3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
36 ## Define the available network classes.
38 defnetclass untrusted untrusted trusted
39 defnetclass trusted untrusted trusted safe noloop
40 defnetclass safe trusted safe noloop
41 defnetclass noloop trusted safe
45 ###--------------------------------------------------------------------------
51 forwards unsafe untrusted
56 addr 172.29.199.192/28
58 defnet untrusted untrusted
62 addr 172.29.199.128/27
66 defnet iodine untrusted
67 addr 172.29.198.128/28
69 defnet househub virtual
70 forwards housebdry dmz unsafe safe untrusted
71 defnet housebdry virtual
95 iface eth0.3 untrusted
98 iface vpn-precision colobdry vpn
101 iface br-unsafe unsafe
106 ## Colocated networks.
108 addr 212.13.198.64/28
111 addr 172.29.199.176/28
113 defnet colohub virtual
114 forwards colobdry jump colo
115 defnet colobdry virtual
128 iface vpn-vampire housebdry vpn
141 forwards housebdry colobdry
142 defnet default untrusted
143 addr 62.49.204.144/28
144 addr 212.13.198.64/28
145 forwards dmz untrusted unsafe jump colo
148 ###--------------------------------------------------------------------------
149 ### Special forwarding exemptions.
154 ## Only allow these packets if they're not fragmented. (Don't trust safe
155 ## hosts's fragment reassembly to be robust against malicious fragments.)
156 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
157 ## of `! -f', so we do the negation using early return from a subchain.
158 clearchain fwd-spec-nofrag
159 run iptables -A fwd-spec-nofrag -j RETURN --fragment
160 run ip6tables -A fwd-spec-nofrag -j RETURN \
161 -m ipv6header --soft --header frag
162 run iptables -A FORWARD -j fwd-spec-nofrag
164 ## Allow ping from safe/noloop to untrusted networks.
165 run iptables -A fwd-spec-nofrag -j ACCEPT \
166 -p icmp --icmp-type echo-request \
167 -m mark --mark $to_untrusted/$MASK_TO
168 run iptables -A fwd-spec-nofrag -j ACCEPT \
169 -p icmp --icmp-type echo-reply \
170 -m mark --mark $from_untrusted/$MASK_FROM \
171 -m state --state ESTABLISHED
172 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
173 -p ipv6-icmp --icmpv6-type echo-request \
174 -m mark --mark $to_untrusted/$MASK_TO
175 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
176 -p ipv6-icmp --icmpv6-type echo-reply \
177 -m mark --mark $from_untrusted/$MASK_FROM \
178 -m state --state ESTABLISHED
180 ## Allow SSH from safe/noloop to untrusted networks.
181 run iptables -A fwd-spec-nofrag -j ACCEPT \
182 -p tcp --destination-port $port_ssh \
183 -m mark --mark $to_untrusted/$MASK_TO
184 run iptables -A fwd-spec-nofrag -j ACCEPT \
185 -p tcp --source-port $port_ssh \
186 -m mark --mark $from_untrusted/$MASK_FROM \
187 -m state --state ESTABLISHED
188 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
189 -p tcp --destination-port $port_ssh \
190 -m mark --mark $to_untrusted/$MASK_TO
191 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
192 -p tcp --source-port $port_ssh \
193 -m mark --mark $from_untrusted/$MASK_FROM \
194 -m state --state ESTABLISHED
200 ###--------------------------------------------------------------------------
201 ### Kill things we don't understand properly.
203 ### I don't like having to do this, but since I don't know how to do proper
204 ### multicast filtering, I'm just going to ban it from being forwarded.
206 errorchain poorly-understood REJECT
208 ## Ban multicast destination addresses in forwarding.
211 run iptables -A FORWARD -g poorly-understood \
213 run ip6tables -A FORWARD -g poorly-understood \
219 ###--------------------------------------------------------------------------
220 ### Locally-bound packet inspection.
224 ## Track connections.
228 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
230 run iptables -A inbound -j ACCEPT \
231 -s 0.0.0.0 -d 255.255.255.255 \
232 -p udp --source-port $port_bootpc --destination-port $port_bootps
233 run iptables -A inbound -j ACCEPT \
235 -p udp --source-port $port_bootpc --destination-port $port_bootps
237 ## Incoming multicast on a network interface associated with a trusted
238 ## network is OK, since it must have originated there (or been forwarded, but
239 ## we don't do that yet).
241 for net in $allnets; do
242 eval class=\$net_class_$net
243 case $class in trusted) ;; *) continue ;; esac
244 for iface in $(net_interfaces FWHOST $net); do
245 case "$seen" in *:$iface:*) continue ;; esac
247 run iptables -A inbound -j ACCEPT \
248 -s 0.0.0.0 -d 224.0.0.0/24 \
253 ## Allow incoming ping. This is the only ICMP left.
254 run ip46tables -A inbound -j ACCEPT -p icmp
257 ## Allow unusual things.
260 ## Inspect inbound packets from untrusted sources.
261 run ip46tables -A inbound -j forbidden
262 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
264 ## Otherwise process as indicated by the mark.
265 run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
268 run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
273 ###----- That's all, folks --------------------------------------------------