chiark - git - mdw - firewall/blob

1 ### -*-sh-*-

2 ###

3 ### Local firewall configuration

4 ###

6 ###

8 ###----- Licensing notice ---------------------------------------------------

9 ###

10 ### This program is free software; you can redistribute it and/or modify

11 ### it under the terms of the GNU General Public License as published by

12 ### the Free Software Foundation; either version 2 of the License, or

13 ### (at your option) any later version.

14 ###

15 ### This program is distributed in the hope that it will be useful,

16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of

17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

18 ### GNU General Public License for more details.

19 ###

20 ### You should have received a copy of the GNU General Public License

21 ### along with this program; if not, write to the Free Software Foundation,

22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

24 ###--------------------------------------------------------------------------

25 ### Local configuration.

27 m4_divert(6)m4_dnl

28 ## Default NTP servers.

29 defconf(ntp_servers,

30 "81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")

32 m4_divert(-1)

33 ###--------------------------------------------------------------------------

34 ### Packet classification.

36 ## IPv4 addressing.

37 ##

38 ## There are two small blocks of publicly routable IPv4 addresses, and a

39 ## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.

40 ## The former are as follows.

41 ##

42 ## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28

43 ## House border network (dmz). We have all of these; the loose

44 ## address is for the router.

45 ##

46 ## The latter is the block 172.29.196.0/22. Currently the low half is

47 ## unallocated (and may be returned to the G-RIN); the remaining addresses

48 ## are allocated as follows.

49 ##

50 ## 172.29.198.0/24 Untrusted networks.

51 ## .0/25 house wireless net

52 ## .128/28 iodine (IP-over-DNS) network

53 ## .144/28 hippotat (IP-over-HTTP) network

54 ## .160/27 untrusted virtual network

55 ##

56 ## 172.29.199.0/24 Trusted networks.

57 ## .0/25 house wired network

58 ## .128/27 mobile VPN hosts

59 ## .160/28 reserved, except .160/30 allocated for ITS

60 ## .176/28 internal colocated network

61 ## .192/27 house safe network

62 ## .224/27 anycast services

64 ## IPv6 addressing.

65 ##

66 ## There are five blocks of publicly routable IPv6 addresses, though some of

67 ## them aren't very interesting. The ranges are as follows.

68 ##

69 ## 2001:8b0:c92::/48

70 ## Main house range (aaisp). See below for allocation policy.

71 ## There is no explicit DMZ allocation (and no need for one).

72 ##

73 ## Addresses in the /64 networks are simply allocated in ascending order.

74 ## The /48s are split into /64s by appending a 16-bit network number. The

75 ## top nibble of the network number classifies the network, as follows.

76 ##

77 ## axxx Virtual, untrusted

78 ## 8xxx Untrusted

79 ## 6xxx Virtual, safe

80 ## 4xxx Safe

81 ## 0xxx Unsafe, trusted

82 ##

83 ## These have been chosen so that network properties can be deduced by

84 ## inspecting bits of the network number:

85 ##

86 ## Bit 15 If set, the network is untrusted; otherwise it is trusted.

87 ## Bit 14 If set, the network is safe; otherwise it is unsafe.

88 ##

89 ## Finally, the low-order nibbles identify the site.

90 ##

91 ## 0 No specific site: mobile VPN endpoints or anycast addresses.

92 ## 1 House.

93 ## fff Local border network.

95 ## Define the available network classes.

96 m4_divert(42)m4_dnl

97 defnetclass scary scary trusted vpnnat mcast

98 defnetclass untrusted scary untrusted trusted mcast

99 defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast

100 defnetclass safe trusted safe noloop vpnnat mcast

101 defnetclass noloop trusted safe mcast

102 defnetclass vpnnat scary trusted safe mcast

103

104 defnetclass link

105 defnetclass mcast

106 m4_divert(-1)

107

108 m4_divert(26)m4_dnl

109 ###--------------------------------------------------------------------------

110 ### Network layout.

111

112 ## House networks.

113 defnet dmz trusted

114 addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64

115 via unsafe untrusted

116 defnet unsafe trusted

117 addr 172.29.199.0/25 2001:8b0:c92:1::/64

118 via househub

119 defnet safe safe

120 addr 172.29.199.192/27 2001:8b0:c92:4001::/64

121 via househub

122 defnet untrusted untrusted

123 addr 172.29.198.0/25 2001:8b0:c92:8001::/64

124 via househub

125

126 defnet househub virtual

127 via housebdry dmz unsafe safe untrusted

128 defnet housebdry virtual

129 via househub hub

130

131 ## House hosts.

132 defhost radius

133 hosttype router

134 iface eth0 dmz unsafe safe untrusted vpn sgo default

135 iface eth1 dmz unsafe safe untrusted vpn sgo default

136 iface eth2 dmz unsafe safe untrusted vpn sgo

137 iface eth3 unsafe untrusted vpn default

138 iface ppp0 default

139 iface t6-he default

140 iface vpn-precision vpn sgo

141 iface vpn-chiark sgo

142 iface vpn-+ vpn

143 defhost roadstar

144 iface eth0 dmz unsafe

145 iface eth1 dmz unsafe

146 defhost jem

147 iface eth0 dmz unsafe

148 iface eth1 dmz unsafe

149 defhost universe

150 iface eth0 dmz unsafe

151 iface eth1 dmz unsafe

152 defhost artist

153 hosttype router

154 iface eth0 dmz unsafe untrusted

155 iface eth1 dmz unsafe untrusted

156 iface eth3 unsafe untrusted

157 defhost vampire

158 hosttype router

159 iface eth0.4 dmz unsafe untrusted safe vpn sgo

160 iface eth0.5 dmz unsafe untrusted safe vpn sgo

161 iface eth0.6 dmz unsafe safe untrusted vpn sgo

162 iface eth0.7 unsafe untrusted vpn

163 iface vpn-precision vpn sgo

164 iface vpn-chiark sgo

165 iface vpn-+ vpn

166 defhost ibanez

167 iface br-dmz dmz unsafe

168 iface br-unsafe unsafe

169 defhost orange

170 iface wlan0 untrusted

171 iface vpn-radius unsafe

172 defhost groove

173 iface eth0 unsafe

174 iface wlan0 untrusted

175 iface vpn-radius unsafe

176

177 defhost gibson

178 hosttype client

179 iface eth0 unsafe

180

181 ## Formerly colocated hosts.

182 defhost fender

183 iface br-dmz dmz unsafe

184 iface br-unsafe dmz unsafe

185 defhost precision

186 hosttype router

187 iface eth0 dmz unsafe vpn sgo

188 iface eth1 dmz unsafe vpn sgo

189 iface vpn-mango binswood

190 iface vpn-chiark sgo

191 iface vpn-national upn

192 iface vpn-mdwdev upn

193 iface vpn-eggle upn

194 iface vpn-+ vpn

195 defhost telecaster

196 iface eth0 dmz unsafe vpn sgo

197 iface eth1 dmz unsafe vpn sgo

198 defhost stratocaster

199 iface eth0 dmz unsafe vpn sgo

200 iface eth1 dmz unsafe vpn sgo

201 defhost jazz

202 hosttype router

203 iface eth0 dmz unsafe vpn sgo

204 iface eth1 dmz unsafe vpn sgo

205 iface dns0 iodine

206 iface hippo-svc hippotat

207 iface vpn-+ vpn

208

209 ## Stunt connectivity networks.

210 defnet iodine untrusted

211 addr 172.29.198.128/28

212 via colohub

213 defnet hippotat untrusted

214 addr 172.29.198.144/28

215 via colohub

216

217

218 ## Other networks.

219 defnet hub virtual

220 via housebdry

221 defnet sgo noloop

222 addr !172.29.198.0/23

223 addr !10.165.27.0/24

224 addr 10.0.0.0/8

225 addr 172.16.0.0/12

226 addr 192.168.0.0/16

227 via househub

228 defnet vpn trusted

229 addr 172.29.199.128/27 2001:8b0:c92:6000::/64

230 via househub

231 host crybaby 1 ::1:1

232 host terror 2 ::2:1

233 host orange 3 ::3:1

234 host haze 4 ::4:1

235 host spirit 9 ::9:1

236 host groove 10 ::10:1

237 defnet anycast trusted

238 addr 172.29.199.224/27 2001:8b0:c92:0::/64

239 via dmz unsafe safe untrusted vpn nvpn

240 defnet default scary

241 addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \

242 2001:8b0:c92::/48

243 via dmz unsafe untrusted

244 defnet upn untrusted

245 addr 172.29.198.160/27 2001:8b0:c92:a000::/64

246 via househub

247 host national 1 ::1:1

248 host mdwdev 2 ::2:1

249 host eggle 3 ::3:1

250

251 ## VPS hosts.

252 defhost eggle

253 iface eth0 default

254 iface vpn-precision househub

255 defhost national

256 iface eth0 default

257 iface vpn-precision househub

258

259 ## Satellite networks.

260 defnet binswood vpnnat

261 addr 10.165.27.0/24

262 via househub

263 defhost mango

264 hosttype router

265 iface eth0 binswood default

266 iface vpn-precision dmz default

267

268 m4_divert(80)m4_dnl

269 ###--------------------------------------------------------------------------

270 ### Connection tracking helper modules.

271

272 for i in ftp; do

273 modprobe nf_conntrack_$i

274 done

275

276 m4_divert(80)m4_dnl

277 ###--------------------------------------------------------------------------

278 ### Special forwarding exemptions.

279

280 case $forward in

281 1)

282

283 ## Only allow these packets if they're not fragmented. (Don't trust safe

284 ## hosts's fragment reassembly to be robust against malicious fragments.)

285 ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning

286 ## of `! -f', so we do the negation using early return from a subchain.

287 clearchain fwd-spec-nofrag

288 run iptables -A fwd-spec-nofrag -j RETURN --fragment

289 run ip6tables -A fwd-spec-nofrag -j RETURN \

290 -m ipv6header --soft --header frag

291 run ip46tables -A FORWARD -j fwd-spec-nofrag

292

293 ## Allow ping from safe/noloop to untrusted networks.

294 run iptables -A fwd-spec-nofrag -j ACCEPT \

295 -p icmp --icmp-type echo-request \

296 -m mark --mark $to_untrusted/$MASK_TO

297 run iptables -A fwd-spec-nofrag -j ACCEPT \

298 -p icmp --icmp-type echo-reply \

299 -m mark --mark $from_untrusted/$MASK_FROM \

300 -m state --state ESTABLISHED

301 run ip6tables -A fwd-spec-nofrag -j ACCEPT \

302 -p icmpv6 --icmpv6-type echo-request \

303 -m mark --mark $to_untrusted/$MASK_TO

304 run ip6tables -A fwd-spec-nofrag -j ACCEPT \

305 -p icmpv6 --icmpv6-type echo-reply \

306 -m mark --mark $from_untrusted/$MASK_FROM \

307 -m state --state ESTABLISHED

308

309 ## Allow SSH from safe/noloop to untrusted networks.

310 run ip46tables -A fwd-spec-nofrag -j ACCEPT \

311 -p tcp --destination-port $port_ssh \

312 -m mark --mark $to_untrusted/$MASK_TO

313 run ip46tables -A fwd-spec-nofrag -j ACCEPT \

314 -p tcp --source-port $port_ssh \

315 -m mark --mark $from_untrusted/$MASK_FROM \

316 -m state --state ESTABLISHED

317

318 ;;

319 esac

320

321 m4_divert(80)m4_dnl

322 ###--------------------------------------------------------------------------

323 ### Kill things we don't understand properly.

324 ###

325 ### I don't like having to do this, but since I don't know how to do proper

326 ### multicast filtering, I'm just going to ban it from being forwarded.

327

328 errorchain poorly-understood REJECT

329

330 ## Ban multicast destination addresses in forwarding.

331 case $forward in

332 1)

333 run iptables -A FORWARD -g poorly-understood \

334 -d 224.0.0.0/4

335 run ip6tables -A FORWARD -g poorly-understood \

336 -d ff::/8

337 ;;

338 esac

339

340 m4_divert(82)m4_dnl

341 ###--------------------------------------------------------------------------

342 ### Check for source routing.

343

344 clearchain check-srcroute

345

346 run iptables -A check-srcroute -g forbidden \

347 -m ipv4options --any --flags lsrr,ssrr

348 run ip6tables -A check-srcroute -g forbidden \

349 -m rt

350

351 for c in INPUT FORWARD; do

352 for m in $from_scary $from_untrusted; do

353 run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute

354 done

355 done

356

357 m4_divert(84)m4_dnl

358 ###--------------------------------------------------------------------------

359 ### Locally-bound packet inspection.

360

361 clearchain inbound

362 clearchain inbound-untrusted

363

364 ## Track connections.

365 commonrules inbound

366 conntrack inbound

367

368 ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a

369 ## local request.

370 run iptables -A inbound -j ACCEPT \

371 -s 0.0.0.0 -d 255.255.255.255 \

372 -p udp --source-port $port_bootpc --destination-port $port_bootps

373 run iptables -A inbound -j ACCEPT \

374 -s 172.29.198.0/23 \

375 -p udp --source-port $port_bootpc --destination-port $port_bootps

376

377 ## Allow incoming ping. This is the only ICMP left.

378 run iptables -A inbound -j ACCEPT -p icmp

379 run ip6tables -A inbound -j ACCEPT -p icmpv6

380

381 m4_divert(88)m4_dnl

382 ## Allow unusual things.

383 openports inbound

384

385 ## Inspect inbound packets from untrusted sources.

386 run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted

387 run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted

388 run ip46tables -A inbound-untrusted -g forbidden

389 run ip46tables -A inbound -g forbidden

390 run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound

391 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

392

393 ## Allow responses from the scary outside world into the untrusted net, but

394 ## don't let untrusted things run services.

395 case $forward in

396 1)

397 run ip46tables -A FORWARD -j ACCEPT \

398 -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \

399 -m state --state ESTABLISHED,RELATED

400 ;;

401 esac

402

403 ## Otherwise process as indicated by the mark.

404 for i in $inchains; do

405 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT

406 done

407

408 m4_divert(-1)

409 ###----- That's all, folks --------------------------------------------------