local.m4: Inbound restriction on untrusted is no longer experimental.

[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
        "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## 62.49.204.144/28
##              House border network (dmz).  We have all of these, but .145
##              is reserved for the router.
##
## 212.13.18.64/28
##              Jump colocated network (jump).  .65--68 are used by Jump
##              network infrastructure; we get the rest.
##
## The latter is the block 172.29.196.0/22.  Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
## 172.29.198.0/24  Untrusted networks.
##      .0/25           house wireless net
##      .128/28         iodine (IP-over-DNS) network
##
## 172.29.199.0/24  Trusted networks.
##      .0/25           house wired network
##      .128/27         mobile VPN hosts
##      .160/28         reserved, except .160/30 allocated for ITS
##      .176/28         internal colocated network
##      .192/27         house safe network
##      .224/27         anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting.  The ranges are as follows.
##
## 2001:470:1f08:1b98::/64
##              Hurricane Electric tunnel network: only :1 (HE) and :2
##              (radius) are used.
##
## 2001:470:1f09:1b98::/64
##              House border network (dmz).
##
## 2001:470:9740::/48
##              Main house range.  See below for allocation policy.
##
## 2001:ba8:0:1d9::/64
##              Jump border network (jump): :1 is the router (supplied by
##              Jump); other addresses are ours.
##
## 2001:ba8:1d9::/48
##              Main colocated range.  See below for allocation policy.
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number.  The
## top nibble of the network number classifies the network, as follows.
##
## 8xxx         Untrusted
## 6xxx         Virtual, safe
## 4xxx         Safe
## 0xxx         Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
## Bit 15       If set, the network is untrusted; otherwise it is trusted.
## Bit 14       If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
## 0            No specific site: mobile VPN endpoints or anycast addresses.
## 1            House.
## 2            Jump colocation.
##
## Usually site-0 networks are allocated from the Jump range to improve
## expected performance from/to external sites which don't engage in our
## dynamic routing protocols.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass scary       scary           trusted             mcast
defnetclass untrusted   scary untrusted trusted             mcast
defnetclass trusted     scary untrusted trusted safe noloop mcast
defnetclass safe                        trusted safe noloop mcast
defnetclass noloop                      trusted safe        mcast

defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
        addr 62.49.204.144/28 2001:470:1f09:1b98::/64
        via unsafe untrusted
defnet unsafe trusted
        addr 172.29.199.0/25 2001:470:9740:1::/64
        via househub
defnet safe safe
        addr 172.29.199.192/27 2001:470:9740:4001::/64
        via househub
defnet untrusted untrusted
        addr 172.29.198.0/25 2001:470:9740:8001::/64
        via househub

defnet househub virtual
        via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
        via househub hub

## House hosts.
defhost radius
        hosttype router
        iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
        iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
        iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
        iface eth3 unsafe untrusted vpn default
        iface ppp0 default
        iface t6-he default
        iface vpn-precision colobdry vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost roadstar
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
defhost jem
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
defhost artist
        hosttype router
        iface eth0 dmz unsafe untrusted
        iface eth1 dmz unsafe untrusted
        iface eth3 unsafe untrusted
defhost vampire
        hosttype router
        iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
        iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
        iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
        iface eth0.7 unsafe untrusted vpn
        iface vpn-precision colobdry vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost ibanez
        iface br-dmz dmz unsafe
        iface br-unsafe unsafe
defhost orange
        iface wlan0 untrusted
        iface vpn-radius unsafe
defhost groove
        iface eth0 unsafe
        iface wlan0 untrusted
        iface vpn-radius unsafe

defhost gibson
        hosttype client
        iface eth0 unsafe

## Colocated networks.
defnet jump trusted
        addr 212.13.198.64/28 2001:ba8:0:1d9::/64
        via colohub
defnet colo trusted
        addr 172.29.199.176/28 2001:ba8:1d9:2::/64
        via colohub
defnet colohub virtual
        via colobdry jump colo
defnet colobdry virtual
        via colohub hub
defnet iodine untrusted
        addr 172.29.198.128/28
        via colohub

## Colocated hosts.
defhost fender
        iface br-jump jump colo
        iface br-colo jump colo
defhost precision
        hosttype router
        iface eth0 jump colo vpn sgo
        iface eth1 jump colo vpn sgo
        iface vpn-mango binswood
        iface vpn-radius housebdry vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost telecaster
        iface eth0 jump colo
        iface eth1 jump colo
defhost stratocaster
        iface eth0 jump colo
        iface eth1 jump colo
defhost jaguar
        iface eth0 jump
defhost jazz
        hosttype router
        iface eth0 jump colo vpn
        iface eth1 jump colo vpn
        iface dns0 iodine
        iface vpn-+ vpn

## Other networks.
defnet hub virtual
        via housebdry colobdry
defnet sgo noloop
        addr !172.29.198.0/23
        addr 10.0.0.0/8
        addr 172.16.0.0/12
        addr 192.168.0.0/16
        via househub colohub
defnet vpn safe
        addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
        via househub colohub
        host crybaby 1 ::1:1
        host terror 2 ::2:1
        host orange 3 ::3:1
        host haze 4 ::4:1
        host groove 5 ::5:1
defnet anycast trusted
        addr 172.29.199.224/27 2001:ba8:1d9:0::/64
        via dmz unsafe safe untrusted jump colo vpn
defnet default scary
        addr 62.49.204.144/28 2001:470:1f09:1b98::/64
        addr 212.13.198.64/28 2001:ba8:0:1d9::/64
        addr 2001:ba8:1d9::/48 #temporary
        via dmz unsafe untrusted jump colo

## Satellite networks.
defnet binswood noloop
        addr 10.165.27.0/24
        via colohub

defhost mango
        hosttype router
        iface eth0 binswood default
        iface vpn-precision colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Connection tracking helper modules.

for i in ftp; do
  modprobe nf_conntrack_$i
done

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
            -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
            -p icmp --icmp-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
            -p icmp --icmp-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
            -p icmpv6 --icmpv6-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
            -p icmpv6 --icmpv6-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --destination-port $port_ssh \
            -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --source-port $port_ssh \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
            -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
            -d ff::/8
    ;;
esac

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
        -s 0.0.0.0 -d 255.255.255.255 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
case $forward in
  1)
    run ip46tables -A FORWARD -j ACCEPT \
        -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
        -m state --state ESTABLISHED,RELATED
    ;;
esac

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------