| 1 | ### -*-sh-*- |
| 2 | ### |
| 3 | ### Local firewall configuration |
| 4 | ### |
| 5 | ### (c) 2008 Mark Wooding |
| 6 | ### |
| 7 | |
| 8 | ###----- Licensing notice --------------------------------------------------- |
| 9 | ### |
| 10 | ### This program is free software; you can redistribute it and/or modify |
| 11 | ### it under the terms of the GNU General Public License as published by |
| 12 | ### the Free Software Foundation; either version 2 of the License, or |
| 13 | ### (at your option) any later version. |
| 14 | ### |
| 15 | ### This program is distributed in the hope that it will be useful, |
| 16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | ### GNU General Public License for more details. |
| 19 | ### |
| 20 | ### You should have received a copy of the GNU General Public License |
| 21 | ### along with this program; if not, write to the Free Software Foundation, |
| 22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 23 | |
| 24 | ###-------------------------------------------------------------------------- |
| 25 | ### Local configuration. |
| 26 | |
| 27 | m4_divert(6)m4_dnl |
| 28 | ## Default NTP servers. |
| 29 | defconf(ntp_servers, |
| 30 | "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232") |
| 31 | |
| 32 | m4_divert(-1) |
| 33 | ###-------------------------------------------------------------------------- |
| 34 | ### Packet classification. |
| 35 | |
| 36 | ## Define the available network classes. |
| 37 | m4_divert(42)m4_dnl |
| 38 | defnetclass untrusted untrusted trusted |
| 39 | defnetclass trusted untrusted trusted safe noloop |
| 40 | defnetclass safe trusted safe noloop |
| 41 | defnetclass noloop trusted safe |
| 42 | m4_divert(-1) |
| 43 | |
| 44 | m4_divert(26)m4_dnl |
| 45 | ###-------------------------------------------------------------------------- |
| 46 | ### Network layout. |
| 47 | |
| 48 | ## House networks. |
| 49 | defnet dmz trusted |
| 50 | addr 62.49.204.144/28 2001:470:1f09:1b98::/64 |
| 51 | forwards unsafe untrusted |
| 52 | defnet unsafe trusted |
| 53 | addr 172.29.199.0/25 2001:470:9740:1::/64 |
| 54 | forwards househub |
| 55 | defnet safe safe |
| 56 | addr 172.29.199.192/27 2001:470:9740:4001::/64 |
| 57 | forwards househub |
| 58 | defnet untrusted untrusted |
| 59 | addr 172.29.198.0/25 2001:470:9740:8001::/64 |
| 60 | forwards househub |
| 61 | defnet vpn safe |
| 62 | addr 172.29.199.128/27 2001:ba8:1d9:6000::/64 |
| 63 | forwards househub colohub |
| 64 | host crybaby 1 |
| 65 | host terror 2 |
| 66 | defnet iodine untrusted |
| 67 | addr 172.29.198.128/28 |
| 68 | |
| 69 | defnet househub virtual |
| 70 | forwards housebdry dmz unsafe safe untrusted |
| 71 | defnet housebdry virtual |
| 72 | forwards househub hub |
| 73 | noxit dmz |
| 74 | |
| 75 | ## House hosts. |
| 76 | defhost radius |
| 77 | router |
| 78 | iface eth0 dmz unsafe safe |
| 79 | iface eth1 dmz unsafe safe |
| 80 | iface eth2 safe |
| 81 | iface eth3 untrusted |
| 82 | defhost roadstar |
| 83 | iface eth0 dmz unsafe |
| 84 | iface eth1 dmz unsafe |
| 85 | defhost jem |
| 86 | iface eth0 dmz unsafe |
| 87 | iface eth1 dmz unsafe |
| 88 | defhost artist |
| 89 | iface eth0 dmz unsafe |
| 90 | iface eth1 dmz unsafe |
| 91 | defhost vampire |
| 92 | router |
| 93 | iface eth0.0 dmz unsafe safe |
| 94 | iface eth0.1 dmz unsafe safe |
| 95 | iface eth0.2 safe |
| 96 | iface eth0.3 untrusted |
| 97 | iface dns0 dns |
| 98 | iface vpn-+ vpn |
| 99 | iface vpn-precision colobdry vpn |
| 100 | defhost ibanez |
| 101 | iface br-dmz dmz unsafe |
| 102 | iface br-unsafe unsafe |
| 103 | |
| 104 | defhost gibson |
| 105 | iface eth0 unsafe |
| 106 | |
| 107 | ## Colocated networks. |
| 108 | defnet jump trusted |
| 109 | addr 212.13.198.64/28 2001:ba8:0:1d9::/64 |
| 110 | forwards colohub |
| 111 | defnet colo trusted |
| 112 | addr 172.29.199.176/28 2001:ba8:1d9:2::/64 |
| 113 | forwards colohub |
| 114 | defnet colohub virtual |
| 115 | forwards colobdry jump colo |
| 116 | defnet colobdry virtual |
| 117 | forwards colohub hub |
| 118 | noxit jump |
| 119 | |
| 120 | ## Colocated hosts. |
| 121 | defhost fender |
| 122 | iface br-jump jump colo |
| 123 | iface br-colo jump colo |
| 124 | defhost precision |
| 125 | router |
| 126 | iface eth0 jump colo |
| 127 | iface eth1 jump colo |
| 128 | iface vpn-+ vpn |
| 129 | iface vpn-vampire housebdry vpn |
| 130 | defhost telecaster |
| 131 | iface eth0 jump colo |
| 132 | iface eth1 jump colo |
| 133 | defhost stratocaster |
| 134 | iface eth0 jump colo |
| 135 | iface eth1 jump colo |
| 136 | defhost jazz |
| 137 | iface eth0 jump colo |
| 138 | iface eth1 jump colo |
| 139 | |
| 140 | ## Other networks. |
| 141 | defnet hub virtual |
| 142 | forwards housebdry colobdry |
| 143 | defnet default untrusted |
| 144 | addr 62.49.204.144/28 2001:470:1f09:1b98::/64 |
| 145 | addr 212.13.198.64/28 2001:ba8:0:1d9::/64 |
| 146 | addr 2001:ba8:1d9::/48 #temporary |
| 147 | forwards dmz untrusted unsafe jump colo |
| 148 | |
| 149 | m4_divert(80)m4_dnl |
| 150 | ###-------------------------------------------------------------------------- |
| 151 | ### Special forwarding exemptions. |
| 152 | |
| 153 | case $forward in |
| 154 | 1) |
| 155 | |
| 156 | ## Only allow these packets if they're not fragmented. (Don't trust safe |
| 157 | ## hosts's fragment reassembly to be robust against malicious fragments.) |
| 158 | ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning |
| 159 | ## of `! -f', so we do the negation using early return from a subchain. |
| 160 | clearchain fwd-spec-nofrag |
| 161 | run iptables -A fwd-spec-nofrag -j RETURN --fragment |
| 162 | run ip6tables -A fwd-spec-nofrag -j RETURN \ |
| 163 | -m ipv6header --soft --header frag |
| 164 | run iptables -A FORWARD -j fwd-spec-nofrag |
| 165 | |
| 166 | ## Allow ping from safe/noloop to untrusted networks. |
| 167 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 168 | -p icmp --icmp-type echo-request \ |
| 169 | -m mark --mark $to_untrusted/$MASK_TO |
| 170 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 171 | -p icmp --icmp-type echo-reply \ |
| 172 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 173 | -m state --state ESTABLISHED |
| 174 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 175 | -p ipv6-icmp --icmpv6-type echo-request \ |
| 176 | -m mark --mark $to_untrusted/$MASK_TO |
| 177 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 178 | -p ipv6-icmp --icmpv6-type echo-reply \ |
| 179 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 180 | -m state --state ESTABLISHED |
| 181 | |
| 182 | ## Allow SSH from safe/noloop to untrusted networks. |
| 183 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 184 | -p tcp --destination-port $port_ssh \ |
| 185 | -m mark --mark $to_untrusted/$MASK_TO |
| 186 | run iptables -A fwd-spec-nofrag -j ACCEPT \ |
| 187 | -p tcp --source-port $port_ssh \ |
| 188 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 189 | -m state --state ESTABLISHED |
| 190 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 191 | -p tcp --destination-port $port_ssh \ |
| 192 | -m mark --mark $to_untrusted/$MASK_TO |
| 193 | run ip6tables -A fwd-spec-nofrag -j ACCEPT \ |
| 194 | -p tcp --source-port $port_ssh \ |
| 195 | -m mark --mark $from_untrusted/$MASK_FROM \ |
| 196 | -m state --state ESTABLISHED |
| 197 | |
| 198 | ;; |
| 199 | esac |
| 200 | |
| 201 | m4_divert(80)m4_dnl |
| 202 | ###-------------------------------------------------------------------------- |
| 203 | ### Kill things we don't understand properly. |
| 204 | ### |
| 205 | ### I don't like having to do this, but since I don't know how to do proper |
| 206 | ### multicast filtering, I'm just going to ban it from being forwarded. |
| 207 | |
| 208 | errorchain poorly-understood REJECT |
| 209 | |
| 210 | ## Ban multicast destination addresses in forwarding. |
| 211 | case $forward in |
| 212 | 1) |
| 213 | run iptables -A FORWARD -g poorly-understood \ |
| 214 | -d 224.0.0.0/4 |
| 215 | run ip6tables -A FORWARD -g poorly-understood \ |
| 216 | -d ff::/8 |
| 217 | ;; |
| 218 | esac |
| 219 | |
| 220 | m4_divert(84)m4_dnl |
| 221 | ###-------------------------------------------------------------------------- |
| 222 | ### Locally-bound packet inspection. |
| 223 | |
| 224 | clearchain inbound |
| 225 | |
| 226 | ## Track connections. |
| 227 | commonrules inbound |
| 228 | conntrack inbound |
| 229 | |
| 230 | ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a |
| 231 | ## local request. |
| 232 | run iptables -A inbound -j ACCEPT \ |
| 233 | -s 0.0.0.0 -d 255.255.255.255 \ |
| 234 | -p udp --source-port $port_bootpc --destination-port $port_bootps |
| 235 | run iptables -A inbound -j ACCEPT \ |
| 236 | -s 172.29.198.0/23 \ |
| 237 | -p udp --source-port $port_bootpc --destination-port $port_bootps |
| 238 | |
| 239 | ## Incoming multicast on a network interface associated with a trusted |
| 240 | ## network is OK, since it must have originated there (or been forwarded, but |
| 241 | ## we don't do that yet). |
| 242 | seen=:-: |
| 243 | for net in $allnets; do |
| 244 | eval class=\$net_class_$net |
| 245 | case $class in trusted) ;; *) continue ;; esac |
| 246 | for iface in $(net_interfaces FWHOST $net); do |
| 247 | case "$seen" in *:$iface:*) continue ;; esac |
| 248 | seen=$seen$iface: |
| 249 | run iptables -A inbound -j ACCEPT \ |
| 250 | -s 0.0.0.0 -d 224.0.0.0/24 \ |
| 251 | -i $iface |
| 252 | done |
| 253 | done |
| 254 | |
| 255 | ## Allow incoming ping. This is the only ICMP left. |
| 256 | run ip46tables -A inbound -j ACCEPT -p icmp |
| 257 | |
| 258 | m4_divert(88)m4_dnl |
| 259 | ## Allow unusual things. |
| 260 | openports inbound |
| 261 | |
| 262 | ## Inspect inbound packets from untrusted sources. |
| 263 | run ip46tables -A inbound -j forbidden |
| 264 | run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound |
| 265 | |
| 266 | ## Otherwise process as indicated by the mark. |
| 267 | run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT |
| 268 | case $forward in |
| 269 | 1) |
| 270 | run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT |
| 271 | ;; |
| 272 | esac |
| 273 | |
| 274 | m4_divert(-1) |
| 275 | ###----- That's all, folks -------------------------------------------------- |