## The main chains: set policy to drop, and then clear the rules. For a
## while, incoming packets will be silently dropped, but we should have got
## everything going before anyone actually hits a timeout.
-for t in mangle filter; do
- for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
- run ip46tables -t $t -P $i DROP 2>/dev/null || :
- run ip46tables -t $t -F $i 2>/dev/null || :
+##
+## We don't control some of the chains, so we should preserve them. This
+## introduces a whole bunch of problems.
+
+## Chains we're meant to preserve
+preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
+
+## Take the various IP versions in turn.
+unref=nil
+for ip in ip ip6; do
+ if [ "$FW_NOACT" ]; then break; fi
+
+ for table in $(cat /proc/net/${ip}_tables_names); do
+
+ ## Step 1: clear out the builtin chains.
+ ${ip}tables -nL -t $table |
+ sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
+ while read chain; do
+ case $table in
+ nat) policy=ACCEPT ;;
+ *) policy=DROP ;;
+ esac
+ run ${ip}tables -t $table -P $chain $policy
+ run ${ip}tables -t $table -F $chain
+ done
+
+ ## Step 2: clear out user chains. Unfortunately, we can only clear
+ ## chains which have no references to them, so work through picking off
+ ## unreferenced chains which aren't meant to be preserved until there are
+ ## none left.
+ while :; do
+ progress=nil
+ ${ip}tables -nL -t $table |
+ sed -n '/^Chain \([^ ]\+\) (0 references)$/ s//\1/p ' \
+ >/var/run/firewall-chains.tmp
+ while read chain; do
+ match=nil
+ for pat in $preserve_chains; do
+ case "$table:$chain" in $pat) match=t ;; esac
+ done
+ case $match in
+ nil)
+ run ${ip}tables -t $table -F $chain
+ run ${ip}tables -t $table -X $chain
+ progress=t
+ ;;
+ esac
+ done </var/run/firewall-chains.tmp
+ case $progress in nil) break ;; esac
+ done
+
+ ## Step 3: report on uncleared user chains. This means that there's a
+ ## serious problem.
+ ${ip}tables -nL -t $table |
+ sed -n '/^Chain \([^ ]\+\) (\([1-9][0-9]*\) references)$/ s//\1 \2/p ' \
+ >/var/run/firewall-chains.tmp
+ while read chain refs; do
+ match=nil
+ for pat in $preserve_chains; do
+ case "$table:$chain" in $pat) match=t ;; esac
+ done
+ case $match in
+ nil)
+ echo >&2 "$0: can't clear referenced $ip chain \`$table:$chain'"
+ unref=t
+ ;;
+ esac
+ done </var/run/firewall-chains.tmp
done
- run ip46tables -t $t -F
- run ip46tables -t $t -X
done
+rm -f /var/run/firewall-chains.tmp
+case $unref in t) exit 1 ;; esac
m4_divert(32)m4_dnl
###--------------------------------------------------------------------------
## Set forwarding options. Apparently setting ip_forward clobbers other
## settings, so put this first.
+case $host_type_<::>FWHOST in
+ router) forward=1 host=0 ;;
+ server) forward=0 host=0 ;;
+ client) forward=0 host=1 ;;
+esac
setopt ip_forward $forward
setdevopt forwarding $forward
+for i in \
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
+do
+ setdevopt $i $host
+done
+case $forward in
+ 0) inchains="INPUT" ;;
+ 1) inchains="INPUT FORWARD" ;;
+esac
## Set dynamic port allocation.
setopt ip_local_port_range $open_port_min $open_port_max
fi
fi
-## Turn on the reverse-path filter, and log weird things.
-setdevopt rp_filter $rp_filter
-setdevopt log_martians $log_martians
+## Turn off the reverse-path filter. It's basically useless: the filter does
+## nothing at all for single-homed hosts; and multi-homed hosts tend to have
+## routing aysmmetries if there's any kind of cycle.
+setdevopt rp_filter 0
+setdevopt log_martians 0
## Turn off things which can mess with our routing decisions.
setdevopt accept_source_route 0
errorchain interesting ACCEPT
## Not an error, just log interesting packets.
-m4_divert(36)m4_dnl
+m4_divert(50)m4_dnl
###--------------------------------------------------------------------------
-### Standard loopback stuff.
+### Standard filtering.
## Don't clobber local traffic
run ip46tables -A INPUT -i lo -j ACCEPT
-d ::1
## We shouldn't be asked to forward things with link-local addresses.
-run iptables -A FORWARD -g bad-source-address \
- -s 169.254.0.0/16
-run iptables -A FORWARD -g bad-destination-address \
- -d 169.254.0.0/16
-run ip6tables -A FORWARD -g bad-source-address \
- -s fe80::/10
-run ip6tables -A FORWARD -g bad-destination-address \
- -d fe80::/10
+case $forward in
+ 1)
+ run iptables -A FORWARD -g bad-source-address \
+ -s 169.254.0.0/16
+ run iptables -A FORWARD -g bad-destination-address \
+ -d 169.254.0.0/16
+ run ip6tables -A FORWARD -g bad-source-address \
+ -s fe80::/10
+ run ip6tables -A FORWARD -g bad-destination-address \
+ -d fe80::/10
+ ;;
+esac
## Also, don't forward link-local broadcast or multicast.
-run iptables -A FORWARD -g bad-destination-address \
- -d 255.255.255.255
-run iptables -A FORWARD -g bad-destination-address \
- -m addrtype --dst-type BROADCAST
-run iptables -A FORWARD -g bad-destination-address \
- -d 224.0.0.0/24
-for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
- run ip6tables -A FORWARD -g bad-destination-address \
- -d fe${x}2::/16
-done
+case $forward in
+ 1)
+ run iptables -A FORWARD -g bad-destination-address \
+ -d 255.255.255.255
+ run iptables -A FORWARD -g bad-destination-address \
+ -m addrtype --dst-type BROADCAST
+ run iptables -A FORWARD -g bad-destination-address \
+ -d 224.0.0.0/24
+ clearchain check-fwd-multi
+ for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+ run ip6tables -A check-fwd-multi -g bad-destination-address \
+ -d ff${x}2::/16
+ done
+ run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
+ ;;
+esac
+
+## Add a hook for fail2ban.
+clearchain fail2ban
+run ip46tables -A INPUT -j fail2ban
m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
m4_divert(94)m4_dnl
## Locally generated packets are all OK.
-run iptables -P OUTPUT ACCEPT
+run ip46tables -P OUTPUT ACCEPT
## Other incoming things are forbidden.
for chain in INPUT FORWARD; do
- run iptables -A $chain -g forbidden
+ run ip46tables -A $chain -g forbidden
+done
+
+## Allow stuff through unknown tables.
+for ip in ip ip6; do
+ for table in $(cat /proc/net/${ip}_tables_names); do
+ case $table in mangle | filter) continue ;; esac
+ ${ip}tables -nL -t $table |
+ sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
+ while read chain; do
+ run ${ip}tables -t $table -P $chain ACCEPT
+ done
+ done
done
+## Dump the resulting configuration.
+if [ "$FW_DEBUG" ]; then
+ for ip in ip ip6; do
+ for table in mangle filter; do
+ echo "----- $ip $table -----"
+ echo
+ ${ip}tables -t $table -nvL
+ echo
+ done
+ done
+fi
+
m4_divert(-1)
###----- That's all, folks --------------------------------------------------