3 ### Local firewall configuration
5 ### (c) 2008 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
25 ### Local configuration.
28 ## Default NTP servers.
30 "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
33 ###--------------------------------------------------------------------------
34 ### Packet classification.
36 ## Define the available network classes.
38 defnetclass untrusted untrusted trusted
39 defnetclass trusted untrusted trusted safe noloop
40 defnetclass safe trusted safe noloop
41 defnetclass noloop trusted safe
45 ###--------------------------------------------------------------------------
51 forwards unsafe untrusted
56 addr 172.29.199.192/28
58 defnet untrusted untrusted
62 addr 172.29.199.128/27
63 forwards househub colohub
66 defnet iodine untrusted
67 addr 172.29.198.128/28
69 defnet househub virtual
70 forwards housebdry dmz unsafe safe untrusted
71 defnet housebdry virtual
93 iface eth0.0 dmz unsafe
94 iface eth0.1 dmz unsafe
95 iface eth0.3 untrusted
98 iface vpn-precision colobdry vpn
100 iface br-dmz dmz unsafe
101 iface br-unsafe unsafe
106 ## Colocated networks.
108 addr 212.13.198.64/28
111 addr 172.29.199.176/28
113 defnet colohub virtual
114 forwards colobdry jump colo
115 defnet colobdry virtual
121 iface br-jump jump colo
122 iface br-colo jump colo
128 iface vpn-vampire housebdry vpn
141 forwards housebdry colobdry
142 defnet default untrusted
143 addr 62.49.204.144/28
144 addr 212.13.198.64/28
145 forwards dmz untrusted unsafe jump colo
148 ###--------------------------------------------------------------------------
149 ### Special forwarding exemptions.
154 ## Only allow these packets if they're not fragmented. (Don't trust safe
155 ## hosts's fragment reassembly to be robust against malicious fragments.)
156 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
157 ## of `! -f', so we do the negation using early return from a subchain.
158 clearchain fwd-spec-nofrag
159 run iptables -A fwd-spec-nofrag -j RETURN --fragment
160 run ip6tables -A fwd-spec-nofrag -j RETURN \
161 -m ipv6header --soft --header frag
162 run iptables -A FORWARD -j fwd-spec-nofrag
164 ## Allow ping from safe/noloop to untrusted networks.
165 run iptables -A fwd-spec-nofrag -j ACCEPT \
166 -p icmp --icmp-type echo-request \
167 -m mark --mark $to_untrusted/$MASK_TO
168 run iptables -A fwd-spec-nofrag -j ACCEPT \
169 -p icmp --icmp-type echo-reply \
170 -m mark --mark $from_untrusted/$MASK_FROM \
171 -m state --state ESTABLISHED
172 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
173 -p ipv6-icmp --icmpv6-type echo-request \
174 -m mark --mark $to_untrusted/$MASK_TO
175 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
176 -p ipv6-icmp --icmpv6-type echo-reply \
177 -m mark --mark $from_untrusted/$MASK_FROM \
178 -m state --state ESTABLISHED
180 ## Allow SSH from safe/noloop to untrusted networks.
181 run iptables -A fwd-spec-nofrag -j ACCEPT \
182 -p tcp --destination-port $port_ssh \
183 -m mark --mark $to_untrusted/$MASK_TO
184 run iptables -A fwd-spec-nofrag -j ACCEPT \
185 -p tcp --source-port $port_ssh \
186 -m mark --mark $from_untrusted/$MASK_FROM \
187 -m state --state ESTABLISHED
188 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
189 -p tcp --destination-port $port_ssh \
190 -m mark --mark $to_untrusted/$MASK_TO
191 run ip6tables -A fwd-spec-nofrag -j ACCEPT \
192 -p tcp --source-port $port_ssh \
193 -m mark --mark $from_untrusted/$MASK_FROM \
194 -m state --state ESTABLISHED
200 ###--------------------------------------------------------------------------
201 ### Kill things we don't understand properly.
203 ### I don't like having to do this, but since I don't know how to do proper
204 ### multicast filtering, I'm just going to ban it from being forwarded.
206 errorchain poorly-understood REJECT
208 ## Ban multicast destination addresses in forwarding.
211 run iptables -A FORWARD -g poorly-understood \
213 run ip6tables -A FORWARD -g poorly-understood \
219 ###--------------------------------------------------------------------------
220 ### Locally-bound packet inspection.
224 ## Track connections.
228 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
230 run iptables -A inbound -j ACCEPT \
231 -s 0.0.0.0 -d 255.255.255.255 \
232 -p udp --source-port $port_bootpc --destination-port $port_bootps
233 run iptables -A inbound -j ACCEPT \
235 -p udp --source-port $port_bootpc --destination-port $port_bootps
237 ## Incoming multicast on a network interface associated with a trusted
238 ## network is OK, since it must have originated there (or been forwarded, but
239 ## we don't do that yet).
241 for net in $allnets; do
242 eval class=\$net_class_$net
243 case $class in trusted) ;; *) continue ;; esac
244 for iface in $(net_interfaces FWHOST $net); do
245 case "$seen" in *:$iface:*) continue ;; esac
247 run iptables -A inbound -j ACCEPT \
248 -s 0.0.0.0 -d 224.0.0.0/24 \
253 ## Allow incoming ping. This is the only ICMP left.
254 run ip46tables -A inbound -j ACCEPT -p icmp
257 ## Allow unusual things.
260 ## Inspect inbound packets from untrusted sources.
261 run ip46tables -A inbound -j forbidden
262 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
264 ## Otherwise process as indicated by the mark.
265 run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
268 run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
273 ###----- That's all, folks --------------------------------------------------