3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
36 ## Define the available network classes.
38 defnetclass untrusted untrusted trusted mcast
39 defnetclass trusted untrusted trusted safe noloop mcast
40 defnetclass safe trusted safe noloop mcast
41 defnetclass noloop trusted safe mcast
47 ###--------------------------------------------------------------------------
52 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
53 forwards unsafe untrusted
55 addr 172.29.199.0/25 2001:470:9740:1::/64
58 addr 172.29.199.192/27 2001:470:9740:4001::/64
60 defnet untrusted untrusted
61 addr 172.29.198.0/25 2001:470:9740:8001::/64
63 defnet iodine untrusted
64 addr 172.29.198.128/28
66 defnet househub virtual
67 forwards housebdry dmz unsafe safe untrusted
68 defnet housebdry virtual
75 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
76 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
77 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
78 iface eth3 untrusted vpn default
80 iface vpn-precision colobdry vpn sgo
96 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
97 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
98 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
99 iface eth0.7 untrusted
101 iface vpn-precision colobdry vpn sgo
105 iface br-dmz dmz unsafe
106 iface br-unsafe unsafe
112 ## Colocated networks.
114 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
117 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
119 defnet colohub virtual
120 forwards colobdry jump colo
121 defnet colobdry virtual
127 iface br-jump jump colo
128 iface br-colo jump colo
131 iface eth0 jump colo sgo
132 iface eth1 jump colo sgo
133 iface vpn-radius housebdry vpn sgo
148 forwards housebdry colobdry
150 addr !172.29.198.0/23
154 forwards househub colohub
156 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
157 forwards househub colohub
160 defnet anycast trusted
161 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
162 forwards dmz unsafe safe untrusted jump colo vpn
163 defnet default untrusted
164 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
165 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
166 addr 2001:ba8:1d9::/48 #temporary
167 forwards dmz unsafe untrusted jump colo
170 ###--------------------------------------------------------------------------
171 ### Special forwarding exemptions.
176 ## Only allow these packets if they're not fragmented. (Don't trust safe
177 ## hosts's fragment reassembly to be robust against malicious fragments.)
178 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
179 ## of `! -f', so we do the negation using early return from a subchain.
180 clearchain fwd-spec-nofrag
181 run iptables -A fwd-spec-nofrag -j RETURN --fragment
182 run ip6tables -A fwd-spec-nofrag -j RETURN \
183 -m ipv6header --soft --header frag
184 run ip46tables -A FORWARD -j fwd-spec-nofrag
186 ## Allow ping from safe/noloop to untrusted networks.
187 run iptables -A fwd-spec-nofrag -j ACCEPT \
188 -p icmp --icmp-type echo-request \
189 -m mark --mark $to_untrusted/$MASK_TO
190 run iptables -A fwd-spec-nofrag -j ACCEPT \
191 -p icmp --icmp-type echo-reply \
192 -m mark --mark $from_untrusted/$MASK_FROM \
193 -m state --state ESTABLISHED
194 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
195 -p icmpv6 --icmpv6-type echo-request \
196 -m mark --mark $to_untrusted/$MASK_TO
197 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
198 -p icmpv6 --icmpv6-type echo-reply \
199 -m mark --mark $from_untrusted/$MASK_FROM \
200 -m state --state ESTABLISHED
202 ## Allow SSH from safe/noloop to untrusted networks.
203 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
204 -p tcp --destination-port $port_ssh \
205 -m mark --mark $to_untrusted/$MASK_TO
206 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
207 -p tcp --source-port $port_ssh \
208 -m mark --mark $from_untrusted/$MASK_FROM \
209 -m state --state ESTABLISHED
215 ###--------------------------------------------------------------------------
216 ### Kill things we don't understand properly.
218 ### I don't like having to do this, but since I don't know how to do proper
219 ### multicast filtering, I'm just going to ban it from being forwarded.
221 errorchain poorly-understood REJECT
223 ## Ban multicast destination addresses in forwarding.
226 run iptables -A FORWARD -g poorly-understood \
228 run ip6tables -A FORWARD -g poorly-understood \
234 ###--------------------------------------------------------------------------
235 ### Locally-bound packet inspection.
239 ## Track connections.
243 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
245 run iptables -A inbound -j ACCEPT \
246 -s 0.0.0.0 -d 255.255.255.255 \
247 -p udp --source-port $port_bootpc --destination-port $port_bootps
248 run iptables -A inbound -j ACCEPT \
250 -p udp --source-port $port_bootpc --destination-port $port_bootps
252 ## Allow incoming ping. This is the only ICMP left.
253 run ip46tables -A inbound -j ACCEPT -p icmp
256 ## Allow unusual things.
259 ## Inspect inbound packets from untrusted sources.
260 run ip46tables -A inbound -j forbidden
261 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
263 ## Otherwise process as indicated by the mark.
264 for i in $inchains; do
265 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
269 ###----- That's all, folks --------------------------------------------------