$exit_after_clearing

m4_divert(34)m4_dnl
###--------------------------------------------------------------------------
### Establish error chains.

errorchain forbidden REJECT
## Generic `not allowed' chain.

errorchain tcp-fragment REJECT
## Chain for logging fragmented TCP segements.

errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
## Bad TCP segments (e.g., for unknown connections).  Sends a TCP reset.

errorchain mangle:bad-source-address DROP
errorchain bad-source-address DROP
## Packet arrived on wrong interface for its source address.  Drops the
## packet, since there's nowhere sensible to send an error.

errorchain dns-rate-limit DROP
## Dropped incoming DNS query due to rate limiting.  The source address is
## suspicious, so don't produce ICMP.

errorchain bad-destination-address REJECT
## Packet arrived on non-loopback interface with loopback destination.

errorchain interesting ACCEPT
## Not an error, just log interesting packets.

m4_divert(50)m4_dnl
###--------------------------------------------------------------------------
### Standard filtering.

## Don't clobber local traffic
run ip46tables -A INPUT -i lo -j ACCEPT

## We really shouldn't see packets destined for localhost on any interface
## other than the loopback.
run iptables -A INPUT -g bad-destination-address \
	-d 127.0.0.0/8
run ip6tables -A INPUT -g bad-destination-address \
	-d ::1

## We shouldn't be asked to forward things with link-local addresses.
case $forward in
  1)
    run iptables -A FORWARD -g bad-source-address \
	    -s 169.254.0.0/16
    run iptables -A FORWARD -g bad-destination-address \
	    -d 169.254.0.0/16
    run ip6tables -A FORWARD -g bad-source-address \
	    -s fe80::/10
    run ip6tables -A FORWARD -g bad-destination-address \
	    -d fe80::/10
    ;;
esac

## Also, don't forward link-local broadcast or multicast.
case $forward in
  1)
    run iptables -A FORWARD -g bad-destination-address \
	    -d 255.255.255.255
    run iptables -A FORWARD -g bad-destination-address \
	    -m addrtype --dst-type BROADCAST
    run iptables -A FORWARD -g bad-destination-address \
	    -d 224.0.0.0/24
    clearchain check-fwd-multi
    for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
      run ip6tables -A check-fwd-multi -g bad-destination-address \
	    -d ff${x}2::/16
    done
    run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
    ;;
esac

## Add a hook for fail2ban.
clearchain fail2ban
run ip46tables -A INPUT -j fail2ban

m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
### Finishing touches.

m4_divert(94)m4_dnl
## Locally generated packets are all OK.
run ip46tables -P OUTPUT ACCEPT

## Other incoming things are forbidden.
for chain in INPUT FORWARD; do
  run ip46tables -A $chain -g forbidden
done

## Allow stuff through unknown tables.
for ip in ip ip6; do
  for table in $(cat /proc/net/${ip}_tables_names); do
    case $table in mangle | filter) continue ;; esac
    ${ip}tables -nL -t $table |
    sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
    while read chain; do
      run ${ip}tables -t $table -P $chain ACCEPT
    done
  done
done

## Dump the resulting configuration.
if [ "$FW_DEBUG" ]; then
  for ip in ip ip6; do
    for table in mangle filter; do
      echo "----- $ip $table -----"
      echo
      ${ip}tables -t $table -nvL
      echo
    done
  done
fi

m4_divert(-1)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
775bd287	1	### --sh--
bfdc045d MW	2	###
	3	### Initialization and finishing touches for firewall scripts
	4	###
	5	### (c) 2008 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	m4_divert(30)m4_dnl
	25	###--------------------------------------------------------------------------
	26	### Clear existing firewall rules.
	27
	28	## The main chains: set policy to drop, and then clear the rules. For a
	29	## while, incoming packets will be silently dropped, but we should have got
	30	## everything going before anyone actually hits a timeout.
42dae9ae MW	31	##
	32	## We don't control some of the chains, so we should preserve them. This
	33	## introduces a whole bunch of problems.
	34
	35	## Chains we're meant to preserve
	36	preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
	37
	38	## Take the various IP versions in turn.
	39	unref=nil
	40	for ip in ip ip6; do
fb7845a8 MW	41	if [ "$FW_NOACT" ]; then break; fi
fb7845a8 MW	42
42dae9ae MW	43	for table in $(cat /proc/net/${ip}_tables_names); do
	44
	45	## Step 1: clear out the builtin chains.
	46	${ip}tables -nL -t $table \|
	47	sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' \|
	48	while read chain; do
	49	case $table in
	50	nat) policy=ACCEPT ;;
	51	*) policy=DROP ;;
	52	esac
	53	run ${ip}tables -t $table -P $chain $policy
	54	run ${ip}tables -t $table -F $chain
	55	done
	56
	57	## Step 2: clear out user chains. Unfortunately, we can only clear
	58	## chains which have no references to them, so work through picking off
	59	## unreferenced chains which aren't meant to be preserved until there are
	60	## none left.
	61	while :; do
	62	progress=nil
	63	${ip}tables -nL -t $table \|
	64	sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \
	65	>/var/run/firewall-chains.tmp
	66	while read chain; do
	67	match=nil
	68	for pat in $preserve_chains; do
	69	case "$table:$chain" in $pat) match=t ;; esac
	70	done
	71	case $match in
	72	nil)
	73	run ${ip}tables -t $table -F $chain
	74	run ${ip}tables -t $table -X $chain
	75	progress=t
	76	;;
	77	esac
	78	done </var/run/firewall-chains.tmp
	79	case $progress in nil) break ;; esac
	80	done
	81
	82	## Step 3: report on uncleared user chains. This means that there's a
	83	## serious problem.
	84	${ip}tables -nL -t $table \|
	85	sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \
	86	>/var/run/firewall-chains.tmp
	87	while read chain refs; do
	88	match=nil
	89	for pat in $preserve_chains; do
	90	case "$table:$chain" in $pat) match=t ;; esac
	91	done
	92	case $match in
	93	nil)
	94	echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'"
	95	unref=t
	96	;;
	97	esac
	98	done </var/run/firewall-chains.tmp
bfdc045d	99	done
bfdc045d	100	done
42dae9ae MW	101	rm -f /var/run/firewall-chains.tmp
42dae9ae MW	102	case $unref in t) exit 1 ;; esac
bfdc045d MW	103
	104	m4_divert(32)m4_dnl
	105	###--------------------------------------------------------------------------
	106	### Set safe IP options.
	107
	108	## Set forwarding options. Apparently setting ip_forward clobbers other
	109	## settings, so put this first.
78af294c	110	case $host_type_<::>FWHOST in
64de9249 MW	111	router) forward=1 host=0 ;;
	112	server) forward=0 host=0 ;;
	113	client) forward=0 host=1 ;;
78af294c	114	esac
bfdc045d MW	115	setopt ip_forward $forward
bfdc045d MW	116	setdevopt forwarding $forward
64de9249	117	for i in \
51988d08 MW	118	accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
51988d08 MW	119	accept_redirects
64de9249 MW	120	do
	121	setdevopt $i $host
	122	done
f0033e07 MW	123	case $forward in
	124	0) inchains="INPUT" ;;
	125	1) inchains="INPUT FORWARD" ;;
	126	esac
bfdc045d MW	127
	128	## Set dynamic port allocation.
	129	setopt ip_local_port_range $open_port_min $open_port_max
	130
	131	## Deploy SYN-cookies if necessary.
	132	setopt tcp_syncookies 1
	133
c8d422ec MW	134	## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
	135	setopt icmp_echo_ignore_broadcasts 0
	136
429f4314 MW	137	## Turn off iptables filtering for bridges. We'll use ebtables if we need
	138	## to; but right now the model is that we do filtering at the borders, and
	139	## are tolerant of things which are local.
5cadbadd	140	if [ -x /sbin/brctl ] \|\| [ -x /usr/sbin/brctl ]; then
6d47692a	141	modprobe bridge \|\| :
5cadbadd MW	142	fi
	143	if [ -d /proc/sys/net/bridge ]; then
	144	for filter in arptables iptables ip6tables; do
	145	run sysctl -q net.bridge.bridge-nf-call-$filter=0
	146	done
6d47692a	147	fi
429f4314	148
78af294c MW	149	## Turn off the reverse-path filter. It's basically useless: the filter does
	150	## nothing at all for single-homed hosts; and multi-homed hosts tend to have
	151	## routing aysmmetries if there's any kind of cycle.
	152	setdevopt rp_filter 0
	153	setdevopt log_martians 0
bfdc045d MW	154
	155	## Turn off things which can mess with our routing decisions.
	156	setdevopt accept_source_route 0
51988d08	157	setdevopt secure_redirects 1
bfdc045d MW	158
	159	## If we're maent to stop the firewall, then now is the time to do it.
	160	$exit_after_clearing
	161
	162	m4_divert(34)m4_dnl
	163	###--------------------------------------------------------------------------
	164	### Establish error chains.
	165
0291d6d5 MW	166	errorchain forbidden REJECT
0291d6d5 MW	167	## Generic `not allowed' chain.
bfdc045d	168
0291d6d5 MW	169	errorchain tcp-fragment REJECT
0291d6d5 MW	170	## Chain for logging fragmented TCP segements.
bfdc045d MW	171
	172	errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
	173	## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset.
	174
	175	errorchain mangle:bad-source-address DROP
0291d6d5	176	errorchain bad-source-address DROP
bfdc045d MW	177	## Packet arrived on wrong interface for its source address. Drops the
	178	## packet, since there's nowhere sensible to send an error.
	179
7dde20fa MW	180	errorchain dns-rate-limit DROP
	181	## Dropped incoming DNS query due to rate limiting. The source address is
	182	## suspicious, so don't produce ICMP.
	183
0291d6d5 MW	184	errorchain bad-destination-address REJECT
0291d6d5 MW	185	## Packet arrived on non-loopback interface with loopback destination.
f381cc0a	186
bfdc045d MW	187	errorchain interesting ACCEPT
	188	## Not an error, just log interesting packets.
	189
a4d8cae3	190	m4_divert(50)m4_dnl
bfdc045d	191	###--------------------------------------------------------------------------
f543dab7	192	### Standard filtering.
bfdc045d	193
f381cc0a	194	## Don't clobber local traffic
0291d6d5	195	run ip46tables -A INPUT -i lo -j ACCEPT
bfdc045d	196
f381cc0a MW	197	## We really shouldn't see packets destined for localhost on any interface
	198	## other than the loopback.
	199	run iptables -A INPUT -g bad-destination-address \
	200	-d 127.0.0.0/8
0291d6d5 MW	201	run ip6tables -A INPUT -g bad-destination-address \
	202	-d ::1
	203
	204	## We shouldn't be asked to forward things with link-local addresses.
78af294c MW	205	case $forward in
	206	1)
	207	run iptables -A FORWARD -g bad-source-address \
	208	-s 169.254.0.0/16
	209	run iptables -A FORWARD -g bad-destination-address \
	210	-d 169.254.0.0/16
	211	run ip6tables -A FORWARD -g bad-source-address \
	212	-s fe80::/10
	213	run ip6tables -A FORWARD -g bad-destination-address \
	214	-d fe80::/10
	215	;;
	216	esac
f381cc0a	217
429f4314	218	## Also, don't forward link-local broadcast or multicast.
78af294c MW	219	case $forward in
	220	1)
	221	run iptables -A FORWARD -g bad-destination-address \
	222	-d 255.255.255.255
	223	run iptables -A FORWARD -g bad-destination-address \
	224	-m addrtype --dst-type BROADCAST
	225	run iptables -A FORWARD -g bad-destination-address \
	226	-d 224.0.0.0/24
e6d64b67	227	clearchain check-fwd-multi
78af294c	228	for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
e6d64b67 MW	229	run ip6tables -A check-fwd-multi -g bad-destination-address \
e6d64b67 MW	230	-d ff${x}2::/16
78af294c	231	done
fb7845a8	232	run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
78af294c MW	233	;;
78af294c MW	234	esac
429f4314	235
f543dab7 MW	236	## Add a hook for fail2ban.
	237	clearchain fail2ban
	238	run ip46tables -A INPUT -j fail2ban
	239
bfdc045d MW	240	m4_divert(90)m4_dnl
	241	###--------------------------------------------------------------------------
	242	### Finishing touches.
	243
	244	m4_divert(94)m4_dnl
	245	## Locally generated packets are all OK.
c1c877c2	246	run ip46tables -P OUTPUT ACCEPT
bfdc045d MW	247
	248	## Other incoming things are forbidden.
	249	for chain in INPUT FORWARD; do
c1c877c2	250	run ip46tables -A $chain -g forbidden
bfdc045d MW	251	done
bfdc045d MW	252
86c975b5 MW	253	## Allow stuff through unknown tables.
	254	for ip in ip ip6; do
	255	for table in $(cat /proc/net/${ip}_tables_names); do
	256	case $table in mangle \| filter) continue ;; esac
	257	${ip}tables -nL -t $table \|
	258	sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' \|
	259	while read chain; do
	260	run ${ip}tables -t $table -P $chain ACCEPT
	261	done
	262	done
	263	done
	264
d8852323 MW	265	## Dump the resulting configuration.
	266	if [ "$FW_DEBUG" ]; then
	267	for ip in ip ip6; do
	268	for table in mangle filter; do
	269	echo "----- $ip $table -----"
	270	echo
	271	${ip}tables -t $table -nvL
	272	echo
	273	done
	274	done
	275	fi
	276
bfdc045d MW	277	m4_divert(-1)
bfdc045d MW	278	###----- That's all, folks --------------------------------------------------