3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
36 ## Define the available network classes.
38 defnetclass untrusted untrusted trusted mcast
39 defnetclass trusted untrusted trusted safe noloop mcast
40 defnetclass safe trusted safe noloop mcast
41 defnetclass noloop trusted safe mcast
47 ###--------------------------------------------------------------------------
52 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
53 forwards unsafe untrusted
55 addr 172.29.199.0/25 2001:470:9740:1::/64
58 addr 172.29.199.192/27 2001:470:9740:4001::/64
60 defnet untrusted untrusted
61 addr 172.29.198.0/25 2001:470:9740:8001::/64
64 defnet househub virtual
65 forwards housebdry dmz unsafe safe untrusted
66 defnet housebdry virtual
73 iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
74 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
75 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
76 iface eth3 untrusted vpn default
79 iface vpn-precision colobdry vpn sgo
90 iface eth0 dmz unsafe untrusted
91 iface eth1 dmz unsafe untrusted
95 iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
96 iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
97 iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
98 iface eth0.7 untrusted
99 iface vpn-precision colobdry vpn sgo
103 iface br-dmz dmz unsafe
104 iface br-unsafe unsafe
110 ## Colocated networks.
112 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
115 addr 172.29.199.176/28 2001:ba8:1d9:2::/64
117 defnet colohub virtual
118 forwards colobdry jump colo iodine
119 defnet colobdry virtual
122 defnet iodine untrusted
123 addr 172.29.198.128/28
128 iface br-jump jump colo
129 iface br-colo jump colo
132 iface eth0 jump colo sgo
133 iface eth1 jump colo sgo
134 iface vpn-radius housebdry vpn sgo
150 forwards housebdry colobdry
152 addr !172.29.198.0/23
156 forwards househub colohub
158 addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
159 forwards househub colohub
162 defnet anycast trusted
163 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
164 forwards dmz unsafe safe untrusted jump colo vpn
165 defnet default untrusted
166 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
167 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
168 addr 2001:ba8:1d9::/48 #temporary
169 forwards dmz unsafe untrusted jump colo
172 ###--------------------------------------------------------------------------
173 ### Special forwarding exemptions.
178 ## Only allow these packets if they're not fragmented. (Don't trust safe
179 ## hosts's fragment reassembly to be robust against malicious fragments.)
180 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
181 ## of `! -f', so we do the negation using early return from a subchain.
182 clearchain fwd-spec-nofrag
183 run iptables -A fwd-spec-nofrag -j RETURN --fragment
184 run ip6tables -A fwd-spec-nofrag -j RETURN \
185 -m ipv6header --soft --header frag
186 run ip46tables -A FORWARD -j fwd-spec-nofrag
188 ## Allow ping from safe/noloop to untrusted networks.
189 run iptables -A fwd-spec-nofrag -j ACCEPT \
190 -p icmp --icmp-type echo-request \
191 -m mark --mark $to_untrusted/$MASK_TO
192 run iptables -A fwd-spec-nofrag -j ACCEPT \
193 -p icmp --icmp-type echo-reply \
194 -m mark --mark $from_untrusted/$MASK_FROM \
195 -m state --state ESTABLISHED
196 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
197 -p icmpv6 --icmpv6-type echo-request \
198 -m mark --mark $to_untrusted/$MASK_TO
199 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
200 -p icmpv6 --icmpv6-type echo-reply \
201 -m mark --mark $from_untrusted/$MASK_FROM \
202 -m state --state ESTABLISHED
204 ## Allow SSH from safe/noloop to untrusted networks.
205 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
206 -p tcp --destination-port $port_ssh \
207 -m mark --mark $to_untrusted/$MASK_TO
208 run ip46tables -A fwd-spec-nofrag -j ACCEPT \
209 -p tcp --source-port $port_ssh \
210 -m mark --mark $from_untrusted/$MASK_FROM \
211 -m state --state ESTABLISHED
217 ###--------------------------------------------------------------------------
218 ### Kill things we don't understand properly.
220 ### I don't like having to do this, but since I don't know how to do proper
221 ### multicast filtering, I'm just going to ban it from being forwarded.
223 errorchain poorly-understood REJECT
225 ## Ban multicast destination addresses in forwarding.
228 run iptables -A FORWARD -g poorly-understood \
230 run ip6tables -A FORWARD -g poorly-understood \
236 ###--------------------------------------------------------------------------
237 ### Locally-bound packet inspection.
241 ## Track connections.
245 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
247 run iptables -A inbound -j ACCEPT \
248 -s 0.0.0.0 -d 255.255.255.255 \
249 -p udp --source-port $port_bootpc --destination-port $port_bootps
250 run iptables -A inbound -j ACCEPT \
252 -p udp --source-port $port_bootpc --destination-port $port_bootps
254 ## Allow incoming ping. This is the only ICMP left.
255 run ip46tables -A inbound -j ACCEPT -p icmp
258 ## Allow unusual things.
261 ## Inspect inbound packets from untrusted sources.
262 run ip46tables -A inbound -j forbidden
263 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
265 ## Otherwise process as indicated by the mark.
266 for i in $inchains; do
267 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
271 ###----- That's all, folks --------------------------------------------------